A
You're listening to the CyberWire Network, powered by N2K. Hello, everybody, and welcome to the Hacking Humans Podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I am Maria Varmazis and joining me this week is Joe Carrigan. Hello, Joe.
B
Hi, Maria.
A
Hello. Hello. And also joining us this week is friend of the show, Michelle Kellerman. Hello, Michelle.
C
Hi, Maria. Hi, Joe.
B
Hi, Michelle.
A
And I should note that our friend Dave Bittner is at RSA at this very moment rubbing elbows with one and only Hugh Jackman. So we'll give him a pass for not being here this week, but we'll hold it against him a little bit
B
because I'd blow you guys off for Hugh Jackman as well, just so you know.
A
Yeah. Yeah.
C
Okay.
A
Well, that's great. Well, Hugh Jackman aside, we do have some interesting stories to share this week, but first let us get into our follow up, and I do have some follow up for us this week. So this one comes from a listener named Bruce and he wrote this. I volunteer with the local group Senior Center Tech Connect. And also, Bruce, thank you for doing that because that is a very important service. So thank you. I have been listening to most of your podcasts for a couple of years now as we are always helping local seniors avoid all the scamming, spamming, phishing, etc. attacks. Again, thank you, Bruce. But I was the target of something I've never seen. And our volunteer cybersecurity expert says it may be part of an email bombing attack in retribution for recent attacks on Iran. Yesterday I started receiving a huge number, several hundred, of obvious spam or scam emails for a period of maybe an hour of panic, selecting large blocks of these emails and sending them to my Gmail junk folder and sending to trash. I was beginning to think they would never stop. And it looked like Google's filters were not working. But after an hour I reduced the incoming number to a mere trickle and by today I've only gotten an occasional specious email. Most of them are addressed to my personal Gmail account, but with multiple periods between the letters of my address. Has anyone else. Yeah, has anyone else experienced this type of activity? Our volunteer cybersecurity expert says the local hospital he contracts with had received an even larger amount. I fear that if any of our local seniors encountered this, they would freak out. Please keep up the good work, Bruce. Yeah. So what are your thoughts on this, Michelle and Joe, what are your thoughts?
C
Well, a couple things. One, it's really interesting seeing some of the, like, roundabout ways that we're feeling the impact from the war in Iran. I'm a volunteer first responder and the attack on Stryker took away our ability to get EKGs in the field. Our medics were severely limited without that, which was very frustrating because one of their. Yeah, their LIFEPAK that runs a whole bunch of information and monitors was unavailable, some of the functions. So we were not having a good time about that. But yeah, I also learned about, for email addresses for Gmail, if you add periods in between the email address, you can technically create another email address, but it still routes to your email address. Yeah, it doesn't change the name. Also, there's a lot of ways around some of the filters if you are not careful.
A
Yeah, I use the periods. And also you can add a plus after your name or whatever's in front of the AT symbol. You can add plus.
C
Yeah.
A
Or I do like plus spam or plus the name of the service I've signed up for so I can see who's reselling my email address.
C
Yeah.
A
As it gets passed around the Internet.
C
I learned that a couple weeks ago.
A
Yeah, it can be handy. But it's interesting to see that this attack was iterating on their email address with the sort of period trick. And I'm wondering, Joe, if you have any thoughts about this type of attack also.
B
Yeah, my concern would be that this is an email bombing attack that's trying to obfuscate something else. So typically when you have an email bombing attack, there may be somebody else in your email. I don't know how this works off the top of my head, but the message is, or the intent is to lose a real message in a flood of spam.
A
Yeah, it's like a DDoS attack almost.
B
And Bruce is saying that he was selecting large swaths of his emails and just sending them right to spam. It doesn't sound like. It sounds to me like Bruce knows what he's doing, so he probably has multifactor authentication on his email. So there's probably not somebody else in his email account. It. It could be exactly as he says, but whenever you see this kind of thing, that is the first thing you should do. And there's a note in here. I. I don't know who added this. Did you add this?
A
I added. Yeah, I added the note about subscription bombing. I was going to follow that up. Okay. About what? What I found. MITRE covered sort of the basics about subscription bombing, but so, yeah, I, I will include this link in the show notes. This is MITRE's own post about what subscription bombing is and how it works. But as you said, Joe, it usually. It's like a DDoS. It obfuscates that there's a legitimate email in the middle of the flood that indicates that actually something has happened to an account that's connected.
C
The other thing, if you get enough of those and you're irritated, you try and hit unsubscribe, and the unsubscribe link is the malicious link.
A
Oh, yeah, good point. Yeah, good point. Yeah, there's a lot. What I thought was very interesting was that this can also be used as sort of a forward attack before you get an inevitable phone call that then starts this social engineering against you as a target. So it'll say, hey, I'm calling from whatever service, and, you know, we think that your account's been compromised. And of course, they're the ones that have done it. So a lot of the advice that I saw about subscription bombing or email bombing was essentially, if you are the victim of something like this, just assume that you have been involved in a security incident. Change passwords that are, you know, for sensitive things. Check for fraudulent transactions, you know, with your credit card or whatnot. But also be especially wary of incoming phone calls. And as Michelle said, don't click any links in those emails, even the unsubscribe links. They could be fishy. Yeah, yeah, absolutely.
C
Like, fear is a very powerful feeling in this game. So is irritation.
A
Yes. Yeah, it is.
B
I want.
C
You're annoying me. I'm not thinking that. Like, you're suspicious. I'm going to think that you're annoying. Yeah, it works.
A
Yeah. I would imagine for those of us who are Inbox Zero types, this would be especially annoying, but if you have 20,000 unread emails. Yeah, I was going to say, Joe, you're not. So you're like 20,000 unread emails. What's 500 more? Meanwhile, I'm in box zero and this would drive me insane.
C
You couldn't talk to me for the day.
A
You would be dying.
C
I would be ruining the vibe everywhere. You could not talk to me for the day.
B
I think I have 400 unread emails in my work email inbox just right now.
A
Yeah.
C
So you wouldn't even notice those emails, Joe.
B
Yeah, but I. I'm not saying I don't read them. I don't. I don't. It's not that I don't read them, it's just that they are. I know what they are. And particularly if an email comes in as just like one line and I can read the entire line in that little two line preview and Outlook, I don't open it. I got the information. So it just sits there.
A
So TL;DR, don't try this on Joe. It won't work. Apparently Michelle and I are great victims for this, so send them our way. I don't know why I'm saying I'm gonna regret that immensely.
B
I don't want to come back.
C
I don't have problems now.
A
You're welcome, Michelle.
C
Sorry.
A
Well, on that happy note, why don't we get into our. Do you have follow up, Joe?
C
No.
B
No. In my raffle email right now I have 20,832 emails, 20,000 of which are unread.
A
Oh, my God. How do you.
C
Trustworthy individual?
B
I don't think that's right.
D
Every attacker counts on one thing. Environments that trust too much. ThreatLocker closes that gap with default deny at execution. Unknown software blocked. Trusted apps contained with ring fencing. Configurations verified with ThreatLocker DAC so you stay secure and compliant. ThreatLocker delivers the visibility and control CISOs need without adding operational pain, making zero trust real for teams of any size. Stop ransomware at its earliest point. Book a demo@threatlocker.com N2K.
A
So now that we finished with our follow up, Joe, why don't we get into our stories? And I believe you're first today, so.
B
I am first.
A
You are. Go for it, Joe.
B
I have a story from The Record and this is from Alexander Martin, and it is a story about the British government sanctioning a. A Chinese cryptocurrency marketplace. It's called. I'm probably messing this up, but it's Zinbi or Jinbe, Shinbi. I'm not. I'm not good with Chinese pronunciations. I mean, first off, Chinese is a very difficult language for someone who grew up learning an Indo-European language. It's a completely different family of languages, but that's neither here nor there. The British government has sanctioned JINB as a global human rights problem. And the Foreign Ministry, the Foreign Office, officially has designated them as a global human under its global human rights sanction regime, which Britain is the first country to do this. I'm assuming that in Britain they mean the UK because that's an entirely different thing than Britain. Britain's just the island that contains England, Ireland and Scotland, or England, Scotland and Wales.
A
I'm only chuckling because, yes, you are correct, but I think that level of pedantry is just. Okay, but understood. No, I know.
B
My alter ego, superhero. Captain Pedantic.
A
Oh, my God. Let's keep going, Joe. Let's keep going. All right.
B
In the government's official designation, Zinbi was described as having enabled and profited from the operation of scam centers across Southeast Asia, which we've been talking about that a lot. And there is a very, very British quote in here from the MP who. Who was talking about this, and he says our sanctions today send a clear message. We will not allow British people to become victims of these dreadful scams or tolerate the awful human rights abuses perpetrated in these scam centers. And this is Stephen Doughty. He's the government's minister in Europe, North America and overseas territories. We must keep the pressure up on dirty money and those who benefit from it.
C
Dirty money.
A
Yeah.
B
Yeah. This is not how I would characterize it, with words as kind and polite as this. But the Brits are very.
A
Because we're dirty Americans, that's why.
B
That's right. The reason they did this is because there's a company out there called Chainalysis, or chain analysis, that does cryptocurrency tracking. And they were able to demonstrate that this platform has processed 19.9. We'll just say, 20 billion in transactions between 2021 and 2025. Wow. So that's, you know, assuming that this is a growing thing, right, that they didn't. You can't just divide that number across evenly across these four years. You know, it could mean as much as like $8 billion last year, or even if it isn't, let's just say, $5 billion in processing of these. They've laundered 5 billion of $5 billion of money a year for the last four years. Huge.
C
Yeah. I think that's a big thing that is that this kind of scam is shedding a light on is how much dirty money there is. Every single time I see one of these stories, it's like, this platform does 20 billion, and this platform does 47 billion, and this platform does 1 trillion. And this platform is evil. We can't even calculate the number as a money coming from. I don't think there's scam on the planet, but. Yeah. Yeah. So you just. It really shows how much. There's so much more to everything than.
A
And that's just what we know about. I mean, that's the crazy thing is that this. There's got to be. It's. This is probably just tip of the iceberg, which is a staggering amount of money. Even what we do know about it's right. It's scary.
C
GDP? What are you talking about?
A
Yeah, yeah, several countries' GDP. Yeah.
C
Like I'm having a hard time with the scope of just how much dirty money there is that we didn't know about, but now can at least they put eyes on it.
B
Last week I covered an Interpol story where they said it was like half a trillion dollars in global fraud. And again, that's just what we know about. Half a trillion dollars. It's so much money.
C
Crazy.
A
That is crazy.
B
The designation that the UK has put on jinbe highlights the support for their number eight park, which is. Chainalysis says this is an industrial scale scam center compound in Cambodia. So this is one of those ones where they have the human trafficking, bringing people in, keeping them against their will and, and then having them scam people in their home country. So there's also a company called Legend Innovations which is the operator of eight park and two officials that they've named Tet Lee and who. I'm going to mess this up, Zhao maybe, who are linked to the Prince Group, which is a conglomerate behind many such compounds. So this is like an industrial scale scam operation. So what the UK has done as part of this, the part of this sanction is they've seized a bunch of property from these organizations in the UK, which is pretty much all they can do in terms of, in terms of, in terms of the value, the biggest value of an asset. They seized an office building worth like $100 million or £100 million, $122 million. And I don't know if that's in this story or any other story I read about this, but it's such a huge thing. And there's another problem here as well in that even if you sanction jinbe, there's nothing that stops these operators of these scam centers from hosting their own wallets, making it.
A
Yeah, I mean this is just the nature of crypto at a certain point. I mean it's great for. Listen, I know it has a lot of great legitimate uses, but it also has a lot of really shady uses. And this is sort of exhibit A.
B
Absolutely. It is by its nature unregulated and impossible to fully regulate. You can regulate exchanges and that's just about what every industrialized country has done on the planet. And China, to their credit, has also been cracking down on this because their citizens are some of the most targeted by these scam centers. Yeah, because Cambodia is pretty close to China, so it's pretty easy to lure Chinese citizens to Cambodia and then just keep them there and have them phone back into China and scam Chinese people out of, out of millions of dollars.
C
So China you can send out of the country. Right, for their citizens.
B
I don't know if, if, if it's that or if they might do that. I'm not, I'm not familiar with China's economic policy.
C
Yeah, there's a limit to how much Chinese citizens can invest elsewhere out of the country. That's why there have been some underground crypto schemes, I'm fairly certain. Very interesting.
B
So one of the things, the last thing in this article that I wanted to point out was this designation. I'll just read from the article. This designation reflects a broader shift towards targeting the backbone of the scam ecosystem, including payment channels and laundering networks, rather than only individual perpetrators. So I don't know how easy that's going to be. This is, this is like, I like, we've already talked about that. This is going to be a much harder problem to solve. I don't know how you stop this. I don't have any suggestions. This is something that is just an awful situation all around and everybody just has to be aware of it. One of the reasons we do this podcast is because we want to make sure that these guys don't fool people. And if they listen to this podcast, I think people are less likely to get fooled by these things.
A
Amen. Well, that's a great, great story, Joe. So thank you for sharing that with us today. All right.
C
And I did just note that China imposes strict capital controls, equivalent of US$50,000 per person per year can leave China. They do not want their money leaving their country and leaving their economy. So there's a ton of money laundering going out of China, not for crime, just for rich people wanting to diversify and not be limited to what China is doing.
A
Yeah, that makes a lot of sense. I, I can, I can. I've. We, we've seen how that's shown up all, all over the world, so. Right, yeah. All right. With that note, Michelle, it's over to you for your story.
C
Yeah, so this one was kind of interesting. It's not based in technical crime, but this is how all of your identity information can be used to steal money and not even just steal your money, but still mess you up financially. So 11 people have been arrested by the FBI in LA for a house stealing operation since 2022. That's been going on since 2022. So house stealing? Yes, house stealing.
A
So apparently picking up a house and walking away with it in a big sack.
B
They're in the striped shirt.
C
Yep. I'm getting like the cartoon criminal character running away. Yeah. So this is targeting specifically elderly homeowners above the age of 70 who have fully paid off homes. And then bad guys will try and take out loans against those fully paid off mortgages, the house's collateral to get access to large loans from banks and then they steal that money and then these people's homes are the collateral. Oh my God.
A
Oh wow.
C
Real. Like there is no safe corner, huh? Yeah.
A
So stealing. So basically mortgaging out a house from underneath somebody, huh?
C
You can get, you can get large loans and house gets put up as collateral. The there is a 15 count federal case for conspiracy to commit wire fraud, wire fraud, identity theft and money laundering. Or this would be aggravated identity theft.
B
I was about to say aggravated identity theft.
C
It's in conjunction with another crime. So they have the ring here, the like crime ring has sought $17 million in banks since 2022. They have successfully gotten $6 million. Wow. In all these high value neighborhoods in LA, the attackers created fake IDs and email addresses with the legitimate owners names. All because houses are public record. You can find out whose home is paid off. And with all this information that's your identity being stolen, they can theoretically, probably fairly easily create a fake identity and get a mortgage. They were more than, they were more successful than I would like. I just, I'm surprised that the banks didn't do more due diligence. Yeah.
A
I was gonna say. Cause this is, this is fully on the banks to do their, their work. There's nothing the average person can do to stop something like this because they won't know it's happening. Right? Yeah.
C
So you can get title insurance. A lot of people get title insurance. Right. When you get the house. So that way if you buy a house where, say, you didn't realize it, but there's this other claim to the home, there is some fraud, there's a lien, whatever that you don't know at the time of purchase, you can purchase title insurance. I don't know if you can purchase title insurance for extended periods of time, but I would imagine so because a Milliman study for the American Land Title Association found that fraud and forgery claims on mortgage refinances climbed to more than 40% of total title insurer losses. It's a significant problem.
A
Wow.
B
Huh.
A
My goodness. I was, for some reason I thought title insurance was mandatory. I don't know why. Maybe that just depends on the loan you're getting.
C
Yeah, there's at least some level, like a small one, but not. And it's usually only for like a year or two. Yeah, it's for the past.
B
Right. It covers, it covers past transactions. So if somebody comes up on, comes up to you after you buy the house and go, hey, that's really my house, you're covered. Yes, but here's my question about this. And I think about, I think about me being in this situation and somebody saying, hey, we're, we're foreclosing on your house because you took a loan out. And me just saying no and calling an attorney and saying, issuing a cease and desist letter immediately. And you know, it also probably opening up a civil lawsuit for, for this on the bank because as you both have said, they haven't done their due diligence here. They've. They've been defrauded of their, of their money, the loan money. But that is, from my perspective, that is not my problem. You guys, you guys let somebody take out a fraudulent loan. You guys let them fraudulently use my address as collateral. Go, go figure this out and stop bothering me.
C
Yeah, you're gonna give a, you're gonna give a house loan for, with a fake ID and email address. 20 year olds trying to sneak into a bar can do that. Where are you? What are you doing?
B
Right.
A
Are you, what are, what are you,
C
you seriously gonna tell me that you would get outsmarted by a kid trying to lie to his parents? Better. What are you. What is going on?
A
Yeah. Wow. I wonder if certain types of financial institutions are more. Yeah. Like smaller ones that maybe aren't as well equipped to deal with this if they're more at risk for getting involved in this kind of scam that, you know, if they don't have people that. To employed to do that. Due diligence or do it. Well, that's.
C
Yeah. I'm not sure. And you're. And we're starting to see, even when I was poking around about this story, there are starting to be what looks like some legislative fixes being proposed. So Maine is currently proposing a law, a statute that would make it so that it's like victims of fraud would get a break in their taxes for that. So right now if you get a whole bunch of money stolen, but like that's still somehow taxable to you, you still have to come up with the taxes to add insult to injury. And Maine has introduced. Yeah. Like, you still like the government's like, hey, that's not a problem. You mess up. Like, that's not statutorily required. Maine just introduced legislation to make it so that scam victims do not need to pay taxes on the money that they lost.
A
Hmm. And Maine is also one of the oldest states in the. They have, like, the per capita of some of the oldest, if I remember incorrectly. Like, they've got a lot of old people in Maine.
C
They do.
A
That makes sense. Yeah.
C
And this came on the heels of the National Council on Aging just put out new guidance on top scans, target top scams targeting older adults. This was not on there, but it kind of is covered under the financial services scam. But definitely, like, hey, just because your house is paid off doesn't mean you have to stop paying attention to it.
A
Yeah.
B
Right.
A
Yeah. Would there be any sign for the average homeowner that maybe they. They'd been caught up in something like this? Is there something they should be looking for?
C
Not that I can tell, because I would imagine that it would show up on your credit report, but maybe they could somehow find a way to not use your. Because it's just the house is collateral.
A
Yeah.
C
And like, if you have a. If you have a title saying that you have ownership of that, it may not. There may be a way to, like, sneak around, like, the credit reporting side of things.
A
I'm not sure. Because you could always just put a freeze on your credit if you've paid off your house. I'm gonna bet you probably are like, I don't really need credit anymore. You could just put a freeze on your credit. Yeah.
C
This mother does that. She's just like, nobody's touching my stuff.
A
Yeah. I just. I don't need it anymore. So. Freeze it. Yeah.
C
I don't know. To get along anymore.
A
Yeah. Yeah.
C
Good for you. I love that.
A
Yeah. It's. It's. It won't work for everybody, but if it can work for you, it may not be a bad idea. So. Yeah.
C
Yeah.
A
That's a. That's a great one, Michelle. I. I have a few people in my life I need to talk to you about this one, so thank you. I. I've got homework now, but that's a great. It's. It's good to have stuff to talk to people about this, so thank you. It's a great story.
C
Yeah.
A
On that note, why don't we take a quick break and we'll be right back.
D
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allowlisting, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with ThreatLocker DAC, defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today.
A
All right, so we are back. And now I'm going to be the one telling a story. Now this one is, it's kind of a. It made me chuckle, but it's a legitimate, it's a legitimate thing. It's a captcha scam. And it reminded me a lot of when I used to play a lot of online gaming. We used to play this trick on people who were new to, like when I played World of Warcraft for example, ages and ages and ages ago. You'd get people who are new to the game who are having problems and they'd go, how do I get out of this issue? And of course the thing we would tell them was, well, if you're on a Windows machine, make sure to hit Alt+F4. And of course you would immediately see that they would log out of the game. And it was hahaha. So this, this captcha scam has been around for at least a year and it's, it's a little bit similar to this and it's not the first scam to do this, but the idea is that there's a fake Cloudflare page that sometimes people will see that will instruct victims to complete a captcha to proceed to the website they're trying to get to. And the captcha is the I'm not a robot checkbox. Right? But instead of hitting that checkbox or doing the weird like fill in the puzzle or find the fire hydrant, it'll say, to make sure that we know that you're human, I need you to press a series of keys and it will be something like, please don't do this. But it'll be something like Windows key + R and then Ctrl+V and then Enter. Oh great, thanks for doing that. You can now go onto your website. But of course what's happening is that when you are doing those key presses that opens up a console window in the background. And then the Ctrl+V is pasting in a PowerShell script and. And you are essentially downloading to your machine an info stealer. And the specific one that's going around right now is something. I think we've talked about this on the show before. It's an info stealer known as StealC. And this one is an info stealer. It can also.
It can steal a bunch of gaming info, like your Steam account, as well as crypto wallet data, if you've got it. And it's kind of gnarly. So this one, it made me chuckle because it reminded me of back in the day when we would do stuff like to mess with other gamers. But if. If you're just hitting random keys because a website tells you to, please don't do that. Let's just please, please don't do it. So if you're. Captchas should never be having you hit random keys. But it's. It's getting a little hard to know because sometimes you get a test on a captcha, you're going, is this legit or not? Like, some of the ones where it's like, complete the puzzle or find the horse or whatever. It's just like, I can't believe this is a real thing. Um, so maybe the captchas need to calm down a little.
C
But certainly there's so many. Like, this is one of those things where, like, this would not have worked even, like, three years ago. Like, I feel like the change in Internet from now, from three years ago versus the previous three years was significantly greater, like, a much straight greater standard deviation. This would not have worked three years ago because you would, like, say, like, I'm not doing all that. Nothing ever asked me to do all that. But now with all the crazy, like, multifactor and all the different, like, technologies and all the ways to verify your identity of, you know, like, do it. Do a fun dance in front of the camera so we know you're real. It's like, you don't have. Like, the threshold is so much higher for, like, that's weird. You shouldn't be asking me to do that many things.
B
I have never been asked to do a fun dance in front of a camera.
A
It's gonna happen.
C
You know what, Joe? Today's the day.
B
Well, I don't have my camera hooked up, so. All right, let me get my camera hooked up. Michelle.
C
This is one of those things where it's just like, this would not have worked. Even just a couple years ago.
A
I know it sounded ridiculous when I read. Yeah, it sounded ridiculous when I read it. I'm going, who would do that? But actually, you're right. I could absolutely see people going, I don't know. The captchas are weird now, and we have to do all sorts of stuff to make sure we're not AI. So maybe hitting random keys is the way we prove that we're human. There's some new weird stealer every other
C
day that I'm seeing.
A
Yeah, yeah, yeah, absolutely. And this info stealer is going after a whole bunch of stuff, and it's going to be. It's pretty nasty. And if you download it directly by doing all the key presses that this not legitimate captcha says, then it would not be good to have on your machine. So.
C
Yeah, and again, you're already irritated that you're being asked to do another thing. You're not going to go. And then, look, you just want the irritation to be over.
A
Yeah, irritation as a vector is a really good. You're definitely onto something there. I really think so.
C
I remember seeing something that was like, why are irritating characters in books so much more hated than the bad guys? And it's like, because their crimes are fictitious. My irritation is real.
A
I'm feeling. I have not been harmed, but I'm annoyed.
C
Yeah, that's right. I'm feeling.
A
Oh, man, you're onto something there. Genuinely. So patented. All right, well, that was my story, so why don't we move on now to catch of the day. And Joe, I think you found today's catch, so tell us about it.
B
Did. It's from the phishing subreddit and it's an email that came in. Reddit, slash, r/phishing. For those of you who can't figure that out, welcome. Me, I have a. I would have
C
a hard time. r/phishing. Reddit. r/phishing is redundant. Reddit. Thank you.
A
https://, slash, www. Okay, sorry, Dr. Pedantic over here brought it up.
B
Yes. So it is an email that came into somebody and it says, I'll just read it. Should I read this or do you want to read it, Maria?
A
I would like you to read it, Joe.
B
Okay. Bonus letters across the top. By the way, this email is all centered and it says dear to me.
A
That's your beef with it.
C
That's your beef.
A
Because I centered.
B
It's pretending to be a person who needs help with their Medicare account. And Blanc, if you send an email to some government organization, are you going to center everything and put a big. Well, okay, let me just read this.
A
Just read it.
B
Okay. Mo letters across. Stop. Dear Medicare Representative, comma, I am writing regarding my access to my online government services accounts. I use the identity verification services provided through ID.me and login.gov to access Medicare services on medicare.gov, and then there's a big login.gov button. I would like confirmation that my identity verification and login access are active and properly connected to my Medicare account. If additional documentation or verification is required, comma. And that's the end of the email and then.
A
Copyright 2026. Thank you for your time and assist.
C
Who's doing this?
A
Who is this Phishing?
B
This is a Medicare representative. Well, the person who received it was not a Medicare representative. They said so in the comments. But it looks like this is just a phishing kit that has been used in a horrible campaign by some tyro noob.
A
Yeah.
B
Who just doesn't know how any of this stuff works. And the link goes to. Let me. The login link. The person hovered over the login link and took a screenshot with it. It's enable-site-metals-smith.trycloudflare.com. So trycloudflare.com is probably a malicious.
A
Sounds legitimate to me, Joe. I don't know what the problem is.
C
I really just like, I'm just. One disappointed. Two I feel disrespected if you're gonna try and steal my stuff, like put in some effort.
A
Baseline. Effort. Yeah, baseline.
C
This is like AI swap type stuff.
B
Yeah, yeah, it is probably it.
A
I love also that the call to action button literally just says login.gov. That's. It's just. It doesn't say click here or what? It just says login.gov.
B
Yeah, it's like a login in the middle.
A
It's just bizarre.
C
Bizarre.
B
Bizarre.
A
It's like they don't know how the Internet works.
B
Right.
C
I mean, it's also a pretty specific, like, targeted thing. How many people are Medicare representatives? That feels like that you're unnecessarily narrowing your field.
B
Right. I would hope that these people, these phishers, have a list of Medicare addresses, email addresses. Maybe they're just trying this out to see how it works. I don't know.
C
She feels lazy.
B
It is.
A
It is lazy. Lazy. It's messy. Lazy. Yeah. Love it. But that's a great catch.
C
Go start a lemonade stand. Do something.
A
Do something productive with your life.
B
You can make much more money scamming people, sadly.
A
Well, that's why, that's why we're on the show, aren't we? So, yep, that's why we're here. Well, thanks for that, Joe. Thanks for that awesome catch of the day. Appreciate it. All right, and on that note, let's take a quick ad break and we'll be right back.
D
Most environments trust too much and attackers know it. ThreatLocker enforces default deny at execution, blocks unknown apps and limits what trusted apps can do. Stop ransomware at the source. Get your demo at threatlocker.com/N2K.
A
All right, we're back. And before we close out, Michelle, you have something that you wanted to share with everybody. Go for it.
C
Yeah. Today starts the kickoff for a fundraiser for Blood Cancer United, formerly the Leukemia and Lymphoma Society. My best friend was nominated as a Visionary of the Year for Boston in honor of her daughter, who was diagnosed with leukemia as an infant. She was nine months old. She's since been in remission. She is doing great.
A
That's wonderful.
C
And she's been very active in the cancer community, especially for childhood cancer. She was very reliant on community support. So we wanted to really do our best to give back. So I'm on her team for Visionaries of the Year and we are starting a 10 week campaign. It kicks off today and anybody can donate. Every dollar counts. More than 70% of each dollar goes to actual research and support resources for the families who are affected. And anything that anybody's willing to give is so appreciated.
A
Yeah, Michelle, we'll put the link in the show notes for our listeners so they can check it out. Yeah, well, thanks for that, Michelle. Appreciate it. And well, yeah, and on that note, thanks for listening. And that's Hacking Humans, brought to you by N2K CyberWire. We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. And I'm Maria Varmazes.
B
I'm Joe Kerrigan.
C
And I'm Michelle Kellerman.
A
Thank you for listening.
This episode dives into new and evolving techniques in social engineering and cyber fraud, unpacking how criminals leverage “the fine print” of digital trust to run sophisticated scams. Hosts Maria Varmazes and Joe Kerrigan are joined by Michelle Kellerman to analyze topics ranging from email bombing to industrial-scale crypto fraud and home title scams. The team also highlights how irritation and fear are emotion-driven vectors for attack, weaving in practical response strategies, personal anecdotes, and some not-so-impressive phishing attempts.
[00:59–08:46] Listener Story & Discussion
Listener Bruce’s Experience:
A volunteer helping seniors describes an hour-long flood of spam into his Gmail, possibly a form of “email bombing” (subscription bombing) – potentially retribution for cyber events (e.g., attacks in Iran).
How It Works:
Tools and Tips Discussed:
Memorable Quote:
“It’s like a DDoS attack, almost.”
– Maria Varmazes [04:39]
[09:34–18:31] Joe’s Story: Sanctions & Scam Centers
Case Study:
UK sanctions against a Chinese crypto marketplace (“Jinbi”/Zinbi) for enabling and profiting from scam centers in Southeast Asia.
Global Scope:
Regulatory Limits:
Quotes:
“So much money… half a trillion dollars in global fraud. And again, that’s just what we know about.”
– Joe Kerrigan [13:56]
“Dirty money… we can’t even calculate the number as a money coming from... it’s so much more to everything.”
– Michelle Kellerman [13:47]
[18:44–26:18] Michelle’s Story: LA Home Title Fraud
The Scheme:
FBI arrests LA ring for “house stealing” targeting older Americans with fully paid-off homes. Using stolen identities and publicly accessible records, attackers take out fraudulent loans using these homes as collateral.
Why It Works:
Victim Recourse & Prevention:
Insightful Moments:
“You’re gonna give a house loan with a fake ID and email address? 20-year olds trying to sneak into a bar can do that! What are you doing?”
– Michelle Kellerman [23:10]
“From my perspective, that is not my problem. You guys let somebody take out a fraudulent loan... go figure this out and stop bothering me.”
– Joe Kerrigan [22:58]
[27:38–32:37] Maria’s Story: Captcha Scam & Emotional Manipulation
The Con:
Victims land on a fake Captcha page (mimicking Cloudflare) and are asked to press a key sequence (e.g., Windows+R, Ctrl+V, Enter), which surreptitiously launches malware (StealC) via a pasted PowerShell script.
Psychology:
Quotes:
“If you’re just hitting random keys because a website tells you to, please don’t do that. Captchas should never be having you hit random keys.”
– Maria Varmazes [29:52]
“Fear is a very powerful feeling in this game. So is irritation.”
– Michelle Kellerman [06:47]
[33:00–36:47] Joe’s Catch from Reddit
Exhibit:
Poorly crafted Medicare phishing email—centered text, clunky wording, and a suspicious link masquerading as “login.gov.”
Panel’s Take:
Memorable One-Liners:
“If you’re gonna try and steal my stuff, like, put in some effort!”
– Michelle Kellerman [36:05]
“It’s lazy. Lazy. It’s messy. Lazy.”
– Maria Varmazes [36:34]
On social engineering:
“You’re annoying me. I’m not thinking you’re suspicious, I’m thinking you’re annoying. Yeah, it works.”
– Michelle Kellerman [06:57]
Industrial fraud scale:
“I’m having a hard time with the scope of just how much dirty money there is that we didn’t know about…”
– Michelle Kellerman [13:47]
On victim recourse:
“Just because your house is paid off doesn’t mean you have to stop paying attention to it.”
– Maria Varmazes [25:07]
Emotional attack vectors:
“Because their crimes are fictitious. My irritation is real.”
– Michelle Kellerman [32:16]
On poor phishing:
“Go start a lemonade stand. Do something productive with your life.”
– Michelle Kellerman [36:39]
For more in-depth stories and advice, check out the episode’s show notes and linked resources.