A
You're listening to the Cyberwire Network, powered by N2K.
B
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey, Joe.
C
Hi, Dave.
B
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis. Maria.
A
Hi, Dave. Hello again and. Hi, Joe.
B
We've got some good stories to share this week. First, let's get into some follow up here, Joe. The most important news correct of the week.
C
This is what? Chicken news.
A
Chicken news.
C
Chicken news. And you'll notice I spelled in the script, I spelled C, H, I, G, G, E, N. Chickens. That's how we say it at home. My daughter has three eggs.
B
Wow.
C
Three eggs.
A
Wait, your daughter?
C
Yes, this is my daughter's chickens.
A
The chickens of your daughter.
B
My daughter's chickens, ladies. Okay.
C
Yeah. I don't know how many eggs my daughter actually has.
B
That's what I was gonna say. She treat them, but they have great value if she only has three.
C
Correct. What you are looking at here, Dave, right Now is about $400 an egg.
B
Oh, in this economy.
A
Yes. Congratulations. You guys are eg.
B
On your tuxedo to have a little scrambled egg.
C
We can't. You can't sell these eggs for $400 a piece.
B
I'm just saying for you to enjoy them yourself.
C
Right.
B
Put on your tuxedo, you know, your fancy dress up because it's a $400 egg. Why don't you gonna eat a $400.
C
You're never gonna do that. Well, actually each egg, each egg that adds, that comes out will. Will lower the cost. And the limit is. Well, it's not zero, but it's. It'll be pretty close to cheap.
B
Yeah.
C
Anyway. Yeah. So my daughter's flock is now laying. This is the second flock she had. You remember we had one flock that was taken out by an insider threat. That's right, Ellie. The dog.
B
Womp womp.
C
That just went down there and murdered all those chickens. I still address that dog as chicken killer.
B
Okay.
C
And my chickens are doing first to find. Yes. First of name.
B
How far do you suppose you are from eggs now, Joe?
C
Well, going by this, when did my daughter. When do I. When did I talk about the chickens getting eggs? When Pope Francis died. I remember his same weekend. So it was Easter. So then shortly after that, my daughter bought another 11 chickens or 12 chickens. And now they're laying here. So that was what, April? And now we're in November. So a little back of the napkin math. I should start getting eggs in the spring, Dave.
B
Okay.
C
Yeah.
B
All right. Well, that'll be exciting.
C
And I don't think one of my chickens is gonna lay any eggs.
B
No.
C
Yeah, it might keep my neighbors up in the morning, but.
B
Oh, no. Oh, no.
C
Yes, I believe it is a rooster.
A
It might make a good stew, though. So get that wine ready.
C
This chicken is too good looking to turn into stew. My plan is, because we can't have the rooster on our land because we have less than three acres. You can't have roosters. But if he is a rooster, which I'm pretty sure he is, my plan for taking care of him and getting him off my property is to actually put him in the fair because he's a really good looking chicken.
B
Oh, I see.
C
And I'll put him in there as what they call a cockerel, which is a male chicken that is under a year of age.
B
Okay.
C
And that means that he will be, you know, in the cockerel class. And then maybe he's an Ameraucana chicken. And man, he is. I mean, when I say he's good looking, man, he is a good looking chick. He's a handsome bird. I should look this good. My wife is very upset that we're probably gonna have to get rid of him. But I think we can find him a good home because of how. Because of how handsome. How dashingly handsome he is.
A
Okay. I'm offended that you haven't shown us a picture of this bird.
C
I will get you a picture of.
A
It because you can't talk about how good looking it is and not share it with us. I mean, that's just mean, right?
B
Sure. All right, well, we'll look forward to that next episode.
C
Yeah. If I get home before the sun gets down.
B
Speaking of good looking chickens, I put a link in here. Are either of you familiar with the Jackraptor project?
C
No.
A
No.
B
So this is a breed of chicken. I think Joe just saw the picture.
A
I did.
B
This is someone who is basically trying to return chickens to their velociraptor roots.
C
Now, hold on. I think they're closer related to T. Rex, aren't they? Whoa.
A
That scares me. Oh, my God.
C
Good Lord.
B
Right? Did you ever think you'd see a chicken that would look as badass as these chick?
C
I mean, this chicken looks like he's a killing machine.
B
I don't want to meet him in a dark alley. No.
C
Well, you say hawk. It's a. Laughter I've seen videos of when hawks come in the chicken pens and there's a rooster there that hawks may not survive that.
B
The rooster.
C
Oh, I believe it's perfectly capable of killing that hawk. And that hawk is a killing machine in and of itself.
B
Right.
A
Well, it makes sense otherwise, I mean, they gotta be able to defend themselves somehow. They can't be just total easy prey.
B
Yeah.
A
So. Yeah. Wow.
C
50 bucks they want for a raptor to join the raptor reserve for a.
A
Little dinosaur that you can keep in your coop.
B
What could go wrong?
A
That's just. Oh, my God. It's both cool and nightmare fuel. Like, that's.
B
I thought this would appeal to you, Joe. I could picture this being just your kind of thing to have not just any chicken. Have a dino chicken.
C
Right.
B
Well, I mean, that's.
C
We call our little dinosaurs out back.
B
Yeah.
C
Well, you know, they move around.
A
How do they taste is my question. And I know they taste like chicken, but do they taste like dinosaur nuggets.
B
Or like they taste like particularly buff chicken? Right. These chickens strut around and make all the other chickens feel inadequate.
A
I mean, I feel inadequate looking at this chicken.
C
That is what roosters do.
B
We'll have a link to jackraptor.com in the show notes. It's something to see, isn't it?
C
Yeah. You should definitely take a look at this.
B
Yeah.
C
Even. Especially if you're into chickens like I am.
D
And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ringfencing is an application container ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from ThreatLocker.
B
All right, let's get to some stories here today. I am going to lead things off today and I feel like this is not justification. What is it when you feel satisfied?
C
Vindication.
B
Vindication. Thank you, Joe. Thank you for my live thesaurus.
C
I am the human thesaurus.
B
Yeah. This is an exclusive report that Reuters released as we're recording this. This came out today and Reuters did a deep investigation into Meta, which of course is the Facebook, Instagram and WhatsApp company. I suspect the three of us all have a similar opinion of Meta.
C
Yep. That is, I think we've made that pretty clear on this show.
B
Yeah. And so that's the vindication here. So this story is looking into Meta's ad network, particularly its fraudulent ad network.
C
Really?
B
Yes. Reuters got ahold of some internal company documents from Meta. And what? I'll just roll through some numbers here. As we all know, Meta has a problem with fraudulent ads.
C
Yes. Right.
B
Scammy ad.
C
Yep.
B
Every flavor of Scammy ad is on the Meta platform. And of course, Meta claims that they're trying to clear that out.
C
Hey, we. We deleted a bunch of accounts.
B
Yeah. Yeah. Well, these numbers run contrary to that claim. Right, so Meta's platforms, according to their own numbers, see an estimated 15 billion ads that the company classifies as high risk. Hmm.
C
Well, 15.
A
So that's not just their total number of ads, that's just their high risk ad.
B
These are the high risk ads. Every day, users of Meta's platforms see an estimated 15 billion ads that the company itself.
A
Not individually, to be clear.
C
Right.
B
No, it's just one guy who's. Bloodshot eyes. Yeah. Sitting in a dark room. And these are ads that show clear signs of being fraudulent. So these are the fake e commerce sites, the bogus investment schemes, the illegal online casinos, and the banned medical products. Okay.
A
Wonder, what's that? What's that ratio compared to things that are. They're pretty sure are legit? I mean, is that. Do they have a ratio or a percentage there?
B
I think we might get to that. So their internal systems flag these advertisers themselves as suspicious, but instead of removing them outright, what do you think Meta did?
C
Well, they just flag him as suspicious and take the money.
A
You're close, Joe.
B
You're on the right path.
A
Maria, I don't think they do anything based on what I've seen.
C
Maybe they increase the price of the ads.
B
Yes, that's what they do.
A
Oh, my gosh.
C
Are you kidding me?
D
No.
A
You can scam our user base, but you're gonna pay.
B
That's right. That's right. We're in this together.
C
So everybody's got a price, I guess. Including a billionaire like Mark Zuckerberg.
B
That's.
A
Well, how do you think he became a billionaire?
C
That's right. Yeah.
B
Yeah. So if Meta's algorithms aren't 95% sure that an advertiser is a scammer, the solution from their point of view is to raise their ad rates. Kind of like a fraud tax.
C
Okay, so when you say 95%.
A
Yeah, sure.
C
Does that mean that if they are 95% sure that this person is a scammer, they jack up the price?
B
I'd come at it a Different way. If there's a 5% chance that they're not a scammer, then they don't delete the account.
C
Okay.
B
Instead they raise the price.
A
Do we know how much they raise the price by? Is it prohibitively high or just, you know, they don't find.
B
No, I know. I don't see that in this article.
A
I would be so curious to know if it's literally just like a little surcharge or if they're actually trying to price them out of business.
C
Right. Because that would be an effective, an effective means if you make this economically infeasible for the attackers.
B
Yeah.
C
Then that may be the goal. But I'll bet.
B
Well, that's the claimed goal, Right. Meta says that's the claimed goal, but obviously it's not slowing them down, right?
A
No, no, no. I'm kind of tempted to try this to see if I can make a fake ad and see what the price difference is with a legit one.
B
Yeah. So in 2024, according to Reuters, Meta made about $16 billion off of these high risk ads.
A
Yowza.
C
Okay, that's a good amount of revenue.
B
It's about 10% of their revenue. So Meta knows what they're dealing with here. According to the documents that Reuters got, their own researchers, Meta's researchers, concluded that Meta's products had effectively become a pillar of the global fraud economy, with one of their internal presentations estimating that its platforms were involved in a third of all successful scams in the U.S. Oh, my God.
C
Wow.
A
Wow. Can we give them a little trophy? Pillar of the global fraud economy.
B
So Meta of course, disputes this. They say that this is an exaggeration. They said to Reuters that the documents that Reuters got distort their approach to fraud and that they invest heavily in integrity and that they had removed more than 134 million scam ads this year alone.
C
134 million scam ads?
B
Yeah.
C
Wait a minute, wait a minute, wait a minute. 140. What was the number of scam ads that happen every day?
B
Was it 5 billion a day?
A
15 billion with a B.
C
15 billion. And they've removed 100 and some million.
B
Yeah.
C
This year.
B
134 million. This year.
C
This year. Okay, so we'd have to do the math here, but I mean, let's just, let's just give them 100 days and just knock that number up. That's 1.5 trillion.
B
Yeah.
C
Malicious ads.
B
It's not one to one though, because the 15 billion is just exposure, not individual ads, places.
C
But they're saying they removed 134 million of of these ads, which is nothing compared to the hundreds of the trillions of malicious ads they're showing.
B
Right? Yeah.
A
A million is less than a billion.
C
Right. So three orders of magnitude.
A
That's just math.
B
It gets worse.
A
Oh, cool. Tough love this, love this for us. Love it so much again.
B
According to Reuters, Meta's own records reveal the company weighs how much scam revenue it could afford to lose. So they have an internal policy that they call their revenue guardrail, which limits enforcement actions that might cost more than 0.15% of total earnings. So for context, that's about $135 million out of $90 billion. Right. So this is couch cushion change for Meta.
A
0.15%.
B
0.5. In other words, if they're cracking down on scams exceeds 0.15% of their total earnings, they gotta dial it back. They're leaning in a little too hard.
A
Like not even a rounding error. 0.15%, that's correct. Wow, the greed. The greed is just eye watering. Amazing.
B
Again, Meta takes issue with how Reuters is presenting this. Meta says that their long term plan is to gradually reduce scam related revenue from about 10% in 2024 to maybe only 6% by 2026. Of course, regulators are trying to turn up the pressure here. The SEC is investigating Meta's role in financial scams. UK regulators have found that Meta's products account for over half of payment related scam losses last year. More than every other social platform combined.
C
Right.
B
Wow. Y thinking about this. And I mean this is all possible because of the lack of regulation that Meta has their space has. Right. These online platforms are comparatively unregulated. Imagine if you were a bank and you knew people were doing fraudulent business through your bank and instead of kicking them out of the bank, you just charged them more. Right, right. Like regulators wouldn't be okay with that.
A
Where are the regulators? Where are they? Yeah, well, I think we know.
C
By the way, I did the math. 15 billion ads per day. 15 billion fraudulent ads per day is 5.4 trillion fraudulent ads per year. And if Meta has removed. Actually, well, you can't really say because when they say they remove an ad, they probably remove an ad campaign.
A
Yeah, yeah. I don't think you can. One to one it, as Dave said, it's a little, it's squirrely, but the ratio's off. I mean, it's just, it's not even close to enough.
B
Yeah. So some possible things that could get Meta to straighten up and fly right in terms of regulatory pressure. They could be imposed with something like real ad buyer verification. Basically, know your advertiser in the same way that financial institutions have to perform. Know your customer checks, put a greater burden on Meta to know who is doing the advertising. Um, they could have mandatory transparency reporting, they could have independent auditing of their algorithms and ad systems. They could have regulated response time obligations. Uh, one of the things this article points out is how even if something's taken down, it takes forever for it to be taken down and then allow them to be liable for platform enabled fraud. Yeah, people come at them.
C
I think that's the one that's going to get them because I'm sure in their EULA there is a binding arbitration clause in there so you can't sue them. I think you take that away, take that away and say, say that, you know, if, if you're scammed out of money, then you don't have to go through binding arbitration. You can go directly to a class action lawsuit.
B
Right, right. So it's an interesting expose. We'll have a link to the story again from Reuters in the show notes. It's, it's quite a read and once again just reinforces how much, I think we're all in agreement among the three of us that if there were an alternative, we would be there in a second.
C
Yep, yep.
A
Yeah, we sure would.
B
No, there isn't. I just feel, I just feel yucky every time I finish. Close out a Facebook window or something like, I want to take a shower.
C
Yeah, it's gross.
B
Yeah. All right, well, that is my story this week. Maria, you are up next. What you got for us?
A
Well, there's some interesting research from the Howler Cell team at Cyderes. Is that how we say the company name, Cyderes? I think so, yeah. They found a systemic supply chain risk in Windows updaters. And this was ringing a bell. I think we talked about potentially vulnerable updaters or updater apps being an interesting attack vector. And then this research came through and I was like, oh, yeah, that sounds familiar. Let's dive into that. So the Howler Cell team branded this, and I love this, yet another acronym in infosec, the bring your own updates BYOU attack vector that lets hackers hijack trusted updaters to run arbitrary code. Which makes sense when you think of how a Windows installer works. What they're doing there, it's running a lot of code. So if you can essentially hijack that legitimate process, then you can bypass a whole lot of security protocols, but also a lot of them aren't even looking at this process. So, you know, why would they be, why would that be hijacked? So, yeah, the idea is that the attackers would abuse legitimate update clients, as I said, to pull from the Internet and run attacker controlled packages. And because updaters and update paths are usually signed and trusted, this kind of activity can look normal and then can bypass endpoint detection and response, AV and app control. So I'm going to read a little blog update, not update, a little blog excerpt that Howler Cell wrote because I think it just summarizes it beautifully and then I'll dive into what they found. So they said bring your own updates or BYOU allows attackers to hijack trusted updaters to execute arbitrary code quietly after gaining initial access. Because the binaries are signed, the paths are trusted, and the behavior appears normal. This abuse often evades traditional security controls. And one example is the app Advanced Installer, which is an app and deployment tool that is used by many of the largest organizations in the world. And it can be leveraged to infect remote computers with malware, potentially leading to a devastating supply chain attack. And I keep saying app, but I really mean application. Sorry, it's a recent. This is an application, not an app.
B
So is this like, you know, I'm updating the drivers from my printer or.
A
You're updating some software, some piece of software? Could be anything, literally anything. Yeah, the blog post actually has a whole list of legitimate software that uses this Advanced Installer app because you don't want to have to. If you're creating software for a thing, you don't have to go, and I now have to create an installer for this software. If one or a perfectly good one already exists, I can use that installer to ship what I got to do. So essentially it's kind of going, this attack is attacking earlier in the. I don't know, it's not the supply chain, but just kind of going backwards a step. Instead of attacking the software, you're attacking the software that is used to update the software. It's really interesting when you think about it. So, giving the lay of the land, the Howler Cell team found a vuln in Advanced Installer 22.7 back in May where they found that the updater would accept unsigned update packages by default. So the first step here was that the updater would support flexible options that can point to remote HTTP endpoints or network shares without integrity checks. Then the attackers could supply a crafted update config that references malicious payloads and then the updater downloads and executes them after presenting a totally normal looking UI prompt. In other words, if the payload is unsigned or unchecked, it would get executed in the user context when presented as a normal update. So very, very stealthy. And then we should note that Advanced Installer does have mitigation for this, but it is opt in, which is often where things get tricky. And that opt in mitigation is install only digitally signed update packages signed with the same certificate as the updater. But as you might imagine, many installers and deployments do not enable signature enforcement, including Advanced Installer's own updater in some cases, where just like, ooh, it goes all the way down. So Howler Cell, which again, they did the research into this, they warned that this is not isolated: many installer frameworks, not just Advanced Installer, and signed update clients expose similar attack surfaces. So I kind of hinted at the beginning of my story about why this is dangerous, because again, it's not attacking software, it's attacking the thing that updates the software. So popular installer tooling like this guy means many vendors and internal applications may inherit the weakness of a vulnerable Advanced Installer. For example, signed binaries and normal updater behavior will let malicious code run under the guise of legitimate updates. That's not a big surprise. And then this kind of activity, specifically because it's really not an attack path that we've seen very often, it can completely bypass endpoint defenses that actually whitelist trusted installers or signed paths. And then as you might imagine, if the attacker gets initial access, because of the level of access that you have through an installer, they can pretty easily maintain persistence and then distribute malware broadly via trusted update mechanisms. So the Howler Cell folks said that in a real world scenario, you could easily imagine this leading to supply chain poisoning, where a single compromised updater or poisoned package could then distribute malware to many different corporate customers. And again, in the case of Advanced Installer, this previous version anyway, a lot of legitimate software that you would recognize uses this. So it's actually quite scary to think that this is a single pane of glass, as you will, if you want to use that terrible phrase. And then attackers do not need administrative privileges or authentication in this specific exploitable flow. They only need the ability to influence the updater URL or config, which is kind of wild if you think about it. It's like, wow, I'm wondering why we haven't heard of this one as much before. I'm sure it has existed. It's just fascinating to read about. So the team that researched this do have some mitigation suggestions here. So for IT admins who have the ability to do this, they're recommending that they scan their environment for updater binaries and runtime use of URL or config options. They do recommend using endpoint detection and response rules to flag updater processes that spawn network downloads or launch unsigned executables. Of course, using block lists and allow lists is really important. So of course you want to block malicious domains and create allow lists specifically for update endpoints, only legitimate ones, requiring code signing for internal application releases and enforcing signature checks in deployment tools. That is again the big loophole here that this type of attack is exploiting. So making sure to keep that included and then including update security checks in procurement and vendor risk assessments. Because again, I don't think a lot of people are aware that this is even a thing. Certainly I wasn't. So the nutshell is that BYOU, the bring your own updates new thing, new stealthy thing. It is powerful. It is a stealthy attack pattern. It does hijack trusted signed update channels to run malware. I thought it was really fascinating. Honestly. Defaults matter. So again, in the case of this specific Advanced Installer version, the default was that there was a mitigation, but it was opt in. Opt in mitigations are really not enough and this is pretty clear. And then for folks who have this kind of visibility into the processes internally, treat update mechanisms as a high risk part of the supply chain. This is super fascinating. I found this blog post really interesting. I never would have thought of update mechanisms as even a way that an attack would be introduced, but got to add that to the pile. So it's really interesting to think how that could be a way in and then present such a problem for so many different software and companies. So yeah, fascinating. Something to be aware of.
B
So help me understand here. And I'm going to try to I feel like perhaps for some of our listeners we may be in the technical weeds with some of this.
A
A little in the weeds for me too, admittedly.
B
Let's try to pull out my weed whacker.
A
Sure.
B
So is the idea here that, again, I'm just going to use my printer as an example? Right. I decide I want to check to see if there are any updates for my printer. I go search for updates for my printer. I get a link that says good news, there's an update for your printer. Is the fact that I'm going to an unknown location, is that what's going to get me the infected update to my printer via an installer? Or have the bad guys actually infected the installer at the printer provider's website? Do we know?
A
I'm trying to. I think the part where my brain's getting a little stuck is this is not like a driver thing. So that's. They make a point of saying this is not specifically that kind of a thing. It might help to look at the, for example, the list of different companies that use Advanced Installer in this specific case. So it's things like Dell, eBay, Apple, Sony, a lot of these companies that might be deploying their own software. Somewhere in the process, the configuration is not done correctly. So the installer itself is being exploited. Yeah, I guess I'm trying to figure.
B
Out where at what stage of the game do the bad guys get in.
A
I'm trying to figure out if this is, I don't think this is something where someone's going to a website and it's not a consumer level thing. This is going to be more of an enterprise admin, enterprise thing. So, yeah, it's.
C
When I first started in the tech field, one of my jobs, we had an updater inside for Windows. Like your Windows system could update itself by going out to Microsoft. But if every computer in our network, which was at the time just one big network, and it's a security nightmare, but if every computer went out at night to update, it would shut the, you know, it would be a denial of service. You wouldn't be able to do it. So what they had on the inside was they had one updater server, one update server that would go out and pull the update from Microsoft and then that could be distributed in a managed way across all the Windows machines in the environment.
B
Right.
C
So it sounds like it's something like that.
A
Yeah, it's, it's. I think this is definitely something where like the average employee at one of these companies is not going to encounter this. But when you're talking about the, the update path, this is something where if somebody pulls something. Yeah, I don't. That's a great question actually, Dave. Where exactly does the attacker come in here? Where does the, where does the, the misconfig become introduced? I'm not entirely sure.
B
Okay.
A
And then part of the reason I'm kind of, I'm a little quiet right here is I'm going back and rereading the blog post to see if I missed that. So it allows attackers to hijack the trusted updaters. So the paths are trusted. So that's a great question. Maybe I'm missing something here. There is a malicious update configuration file. So somehow whoever is responsible here is being pointed to the malicious configuration file and then it's being hosted on a remote server. So you have to trick the updater into presenting that. I'm not sure I actually understand that part either, Dave. That's a good question.
C
It sounds like they have to get in somehow.
A
They have to get in somehow. Yeah.
C
Change the configuration on the updater.
B
Yeah, yeah.
A
It's a thing where it's doable. I don't. But again, it's not like it's a phish, where it's a thing where the average user has to be aware of it.
B
Yeah. And it's kind of like instead of, you know, poisoning your glass of water, you're poisoning the water supply.
C
Right?
A
Yes. Yeah, that's a really great way of putting it. So, yeah, I'm reading through the blog post and I'm thinking to myself, I'm looking at like the checksum and stuff, and usually that's people make sure to run them and you know, use and check against the checksum. But why would that be bypassed in this case? I don't know, because people are working fast and miss stuff. I'm not really sure. I feel like this is where our IT friends could definitely fill me in on this one because I have not had to do that as part of my job. So I'd love to know. Yeah.
B
Well, if one of our listeners has more detailed insights into this or can help spell it out, let us know. We'd love to hear from you and we'll provide some clarification as we find out ourselves. But I guess the bottom line here is be careful where your installers come from.
C
Well, I mean, the bottom line is turn on what should be already turned on. Right. Signing. Only install signed updates from the same certificate that installed the software initially, or use the PKI infrastructure. I just did it again. I'm going to burst into flames. The I in PKI stands for infrastructure. Use PKI to validate everything.
A
Yes. Remember, the mitigation for this is opt in. So if you're not opted in, you're not going to.
C
And it shouldn't be. This product should be secured by default.
A
Yeah, it really should.
C
Yeah.
A
And actually that's something that Howler Cell mentions at the end is that they did responsibly disclose this one to Advanced Installer and they said that basically they're aware of it, but it doesn't sound like that issue has been entirely mitigated. I don't want to miss a. What's the word I'm looking for?
C
Misrepresent.
A
Misrepresent. Exactly. What's going on. But they're saying that essentially what they've identified is an. I'm having a total brain fart on words today. But yeah, it sounds like this is still somewhat of an issue.
B
So, Joe, you need to play wordle today, right? All right, I tell you what, we will have a link to that story in the show notes. Let's take a quick break. We'll be right back after this message from our show sponsor.
D
And now back to our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core ThreatLocker product focused on endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are allowlisting, ringfencing, and network control. Allowlisting is a deny by default software that makes application control simple and fast. Ringfencing is an application containment strategy ensuring apps can only access the system resources they truly need to function. Network control locks down access by port, source IP or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world class endpoint protection from ThreatLocker. And we thank ThreatLocker for sponsoring Hacking Humans.
B
And we are back. Joe, you are up next. What you got for us, Dave?
C
My story comes from everybody's favorite news source, Fox News. Yay. Surprisingly. Surprisingly, it's not a political post though, so it's a story from Kurt Knutsson, with two S's in his name, which I think is weird, but he's a cyber guy. Report. It's not really weird. It's probably just the way his family spells his name and always has.
B
Yeah.
C
So sorry, Kurt, but the. There's a couple things in this story that are not exactly 100% correct, but there are. The story is about a ghost tapping scam which targets tap to pay users. Dave, you pay with your Apple phone, correct?
B
I do. I pay with my Apple phone. I pay with my Apple watch. In fact, the last time I was on vacation, I got into Disney parks using my Apple Watch. Really? I could just tap on a little thing and a little thing light would turn green and they'd say, please come in, sir.
C
Right.
B
It's very fancy.
C
Let the velvet open the velvety rope. You know.
B
That's right.
C
Come on in.
B
Mr. Bittner, Mr. Mouse is waiting for you. Mr. Bittner. Yeah.
C
In your private dining room. That's right. So here's how this works. They're talking about the wireless technology that's in your credit cards, which is an RFID chip. And this story talks about scammers who use near field communication devices that mimic legitimate tap to pay systems. Now, I think technically the. The device is an RFID reader, not a near field communication, because that's what you have on your phones. And your RFID is what's in a credit card. Because there's no power on an RFID system until it comes into contact with an RFID reader's field. It's essentially a small radio field. Yeah, I think I'm being way pedantic.
A
About this, but you're not known for pedantry, Joe.
C
Right? Am I me? So what happens is, these scammers pose as charity vendors or market sellers who only accept tap payment. And they will come up to you and they'll say, hey, I've got to get this done really quickly. I got a hundred other people I got to talk to. And they don't want you to pay attention to anything that's going on in terms of the amounts. And then they will charge you far more than you initially thought you were being charged. There's some real world cases here where people have lost hundreds or a thousand dollars.
D
So.
C
And they're also using systems that come close to, like, your wallet and go through your wallet. They are able to emit a field into your wallet. Now, I think this. Dave, you and I are both amateur radio operators, right?
B
That's true.
C
So we're familiar with antenna design.
B
Yes.
C
So if you have a regular RFID reader, it has an antenna inside that emits a signal. The RFID goes into that field and is actually powered by that field. This is the same way that you would charge an electric toothbrush.
B
Yeah. I can't remember if you were with me, Joe, but I saw Kevin Mitnick demonstrate this once. Of course, Kevin Mitnick, who has passed away.
C
Yes.
B
But he was a world famous hacker. For the folks who may not know who he is. Famous. Notorious. Depending on your opinion of Mr. Mitnick. But he was always nice to me. Yeah, me too.
C
I did meet him once. Yeah, he signed some of my 2600s and said "Free Kevin" on the front of them.
B
Oh, nice.
C
Yes.
B
So Kevin was also kind of famous for having business cards that were lock pick kits.
C
I have one of those, too.
B
Yeah. So I saw Kevin do a demonstration where he had a specialized piece of equipment that could basically do these kind of scans at a distance.
C
Right.
B
And very effectively.
C
So what that is is a directional antenna. So if you focus the energy and actually because the attacker is in control of the transmitter, they can emit a lot more energy than is needed for a standard transaction. Now, good news is that modern chips use the same kind of tokenization that happens on your near field communication, on your Apple Pay and your Google Pay and your Samsung wallet and all that stuff. Okay, so you're not going. They're not going to steal your credit card details, but these guys aren't really doing that. What they're doing is they're just running a bunch of charges on your credit card or your debit card. So the question is how to protect yourself from this. You as an individual, of course, you have to go out and buy one of these fancy RFID blocking wallets or card sleeves. It's essentially a little Faraday cage is the term of art.
B
Yeah.
C
That the. When the signal encounters that, it doesn't go any further, stops it.
B
Right.
C
And then verify before you tap. In other words, look at the amount you're being charged before you tap the tap to pay device. If they're using a regular device, set up instant alerts. I have this on every credit card that I have that will allow it. Every time a charge is made, I get an alert and I can look at my phone and see how much I was charged.
B
Yeah.
C
So I know exactly how much I paid for my bagel and coffee at Dunkin Donuts. They always ask, you want a receipt? I'm like, nah, I got a text out the door. I go, so that's really how you protect yourself. Be cautious in crowded areas. I mean, that's really not very helpful. I mean, you're not going to be sitting there with your head on a swivel going, who around here has the Yagi antenna pointed at my butt? Right. You know, that's just not something any normal human being is going to do.
B
I don't think that's a phrase that's ever been uttered in the history of the English language.
A
Joe, add that one to the pogo stick one. Joe, what was the.
C
What was the pogo stick? What I wanted to accomplish on this pogo stick.
B
He's got the Yagi pointed at my butt.
C
Right.
A
Okay. We really need some Joe merch.
B
That's why Joe's no longer invited to the ham radio club meetings.
C
Right, Right.
B
So a couple things here. Another tap-to-pay thing that I'm a big fan of, that I've used several times in the past month for the first time, is they have tap to pay with your iOS devices on the Washington D.C. Metro. This is.
A
Oh, yeah, that's right. Yeah, yeah, yeah.
C
So you don't have to go to a fare machine anymore. Fare card machine, no.
B
You just strut on up with your phone, tap it on the little receiver thing, the gates open and out you go. Yeah. And on the other end, you tap it again and you're all set. It's wonderful. It's the way it should be. So let me ask you this.
C
Yeah.
B
I was at a venue last week. Actually, both Maria and I were at a venue last week. We were at a cybersecurity conference where we were presenting.
C
My invitation. Must have gotten lost in the mail.
B
Must have.
A
Did mention you, though, Joe.
B
Oh, good. Okay.
C
Say my name.
B
This was an auditorium. So imagine movie theater seating.
C
Okay.
A
And so I know where you're going with this.
B
I'm sitting in the seat and I'm looking at the stage and I look on the seat in front of me, there's a little label that says. All it says is tap your phone here.
A
Yep.
B
And there's a little like, you know, wifi looking logo.
A
Tap your phone. The little NFC. Yeah, the field. Yep.
B
So let me ask you, Joe.
C
Right.
B
You're sitting there.
C
Yeah.
B
Every single seat in the place has a tap your phone here on the back of it. Well, actually, I should probably ask Maria. She's the clicker.
A
Yeah.
B
What do you do?
A
I did not do the thing. I was so tempted, though. The intrusive thoughts were very loud.
C
I'm so curious, what happens if I.
A
Do tap on here? It was also annoying me because it's like, okay, even if I wasn't an infosec person, it doesn't tell me what to do that for. It's just bad messaging. Doesn't say tap it for what reason? What am I going to get out of this? Like, are you going to charge me a million dollars? Are you going to download something to my phone? I mean, are you going to make it explode? I don't know.
B
Are you going to bring me a cocktail?
A
Yeah, it might be. Yeah, imagine it could be something nice. Yeah, I didn't go that way. So, yeah, they don't tell you what to do it for. And I was thinking to myself, maybe it's just a magnet and it just lets your phone stick there. I have no idea, but I don't want to find out. I actually didn't do it.
B
Well, I did.
C
Oh, you did?
B
I took one for the team.
C
What happened when you did that?
B
So a little alert popped up on my phone that said, do you want to connect to? And I'm just making up a name here, like locationvendor.com. So it's connected to some kind of service that the venue pays to use. I'm guessing that it is a way to order drinks and food and stuff like that from your seat through your phone, because it'll tell them what seat you're in. That's my guess now. So I clicked enough, I tapped, and that popped up. I did not click through.
C
Right.
A
Because you didn't give them your payment information, Dave.
B
I did not. No, I didn't. I did not. But sort of what you were saying, Maria, like, the lack of information that they give you on this, all it.
A
Says is it bothered me.
B
It says, tap your phone here.
A
Yeah.
B
Okay. And I did.
A
Taking the paranoia tinfoil hat off, I was like, for what reason? Like, what is the point of this? Yeah, it bothered me a lot.
B
Yeah. So.
A
Because, like, if it was the Wi-Fi, it didn't indicate that at all. Like, hey, tap here to join the Wi-Fi. It would have just been so easy. And they didn't do it.
B
Right, Right. It's like walking down the street and seeing a big red button that just says, press button.
C
Right?
B
Right.
A
You know I would press that button.
B
I know, Joe.
C
I would. That is something I'd do. I'd look up first to make sure there's not some kind of, like, Looney Tunes safe hanging above my head. Or a piano. Yeah, that would be my first thing to do. But then once seeing just clear sky, I'd push that button.
B
And that's when the trapdoor opens beneath you.
A
See, the answer is you use a very long stick.
B
Right, Right.
C
A broom handle.
B
Yeah. All right, well, we will have a link to that story in the show notes. Joe, Maria, it is time for our catch of the.
C
Dave, our catch of the day comes from the phishing subreddit, and it says you are. The subject is an Elect Evite.
B
Yes. The Elect invite.
C
The Elect. I'm sorry. I read that totally wrong. I botched that. It's the Elect invite.
B
Yeah.
A
Here, let me help you out here, Joe.
B
There you go. Thank you.
C
Ooh, even better.
B
All right, so it goes like this.
C
Oh, hold on. We should tell everybody what Maria just did. She enlarged the image so I could read it.
A
I made it bigger so you can read it.
C
My old man.
B
Oh, okay.
C
Thanks, Maria.
B
That's really cool. The large print edition. Yeah, it goes like this. Esteemed applicant, the Elect extends a singular invitation. You have been observed. Your ambition, discretion and resolve set you apart. The world is shaped by those who know how to act unseen. Those who understand power and responsibility alike. If you accept, your first step is private and small. Reply to this email with yes. Upon receipt, an envoy will contact you with further instructions. Membership is not a promise of fortune. It is access to counsel, knowledge and a community bound by strict secrecy and mutual aid. Those who join do so with solemn commitment to the Circle's code. Discretion is paramount. Keep this invitation to yourself and respond only by the channel above. Mr. J, the Council of the Ecliptic.
A
Oh, my God, yes. A million times yes. I'm in.
C
I wouldn't find a hard time not responding to this with yes, just to.
B
See where this goes. It's like the Stonecutters, right?
A
We do. Yes.
C
Also, it sounds like the guy from Men in Black. Mr. J. And you're going to be Mr. K when you get there, right?
B
Right, Right.
A
The Council of the Ecliptic. Oh, my God. I want to be part of this. That sounds amazing.
C
So do you know what the ecliptic is?
B
No.
C
The ecliptic is the path of the. From the Earth's point of view, it's the path that the sun and the moon and all the planets take through the sky. So it's where all the zodiac signs are. Pisces, Sagittarius, Leo.
B
Interesting. I'm surprised you didn't know that. Maria, space person.
A
I was thinking. I've never heard ecliptic. I don't know, astrology stuff. That's not a thing I'm familiar with. But I was thinking. Okay, so if it's about the zodiac, does this mean this is outreach from the Zodiac Killer?
B
No, I think.
C
Is he in jail now? Didn't they catch him?
B
Who knows?
A
They caught the Zodiac Killer.
C
Didn't they kill you? Hold on.
B
I don't know.
A
He's probably like Moses in jail.
B
He's probably like the Dread Pirate Roberts where they just roll over a new one every now and then. So, looking at this, several things jump out. They want secrecy from you. They want you to act right away. They're offering exclusivity. They're flattering you. They're saying you have ambition, discretion, and resolve that set you apart. So, yeah, pushing a lot of emotional buttons here, trying to get you to reply. And then I'm guessing that probably the membership fee is pretty steep.
C
Yes, that's probably where that's how they get you, Dave.
B
Yeah, the ongoing membership fee. It's really the breakfast fees that get you. It's not just a membership. It's ongoing stuff. So.
C
The Golden State Killer is the one they caught. And that's who I was thinking of. The Zodiac Killer, who was active in San Francisco Bay. He has not been identified.
A
Well, as I said, it's Ted Cruz, so we're good. It's fine. He's all right. We know where he is. This is a meme. I'm not serious. Please don't sue me. Ted Cruz?
B
Yeah. Ben Yellen's from the San Francisco area. Just saying.
A
Have we seen him in the same room as his own?
B
Well, I mean, he's not there anymore, so maybe he had to flee the area. You never know. These are how rumors begin.
C
Some of these killings happened, I think maybe before Ben was born.
B
Yeah, well. Well, it's always a good thing to say something bad about a lawyer because they're not going to come after you. All right, well, that is our catch of the day, and of course, we'd love to hear from you. If there's something you'd like us to consider for the show, please email us. It's hackinghumans@n2k.com. Thank you.
D
To ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks, for sponsoring Hacking Humans. Visit threatlocker.com.
B
And that is our show. Brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Carrigan.
A
And I'm Maria Varmazes.
B
Thanks for listening.
Podcast: Hacking Humans (N2K Networks)
Date: November 13, 2025
Episode Theme:
An exploration of deception, influence, and social engineering in modern cybercrime, with a focus on fraudulent digital advertising, supply chain vulnerabilities via software updaters, and tap-to-pay scams in payment systems.
This episode peels back the layers on some of the latest, most insidious forms of cybercrime targeting both individuals and organizations. It covers:
The tone is conversational, candid, and sometimes sardonic, especially when discussing the ethical lapses of major tech companies or the absurdity of some scam attempts.
[07:06 – 18:24]
Joe joking about Meta’s greed:
“Well, how do you think [Zuckerberg] became a billionaire?” [10:12]
[18:30 – 33:00]
Dave’s analogy for the attack:
“It’s kind of like, instead of poisoning your glass of water, you’re poisoning the water supply.” [30:47]
[45:33 – 50:18]
Excerpt from Scam Email:
“Your ambition, discretion and resolve set you apart. The world is shaped by those who know how to act unseen. …If you accept, your first step is private and small. Reply to this email with yes. Upon receipt, an envoy will contact you with further instructions.” [46:08]
[For more information or to access the original news and research, see the episode’s show notes and referenced articles.]