Maria Vermazes
You're listening to the Cyberwire Network, powered by N2K.
Dave Buettner
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Buettner and joining me is Joe Kerrigan. Hey there, Joe.
Joe Kerrigan
Hi, Dave.
Dave Buettner
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Vermazes. Maria.
Maria Vermazes
Hi, Dave. And hi, Joe.
Dave Buettner
We've got some great stories to share this week, but before we get to that, we have got a lot of follow up. Actually, before we get to that, I feel like today we finally got the band back together.
Joe Kerrigan
Right.
Maria Vermazes
Yeah, I know. Here we are.
Joe Kerrigan
It's been a while since we've all been here, right?
Dave Buettner
Maria was out and then I was out. And Joe has been the stalwart regular.
Joe Kerrigan
Yeah.
Dave Buettner
For once, the glue holding.
Maria Vermazes
Thanks for holding it all together, Joe.
Dave Buettner
That's right.
Maria Vermazes
We owe you.
Dave Buettner
Yeah. So we've got lots of follow up this week. Let's. Why don't we. I'll tell you why. There's three things here, so why don't each of us take one. Joe, you want to take this first one?
Joe Kerrigan
Sure, I'll take the first one. It says, hi, Dave, Joe and Maria, I love your show. You are part of my weekend routine. I listen to hacking humans while I clean my fish tanks.
Dave Buettner
Oh, I used to have fish tanks.
Joe Kerrigan
Me too. I had a fish that lived like 15 years.
Dave Buettner
Wow.
Joe Kerrigan
One African cichlid.
Dave Buettner
Okay. Yeah, I had some Oscars for a while. They were friendly.
Joe Kerrigan
There we go. Right down the rabbit hole.
Maria Vermazes
I was going to say chickens, fish. Okay. Yes. We're doing this.
Dave Buettner
We'll get to chickens. Trust me.
Joe Kerrigan
This is a follow up from your story on May 1st with the IC3 impersonations. I think that was a story I did.
Maria Vermazes
I think so.
Joe Kerrigan
In that story, you noted that the IC3 stated that they would never contact someone by phone, email, public forum, et cetera. And Joe wondered aloud how they would contact someone if they needed to. I've actually had that happen and I have the answer. While the IC3 will not contact you directly, they will pass the information to the local FBI field office and an agent there will do the communication. As a CIO at a school, I once received an email from just such an FBI agent. I initially thought it was a scam like all other emails from the FBI. Go figure. That would be my first reaction, too. Oh, the FBI doesn't want to talk to me. However, it was professional and well written and seemed legitimate. I am in Central New Jersey, and the agent said that it was. That he was from the Newark field office. I searched for that office and called the main number, which did match the number that he had given in the email. Which is what you should do, right? Look it up in a trusted source. That's a. That's a good idea. And as for the agent, it turned out that the email was real. He wouldn't give me any details, but he wanted to let us know about a vulnerability potentially applicable to us that the FBI had discovered during an investigation. The whole thing was very intriguing and very helpful. Okay. This seems to me like they are aware of somebody doing something and they're watching some network traffic where they're seeing this. Whatever organization he's a CIO of, of whatever this school is. They're getting hit with something.
Dave Buettner
Right.
Joe Kerrigan
So he's letting them know that that's. That's what's going on. But he can't give any details because probably because it's an ongoing investigation. Anyway, I just wanted to pass along that information. That's actually how they make the contact. I learned not every email claiming to be from the FBI is necessarily fake. I guess that's true.
Dave Buettner
Yeah.
Joe Kerrigan
Thank you and keep up the good work. And that's from John.
Dave Buettner
All right, terrific. Well, thanks, John, for sending that in. Our next bit of follow up will be read by Maria. Go for it.
Maria Vermazes
Okay. Hey, Dave, Joe and Maria. I have a question about class action lawsuits. How can we verify these are legit when they appear in our mailbox or inbox? I hate to pass up free money due to corporate misconduct. Also same. But my skeptical mind has a tough time filling out these legal forms and sending them off to some random place. How can I verify that I'm not sending my info to some scammer? The company being sued will not have the info posted on their website. When I look at the website they provide or search for it, I'm often taken to some specialized URL like Walmart class action lawsuit. Officesofbittner, kerrigan and varmontes.com Kudos to that. Which is exactly the sort of URL I'd create if I was going to start up a class action lawsuit scam. If you've already covered this, please direct me to the episode. From Scott. I have the exact same question. Actually, I get these in the mail all the time and I've been sort of punting on these a lot of the time because they give me the ick. But it is free money and I kind of want it. So. Yeah, I don't know what the advice is here, aside from it's free money.
Dave Buettner
It's never very much free money.
Joe Kerrigan
Right. It's like five bucks.
Dave Buettner
Right, right, right.
Maria Vermazes
Three cents.
Dave Buettner
Yeah. But I understand what Scott's getting at here. So I did a little digging and there are some places online where you can check out the legitimacy of the class action lawsuits themselves. And I'll have a link to a couple of these. There's classaction.org, which is kind of a clearinghouse database of all the class action lawsuits. And then there's the National Association of Attorneys General. NAAG.org. NAAG.org, yeah, how about that?
Maria Vermazes
Attorneys general, yes.
Dave Buettner
They need two ways. They need a better marketing, but they have a database of multi state settlements. So which. The bigger class action suits are often that. But so I mean, that's a starting point. I think the point is a good one that the URLs for these things are often very wacky. And so I think the skepticism is well warranted.
Maria Vermazes
Yeah, I sometimes get, sometimes I only get these by email. Like they don't arrive when they arrive in the mail. I'm maybe slightly more inclined to think this might be legitimate, but maybe.
Dave Buettner
Right.
Maria Vermazes
But a lot of times I just get an email and I'm going, yeah, I don't know.
Joe Kerrigan
Right.
Dave Buettner
Yeah, that's true. I mean, I guess I would look around for coverage of that particular class action suit because I do see quite often in press releases and so on. The links will be included there. And so maybe that's a more. At least, if nothing more, it's a place to double check the link to see if you're onto something.
Maria Vermazes
But fair enough.
Dave Buettner
Yeah. I mean the skepticism is warranted. But on the other hand, that's how they get you because you're not going to go after your $10 because it might be a scam. And so it's not worth going after the $10. And then the lawyers just get the $10.
Maria Vermazes
Oh, so we can't let the lawyers win is what we're hearing. Okay, got it.
Dave Buettner
Well, I mean, not if there's an alternative. Yeah, everybody hates lawyers until you need one.
Joe Kerrigan
Right, right.
Maria Vermazes
Fair.
Joe Kerrigan
I actually don't hate lawyers anymore. We have had need for lawyers recently and I've really come to respect a lot of these people.
Dave Buettner
Yeah, yeah, absolutely.
Maria Vermazes
Real estate really, really like having lawyers for a lot of that. Yes.
Dave Buettner
No, no, absolutely. All right, well, thank you Scott, for sending that in, I will field our final bit of feedback this week. This is from Kenneth, who writes in and says, hi, Maria, Joe and Dave. Is there an order in which I should greet you? Should I have included the chickens in the greeting? Kenneth continues and says, I was thinking all about the. Your privacy is important, but not important enough for us to do basic cybersecurity hygiene. Instead of paying executives more letters that I and family members have received, especially from healthcare companies, we froze all credit reports back at the Equifax breach. We've the free credit monitoring from various breaches. There's a lot more here. I'm going to condense kind of what Kenneth is going at. Kenneth basically wants to know two things, two questions. What is the market for private healthcare info for most citizens? In other words, who buys it and what do they do with it? That's an excellent question. I actually looked it up and medical information is much more valuable than other information.
Joe Kerrigan
It is.
Dave Buettner
So, for example, and these numbers are all. Always take it with a.
Joe Kerrigan
They're notional to say the best, to say the least.
Dave Buettner
There you have it. Social Security numbers sell for around $15. Credit card details sell for as little as $3. But medical information starts at around $60. And the reasoning for that is medical information has a long shelf life. Your medical history does not change where your credit card number can be canceled.
Maria Vermazes
That's a good point.
Dave Buettner
Your credit can be locked down. Your Social Security number is only worth so much. But for things like identity theft. Also, the research I did pointed to medical fraud and also extortion are ways that folks can come at you with your medical information. They could impersonate being you or get fake medical services. But also, let's say you've had some condition that you don't want anyone else to know about. They can come at you for that. So that makes the medical information a lot more valuable. Ken, the second question is, what, if any, personal behavior should we change or on receipt of one of these letters? In other words, other than meeting breach disclosure laws, what is the use of such a letter? Well, I think Kenneth is exactly on the nose here. There is no other use for this letter other than breach disclosure, right?
Maria Vermazes
Yeah. What do I do with this letter?
Joe Kerrigan
Well, you can use that letter to sign up for your next year free identity monitoring services, which we all get now all the time for free.
Dave Buettner
Yeah.
Maria Vermazes
Yep.
Dave Buettner
And you can put it in your file for the inevitable class action lawsuit.
Maria Vermazes
There you go.
Dave Buettner
Following year, I mean, I think it's mostly a heads-up kind of thing. To me, those letters provide you a data point for if you suddenly saw targeted attempts at identity theft. In other words, let's say there was a breach at XYZ Clinic, where you have a lot of medical information, and suddenly you started getting information that said, hey, we really need you to log into your account at XYZ Clinic, or, you know, something related to that that seems more. More of a coincidence. Just be mindful of that. Do you guys have any other insights on either of these questions?
Joe Kerrigan
I will tell you this. Your doctor's office does not need your Social Security number. Don't give it to them, because when they get breached, that'll be part of the breach. Your insurance company, you probably can't get away from doing that, but your doctor's office doesn't need it.
Dave Buettner
Maria, Anything.
Maria Vermazes
My only reflection is, honestly, it just all feels very inadequate. The question of what do I do with this information always comes up for me as well. And we touched on this a bit last week. There isn't much, and that just doesn't feel great. And there should be something else that we could do, and there isn't. And there's no point that I'm trying to get to, aside from, I don't like that.
Dave Buettner
No. I mean, I guess big picture. Write your congresspeople. Ask for more robust privacy laws and penalties for these sorts of things. Other than that, move to Europe.
Joe Kerrigan
Yep.
Maria Vermazes
Yeah.
Dave Buettner
Enjoy the warm embrace of GDPR. All right. Thank you, Kenneth, for writing in, and of course, we would love to hear from you. If there's something you'd like us to share on the show, you can email us. It's hackinghumans@n2k.com.
Unknown
And now a few thoughts from our sponsors at ThreatLocker. The tactics used by cybercriminals are becoming more and more advanced every day. The shift from a default allow approach to a default deny is more critical than ever. This is where ThreatLocker comes in. Stay tuned for how ThreatLocker allowlisting and ringfencing has your back.
Dave Buettner
All right, let's get to our stories here. Joe, you want to kick things off for us?
Joe Kerrigan
Yeah. I'm going to talk about two things. Last week, Dave, you missed it, but I talked about some influencer fakery that happens online with. With weights. And when I talked about that in my office, my office mate, Michelle, who is a listener to the show, she enjoys the show.
Maria Vermazes
Hi, Michelle.
Joe Kerrigan
Hi. She said, you know what else they have? They have fake private jet sets.
Maria Vermazes
Oh, I've seen. Yes, I've seen these. Yes, you can.
Joe Kerrigan
Whenever you see an influencer sitting on a private jet. They're not sitting on a private jet. They're on some set maybe in LA. That's where they seem to be centered. But you can actually Google, where around me? There are some. Where, you know, are there any of these around me?
Dave Buettner
There are.
Joe Kerrigan
There are plenty of these around. You have to go, Maria. There's one in Boston. I found one in Boston. So you can take a picture for as little as $45 an hour with a one hour minimum. You can go into a. Into a set that looks just like a Learjet. There's even fake jets outside the window, so. Or you can have it so that they have clouds outside of the window so it looks like you're flying.
Maria Vermazes
I should record an episode of Hacking Humans from there, right? Next time I'll record from there.
Dave Buettner
I saw one incident of this where someone made it appear as though they were on a jet plane going somewhere. And basically they had imitated the look of the jet window by using a toilet seat. Because it's the same shape and it's white plastic.
Joe Kerrigan
Yep.
Dave Buettner
And so by just showing the edge of it, the curve of the edge of a toilet seat. And then beyond the toilet seat was a picture of the sky, you know, and they're kind of holding a drink up, like, oh, here I am in first class on my way somewhere fancy, right? Yeah. So.
Joe Kerrigan
But they're just sitting next to a toilet seat.
Dave Buettner
Yeah, exactly.
Joe Kerrigan
The least fancy thing you can do.
Dave Buettner
Yeah, that's true. That's true.
Maria Vermazes
Horse, per se.
Dave Buettner
Let's class up the joint. Bring me my toilet seat.
Joe Kerrigan
Right?
Dave Buettner
Yeah.
Joe Kerrigan
So I was amazed to see that. And again, that was something that didn't occur to me that these people do they just take fake pictures. And since seeing that I've seen a picture of somebody, I think it was on Instagram or something. I was, for some. I don't know why I was there, but I was there. And there's a picture of a lovely young woman sitting on a plane. And I'm like, it's probably fake. It's probably fake. You can even get a picture of yourself walking into a plane at these sets. Some of them are actually like fuselages.
Dave Buettner
Okay.
Joe Kerrigan
So, I mean, it's amazing. Don't believe anything you see from these influencers. They're. They're up to no good.
Dave Buettner
All right.
Joe Kerrigan
So that's the first thing. Yeah, it's just more of my bemoaning the influencer mindset. The other one is, I want to talk about this actually comes from a news organization. And I can't remember which one it is. KENS 5, K-E-N-S 5, and it's written by Jimmy Baker. The scammers follow the news cycle. And when they follow the news cycle. Have you guys been getting any news? Like I watch the news in the morning when I get up and I'm drinking my coffee. The latest thing that I've seen multiple times is that the Real ID requirements are coming into play now.
Dave Buettner
Yeah.
Joe Kerrigan
So what this is, is you have to have an identification that meets Real ID requirements, which is a federal requirement to be able to board a plane now.
Dave Buettner
Yeah.
Joe Kerrigan
And our IDs here in Maryland have actually been compliant for a while.
Dave Buettner
Okay. I was going to ask you. I have no idea if my ID meets Real ID requirements, so that's a relief.
Joe Kerrigan
Right. Well, I'm going to tell you, I.
Maria Vermazes
Feel like for our non-US listeners, we should probably explain what this is because in a lot of countries they have a national ID, but we don't have a standardized national ID in the US and every state's driver's license is different.
Joe Kerrigan
Different.
Maria Vermazes
So this is sort of an attempt to streamline that with this, with the standard called Real ID. But it's been a mess and they've delayed it many, many, many years because a lot of states just changed.
Joe Kerrigan
I think they're done delaying it.
Maria Vermazes
Yeah, I think it's been like over a decade of delay or something.
Joe Kerrigan
Right?
Maria Vermazes
Yeah, yeah, we'll see.
Dave Buettner
We'll see how compliance goes. Yeah.
Joe Kerrigan
So there is, there is a form of national ID in the United States. It's a passport, and. But every country has a passport and you don't need a passport. You know, nobody, if you are pulled over by a police officer here, they will never ask you for a passport.
Maria Vermazes
Yeah, but there's no, like, there's no thing that every single American citizen has that you can reliably say that everyone's got one. Whereas a lot of countries there is a national ID that everybody gets.
Joe Kerrigan
Yep. Right. And for, for the, the Real ID, it's not. It's more of a standard. Like your, your state driver's license or ID card must have the following features, like a hologram. It's gotta have two pictures of the person and it's gotta be. Have some anti-counterfeiting things. Well, the scammers know. The scammers know that this is a news story that's making the rounds. So guess what they're doing? Capitalizing on it.
Maria Vermazes
Oh, of course.
Dave Buettner
Okay.
Maria Vermazes
The liturgical calendar now adds the Real ID in there.
Joe Kerrigan
Right. Well, I would say this is not something that would go on the liturgical calendar because this is like a once in a, once in a lifetime kind of event. Right. This is not something that happens cyclically, not every year, but. But it is a news event that they're. That they're actually going to. They're going to follow. And it starts with some kind of phishing email where scammers use fake emails, text messages, or even contacting you on social media, which I would be shocked to see the Maryland Motor Vehicle Administration try to reach out to me on social media. And they say, hey, we are trying to catch up with you. You need to get your ID, make it become a Real ID. And then they're going to send me to some web page that actually is. Looks legitimate, but of course is fake, and then it's just the regular scamming from there on out. This is really. We're just talking about the hook here.
Dave Buettner
Yeah.
Joe Kerrigan
There are ways you can check to see if your ID is Real ID compliant. So, Dave, there's actually a tool if you look, if you follow any of the links that anybody links to. Our amazing. Maryland government has changed this webpage, so you can't. None of those older links work anymore. You actually have to go to the Maryland Motor Vehicle Administration's webpage and search for Real ID. And you can enter your driver's license number and it'll tell you if you have a Real ID. And I do. I do have a Real ID, good and ready to go. I don't know about Massachusetts, Maria. I'm sorry, I didn't check.
Maria Vermazes
Yeah, no, I was going to say our state IDs, our driver's licenses were not Real ID compatible. So in the last X number of years, I can't really remember, there's been this huge push, at least where I live, to get people to go back to the RMV, bring a whole bunch of documentation with you so you can get a new license that is now Real ID compliant. And there are so many stories of people showing up with their documentation and they find out that it's not the real thing or it's not the right stuff, and they have to wait hours and they have to keep going back. It's partially part of the reason why I think this thing has been delayed. And especially if you've. If you're in a state where your driver's license is like a piece of paper that's been laminated, trying to get from that to like a card is a whole thing.
Joe Kerrigan
Yeah, I'm trying to understand this. Are you saying that your motor vehicle administration is not the epitome of government efficiency? That it's not, it's not, it's not a pleasant place to spend an afternoon?
Maria Vermazes
No. And the lines are extra long now because everyone's trying to rush and get.
Joe Kerrigan
These clamor to get their Real ID.
Maria Vermazes
But in, in, in fairness, I want to actually be fair to the people. The DMV. I don't think I've ever said this in my life. People are also not really understanding what's required of them, so they're showing up with the wrong stuff or not enough stuff. I mean, I, I, when I had to get mine done, I want to say five years ago, I, I, I follow the rules. I got it done pretty efficiently. But there are a lot of people around me who just kind of showed up with their license and said, give me a Real ID. And they, they just didn't read anything. They didn't understand. So, you know, there's, it's, you know, there's plenty of blame to go around, but it's, it's been a mess.
Joe Kerrigan
So now that I have my Real ID, do I need another, like, Social Security number card and tax return and something that says, yeah, he lives there, or, or do I have the Real ID and that's sufficient? Can I get a new license with that? That's a good question.
Dave Buettner
You need a realer ID.
Joe Kerrigan
A realer ID.
Maria Vermazes
And then there's the realest, the Pokemon evolution of your driver's license. Yes.
Joe Kerrigan
So again, here we are. Remember, scammers watch the news. If you see something pop up like this, and just because you saw it on the news, that, that actually should be reason to give you pause and go, well, wait a minute, let me think about this for a second. I need to, I need to actually go to the state organization that does this and look up how, whether or not I have a Real ID. There are no fines to pay if you don't have a Real ID, there's no financial penalty for not having a Real ID. So.
Maria Vermazes
Right. You won't be able to board a plane though.
Dave Buettner
Right. That's what I'm waiting for is when it comes into effect, how strict are they gonna be? Because, you know as soon as people start getting turned away from airplanes, all hell's gonna break loose, right?
Maria Vermazes
Yes.
Dave Buettner
You know?
Maria Vermazes
Yes.
Dave Buettner
Cause people are already wound up enough at the airport of trying to get through security and all that good stuff.
Joe Kerrigan
It seems like somebody looked at an airport and said, how can I make that worse?
Maria Vermazes
Right, yeah.
Dave Buettner
Exactly.
Maria Vermazes
A family of eight on their way to Disney for that long awaited vacation only to be turned away because they had the wrong id. I can hear the headlines now. It's just coming. You just know it.
Joe Kerrigan
It's going to be a mess.
Dave Buettner
Yeah, I have a story, but we are running long, so I'm not going to share it.
Joe Kerrigan
I also had something I was going to say, but I'll shut up too.
Dave Buettner
All right, all right, tell you what, let's move on to Maria's story. What do you got for us this week, Maria?
Maria Vermazes
All right, I'll try to move through mine pretty quickly. May 8th is apparently Scam Survivor Day, which I just wanted to highlight first because I did not know that. I've been getting emails from the U.S. National Cybersecurity Alliance about this. They have a really interesting push about fighting fraud shame, which is a really great phrase and great term that I think our listeners would be really interested in maybe incorporating into their world. And they have a blog post that we'll link to that I thought was very useful about helping people with fraud shame. So people who've been victims of fraud, we talk about this a lot on the show. How to mitigate, like not making them feel ashamed because again, it's not their fault what's happened. So there's, there are a couple really nice tips in there, but there's one that I just wanted to read because I just thought the verbiage was great. If you are the victim of cybercrime, report it. It doesn't matter if you feel ashamed about it. You are a victim and you deserve help. Losing money and data is not the price of admission for the Internet. I just, I thought that was such a great phrase.
Joe Kerrigan
That's a great way to put it.
Maria Vermazes
Yeah. Just gonna tattoo that on my forehead. It's not the price of admission for the Internet. If this happens to you, it's not your fault and definitely report it. So, yeah, just thought that was awesome. So we'll definitely link that blog post for people. So a story for us to discuss, this one came from, actually Joe Wilkins at Futurism, but also via Joe Kerrigan at Hacking Humans, who sent this to me. So thanks both Joes. And this was a highlight of the book that came out last month called Careless People by Sarah Wynn-Williams. Have y'all heard about this book? It's been in a few news cycles because it's a former Facebooker.
Dave Buettner
This is the woman who worked at Facebook. Right. So sort of an expose.
Maria Vermazes
Yeah. Yet another one of those. I worked there when I didn't realize it was as evil as it was. And I saw some nasty stuff behind the scenes. And I'm gonna tell you everything now that I'm very clear of the shrapnel. So I'm a little cynical about these kinds of books because it's like, really. But she was at Facebook from 2011 to 2017. At some point in her career there, she was their public policy director. And this book, like many of these tell-alls about Facebook, has a lot of confirmation of what has either been known or suspected for some time. And by the way, I just re-upped my Facebook account that has been dormant for five years. So the timing on this was just horrible because I'm going, oh, reopened it. I had to because of my kids' school stuff. There's literally no other way for me to find out what the heck's going on. Like, and you can't even get past that, that wall now that says you have to have an account. So I'm just like, okay, I can't even read it anymore. So I had to re-up my old account and they, they drew me back in. So as for the. The revelations from Wynn-Williams, some of these go beyond even what I had suspected. And as you both know, I'm pretty cynical about this stuff. So things like tracking user locations, likes and interests, that's child's play. We knew that. Monitoring mood based on interactions, posts and comments, words used, par for the course, I think we all would assume, looking for specific words, especially ones that indicate the person writing it is in significant emotional distress. Serving up ads to take advantage of that distress. Exploiting human vulnerability. You know, hacking a human. Yes, yes, they do that too. Um, the one that was really new to me that is getting some headlines is according to Wynn-Williams, Facebook was also tracking when adolescent girl users. Why are they on Facebook? Different question. But adolescent girl users deleted their own selfies and then served beauty ads to them at that same moment.
So just I had to sort of let that one marinate a second. So I'm just imagining they've uploaded a selfie and they've noticed that they've got like a double chin or lacking that certain glow that they're looking for. Here you go. Please buy this very expensive face cream. It's just beyond icky. And again, we've covered allegations of stuff like this for many years. None of this is going to necessarily shock people of its kind, but I think the specificity is always just. Just makes me stop and go, what the heck? Some of these allegations were surfaced back in 2017 in a news report by The Australian. And then when that came out, Facebook actually released a counter report saying we dispute those allegations and they were misleading. And Wynn-Williams says when that came out, all the people who were fired as a result of that 2017 report were let go for basically doing exactly what they were employed to do. So they were the fall guys. And meanwhile, the company was still working on making the micro, micro targeting that they had said that they were going to distance themselves from. They were going to make it available to the advertisers themselves and not just Facebook. So allegedly, according to the book, standard disclaimers here. But I just. Yeah, he is right, Joe. When you sent me this, I was like, I don't want to talk about this, but I think we should.
Joe Kerrigan
Yeah, but I think you kind of have to.
Maria Vermazes
You kind of have to, but.
Joe Kerrigan
Bleh.
Maria Vermazes
Yeah.
Dave Buettner
I wonder if, and this is not an original idea, but that, you know, if we put social media in the same category that we put pornography, you know, a Playboy magazine, that one that, you know, you gotta be 18 to use it. Kids shouldn't be using this stuff because it's demonstrably dangerous and all these bad things come out of it. And the companies are demonstrably despicable when it comes to targeting the children.
Joe Kerrigan
Yes, they are.
Dave Buettner
So let's keep on.
Maria Vermazes
Don't trust them as far as you can throw them. I mean, just, just keep 'em. Keep it really arm's length. Yeah, it's just. Thanks, Joe.
Joe Kerrigan
Sorry, Maria.
Dave Buettner
This is your fault, Joe.
Joe Kerrigan
It probably is.
Maria Vermazes
Yeah. When I responded to you, I was like, gross.
Dave Buettner
Ugh.
Maria Vermazes
But yeah, I'll cover it.
Dave Buettner
Not too gross for me to use for my story this week.
Maria Vermazes
It's great content, Joe. Thanks.
Dave Buettner
Right, right. All right. We will have a link to that in the show notes. I'll tell you what, before we get to our next story, let's take a quick break to hear a message from our show sponsor.
Unknown
So let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up. Where traditional cybersecurity tools require you to create a list of things you don't want to run, ThreatLocker enables you to easily curate an allow list of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and ringfencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust Endpoint Protection platform deploys in a learning mode that analyzes the operations of your company, using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east-west network traffic. We thank ThreatLocker for sponsoring our show.
Dave Buettner
And we are back. My story this week comes from the folks over at Cybersecurity News. And this is about fake Social Security statements. So this is research from the folks over at Malwarebytes, a cybersecurity company. They have found a campaign that is targeting Americans via emails that seem to come from the Social Security Administration. And the messages tell people that their Social Security statement is ready to download.
Joe Kerrigan
Which, which, by the way, I got one of these the other day and I thought to myself, I got to take a look at that because like every two years, if you have a Social Security Administration account, you get this email. Yeah, this happens for real. Now, my plan is not to click on any links in the. In the email, but Rather go to SSA.gov and log in with my account. I'm going to check my email, see if I have it right now. Go ahead, Dave. I'm sorry, I didn't mean to interrupt.
Dave Buettner
Well, so they're asking you to open a file and of course the file is not a statement. The emails look legit. They have all the appropriate Social Security Administration branding, the formatting, everything. But under the hood, there are executable files. And these executable files install an app called Screen Connect, which is a legit remote access tool.
Joe Kerrigan
Ah, no.
Dave Buettner
But once installed, it gives attackers the keys to the kingdom. Full control over your machine. This is linked to a group that the researchers have dubbed Molatari, which is named after the sketchy domains they use, like Olitari, ICU and gomolitari cyou. I don't know what the CYOU domain is. I don't know where that leads to. Yeah, and they're after the usual things, personal data, financial information, all that stuff. They are compromising WordPress sites to distribute the emails, which makes them look like they come from trusted sources. And they embed the email text as images to try to get past email filters. So once this Screen Connect software is up, they've got your machine. They're remotely controlling your machine. So they can run scripts, they can steal files, they can install more malware. And Screen Connect is a real tool so it can slip past your antivirus because there are situations where it's legit. So the notion here is don't trust an email just because it's got a federal logo. Do what Joe does, which is if you get one of these emails, go to Social Security Administration's website and just log in from there. Don't click on any links in any emails.
Joe Kerrigan
Yep. You can also go to socialsecurity.gov and actually, this email actually looks legit.
Dave Buettner
The one you got.
Joe Kerrigan
The one I got. Yeah. Looks like it's actually from the Social Security Administration. So this is what bugs me about this. I mean. I mean, I don't blame the Social Security Administration for this. I mean, these hackers just. Or these. These hackers. They're phishers. They're not even hackers. These guys are just. They're just capitalizing on other things. This might be part of the liturgical calendar.
Maria Vermazes
Might be. I think it might also be taking advantage of some fear in the news cycles about things that might be going on with Social Security and access to it being diminished or getting messed up because of stuff going on. So I know there's been a lot of that in my family circle's discussion about make sure you have backups of those statements in case data goes away. So I think they might be capitalizing on that maybe.
Dave Buettner
Yeah. Little extra anxiety there. Makes you curious. I was thinking too, like, you know, Joe and I are a little closer to this becoming a real thing, a real need and concern than you are, Maria. You know, we're a little closer to those years where keeping an eye on where you stand in terms of your Social Security, just for financial planning.
Joe Kerrigan
Right.
Dave Buettner
Is a necessary thing. Yeah. Yeah. What, you know, 10 years from now or 15, or in Joe's case, next month?
Joe Kerrigan
No, more like 20, 30. I don't know. At what time do they just start sending me checks? Because they have to.
Dave Buettner
Right, Right. Listen, sir, you can no longer put this off. You have to take this government money.
Joe Kerrigan
Right.
Dave Buettner
Whether you're like, they do force you.
Maria Vermazes
At a certain point.
Joe Kerrigan
They do. Yeah. I think it's 72 years old now.
Dave Buettner
Oh, is that right?
Joe Kerrigan
Yeah.
Dave Buettner
I didn't know that.
Joe Kerrigan
Yeah. It's at a certain. At a certain age, they. They make you get on Medicare and they make you take Social Security benefits, and they also make you withdraw from your tax deferred retirement accounts, like your IRA or your 401k.
Dave Buettner
Okay, interesting.
Joe Kerrigan
All that happens.
Dave Buettner
All right.
Joe Kerrigan
I think it happens around 72.
Dave Buettner
Okay, well, very good.
Maria Vermazes
Tell us when you find out. Joe.
Dave Buettner
That's right.
Joe Kerrigan
I'll let you know in at least another.
Dave Buettner
So we'll look forward to that on our next episode.
Joe Kerrigan
No, I'm not that old. Come on. I know my hair has all gone gray. I still got a couple good decades in me. Dave.
Dave Buettner
Oh, Grandpa Joe. Grandpa. Only one of us on this show is a grandparent. Yes. All right, let's move on.
Joe Kerrigan
I love my grandchildren. They're all beautiful.
Dave Buettner
Before Joe starts throwing things. All right, Joe, Maria, it is time to move on to our catch of the day.
Joe Kerrigan
Dave. Our catch of the day comes from a listener named Richard and it is an email that comes from the Chevrolet motor truck company.
Dave Buettner
Richard. In Richard's email, Richard said, like, "I've got pure gold for you guys." And Richard, Richard was not overselling it.
Maria Vermazes
No.
Dave Buettner
Here it goes. It says form Chevrolet Motor Truck Company. I'm Lena of Chevrolet Motor Truck and I am writing to inform you of about your Chevrolet motor truck winning that brought by the United Embassy which has been on our office for so long. Due to the pandemic virus we could not deliver the Chevrolet truck and your funds worth on $30 billion USD. Now it has settled down slowly. The government of USA in the White House, Michigan, the Chevrolet Motor truck have been mandated to be delivered to your address as soon as possible. Thanks. God bless you and also with you.
Joe Kerrigan
That's right.
Maria Vermazes
Not a single piece of punctuation to be found, right?
Dave Buettner
Yeah, no, it's one big run-on sentence.
Joe Kerrigan
Can you fit $30 billion in a Chevrolet motor truck?
Dave Buettner
Oh, that's a good question.
Joe Kerrigan
I'd like to know. $30 billion. Your funds of 30 billion. Who's going to believe. I'm getting angry about this but somebody is going to believe it. $30 billion. You have any idea how much money that is?
Dave Buettner
It's a lot.
Joe Kerrigan
It's a lot of money.
Maria Vermazes
I would like to know somebody wants to give me some so I could find out. I would be very happy.
Dave Buettner
Right. If you want to take, take the bullet and figure out if $30 billion will fit in the back of a Chevrolet truck. The thing is if somebody gives you $30 billion they can keep the truck because you can go and buy a truck for a small percentage of $30 billion. In fact you could buy every Chevrolet.
Maria Vermazes
Truck coming on July, possibly the entire company.
Dave Buettner
Right, right, right. Oh my God. Let's see.
Joe Kerrigan
$30 million in $1 bills would weigh 66,000 pounds. So $30 billion in hundred dollar bills would weigh 660,000 pounds in hundred dollar bills.
Dave Buettner
That would exceed the carrying capacity of your average Chevrol.
Joe Kerrigan
You need a dump truck full of money is what you need. I don't even know you can carry that much.
Dave Buettner
Like a freight train.
Joe Kerrigan
Yeah. I mean, that's a lot of weight.
Dave Buettner
Yeah, absolutely.
Maria Vermazes
Just. You need larger denominations. Yes.
Joe Kerrigan
Yeah, Well, I mean, $100 is the largest one they have, isn't it?
Dave Buettner
Yeah, I think that's it. Yeah. I don't think there are any regularly minted bills that are bigger than 100 anymore. That was the one Montgomery Burns had.
Joe Kerrigan
The one trillion dollar bill. Well, that's very nice. Can I see it?
Dave Buettner
Yeah. Again, this is very silly, but delightfully so. I really am trying to reverse engineer how this came to be. This word salad. Like, what was this run through? Somebody, that this was generated somewhere. It must have been through automation.
Maria Vermazes
Speech to text, obviously.
Dave Buettner
Yeah, well, that's a good guess.
Maria Vermazes
I mean, voice attached kind of thing. Yeah.
Dave Buettner
Maybe voice to text in another language and then translated.
Joe Kerrigan
Maybe.
Maria Vermazes
But how do they misspell pandemic as pen. Pen dam ic. That's the only misspelled word and it's a very interesting typo.
Dave Buettner
Right.
Maria Vermazes
When I've gotten spam like this, it often is just the text with literally nothing else. So there's no phone number, no email, no attachment. Maybe Gmail in my case stripped it all out. But I love it when I get this and it's literally just this text and I'm like, okay, yeah, thanks for this random message that I can do nothing with. If I was going to fall for it, I'm not sure what I'm supposed to do.
Dave Buettner
This did have an email address to. To follow up with, but I, Yeah, I mean, talk about pre filtering somebody who's ready to be hooked. I mean that's the sad reality of.
Maria Vermazes
This, that you must receive this $30 billion. It's been mandated. Right, okay.
Dave Buettner
Right. All right. Well, Richard, you tell no lies. This was pure gold. It was great. Thank you for sending it in. I think that's the most fun one we've had in a while. And of course we would love to hear from you if there's something you'd like us to include for our catch of the day. You can email us. It's hackinghumans@n2k.com.
Unknown
And of course we want to thank this week's sponsor, ThreatLocker. Go to threatlocker.com/HH and check out their Zero Trust Endpoint Protection platform. That's the words threat and locker with no space, dot com slash HH, where you can request a demo and neutralize the threat of malware running on your devices.
Dave Buettner
And that is our show. Brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
Joe Kerrigan
I'm Joe Kerrigan.
Maria Vermazes
And I'm Maria Vermazes.
Dave Buettner
Thanks for listening, Sam.
Podcast Summary: Hacking Humans – "The Band is Finally Back Together"
Release Date: May 15, 2025
Host: N2K Networks
Description: Exploring deception, influence, and social engineering in the realm of cybercrime.
The episode kicks off with hosts Dave Buettner, Joe Kerrigan, and Maria Vermazes reuniting after a period of absence. Dave humorously remarks, “[...] today we finally got the band back together” ([00:39]). The trio shares light-hearted banter, acknowledging Joe’s role as the steadfast member during their hiatus.
Joe addresses a follow-up from a listener named John regarding impersonations of the Internet Crime Complaint Center (IC3). John recounts receiving a seemingly legitimate email from an FBI agent about a vulnerability related to his role as a CIO at a school. Initially skeptical, John verified the email by contacting the local FBI field office directly, confirming its authenticity.
John ([02:57]): “The whole thing was very intriguing and very helpful.”
Dave emphasizes the importance of verifying such communications through trusted sources, reiterating Joe’s practical advice.
Maria presents a question from Scott about discerning legitimate class action lawsuits from scams. Scott expresses frustration over receiving dubious legal forms that promise free money but raise suspicions due to unprofessional URLs and formatting.
Dave ([04:57]): “It's never very much free money.”
The hosts suggest resources like classaction.org and the National Association of Attorneys General (naag.org) for verifying the legitimacy of class actions. They caution that scammers exploit the allure of free money to deceive individuals into providing personal information.
Kenneth poses two critical questions:
Dave responds by highlighting the high value of medical information compared to Social Security numbers or credit card details, citing:
Dave ([08:34]): “Social Security numbers sell for around $15. Credit card details sell for as little as $3. But medical information starts at around $60.”
He explains that medical data has a longer shelf life and can be exploited for identity theft, medical fraud, and extortion. Regarding breach notifications, Dave advises using them as indicators to stay vigilant against potential identity theft attempts.
Joe ([07:08]): “Your doctor's office does not need your Social Security number. Don't give it to them.”
Maria echoes the frustration, noting the inadequacy of current responses to such breaches and the necessity for more robust privacy laws.
Joe delves into two interconnected topics: the prevalence of fake influencer lifestyles and scammers exploiting the Real ID news cycle.
Influencer Fakery: Joe discusses how influencers create deceptive images, such as posing on fake private jets. He shares examples of elaborate setups where ordinary items like toilet seats are used to mimic luxury environments.
Joe ([12:50]): “Whenever you see an influencer sitting on a private jet. They're not sitting on a private jet. They're on some set maybe in LA.”
Real ID Scams: The hosts explore how scammers capitalize on the Real ID implementation news by sending phishing emails that appear to be from legitimate government sources. These emails often contain malicious attachments that install remote access tools like Screen Connect, granting attackers control over the victim’s device.
Dave ([30:53]): “They have all the appropriate Social Security Administration branding, the formatting, everything. But under the hood, there are executable files.”
Joe advises listeners to avoid clicking on email links and instead directly visit official websites to verify their Real ID status.
Maria highlights May 8th as Scam Survivor Day, emphasizing the importance of addressing fraud shame and supporting victims of cybercrime. She references the book Careless People by Sarah Wynn-Williams, which exposes unethical practices within Facebook, including:
Maria ([24:30]): "According to Wynn-Williams, Facebook was also tracking when adolescent girl users deleted their own selfies and then served beauty ads to them at that same moment."
The discussion underscores the pervasive nature of social engineering and the ethical breaches by major tech companies.
Dave presents a study by Malwarebytes uncovering a phishing campaign targeting Americans with fake Social Security statement emails. These emails prompt recipients to download supposedly legitimate statements but instead distribute malicious software that grants attackers remote access to their computers.
Dave ([30:20]): “These executable files install an app called Screen Connect, which is a legit remote access tool. But once installed, it gives attackers the keys to the kingdom.”
Joe shares a personal anecdote about receiving such an email, reinforcing the hosts' advice to verify communications independently.
The episode concludes with a humorous segment featuring a listener named Richard’s scam email, which bizarrely claims a recipient has won a $30 billion Chevrolet truck. The absurdity of the message, riddled with typos and unrealistic promises, serves as a reminder of the nonsensical nature of many phishing attempts.
Dave ([36:18]): “$30 billion in a Chevrolet motor truck. Who's going to believe I’m getting $30 billion?”
The hosts laugh over the implausibility of such scams and stress the importance of skepticism when encountering outrageous offers.
Verification is Crucial: Always verify the authenticity of unsolicited communications by directly contacting official sources rather than relying on provided links or contact information.
High-Value Targets: Medical information is highly prized in the cybercriminal marketplace due to its long-term value and potential for various types of exploitation.
Social Engineering Prowess: Scammers adeptly exploit current events and trending topics, such as Real ID, to craft convincing phishing schemes.
Awareness and Reporting: Increased awareness of cyber threats and proactive reporting can mitigate the impact of social engineering and fraud.
Joe Kerrigan ([12:50]): “Whenever you see an influencer sitting on a private jet. They're not sitting on a private jet. They're on some set maybe in LA.”
Dave Buettner ([30:53]): “Don't trust an email just because it's got a federal logo. Do what Joe does, which is if you get one of these emails, go to Social Security Administration's website and just log in from there.”
Maria Vermazes ([23:51]): “If you are the victim of cybercrime, report it. It doesn't matter if you feel ashamed about it. You are a victim and you deserve help. Losing money and data is not the price of admission for the Internet.”
Conclusion:
In this engaging episode of Hacking Humans, the reunited hosts navigate through listener queries, dissect emerging cyber threats, and shed light on the sophisticated tactics employed by scammers. From deceptive influencer cultures to exploiting legislative changes, the discussion underscores the ever-evolving landscape of social engineering and the paramount importance of vigilance and verification in safeguarding against cybercrime.
For more insights and to share your experiences, visit hackinghumans2k.com.