Maria Varmazes
You're listening to the CyberWire Network, powered by N2K. Hello everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Maria Varmazes, dusting off my Dave Bittner impression yet again, as he has.
Joe Kerrigan
Been through that a lot lately.
Maria Varmazes
I do, I do. It's okay. It's all right. And he's in transit back from a busy RSAC, so we wish him safe travels on his way back. And with me is, as always, the one and only Joe Kerrigan. Hi, Joe.
Joe Kerrigan
Hi, Maria.
Maria Varmazes
Hi. And we have some interesting stories to share with our listeners this week. We got a lot of listener feedback, not just 'cause I was gone. I appreciate people saying they missed me.
Joe Kerrigan
I missed you.
Maria Varmazes
Thanks, Joe. I appreciate that. People are really responding to a lot of the stories we've been covering. And I had to choose from the many emails we've been receiving. All nice, by the way. Thank you. This one I wanted to respond to because it was about one of my stories. So I'm being selfish, and it starts this way. Hi, Dave, Joe and Maria. Let me start by saying how much I love the Hacking Humans podcast. Thank you for watching for me. It's a perfect blend of drama and comedy based on real stories. It makes my commute far less miserable. That's very nice to hear. Thank you. Also, apologies in advance for any mistakes in English. It's not my first language and therefore I use an AI LLM to revise it below. Thumbs up. Smart idea. I wanted to share some thoughts on Maria's story from episode 335, When AI Lies, Hackers Rise. That was from April 24 this year, about scammers using fake banking apps to trick sellers with phony payment screens. Oh yes. Here in the UK. Yes. Yeah, this was an interesting one, and I was very. I was feeling a little bit outside my lane because I'm not UK based, as people might be able to surmise from my accent. So. But thankfully this listener is, so he can clue us in a little bit. And he said, here in the UK, most high street banks have been using the Faster Payments Service for a while now, which means payments typically arrive within seconds, even between different banks. That sounds nice. This could have helped the seller in that story verify the funds before handing over the goods. Additionally, many banks have recently introduced a check payee function. When making a bank transfer, you may enter the name of the person or business along with the account number and sort code. The system then checks for a match: full, partial, or no match. On a few occasions, I've mistyped the name and received a warning which prompted me to double check with the recipient. And you can still choose to proceed even with a no match.
But it's a useful extra layer of fraud prevention. And there is a campaign here called Stop Think Fraud. And I try to stay cautious with online payments, but I can absolutely see how fake apps or screenshots can mislead sellers or anyone. It reminds me of a story from an acquaintance whose e-bike was stolen. Oh, yeah, bike thieves. They're just brutal. The police couldn't help much. That is a familiar story. So he kept checking Facebook Marketplace and similar apps. A few days later, he spotted his bike listed for sale. He had the nerve to convince the seller, who gave vague answers about the bike's origin, to accept a bank transfer instead of cash. He then used one of those fake bank account simulators to trick the thief into handing over the bike. A bold move, and lucky the thief didn't check their account until later. All right. And I have to say, he goes on to say, I completely agree with Joe. There you go, Joe. When it comes to these kinds of transactions, cash is king. And it says, cheers from Jose, who is not Spanish, but Portuguese, in case we try to pronounce his name. So, Jose, thank you. I love that. Turning the tables on a bike thief with the banking app simulator.
Joe Kerrigan
Can't remember where I saw this, but somebody said that their bike was stolen and they saw it pop up on, like, Facebook Marketplace or something, and they reached out to the seller, who was the thief, and, you know, they said, where'd you get the bike and how long would you buy it? All this kind of stuff, and from your backyard. They show up and they meet, and the guy goes, can I take it for a test ride? And the seller goes, sure. And he just rides home with it.
Maria Varmazes
Zooms off with his bike.
Joe Kerrigan
He was just gone.
Maria Varmazes
Gone. Honestly, that's bold. But I love that. I mean, you're gonna know how your own bike works, right? I know in my neck of the woods, in the Cambridge, or I'm not in Cambridge anymore, in Massachusetts, I'm further out, but back when I was closer to that area, bike thieves are rampant, and sometimes the police would actually help people if they're doing a sting going, you know, hey, I found my bike on Craigslist. I want to get it back. And sometimes the police have been known to help in situations like that. So, you know, please be careful, 'cause some of these bike thieves are definitely. They can be dangerous. But I gotta, you know, I gotta give people credit. Using the fake apps to trick these at their own game. That is very clever. So that's awesome. That is awesome. Well, thanks, Jose, for your very, very sweet feedback and for the very helpful context on the story. So thank you for writing in. All right, so Joe, you said you also have some feedback. I know some feedback on. I mean, feedback and follow up. Yeah, go for it.
Joe Kerrigan
I saw something. This is just something I didn't think was good enough to be a story, but I wanted to talk about it. I saw this. I don't remember where I saw it, but it made absolute sense to me. It was one guy in something that looked like the MythBusters prop room. You ever seen MythBusters, where you go in there and.
Maria Varmazes
Have I ever seen MythBusters, one of my favorite TV shows of all time? Yes, I've seen MythBusters. Yes.
Joe Kerrigan
You know where they take you into. I think it's Jamie Hyneman's company, the production company, or maybe it's Adam's. I don't know. It's one of their companies. And you know, they've just got all this stuff they've made, and it's like props from everywhere. And you know, they go, oh, if we need this, we have it over here. And it's stacked, literally floor to ceiling in a warehouse, but.
Maria Varmazes
And meticulously organized too, which always just means. Wow. Yeah. Yep.
Joe Kerrigan
Yeah. Which makes me think it was Jamie. And not necessarily.
Maria Varmazes
That's what I was thinking. Yeah. I was like, that has to be Jamie. Yep.
Joe Kerrigan
Right. But anyway, it's in a place like this, and this guy goes, let me show you this. And he picks up, like, this 50 pound dumbbell and just hands it to the guy with one hand. And the guy goes, what is this? And he picks it up and he's holding it. He says, this weighs next to nothing. This is nothing. He goes, yeah, I know. And it's a fake dumbbell.
Maria Varmazes
And.
Joe Kerrigan
And then he says, well, you know how, like, when you're drinking out of an empty coffee mug? You can tell the coffee mug's fake by the way it moves. And that's because of the amount of water that's missing, fluid that's missing from the coffee cup. So we have this, and he hands him an 80 pound dumbbell. He says, this actually weighs 15 pounds. So it is actually a weight that you can move. And it looks like you're actually putting effort into moving a weight. Your muscles will flex. It's what social media influencers use for their fitness videos.
Maria Varmazes
Get out.
Joe Kerrigan
Yes, that's. And I was like, I can't believe that because I've seen people like squatting with huge racks of, of barbells and I'm like, how are they doing that? It's fake. That's how they're doing it.
Maria Varmazes
That's how they're doing it.
Joe Kerrigan
And I feel like an idiot for not knowing that going in.
Maria Varmazes
I just wouldn't. Yeah, I don't, I'm with you though, because I, I didn't, I wouldn't think influencers would put in the effort to fake it. I don't know what, now I'm saying that out loud. I'm going, of course they wouldn't real. Like, why wouldn't they? But for some reason I just figured they, you know, ordinary people just using the actual stuff they do and not going, I want to figure out how to fake this. That's just so much more work than just doing the real thing. I don't know my laziness saying, why would you do that?
Joe Kerrigan
I don't, I mean, I guess because you can demonstrate to people, look, I can curl 80 pounds for, you know, five sets of 16. And you know, that's a pretty heavy feat, right?
Maria Varmazes
That's pretty heavy. Yeah, yeah, yeah, right? Yeah.
Joe Kerrigan
But, you know, you're not doing it, you're doing 15 pounds for. So I mean, it makes perfect sense to me. You know, this just goes along with the whole, don't believe everything you see on the Internet, of course, but really think about what you're watching in these social media influencers and what they're trying to do to your brain to get you to follow them. And they're faking a lot of it. You know, I hate to generalize, because maybe there are some guys out there. I don't go looking for, you know, fitness videos. Anybody who looks at me will say, there's a guy that doesn't watch fitness videos on his phone.
Maria Varmazes
You got, see, Tae Bo, you couldn't fake that back when that was a thing, like actually doing the aerobic body weight exercises. I don't think you can fake that. But, yeah, weights.
Joe Kerrigan
Billy Blanks, right?
Maria Varmazes
Yeah.
Joe Kerrigan
Was that who it was?
Maria Varmazes
Oh, my gosh, no, I just remember Tae Bo guy. I'm going to get listener comments now that I don't remember. It was a while ago. Please don't sue me. I don't remember.
Joe Kerrigan
I think his name was Billy Blanks.
Maria Varmazes
Probably Billy Blanks. That sounds about right. I just don't remember. It was a long time ago. Yeah, it's not in the memory. It's not in the memory banks. Anyway, that's fascinating. As I said, as I was saying it out loud, I was kind of going, of course it would be fake, but, yeah, I'm with you. It never would have occurred to me. So that's interesting.
Joe Kerrigan
And it never had occurred to me, which is why I felt like an idiot.
Maria Varmazes
Well, you and me both. We're idiots together today. It's fine because Dave's not here. Dave would have caught that immediately. So there you go. We miss you, Dave.
Unknown Sponsor Voice
And now a few thoughts from our sponsors at ThreatLocker. The tactics used by cybercriminals are becoming more and more advanced every day. The shift from a default allow approach to a default deny is more critical than ever. This is where ThreatLocker comes in. Stay tuned for how ThreatLocker allowlisting and ringfencing has your back.
Maria Varmazes
Okay, let us move on to the stories now. All right, looks like I'm starting off today. So my story, Joe, comes from James Coker from Infosecurity Magazine. And this is a little flavor on a scam that we've talked about in the past. This one is specifically subscription scam campaigns, and it comes by way of Bitdefender research. And they're talking about physical subscription or mystery boxes being scams. Now, these are very, very popular. They've been popular for quite some time. These, like, monthly or quarterly subscription boxes. I get ads for these all the time, and I'm not even on Facebook anymore, where, you know, you sign up for, like, a monthly snack thing or, you know, travel around the world with this mystery box. You don't know what country it's going to be, and you'll get some yummy snacks or whatever. I'm not saying that company seems to be legit, but there's a lot of. Pretty much any vertical you can think of, there's some sort of sophisticated or semi sophisticated monthly subscription box that you can sign up for. And you don't know what you're going to get in the mail, but it's sort of like a delight, like giving yourself a little present. I guess that's right. It's a loot box. That is exactly what it is. And hopefully there's no mimic inside, but usually it's an actual.
Joe Kerrigan
The mimic is on the outside.
Maria Varmazes
Yeah, that's. Well, the whole thing is the creature. Now my husband's going to come running in. He's going to be like, well, actually, all my D&D friends. Anyway, these mystery boxes are unsurprisingly ripe for scamming. And a number of fake websites have been cropping up that do mimic legitimate websites. And personally, just speaking only for myself, even the legitimate ones can be a little confusing. Maybe this is just me officially getting old, but sometimes I go to these websites and I'm trying to figure out, what the heck am I actually buying? And maybe that's by design, but the fake ones capitalize on that sense of, at least me, being confused. And they're trying to sell you shoes or electronics or clothes or even investments. I don't know how that would work, but investments in a mystery monthly household.
Joe Kerrigan
Sounds like a terrible investment idea.
Maria Varmazes
Yeah. I was like, you don't know what investment you're going to be bought into. We're just going to YOLO this. I don't really understand, but okay. A fool and their money are soon parted, I suppose. But the idea behind this is, as you can probably imagine, Joe, is just to steal the credit card info. So it's kind of an elaborate phish, essentially tricking users into signing up for a monthly subscription that presumably you will never actually receive. Steal your credit card info and then just hope you forget that you signed up for this, or at least for a few months so they can get your money. Or before you talk to a credit card company and say, actually, that was a scam. But yeah, we have talked about apps, like mobile apps. I think that was a story that Dave did some time ago about mobile apps that you sign up for and then you can't figure out how to unsubscribe, and they sort of fly under the radar for a while, hoping that you forget to unsubscribe.
Joe Kerrigan
Yeah. It's like seven bucks a month for a mobile app.
Maria Varmazes
Yeah. And you've just completely forgotten that.
Joe Kerrigan
Yeah. And that's. There's a threshold where you won't make a concerted effort to unsubscribe. Like, if I'm getting hit 50 bucks a month for a subscription service to nothing, I'm canceling.
Maria Varmazes
Yeah, you'll feel that for sure. Yeah, absolutely.
Joe Kerrigan
But you know what? Yeah, we've talked about the wine club I was in, in Texas, for a number of years.
Maria Varmazes
You know, it's funny, I just signed up for a wine club, but I can verify that I actually got wine.
Joe Kerrigan
So my wine too, I just had to go down to Texas to get it.
Maria Varmazes
Well, you know, nice little road trip. But yeah, the, I, you know, the cup of a Starbucks coffee or something. Maybe people will hope that you forget that you signed up for this. So, yeah, the small upfront cost, and it hooks the user, usually in a sneaky way, into recurring payments, and they don't know that they have signed up for a subscription. And at the same time you've given up your personal and financial data to sign up for this. And the websites pull a lot of interesting strings to try and fake out that they're legitimate. Apparently they do certain things to verify that the user, that the customer, is real. To make it seem like we have a threshold. We, as the scammer, we want to make sure that you, the customer, are not going to try and hook us. So are you actually a real customer? Because obviously if we were a scam, we wouldn't care if you were real or not. So this is how you know we're real. And of course they make sure that the fine print is extremely fine and that the subscriptions are, you know, really, really, really hard to cancel, and that you don't even recognize that this is a recurring cost. Joe, I want you to guess what social media platform is being exploited for this.
Joe Kerrigan
Okay, I'm going to guess.
Maria Varmazes
It might rhyme with mace hook.
Joe Kerrigan
That, that's a tough one. Now I was going to go with Facebook, but you said mace hook.
Maria Varmazes
Yeah. Does it rhyme? Book of Faces? Yeah, yeah, yeah. Ding, ding, ding, right? Big surprise, right? They, they do leverage Facebook pages that maybe they bought on the black market that you know, were legitimate and then got taken over by scammers or, you know, where they harvest likes, that kind of thing. We've talked about that bazillions of times.
Joe Kerrigan
Yeah, I've seen that happen numerous times.
Maria Varmazes
Oh yeah, it happens all the time. It's amazing. And it's just when you see those pages pop up and you can tell they're actively garnering as many likes and comments as possible. You just know, how many months is it gonna be until suddenly their name has changed and they're doing something drastically different?
Joe Kerrigan
Right.
Maria Varmazes
It's like clockwork. It's amazing. These scammy pages also use paid ads. Big surprise, because those ads are cheap. They're just micro pennies, like just fragments of pennies to pay for. They sometimes impersonate legitimate content creators to boost legitimacy. I think we've talked about that. Some YouTube creators with some significant followers got impersonated for some scammy stuff like this. So what people might consider, like, a small potato personality being impersonated to give something like this legitimacy is very interesting to me. And Bitdefender says over 200 fake sites in this vein were traced to one address in Cyprus, of all places. Just like what we covered a story on the CyberWire today also, about something else scammy going on in Cyprus. What is going on? Aside from really nice beaches in Cyprus and tax offshoring, apparently scams. I don't know what's going on.
Joe Kerrigan
Yeah, well, that's. I mean, that's what happened with Isle of Man as well. They had, they had a scam, a whole scam company move into Isle of Man because it's kind of like a tax haven. So it, it. I don't know, you know, I'm. I'm all in favor of tax havens.
Maria Varmazes
Right.
Joe Kerrigan
But, you know, not scam havens.
Maria Varmazes
Not a scam haven. Yes. Cyprus twice in one day. Now I'm going, what is going on there? One thing, there are a couple things about this. So not a lot of this is, you know, very, very different from a lot of the scams we've talked about. There were some little details that I thought were interesting. One was, in order to evade malicious ad detection that presumably Facebook deploys, the scammers actually use multiple ad versions of their scams. But, like, one of many is malicious and the others show random, harmless products. So it's sort of like a roulette of if you actually. Yeah. And that I'm just going, that's a lot of extra work. But I suppose again, if it's really cheap to run these ads and you're casting a super wide net, I guess the economies of scale is, if one out of, I don't know, five is actually scammy, you will catch somebody and.
Joe Kerrigan
The images, that's gonna be like an 80% reduction in your exposure. I mean, it must be so cheap for these ads that that's inconsequential.
Maria Varmazes
That's the thing, isn't it? That just tells you how cheap it is. Indeed.
Joe Kerrigan
Right.
Maria Varmazes
The ads are also. This is not a big surprise. Often image only. So there's no text, and they will weirdly crop the images to defeat pattern detection. And I gotta say, when you see a weirdly cropped image, that usually for me as a human is a tell that this is scammy, when you see, like, way off center. But I guess it fools the algorithms that Facebook has. So that is interesting. So, yeah, this is yet another flavor of the scam that we've been talking about for some time. And my question is always, do they actually receive anything in the mail? And I couldn't find an answer to that. My bet is that they do not, but it would be especially confusing if they did. So if anyone knows, if they've gotten ensnared by one of these mystery box scams, have you actually received anything? I would be very curious to know, but I have a feeling the answer to that one's no.
Joe Kerrigan
Yeah, I think so as well. I think this is, you know, get what you can and get out, and that's the. That's the M.O. here. So I would be surprised if they actually got anything that would mean more effort for this scam than they've already put into it, which is actually.
Maria Varmazes
Yeah, there's a lot of effort in this one. Yeah, right. Yeah, it would be very interesting. But yeah, let us know if you've encountered this. I'd be very curious. Anyway. All right, so that was my story. Joe, it is your turn next. Tell me what you've got for today.
Joe Kerrigan
I've got a story from the New York Times, from Michael Gold and Cecilia Kang, and perhaps you've heard about this, but this is about. The House of Representatives in the U.S. here passed a bill to ban sharing of revenge porn and also nonconsensual sharing of artificially generated images.
Maria Varmazes
So, like deepfake porn?
Joe Kerrigan
Yes, like deepfake. Well, deep. Yeah, deepfake porn. But I don't know that the deepfake part is focused on just the illicit images, you know, the inappropriate images. So. Okay, and we'll get to that in this discussion, but I will put a link in the show notes to the New York Times article. The actual text of the bill that I have covers deepfakes and images you may have sent in the past. The Senate passed this unanimously back in February, which is rare to get a bill that is. Wow.
Maria Varmazes
I have not heard Senate unanimously anything in years. Okay. Wow. Okay.
Joe Kerrigan
Right. There were 409 votes for this bill in the House of Representatives and two votes against it, and 24 people that were no votes, meaning that they didn't vote.
Maria Varmazes
Okay. They weren't there or whatever.
Joe Kerrigan
They weren't, they weren't there or they, they were going to abstain or something.
Maria Varmazes
Yeah.
Joe Kerrigan
So, you know, before you jump on the two people that voted against this, there are people who are opposed to this bill. Like the Electronic Frontier Foundation has an article on it. They call it "Congress Passes the Take It Down Act." Oh, and by the way, you should look at the text of the bill, because Take It Down is actually an acronym. Let me pull this up, because this. I get more and more convinced every single time that Congress is wasting my money with the Department of Acronyms: Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Web and Networks Act. Take It Down Act. Oh, you.
Maria Varmazes
No, I. So if you heard me shriek, it's when the page loaded and I was like, you have got to be joking that that's an acronym. Okay. That is a bugaboo of mine, especially in the space world, because they also do terrible acronyms like this. And wow. Wow. We could just spend the whole episode about that, honestly. But we will.
Joe Kerrigan
Let's not focus on that. Let's not focus on that. That's really not the important part.
Maria Varmazes
My goodness. Yeah. Yeah.
Joe Kerrigan
The fear is, the position of the Electronic Frontier Foundation is, that this can be used like a very blunt tool to get people to take down things, that is, get platforms to take down things that people want, and particularly people in power. So one of the things the Electronic Frontier Foundation has said is that President Trump has already said, I'm going to use that to take down deepfakes of me, which may or may not be valid in terms of, you know, in terms of the context. Right. But I think that if someone's using AI to make deepfakes of an elected official in a form of parody or some other satire or actual. How can I say it? Like serious. What's. It's a SLAPS test. Serious literary, artistic. I can't remember everything from my days in communications classes in college. But there is a standard for this.
Maria Varmazes
It's the. I know it when I see it. The.
Joe Kerrigan
Yeah, it's kind of like that. Yeah, but it's.
Maria Varmazes
What you mean. Yep, yep.
Joe Kerrigan
It's serious literary and political. Something standing, maybe.
Maria Varmazes
Yeah.
Joe Kerrigan
But you know, I think if you're making AI generated memes of pick your least favorite political person and put their name there, I think that's fine. I don't think that's what the intent of this law is for. But the Electronic Frontier Foundation says that it could be used for that. And particularly in the same way that the Copyright, Digital Copyright Act has caused a lot of things to be banned from platforms, even though they fall under fair use. Because these companies are not going to take the time to examine every single case as a fair use case now.
Maria Varmazes
Right. They're going to just react first and then. Yeah, it can get. That tool can be abused.
Joe Kerrigan
Yeah, yeah. And I see the point for abuse, but I also see that, particularly with the revenge porn aspect of this, you know, that is clearly designed in, clearly delineated in here. So it's not something, you know, these are. We're going to talk about that part in a minute. But that is, you know, if you have some images of an ex, an ex-something or other, whatever, right. You're going to have to pay a fine and maybe spend up to two years in prison if you publish these things. And if it's a minor, three years, three years in prison. The Digital Forgery Act, because it doesn't specifically talk about. I haven't done a full read on this, but I can see this being used for those, like those fake Keanu Reeves ads, remember, where Keanu Reeves is holding up a T-shirt and they just put whatever it is. Now this gives someone, like someone trying.
Maria Varmazes
To sell you an air fryer. Yeah, yep.
Joe Kerrigan
Right, exactly. Someone like Keanu Reeves and Brad Pitt a way to control their image. And I'm not here to advocate for the rights of rich and famous celebrities. But earlier in your story you mentioned the unpopular YouTuber or the little known YouTuber. What about that guy or that girl who have a small following and somebody's targeting their audience. Right. This is not somebody with millions of dollars. I can see this being a real, a real benefit to them, but who.
Maria Varmazes
Just is the victim of revenge porn, who has zero. You know, they're not an influence or anything at all. Just.
Joe Kerrigan
Right.
Maria Varmazes
A regular person who's just.
Joe Kerrigan
But that's.
Maria Varmazes
Has a very vindictive ex or something.
Joe Kerrigan
Yeah, yeah, that's. But there are two different sections of this law, and the revenge porn part of this is pretty explicit, and the ambiguity comes in in the AI portion, the AI generated image portion. And I think that's where a lot of the objections are happening. Now Ars Technica has an article that heavily reads from this EFF article or statement. But I think Ars Technica does a really good job of presenting both sides of the issue here. They're talking about that the law doesn't seem to address, like, communication, but rather publication. So if you're sending images, you know, artificially generated AI images from yourself, you know, to a friend of yours, hey, look, here's Keanu Reeves riding a buffalo down a hill off a ski jump, you know, that's probably fine, right? But if you start publishing that, then maybe you're going to have an issue. But, uh, anyway, there is something I want to talk about here, and that is the issue of these images that, you know, that get used later in revenge porn. And my advice has always been, just don't share these kind of pictures with somebody. There are better ways to express your intimacy. But more importantly, you really have no control over any of this media once it leaves your phone. And you need to understand that in many cases, these things leave your phone almost immediately. Like, my photos automatically back up to Google and to Microsoft. Don't forget about that, in my case.
Maria Varmazes
iCloud. Yeah, same.
Joe Kerrigan
Right. So, you know, here's the thing. I trust my wife to the utmost. So much so that she actually gets to make decisions as to whether I live or die in certain situations. Right? That's a pretty good level of trust. I would never send this kind of image to her. And not because I don't trust her, but because I don't trust anyone else in the channel and anyone else on the other end of that channel as well, because the channel is just one part of it. But you got to think about it. You take a picture with your device. Do you trust your device manufacturer? Do you trust all the software on your device? Then you think about your cloud storage provider.
Maria Varmazes
Does.
Joe Kerrigan
Do you have the utmost trust in that, in that organization? What about the developers that wrote the code that securely transmit your data? How do you know that that's all valid? What about the platform that owns the channel? Right? Like, if we go back to Snapchat, remember when Snapchat was new, there was evidence that, or some reporting that suggested that they were holding on to images a lot longer than.
Maria Varmazes
Then.
Joe Kerrigan
The. The.
Maria Varmazes
They weren't disappearing.
Joe Kerrigan
Yeah, they were disappearing from the clients. But the servers still had the servers.
Maria Varmazes
Yeah, I remember that. Yeah.
Joe Kerrigan
And then when you send it to somebody, what about their device, right? What about their cloud storage partners? And what about them? And that's really the last point. You know, that's the focus of this law, is just the recipient. Right. But you've got to think that this law is really only addressing that one tiny piece of that process, the recipient. There are so many other moving parts in between you and the recipient that, frankly, I don't know about you, but I just find it difficult to trust that many people.
Maria Varmazes
Yeah. And it's not even. No, I'm with you. I mean, Joe, it's not even a matter of, like, assuming bad intent necessarily. It's just breaches happen. Even if that provider does everything. Right. Breaches do happen. So that is. You know, I'm reflecting as you're saying this, and I just. I think the nature of phones, especially being something that, you know, keep in our pocket and it gives people have a sense of privacy with them. This wasn't as much of an issue back when, you know, computers were sort of more of like a public shared device. I'm thinking of like the family computer was in a public part, you know, central part of the house, that kind of a thing. Or if you had one of those. And now, you know, I think many people, especially younger folks who grew up with phones being so ubiquitous, they may not understand all those steps that you've described about how many intermediaries there are between you and the recipient of something that hasn't either been communicated well or not as understood as maybe we would like. Maybe it's a bit of both. But it's having this small device that you can just keep in your pocket or bedside or whatever, it's easy to forget that it is a public. It is. It's private to you in a sense, but it's really public in a lot of other ways.
Joe Kerrigan
A lot of other people that have.
Maria Varmazes
A lot of people just sing in.
Joe Kerrigan
Yeah, yeah.
Maria Varmazes
What I like to say is companies.
Joe Kerrigan
Like Google are very good at security, but security and privacy are two completely different things.
Maria Varmazes
Amen to that. Yep. Absolutely. Yeah. And getting back to the bill itself. So, yeah, I echo that. Yeah. The best advice is to abstain from this kind of thing, but we know that people will do it. I mean, so, you know, it's all well and goes for us to be like, just don't. But people are going to, People are going to, and people are going to. So this bill I feel very conflicted about because my gut instinct is like, this is good. I'm very glad that this is happening because especially in the US we have very, very little protecting anybody from any of this.
Joe Kerrigan
Correct. That's the first federal law that protects anybody from anything like this, anything.
Maria Varmazes
And I really need to emphasize, I know that states also have in many cases laws about this as well. My state of Massachusetts only passed a revenge porn law last year, which was, we could not believe how long that took. In so many other countries this might be, like, maybe a no-brainer, but we really don't have much in the U.S. to protect consumers in any way. So I can easily see the EFF's argument, and they're very smart people who really understand this stuff and how it will be misused. I can absolutely see their argument about how there will be corner cases and abuse for this, and then I'm going. But on the other hand, we as consumers are pretty much left completely alone and there's nothing helping us when you.
Joe Kerrigan
Start looking at the damage that gets done to kids in this situation. There was one article that, that cited, I think it was Alexandria Ocasio Cortez talking about the damage, psychological damage that gets done to young girls when they are, when they are, when their images are passed around. And, and that's a valid point. But you know, the other, the other one is the, the amount of young boys that have just killed themselves over things like this. Literally killed themselves.
Maria Varmazes
Literally killed themselves. That's right.
Joe Kerrigan
And, and I'm hopeful that this will provide, you know, an almost instantaneous way for them to stop that kind of thing from going on.
Maria Varmazes
That's right. Yeah. I think I, as I said, I, the EFF, I highly respect what they do. So I'm not trying to be like.
Joe Kerrigan
I'm not, I'm not belittling their, their position at all. I agree that there is a potential for abuse, but I think I'm with you on this one, that as Americans we don't have, we don't have this kind of protection. And President Trump said he's going to immediately sign the bill when it gets to his desk. And it was actually kind of a, a pet project of the First Lady.
Maria Varmazes
I, I don't doubt it. I'm sure she was affected by, yeah, it doesn't surprise me. That says a lot of bipartisan support and I think the EFF is doing a great job of keeping an eye on how this will be abused. And, and honestly, like, I hope they continue to do that because I'm sure there will be, there will need to be legal challenges for overreach and the like. So. But yeah, but as I said, my gut instinct is we need something. We just, we're completely, we're out here going, is anybody going to do anything about any of this. So, yeah, I'm kind of like, all right, all right, great. So let's see what happens.
Joe Kerrigan
We'll roll the dice on this one.
Maria Varmazes
Goodness gracious. All right, well, thank you, Joe. That really great story. And thank you for highlighting something that's so important and is. I guess we'll see really how this goes. So. Yeah, we'll see. Thank you for highlighting. This is a good one. And we'll be right back after a word from our sponsor.
Unknown Sponsor Voice
So let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up. Where traditional cybersecurity tools require you to create a list of things you don't want to run, ThreatLocker enables you to easily curate an allow list of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and ring fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust endpoint protection platform deploys in a learning mode that analyzes the operations of your company using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east and west network traffic. We thank ThreatLocker for sponsoring our show.
Maria Varmazes
And we're back. And now it is time for Catch of the Day. Joe, what do we have?
Joe Kerrigan
Catch of the Day today comes from Rick, who said he got this email from. Well, I don't know, someone. YG is their initials, but it's. It's pretending to be a message from Harbor Freight, and Rick noted that it was capitalizing on the. The tariff deadlines.
Maria Varmazes
Oh, my. I'm sure you've also gotten a gajillion emails about this. I know I have.
Joe Kerrigan
So.
Maria Varmazes
Interesting. Yeah. Yep.
Joe Kerrigan
Right. So I don't know. How do you want to do this? You want to. Because.
Maria Varmazes
Yeah, because there's a bunch of screen caps here. How do you want to describe these different screen caps? Can you. Can you describe what's going. Maybe. Let's go through each image. So, okay, the first one is of contact that looks like it's been created. I don't know how they respond, but it's this.
Joe Kerrigan
This. Isn't this how this goes on iPhones? This looks like it's from an iPhone. I don't know.
Maria Varmazes
It is it is definitely an iPhone. Yep.
Joe Kerrigan
Okay. I have an iPhone. I really don't like using it. But it looks like an email that says it's from YG. That's the contact initials. And I guess that's for your Harbor Freight gift is inside. But the interesting thing is that the email address is like newsletter czdhrog www.and that makes a really long immediately I've lost interest in this if it's coming to. Right?
Maria Varmazes
Yep.
Joe Kerrigan
But then the next image that Rick sends along is a picture of the email and it's got a flyer that looks like it's a survey about Harbor Freight answer. And when you've been chosen to receive a new icon core master tool set and big black letters at the top says warning prices increase at midnight.
Maria Varmazes
Oh my gosh.
Joe Kerrigan
And then it's got this picture of this tool set that I'm really interested in. Actually this is one of those things that might work on me because.
Maria Varmazes
Yeah, don't get hooked. Don't get hooked.
Joe Kerrigan
There's a lot of tools here. I mean I have some of them, but I don't have all of them.
Maria Varmazes
Gotta catch em all. Yeah.
Joe Kerrigan
It says click here to claim. And when you go inside, there is another picture of the tools and it says, dear Harbor Freight customer, complete a quick survey for a chance to receive the icon core master tool set. Tell us about your experience with Harbor Freight and enter to win this exciting reward. Rewards are limited, so don't miss out. Attention urgency. Yep, this survey expires today, which was April 25, 2025. So a couple of things about this.
Maria Varmazes
Oh, and there's a countdown at the bottom, I see.
Joe Kerrigan
Yeah, there's a countdown at the bottom that says five hours and 52 minutes left. You better hurry up. A couple things. Whenever I hear, you know, supplies are limited, I immediately go to that episode of the Simpsons where Homer is ordering the microphone, the radio microphone for Bart for his birthday. Are you familiar with this episode?
Maria Varmazes
My goodness, it's I don't nothing way.
Joe Kerrigan
Early in the series.
Maria Varmazes
But yeah, earlier in the series is what I'm more familiar with. But it has been a while since I've watched the Simpsons. So refresh my memory.
Joe Kerrigan
It's a parody of the Mr. Microphone from the 70s and 80s commercial. You used to be able to buy this microphone. It would broadcast on AM and low power and then it would come through your stereo and you could hear nothing but feedback for the low, low cost of 1999 or something like that.
Maria Varmazes
Wow, what a deal.
Joe Kerrigan
But Homer's watching this TV commercial and it's just ridiculous. Right? And at the end it says, act now. Supplies are limited. Homer goes limited and lunges for the phone and starts dialing. Right. I think of that every time I hear somebody say supplies are limited. I think, you know, is this, is that really the thing that gets people to act now? You know, supplies are limited. You know, if, if you sell out of these things in five minutes, you're going to make more. Right. Because you're going to want to do that again. Trust me, I know. This is work. Right. Supplies are effectively in amount of this on modern. In modern economic terms. You're not talking about gold here, right? You know, it's, it's. These are all tools made out of iron. The earth is like something like 80% iron. You're not. Supply is not limited. Don't tell me supplies are well, but actually free supplies are probably limited. I think that Rick is right. They're trying to capitalize on the fear of tariff increases. But I don't know how they're trying to get that with the prices increase at midnight for your free tool set. You know, the price increases from free to whatever the territory.
Maria Varmazes
Not free. Yeah. I don't know if it's not real. Yeah.
Joe Kerrigan
It doesn't make sense. This is probably one of those survey things that just steal your information or it's just for some click farm or something. I don't know. All these things are really scammy. And I'll admit that early in my days of using the Internet, I fell into one of these survey things.
Maria Varmazes
Oh, I totally did too. I was just thinking that I'm like, I absolutely did stuff like this when I. Especially when I was really. Surveys money. Oh, yeah.
Joe Kerrigan
I want people. Yeah, I want people. I never got any money out of it. We got gift cards out.
Maria Varmazes
I never did either. But if I could win a free thing. Yeah, absolutely. That's probably why my. My information is in every breach known to humankind.
Joe Kerrigan
Yeah, exactly.
Maria Varmazes
Half of it's me giving it away by accident on surveys. So, you know, that's my fault.
Joe Kerrigan
Yeah. Don't take online surveys.
Maria Varmazes
No, I mean, don't, don't. Yeah, definitely don't do it. Yeah. Or. Or those apps where they're like, you get a free version of this app instead of the paid one if you just do a whole bunch of surveys. Like, don't do that either.
Joe Kerrigan
Pay for it.
Maria Varmazes
Okay. Yeah. Anyway, that's a great catch. Appreciate it. Joe. That was a nice one. I like it.
Joe Kerrigan
Yeah. Thank you, Rick. For sending it in.
Unknown Sponsor Voice
And of course, we want to thank this week's sponsor, ThreatLocker. Go to threatlocker.com HH and check out their Zero Trust Endpoint Protection Platform. That's the words threat and locker with no space.com HH where you can request a demo and neutralize the threat of malware running on your devices.
Maria Varmazes
All right, and that is Hacking Humans, brought to you by N2K CyberWire. We would love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ivan. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilby is our publisher and I'm Maria Varmazes.
Joe Kerrigan
And I'm Joe Kerrigan.
Maria Varmazes
Thanks for listening.
Hacking Humans: What’s Inside the Mystery Box? Spoiler: It’s a Scam!
Hosted by N2K Networks | Release Date: May 8, 2025
In this episode of Hacking Humans, hosts Maria Varmazes and Joe Kerrigan dive deep into the world of social engineering scams, phishing schemes, and cybercriminal exploits. The episode kicks off with Maria sharing heartfelt listener feedback, highlighting the podcast's impact. One notable listener, Jose, commends the hosts for blending drama and comedy based on real stories, making his commute more enjoyable.
Maria Varmazes [00:35]:
"It makes my commute far less miserable."
Maria introduces the main topic by discussing subscription and mystery box scams, referencing insights from James Coker of Info Security Magazine and Bitdefender Research. These scams often mimic legitimate subscription services, tricking users into providing their credit card information for products they never receive.
Joe Kerrigan [04:03]:
"When it comes to these kinds of transactions, cash is king."
Maria emphasizes the importance of verifying funds before making transactions and warns about the sophisticated methods scammers use to exploit trust.
Joe shifts the discussion to a significant legislative development: the U.S. House of Representatives passed the Take It Down Act, aiming to ban the sharing of revenge porn and non-consensual AI-generated images. This bill received overwhelming support, highlighting the urgent need for legal protections against such abuses.
Joe Kerrigan [20:15]:
"The Electronic Frontier Foundation has said that it's a very blunt tool to get people to take down things that people want."
Maria and Joe discuss the delicate balance between protecting individuals from malicious content and safeguarding freedom of expression. They acknowledge the potential for abuse but agree that the current lack of protections in the U.S. makes such legislation necessary.
Maria Varmazes [32:24]:
"As Americans, we don't have this kind of protection. We're out here going, is anybody going to do anything about any of this."
In the "Catch of the Day" segment, Rick alerts the hosts to a scam email masquerading as a message from Harbor Freight. The email capitalizes on tariff deadlines, urging recipients to complete a survey for a chance to win a high-value tool set.
Joe Kerrigan [37:16]:
"Whenever I hear, you know, supplies are limited, I immediately go to that episode of the Simpsons."
Maria and Joe caution listeners to remain skeptical of unsolicited emails offering amazing deals or prizes, emphasizing the importance of protecting personal information online.
Throughout the episode, Maria and Joe provide valuable insights into the evolving landscape of cyber scams and the legislative efforts to combat them. Their engaging discussions, backed by real-life examples and expert opinions, offer listeners a comprehensive understanding of the threats and protections in the digital age.
Maria Varmazes [43:42]:
"We would love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity."
Final Thoughts:
This episode of Hacking Humans serves as a crucial reminder of the importance of vigilance in the digital realm. By dissecting current scams and analyzing new legislation, Maria and Joe equip their audience with the knowledge needed to navigate and safeguard against online threats.