A
You're listening to the Cyberwire Network, powered by N2K. Hello, everyone, and welcome to N2K, CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hey, Joe.
B
Hi, Dave.
A
Maria Varmazis is off this week, but she will be back next week. Yes. She had some business to attend to, so she says hello, and she misses everyone after the winter break, but we will enjoy having her back next week. We have some good stories to share this week. And later in the show, Joe and I welcome Rishika Desai. She's from a company called BforeAI. We're discussing a recent blog post that they had. This is about social media ad account rentals, which is a growing area of brand impersonation. All right, before we dig into any of that, let's dig into our follow up. Joe, what do you got for us?
B
We got a chicken update, Dave.
A
Oh, thank goodness, everybody.
B
I'm sure everybody was like, over Christmas break or New Year's break, you're like, how are Joe's chickens? I'm sure the chickens are doing well. I was working on. I said before we left on the break, I said, I'm gonna be working on a new chicken run. Yeah, I got most of that done, but then on Saturday of this week, right before recording this, I broke something in my ankle.
A
Oh.
B
So it's.
A
Let me ask. Were you mountain climbing? Were you skydiving?
B
Excellent question.
A
Were you scuba diving?
B
No, I was doing something much more mundane. I stood up. Dave.
A
That's okay. Wow.
B
It's a stress fracture on an old injury is what it is. And I was moving the walls. I built this thing in. You know, I conceived of it as a big box and then built walls. And I had moved one of the walls out with a. I built a nice Dutch door. Dave. I'm really proud of the Dutch door.
A
Okay, fair enough.
B
So I moved the Dutch door out with my son's help. And then I picked up one of the regular walls. It doesn't have anything on it, just a featureless wall. Cause that was light enough for me to carry. Carried it in, and I was putting in some. Either some supports or actually beginning to nail wire to it. Cause these chickens, Dave. It took one of my chickens about five minutes to find her way to the top of the run and be standing. This thing is 6ft tall. 6ft 3 inches tall, and she hopped up on a little thing inside and then quickly hopped up. I had to put a ramshackle makeshift roof on it. I'm planning on building a roof, but that's on hold right now because I can't walk around the house very much. I'm walking with a cane. I've got a boot on my foot.
A
Yeah. Your ankle is currently not load bearing.
B
No, it is not. I mean, actually, the ankle is fine. It's actually this extra piece of bone that's not even supposed to be there, that's fractured. The only thing it does is hurt. That's all it does. That's the only purpose it serves, is cause pain.
A
Okay.
B
Right.
A
But they're not threatening to go in and, like, take it out. You've just got to sit this one out.
B
I just got to sit this one out. Right. I did talk to my friend who is an orthopedic PA, and I said, can I just cut this open with an X-Acto knife and get the Dremel tool in there? He goes and he goes. You're joking. But that's pretty much what we do when we do surgery on this.
A
Wow. All right, well, we wish you a speedy recovery.
B
Yeah. I hope this is not long lived.
A
No, no, that's fun. Cause, you know, injuries take longer to heal the older we get. Right.
B
And I've got this thing, like I said, standing up. This is the most old man injury I've ever incurred.
A
Right.
B
You know, the original injury that this is an exacerbation from was much more. Much more cool.
A
For ages ago.
B
Or. Ages ago. Yeah, back in college.
A
Oh, okay. Well, that's good.
B
Yeah.
A
All right. You can tell me this story offline.
B
I'll tell you that story offline.
A
All right, well, speaking of stories, See what I did there? Let's jump into our stories, and I'm gonna lead things off for us here. This is actually a story from the folks over at Reuters. It's interesting. One of those cool interactive scrolling webpages, and it's all about how cybercriminals plot to rob a target in a week or less. And basically, what's happened here. Well, let me set the table. Set the tail for you. Set the whatever. Set the. What am I setting? I'm setting something.
B
You're setting the story.
A
There you go. Setting the story.
B
The scene. Setting the scene.
A
Ah, that's what I'm looking for, Joe. I'm setting the scene. Ooh, boy. I'll take words that are just out of reach for 500.
B
Apparently some of my brain is in my ankle. That's right.
A
So I think we've all had this thing where your phone buzzes and you get a message from a number that you don't recognize, and smart folks like you ignore it. Look at it. Probably Maria would just click on it, because she's not here, so we can blame it on her.
B
Maybe Mabel Johnson will answer it.
A
There you go. And it says something nondescript like, hi, my name is Sam, nice to meet you. And for some people out there, this is a chance encounter, maybe the first step of some comfort or some romance. And according to this report from Reuters, after some police raids in the Philippines, they uncovered some things that explain how these moments come to be. They found detailed handbooks, really step by step guides for how to groom strangers, build intimacy and ultimately get their money. So these were manuals that were written in Chinese and English, and basically they're instruction books for social engineering, for emotionally manipulating people. They spell out how to invent a believable persona, what sort of job to claim, what sort of hobbies you should know about, even things like zodiac signs. There are a couple things in here that are noteworthy in how blunt they are. One of the Chinese manuals said, I'm quoting here, a woman's IQ is zero when in love.
B
I know a number of guys that applies to as well, myself included.
A
It says another item promises that once emotions are in place, money will follow naturally. And of course they're talking about, you know, pig butchering, right. For going after people to get their money. It talks about how the scammers adapt to their targets. Middle aged women are described as lonely and overburdened. Career focused professionals should be met with admiration and confidence. Conservative personalities should be offered excitement and escape. So basically they go through this process of feeling you out. It's kind of like a choose your own adventure book really. Well, if you run into someone with these personality aspects for, you know, like I just said, someone who's conservative, then you're gonna go down a certain path.
B
When you say conservative, you don't mean politically conservative, right?
A
You mean like.
B
Yeah, I mean they don't say a lot. They're.
A
Yeah, yeah.
B
Or they don't wanna take risks.
A
They're not someone out seeking adventure, you know, so that's. You wanna offer them the thing that they don't get in their normal day.
B
To day life and pretend you're gonna offer it to em risk free.
A
Exactly, exactly. Paying them lots of compliments and things like that. Other things that are in this handbook, they say daily messages are mandatory. Small requests are a good way to build rapport. Remind people to eat on time. Call me tonight. Trust me, follow my lead. They say that speed matters. One of the handbooks outlined a seven day arc. On day one, you make contact. On day two, you introduce investing. On day five, you establish romance. And by day seven, you present a fake investment platform.
B
Seven days to the fake investment platform.
A
Yeah, seven days. Which, you know, compared to some scams, that's a long game. Right? I mean, that's.
B
Yeah, I mean, compared to like the panic calling with the threats and you know, like, hey, this is the IRS and you owe us money.
A
Right.
B
Those are very short term, but seven days is pretty short time horizon. We've seen some of these romance scammers work these things for months.
A
Yeah, that's true, that's true. And these folks are playing the long game.
B
Yeah.
A
This article talked to some victims. There was a woman named Beth who met someone who claimed to be named Richard on the Tinder platform after a divorce. And within weeks they were engaged. Within a few more weeks, she'd sent him tens of thousands of dollars.
B
Oh, man.
A
And eventually, lucky for her, her financial advisor intervened.
B
Excellent. Good work on that guy.
A
Yeah. Made sure that or girl, I don't know guy or gal, made sure that, you know, or I guess set her straight. What was going on here? So the story touches on things that we've talked about a lot here. Things like shame, things like isolation, questions that never get answered. Just sort of leaving people hanging, you know what?
B
The questions that never get answered. I wonder if there's like some kind of psychological component where the victim essentially just fills in the blank themselves. Like with a lot of these scams, particularly. We saw this when years ago, I was doing the old timey scams, which essentially are the same scams that are being run today. They're just run in person, where the goal was to let the victim fill in the blanks and come up with their own ideas. And I'm wondering if that's why they leave some of these questions unanswered. Not because they couldn't answer them, but because getting the victim to answer them is better from their perspective, psychologically worse for the victim, but better for their success rate.
A
I think that's certainly plausible. One thing, an additional thing that I thought was, perhaps it's just a way to keep them on the hook, to keep them kind of emotionally agitated, always wanting. Leave them wanting more.
B
What do we call that? The information gap. Yeah, they want the information. So they're gonna stick around to get it.
A
Right. You know, it's like when you get a message from your boss that says, can we talk?
B
Yeah, I have nightmares about that, Dave.
A
It's the worst information gap there is.
B
Yes. Right? Yeah. I think. I think now in my career, if my boss sends me an email and she says, can we talk? I have. I have got to. I would respond to that like, that's an unacceptable information gap to leave in a message.
A
Well, it reminds me also of, like, when our kids were in school and the school nurse would call, the first thing they'd always say is, everything's okay.
B
Everything's right. And they do that because they know that the information gap is devastating. So they say everything. That's the first sentence out of their mouth if everything's okay.
A
Right. So the scammers, they want to leave you guessing and say, oh, next time we speak, I have something I need to share with you. And now you're on pins and needles, wondering what it's going to be.
B
I got to tell a story about this.
A
Okay.
B
When I was in my brief but failed sales career, I worked with this guy. Let's call him Larry.
A
Okay? Right.
B
That was actually his name, but I'm not gonna tell you what his last name was, but he was kind of this smarmy sales guy. And one of the things he said was when you call and leave a message for somebody, say, hey, I got great news. Give me a call back.
A
Right?
B
And then when they call back, ask what the great news is, they'll call you right back because you told them you have great news. And I tried this on my sister, okay? I said, hey, Kate, great news. Give me a call back. And she calls back, and she goes, hey, what's the great news? And I'm like, I don't have any news. I just wanted to see if that would work to get you to call back. One of the sales guys I work with. And she's like, all right, I'm gonna hang up now.
A
Right.
B
So very frustrating. But my question to Larry was, so what's the great news? What do I tell him? He goes, oh, just tell him you got, like, $3 off on the product and give him a $3 discount.
A
Yeah.
B
And tell him, isn't that great? I'm like, that's just, like, the worst way to go about.
A
Yeah, yeah, yeah.
B
Just intellectually dishonest sales. I mean, maybe that's why I failed at that, is because I just couldn't bring myself to be that way.
A
Yeah. I know, I understand. I understand. And sadly, a lot of those things work.
B
They do work.
A
So these manuals, they end with a final instruction to the scammer. They say, never focus on just one target, and if one connection burns down, move on. Keep messaging, keep fishing, don't worry about that. Yeah, keep multiple balls in the air.
B
This, again, sounds like a sales thing. Yeah, this is exactly what they tell you in sales. I mean, what you're looking at here, Dave, is the front end of a business and the inside salespeople.
A
Right.
B
There are no outside salespeople in this business. Cause everybody's doing everything over the Internet, over the phone. But this is lead generation and business development.
A
Yeah. So this is one of those articles, like I said at the outset, it's one of those interesting visual presentations where it's very graphically rich. So we're going to have a link to this in the show notes, and I would recommend this is one that you could send around to your friends and family and coworkers because it's not just informational, it's educational. So I think it could land with a lot of people. The play element of it might make some of these things sink in a little better, make it a little easier to consume.
B
Yeah.
A
So we'll include that link in the show notes and we hope you do check it out. All right, that's what I've got. Joe, what do you got for us this week, Dave?
B
This week I want to talk about the CrowdStrike 2025 Global Threat Report, which came out my office. Actually, my former office mate, Michelle, we've now since moved, so we'll put a link to the report in the show notes. You have to enter some information on it. But she came into my office today and said, have you seen this report yet? And I was like, I have not. And there are some interesting facts we're gonna get to in this, but first thing I wanna say is CrowdStrike, that is a cool cover for a report.
A
Okay, yeah, I see. Yes, I agree.
B
It's got like a cyberpunk guy with a mohawk, a cyberpunk guy with a black hat. It's really. And it doesn't look like a typical cybersecurity image on the front of it, but I think it is AI generated.
A
Well, this is kind of CrowdStrike's thing too. In trade shows, they have these big mannequin models of threat actors and that sort of thing. And they throw a good party also, by the way.
B
Do they?
A
Well, you know, cybersecurity companies have A lot of money. So, yes, they throw very nice events, but, yeah, they did invest in striking graphic design for this particular product.
B
Yes. So the first quote here that I want to talk about comes from very early in the report. The number of new named adversaries tracked by the elite CrowdStrike counter adversary operations team continues to expand. And established adversaries are consistently adding new targets, more sophisticated techniques to their evasion, intrusion and exfiltration arsenals. So nothing's getting better, essentially, is what this is saying. Now, there is a good bit of. Since we're on the topic of sales salesmanship going on in this. In this report as well, so keep that in mind. This is a marketing tool for them. But the data in here is legit. And since we're talking data, let's talk about some terrifying statistics that are in this thing.
A
Oh, goody.
B
Yes. Breakout time. What do you think is the average time for someone to move out of the first machine that's been compromised on a network? Average time.
A
So what you're saying is they get access to the initial machine that they break into and then they start moving around.
B
Correct.
A
On your.
B
On your network. Pick, pick a time.
A
Few hours, I guess, something like that.
B
48 minutes. That's the average time. The fastest observed breakout time was 51 seconds. That's got to be an automated attack.
A
Yeah, yeah.
B
There's got to be automation involved in that. This is. This is the lowest that CrowdStrike has ever seen for this, this, this metric.
A
Okay.
B
Voice phishing attacks. And then they put in parentheses vishing, which I like that they're not really saying this is voice phishing, because I hate that term, vishing.
A
I know you do.
B
These are scam calls. They are up 442% between the first half of 2024 and the second half of 2024. So the data in this report is from 2024, even though it's a 2025 report. And I'm not sure when in 2025 it came out, but it might be a little older. But this is an interesting thing. The next interesting statistic is attacks related to initial access are up, accounting for 52% of vulnerabilities that CrowdStrike observed. And access broker advertisements increased 50% year over year. So the first kinetic. There's a whole kill chain for these attacks. And getting access is like the first thing that you really need to do in order to do something.
A
Right.
B
And there's. There actually are things you do before you do that. Like there's reconnaissance and then there's like maybe some phishing or a phone call or something. But once you get access, a lot of times, in fact, there are people out there whose business model is I'm just going to get access and sell it to the highest bidder.
A
Right, yeah. Like you say, these access brokers, they're the ones who, they sell you the keys to get in.
B
To get in. And the advertising for that has increased over 50% from, from the years.
A
So business presumably is booming, right?
B
Yeah. Getting the access is, is, they're, they're doing well. And I don't know if this is advertisement for hey, we'll get you in or hey, I've got in. Here's, here's the credentials. Yeah, the, the valid account abuse accounted for 35% of cloud incidences. So this is still a problem. And one of the big factors in this is people putting cloud access tokens in code that gets checked in somewhere or gets put on a website or something. You got to take precautions to make sure that's not out there. Here is the most interesting statistic and the one that actually Michelle highlighted to me when she brought it in. 79% of the detections in 2024 were malware free detections. That means these were just social engineering attacks. They just called in and talked to somebody and said, hey, we got, you know, here's some BS story. Let me get access to your system. They would then use that, you know, do something. I'm gonna outline a story of how it works with a specific group here in a minute.
A
Okay.
B
But if you go back to 2019, that was only the case 40% of the time. In other words, almost two thirds of the time there was malware involved. Now, almost 80% of the time, no malware. We're just getting the access and we're socially engineering our way in to this system, this company, and we're exploiting the existing system and living off the land. There's no malware.
A
Yeah, I wonder how much that points to the fact that the malware detection is getting better and better. Yeah. So they can't rely on that to the degree that they used to be able to. And they have to just use social engineering.
B
It may be a factor. Yeah, it may be also that these guys are scaling up and they're just going with the easier attacks.
A
Right, right.
B
The other, the other thing is that like you said, malware in these situations is not going to be like bespoke malware. It's going to be some kind of commodity malware. And that's going to show up almost instantaneously with a scanner. So as soon as you copy a file to a disk that's malware, if it has a fingerprint that is recognizable by the antivirus on the machine, it's going to get quarantined. And I think your point is 100% valid, that this stuff doesn't really work anymore. But you know what? PowerShell is not malware. Right?
A
Right.
B
The bash shell in a Linux system is not malware or a Mac system. It's not malware. It's normal software. And I can run commands in that that do very malicious things.
A
Right. So the point being, there are pre existing, pre installed bits of software on everyone's computer that are capable of good and bad. So that tends to be what we're seeing here. And the. The term for that is living off the land.
B
Yes.
A
Yeah. Interesting. What else here, Joe?
B
So there's a case study in here about this threat actor they call Curly Spider. And this report goes into how they name these different threat actors. Normally, if it's from China, they call it something panda. It's interesting that there's no threat actors from the United States listed.
A
Yeah, we've talked about that over on Cyberwire. Like, you know, it should be like patriotic eagle. Right?
B
Curly eagle.
A
Yeah. Canada would be Apologetic Beaver.
B
Apologetic beaver. Right, Beavers.
A
Yeah.
B
I did find that Colombia has the ocelot. So if it's out of Colombia, the country, not this town that we live in, or that I actually used to live in. I have moved out of Columbia. But the ocelot. Every time I hear ocelot, I think of two things. I think of the Archer Babou, and then I think of Salvador Dali, who actually had an ocelot named Babou, which is the reference for the joke.
A
So, yeah, I think of Phineas and Ferb because Dr. Doofenshmirtz was raised by ocelots. Whenever I think of Dr. Doofenshmirtz, the thing that immediately flashes to my mind is baking soda volcano.
B
Anyway, Doofenshmirtz is my. Is my icon on the Disney Plus, by the way.
A
All right, so what happened with Curly Spider?
B
Spider is what they call their eCrime units. In other words, they're not nation state associated, they're just out there, okay? They emerge as one of the fastest and most adaptive eCrime adversaries out there. And they say that what happens is the way this organization works is a user receives a huge amount of spam, impersonating charities and newsletters and financial offers and all this other stuff. And as soon as they get that, they get a telephone call from someone pretending to be from IT, and they're saying, hey, we see you're getting a lot of spam. This is caused by malware or maybe outdated spam filters. The user is then instructed to install an RMM tool. I guess that's some kind of remote management like Microsoft Quick Assist or TeamViewer. And if it's not already present, and then the adversary will use this tool to establish control. And once they're in, that's the game.
A
Right.
B
So they will install backdoors. And a lot of. Like I said, these things, you don't need to install malicious software as a backdoor. You can just open up a reverse shell with a command prompt. So as soon as you can have access to the machine, you can be in. Yeah, these guys operate very quickly, too.
A
Yeah. All right, well, we will have a link to the CrowdStrike 2025 Global Threat Report. We'll include that in our show notes. And of course, we would love to hear from you. If there's something you'd like us to consider for the show, please email us. It's hackinghumans@n2k.com. We're gonna take a quick break here. We will be right back after this message from our sponsor. Every attacker counts on one thing. Environments that trust too much. ThreatLocker closes that gap with default deny at execution. Unknown software blocked. Trusted apps contained with ring fencing. Configurations verified with ThreatLocker DAC so you stay secure and compliant. ThreatLocker delivers the visibility and control CISOs need without adding operational pain, making zero trust real for teams of any size. Stop ransomware at its earliest point. Book a demo at threatlocker.com/N2K. All right, Joe, we are back, and joining us here today is Rishika Desai. She is from a company called BforeAI, and we're talking about a blog post that they recently posted about some of their research. It's titled, Want to scam someone's customers? Rent their social media ad accounts. So tell us the story here. How did this originally come to the attention of you and your colleagues?
C
So, while we were on one of our initial level of investigations, we identified that there were certain websites which had a page title or a page description which said rent a Facebook account, or rent a Facebook ad account, or black hat Facebook advertising account. So such were the keywords that we observed on certain websites. Now, it wouldn't be as interesting to us unless we also saw that there were so many different Telegram accounts associated with them, and then they had a significant number of subscribers to that channel. When we went in depth of it, we realized that, okay, they're actually selling an ad account which does not even belong to an agency. So it would be a different case altogether if it was a legitimate agency, but they were using some unethical practices to host certain ad accounts which different businesses can rent out to run their ads. And that's how we carried out our investigation.
A
Well, take us through how this works. I mean, this is about taking advantage of existing ad accounts. Walk us through the fraud here.
C
All right, so let me start from the basic, or give you a perspective from a business. Right? There are certain legal businesses that operate in certain zones that are considered non compliant with the ad agencies. Now if you're running a business, we always understand that it's very essential to have some campaigns running, some sort of marketing running in a way that we get our increased revenue, we get different views or customers reaching our social media pages or website. Right. So as a legal business, if you're operating in a zone where it does not fit compliant to ad agencies, they might tend to ban the business or the account that you're working on. Right. To give you a basic example, let's say about crypto, right. Or some drugs that have very unsolicited claims, like they will help in losing weight in 10 days or something like that. Right. So such false narratives are often caught by platforms which are helping you promote the ads. Now in such cases, with the fear of having your account banned, what these agencies do is that they reach out to a service which is again operating in this unethical zone, where they have two ways of generating the account. Either they compromise an existing account, where fake KYC details are used of different customers, and those people are not even aware that their account is used in this, in this entire fiasco. Or the second thing is they manually create such accounts by generating fake identities with the help of AI. So there was this one website that we saw which also has an embedded service of generating fake documents such as driving license, SSN details for random customers. And then they use it to make an ad account which is then further used for renting to other businesses. And that is where the entire black hat or like gray area comes to the picture.
B
So they use like a completely synthetic identity for the creating of, the creating of, of these accounts, of these ad accounts. And yes, I'm assuming that they're using the Social Security number, maybe an EIN number or something like that here in the US to, to get around, or to at least on the surface of it comply with tax regulation.
C
Yes, that is correct. That is correct. Now if you see, like I mentioned, there are two ways to it. One is, like you mentioned, creating a synthetic account. Second one, if you have come across certain data breaches that happen on the cybercrime forums, you must have realized that they also push out certain PII, which we call personally identifiable information. In that case, if somebody wants to have a valid number, let's say a valid driving license number for the tax purpose, the numbers could be taken from such breaches where people have uploaded their sensitive documents, and then use that to synthetically generate an artificial ID with the face matching that of the perpetrator.
A
Now are these services only being used by criminals or are there some gray areas here as well?
C
Certainly there are gray areas, definitely. Like, like I tell you, certain, certain kinds of businesses. For example, if you have a crypto related website, or let's say a website where you're introducing new tokens regularly. Now because such, such is the industry of crypto, where putting anything out there as a social media campaign could be considered as manipulation if it's not done correctly. Right. So certain businesses, with the fear of getting your account permanently banned on those ad marketplaces, could actually turn to such services. That is also a possibility.
A
Now once a rented ad account goes active, what sort of campaigns do you all typically see being launched here?
C
There's one interesting example that was covered in the blog. So let me give you an example of that. Like, I come from India, and recently there the government had banned crypto and gambling websites. A recent bill was passed. So assuming that happened during the start of September 2025, by the time it was the 25th of September, we saw short ads running for like one hour only on the Meta platform, Meta Ads Library, where they were promoting again crypto and gambling websites. Right. So the goal is to basically gather as much audience to a particular website, and what better than social media, right? So this was one example which we observed was recent and was not there for a long period of time, but it had a potential to reach a significant amount of people out there on social media.
A
What's the importance of the speed here? You mentioned that some of these ads typically aren't up for very long. Are they trying to stay ahead of being shut down?
C
Yes, yes, that is true. Because sometime or later they realize that these accounts, even though they are running crypto ads, are still non compliant with the platform policies. Right. But given the platform base that any social media has, the user base any social media has, even a one hour ad could reach millions of people in no time. Now that is the scale of the campaign that you take into consideration as an alternative to setting up a domain and then waiting for it to reach the right people, let's say through SMS spamming or let's say through email phishing. Right. So this is one way where within, like within minutes your ad could reach so many potential people. And in a way social media kind of plays on algorithm. Right? So there is a possibility that all the people who are looking for crypto related something will get that ad at the exact moment. And because the right kind of audience is being attracted to that campaign, this is where the potential of launching a campaign and it reaching the right people, and then the malicious abuse of it in the future, is highly possible.
B
I have a question about these accounts that have been taken over. Have you seen any impact on the account owners? These are presumably people who have legitimate business requirements and somebody is using their account because it's been compromised. I imagine that if, if they start running, if the bad guys start renting out that account to post scam ads and that account gets banned, then that can have a really bad impact on the, on the legitimate operations of a legitimate business.
C
Yes, yes, it does have. Now the thing is, what I have learned during this investigation is that the ad platform quietly favors those accounts which kind of have been compliant for a long time. They have a regular history of doing timely payments, or let's say their ads are getting good engagements right now, given that all of this is compliant. And suddenly one day they receive a warning that your account is under review and we might potentially ban it, or sometimes they even impose a hard ban on the account where nothing is considered, not even an appeal, and it's just banned outright. So in that case they don't just ban the account, they ban the entire entity that is associated with that account, which involves your name, your domains, your bank accounts or even your business number. Right. So all of these identification measures are taken into consideration, and the next time you try to set it up, they're going to flag it outright saying that, okay, we have identified a potential malicious campaign once and we are not going to let you create an account using the same entities. So it definitely does significant damage to a legitimate business owner running an ad on his individual account.
A
How does it play out that the people who have the ad accounts don't notice it right away?
C
There is a possibility, but normally the credentials that are provided to you are provided by that agency. So it's them who make sure that the account you are getting access to, and everything, is sorted in a way that detecting that activity would be simply difficult. Or maybe the user would be permanently locked out, with all the personal information changed. I mean, all the factors are possible.
A
And these are scammy ads. I mean, what happens when a victim clicks on one of the ads that pops up in their social media feed?
C
Every time an ad is run on social media, you might be seeing that small horizontal bar below every ad which says click now, book now, inquire today. Right. So they are redirected to one of the malicious domains set up, or rather wherever the threat actor, the cybercriminal, wants a user to go. Right. From there, the domain phishing element comes into the picture, where they could probably be asked to enter credentials or prompted to download malware. So the entire motive of launching that ad campaign or the phishing domain would be successful after that.
A
So what are your recommendations then? How should people best protect themselves against this sort of thing?
C
Well, in one of our investigations we saw, for example, that ad which ran for like one hour, right. In that case we observed that the account promoting this particular ad was just recently registered. It had zero followers. It had no other credible activity to be associated with. So it's very simple. If you're seeing any activity from a social media account, instead of clicking, I think we should just pause for a minute and see if it's really an account we wish to engage with right now. The thing is, many times there could also be a possibility that, if we talk about X or Instagram, any account that is promoting something will have a blue tick, right? So it's a verified account. But even then, because that account is hacked, we often see that they are tricking the users into visiting a malicious website. So in that case again, we should just stop and review whether this user is really the person I could trust for, let's say, a crypto website redirection or a fake healthcare advice related redirection. Right. The whole game for any user who is not aware that what they are clicking on is potentially a malicious campaign is just to wait and watch: do I really want to be associated with it?
A
Yeah, maybe. If you're scrolling through one of these social media platforms and you find something that's interesting, assume that the ad is malicious. And if it's something you're interested in, just go look it up yourself.
C
Exactly. Why don't you click on the. Simply take the name of the product or something that you're interested in and just go on Google. You'll automatically land on a real website rather than clicking on that ad and being redirected, or having multiple redirections where you don't even know where you're going to land.
A
All right, well, thanks so much for joining us and for sharing this information. Again, we will have a link to this blog post in our show notes. We do appreciate you taking the time. Thanks so much, Rishika.
C
Thank you so much, Dave.
A
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC (Defense Against Configurations), you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today. All right, good stuff. Well, Joe, it is time for our catch of the day.
B
Dave, our catch of the day comes from the scambait subreddit on Reddit. This looks like... well, I don't like how this opens, Dave. I got a feeling I'm gonna be playing the guy in blue, since it opens with "Are you still alive, old man?"
A
You are correct, Joe. You are correct. I will say at the outset that this is one of my favorite catch of the days ever.
B
Okay?
A
And as we make our way through, I think it'll be crystal clear why it is so.
B
I think I already.
A
So I will start here. So, are you still alive, old man?
B
Who is this?
A
This is Valentina. Didn't you save my number?
B
I did not.
A
We exchanged numbers at the charity party last month. Don't you remember?
B
At the sausage convention?
A
Wait, isn't this Scott's number?
B
No, this is Han.
A
Oh, my gosh, I'm so embarrassed that I actually called a stranger an old man.
B
It's okay, dear. It happens all the time. I'm getting older. How are you, Han?
A
Thank you for your understanding and politeness. Nice to meet you. I'm 37. If you don't mind. May I know your age?
B
69, but aging like a fine wine.
A
Yeah. I like to communicate with older people, which can always help me learn new knowledge. I come from Singapore and live in Los Angeles. Where are you from?
B
I'm originally from Karelia, but now I'm all over the country.
A
And then the person has posted a picture of Han Solo from Star Wars. In the cantina.
B
In the cantina. Right before he shoots Greedo.
A
Right. And then continues and says, this is.
B
Back before the Kessel Run, when I still had my looks.
A
You look very mature. A bit like an actor in an old movie. If only she knew, right? This is me. I own a jewelry company and I'm also a jewelry designer. What do you do?
B
And it's a picture of a very attractive Asian woman. And we've noted this before, that this is.
A
Almost universal.
B
Almost universal, Right. This is what happens. Okay, let me get back to this. Oh, wow. I'm retired now, sweetheart.
A
LOL. 69 is indeed the retirement age. What did you do before you retired?
B
Actually, I was a chauffeur for a royal family, if you can believe that. Long time ago. Far, far away.
A
I don't quite understand what that is.
B
It's okay. I was basically a pilot.
A
In my eyes, this is a very cool career. I'm glad to meet an excellent friend. Are you traveling alone or with your wife now?
B
My wife passed away. Unfortunately. After our son had an incident with his uncle, things became difficult.
A
Sorry. So do you usually have any hobbies like traveling, fitness, yoga, reading, music, golf, and do some charity work in my spare time.
B
Mainly I spend time with my friend Chewy. Sometimes I feel like I'm the only person who can understand him.
A
It's always interesting to travel with good friends. To be honest, in the seven years since I came to the U.S. I only had one bestie. She was also my assistant. And the rest were business partners. I only talked to them about work.
B
I'll have to come take you for a spin in the Falcon sometime. The Falcon. Like a Ford Falcon, right? Not the Millennium Falcon. This is pretty good. Anyway, always looking for new friends. And then he sends another picture of a much older Harrison Ford.
A
Still. You know, this is the current Han Solo. Current version of Han Solo. Right. The sequels.
B
Looking ruggedly handsome.
A
There you go.
B
If you could live with being around this for a few hours. My son had these pictures done for me before he changed.
A
LOL. Looking forward to it. You look like a gentleman. Your son's photography skills are commendable. Do you use WhatsApp or Telegram? This is my work phone, where we can communicate better.
B
Never heard of them.
A
If you think it's okay, you can download Telegram from the App Store. It only takes two to five minutes to complete the download.
B
Hold on a moment. My son just stopped by. Such a pleasure to see him.
A
Okay, then you download it quietly. I don't want others to know that we know each other. Let me know when you finish downloading. I will share my Telegram business card with you later. After you finish downloading, you can click on my business card to send me a message there directly.
B
And then another picture of Valentina. And I'm assuming this is the business card piece, but Han is saying. Wait. He seems angry. I wonder where this is going.
A
Okay, you can take care of him first and keep time with your family.
B
I think you should call the police. He has murder in his eyes. Ben.
A
No. There's a picture of Han Solo. Han Solo being bisected with a lightsaber.
B
A red lightsaber from Kylo Ren, I'm assuming, right? That's right. Is that the... I'm not really a big fan of the newer movies, so. I know, Dave. Such a philistine. Yeah. Does your mother like dogs, too, or just you?
A
What? My mother likes dogs. And I also like dogs. I have a Pomeranian and a French bulldog.
B
Awesome. They're the best. Could you by chance go to your local store and pick me up an Apple gift card? I'll pay you back, Valentina. I just need four gift cards for $1,000 each. Then send me the code. We can't say this on the air, Dave.
A
F you.
B
Right.
A
I know.
B
It's the "I know" picture, right before Han gets frozen in carbonite.
A
Right when Princess Leia says, I love you and Han says, I know.
B
May the Force be with you, dumbass. Star Wars is great. You should watch them sometime.
A
There you go. So you see why I love this one, too.
B
I do, I do. Not only is it funny, but it's chock full of references to your favorite movie series.
A
There you go. Yeah. This is the scam bait that I wish I had come up with myself. Yes, it's delightful, and interesting that they came across someone... I suppose interesting, but also, on reflection, not surprising, that perhaps they came across someone who has no idea who Han Solo or Harrison Ford is.
B
Dave, I hate to break this to you, but I work with quite a few young people who have never seen a Star Wars movie.
A
Movie. Okay.
B
And I don't know what to tell them.
A
Yeah, well, you know, I mean, it's their lives to live, right?
B
Yep.
A
All right, well, we will have a link to that series of posts over on Reddit, so do check that out. And again, if there's something you'd like us to consider for our catch of the day, please email us. It's hackinghumans@n2k.com. Most environments trust too much and attackers know it. ThreatLocker enforces default deny at execution, blocks unknown apps and limits what trusted apps can do. Stop ransomware at the source. Get your demo at threatlocker.com/N2K. And that is Hacking Humans, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tré Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
B
And I'm Joe Carrigan.
A
Thanks for listening.
Podcast: Hacking Humans (N2K Networks)
Date: January 15, 2026
Hosts: Dave Bittner (A), Joe Carrigan (B)
Special Guest: Rishika Desai (C), BforeAI
This episode dives deep into the mechanics of deception, influence, and cutting-edge social engineering techniques that power today’s cybercrime. With co-host Maria Varmazis out, Dave and Joe explore fresh stories about human hacking, focusing on how scammers manipulate emotions for profit, and how technology and criminal business models adapt. A special interview with Rishika Desai dissects the growing trend of renting social media ad accounts for scams, followed by analysis of the latest CrowdStrike Global Threat Report and, as always, the fan-favorite “Catch of the Day,” featuring a Star Wars-themed scam bait exchange.
Mostly banter and follow-up – skip to 04:16 for main content.
[04:16 – 14:36]
Source: Reuters investigative article; police raids in the Philippines uncovered handbooks for online romance/investment scams.
Handbook Content:
Speed Matters: The Seven-Day Arc
Day 1: Make contact
Day 2: Introduce investing
Day 5: Establish romance
Day 7: Present fake investment platform
“Seven days to the fake investment platform.”
— Joe Carrigan ([08:33])
Victim Story:
Psychological Tactics:
“It’s like when you get a message from your boss that says ‘Can we talk?’” — Dave Bittner ([11:10])
Sales Analogies:
“This... sounds like a sales thing... Lead generation and business development.” — Joe Carrigan ([13:43])
Takeaway:
[14:45 – 25:09]
“48 minutes. The fastest observed breakout time was 51 seconds. That’s got to be an automated attack.” — Joe Carrigan ([17:26])
“So now, almost 80% of the time, no malware. We’re just getting the access and we’re socially engineering our way in...” — Joe Carrigan ([20:23])
“PowerShell is not malware... I can run commands in that that do very malicious things.” — Joe Carrigan ([21:50])
[26:51 – 40:17]
Origin of Investigation
How the Scam Works
“There was this one website...with an embedded service of generating fake documents such as driving license SSN details for random customers.” — Rishika Desai ([29:00])
Impact on Victims and Business
“Even a one-hour ad could reach millions of people in no time.” — Rishika Desai ([33:26])
Typical Campaigns
How Victims Experience It
Advice for Users
“If you’re scrolling through... assume that the ad is malicious. And if it’s something you’re interested in, just go look it up yourself.” — Dave Bittner ([39:31])
[41:47 – 48:19]
A playful and creative scambait conversation, posted on Reddit, where a scammer is unwittingly drawn into a Star Wars-themed fantasy. The victim assumes the persona of Han Solo, complete with references and images:
“This is the scam bait that I wish I had come up with myself.” — Dave Bittner ([47:39])
The episode flows from light banter, into an analytical breakdown of scammer playbooks uncovered by Reuters, drawing parallels between sales psychology and scammer techniques. The discussion segues naturally into the CrowdStrike Global Threat Report, which underscores the increasing dominance of non-malware, social engineering-based attacks. The interview with Rishika Desai is both investigative and practical, providing clear recommendations for users and businesses. The “Catch of the Day” brings a humorous capstone, highlighting how scam-baiting can be creative, entertaining, and a light-hearted way to expose scammer ignorance.
This episode spotlights the industrialization of social engineering—where scammers use step-by-step guides, psychology, and speed to turn emotion into income. The latest data shows that attackers are shifting to these tactics because they bypass the improved technical defenses many organizations now have. Meanwhile, new criminal business models (like ad account rentals) allow for potent, short-lived, high-impact campaigns that leave both customers and legitimate businesses in the lurch. And sometimes, a little laughter (and a lot of Star Wars references) is the best antidote to scam fatigue.
For more details and resources, check the episode show notes.