Podcast Summary: Hacking Humans — Tap, Pay… and Prey.
Podcast: Hacking Humans (N2K Networks)
Date: November 13, 2025
Episode Theme:
An exploration of deception, influence, and social engineering in modern cybercrime, with a focus on fraudulent digital advertising, supply chain vulnerabilities via software updaters, and tap-to-pay scams in payment systems.
Hosts & Contributors
- Dave Bittner
- Joe Carrigan
- Maria Varmazis
Episode Overview
This episode peels back the layers on some of the latest, most insidious forms of cybercrime targeting both individuals and organizations. It covers:
- The massive scope of ad fraud on Meta’s platforms and the company’s conflicted response
- New research on how legitimate software update mechanisms can be hijacked at scale
- Real-world social engineering scams leveraging modern tap-to-pay technologies
- A tongue-in-cheek "catch of the day" exploring recruitment-themed phishing
The tone is conversational, candid, and sometimes sardonic, especially when discussing the ethical lapses of major tech companies or the absurdity of some scam attempts.
Key Discussion Points & Insights
1. Meta’s Fraudulent Ad Network Exposé
[07:06 – 18:24]
- Main Takeaways:
- Reuters Investigation: Meta’s platforms (Facebook, Instagram, WhatsApp) serve an estimated 15 billion “high risk” (potentially fraudulent) ads daily.
- Meta’s systems flag these advertisers, but unless the model is at least 95% certain an advertiser is a scammer the ads are not removed; the suspected scammer is instead charged higher ad rates, a practice the hosts liken to a “fraud tax.”
- In 2024, Meta reportedly earned about $16 billion from high-risk ads, roughly 10% of its ad revenue.
- Meta’s own internal research estimates its platforms are involved in a third of all successful US scams.
- Meta allegedly caps anti-fraud enforcement so that the revenue lost to it stays below 0.15% of total revenue, about $135 million against $90 billion.
- Regulatory Angle:
- US/UK regulators are scrutinizing Meta. UK reports found Meta products responsible for over half of payment-related scam losses, exceeding every other social platform combined.
- Suggested countermeasures include “know your advertiser” rules, independent ad system auditing, and holding platforms liable for enabling fraud.
- Notable Quotes:
- “If Meta’s algorithms aren’t 95% sure that an advertiser is a scammer, the solution from their point of view is to raise their ad rates. Kind of like a fraud tax.” — Dave [10:15]
- “Meta’s products had effectively become a pillar of the global fraud economy.” — Dave (quoting Meta’s own leaked internal presentation) [11:00]
- “0.15%… not even a rounding error. The greed is just eye watering.” — Maria [14:32]
- “Imagine if you were a bank and you knew people were doing fraudulent business through your bank and instead of kicking them out, you just charged them more.” — Dave [15:51]
- Memorable Moment:
Joe joking about Meta’s greed:
“Well, how do you think [Zuckerberg] became a billionaire?” [10:12]
2. Supply Chain Risk: "Bring Your Own Updates" (BYOU) Attacks
[18:30 – 33:00]
- Main Takeaways:
- Research from the Howler Cell team at Cyderes documents a widespread weakness in Windows software updaters, with Advanced Installer’s updater as the headline example.
- Dubbed "Bring Your Own Updates" (BYOU): if signature enforcement is not enabled, an attacker can subvert the installer’s update mechanism to deliver and run arbitrary code.
- Many software deployment tools accept update packages without checking signatures by default; the mitigation exists, but it is opt-in rather than secure by default.
- An attacker who can alter the update configuration can push a malicious payload through the trusted updater process, bypassing most endpoint protections.
- Advanced Installer and similar tools are used by large companies (Dell, eBay, Apple, Sony, etc.), so a subverted updater is a supply-chain vector: one tampered update reaches every host that trusts it.
- Mitigation: enforce code signing for updates, inventory updater binaries on endpoints, monitor for unusual updater behaviour (for example, updater processes fetching from unexpected hosts or spawning unexpected children), and include update security in vendor risk assessments.
- Notable Quotes:
- “This is not attacking software, it’s attacking the thing that updates the software.” — Maria [20:54]
- “Defaults matter… the default was that there was a mitigation, but it was opt-in. Opt-in mitigations are really not enough and this is pretty clear.” — Maria [25:43]
- “Be careful where your installers come from.” — Dave [31:49]
- “The product should be secured by default.” — Joe [32:24]
- Memorable Moment:
Dave’s analogy for the attack:
“It’s kind of like, instead of poisoning your glass of water, you’re poisoning the water supply.” [30:47]
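The opt-in versus secure-by-default point in this segment, shown as an added example in Go that is not code from the episode, the Howler Cell research, or Advanced Installer: a toy updater client with a publisher key pinned at build time. Every name here (`UpdaterPolicy`, `RunUpdate`, `SignPackage`, the sample package bytes) is made up for the illustration, and the signature format (plain Ed25519 over the package’s SHA-256) is an assumption that does not describe any real product’s update file format. The point it demonstrates is the one Maria makes: when the check is off by default, an attacker who can edit the update config and swap the package gets installed without the updater ever looking at a signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Sentinel errors an updater should surface and log instead of installing.
var (
	ErrUnsigned     = errors.New("update package carries no publisher signature")
	ErrBadSignature = errors.New("signature does not verify against the pinned publisher key")
)

// Update is what the client holds after following its update config: the
// package bytes downloaded from the URL the config names, plus whatever
// signature the config supplied. An attacker who can edit the config
// controls both fields. (Hypothetical structure, not a real product's format.)
type Update struct {
	Version   string
	Package   []byte
	Signature []byte // detached Ed25519 signature over sha256(Package); nil when absent
}

// UpdaterPolicy captures the one setting the segment is about: whether
// signature enforcement is on. PublisherKey is compiled into the client,
// so editing the update config cannot replace it.
type UpdaterPolicy struct {
	RequireSignature bool
	PublisherKey     ed25519.PublicKey
}

// OptInPolicy models an updater that ships with the check disabled.
func OptInPolicy(pub ed25519.PublicKey) UpdaterPolicy {
	return UpdaterPolicy{RequireSignature: false, PublisherKey: pub}
}

// SecureDefaultPolicy models the fix: the check is on unless someone turns it off.
func SecureDefaultPolicy(pub ed25519.PublicKey) UpdaterPolicy {
	return UpdaterPolicy{RequireSignature: true, PublisherKey: pub}
}

// NewPublisherKeys generates the vendor's signing key pair (done once, not per update).
func NewPublisherKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is not something to recover from here
	}
	return pub, priv
}

// SignPackage is the vendor-side step: sign the digest of the release bytes.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(priv, digest[:])
}

// Verify is the client-side decision. With RequireSignature off it returns
// nil without inspecting the package at all, which is exactly the opt-in
// behaviour the research criticises.
func (p UpdaterPolicy) Verify(u Update) error {
	if !p.RequireSignature {
		return nil
	}
	if len(u.Signature) == 0 {
		return ErrUnsigned
	}
	digest := sha256.Sum256(u.Package)
	if !ed25519.Verify(p.PublisherKey, digest[:], u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// RunUpdate reports whether the updater would go on to execute the package.
func RunUpdate(p UpdaterPolicy, u Update) (installed bool, err error) {
	if err := p.Verify(u); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	pub, priv := NewPublisherKeys()

	// Constructed sample data: the vendor's real release, and an attacker's
	// payload referenced from a config the attacker was able to edit. The
	// attacker can copy the vendor's old signature into the config, but it was
	// made over different bytes, so it will not verify.
	genuine := Update{Version: "2.0.1", Package: []byte("vendor release 2.0.1 bytes")}
	genuine.Signature = SignPackage(priv, genuine.Package)
	malicious := Update{Version: "2.0.2", Package: []byte("attacker payload posing as 2.0.2"), Signature: genuine.Signature}

	policies := []struct {
		name string
		pol  UpdaterPolicy
	}{{"opt-in (check off)", OptInPolicy(pub)}, {"secure default (check on)", SecureDefaultPolicy(pub)}}
	for _, pc := range policies {
		for _, u := range []Update{genuine, malicious} {
			ok, err := RunUpdate(pc.pol, u)
			fmt.Printf("%-26s version %s: installed=%v err=%v\n", pc.name, u.Version, ok, err)
		}
	}
}
```

Under the opt-in policy both packages install; under the secure default the genuine release installs and the swapped one is rejected with `ErrBadSignature`. The mitigation bullet above maps onto this directly: the signature check has to be on, and the key it checks against has to live somewhere the attacker’s config access does not reach.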
3. Ghost Tapping & Tap-to-Pay Social Engineering Scams
[34:30 – 44:00]
- Main Takeaways:
- Joe introduces "ghost tapping" scams exploiting contactless payment (NFC/RFID) technology.
- Scammers masquerade as vendors, rush users through tap-to-pay transactions, and overcharge or run repeated charges.
- Some use directional antennas to read cards from a distance.
- Key advice: Use RFID-blocking wallets, scrutinize payment amounts before tapping, and set up instant transaction alerts on cards.
- Joe and Dave reminisce about security legend Kevin Mitnick demoing advanced RFID skimming techniques.
- Discussion about ambiguous tap-to-phone signage in public venues and the curiosity (and paranoia) it sparks even among cybersecurity professionals.
- Notable Quotes:
- “You're not going to be sitting there with your head on a swivel going, who around here has the Yagi antenna pointed at my butt?” — Joe (humorous aside on the paranoia of tap-to-pay security) [40:20]
- “It’s like walking down the street and seeing a big red button that just says, ‘Press button’.” — Dave [44:45]
- Memorable Moment:
- Maria’s intrusive thought:
“I was so tempted though. The intrusive thoughts were very loud.” (On whether or not to tap an unexplained NFC label at a venue.) [42:31]
4. Catch of the Day: The "Council of the Ecliptic" Recruitment Scam
[45:33 – 50:18]
Segment Summary:
- The hosts review a phishing email purporting to invite the recipient to a secretive club, “The Council of the Ecliptic.”
- The email flatters and mystifies, asking for total secrecy and simply a reply of “YES.”
- The segment is lighthearted, with the hosts joking about the absurdity and allure of the scam.
Excerpt from Scam Email:
“Your ambition, discretion and resolve set you apart. The world is shaped by those who know how to act unseen. …If you accept, your first step is private and small. Reply to this email with yes. Upon receipt, an envoy will contact you with further instructions.” [46:08]
Hosts’ Jokes:
- Maria: “Oh my God, yes. A million times yes. I'm in.” [47:08]
- Dave: “It’s the Stonecutters, right?” [47:16]
- Joe: “They’re pushing a lot of emotional buttons here, trying to get you to reply. And then I’m guessing that probably the membership fee is pretty steep.” [49:00]
Notable Quotes & Timestamps
- “Meta’s products had effectively become a pillar of the global fraud economy.” (Dave, quoting an internal Meta document cited by Reuters) [11:00]
- "Defaults matter... the default was that there was a mitigation, but it was opt-in. Opt-in mitigations are really not enough." (Maria, on supply chain installer attacks) [25:43]
- “You're not going to be sitting there with your head on a swivel going, who around here has the Yagi antenna pointed at my butt?” (Joe, tap-to-pay scams) [40:20]
- “It’s kind of like, instead of poisoning your glass of water, you’re poisoning the water supply.” (Dave, on the scale of the updater vulnerability) [30:47]
Episode Flow / Structure
[00:00 – 07:06]
- Light banter on "chicken news," personal anecdotes, and segue into main stories.
[07:06 – 18:24]
- Dave leads with the Reuters report on Meta’s complicity in ad-based scams.
[18:30 – 33:00]
- Maria covers the BYOU (“Bring Your Own Updates”) attack class, with discussion and clarification from Joe and Dave.
[34:30 – 44:00]
- Joe shares a Fox News story on "ghost tapping" payment scams. Tangents into NFC security best practices and real-life curiosity with anonymous tap-to-phone requests.
[45:33 – 50:18]
- Catch of the Day: Review and deconstruction of a "secret society" phishing attempt. Group jokes and banter.
Final Takeaways
- Ad fraud and scam-enablement on social media platforms are widespread and under-regulated, demanding increased transparency and liability.
- Default settings in widely used software deployment tools can open gaping holes in organizational cyber defense if not carefully managed.
- Simple, social engineering-based tap-to-pay scams remain effective in public spaces; vigilance and technical mitigations remain your best defense.
- Phishing attempts are increasingly creative; critical thinking and skepticism are vital.
[For more information or to access the original news and research, see the episode’s show notes and referenced articles.]
