Dave Buettner
You're listening to the Cyberwire Network, powered by N2K.
Joe Kerrigan
Hello everyone and welcome to N2K, CyberWire's hacking humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Buettner and joining me is Joe Kerrigan. Hi, Joe.
Maria Varmazes
Hi, Dave.
Joe Kerrigan
And our colleague and host of the T minus Space Daily podcast, Maria Vermazes. Maria.
Dave Buettner
Hi, Dave. And hi Joe.
Joe Kerrigan
We got some quick follow up here. Joe, what do you got?
Maria Varmazes
13 chickens, Dave.
Dave Buettner
Congratulations.
Joe Kerrigan
13 chickens. 13 chickens.
Dave Buettner
There's dozens of chickens.
Joe Kerrigan
Yep.
Maria Varmazes
One of them is a rooster. So he's very small right now. Very adorable.
Joe Kerrigan
They're always cute when they're small.
Maria Varmazes
Yes.
Dave Buettner
Is it long for this world or what are you gonna do with it.
Unknown
When they grow up?
Joe Kerrigan
Okay, it starts crowing and they start waking you up in the morning. But go on, Joe, I don't want to hijack your story.
Maria Varmazes
No, no, I just.
Joe Kerrigan
How did you come. How did you come to have 13 chickens?
Maria Varmazes
Well, my daughter is the person who's housing them right now. We're actually building a chicken coop over at her place. I was working on it last night as we record this. So the chickens are actually inside her house right now. She went and got four of them at a tractor supply company and then last week went over and picked up another, I guess nine at some place across the Bay Bridge, so. On the Eastern Shore.
Joe Kerrigan
Okay.
Maria Varmazes
And they are all Wyandotte chickens. Wyandotte, I don't know.
Joe Kerrigan
What does that mean?
Maria Varmazes
That's just the breed of egg laying chicken that they are.
Joe Kerrigan
Okay. And these are for eggs, right?
Maria Varmazes
These are egg chickens and they are apparently very beautiful when they get bigger. I mean, they all look like little puff balls right now.
Joe Kerrigan
Yeah.
Maria Varmazes
But they. Yeah, we have 13 of them and they're running around in a little closed-in pen in my daughter's basement right now.
Joe Kerrigan
Okay.
Maria Varmazes
With a heat lamp and an artificial hen that they can sit under and be warm.
Joe Kerrigan
An artificial hen.
Dave Buettner
What does that look like?
Maria Varmazes
It is just Googling that big orange rectangle.
Joe Kerrigan
It seems like something that I don't want to Google.
Maria Varmazes
Yeah, you can Google chick warmer. Oh wait, don't Google chick warmer.
Dave Buettner
Artificial rooster. Artificial hen.
Maria Varmazes
Artificial hen. It's just a big orange thing that has four legs on it and it sits up off the wood chips that are in the pen. And the chicks love being under it because it emits heat and it keeps them warm. And that's why I call it an artificial hen.
Joe Kerrigan
So the plan here is that ultimately you're going to have an unlimited supply of eggs, is that right?
Maria Varmazes
That's the plan.
Joe Kerrigan
You're going to be. So every week you're going to come in here with a dozen eggs for me. Is that my future, Joe?
Maria Varmazes
Yes, maybe. Either that or I'm going to really acquire an affinity for hard boiled eggs.
Joe Kerrigan
Right, exactly.
Dave Buettner
Nom, nom, nom.
Maria Varmazes
I ate 12 eggs today. Had to eat them. Cause if I. There'll be 12 more tomorrow. Right.
Joe Kerrigan
So what happens with the rooster then? I mean, when you have laying hens, do you have to keep the rooster away from them or.
Maria Varmazes
That's a good question. I thought you did. But you can just grab the eggs quickly. So you have to go out there two or three times a day and grab the eggs and bring them in. So we'll do that once in the morning, once in the evening. It should be fine. If we want to have more chicks, we just don't grab the eggs.
Joe Kerrigan
Oh, I see.
Maria Varmazes
All of a sudden we have more chicks.
Joe Kerrigan
Right, right, right. Okay. So whether or not the eggs are fertilized does not affect their ability to be eaten.
Maria Varmazes
Correct.
Joe Kerrigan
Okay, correct.
Maria Varmazes
If you grab them early.
Dave Buettner
Oh, okay.
Maria Varmazes
Do not let them sit around for half a week or something. And you know, and you grab them early, put them inside. You don't need to refrigerate them or anything, I don't think. I'll let you know what I find out, Dave. This is all new territory for Joe.
Joe Kerrigan
Well, I think we're gonna hear from probably some experienced chicken farmers.
Maria Varmazes
I would like to know.
Dave Buettner
I have a feeling I would love.
Maria Varmazes
Love to know any advice anybody has about my family, my chickens.
Joe Kerrigan
Attention, Joe.
Maria Varmazes
Attention, Joe.
Dave Buettner
That or a good recipe for a coq au vin is in your future. I'm just saying.
Maria Varmazes
Yes, coq au vin.
Joe Kerrigan
My grandfather had some chickens for a while, but they all got eaten by foxes.
Maria Varmazes
Yeah, that's one of our big concerns because there are foxes, coyotes and hawks up where we live.
Joe Kerrigan
Right.
Maria Varmazes
And yeah, I actually heard a coyote out in. I was out looking at the stars because I do that. I'm a nerd. And I heard, I was listening. There was an owl, a horned owl. A great horned owl. And then I heard a single coyote. And I know this was a coyote because this is exactly what a pack of coyotes sounds like. And when I was down in Texas, I could hear packs of coyotes. But this was just one animal.
Joe Kerrigan
Yeah.
Maria Varmazes
Making the same noise.
Joe Kerrigan
Yeah, we've got coyotes around here now?
Maria Varmazes
Yep, it is. I don't know what I'm going to do about that, Dave. Probably nothing.
Joe Kerrigan
Well, my wife and I said we were careful with our dog because you've met my little dog, Misty. She's only about 10 pounds.
Maria Varmazes
Yeah. Very little dog.
Joe Kerrigan
Very little dog. And we have. We can't let her out on our deck by herself because of the hawks. Well, we have bald eagles.
Maria Varmazes
Bald eagles, wow. Yeah.
Dave Buettner
They will snatch. They will snatch a dog. It's true.
Joe Kerrigan
She's within the zone.
Maria Varmazes
Yeah.
Joe Kerrigan
For a bald eagle. So we don't let her out there by herself.
Dave Buettner
Misty, one of those hazing vests, the ones with the big spikes on them, have you seen those?
Joe Kerrigan
Yeah, I saw someone walking a neighbor walking their little dog with one of those. And I'm thinking it's one of those things where you're thinking, there's a story here.
Maria Varmazes
Right.
Joe Kerrigan
But I'm not going to ask. I'm not going to ask.
Maria Varmazes
That's not happening to me again. Right.
Joe Kerrigan
Yeah. You don't, you know, it's not something you go out and purchase for your little dog without there having been something. So I didn't want to re traumatize the nice young lady who was walking the dog, but I thought to myself, you know, this isn't just an expression of how punk this dog is.
Dave Buettner
Right, Right. The Mohawk.
Maria Varmazes
It looks like a collar on your dog from Slayer in the 80s.
Joe Kerrigan
Yeah, exactly.
Maria Varmazes
The nails all hammered through.
Joe Kerrigan
Right. All right, well, join us next week for Poultry Corner with Joe and David Rhea. And we will be right back after this message from our show sponsor.
Unknown
And now a few thoughts from our sponsors at ThreatLocker. The tactics used by cybercriminals are becoming more and more advanced every day. The shift from a default-allow approach to a default-deny one is more critical than ever. This is where ThreatLocker comes in. Stay tuned to hear how ThreatLocker allowlisting and ring fencing can help when we're back.
Joe Kerrigan
All right, we are back. And, Joe, why don't you kick things off for us?
Maria Varmazes
I have a story from Thomas Claburn over at El Reg. That's what those of us in the know call the Register.
Joe Kerrigan
Okay, Right.
Maria Varmazes
But this is a story kind of related to AI Hallucinations. So are you familiar with the concept? It's basically, AI tells you something that isn't true or references something that doesn't exist.
Joe Kerrigan
Can I insert a little fact here?
Maria Varmazes
I'd love for you to insert a fact.
Joe Kerrigan
So I read an article recently from neuroscientists, and they are making the case that what AI does should not be referred to as hallucinations.
Maria Varmazes
Okay.
Joe Kerrigan
They should be referred to as confabulations.
Maria Varmazes
Confabulations?
Joe Kerrigan
Yes.
Maria Varmazes
Okay.
Dave Buettner
Why?
Joe Kerrigan
Well, I. My understanding of this is incomplete at best, but I think hallucinations come out of nowhere, out of whole cloth, and confabulations are based on a set of pre existing facts.
Maria Varmazes
Oh, okay.
Dave Buettner
Okay. Well, that sort of tracks imaginations, imaginings. Okay. Confabulation. All right.
Joe Kerrigan
Anyway, go on, Joe.
Maria Varmazes
For the purposes here, we'll continue to call them AI hallucinations, just because that's the term of art. And maybe confabulation is a better term. I would probably lean towards that. Anyway, this article in the Register quotes Feross Aboukhadijeh, who is the CEO of the security firm Socket, and from now on I'm just going to refer to him as Feross. Okay. But he says we're seeing a real shift in how developers write code. With AI tools becoming the default assistant for many, vibe coding is what's happening constantly now. Have you heard this term vibe coding before?
Joe Kerrigan
I have, yes.
Dave Buettner
Yes.
Maria Varmazes
I have not. This is a new one to me because I haven't done a lot of development recently, which makes me sad. But vibe coding is. This is from Wikipedia. Vibe coding is an AI-dependent programming technique where the person describes a problem in a few sentences as a prompt to a large language model tuned for coding. The LLM then generates the software, shifting the programmer's role from manual coding to guiding, testing and refining AI-generated source code.
Joe Kerrigan
Yeah.
Maria Varmazes
All right, well, this is great because you can really improve the productivity of a coder.
Joe Kerrigan
Right.
Maria Varmazes
Of a software developer. But Feross goes on to say developers prompt the AI, copy the suggestion and move on. Or worse, the AI agent just goes ahead and installs the recommended packages itself, which is probably a bad idea.
Joe Kerrigan
Well, back up here for folks who aren't developers. What are we talking about when we say packages?
Maria Varmazes
Excellent question. I made an assumption that everybody would have the same life experience as I have, but they don't. That's a common experience. Common error on my part. So here's how this works. You have packages. Let's use Python as an example. Because in Python, they're actually called packages, I.
Dave Buettner
Believe, and not the snake. The programming language.
Maria Varmazes
The programming language. Correct.
Dave Buettner
Got to really back up here, dude.
Maria Varmazes
Right? So there's a programming language out there called Python. And in fact, if you want to start learning how to program, I usually recommend people start with Python because it's a very easy language to understand and read. And it's not a compiled language, it's an interpreted language. But it is still a good programming language and is very popular out there. There is a huge community for it. So if there's a functionality that you'd like to reuse over and over and over again, someone will develop what's called a package for it, and you can even develop a package for it. Now, some of these packages are written in Python, some are written in C so that they run faster, but they're out there and they provide functionality that you don't have to develop. So this is where the whole idea of software dependencies comes in. And this is one of the reasons we've been hearing so much about SBOM, Software Bill of Materials, is because if I include a package, I might just include that package, but that package may also include other packages that are called dependencies. And if I'm in my Python environment and I tell pip, which is the Python package manager, go out and get me package X, and if package X has a dependency on package Y, it will also get me package Y. It'll install it.
Joe Kerrigan
Right. Okay, so let me just interject here. So the notion is I'm developing, let's say I'm developing a website where I want to sell my widgets.
Maria Varmazes
Right.
Joe Kerrigan
And I don't want to reinvent the wheel when it comes to taking credit cards.
Maria Varmazes
Correct.
Joe Kerrigan
So I can go out and get a pre existing package, let's call it, that will do that for me and I can just plug it in and that functionality will be taken care of for me. And I didn't have to do the programming myself.
Maria Varmazes
Correct.
Joe Kerrigan
Is that a good example?
Maria Varmazes
That's a good example. There's an even more basic example that could apply to that use case. There's one out there called Django, which is a great web development framework. So let's say you want people to log into your website. You don't have to write that. You can just call the Django functionality for creating and, you know, working with users. Yeah, I mean that's a lot of administrative overhead if you have to sit down and write that. Well, Django just includes it and you're up and running. All you have to do is call the right library calls.
Joe Kerrigan
Okay.
Maria Varmazes
Okay, well, so we have two things going on here. We have all these different packages out there and we have developers using AI to write their code. And then we have AI maybe hallucinating, and the bad guys have figured out that AIs hallucinate and that the coder is going to vibe.
Joe Kerrigan
Yeah.
Maria Varmazes
Right. So what Feross is pointing to here is that there is a growing concern that he has, and he's even seen it, where somebody has looked at the AI hallucinations and said, oh, this AI has come up with a package name that doesn't exist. Somebody else is going to try this. I'm going to go out and write that package. And that package is going to be malicious.
Dave Buettner
Yeah. Yep.
Maria Varmazes
Okay.
Joe Kerrigan
Right.
Maria Varmazes
So.
Dave Buettner
Yep.
Maria Varmazes
So the developer now goes to the IDE and they. Or it goes to the. The AI. The. They. They tell the AI what they want, the AI generates some code for them, they copy and paste that into their integrated development environment. That's what IDE stands for. And normally the code would just fail because it's calling a library that doesn't exist. But if the AI agent installs the library that exists, it could be a malicious library.
Joe Kerrigan
So the AI agent makes up the name of a library.
Maria Varmazes
Right.
Joe Kerrigan
It hallucinates the name of a library.
Maria Varmazes
Hallucinates the name of a library.
Joe Kerrigan
The bad guys know that this is a commonly hallucinated name.
Maria Varmazes
Correct.
Joe Kerrigan
So they go and create that library and put it in the usual places where people go looking for libraries.
Maria Varmazes
Yes, places like GitHub.
Joe Kerrigan
So the innocent user.
Maria Varmazes
Programmer.
Joe Kerrigan
Programmer. I'm sorry, takes this code that the AI has given them and trusts that the dependencies that it's calling on are legit.
Maria Varmazes
Right.
Joe Kerrigan
And they may not be.
Dave Buettner
Yeah.
Maria Varmazes
Yes.
Joe Kerrigan
They may in fact be malicious.
Maria Varmazes
Correct.
Joe Kerrigan
Okay.
Dave Buettner
Yeah.
Maria Varmazes
Okay.
Dave Buettner
And maybe a more experienced programmer would know to check that kind of thing, but a lot of people are looking at AI to go, I don't know how to code, but I can get AI to do it for me. And they're not going to know to even think of this kind of thing.
Maria Varmazes
I overheard a conversation in my office a couple of weeks ago where a guy was just talking about something he wanted to do, but he had never done any real programming before. He wanted to build something like a CRM. I don't know why he was doing it.
Dave Buettner
Notoriously easy.
Joe Kerrigan
Yeah.
Dave Buettner
I mean, CRM, right?
Maria Varmazes
Yeah.
Dave Buettner
Being extremely sarcastic, just in case people don't know. CRMs are a nightmare. Yeah. Okay.
Joe Kerrigan
You know, Joe, I just figured I wanted to solve nuclear fusion. Yeah, seriously, you know, it doesn't seem like anybody's gotten around to that. And I think AI is probably going to be my pathway to doing that. Well, this.
Maria Varmazes
This guy was saying, he sat down.
Dave Buettner
You can engineer it. Well, Dave, you can fix anything.
Maria Varmazes
Yeah, he sat down and within, like, a day of working with the AI had something serviceable that he thought was good enough. I mean, what. This was not a complex customer relationship manager. It was just a.
Dave Buettner
Probably for any customer relationship management, not content. Okay, all right, never mind.
Maria Varmazes
But still, I'm sorry.
Dave Buettner
No, it's okay. It could CRM mean lots of things. Yeah, it's okay.
Maria Varmazes
Yeah. CRM, not CMS. Right, right, right, right, right, right. So what Feross says is even worse is when you Google some of these slopsquatted. By the way, that's a great name for this, slopsquatted packages. You'll often get an AI-generated summary from Google itself confidently praising the package. This is a direct quote, saying that it's useful, stable and well maintained. But what the Google AI is doing is looking at the readme file in the GitHub package which says this package is useful and maintained and safe.
Dave Buettner
It's slop all the way down.
Maria Varmazes
It's slop all the way down. Right. There's no skepticism, there's no context. For a developer in a rush, it can give a false sense of security and legitimacy.
Joe Kerrigan
It's theology.
Maria Varmazes
Right, Exactly. That's a good way to call it. It's theology.
Joe Kerrigan
Wow. So for our listeners, what's the concern here?
Maria Varmazes
What is the concern? The concern is that, well, if they're ever going to get into developing programming languages or developing in a programming language, make sure that you're using a programming language that. Well, geez, I don't even know what to tell you here. I mean, you really got to be vigilant. You have to be knowledgeable about things. You're going to have to do the investigation of all the libraries that your code calls. For the average user, there's really not much going on here. This is more of a social engineering attack against people who write code. Yeah, I think it's a very creative attack, but it's got a specific audience. So you know, it's not something you need your mom to worry about here.
Joe Kerrigan
Unless she's, unless someone you know is like, is saying, hey, you know, I've been trying out, I've never coded before and now I'm a coding machine thanks to AI. Maybe let them know.
Maria Varmazes
Yes.
Joe Kerrigan
Just in case.
Maria Varmazes
Yeah, because I'll tell you is I've sat down and prompted AI to write some code for me before. It comes up with some pretty good code pretty quickly.
Joe Kerrigan
Yeah, yeah.
Maria Varmazes
It's impressive.
Joe Kerrigan
Yeah. There's no question it's usable. Or rather I'd say it is a useful tool, but as you say, don't be overconfident in it.
Maria Varmazes
You need to know what you're doing. You need to know about the library. So if it includes a library like pandas, right, or NumPy, those are good libraries.
Joe Kerrigan
I'll take your word for it.
Maria Varmazes
But if it includes a library like Crazy Uncle Joe's, you know, library to calculate IP addresses or something like that.
Joe Kerrigan
Right.
Maria Varmazes
Who knows what that's going to do?
Joe Kerrigan
Yeah.
Dave Buettner
So this sort of. This sort of means that you either you have the experience to discern, which means you're probably more senior, or you're taking the time to look this up, which means you're not in a rush, which is usually not what applies to people who are using these tools.
Maria Varmazes
Yes. Absolutely not.
Dave Buettner
This is great. This is you don't know what you.
Joe Kerrigan
Don't know kind of thing.
Maria Varmazes
Yep.
Dave Buettner
Yeah. Oh, boy.
Joe Kerrigan
All right. Well, it's interesting. We'll have a link to that story in the show Notes. I'm going to go next here. And I wanted to kind of put a bow on all of the stories about toll road scams that we've been seeing here.
Maria Varmazes
Are we never going to talk about them again?
Joe Kerrigan
Well, that's my intention. That's my desire.
Dave Buettner
This is my true hope.
Joe Kerrigan
And thanks to everybody who has sent in their experiences, their screen grabs of toll road scams. You can stop now. We've seen them all.
Dave Buettner
We've got so many.
Joe Kerrigan
Yeah. And again, you know, I appreciate. Love it when people send stuff into us. We're good on this one, though. But the way I want to put a button on this is a serious cybersecurity research team. The folks over at Cisco Talos have done an investigation of these toll road. They call them smishing scams. I know that's your favorite term, Joe.
Maria Varmazes
Smishing, terrible term.
Dave Buettner
Yeah.
Joe Kerrigan
So they dug into this, and the Talos team is certainly highly respected when it comes to cybersecurity investigations. So what their research showed is that this has been going on since October of last year, targeting folks in the US who are toll road users, and they impersonate toll services like E-ZPass and they send messages to people claiming that they owe some money, usually small amounts, and they're threatening late fees to try to get people to act quickly. And then the victims are sent to spoofed websites which mimic the legitimate toll service portals. And these sites have fake CAPTCHAs and they'll show the fake bills and they want people to provide their personal and financial information. So their names, addresses, phone numbers, and of course, their credit card information. Now, Cisco found, the Talos team found that this campaign was taking place in at least eight different states: Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas. Maria, you want to add Massachusetts to that list?
Dave Buettner
Might as well throw it in.
Joe Kerrigan
And this was from the state abbreviations that they saw in some of the fraudulent domains that had been spun up. So they attribute this to a, or actually multiple, financially motivated actors. And they're using a kit developed by someone named Wang Duo Yu. This kit has been linked to the Smishing Triad, which is a cybercrime group known for targeting various sectors like postal and financial services. So this kit is distributed through a Telegram channel. Evidently, this channel has over 4,400 subscribers. And it offers up phishing modules for specific toll systems. They mentioned Massachusetts, EZDriveMA, and the North Texas Tollway Authority. So you can buy a kit that is tuned for the area that you want to cover. They think that the campaign might be using data from large public leaks, like the 2024 National Public Data leak. But Talos hasn't found any direct evidence for that. It also relies on typosquatted domains which were registered from late last year through early this year. So the domains look like legitimate domains, but they're not. But it's just ongoing. And I think what's made this so ubiquitous is, number one, it's successful. Number two, it doesn't require much on the part of the folks who are doing this because they can just buy a kit to go after whoever they're after, and people respond to it. I also think it's what I categorize as nuisance malware. If somebody takes you for five or ten bucks, chances are you're not going to go to the ends of the earth. And chances are law enforcement's not going to go to the ends of the earth to try to track down someone who's doing this sort of thing.
Maria Varmazes
Right.
Joe Kerrigan
You're not turning people's lives upside down with a toll, a fake toll scam. But we'll see. I mean, it could be that if it gets big enough, then you get tracked. You know, law enforcement, the FBI, those kind of folks who might try to go after the masterminds of this sort of thing. So I thought it was interesting to see that someone as legit as Cisco Talos found this to be annoying and present enough to actually take their time to dig into it. And I thought it might be good for our audience to hear what they discovered. So Wang Duo Yu.
Maria Varmazes
Sounds like a real name.
Joe Kerrigan
Wang Duo Yu.
Maria Varmazes
Yeah. Sounds like a Korean name.
Joe Kerrigan
Yeah, could be. I don't know. Don't know.
Dave Buettner
I think it's interesting that Telegram is being used for this too. Don't all these kits always tend to be distributed through Telegram? That seems to be the vector for that. Go figure. I mean, it's just. It's always interesting to me.
Maria Varmazes
Yeah, it is because it's an allegedly end-to-end encrypted chat service. But when you get groups, I don't know how. I think it works differently. I don't know.
Joe Kerrigan
Yeah, yeah. Geez.
Dave Buettner
It comes up a lot, doesn't it? It does. I got a letter in the mail from the Massachusetts pay-by-plate, E-ZPass, whatever. And I really had to pause and think for a second. Did they start doing by-mail scams now? Like, is this for real? I've gotten so many of the phishy text messages that I really had to stop and think about it.
Maria Varmazes
Yeah, good. That's probably good.
Dave Buettner
Well, yeah, it is good. Yes, it is, but it's just really made me think.
Joe Kerrigan
Yeah, it's good, but at the same time it's like a time tax.
Maria Varmazes
Right. It's wasting brain power.
Joe Kerrigan
Right, Right. Exactly.
Dave Buettner
Yeah.
Joe Kerrigan
All right, well, we will have a link to that blog post from Cisco Talos in the show notes. So do check that out. Tell you what, let's take a quick break before we get to Maria's story here. We will be right back after we hear a message from our show sponsor.
Unknown
So let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up. Where traditional cybersecurity tools require you to create a list of things you don't want to run, ThreatLocker enables you to easily curate an allow list of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and ring fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust Endpoint Protection platform deploys in a learning mode that analyzes the operations of your company using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east-west network traffic. We thank ThreatLocker for sponsoring our show.
Joe Kerrigan
And we are back. Maria, what do you have for us this week?
Dave Buettner
I have a story from the BBC. This is about a scam that's going on in the UK, but it's sort of, speaking of law enforcement not doing something about a five dollar scam, maybe a thousand pounds. Is that worth doing something about? I don't know. Apparently maybe not, probably not, but it can still devastate somebody who's the victim, of course, of a scam that takes that much money or more. So this scam is kind of old school. I think this is what caught my attention about this story. So the BBC profiles at the beginning a gentleman named Anthony Rudd, who's a mechanic who was selling about a thousand dollar, excuse me, a thousand pounds worth of power tools from his own business. He's a small business mechanic owner. And so he posted the tools on social media saying, you know, these are my used tools, do you want to buy them. And a scammer responded to his post on the social media marketplace and they arranged an in-person meetup, which is the best practice that is often said, you know, don't just do these kinds of transactions anonymously online, go in person and meet the person you're selling to. So that's exactly what he did. And he met the person who was pretending to buy the tools from him and they shook hands and they spoke. The scammer even paid for these tools, paid the thousand pounds as agreed and showed Anthony his banking app showing that he had sent the money. And he even handed his phone over to Anthony saying, here, you can put your account details into my phone so I can make sure that the money gets to you. And a payment successful message popped up on the app's screen and Anthony figured, all is well, I've been paid, we're good to go here. And then they both walked away and went home. And then not long later, Anthony realized that money never made it to him. Even though he put his information in the banking app that he was very familiar with, it looked all legitimate.
So what happened here was essentially these scammers who are doing these kinds of in-person scams have a lookalike app that they have downloaded not off the Google Play Store or whatever, it's not a legitimate app that you can get anymore, but you can find it if you're looking for it. And this app looks exactly like a lot of commonly used UK banking apps where you can do these kinds of transactions. So they've got that lookalike and the apps work just like the real apps do. So they can show up to these in-person meetups with their victims for real goods and have the victims type their own information in the app. So it all seems above board. And they get that payment successful message. And because, you know, you shook hands with these guys, they actually seem like they're discerning whether or not your goods are worth them buying. Nobody's hackles are up, nobody's thinking I should wait and look on my own phone to see if that money went through. They're just sort of trusting that that app looks real. It says payment successful. It must be legitimate. So it's really unfortunate. And as I said, it's a kind of old school scam, but it's got a new school twist with the fake apps. And in the case of Anthony Rudd, the mechanic, the police said they could not identify any suspects, so the case is stalled and basically dead. And he was so devastated by this scam of people showing up to his place of business and buying from him that he actually quit his job. It just destroyed his trust in people. And he said, I found it absolutely sickening that you could look someone in the eye, shake their hand and then rob them. He came into my workplace and took my tools. It angered me so much that someone could be so brazen, but it's also embarrassing that I allowed this to happen. So that's what he told the BBC, which I really felt. And the BBC was profiling a number of people that this had happened to. So it wasn't just this one gentleman.
There was another man named John Reddick, who again, he posted real goods to sell on a social media marketplace. In this case, a gold bracelet worth around £2,000. And he was selling it to finance a vacation to Spain with his kids. And so he advertised this gold bracelet for sale on social media. Two gentlemen showed up to his house for the transaction and they looked at the bracelet and they put the whole song and dance on about, do we want to buy this, do we not? Okay, yes, we do. And they did the same exact scam of we're going to use the banking app that we all use. We're going to put the payment information in. You can do that part. Hit payment complete. We're good to go. And now Mr. Reddick is out the gold bracelet and he never received his £2,000. So, yeah, apparently Action Fraud in the UK says in the last three years there have been at least 500 reports of this exact scam happening. And again, the fake apps are no longer on Google Play, but you can find them directly online and they are right now specifically imitating UK banking apps with fake balances, transfer screens and confirmation messages. But I wouldn't be surprised if we see this proliferate to other types of apps soon. So. And also I should note they didn't say in the BBC article which social media platforms are being used to perpetuate this scam, but we could probably guess. So. Yeah.
Joe Kerrigan
The usual suspect.
Dave Buettner
The usual suspect, yeah.
Maria Varmazes
Interesting to say that it's all only with face to face transactions.
Joe Kerrigan
Yeah. It's a shame that the police haven't been able to book anybody.
Dave Buettner
I, I, it seems like a very high touch scam that they would go through all this much trouble for, you know, a social media scam to actually show up to someone's house in person. You know, they could be on camera or whatever and they just, it's so brazen. They just don't seem to care because it seems to be working. So it's also interesting to me that.
Joe Kerrigan
They're getting goods, you know, rather than just scamming someone out of money, like, because then they have to turn around and fence this stuff. The tools or the, I guess gold is probably, maybe easier, I don't know.
Maria Varmazes
But still, it's fungible, right?
Unknown
It's, yeah.
Joe Kerrigan
Takes some extra effort.
Dave Buettner
Yeah, it sure does. I guess maybe, maybe that lowers people's guards because they're thinking the same thing. Like it's not like it's, it's cash, it's just a thing. Who cares, you know? Yeah. Yeah. So that, that might be why people aren't as diligent about making sure that they're checking their own phones to make sure that phone, that money has gotten in.
Maria Varmazes
I'm very concerned about two people showing up to look at a bracelet that actually has safety concerns for me. Yeah.
Dave Buettner
At his home.
Maria Varmazes
You're like, okay, I'm not putting my banking information into your banking app. I don't know what that banking app is. Maybe then you get beat up and they just steal the thing anyway. Right. You know that's my concern. You're dealing with criminals, right?
Dave Buettner
Yeah, I know.
Joe Kerrigan
We have a thing here, local to you and I, Joe. And this is all over where the local police stations will have spots out front of the police station for these sorts of transactions.
Maria Varmazes
Right.
Joe Kerrigan
So you can say to somebody, meet me at the police station and we'll do it there. I don't know that that would save you in this particular case, but it might give them pause and it'll probably prevent you from getting knocked on the head.
Maria Varmazes
Yes, also. Well, that's a good point. But also, while you're there, I know the one over here in Howard county in Columbia, there is a square painted on the ground that is designated for those exchanges, and that square is surveyed by cameras. So they have footage of what goes on in there.
Joe Kerrigan
Right. And if it goes bad, a giant safe falls out of the sky onto that square.
Dave Buettner
There's a big.
Joe Kerrigan
You look up, there's a rope, a fraying rope with a big safe on it.
Maria Varmazes
So bring your slide whistle.
Dave Buettner
Yeah, I was gonna say that might deter some folks, I would imagine, but if you're being really brazen again, the police, are they going to go after somebody who's done something like this? They're pretty busy. I don't know. You might be hedging your bets a little bit on that.
Joe Kerrigan
The other thing is, this strikes me is that I think perhaps there's a perception that doing money transfers with large amounts like this, £2,000, that you're safer doing it electronically rather than handing over or accepting cash from someone. Again, someone's going to knock you over the head, take the bracelet and the cash. This way, you're just getting an electronic transfer. Nobody's carrying around a big wad of cash. And maybe it's safer. But I have to wonder, I'm curious what the two of you think. Is it a better plan to say to someone, cash only?
Maria Varmazes
Yeah, I don't know. I tend to think it is. I tend to think it's better to say cash only. Meet in a public place. Right. And you bring the cash, I'll bring the object, and you can see it and take it or not. And we'll go about our separate ways. I think that's better. I don't want you. For me. Yeah, right. Yeah, for me, you know, Would I want my wife doing that? No. No, I would not.
Dave Buettner
Yeah. I was gonna say, I'm not doing that in a million years. I'm five foot one. No, I'm not. I'm not doing that.
Joe Kerrigan
Right. Well.
Dave Buettner
And so I get nervous carrying more than $40 on my person. Joe.
Maria Varmazes
I'm not.
Dave Buettner
Absolutely not. Yeah. I would personally rather do something through an app. But again, in my case, I would have my own phone out and verify through an app that I know and trust that I, you know, that that money has been received before I release the goods. But. Right. That's. It's. I can understand the social pressures of. Especially if two men are showing up at your house.
Maria Varmazes
Yeah.
Dave Buettner
You may want to just kind of get this transaction over with and have them go along their merry way. So there's, there's a lot of social trust going on here and exploitation. And this struck me as so old school. I never would have thought this would be happening right now. But perhaps everything old is new again and maybe this is more expedient than Viagra pill scams.
Joe Kerrigan
Well, we're hearing lots of things about like people saying hey, can I, you know, can I make a quick phone call on your phone? You know, emergency. And they've trained themselves to be extraordinarily fast at finding any bank apps you have on your phone. And they can just, you know, and they've transferred, they've emptied your bank account without you even realizing it because you think that they've, they're just making a phone call. So you know, never hands assume they'd.
Dave Buettner
Run among my phone.
Joe Kerrigan
Anybody?
Dave Buettner
Yeah, that's for sure.
Joe Kerrigan
It's just too risky these days. Say, I'm sorry, I can't help you. Yeah. All right. We will have a link to that story in the show notes and of course we would love to hear from you. If there's something you'd like us to consider for the show, you can email us@hackinghumans2k.com Joe Maria, it is time to move on to our catch of the day.
Maria Varmazes
Dave, our catch of the day is a smishing attempt.
Joe Kerrigan
Okay.
Maria Varmazes
It comes from a listener named John. I did say it.
Joe Kerrigan
Yeah.
Maria Varmazes
It actually looks like it actually comes via email to a text message. Yeah, I like this one, Dave. I like this catch pretty a lot. I like tickles me.
Joe Kerrigan
Well, this is claiming to come from a female representative. So Maria, do you want to do the honors here?
Dave Buettner
I'd be delighted.
Joe Kerrigan
Go for it.
Dave Buettner
Hello, I'm Lena, a recruiting representative at Adjust in parentheses for some reason.
Maria Varmazes
Right.
Dave Buettner
Your resume has been recommended by several online recruitment companies and we'd like to offer you a remote position. This flexible role involves assisting adjust merchants with data updates, visibility and bookings. We provide free training. You can work 60 to 90 minutes daily and earn 200 to $500 per day. Dang, really? Wow. The base salary is $800 for every four days worked with a five day paid probation period. Afterward you can sign a contract with a base salary of $5,000. Wait, really? Plus a performance bonus of $1,000 to $3,000. We also offer a paid annual maternity and paternity leave. If you would like to participate, please send a message to this number. Here's a whole number note you must be at least 18 years old. We look forward to your response. So we're very impressed by you. Are you over 18?
Maria Varmazes
Right. My favorite part of this is that this is obviously some kit for a job scam that somebody bought. And they just said, all right, I got it. I'm going to start sending out text messages right now. And didn't bother editing the text that clearly says adjust. Adjust.
Joe Kerrigan
Yeah, it says adjust in parentheses, like, hey, dum dum. This is the part you're supposed to replace.
Dave Buettner
Would you like to work at Lorem Ipsum?
Maria Varmazes
Yeah, Right.
Dave Buettner
Oh, my God.
Joe Kerrigan
Right, Right. No, that's a good one.
Maria Varmazes
I started a company called Lorem Ipsum.
Dave Buettner
Lorem Ipsum.
Joe Kerrigan
Yeah. That reminds me of the guy who registered do not reply dot com. Yeah, yeah.
Dave Buettner
Bless it.
Joe Kerrigan
All right, well, thank you, John, for sending that in. We do appreciate it. And once again, please send us your catch of the days. It's hacking humans2k.com.
Unknown
And of course, we want to thank this week's sponsor, ThreatLocker. Go to threatlocker.com/HH and check out their Zero Trust endpoint protection platform. That's the words threat and locker with no space, .com/HH, where you can request a demo and neutralize the threat of malware running on your devices.
Joe Kerrigan
That is Hacking Humans. Brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast, Apple. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ibin. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
Maria Varmazes
I'm Joe Kerrigan.
Dave Buettner
And I'm Maria Varmazes.
Joe Kerrigan
Thanks for listening.
Host/Author: N2K Networks
Episode: When AI Lies, Hackers Rise
Release Date: April 24, 2025
Description: Deception, influence, and social engineering in the world of cybercrime.
In the April 24, 2025 episode of Hacking Humans, hosted by Dave Buettner, Joe Kerrigan, and Maria Varmazes, the discussion delves deep into the evolving landscape of cybercrime, particularly focusing on the interplay between artificial intelligence (AI) and malicious hacking activities. The episode is segmented into several key discussions, each highlighting innovative tactics used by cybercriminals and offering insights into emerging threats.
The episode kicks off with an exploration of AI hallucinations—instances where AI systems generate information that isn’t grounded in reality. Maria Varmazes introduces a story from Thomas Claburn of The Register, discussing how AI's tendency to fabricate details can be exploited by hackers.
Maria Varmazes (07:06):
"AI tells you something that isn't true or references something that doesn't exist."
Joe Kerrigan adds an academic perspective, referencing neuroscientists who suggest that AI-generated inaccuracies should be termed confabulations rather than hallucinations.
Joe Kerrigan (07:21):
"They should be referred to as confabulations. Hallucinations come out of nowhere, out of whole cloth, and confabulations are based on a set of pre-existing facts."
The conversation pivots to vibe coding, a programming methodology where developers rely heavily on AI to generate code based on minimal prompts. Vibe coding shifts the programmer’s role from writing code manually to overseeing, testing, and refining AI-generated code.
Maria Varmazes (08:38):
"Vibe coding is an AI-dependent programming technique where the person describes a problem in a few sentences as a prompt to a large language model tuned for coding. The LLM then generates the software, shifting the programmer's role from manual coding to guiding, testing and refining AI-generated source code."
Dave Buettner elaborates on the implications of this shift, emphasizing how AI can both enhance productivity and introduce vulnerabilities. The hosts discuss how malicious actors can exploit AI hallucinations to create fake software packages—slop-squatted packages—that appear legitimate but contain harmful code.
Maria Varmazes (12:29):
"What Feross is pointing to here is that there is a growing concern that he has, and he's even seen it, where somebody has looked at the AI hallucinations and said, oh, this AI has come up with a package name that doesn't exist. Somebody else is going to try this. I'm going to go out and write that package. And that package is going to be malicious."
Joe Kerrigan (13:59):
"The AI agent makes up the name of a library."
This tactic involves AI-generated code referencing non-existent libraries, which hackers can then create to lure unsuspecting developers into installing malicious software. The hosts emphasize the critical need for vigilance among developers, especially those leveraging AI tools for coding.
Maria Varmazes (17:42):
"Because I'll tell you is I've sat down and prompted AI to write some code for me before. It comes up with some pretty good code pretty quickly."
Joe Kerrigan (18:06):
"You need to know what you're doing. You need to know about the library."
Transitioning from AI-related threats, the podcast addresses smishing scams—a form of phishing conducted via SMS—targeting toll road users across eight U.S. states. Joe Kerrigan summarizes a comprehensive investigation by Cisco Talos, a renowned cybersecurity research team.
Joe Kerrigan (19:07):
"The Talos team, certainly highly respected when it comes to cybersecurity investigations, found that this campaign was taking place in at least eight different states."
The scams involve impersonating legitimate toll services like E-ZPass, sending fraudulent messages claiming owed payments, and directing victims to spoofed websites designed to harvest personal and financial information. The infrastructure supporting these scams includes typo-squatted domains and phishing kits sold through platforms like Telegram.
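The typo-squatted domains mentioned above are the part of this infrastructure a defender can score mechanically: pull the links out of reported messages, reduce each host to its registrable label, and compare that label (and each of its hyphen-separated tokens) with the brands being impersonated. The script below is an added example, not from the Talos investigation or the episode. The message texts and every domain in them are constructed under the reserved `.example` TLD; `ezpass` is the only brand taken from the page, and the label extraction assumes a single-label public suffix (a real deployment would use the Public Suffix List).

```python
"""Triage SMS links by how closely their domain imitates a known toll brand.

Added example. A domain is "brand" when its registrable label is exactly a
known brand, "lookalike" when it contains the brand or sits within a small
edit distance of it, and "unrelated" otherwise.
"""
import re
from urllib.parse import urlparse

# Brand labels the messages impersonate; only E-ZPass appears on the page.
BRANDS = {"ezpass"}

# Constructed sample messages; all domains use the reserved .example TLD.
SAMPLE_SMS = [
    "E-ZPass: you have an unpaid toll. Pay at https://ezpass.example/account",
    "Final notice: settle your balance at https://ezpas-toll.example/pay",
    "Toll due: http://ezpasss.example/x",
    "Your package is waiting: https://parcel-tracking.example/t/12",
]

URL_RE = re.compile(r"https?://[^\s]+")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Label left of the TLD; assumes a one-label suffix (e.g. .example, .com)."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(host: str, brands: set[str], max_distance: int = 2) -> str:
    """Return 'brand', 'lookalike' or 'unrelated' for a hostname."""
    label = registrable_label(host)
    if label in brands:
        return "brand"
    candidates = [label] + label.split("-")
    for brand in brands:
        if brand in label:
            return "lookalike"
        if min(levenshtein(c, brand) for c in candidates) <= max_distance:
            return "lookalike"
    return "unrelated"


def triage(messages: list[str], brands: set[str]) -> list[tuple[str, str]]:
    """(hostname, verdict) for every link found in the messages."""
    results = []
    for text in messages:
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname or ""
            results.append((host, classify_domain(host, brands)))
    return results


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_SMS, BRANDS):
        print(f"{verdict:10s} {host}")
```

An exact brand match is not proof of legitimacy, since the real operator's domain still has to be confirmed out of band, but the "lookalike" bucket is where abuse reports and blocklist submissions should start, and the same scoring works for any brand list a fraud team maintains.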
Dave Buettner (21:05):
"They think that the campaign might be using data from large public leaks, like the 2024 National Public Data Leak. But Talos hasn't found any direct evidence for that."
The hosts discuss the low-risk, high-reward nature of such scams, categorizing them as nuisance malware. Even though individual scams might involve nominal sums, their volume and ease of execution make them pervasive threats.
Maria Varmazes (23:07):
"What the concern is that, well, if they're ever going to get into developing programming languages or developing in a programming language, make sure that you're using a programming language that... You have to be vigilant."
Another significant topic covered is the resurgence of in-person scams facilitated by sophisticated fake banking applications. Dave Buettner narrates a BBC report about scammers meeting victims face-to-face, utilizing counterfeit banking apps to deceive them into believing transactions have been completed successfully.
Dave Buettner (25:14):
"This scam is kind of old school, but it's got a new school twist with the fake apps."
Maria Varmazes shares distressing accounts of victims who believed they had received payments during in-person transactions, only to discover that the funds never transferred. These scams exploit the trust built during face-to-face interactions, making them particularly devastating.
Dave Buettner (30:00):
"I found it absolutely sickening that you could look someone in the eye, shake their hand and then rob them."
The discussion highlights the challenges law enforcement faces in tracking and prosecuting such scams, as well as the emotional toll on victims who lose trust in others.
Joe Kerrigan (34:04):
"Is it a better plan to say to someone, cash only? Yeah."
Concluding the episode, the hosts review a listener-submitted scam example. John shares a smishing attempt where scammers impersonate a recruiting representative, offering lucrative yet suspicious job opportunities. The scam includes promises of high earnings, minimal work hours, and unrealistic benefits, designed to lure victims into providing personal information.
Dave Buettner (37:54):
"Hello, I'm Lena, a recruiting representative at Adjust in parentheses for some reason... We look forward to your response. So we're very impressed by you. Are you over 18?"
Maria Varmazes (38:01):
"This is obviously some kit for a job scam that somebody bought. And they just said, all right, I got it. I'm going to start sending out text messages right now."
The example underscores the importance of skepticism and verification when approached with unsolicited job offers, highlighting the automated nature of such scams.
In this episode of Hacking Humans, the hosts provide a comprehensive analysis of how advancements in AI are being co-opted by cybercriminals to execute more sophisticated and deceptive attacks. From exploiting AI hallucinations in software development to orchestrating mass smishing scams and revitalizing old-school in-person cons with modern tools, the podcast underscores the need for heightened vigilance and informed defense strategies in the face of evolving cyber threats. Listener submissions further highlight the real-world impact of these scams, emphasizing the human element in cybersecurity vulnerabilities.
Listeners are encouraged to remain cautious, verify the authenticity of digital interactions, and stay informed about the latest cyber threats to safeguard themselves and their organizations effectively.