A
You're listening to the Cyberwire Network, powered by N2K.
B
Hello, everyone, and welcome to Hacking Humans, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hey, Joe.
C
Hi, Dave.
B
And our N2K colleague, Maria Varmazis. Maria.
A
Hi, Dave. And Hi, Joe.
B
We've got some good stories to share this week and no follow-up this week, so we're gonna jump right into our stories. I know, I know.
A
Not a single chicken email.
C
You could fill the gap with some chicken nut tape.
A
Oh, boy.
C
Since sue last week was like Keeping up with the chicken talk. Yeah, I finally finished the roof on my chicken run.
B
Oh, good.
C
So now I have a complete domicile for my chickens and my rooster attack. What he did. Her back was turned, and he jumped up and pecked her twice or three times in the leg. And she has a bruise you would not believe on her leg from a chicken. I said you lost a fight with a chicken?
B
I would say if my rooster had attacked my wife, we'd be having chicken fricassee for dinner.
C
We're very close, Dave. Very close.
A
Yep.
C
The only thing keeping this rooster alive right now is the fact that he's with his hens. He's a pretty good rooster. He exhibits exemplary rooster rooster behavior around other chickens. Around his hens, not so much around people.
B
See, I think what you need to do is first bring in the replacement rooster.
C
Right?
B
And then make an example of the first rooster so that the second rooster knows what's at stake.
C
Make. Make the first rooster the new rooster.
A
Watch.
B
Yeah, exactly.
C
Here, watch this.
B
Yeah, yeah. This could be you.
C
Just.
B
I'm just telling you, this is a warning.
C
Don't ever forget it.
B
That's right.
C
I know your brain only weighs 3 grams, but put this in one of those grams.
B
Yeah, yeah. Every attacker counts on one thing: environments that trust too much. ThreatLocker closes that gap with default deny at execution. Unknown software blocked. Trusted apps contained with ring fencing. Configurations verified with ThreatLocker DAC so you stay secure and compliant. ThreatLocker delivers the visibility and control CISOs need without adding operational pain, making zero trust real for teams of any size. Stop ransomware at its earliest point. Book a demo at threatlocker.com/N2K. All right, well, let's get to our stories here. Joe, you have the honors this week. What do you got for us?
C
I've got two stories, because both of mine are pretty short. But I'm going to start with a news story that goes pretty much around the world. Actually, it only goes from India to the United States, but then it jumps all around the United States. This is from the India Times, or Times of India, rather. Or I guess it's actually both of them, because that's the domain name: timesofindia.indiatimes.com. Weird. Anyway, the headline is "Indian in New Jersey on work visa arrested in gold scam. Nabbed when he was going to collect $800,000 in gold."
B
Wow.
C
So the guy is. His name is Negan Batman, and he is here in the US on a work visa, and apparently he lives in New Jersey.
B
Okay.
C
But I mean, this. This goes all over the United States. Well, not really all over, but it goes from New Jersey down to Texas, where we were talking about the gold bust of the jewelry stores that were owned down there. Yeah, we talked about this. They were the actual endpoint of all the gold. So these people would call, you know, scammers call in to somebody. And in this case, they said, hey, your bank account's frozen. In order to unlock it, your bank account, Social Security benefits will no longer be accessible. In order for you to unlock it, you need to give us all your money in gold for safekeeping. Because, you know, they give you some lie about your bank account being involved in fraud or something like that. And what has happened is people have emptied out their bank accounts, gone and purchased physical gold, and they hand this to these scammers, who then would take it to the jewelry stores, who would then convert it into jewelry and sell it.
B
Okay.
C
Which is how this scam works and where the payout comes in. But what happened in this case was there were detectives in Collin County, Texas, which is where we were talking about with the jewelry store busts.
B
Yeah.
C
So the Collin County, Texas, sheriffs got word that Bot was going to be picking up the gold in Tangipahoa Parish, which you can tell by the name. Parish is in Louisiana. So they called the sheriff's office over there. And on April 7, instead of picking up gold, Bot got arrested, which is good, because I guess he drove from New Jersey down to Louisiana to pick up the gold.
B
It's a worthwhile trip.
C
Absolutely. For almost a million dollars in gold.
A
I think I'd manage that. Yeah.
B
So let me ask you this. So I just did a little asking of our good friend Mr. GPT, because I was curious what $800,000 worth of gold weighs. In my mind, for no particular reason, I pictured kind of like a Dungeons and Dragons dragon sitting on a pile of gold.
C
Right.
A
A little hoard.
B
Right.
C
So what's the price of gold right now? Like $4,000.
B
Well, before we dig into the actual numbers, just a gut feeling. Do you think $800,000 is a lot of gold? Or do you think $800,000 is not a lot of gold?
C
I think that's probably enough gold or a little enough amount of gold that you can carry around on your person.
B
Okay, Maria.
A
I'd say it's around $800,000 worth of gold.
B
What object do you. Thank you, smarty pants. What object do you think it would be comparable in size to, uh,
A
smaller than a red box?
C
Yeah. Okay, hold on. Let me think here. And maybe I'm totally off base here. Cause I'm thinking I don't know what the price of gold is right now.
B
Currently between $4,800 and $5,100 per troy ounce.
C
Around $5,000. A troy ounce.
A
We will use anything but the metric system.
B
What is a troy ounce? From the Trojans? Get Troy on the phone. Ask him.
A
What is that?
C
I work with a guy named Troy. Next time I see him, I'm gonna say, hey, ask him about his ounces. Tell me about your ounces.
B
Tell me about your gold ounces. Yeah, right.
C
So let's see. That's 800,000, and that means that there's 5,000. So that's like 160 troy ounces, which would probably be around what?
B
I'll give you the answer.
C
Yeah.
B
Bowling ball. The size of a bowling ball.
C
Okay.
B
Yep.
A
Okay.
B
Now, I don't know about you, but I think it'd be pretty cool to have a solid gold bowling ball. I'm sure.
C
Here comes old moneybags Bittner again.
B
Exactly. Solid gold bowling ball in a silk bag. Here he comes.
C
And he's going to knock all the pins down.
A
And weirdly, the machine didn't give the ball back. And odd, after he got that strike, it just disappeared.
B
It's a big crashing sound at the end. It cut a groove down the center of the lane because. Yeah, that's interesting. I wonder if you had. Because, you know, bowling balls are dense.
C
Yeah.
B
So I wonder if you had a solid gold bowling ball next to a regular bowling ball and you went to pick up the solid gold bowling ball. Would you pull a muscle?
C
Probably.
B
Probably.
C
I mean, even if it was just steel, you'd probably pull a muscle, right?
B
Yeah.
C
Well, maybe not. It's kettlebells. I mean.
B
Yeah, that's pretty heavy.
C
Yeah.
B
Bowling ball.
C
Yeah, yeah. Bowling ball the size of gold.
B
I sent us down a little rat hole there.
C
Okay, that's fine.
B
So what's next, Joe?
C
We do that all the time. So next is actually from Infosecurity Magazine. This is coming out of Google's Threat Intelligence Group, and they are warning of a new threat group that is targeting BPOs. Does anybody know what a BPO is?
B
I'm not falling for that again.
C
That is a business process outsourcer.
B
Okay, sure, sure, sure.
C
What a business process outsourcer is, is obviously you have some atomic business process that you can just outsource to somebody. Yeah. I remember the first time I saw this was I went to see a neurologist because of my raging case of attention deficit disorder. And he was talking into his computer, and this was like back in the early 2000s. And I said, what are you doing? He goes, I just make these sound files that go to some offshore site. They transcribe everything and put it in your notes. It'll be there by tomorrow. Oh, I'm like, oh, okay. At the time I was like, okay. But now I'd be like, hey, wait a minute, where does that data go? Right. Because all this information that they're using in this business process is all company-sensitive business information.
B
Right.
C
And we've seen attackers do this a lot where they go to an adjacent company and they come into your company via some business process provider that you use.
B
Yeah. Your supply chain.
C
Right. They attack you. I don't know if I'd call it a supply chain attack, but maybe, I guess, service supply chain. Yeah, you could call it service supply chain. Okay, right. They're using a campaign that relies on social engineering and live chat features to send employees to spoofed Okta login pages. And of course they're all fake. They're using phishing kits to bypass standard multi-factor authentication stuff. I'm not really sure how they're doing that, aside from maybe if it's some kind of code-based multi-factor authentication, like with an RSA token or a soft token on your phone, or perhaps a text message is sent to your phone. All of those are very vulnerable to these kinds of attacks. They can just be used as pass-throughs if you have an advanced enough phishing kit that will get you access to a system. So I think it's time to increase that distance of security level between all of those other forms of multi-factor authentication and the hardware form of multi-factor authentication. Do you understand what I'm saying?
B
Go on.
C
You look like you're a little confused, Dave. So I rank multi-factor authentication. The least secure multi-factor authentication is a text message that's sent to your phone, and that's not secure because that message may not be encrypted, although generally now they are. But actually I don't think any of the ones that I receive actually are. So they're sent in plain text, so somebody could intercept it. Somebody could also SIM-jack your phone and then have access to all your codes for login.
B
Right.
C
The next one is the soft token and the hard token, which are essentially pseudo-random number generators that will, based on the time, give you a time-based password that lets you access it. Now, unless you have the seed, you can't really predict what the next number is going to be. Yeah, but all of those forms of multi-factor authentication are based on entering a code, which can be socially engineered out of somebody.
B
Right.
C
Then you go up the next level to the hardware-based authentication, which is essentially certificate-based authentication, which has to do with a challenge response and relies on cryptographic primitives we believe are secure. And that is much more secure. Because let's go with the FIDO Alliance and their model.
B
Like Yubikeys.
C
Like YubiKeys. Right. YubiKeys, Google Titans, and there's a bunch of different ones. That generates a private key based on the website or the server name that you're getting the request from. So if you don't enroll with that server name, the system will not work. So if you're getting phished, you're not going to be going to the server that you're enrolled with, you're going to be going to some other server, you're going to derive a completely different private key, which means even if they have your public key, it won't work.
B
Well, I mean, it seems to me at its basic, one of the advantages of the hardware key is that the code itself does not need to pass through a human being.
C
Correct.
B
So that human being cannot be phished.
C
Right, cannot be phished. And I don't think we're aware of any vulnerabilities in the FIDO protocol. So.
B
No, I mean, I guess the problem or the vulnerability there is that once you have a token on your browser, say that once you authenticated once with it, someone can steal that token.
C
They can steal the token and use that. Yeah, and use that. And that's what we see a lot of, particularly with like Discord hijacking. Because, as you know well, Dave, once you lose your multi-factor authentication for Discord, you can't get in.
B
Yeah.
A
Oh, sorry to hear it, Dave.
C
Yeah, Dave. Dave lost his Discord account.
B
No, of course. I just abandoned it. I was like, look, you're not worth this much to me.
C
Right. Because it was like screaming into the void trying to get Discord's attention on it. Exactly. Yeah.
B
Like, well, okay, that's just something I'll have to live without. And I'm okay with that.
C
But if Discord. I don't think they invalidate tokens when you start coming from a completely different IP address. I don't know what their internal processes are. Yeah, but you know, if you're developing a secure app like a banking or a secure website, like a banking website or a banking web app, whatever, that session token should be tied to the source IP address, you know, the IP address of the user. And if that changes, you should invalidate it. Yeah, so that. Because, I mean, that's indicative of. That's exactly what's going to happen when somebody comes and steals your session tokens, then logs in from a different location. However, that being said, there's nothing to stop somebody from using like a remote access tool to log in from the user's location and then do all kinds of nefarious stuff. So even if you have all of these different tools in place, there's still vulnerabilities.
B
Sure.
C
But they almost always involve attacking the user.
B
So what are the recommendations here?
C
Well, the number one recommendation here, Dave, is implement a FIDO2 hardware security key. Believe it or not, it's almost like
A
you predicted that one.
C
Yes, it is. Monitor live chats for suspicious interactions. I don't know how you do that. Maybe with an agent. Right. Maybe with an AI agent.
A
You could probably just an intern who just sits there and watches them.
B
Sits over your shoulder, follows you around. Yeah.
A
Hey, what you doing? What you doing?
B
Who you talking to?
A
Tell me more about that.
C
Educate employees on this specific campaign or other campaigns like it. Proactively block unauthorized domains that you will find in the indicators of compromise for this specific threat. They're going after somebody that impersonates Zendesk with a fake domain. Then monitor unauthorized binary execution.
A
Yeah.
C
Which may or may not occur. We're seeing fewer and fewer of these attacks involve malware. They do what's called living off the land, where they just use the existing infrastructure. So, I mean, that's a good piece of advice. You absolutely have to do that for the sake of security. But you should not be relying on that as your sole defense anymore. I mean, it's been decades since that.
A
Yeah, that's table stakes. If you're not doing that, get on that yesterday.
C
Right? Yeah. And regularly audit newly enrolled MFA devices across the organization for unauthorized additions.
B
Right.
C
So that's what people can do to prevent it.
B
All right. All right, very good. Well, we will have a link to that story in the show notes. Actually, we'll have links to both of your stories in the show notes. Maria, you're up next. What do you got for us?
A
Well, in lieu of doing a story this week, I actually have an interview to share with everybody. I spoke with Sean Colicchio, who is the CISO at Palera. He's also a psychology professor, and he spoke to me a bit about not just what we can do as human beings in the face of social engineering attacks, and social engineering attacks that have been made more nefarious with AI, but what organizations can do to help make training more effective against AI-trained techniques. So here's that conversation.
D
So I'm Sean Colicchio. I'm the global CISO of a company called Polera, a cybersecurity and IT technology solutions company. Basically what I do is run a security and compliance program for the firm. And I also teach as a professor at a local university called Wilmington University and created a course called the Psychology of a Cyber Attacker roughly 10 years ago and continue to teach that several times per year. Previous to these experiences, I also was a field expert performing physical social engineering engagements. And so I try and do as much as I can to give back to the community with speaking engagements and security conference attendance, as well as mentoring junior professionals that are entering the field.
A
Yeah, no. And greatly appreciate you coming on, Sean. And I'm really thrilled to be able to pick your brain a little bit. I'm a junior student of all these things that you mentioned, having been in cybersecurity on the vendor side. And I've just learned as I go. But experts like yourself I always learn so much from. So I really look forward to hearing your thoughts on, especially on social engineering and the accelerant that has been AI entering this world. But before we dive into all that, I know there's a conference talk that you tend to give about the human layer of cyber risk, and I'm asking you a little bit to give me the elevator pitch for your talk. And let's just start there and then we'll dive in from that point.
D
Yeah, perfect. So I worked with my team to develop a relatively compelling social engineering lure. But before I get into the detail of that, you know, I think the audience is familiar with the gift card attack. And using social engineering via either email or SMS, phishing or smishing, or even Teams calls nowadays to compel real-world actions. So getting somebody to actually go to, you know, a pharmacy or a gas station and buying gift cards, rubbing off the number and then sending the number to the attacker, effectively siphoning funds out from that user. And they typically will impersonate a C-level executive or somebody they know, and typically they'll tell them, hey, don't call me back, I'm really busy. Which is one of the ways we try and create an awareness for individuals to verify the legitimacy of these types of requests. So they say I'm in a meeting, I'm very busy, and instead of calling me, can you just do this favor for me, which creates this authority in the request. It also is a familiarity tie-in from a psychological perspective, and then they typically will fall victim to that, going to a pharmacy or what have you and buying these gift cards. And I've even seen personally, when I go to buy gift cards for a Christmas present as an example, that some of these places are now trained when they see somebody buying 10 gift cards. They ask, I've personally been asked, hey, why are you buying these? Which I thought was odd at the time. And then I realized they're actually being trained now to spot victimization and individuals that are going in to buy these cards. So that's kind of the real-world example of the gift card attack. Well, what we did, the team developed a deepfake phishing lure that was a video delivered via email that was impersonating a C-level executive at a company. And you know, as an organization we perform social engineering engagements routinely, and we try and get as creative as possible with some of these engagements.
So the deepfake lure was actually generating interest to the end user, saying, hey, you know, we're going to be meeting at the company meeting soon, and before we meet in person, I want you to do something to prep, which creates this urgency, which is also a tie-in to psychology, which we see all the time with phishing in general. And so the request was actually creating a paper airplane. We need you to create a paper airplane, write your name on the wing, and we're going to have a distance contest. So now you've got competition. In this particular instance it was a sales-focused organization. So you've got individuals that are targeted specifically because the executive thinks they could win, which now creates, again, tapping into that authority, that familiarity, and it creates this compelling reason to act. And then, sure enough, 10% of the victim pool showed up and issued a paper airplane. And we have photographs of a box of paper airplanes that were sent to us to just show how this worked. And so, as interesting as it was to leverage AI to produce the outcome, psychological principles don't change. I mean, AI is accelerating these attacks and scaling them in a way that's never been seen before. But what really works is that human psychology hasn't really changed too often. So that's one of the things that we did, and it was well received. So that was the core part of the talk. And showed the example and showed the results and even some takeaways on how to prevent it.
A
Yeah. And I know that's the how-to-prevent-it part. I'm sure a lot of people are probably champing at the bit a little bit, and I want to get to that. But I thought something you said was especially profound, that the human psychology doesn't change even in the face of AI. I know a lot of people, I mean, myself included, we see what feels like, I'm not sure if it is, but what feels like an exponential increase in the efficacy of some of these social engineering attacks with AI involved. But I often have thought, well, you know, the human psychology hasn't changed, so that's why it's gonna be harder. But I'm wondering, it sounds a little bit like you're saying that actually is of benefit to us when we're thinking about how we can defend against these attacks, because those fundamentals on the human side are unchanged. Am I interpreting that potentially correctly?
D
Absolutely. I mean, I think if listeners remember one thing, it's trust your instincts, and your instincts are in that same biological makeup as the psychological potential exposures that the attackers are trying to capitalize on. And so it's kind of like the Turing test in a way, where you can be convinced that something is real. But the only way that you're being convinced that something is real from a computer perspective or from a chatbot or what have you is because the programming around that technology has been made to produce the outcome that will convince the victim that it's real. So if you're spotting those types of things and you trust those instincts, the Spidey sense, right, as some people call it, you can really try and understand, well, is this odd that somebody in an executive position is sending me a text message to get gift cards, irrespective of the gift cards or the lure. To your point, you can trust yourself and your psychology that does give you that instinct that this is foreign or odd, or scrutinize it. And so by being consistent with our own human nature, you can actually defend yourself, because the attackers will inevitably try and emulate that. And that's the pattern that you want to look for.
A
Yeah. Is there anything organizationally that we can do to maybe help bolster that Spidey sense on the individual level? I know when I've talked to random people in my life about what we're seeing right now, many people feel like they don't even have that Spidey sense really calibrated anymore, because they don't know what to trust, what not to trust, how to, you know, trust that gut feeling. Because, you know, I've been tricked so many times. Is there anything we can do? Again, if you're thinking more organizationally, to help with that?
D
Yeah, I think that's a really great question. I mean, I mean, in general, the short answer is conditioning. And I think not just, you know, security awareness.
B
Right.
D
And I'm a big fan of this podcast, and I think that's a running theme: you know, the defensive line is the end users, which, you know, from a university perspective, the constituents and the end users and the insider threats, they're all the same user pool, they're all on the same network segments. But the conditioning could take multiple forms. It doesn't have to be, let's call it, flash in the pan or very exciting from an AI perspective. It doesn't have to be very novel. It can be consistently predictable. And I think what I've found success in is ebbing and flowing between something that's very sophisticated and something that's table stakes or mundane, if you will, routine. An example might be one year working through an AI-based deepfake phishing lure for an organization, and then the next year, when they're expecting something that might be very exciting to find or something that's interesting anecdotally to talk about, that year is really just a QR code drop or USB drop, which now USBs have to be USB-C and A. And you get into all kinds of OS flavors that you have to work through to make that attack type work, which is, I think, less effective because of that. QR codes are still there, and they're still everywhere, frankly. And so that's a great example of how the conditioning can get worn out if you're constantly just looking for something that's flashy or exciting. You don't think about the QR code sticker that's on top of the menu at the restaurant that somebody might have put on top of the menu to try and capture hundreds of people at a time. And so trying to keep a balance of consistency with the table-stakes threats that are out there and the basics, as well as keep people guessing with the exciting phishing lures, is a way that you can balance your conditioning and bring it back to muscle memory to make sure an organization is defending against these types of threats.
A
That's a great, great idea there. And the balancing between the hypervigilance and the fundamentals that still remain. I love that. That's fantastic. And I'm wondering on an individual level, because I know many people who listen to our show are the family IT person or just someone who's trying to raise their own awareness and look out for people in their community. What should they know about, I guess, the current state of social engineering as you see it?
D
Yeah, I think you kind of tapped on this a bit a second ago, which was what can people do to spot these things? I think one thing that used to be the easy way to prevent a phishing attack was grammatical error. And looking at grammar in a phishing email, if it was off base, spelling errors, a 0 instead of an O to maybe try and evade signature-based email defenses. That's no longer the standard; it's almost the opposite. And you've probably heard this before, of course: if it's too perfectly written, then maybe that in and of itself is a red flag.
A
Oh yeah.
D
You know, if it's flawless, maybe some AI model produced that phishing lure.
B
Right.
D
So I think that there's a balance between reality and, again, back to that muscle memory. And I think when spotting an AI-specific phishing lure, generally speaking, there's some things that I've noticed are common. Most individuals that write an email don't use hyphens in a way that AI does routinely. Typically, somebody might use parentheses or commas to break up an idea in a sentence. And very often AI will use hyphens to separate a segue or a minor idea in a sentence. So seeing hyphens in content is one way you can spot phishing. I think another is bulleted lists often don't have periods at the end. Typically when you write them, they're a fragment of a sentence. But AI most of the time will add a period at the end. And so that's another minor thing. It's not 100% correlated with a threat, but these are just small takeaways that somebody listening can maybe use when they look at the next phishing attack that comes in. And I also think when you're conditioning your own small organization, it's very important, and this is something I speak to in the course as well, it's very important to have red flags baked into the event. If it's too hard to spot the phishing attack or it's too convincing, it's like fish in a barrel. There's no learning opportunity for the end user. The end user wants to walk away with: I could have been better by spotting this one thing or these several things. And so when performing an engagement, it's very important to build those things in so later on it can become an educational opportunity and not just, you know, a punch in the face. Nobody likes getting punched in the face. So that's one of the things we try and preach as well.
A
That makes a lot of sense. Incentivizing as opposed to just punishing. Yeah, that is a wonderful point, Sean. I appreciate that. I recognize we're coming close to the end of our time, so I wanna make sure if there's anything you wanted to mention to our audience, anything I missed, that I give you that opportunity to share it.
D
Yeah, absolutely. I think just back to the psychological principles. I think it's extremely important to realize we all recognize authority, liking, familiarity. People interact with people they like, and they interact with people that are familiar to them. So if you feel something is off, reach out to the person via voice. Even that can be potentially falsified, and people can be impersonated. But my goal today, hopefully, is that listeners see what's out there a little bit more and why these things matter. And it's really important to think through a problem and slow down. Most attackers get their success by speeding up and accelerating the engagement and the conversation. And so by taking a beat and taking a breath and really trusting your instincts, that's how we can be more resilient as a community and in the industry in general.
A
Brilliantly said. Sean, thank you so much, and thank you for sharing your expertise with us today. I really appreciate it.
D
All right, thank you, Maria.
A
All right, Dave and Joe, now that you've had a listen, what do you think?
C
I will go first. I'll tell you exactly what I think about this. This is one of the greatest things that he said in this interview: trusting your gut. He calls it Spidey senses.
A
Yeah, yeah, right.
C
Yeah, that's exactly right. When somebody calls you and it seems a little bit off. Probably is a little bit off. That's probably a good judgment.
B
Yeah. I like the part where he was talking about, when it came to training, to mix it up some. The difference between edge cases and the fundamentals. Everybody, when they say, hey, it's training day, everybody groans. So the least you could do is mix it up, keep it interesting and vary it. And I think it gives you a better chance of stuff sticking.
A
Yeah, I thought it was really neat. The point he was making is if you have everyone really hypervigilant for really sneaky attacks, that it could actually prime people to miss the really obvious ones that we've become almost inured to. So it's good to keep people aware of the oldies but goodies. Stick around.
C
Maybe this really is a Nigerian prince.
A
It's like, as much as we chuckle about it. Right. But someone. I don't know if that one necessarily, but some really basic phishing attacks can still get you if you're just going, oh, whatever, on autopilot, because you're thinking about the fancy new, you know, AI deepfake attack. It's like, yes, that exists. And so do the old ones. They're all still kicking around at the same time. So you don't want people getting too sort of black and white, thinking it's either one or the other. It's an "and." And the thing that I found very validating, I don't know about you two, but when I asked him, you know, what's your advice for the individual person? And he basically said, everybody's gotta slow down.
C
Yeah, yeah.
A
I think we say that a lot on this show. And it made me feel much better. And I just kinda wanna make sure that people channel their inner Mediterranean a little bit. Just slow down. And that will just do a lot for preventing you from instantly reacting out of panic or annoyance or any of the other strong feelings that I think attackers are trying to take advantage of. So, yeah, slowing down. It's always interesting when it comes to these social engineering sets of advice. Sometimes it sounds very unsexy, like, hey, slow down. Trust your gut. But, right, we're talking about attacking humans. So do human things like slow down.
B
Yeah, yeah.
C
I think that's the crux of. Of his point in the article is that, you know, these things are your allies, you know?
B
Yeah, yeah.
C
There's a reason you have a gut instinct, and it harkens all the way back to, you know, days out in the wilderness. You'd hear something that sounded off, and you'd immediately pay attention to it and be like, that's not right.
B
The other one that I like to emphasize that I think doesn't get the recognition that it deserves is talk to a friend, talk to a coworker.
A
Yeah.
B
And it goes along with slowing down because in the process of doing this, you'll slow down. But just saying it out loud to another person can often make you realize something's off. Right.
A
Yeah.
B
Just the other person's not in that heightened emotional state that you may be in as these people try to manipulate you.
C
Right.
A
Yeah. Yeah. So if you're on the receiving end of that kind of a thing, try to be patient. I would rather my family come to me with these things and use me as a sounding board than go, oh, I don't want to bother her. So. No, I want people to bother me about that. I want to help. Because you're right. Just as you're verbalizing it, sometimes mid sentence you go, oh, yeah, that is kind of silly, isn't it? It's like, I'm happy I could help by just standing here and listening to you. But, yeah, sometimes it can be very hard to discern. And, yeah, that's great advice, Dave. I like that. So my great appreciation to Sean for coming on the show and sharing his expertise with us, and I will make sure we have links to where you can find him and more information about his paper airplane talk in the show notes because it's a really interesting one. So thanks again, Sean.
B
All right. Yeah, much appreciated. Really good stuff. I tell you what, let's take a quick break here to hear from our sponsor. We will be right back after these messages. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allowlisting, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com N2K today. All right, we are back. And I actually have two stories today, or a story and a list, because they're both kind of short. But the story I want to touch on is from the folks over at Bleeping Computer. And this is about a scam that is making the rounds. I checked with several of my coworkers and they've gotten tons of these in the past couple weeks. These are traffic violation scams. And the note here is that the scammers have switched to including QR codes in their phishing text messages. So basically they're sending out these notice of default traffic violation messages nationwide and they're demanding a low payment. Most of these are like seven bucks, right. But the goal is not to get the money. The goal is to steal your information, to get your credit card.
C
Interesting.
A
Yeah, makes sense. Yeah.
B
So toll violations have been around for a while, but the new twist on this is that they're including these QR codes to get you to go to the location where they want you to log in. And QR codes are much harder for defensive measures to unpack. And they don't look as obvious as a funky looking URL.
C
Right.
B
So it's more likely to make it through both your automated defenses, but your personal ones as well. Because I don't know about you guys, but I can't read a QR code by sight.
C
Not yet.
A
Not yet. Working on it.
B
Let me challenge you to that, Joe. Can you get that in a week? No. Let's take advantage of that brain of yours. Yeah.
C
You know what?
B
Get you obsessed about something.
A
Yeah. Hyperfocus on it. I'm sure you can make it happen, Joe. Use the neuro spice in your favor.
C
Yeah, challenge accepted.
A
I love it.
B
QR code flashcards with Joe
A
most useless.
B
When Joe's gonna be like, let me see. It says www.joeis... wait a minute. All right, well, my other thing I wanna share today, this actually came from one of our listeners who is a regular contributor. This is someone who I've mentioned many times, who is a friend of the show, former federal law enforcement officer, and prefers to stay anonymous. And so I respect that. I believe he's retired these days, but he sent me along this nice list that he uses for himself and his friends and family. And he calls it 10 Hard Stop Rules for Online Scams. And it's a good list. So I thought I'd share it, go through it, and we can talk about it as we go. So number one, caller ID is not proof.
C
Yes.
B
Names, phone numbers, email senders, and even verified badges can all be faked.
A
Yes. It's easily purchased. Yes.
C
Yes.
B
Right. Initiate contact yourself. End inbound contact; outbound contact only. Look up the organization yourself and use official contact details, not anything provided in the message or call.
A
Correct.
B
We've talked about this many times. Absolutely no codes or passwords from inbound requests. Again, if you didn't start it, don't share credentials or one time codes. Verify inside your account. So access your account by typing the address yourself or using a saved bookmark. Not links or prompts.
C
Right.
B
Because people will send you emails that say click here to connect to your bank and go somewhere else.
C
Right.
B
No links or QR codes. Type it yourself. Related to the previous one. No remote access or device changes. So never grant anyone remote access to your machine. Don't install software. Don't connect to a, and he puts this in scare quotes, "secure" or "AI" server. Don't ever share your screen or change any of your settings because someone told you to do it.
A
That's for sure. Yes.
B
Yeah. Never bypass protections. Don't use payment options meant for friends and family or anything that removes protections. Don't disable safeguards or take shortcuts to fix or speed up anything.
A
Yeah. They're there for a reason.
B
Yeah, yeah, yeah. And I say roll into this, you know, don't go to a third location.
C
Right.
B
And that can be a financial location.
C
Yes.
B
Or even a different platform. We talk about it all the time in the Catch of the Day. Like people trying to get people just, hey, do you have Telegram? To take you somewhere you don't want to be?
C
Yeah, some unregulated place where they're not watching what you say.
B
Right.
C
Like on dating apps. It's really big with romance scams.
B
Yeah.
A
Yeah.
B
Put you in a bad neighborhood.
C
Yep.
B
Number eight, no irreversible payments from inbound requests. No crypto, gift cards, wires or peer-to-peer transfers. Never send money to reverse, refund or fix a transaction.
A
Yes. Big one right there. Yep.
C
Yep. When somebody says, oops, I made an error here, you say thanks and you leave.
A
Or oh gosh, someone accidentally deposited a whole lot of money in your account. That didn't mean to do that.
B
Hmm.
A
That feels like a go to your bank immediately situation.
C
Right. I'd like to withdraw all this accidentally deposited money. Actually. It's not there.
B
Right?
C
It's not there.
B
It was never there in the first place.
A
Correct.
B
Yeah, the same thing, I guess. Does that apply to things that get delivered to you by accident?
C
Yeah, I think there's like Amazon packages you didn't order. Right.
B
I saw this week somebody got like an iPad in the mail that they never ordered. And I know, like, legally you are allowed to keep anything that's sent to you that you did not order.
C
Right.
B
But I guess it might be more complicated these days in that you could ruin your Amazon account, for example, that you have to rely on. If Amazon suddenly had a beef with you and said, hey, send that iPad back. And you said, no Amazon. They'd say, okay, no Amazon for you.
C
Right.
B
So it's a little more complicated than the days of the postal service.
C
Right. If you're with the Apple thing you're talking about, Apple could just brick your iPad.
B
Well, that's true. Yeah, I guess they could.
C
They'll say, this is a stolen iPad and it won't work anymore.
B
Right.
A
Yeah. I was a recipient of a lot of Amazon packages of stuff I never ordered. And Amazon's whole thing was, if it's been delivered to you, you keep it. We don't want it back. There was no way for me to return it. They didn't want it back. It was very, very strange. So free stuff. It was all, to be honest with you, it was all junk I didn't want. It all went in the trash. So I really resented that it was coming my way. So it's just like, great, just landfill.
C
Just sell it off. Facebook marketplace.
A
Like I don't have enough to do in my life. Someone's given chores time for that.
B
Yeah, yeah, yeah. All right, getting back to the list here. Number nine. Secrecy is a stop signal. Don't tell anyone. Or if someone says to you, don't tell anyone, or they pressure you to keep something quiet, stop.
C
Right.
B
That means it's time to tell someone. That's isolation, right? Exactly. They're trying to isolate you. And then last but certainly not least, pause before any financial action if it feels urgent. Slow down.
C
There are those two words again.
A
Slow down.
B
Yeah. And real organizations will give you time to verify.
C
Absolutely.
B
They'll appreciate it.
A
Yes. Yes, they will. Sorry, I'm just. I, two years ago, bought the house that I'm in right now, and every transaction I did that was legit got flagged for fraud every step of the way. We almost missed closing and I appreciated the diligence. Yes. We had to go through so many hoops and so many in-person conversations within the bank, and again, we almost missed closing on our own house because fraud was doing what it should be doing, which was slowing it down and checking.
C
Yeah, well, I mean, that's how you avoid having your house sold from underneath you.
A
Yes, yes. It was one of those things. I was like, I'm very glad this is happening. I really wish that in the case of that transaction, we had known that we needed to build that in. I wish we had realized that would happen. But the financial institutions are doing exactly the diligence they should have been doing. So I appreciated it.
C
That's good. I think they've lost enough money on this.
B
It's a really good point, because it's another place where we can all slow down. Because I know probably once a week I find myself going, ah, security is
A
such a pain in the butt.
C
Right, Right.
A
Because you, Dave Bittner, screaming like a Muppet, arms a-flailing.
B
Usually it's because I have to get up off of my couch, go get my Yubikey, bring it back, plug it in, you know, whatever. And I don't want to be slowed down, but when that happens, I remind myself to talk myself off the ledge. I said, this is a good thing. Security's a good thing. It's a pain in the butt. I'm angry about it right now, but in the end, this is easier than getting my stuff stolen.
C
I will tell you this, Dave. More often than not, when I go to open my password manager at home, I have to stop what I'm doing and walk upstairs and get my backpack, which has my Yubikey, and then bring my backpack back downstairs and plug in my Yubikey.
B
And for anybody who's seen Joe's backpack, that's no small task.
C
Right? Cause when I come in, I put it in the dining room, much to my wife's chagrin. Don't leave this here. Okay.
A
The whole house.
B
Shit.
C
Right? Yeah. Everybody knows when I'm home. They can feel the vibration. But then, you know, I go downstairs, I'm like, oh, I should probably pay this bill or check on my college webpage so I can, you know, see how my grades are. Oh, I need my Yubikey to open my password manager. Yep, yep. Gotta go back upstairs. And I always mean to bring it back downstairs, but I just don't. Yeah, again, that's the ADD talking.
B
Just this past week, I had my. What do you call it? My ATM card got flagged.
C
Really?
B
Yeah. It's my own stupid fault. It's a long story. Let me just cut it short by saying Facebook was involved. I'll leave it at that. I was trying to set something anyway.
C
So were you trying to buy some of their cryptocurrency, Dave?
B
No, no, I was just trying. I was trying to do all good intentions and no good deed goes unpunished. We'll leave it there. Yes, but. So I ended up having to go to my bank to get my card reinstated. Fortunately, I didn't have to get a new card, which meant I didn't have to go, you know, renew all my things that my card was signed up for. Right. But what struck me was the ladies who were helping me at the local branch. They were very kind and wonderful customer service, but they were also apologetic, like, oh, we're sorry you had to go through with this. I was like, no, no, no, no, it's fine.
C
No, this is suspicious activity.
B
Right. This is all working the way it should. No problem at all. So they appreciated that. All right, I will have a link to that story from Bleeping Computer in our show notes and of course, we would love to hear from you. If there's something you'd like to share with us, you can email us. It's hackinghumans@n2k.com. Joe, Maria, it is time for our Catch of the Day.
C
Dave. Our Catch of the Day comes from r/scams on Reddit. This is an email that's coming to somebody who has 39% of their battery left.
A
charge your. That's cute.
C
It's. There's just so much information on your screen that you don't need to share. You know, you can crop this a little bit better.
B
Why does this person have two signal strength meters?
C
That's a good question. I was wondering that myself. Not only have two signal strength meters, but they're also on the Wi-Fi and it's apparently Wi-Fi 6.
B
Huh.
C
You know, it's.
B
I'm missing out on something here. I'm feeling a little wireless FOMO. I don't know. Yeah.
C
6:39 in the evening or afternoon? I actually can't tell. 6:39 somewhere.
B
Let me ask you this, Joe. At what point in the battery charging world do you start to feel anxious? What number did you get to?
C
I get upset if my battery goes below like 50%.
B
Really?
C
Yeah. Like my phone. I don't use my phone that much. Or at least I think I don't use my phone that much. Maybe I use my phone way too much.
B
Okay.
C
And when I, when I see it below 50%, like in the evening, I'm like, like, what's going on? Is my battery dying? Am I using this too much? Something's up.
B
So how about you, Maria?
A
Oh, I let it go down to probably 10% before I charge it. Couldn't do that, but.
C
But I was aghast when you said that.
A
Yeah. I frequently keep my phone on a charger throughout the day though, so it depends. I mean I have it right now on my desk charger so it's probably topped up, but yeah, easily it'll go down to 10% if I'm out and about and I'm fine with it. It's cool.
C
So the subject on this email is app publishing revenue share opportunity for you. Let me see. Somebody who's already published an app is going to share their cash with me.
B
Yeah. And it's named.
A
Why would that be a scam?
C
Right.
B
It's from someone named Gerard.
C
Great, he sounds awesome.
A
That sounds like a real name.
B
Yeah, it goes like this. Greetings. Since November 2023, Google has passed a new policy for new app and game developers to pass a 14 days closed testing mandatory test. This has hindered the growth of private app and game monetizers to earn with their apps. At Kyiv Gaming Hub we're requesting for your partnership in hosting and managing of our apps and games for fixed and recurring fee. Also includes tester accounts due to our technology upgrade. If you're interested in this offer, kindly reply to this email with your WhatsApp contact and our regional managers will reach out very soon. CEO Enger Levi, Kyiv Gaming Hub International.
C
This sounds like you're going to get sucked into some Eastern European mafia kind of thing. That is my fear here. Yeah, you're gonna be muling apps around the Internet and they're gonna be using your Google account and they're gonna walk you through this. That's what this smacks of to me. It could just be sideload this malicious app on your phone, which is less
A
bad, which one's worse?
B
Well, let's unpack it just bit by bit. Let me ask you Maria, at its core, what do you think this is about?
A
I mean to me it sounds like an account takeover attempt, which I mean that they're asking you to go to WhatsApp. I mean it starts with an email but then it goes to WhatsApp. And I'm sure they're gonna say hey, we need your account for some nefarious, totally innocent sounding thing. But yes, I can't imagine anything good would happen once you do that.
C
Yeah, right.
B
Yeah, I think I'd be suspicious too, to what Joe is saying, that this is some kind of app laundering sort of thing where they get someone who's got an IP address in a favorable nation, right?
A
Oh yeah, yeah, yep.
B
Russia or something. To be the one submitting the app to the App Store so that it doesn't maybe raise as many red flags. Who knows? But yeah, I'm sure this is taking you down a path that will not end well for you.
C
Right?
B
Yeah. All right, we will have a link to that in our show notes and again, we would love to hear from you. If there's something you'd like us to consider for the Catch of the Day, please do email us. It's hackinghumans@n2k.com. Most environments trust too much and attackers know it. ThreatLocker enforces default deny at execution, blocks unknown apps and limits what trusted apps can do. Stop ransomware at the source. Get your demo at threatlocker.com N2K. And that is our show, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
And I'm Maria Varmazes.
B
Thanks for listening.
Podcast: Hacking Humans, N2K Networks
Episode Date: April 16, 2026
Theme/Purpose:
A deep dive into the evolving landscape of social engineering, influence, and deception in cyber crime. The hosts analyze new scam techniques, explore the psychology behind human susceptibility, and offer both organizational and personal advice to improve resilience against scams—especially as AI advances.
Security Insights:
Human psychology is the constant: “Trust your instincts.”
Most successful attacks capitalize on the same triggers—urgency, authority, trust.
Conditioning and Training: Mix up phishing simulations—rotate between flashy, AI-driven attacks and basic, “old school” tactics. Don’t let people become hyper-focused on only advanced threats and miss the basics.
Spotting AI-crafted phishing: Flawless grammar can be a red flag now; AI often uses hyphens and ends bulleted lists with periods unnaturally.
Key Advice:
Ten “hard stop rules for online scams,” provided by an anonymous ex-federal law enforcement listener: caller ID is not proof; initiate contact yourself (outbound only, using official contact details); never share codes or passwords on inbound requests; verify inside your account by typing the address yourself or using a saved bookmark; no links or QR codes; no remote access or device changes; never bypass protections; no irreversible payments (crypto, gift cards, wires, peer-to-peer) from inbound requests; secrecy is a stop signal; pause before any financial action that feels urgent.
Notable Quotes:
“Trust your instincts … Most attackers get their success by speeding up and accelerating the engagement and the conversation … by taking a beat and taking a breath and really trusting your instincts. That’s how we can be more resilient.”
— Sean Colicchio (31:37)
“Mix up [phishing] training … if you have everyone hypervigilant for really sneaky attacks, it could actually prime people to miss the really obvious ones.”
— Maria Varmazes (33:46)
“Caller ID is not proof. Names, phone numbers, even verified badges can all be faked.”
— Dave Bittner (41:25)
“If you’re getting phished, you’re going to derive a completely different private key, which means even if they have your public key, it won’t work.”
— Joe Kerrigan (12:27)
Listening to this episode arms you with both expert knowledge and day-to-day defensive rules—plus the reminder to honor your “Spidey sense,” in digital and real life alike.