A
You're listening to the Cyberwire network, powered by N2K. Do you know how the space and cybersecurity domains connect? T minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface. I'm Maria Varmazis, host here at N2K CyberWire, and I'm excited to share that T minus is back now as a weekly podcast, the T minus Space Cyber Briefing. We have a new dedicated focus on two great things that are even better together: space and cybersecurity. Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly Internet enabled. We're talking cybersecurity technologies, policies and organizations that are securing the critical space-based infrastructure that powers, protects and connects our lives here on Earth. So join me for T minus Space Cyber Briefing, new episodes every Sunday.
B
Hello everyone, and welcome to the Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey, Joe.
C
Hi, Dave.
B
And our N2K colleague and host of the T minus Space Cyber Briefing, Maria Varmazis. Maria.
A
Hi, Dave. And Hi, Joe.
B
We've got some good stories to share this week, but first we've got some follow up. Joe, you want to start things off for us?
C
I do. I have an interesting story this week.
B
Okay.
C
My wife finally.
B
What?
C
It's not a chicken update, so no. Okay. Dave, you recall back in October, we lost Fred?
B
Yes.
C
Yeah. Fred was a good boy. He was a big dog, but he was a good boy.
B
He was a good boy. He visited the studio here more than once.
C
He did.
B
He was a very good boy.
C
And he came in, he said hi to Dave and he sat down. He did nose through the trash because that was. Well, that's dogs.
B
And Fred liked to be pet. Oh, yeah.
C
He was very pushy. Very pushy. But one of the sweetest dogs I've ever known.
B
He was.
C
So we lost Fred back in October and we still have Josie because we also have two cats now, Josie and the Pussycats.
B
Okay, that's the joke.
C
So my wife is like, I think I want to get another dog, but I want to get another miniature poodle or something similar like Kevin, because Kevin was our first dog and she really loved Kevin a lot and he was a good boy as well. So she actually starts looking around and she got targeted by a puppy scammer. Oh, now I'm going to ask both of you: can you guess the platform? Guess the social media site she was on?
B
Wow, this is hard. What could it be? I don't know. Is it the Book of the Face?
C
It is the Book of the Face.
A
The Book of the Face.
C
Facebook. Right. So she actually engages. She says, where are you guys located? And they say, they were located in Pennsylvania.
B
Yeah.
C
And she says, well, that's great. I love these pictures of these dogs. I'd like to come up and meet them. And they were like, eventually they start telling her, yes, well, that's fine, but we don't reserve any dogs until you send a deposit. And I'm like, scam. Cause she's talking to me the whole time she's doing this. I'm like, this is a scam. And she goes, are you sure? I'm like, positive. This is a scam. And she says, okay, well, let me see if we can just go up and visit the dogs.
B
Right?
C
Because. And she goes, look, I don't want to reserve a dog. I just want to come up there and see the dogs you have, right, before sending you any money. And they're like, no, no, we can't do that, because that reserves a dog, and we can't reserve a dog. We're very reputable people, we're very, very honest and very, very open about what we're doing here.
A
Yeah, right.
C
Constantly saying that kind of thing about it. And I'm like. And they were like, you can give us a deposit of $500.
B
Oh.
C
And I'm like, that's a big deposit. And eventually she's like, no, I really want to come up and see the dog. And then I'll tell you what, we'll come up, we'll see the dog, we'll meet the dog, and if we pick out a dog, we'll write you a check on the spot for $500 for the dog.
B
Right.
C
And they go, how about you send us a deposit? Like 250? How about two fitty, right.
B
Would you believe? Right, yeah.
C
They reduced the amount. And eventually my wife, you know, actually, my wife caught on very quickly after I pointed out, oh, yeah, this is a scam. We've talked about them on Hacking Humans. And eventually she said, look, it's obvious to me that you're a scammer. You're not interested in selling. You're not. There are no dogs. And looking at the pictures, the dogs were all like, beautiful little fluffy puff balls.
B
Yeah.
C
And I'm almost positive they were AI or at least AI enhanced, but, you know, it's. Another scammer. Reported it to Facebook, I can almost guarantee.
A
And they'll be right on it.
C
Yeah, they're on it, right?
A
They've got their best men on it.
C
Yeah.
B
So how did she start her search on Facebook for puppies?
C
I don't know. That's a good question. She may have just gone and looked for puppies, you know.
B
Yeah.
C
Poodle puppies.
B
Facebook. Marketplace, maybe?
C
No, it wasn't Marketplace. She was looking for business sites, I think. Or maybe she was on Marketplace.
B
I don't know.
C
I don't know, actually. That's a good question, Dave. I'll have to ask her that.
B
Yeah. Interesting. Well, glad you didn't get scammed.
C
Nope, didn't get scammed.
B
Yeah, lots of puppies come out of Pennsylvania. There's a lot of puppy mills up there. Yeah, unfortunately.
C
Yeah, it's not great. We got our dog from Virginia, Kevin. When we got him, Josie's just some random dog that some beagle got loose and impregnated a boxer. So now I have this dog that looks like.
B
Yes, you do.
C
Yeah. Right. Now I have this dog that looks like she's made out of spare parts with a little tiny boxer head and a big, staunch beagle body with a beagle tail and long legs.
B
Right. She made a trip through that transport mechanism from the movie the Fly.
C
Right. I think she's adorable.
B
Of course you do.
C
Right.
B
Yeah.
C
My daughter thinks she's an ugly dog.
B
So your daughter's probably just jealous of all the love and attention she gets.
C
My wife is definitely jealous.
B
There you go. All right, well, I have a couple things to share with you and our listeners this week. First of all, I had a very strange thing happen on a recent road trip. I was driving to visit some family on the Eastern shore of Maryland, which is about two hours away. My destination. And if you're familiar with this area in Maryland, if you're heading towards the Eastern Shore, Ocean City, you drive down Route 50, you cross over the Bay Bridge, and Route 50 takes you all the way there. Right. So I am most of the way there, and I'm driving along, minding my own business, and I look, there he was, and I look on the other side of the road, and I see that the traffic is backed up coming the other way. I'm thinking, oh, that's odd. So I look over to see what's causing the backup. Was there an accident or something? There was an emu running around on the highway.
C
I saw this story.
B
What? Yeah, there was an emu.
A
Is this a normal thing that happens where you live?
B
It is not, no. For our listeners, I'll just say emus are not native to Maryland.
C
Right?
B
Emus are not. We have a very low, very low population of emus, but it's not zero. No, no. There's like, a children's petting zoo near us that has an emu.
C
I told you, when I was riding the bike around the BWI Bike trail, I was being stared at by an emu. Right.
A
Is that petting zoo missing an emu? Could that be related to the one.
B
Well, that is, in fact, what happened. This emu had escaped from a farm. I learned later when I tried to look up the news story just to make sure that I wasn't hallucinating.
C
That's something you don't see every. Maybe I'm going crazy.
B
Right. It's like if there was someone in the car with me, I would have said, you do see the emu, don't you? Right.
C
Is the emu in the room with us right now, Dave?
B
That's right. Maybe so. The emu's name was Dexter. He had escaped from a local farm. It took the state troopers four hours to capture Dexter, but he was taken back safe and sound to recover from his little adventure back at the farm.
C
Emus are quite wily.
B
They are. And they're fast.
C
Yes, yes.
B
Australia had a whole thing with them.
C
Did I ever tell you about how I found out about the Great Emu War?
B
Should I say yes?
C
Yes. It's a Google. Okay.
A
Okay.
C
I was doing a Google search with my son on The Great Gatsby, and I was typing in "the great," and the first suggestion is Emu War. And I'm like, what? Wait a minute.
B
And Joe is gone for the next two hours.
C
I never got back to my son. Yeah. I never got back to my son about the Great Gatsby at all. I just got enthralled in the Great Emu War.
B
Yeah. No, it's. It's a page turner.
A
It is. I think that's one of those. Your search habits are influencing what comes up. Because I tried that, and I get The Great Gatsby.
C
Really?
A
I'm not getting. I'm very sad that he did not get the Great Emu War.
C
Well, let me try it again.
B
Maybe I'm putting it in my. The Great Gatsby. Yeah.
C
Yeah. Gatsby. Yeah.
B
Animal war isn't even on the list.
A
It's the same. Whereas on mine, like, the fourth or fifth option is the Great Greek. So I'm telling you, it's.
B
There you go.
A
Which is the name apparently, of a restaurant in my neck of the woods. I didn't even know.
B
So the emu was safe and sound. But I also have from my travels, a chicken story. By the way, Joe, thank you for the eggs.
C
Yes.
B
Ladies and gentlemen, last week Joe dropped by the office and delivered a half dozen farm fresh eggs from the day before. Yes, they were delicious. So warm. I ate them over the course of a couple of lunches. And they were delicious. I have to ask Joe. I don't know if I'm imagining this. Is it so that these eggs have a thicker shell than the egg you get in the supermarket?
C
Oh, yeah, they do.
B
Yeah. That's what it felt like when I was cracking them open. I was like, man, these eggs are hardcore.
C
Yes.
A
Yeah. I bought eggs from my neighbor the other day and I had the exact same reaction. I said, these eggshells are really thick and the eggs were delicious. But yeah, that's so funny you say that.
C
Yeah, they are thicker. Probably because the eggs in the store are maximized for profit. And they, you know, it's calcium might be more expensive. I don't know.
B
Well, they grow. Yeah, I guess they grow quickly. So maybe. Who knows? Who knows? But yeah, but anyway, delicious. Thank you, Joe. They were delicious.
C
You are more than welcome.
B
I appreciate it. But anyway, I got to my destination. Visiting a family member out on the eastern shore. And she actually has two neighbors who have chickens. And the one right next door has a rooster. Ask me how I know.
C
Yeah, I know exactly how you know. You found out at like 5:30 in the morning, didn't you?
A
Right, right, right.
B
So we're sitting there in the backyard, sitting on, you know, just chatting, sitting on some chairs. And the chicken coop is in view. And I see the hens and the rooster walking around. And I see something else in the chicken coop. What is that? Is it a rabbit? Is it? No, it was a rat.
C
A rat.
B
It was a rat in a chicken coop.
C
Yep. Yeah.
B
And this rat was just living his best rat life. Like he didn't have a care in the world. He wasn't trying to hide like Templeton from Charlotte's Web. It was exactly what I thought. He was like Templeton. And I was kind of surprised that the rooster didn't try to evict him.
C
Now, roosters, rats actually will kill chickens. They are not to be trifled with. Oh, they are smarter than mice. I don't know how I know this much about rats. But one of the things that I'm doing is I'm building a new coop because the current coop is too small. And when we were looking at options, my wife's like, what about that one on the ground? If it's on the ground, just envision the underneath of that teeming with rats.
B
Right.
C
And that's what I used every time, teeming with rats.
B
Well, this had at least one rat. And I don't know, I think it would be disconcerting to me if I live next to a chicken coop that also had a rat population. I might have words with my neighbor, but maybe I'm just being unrealistic about what to expect.
C
In the words of Jerry Clower, maybe you need to go out and have a rat killing.
B
Yeah, there you go.
A
Right? Rats are the number one reason why I will never have chickens, because I do not. Do not ever want to be dealing with that.
B
Yeah. Well, I said, what this neighbor just needs is a good snake. Right?
C
Yeah. Rat snake.
B
Yeah.
C
The problem is rat.
B
I don't know why she swallowed the fly.
C
You need a bunch of snakes because you will never keep up with the breed, breeding capabilities of a rat or a mouse.
B
Yeah, that's what we need. A whole den full of snakes. That's good. That's good.
C
Just gather up all the rat snakes in the state and then take them down to your chicken coop and just let them loose.
B
Sure. You ever hear the stories about that
A
The joke from the Simpsons where they had, like, the snake bashing day. Come on. Like, yeah.
C
And eventually they wait for the gorillas to freeze to death in the winter.
B
Right. There's another story, though. Somebody built a house on top of a garter snake nest. Like a historic garter snake nesting site.
C
Really? Yeah.
B
Or thousands and thousands of garter snakes would come to nest underground. They didn't know this when they bought the house.
C
Right.
B
But anyway. All right, I'll tell you what. Let's take a quick break to hear from our sponsors. When we come back, we will actually dive into some Hacking Humans stories. Stay with us. If you haven't already left. Every attacker counts on one thing: environments that trust too much. ThreatLocker closes that gap with default deny at execution. Unknown software blocked. Trusted apps contained with ring fencing. Configurations verified with ThreatLocker DAC so you stay secure and compliant. ThreatLocker delivers the visibility and control CISOs need without adding operational pain, making zero trust real for teams of any size. Stop ransomware at its earliest point. Book a demo at threatlocker.com N2K. All right. We are back. Joe, I am handing the microphone back to you. What do you got for us this week?
C
I have two stories because they're pretty quick, but the first one is coming from WBAL, and I saw this in a lot of different places because I think this comes from their broadcast group, which I think is Sinclair or, no, Hearst Broadcasting. And this is from Damali Ramirez, who is a researcher, a data researcher for Hearst Broadcasting. And it is a really interesting graphic representation of the fraud losses that Americans have suffered. $16 billion last year. And if you scroll down the article, they have, you know, they have some pretty good breakdowns, of course, the five. The top five costliest schemes. Do you guys. If you guys haven't looked at the articles, anybody want to guess at number one?
B
I would guess romance scams.
C
Ah, romance scams, good guess. Number two. But the number one is malicious investment and investment advice.
B
Ah, okay.
A
Yeah. Makes a lot of sense.
C
Billion.
B
Okay.
C
Romance scams, 1.2. Government imposters, 3/4 of a billion dollars. Business imposters, another 3/4 of a billion dollars. And then job scams and employment agencies. Almost half a billion dollars.
A
That's going to be rocketing up the charts.
C
Absolutely. Because that one is. Is turning out to be very successful. I mentioned I was talking with a recruiter, an actual real live recruiter recently.
B
Yeah.
C
And I was like, look, I get a lot. You know, I'm sorry I was so abrupt, but I didn't actually, I don't know if I apologize. Anyway, I owe the guy a call. I said, you know, we get a lot of scams here. I get a lot of. And he goes, you would not believe the level of scams that I have to deal with in dealing with people and dealing with job. Job seekers. They're all. Everybody's scamming.
B
Yeah.
C
Both ends are scamming. This. Yeah.
B
It's awful.
C
It's. It's terrible.
B
Yeah.
A
Ouroboros. Yeah.
C
Yeah. The next. The next article, our next graphic infographic. And these are interactive infographics, which I really like. Which states reported the most fraud? Most fraud schemes per 100,000 residents. So actually do per capita, which is good. Anybody want to guess at the highest state, the state where you are, where there were the most reported fraud cases per.
A
Reported is an important word there.
B
Right.
A
I would guess Florida.
B
Oh, Florida's a good guess. I would guess California.
C
Florida is a good guess. Florida is pretty high on the list. California is significantly lower.
B
Okay.
C
But number one is Nevada with 892 reports per 100,000 people.
A
Yep. Okay. That makes some sense.
C
Interesting.
B
Why Nevada? Or why do you say that makes sense? Maria?
A
I think gambling people who are maybe people who are more primed to be like, I want to throw some money in the direction of something that could be a good bet. Okay, yeah, sure.
B
Yeah, maybe.
C
Yeah. I'm not a big gambler, so, I mean, other than with cheese. Other than with cheese.
A
Right.
C
I mean, I just can't. I just remember you were talking Simpsons references earlier. There's an episode where they. Where they build a casino and Burns, of course, owns it. And he says, I've discovered the perfect business model. People shuffle in, empty their pockets, and shuffle out. And that's how I view casinos. I mean, there's. You know, they don't get to build those big, huge buildings by giving money away.
B
No.
C
Then there's losses. How much money people lost? And this is amazing. Arizona has the highest per capita loss of $6.1 million per 100,000 residents. Which means that, like, each person, if you average that out, everybody lost, like, $61.
A
Oh, that's where that money went.
C
Yeah.
A
Flew out of my pocket.
C
I think this is interesting. Anyway, leave a link in the show notes. I really think this is a great article. Take a look at it. The other story I have, which is really pretty short, comes from Maine from the Portland Press Herald, written by J. Craig Anderson. And this is about a municipality up there called Harpswell. And they lost $189,000 to a vendor payment scam. Now, it doesn't say in this article whether it was business email compromise, the vendor site, or if it was just an impersonation attack, like with some Gmail address or something, or a lookalike domain or something. It doesn't say. They just said that they received the email to change instructions to divert payments for this $189,000 payment to somebody else. And that went through, and the money got sent. They very quickly realized they had been scammed. They contacted law enforcement, and they can't talk about it right now because it's an ongoing legal investigation.
B
Right.
C
But one of the things they're saying is we are now looking at strengthening our policy for these kind of things. The internal payment authorization verification protocol.
B
You think?
C
Yeah, it's. Here's what irritates me about this the most. First off, these taxpayers have lost money. That's number one.
B
Yeah.
A
That's a lot of money.
C
Yeah. Especially for. I get the impression this is a small municipality.
A
Pretty much guaranteed.
C
Right. So it's probably not an insignificant loss.
B
Right.
C
Like the state of Maryland got defrauded out of. Out of this much money. Nobody would blink.
B
Yeah.
C
You know, but the time has long. We've seen these attacks over and over and over again. They've been in the news. Baltimore city was actually hit by one of these, like two years ago. And it's time. If you work for a municipality or even a company, you need to address this process and how this works, because this is a very common vector. And that's really the only solution for it is because you're not going to get the. There is no technological solution to this problem. Because sometimes somebody may, in fact, change their banking details. They may say, I'm done working with this bank. I'm gonna go to another bank and I have to redirect my funds over there. Don't just trust an email on that. That is insufficient.
B
Right.
C
You need to say, oh, okay, well, then here's what we're going to need to do. And come up with a process.
B
Right.
C
Maybe they have to come in and verify this information in person.
B
Get some verification from the bank.
C
Right.
A
Are towns on their own? Okay, so I just have to wonder. Cause I googled Harpswell really quick. It's a town of 5,000 people. Oh, wow. So, I mean, it is. That's tiny. That's practically a little more than a village. So I'm wondering, is there something that towns can look to? I mean, 5,000 is really small. To sort of copy and paste what the good policy is or. I mean, are they all trying to homebrew this from scratch?
C
That's a good question. I'm gonna have to do some research on that.
B
Well, my story has some advice here, so we'll wait for that as well.
C
Right. They do have insurance, so I think they're probably gonna be covered for the loss, which is nice. But. Yeah, still out there. The payment fraud is still going on.
B
Oh, yeah.
C
And it just happened.
B
It's a hot one.
C
Yep.
B
All right, well, we will have links to both of those stories in our show notes. Maria, what do you have for us this week?
A
Well, a story that definitely caught my eye. This one comes in via the Threat Hunter team at Symantec and Carbon Black. So before I jump into the story, gentlemen, I was trying to figure out what the established metric is for median dwell time for an attacker to be sort of sitting and waiting and doing their nasty stuff on someone's system. I could not find a consistent answer. It really does depend on who you ask.
B
And just. Just let me pause you there, Maria. What does that mean?
A
The dwell time is basically the time in which an attacker is sitting on a system and either exfiltrating data or trying to establish a foothold or just being in a place they shouldn't be.
B
Right.
A
So dwelling in it, if you will, right.
C
They're not instantiating any kinetic effects except maybe data exfiltration.
A
Well, that's kind of not a great thing to be doing, right. But hanging out in a place they shouldn't be, right, dwelling in it. And it's a number. How many days an attacker will be dwelling in a thing. And the idea for a defender is to get that number down. You don't want an attacker sitting in your system for very long, because the longer they're there, the more damage they're going to do.
C
Right.
A
So we want to be able to find out that they're there as fast as possible. So the goal, as, you know, good guys, is to get the dwell time number down. In any case, I was trying to figure out what sort of established number is for how long an attacker tends to dwell in a system. And I don't know if either of you have a number for this because I found a bunch. I'm just curious if either of you have heard anything.
C
Last I heard was like 180 days. 180, it's been a. Yeah, that's the last metric I remember hearing. Wow. Maybe that's, I mean that's really old though.
A
Well, you could be right. I mean, here's the thing. I was seeing things from 10 days, eight days, 14 days, I saw some that said six months. So it does seem to be really all over the place. So 180 is possible. But man, that is a long time. So this wasn't like a quiz to see if you got it right or wrong. I'm genuinely saying I can't find like a consistent number. But let's just say I saw a lot of things in the realm of a week to two weeks on average is often considered like what we're seeing for attacker dwell time in an organization's system. And the reason I'm bringing this up is the story that I'm covering today that comes again from the Symantec and Carbon Black Threat Hunter team was about a five-month-long espionage campaign against a senior executive who was working at a major global stock exchange. And this espionage was specifically targeting this person's Outlook account. And again, I want to repeat that the attackers were doing this, they were dwelling, if you will, for five months, which is a long time. If we're saying that the average is usually a week or two weeks before they're found out. So five months is epically long.
C
And they're. They're working on a stock exchange.
A
Yes. So the target works at a major global stock exchange. Not named, but one can imagine a handful of them. There's only a few and many bazillions of dollars moving through them. So, right, if this person is a senior executive and five months dwelling on their account and looking at their entire Outlook account, so you can just imagine what this person was talking about, who they were talking to, what kind of information they had access to, you know, their contact list, their calendar. I mean, that is the game right there. If you've got that information for five months, I mean, that is a gold mine for an attacker. So. And it's interesting in the post that the Threat Hunter team put together about this, I'm just going to quote it, they said, we don't normally publish on single victim incidents, but the focus and operational discipline on display here and the central role mailbox theft plays in espionage operations more broadly makes this a useful illustration of what a targeted intrusion against a senior individual can look like over months rather than over days. And I really thought the phrase focus and operational discipline was worth highlighting because again, to carry out an attack against someone like this, and for five months, the attacker was not detected. That 150 days of dwell time is a lot. And the blog post goes into a lot of detail. I'm gonna do some nutshell because we don't need to get into every step, but y'all can read it if you want. But the attackers basically took a lot of really tiny steps and were very, very patient in making their footprint as small as possible. They didn't get greedy. They didn't, you know, they didn't overshoot. They really took their time and exfiltrated data, really, bit by bit, drop by drop. And the attackers also hid their traces essentially by using cover from legitimate services to look as legit as possible.
So that's how they were able to essentially dwell on that system for five months. So importantly, because I'm sure someone's gonna ask, we do not know how the attackers initially got in, so maybe one day there'll be an update to this story. So we can conjecture, but genuinely, we don't know yet if it was phishing or whatnot. We have no idea. But once the attackers were in and they managed to get a foothold on the victim system, they would schedule tasks with names that looked like legitimate Adobe, Lenovo, or OneDrive system services. Just kind of running as they often do in the background. Because I don't know about you, I don't often look at my task manager just to be like, hey, what's running? Do I recognize all of these things?
C
Yeah, I do that pretty frequently actually.
A
Wait, so you actually do that?
C
Yeah.
A
Really?
C
Yeah, I did this morning.
A
Okay. Do you think a senior executive.
C
No, absolutely.
B
Joe's pretty self aware when it comes to these things.
C
Right.
A
And Joe, can you tell me that every single thing that's running in your task manager, you. You definitively know what it is and can identify it?
C
Sometimes I Google what the processes are. If I see something I don't recognize, I go, what is that? And I look it up and it's, oh, this is a Microsoft process for indexing or something. But yeah, I don't know, when I, when I go looking, I do some investigation. But I'm a cybersecurity professional. It's what I do for a living. And I don't do exactly this, but I've always been paranoid on this kind of stuff and I've always wondered, hey, what's running on my system?
A
That's a good thing.
C
For me,
B
I have done this. I do it from time to time. But for me, what usually triggers it is that the fans will start spinning up on my laptop.
A
That's right.
B
And I'll be like. Because I have a MacBook Pro here. And rarely do the fans ever make a peep. So if they start spinning up, I'm like, wait, somebody's lost the plot, right?
A
Somebody's mining bitcoin using my machine.
B
Right. Something's going on. But like Joe said, nine times. Well, nine times out of ten, every time I've looked it up, I have never found anything malicious. But what I have found is some kind of indexing tool that's just going to town.
A
Yeah, I was gonna say you and I are both running on Mac. So for us it's activity monitor and not task manager, but same idea. And I always have mine running. But I will absolutely fess up. There are a lot of little things running there. I don't know what they are, and I probably should, but I don't. But I'm just fessing up.
B
I'm too busy clicking links.
A
It's true. And honestly, my machine is probably just a Typhoid Mary of all sorts of things.
C
That's right. Typhoid.
A
It's just. Honestly, it's a miracle that I'm even here right now that you're online at all.
B
No, you're patient zero when it comes. When the day comes and they try to figure out what caused the great downfall of Western society. It was me, Maria.
A
Me personally. I did it. You're welcome. Yeah. So going back to this story and not my terrible security hygiene, the attacker in this case would have these legitimate-looking tasks running in the background and would also re-register these tasks every few weeks during their campaign of data exfiltration. So they established persistence. And then for command and control, the attacker used a persistent instance of Dropbox, which a lot of us have running all the time. And later they also used OneDrive personal, another completely legitimate tool. And then drip by drip, really slowly, in tiny little chunks, they would exfiltrate data from the Outlook account. And again, I'm going to emphasize, they did this very slowly. So this was never enough data leaving that would trigger an alert or even downgrade system performance. So no fans were spinning, nobody was overclocking their system. It was just like real quiet, real in the background, and nothing that would make the person who was targeted here actually think to check their task manager and go, what's going on? That's taking up like 95% of my CPU.
B
Right.
A
You know, it's nothing like that. So nothing looked suspicious, nothing acted suspicious. So that five months of dwell time makes a lot of sense in that case. So there's no necessarily like takeaway for the average person here because this was clearly highly targeted espionage. And then if there's anything actionable to be done here, it's for an IT professional.
B
Right?
A
But it was very interesting that the attackers also really left very little trace of themselves. There was not enough information from the tools that they used or other clues left behind like system identification and info. There was not enough left behind to even make a guess about who the attacker might be, which is just like, wow, I just, I find this story super fascinating. And I want to mention for the IT pros who may be listening, going, oh, Symantec did actually publish the indicators of compromise. So if this is something that sounds like it might be relevant to you, there are IOCs published on the blog post that you can look at. But I just. Very interesting that, you know, Slow and Steady won the race on this one. And also the attackers were very careful, meticulous, and patient. And we don't always see stuff like that.
C
Do we know what kind of data they exfiltrated?
A
I don't. That was not published either. So yeah, I can't imagine it was anything people want out there.
B
Well, I've passed. I talked to somebody recently. I can't remember who it was. I was interviewing somebody who was talking about this kind of espionage and how sometimes these people are just looking for the movements of the market.
C
Right.
B
They just want insider information and that's what they use.
C
Exactly. What this screams to me. I don't know what an executive at a stock exchange gets in terms of information, but I'll bet they have better access than the average person does. They might have earnings reports early. I don't know if they do. I. This, this is one part of the, of the business world. I don't know. Yeah, yeah, you know, the investing world. I don't know when, when people find out earnings are they at. I know that you have to file these earnings with the SEC. So, you know, if I was a malicious actor, I'd be targeting the SEC for the earnings reports or the filings before they come in. But I think you can time that with public release. I don't know. I wish I knew more.
A
So it sounds like we need to poke around on Polymarket to see if somebody made a pretty penny.
C
Oh yeah, yeah. I'll guarantee you if you look into this, there were some big trades before large earning announcements that people made a lot of money on. And that was probably. That would be my guess as to what the outcome of this was. And this is probably some very sophisticated criminal organization.
B
We did a story about a week ago about, I believe it was a Google engineer who was accused of having access to the. I guess Google published lists of what are the most popular search terms for the past year, six months, whatever it might be. And this person had access to that before it was released publicly and made a bunch of Polymarket bets on what they would be. And won big because he knew what they would be.
C
Polymarket's the futures organization?
B
I don't know how you'd label this.
A
They gamble on everything.
C
Yeah, but it's not gambling because these are actually investment vehicles and that's how they're getting around the gambling.
B
If you say so.
A
Okay, Rules, lawyer.
B
I keep them at arm's length. But anyway, his betting was conspicuous enough that I think that was part of how they tracked him down. And same thing with the SEC. They've got finely tuned systems for trying to sniff out this stuff. But I think as Maria points out, one of the things about this is discipline and patience.
C
Right?
A
Yeah.
B
And yeah. All right, interesting story. So we'll have a link to that in the show notes. I tell you what, let's take a quick break here. We will be right back after this message. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allowlisting, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with ThreatLocker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today.
B
We are back and it is my turn here. My story comes from the folks at Bitdefender. This is a story they shared. It's called the Deepfake Boss Scam: How to Verify Requests Before It's Too Late. So we'll just set this up. Imagine that you get a video call from your CEO, and at first glance, everything looks right. The face looks right, the voice sounds like them. And they tell you that a confidential deal is underway and they ask for an urgent fund transfer. Would you stop and question it?
C
Yes. Yeah, only because I'm on this show and I've seen this exact scenario before.
B
Right, right, right. Well, according to Bitdefender, this scenario is becoming increasingly prevalent. The bad guys are using AI to create these convincing deepfakes of executives, business leaders. And these personas can appear in video meetings or on phone calls or voice messages. And they're there to exploit the trust that the leader has earned with their employees. Perhaps also fear. Right, but they're pointing out that this isn't just a theoretical thing. Hundreds of thousands, in some cases millions of dollars have been lost after the employees were convinced that they were speaking with the leaders of their companies. They pointed out one case where attackers used an AI generated voice clone to impersonate the CEO and trigger a fraudulent transfer of funds. There was another one where an entire video conference was populated with synthetic versions of executives and colleagues. So not just one person. Imagine getting on a Zoom call and
C
there's the board of directors.
B
Right, right. Like an AI intervention. Right.
C
Dave, we love you and we care about you.
A
Oh man, I the flop sweat immediately.
B
And they were persuading the employees to move large sums of money. And imagine you, I would imagine most people today, you think, well, okay, maybe they could scam a one on one with my boss. But surely the entire half a dozen people of the whole board of directors, that can't be faked. But, but according to this article, it can. So they use a lot of things we talk about here all the time. Authority, urgency, familiarity. And then they apply pressure for the person to act quickly again using sensitive financial matters. And people are reluctant to challenge their boss. And they point out that remote work, hybrid work, increases the opportunities for this sort of thing because it's harder to go down the hall and knock on your boss's door and say, did you just ask me to transfer $2 million? When you're working at home.
A
Yeah. And also presuming that the executive is in your office, which in my experience is almost never the case. They're usually traveling or in a meeting or whatever.
B
That's true. Right. All in air quotes. So they point out effective defense. Something we talk about here all the time. Verification. Confirm these requests through a separate communication channel. You should have a multi person approval process. So your organization should require anything above a certain amount of money, should get in front of more than one set of eyes. And then also training, training your employees to recognize these sorts of manipulation tactics. They say if something involves money, sensitive data or access to critical systems, pause, verify.
A
Yes.
B
And be sure to follow the established procedures. But you need to have these procedures in place. And they're just emphasizing here that this AI, the capabilities of these AI systems is growing every day. And these deep fakes are getting more and more convincing. They're getting faster. So there's not so much of a pause between a question and an answer when an AI is responding to things. So people really need to unfortunately become more skeptical of what they see and hear and really lean into these verification processes. What do you guys make of this?
C
Yeah, I think that the policy angle of this is the key. Similar to the story I did about the company, the municipality. There we go. Haven't been sleeping well lately. Dave. Yeah, so you know, the municipality who lost all that money, that you really have to focus on the policy and the training and just be aware that this is out there, that these people are getting scammed. When we first saw this kind of thing happening, it was with email and the people who were, this is before LLMs, were big and popular and available. The people were imitating the language style, the linguistic writing style of the CEO to get somebody in a distant part of the organization to send millions of dollars for exactly this kind of thing. Hey, we got a secret deal coming. Don't tell anybody.
B
Right? And I would also add to that the gift card scams where you get a text message from the CEO that says, hey, I'm in a meeting or I'm at a conference. I need you to do me a quick favor.
C
Right, yeah. That. I don't know, that seems like, I mean, that's going to impact the individual more financially than it is the company. But you still want to protect against that and maybe have the company, the CEO, say, look, or everybody, every manager, it's our corporate policy that we will never ask you to run a personal errand for us. And that includes buying us gift cards, right? Especially.
B
Yeah, right. All right, well, we will have a link to that story in the show notes and again, we would love to hear from you. If there's something you'd like us to consider for the show, please email us. It's hackinghumans2k.com. All right, Joe, Maria, it is time for our catch of the day.
C
Dave. Our catch of the day comes from a listener named Pete from the Netherlands and he writes, hi, Dave, Joe, and the one and only Maria.
A
I promise I didn't pay this person.
C
You guys have seen it on the show. Fake princes, dubious package tracking links, endless romance scams. But I think I have a fun catch of the day nomination for you. A cybersecurity consultant who is so desperate for a payday that they are actively trying to bypass the integrity of the entire IT sector.
A
Oh, interesting catch.
B
Bold.
C
I was approached on LinkedIn by a self proclaimed "senior consultant," end quote, offering a massive laundry list of IT and cybersecurity certifications. Everything from a CISSP to Salesforce. I have the CISSP, but I've never bothered to get the Salesforce thing.
B
Okay.
C
Instead of asking about the coursework, I decided to test her and ask her straight up, can I just buy them? Her answer was shocking and hilarious. Yes, you can call. Gee, can I just buy these certifications? So maybe now I will get that Salesforce.
B
There you go.
C
I've attached screenshots to the conversation.
A
Right.
C
Yes, Screenshots from my laptop so nobody can judge me by my reception or terrible battery status. Well, I appreciate that.
A
Way to look out for yourself.
B
Smart thinking there, Pete.
C
Yeah. Do you want to just get into this?
B
Yes, let's get into it. So, Maria, why don't you start off? The person getting all this started is named Ankasha. So why don't you go ahead and I will play the part of Pete.
A
Hello. Warm greetings. Thank you for adding me to your network. Wishing you a wonderful day ahead. Well, I am a trainings consultant for IT and cybersecurity certifications. Good heavens. Do I need to read all of those?
B
No, that is copy and paste. Basically, all of them. Yeah. Right.
A
Okay. Are you looking for any certification and trainings? Like, I mean, it is just I. You name it, it's in this list.
C
It's just ends with or any other.
A
Or any other question mark.
B
Can I just buy them?
A
Yes, you can. May I know which certification you are looking for? Your profile, growth and skill development so that I can arrange details for you?
B
Salesforce.
A
Yes, we can assist you with Salesforce training and certification. I will request my training manager to provide you with comprehensive details regarding the certification, training, and the entire process. Please confirm me your contact number so I can arrange the details for you as per your comfortable time.
B
I don't want the training, just the certification.
A
Okay. Is this your right WhatsApp number? Hey, Pete. I'm awaiting for confirmation so that we will provide you all the details regarding the certification.
B
I really don't want to make phone calls about this.
A
Not for call without any permission. Only WhatsApp texting you can.
B
Not interested anymore.
A
Okay, no problem.
B
So Pete goes on. Joe, do you want to read this part where he describes where he says, the smoking gun?
C
Yeah. He says, here's a quick breakdown of their playbook. The smoking gun. In the second screenshot, she openly admits that I can bypass the exams and just purchase the certificates directly. Official bodies like Salesforce or Cisco obviously never do this. Meaning they are either selling worthless fake PDFs or offering an illegal proxy testing service. The Platform Pivot. Which is when she wants to go to WhatsApp. As soon as I showed interest, she aggressively tried to move the conversation over to WhatsApp. Is this your WhatsApp number or only WhatsApp texting you can, which I can barely get through, is a sentence so bad I can barely get through it.
A
Only WhatsApp texting you can.
C
Right? That's a classic move to escape LinkedIn's automated fraud detection systems. Which is 100% correct. Yep, it's the ultimate irony. A scammer attempting to sell cybersecurity credentials through blatant fraud. Love the show. Keep up the fantastic work, Pete.
B
Wow. Well, as someone who has a PhD from Harvard, let me just say that I was on top of this from step one.
C
Right. You know what? I think I might get a fake PhD thing from Harvard or Stanford or something. Just hang it up in my office and see if. See if people notice that. Well, you have a PhD from Harvard? No. What's that? That's weird.
B
You should make one from all of the Ivy League schools and just rotate them every week. See if anybody notices that your PhD from Harvard became a PhD from Yale became a PhD.
C
Yeah, I did go to Dartmouth once for about a week.
A
Yeah.
B
Okay.
C
Like, that's one of my favorite things to tell people. I went to Dartmouth.
B
You did?
C
Yeah. I went to Vanderbilt, too. Just went there, that's all.
B
Okay. Nice. Nice cafeteria, right?
C
Yeah.
B
All right. Well, again, thank you, Pete from the Netherlands, for sending this in. We do appreciate it. And if you have something you would like to send us, please do. Our email address is hackinghumans2k.com. Most environments trust too much and attackers know it. ThreatLocker enforces default deny at execution, blocks unknown apps and limits what trusted apps can do. Stop ransomware at the source. Get your demo@threatlocker.com N2K. And that is our show, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumanstudio. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ibin. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
I'm Maria Varmazes.
B
Thanks for listening.
Date: June 11, 2026
This episode explores the persistent and evolving threat of social engineering, with a focus on how AI is supercharging scams such as deepfakes, business email compromise, vendor payment fraud, and certification grifts. Featuring hosts Dave Bittner, Joe Kerrigan, and Maria Varmazis (from the T-Minus Space Cyber Briefing), the discussion unpacks recent scam anecdotes, analyzes key news stories in cybercrime, and illustrates the growing sophistication and scale of deception in the digital world.
Joe's Puppy Scam Encounter
“They were like, ‘We don't reserve any dogs until you send a deposit.’ And I’m like, scam.” – Joe Kerrigan (03:23)
Dave’s Road Trip: The Escape of Dexter the Emu
“Emus are not native to Maryland… There’s like a children’s petting zoo near us that has an emu.” – Dave Bittner (07:48)
Backyard Chickens and Rats
"Rats actually will kill chickens. They are not to be trifled with." – Joe Kerrigan (12:13)
$16 Billion Lost to Fraud in the US – Recent Data Breakdown
“Arizona has the highest per capita loss … Everybody lost like, $61.” – Joe Kerrigan (19:04)
Vendor Payment Scam in Harpswell, Maine
“The focus and operational discipline on display here … makes this a useful illustration of what a targeted intrusion … can look like over months rather than days.” – Maria quoting Threat Hunter post (26:50)
“Imagine getting on a Zoom call and ... there’s the board of directors... Like an AI intervention!” – Dave Bittner (39:13)
“A scammer attempting to sell cybersecurity credentials through blatant fraud.” – Pete, listener (47:56)
| Segment | Timestamps |
|--------------------------|------------------|
| Puppy scam story | 01:44 – 06:26 |
| Emu & chicken/rats light banter | 06:26 – 14:16 |
| US scam stats & vendor scam | 15:25 – 23:05 |
| Exec espionage: dwell time | 23:14 – 33:32 |
| Deepfake boss scam | 37:28 – 43:25 |
| Listener: Cert scammer | 43:53 – 49:00 |
End of Summary