Follow-up from down under. Joe shares the story of a Mom scammed out of Gaelic Football League tickets. Dave describes a bounty hunter hoaxing suicide threats to get location information from mobile providers. The catch of the day requires a response from the grave. Our guest is Ben Yelin, senior law and policy analyst from the University of Maryland Center for Health and Homeland Security. He digs into a particular Facebook scam that refuses to die.
Links to stories:
- 'I’m just broken up' - Mother devastated as she's scammed out of money while trying to buy All-Ireland final tickets
- Fake Cop Allegedly Tricked Phone Companies Into Giving Him People’s Location Data
Ben Yelin: [00:00:00] Think before you post.
Dave Bittner: [00:00:02] Hello everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world.
Dave Bittner: [00:00:14] I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:21] Hello, Dave.
Dave Bittner: [00:00:21] We've got some good stories to share this week. And later in the show, we're joined by Ben Yelin. He's a regular contributor over on the CyberWire, and he is a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. I asked him to join us because I wanted to dig into one of the most annoying Facebook scams that simply refuses to die. Can you tell I'm wound up about this, Joe?
Joe Carrigan: [00:00:43] I can tell. I don't know which Facebook scam it is.
Dave Bittner: [00:00:46] (Laughter) OK. I decided it was time to go to an expert.
Joe Carrigan: [00:00:49] OK.
Dave Bittner: [00:00:49] But before we get to all of that, a word from our sponsors at KnowBe4. So who's got the advantage in cybersecurity, the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us and we'll have some insights from our sponsor KnowBe4 that puts it all into perspective.
Dave Bittner: [00:01:17] And we are back. Joe, before we kick things off with our stories, we got a note from a listener.
Joe Carrigan: [00:01:22] OK.
Dave Bittner: [00:01:22] This is from a gentleman named Lewis (ph). And he writes in - first of all, I have to say that Lewis is from Australia. You know what that means - wacky accents.
Joe Carrigan: [00:01:32] Ridiculous accents.
Dave Bittner: [00:01:34] Lewis writes in, and he says, (imitating Australian accent, reading) hi. I often listen to the Catch of the Day segment and think to myself how strange it is that I seem to be lucky in that I do not really get a lot of scam emails and messages. However, if I think about it, I receive plenty of contact attempts on Instagram from scantily clad women with names made up mostly entirely of numbers. But, usually, I would block them and forget about it. I recently received this text message and for a second felt happy to have won something. Then I put on my skeptical hat and realized I have no memory of completing this survey. A quick search revealed that it is a scam.
Joe Carrigan: [00:02:10] Right.
Dave Bittner: [00:02:11] (Imitating Australian accent, reading) I had already emailed the company to check it. However, it seems they already knew, as they have a Facebook post about the text. It's something poor in that it doesn't seem to go into much detail about the scam. It's quite interesting in how the scammers are able to send a text and make it appear to have come from the same service that a legitimate company uses. Anyway, I thought this interesting, so I thought I'd pass it along. Thanks for an entertaining and informative show. Keep up the great work. You and Joe make a great team. I do find your Aussie accent quite funny, too.
Joe Carrigan: [00:02:42] (Laughter) He's probably laughing right now.
Dave Bittner: [00:02:43] I hope so.
Dave Bittner: [00:02:47] One of these days I'm going to practice that. Maybe I'll take a class on it.
Joe Carrigan: [00:02:50] Yeah, a class would be good. Maybe you should spend some time in Australia to pick it up.
Dave Bittner: [00:02:54] That's a good excuse.
Joe Carrigan: [00:02:54] Yeah.
Dave Bittner: [00:02:54] Maybe I could go stay with our friend Lewis here...
Joe Carrigan: [00:02:57] Right.
Dave Bittner: [00:02:57] ...If he has a spare bedroom or something.
Joe Carrigan: [00:02:59] I got friends in Australia I could talk to.
Dave Bittner: [00:03:00] International exchange program.
Dave Bittner: [00:03:02] Well, it is a good scam that he pointed out here. This is - someone texts you from out of the blue and the bait is that you've won some sort of survey or lottery thing. I think, you know, we've all been walking around in a shopping mall or something, and there's things - fill out this form and you could win this new car, right?
Joe Carrigan: [00:03:18] Right.
Dave Bittner: [00:03:18] That sort of thing.
Joe Carrigan: [00:03:19] I never do that.
Dave Bittner: [00:03:20] I - well, neither do I, but plenty people do.
Joe Carrigan: [00:03:22] Right.
Dave Bittner: [00:03:23] So this plays on that that in the back of your mind, it could be - you may have a memory...
Joe Carrigan: [00:03:27] Yeah.
Dave Bittner: [00:03:28] ...Of filling something out.
Joe Carrigan: [00:03:29] You drop your business card in a fishbowl at a restaurant - those kind of things.
Dave Bittner: [00:03:32] Right, right, right - get a free lunch.
Joe Carrigan: [00:03:33] Right.
Dave Bittner: [00:03:34] The other part of this that he addressed that I think is interesting is the scammers' ability to make the link look like a legitimate company. And it's not terribly complicated what's going on here. In the same way that I could have a link that said, to find out more, click here...
Joe Carrigan: [00:03:50] Right.
Dave Bittner: [00:03:50] ...And I could have the click here text be the link that the URL could go somewhere, instead of saying, click here, I could have it look like a link.
Joe Carrigan: [00:03:58] Correct.
Dave Bittner: [00:03:58] So it could say http - you know - www. - you know - thefbi.com.
Joe Carrigan: [00:04:01] You know, that...
Dave Bittner: [00:04:03] Or it can be something legitimate.
Joe Carrigan: [00:04:04] That's an excellent point, Dave. We've never really talked about that on this show, but the link text that you see and the URL that's actually behind it can be two completely different things.
Dave Bittner: [00:04:13] Exactly.
Joe Carrigan: [00:04:14] Yup.
Dave Bittner: [00:04:15] Exactly. And that's what this points out. And it's a really good point. It's something to be careful about. Obviously, on your desktop machine, any time before you click on a link, hover over it, let it pop up, and see...
Joe Carrigan: [00:04:25] Right.
Dave Bittner: [00:04:25] ...Where it's really going. There are ways to do that on mobile. It's a little more complicated, but it's worth your time to look up. So thanks to Lewis for sending this into us, and apologies for the Australian accent.
Dave Bittner: [00:04:37] All right, Joe, why don't you kick things off for us? What do you have for your story?
Joe Carrigan: [00:04:40] My story also comes from out of town this week, Dave, but I will spare everybody my accent. This comes from Rory (ph), who is a listener in Ireland. He reached out to me on Twitter and sent me a link to this story.
Dave Bittner: [00:04:50] Very nice.
Joe Carrigan: [00:04:50] So thank you, Rory. There is an organization in Ireland called the GAA, the Gaelic Athletic Association.
Dave Bittner: [00:04:55] OK.
Joe Carrigan: [00:04:55] And they run a number of traditional Irish sports leagues, including the Gaelic football league. And as you may imagine, tickets for these events are in demand. And the final game happened last weekend. There was a story last week in the Independent of Ireland about a woman from Kildare named Siobhan, and that's not her real name. They just called her Siobhan in the article. She reached out to a man on Adverts.ie, which is, I guess, like an Irish version of Craigslist...
Dave Bittner: [00:05:23] OK.
Joe Carrigan: [00:05:24] ...Who said that he had two tickets to the championship game of Dublin versus Kerry and he wanted to sell them at face value. And Siobhan said that she wanted to take her 14-year-old daughter to see the game because her 14-year-old daughter's a fan. They exchange phone numbers, and he claims - this guy claims he was a solicitor but got a job working for the Gaelic Athletic Association and had spare tickets for the final.
Dave Bittner: [00:05:47] OK, awesome.
Joe Carrigan: [00:05:48] And he wanted to ensure that the tickets didn't fall into the hands of touts is what the article says, but that's basically a scalper, right?
Dave Bittner: [00:05:55] OK.
Joe Carrigan: [00:05:55] And would only sell to genuine fans - he said he would only sell them to someone who he trusted would not sell them for a profit. So he's looking for trust, right?
Dave Bittner: [00:06:03] Yeah.
Joe Carrigan: [00:06:04] They spoke over the phone - Siobhan and this guy - for an hour and agreed to share social media accounts as an extra precaution. So you can see who I am - I'm a real person.
Dave Bittner: [00:06:14] Right.
Joe Carrigan: [00:06:14] And the following morning, the two arrange to meet at Croke Park in Dublin so the tickets could be handed over.
Dave Bittner: [00:06:22] OK.
Joe Carrigan: [00:06:22] Now, Croke Park is where this game is going to take place. Now the man says he has three more tickets that he wants to sell - two premium seats and one hill seat - and he only wants to sell them, again, to genuine fans. So Siobhan says she immediately contacts some of her friends who are over the moon at the opportunity, and she accepts right away. The total face value of all these tickets - 420 euros.
Dave Bittner: [00:06:44] Talking real money here.
Joe Carrigan: [00:06:45] Talking real money, right.
Dave Bittner: [00:06:46] Yeah.
Joe Carrigan: [00:06:46] So Siobhan tells the guy that his (ph) daughter is very excited, and he says, well, look; here's a picture of where you're going to be sitting on Sunday, right? And it's from the outside of the stadium. And she says, I have no reason to doubt his authenticity.
Joe Carrigan: [00:06:59] So Siobhan goes to Dublin, which is actually not a far trip from where she's from, Kildare, but while she's there, she has three kids in tow from her neighbor that she's watching. She meets the guy outside of a James Gill's Corner House at 1 p.m., which is just around the block from the stadium. And the guy shows up. He's a very well-dressed man. And he even promises the kids they can have a tour of the stadium afterwards - right? - because, hey, I'm with the GAA. I can get you in there...
Dave Bittner: [00:07:23] Yeah, he works there.
Joe Carrigan: [00:07:23] ...Show you around. I mean, there's nothing going on right now. Why not look around? So he explains that he shouldn't really be selling the tickets and that his job at the GAA would be in jeopardy if anybody ever found out, right? So keep it on the down low. They then walk to the ticket office, which is just down the block a little bit, about a quarter-mile away, and he says to Siobhan, you sit here in this outdoor seating area at a cafe, and I'll go get the tickets. And Siobhan then hands him the 420 euros. And then she turns around to see the kids that she's minding. And that's the last she sees of him. He's gone.
Joe Carrigan: [00:07:51] About 25 minutes goes by. Siobhan realizes, hey, something's up. And she tries to call him. His phone is off. It doesn't work anymore. So she says, I know - the Instagram account. That's gone, too, right? He has disappeared. All evidence of his online activity is gone. And she says she's very upset because she could not believe she'd fallen victim to such a scam. She contacts the police, and they say they are aware of this guy, and they are definitely going to investigate him. So now Siobhan is out 420 euros and she has a daughter at home that she now has to break this news to that they're not going to get the tickets.
Joe Carrigan: [00:08:26] Couple things in this story that kind of raise red flags to me. The deal just keeps getting better. It starts out as two tickets. Then it becomes two more tickets and a premium ticket.
Dave Bittner: [00:08:35] Right.
Joe Carrigan: [00:08:35] And then, eventually, it becomes, hey, I can give you a tour of the place. It just keeps getting better.
Dave Bittner: [00:08:40] But each of those things that makes it better also increases the legitimacy of this guy.
Joe Carrigan: [00:08:45] Right.
Dave Bittner: [00:08:46] I can take you for a behind-the-scenes tour.
Joe Carrigan: [00:08:48] Correct. Yeah, it does increase the legitimacy of this guy. Now, I don't know. If I'm going to buy tickets from somebody, the very first thing I want to see is the tickets.
Dave Bittner: [00:08:55] Right.
Joe Carrigan: [00:08:56] You're not getting money from me until I see the tickets and we sit down at a table. But even then, you're still running the risk of buying counterfeit tickets.
Dave Bittner: [00:09:02] Well, and it seems like he set this up so that she gave him the money that he was then going to use to go buy the tickets using his credentials...
Joe Carrigan: [00:09:12] Right.
Dave Bittner: [00:09:13] ...Is how he framed it.
Joe Carrigan: [00:09:14] That may have been how he framed it, but he also framed it that he had these tickets because he worked for the GAA. So, hey, I get two free tickets because I work there. I don't know.
Dave Bittner: [00:09:20] Yeah.
Joe Carrigan: [00:09:21] But it's a sad story. It's interesting to me because he completely set up a fake persona online, right? He had a fake telephone number, and he had a fake Instagram account - probably pictures of him. Those accounts are gone, but I'll bet Instagram still has the data.
Dave Bittner: [00:09:33] Well, it's so brazen.
Joe Carrigan: [00:09:35] It is brazen.
Dave Bittner: [00:09:35] I'm sure there must be security camera footage of him...
Joe Carrigan: [00:09:39] Yeah.
Dave Bittner: [00:09:40] ...With as much walking around as they did.
Joe Carrigan: [00:09:42] I'll bet this guy gets caught.
Dave Bittner: [00:09:43] I hope so.
Joe Carrigan: [00:09:43] Yeah, me too.
Dave Bittner: [00:09:44] Yeah, what a scumbag.
Joe Carrigan: [00:09:45] Yeah.
Dave Bittner: [00:09:46] All right, well, it's certainly a cautionary tale.
Dave Bittner: [00:09:48] My story this week is about someone pretending to be someone they're not in order to access people's location data. This is a story - comes from the Daily Beast, written by Adam Rawnsley and Seamus Hughes, and it's out of Colorado. The Colorado Public Safety Task Force got in touch with some folks at T-Mobile, and they said they had an urgent situation. There was a man who was suicidal, and they needed the location from his phone to save his life. So after T-Mobile hands over the GPS data, this task force gets back in touch with them and says, good news. They found the man in a field outside of an apartment complex. They got to him just in time, and they saved his life. However, the problem - turns out there is no Colorado Public Safety Task Force.
Joe Carrigan: [00:10:43] Right.
Dave Bittner: [00:10:43] The Public Safety Task Force was the creation of a bail bondsman named Matthew Marre. The people he was trying to track down were not suicidal.
Joe Carrigan: [00:10:53] They were bond jumpers.
Dave Bittner: [00:10:54] They were bail jumpers he was trying to catch.
Joe Carrigan: [00:10:56] Right.
Dave Bittner: [00:10:57] And he was repeatedly contacting various mobile providers - T-Mobile, Verizon, Sprint - the folks who would have your location data...
Joe Carrigan: [00:11:04] Right.
Dave Bittner: [00:11:05] ...Under the guise of this Colorado Public Safety Task Force to get people's location information, and they would turn it over. Eventually, an employee at Verizon sort of caught on to this...
Joe Carrigan: [00:11:18] Right.
Dave Bittner: [00:11:18] ...Because of the number of requests that they were getting from this organization.
Joe Carrigan: [00:11:22] Yeah, we never got these requests before, but now we're getting a lot of them.
Dave Bittner: [00:11:25] Right.
Joe Carrigan: [00:11:25] It seems inordinate.
Dave Bittner: [00:11:26] Right. This person decided to call back the phone number for this alleged organization and, when he called, got the bail bondsman.
Joe Carrigan: [00:11:36] Bail bondsman.
Dave Bittner: [00:11:36] Right, right. Exactly. And so they contacted the FBI. And...
Joe Carrigan: [00:11:41] Really?
Dave Bittner: [00:11:42] Yeah.
Joe Carrigan: [00:11:42] That high up?
Dave Bittner: [00:11:42] That high up. And the FBI followed up. And sure enough, he's been accused of wire fraud. This Mr. Marre has been charged with wire fraud.
Joe Carrigan: [00:11:52] He will not be a bail bondsman anymore.
Dave Bittner: [00:11:54] No, he will not. But it's an interesting little bit of social engineering.
Joe Carrigan: [00:11:58] It is. That's very creative.
Dave Bittner: [00:12:00] It is. Like, we always talk about this time-pressure thing.
Joe Carrigan: [00:12:02] Yup.
Dave Bittner: [00:12:02] We have someone who is reportedly suicidal. You don't have time to think about this. I need this location information. I've been trying to think about - from a user's point of view, for you and me using our phones...
Joe Carrigan: [00:12:13] Right.
Dave Bittner: [00:12:14] ...If we didn't want our location information to be made available, there's really no way to prevent this. I suppose the point could be made that if you or I or someone we love truly were suicidal...
Joe Carrigan: [00:12:25] Right.
Dave Bittner: [00:12:25] ...We would want our location.
Joe Carrigan: [00:12:26] Right.
Dave Bittner: [00:12:27] We would want law enforcement to be able to come and at least try to talk us out of it, right?
Joe Carrigan: [00:12:31] Well, maybe.
Dave Bittner: [00:12:32] You or me.
Joe Carrigan: [00:12:32] Well, but if somebody...
Dave Bittner: [00:12:33] Someone we love.
Joe Carrigan: [00:12:34] It would be good. Yeah, if somebody - yes, if it was someone we love, we definitely want to have that done.
Dave Bittner: [00:12:38] Right.
Joe Carrigan: [00:12:39] I'm not saying the person who's doing that would want to have that done.
Dave Bittner: [00:12:41] Well...
Joe Carrigan: [00:12:41] But you're right.
Dave Bittner: [00:12:42] Yeah.
Joe Carrigan: [00:12:42] There is definitely a good side to this. Now...
Dave Bittner: [00:12:44] Yeah.
Joe Carrigan: [00:12:44] Here's my question. Is there some legally acceptable route that this bail bondsman could've gone to get this information? Could he have asked for a court order for the information to be released to him so that he can go out and collect the bail jumper, because this is part of the judicial system, right? Judges have a vested interest in having these guys be brought back in front of a court.
Dave Bittner: [00:13:04] Right.
Joe Carrigan: [00:13:05] So maybe they would be willing to issue a subpoena for that, or a warrant, although he's not a police officer, so I don't know that a warrant's the correct thing.
Dave Bittner: [00:13:12] Yeah, I don't know a lot about the bail bonds...
Joe Carrigan: [00:13:15] Yeah.
Dave Bittner: [00:13:16] ...Industry. I haven't watched any of those reality shows.
Joe Carrigan: [00:13:19] No, I don't watch them either.
Dave Bittner: [00:13:21] (Laughter) But...
Joe Carrigan: [00:13:21] But I do know that they are entitled to go after people who have jumped bail.
Dave Bittner: [00:13:24] And I wonder if there's a competitive aspect to this. By doing this, he got very accurate information very quickly, and maybe that gave him a competitive edge over some other people who might be after the same fugitive or something like that.
Joe Carrigan: [00:13:37] No, he's - I think he's the only one after the fugitive...
Dave Bittner: [00:13:39] Is that right?
Joe Carrigan: [00:13:39] ...Because what's happened is he has said - this is my understanding of how this works. He goes to a court with a guy who has a bond hearing, and they set the bond at, say, a hundred thousand dollars. He charges the accused criminal - the alleged criminal about 10% of that, about $10,000. And then he says to the court, if this guy jumps bail, I will give you a hundred thousand dollars.
Dave Bittner: [00:14:01] I see.
Joe Carrigan: [00:14:01] Right? Or I will make him appear, right? So now he has a very large financial incentive to have that guy show up on his court date.
Dave Bittner: [00:14:09] I see.
Joe Carrigan: [00:14:10] If he doesn't show up at his court date, then he can go out and get him. And he has, like, arresting authority, I think, to capture this guy and bring him back in. And then he's not on the hook for a hundred thousand dollars at that point.
Dave Bittner: [00:14:20] I see. All right, well, Joe, it's time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:14:28] Our Catch of the Day came from a user over on Reddit who posted this email that they received. Joe, see if you can figure out what the problem is with this scam email. It says, (reading) dear beneficiary, I want to let you that we receive another email right now from a young man called Mr. Mark Douglas. He said that you got an accident and died yesterday - that before you died in the hospital, you gave him the power of attorney to inherit your fund worth $10.7 million in our custody, and he said that he is ready to pay for the VAT charge duty so that we can hand over the fund to him. We need a confirmation to this, and if we do not hear from you within a couple of six hours, we are going to take the action by handing over him to the fund. Best regard.
Joe Carrigan: [00:15:16] (Laughter).
Dave Bittner: [00:15:19] Joe?
Joe Carrigan: [00:15:20] You can respond with, my death was definitely a bump in the road, but it could've been much worse. Anyway, I never told my attorney he could have the money before I died. Does me getting the money back require my being alive?
Dave Bittner: [00:15:33] Right. How do you respond to a scam email when you're already dead?
Joe Carrigan: [00:15:37] Right. Now, this is a good one. This is somebody trying to lure you in by making you think that somebody else is trying to scam you out of $10 million that doesn't exist.
Dave Bittner: [00:15:46] I suspect this may have gone through some translation layer.
Joe Carrigan: [00:15:49] Yeah. It's pretty bad.
Dave Bittner: [00:15:50] (Laughter) I don't know. How can you expect a response from someone who died yesterday?
Joe Carrigan: [00:15:55] Yes.
Dave Bittner: [00:15:56] All right, well, it's a quick one, but that is this week's Catch of the Day.
Dave Bittner: [00:16:00] Coming up next, we've got my conversation with Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. And we are going to dig into one of the most annoying Facebook scams that simply refuses to die.
Dave Bittner: [00:16:11] But first, a word from our sponsors at KnowBe4. Now let's return to our sponsor's question about the attackers' advantage. Why did the experts think this is so? It's not like a military operation where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost, and the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a 10.5% failure rate. That sounds pretty good. Who wouldn't want to bat nearly .900? But this isn't baseball. If your technical defenses fail in 1 out of 10 tries, you're out of luck and out of business. The last line of defense is your human firewall. Test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:17:16] And we're back. Joe, I recently had the pleasure of speaking with Ben Yelin. He's a regular over on the CyberWire, and he is a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. He is also a real, live lawyer. And he's going to help me dig into some of the legal issues and details in a Facebook scam that I have to say just annoys the dickens out of me. So here's my conversation with Ben Yelin.
Dave Bittner: [00:17:46] So, Ben, thanks for joining us. I wanted to check in with you on this because this seems to be one of those online annoyances that refuses to die and pops up every few months. Just to go back and cover the background of it, any of us who use Facebook or Instagram will see this message come by from one of our friends and something along the lines of a message that says, I do not give Instagram or any entities associated with Facebook permission to use my pictures, information, messages or posts, both past and future. With this statement, I give notice to Instagram it is strictly forbidden to disclose, copy, distribute or take any other action against me based on this profile or its contents - and so on and so on and so on. You're a lawyer. What's going on here (laughter)?
Ben Yelin: [00:18:35] I'm a lawyer, but I'm also a person who spends time on social media. And I just crack up at how gullible people are. And I'm gullible to a certain extent. But the fact that someone would see a paragraph that's in a bunch of different fonts with exclamation points, you know, three exclamation points after the deadline tomorrow that comes in the first words of whatever post it is, something that references a Channel 9 or Channel 13 news report, which is bizarre - I presume there are a lot of Channel 9s and Channel 13s out there. It doesn't really cite which one it is.
Dave Bittner: [00:19:10] Right. It also tends to say, you know, deadline tomorrow. Everything that you've ever posted becomes public tomorrow.
Ben Yelin: [00:19:17] Yeah. I mean, it's just so silly. First, I started noticing it on the Facebook pages of people who, let's say, might not be as technologically inclined - so some of my friends who might be on the older side of the ledger. And that I understand. They don't have the same sort of cyber hygiene preparedness that we have.
Dave Bittner: [00:19:37] Right, folks who might not be digital natives.
Ben Yelin: [00:19:40] Exactly. In the past, I've also seen people I went to law school with or people who really should know better. To think that by copying and pasting something onto your Facebook profile, your Instagram profile, that you're granting yourself any sort of legal rights is just hilariously preposterous. Not to mention the fact that this scam has been popping up every few months for the past six or seven years, you would think that the people who are posting this would have come into contact with this in the past and would realize that it was a scam.
Dave Bittner: [00:20:12] Yeah.
Ben Yelin: [00:20:13] I guess I'm just sort of dumbfounded as to how people keep falling for this.
Dave Bittner: [00:20:17] Well, I want to dig in with you because you do have the expertise on this sort of thing. So let's just walk through it together. What is going on here in terms of what I agree to when I sign up for something like Facebook and how a message like this has any influence over that?
Ben Yelin: [00:20:39] Before you sign up for Facebook - and for most of us, that was probably some time, you know, longer than 10 years ago and we probably clicked that we agreed to the terms and conditions in, like, two seconds, but we did agree to them.
Dave Bittner: [00:20:50] Right, even though folks like you who are lawyers tell us to never agree to anything legal without reading it.
Ben Yelin: [00:20:57] Yeah. But I want to know what my high school friends are up to now. I don't want to have to wait 10 minutes.
Dave Bittner: [00:21:01] Fair enough.
Ben Yelin: [00:21:42] You do, you know, release some property rights when you agree to sign up for Facebook, but a lot of those rights are just far more mundane. And you can opt out of them simply by not signing up for a Facebook account or trying to get Facebook to change its public policies. So the idea that copying and pasting something onto your profile would have some sort of legal significance is just so far out of bounds.
Dave Bittner: [00:22:10] Part of what annoys me about this copy-and-paste thing is that so often, as you mentioned at the outset, you know, people who should know better will post something like better safe than sorry. And then they copy and paste it. And this is just noise added to the signal. I've become somewhat relentless in my replies to these. I have a copy and paste where I say this is a hoax. Please do not perpetuate it. Please delete this message.
Ben Yelin: [00:22:36] The better-safe-than-sorry thing absolutely drives me crazy as well. If there were some other hoax warning - you know, let's say you tried to convince people that a hurricane was coming and you'd have to shelter in place, you know, within the next 10 minutes otherwise you're going to be killed by an incoming hurricane, would you go into the basement of a building just because it was better safe than sorry? Of course not.
Ben Yelin: [00:22:58] You'd have a BS detector in your brain. You'd say I would have found out that a hurricane was coming prior to the last five minutes. Whoever is telling me this probably has no idea whether a hurricane is coming. And it would be absolutely ridiculous to take any action on the basis of something that's so obviously false. You know, to make a broader point, the fact that people can't see the warning signs that this is a fake post is kind of deeply concerning to me.
Ben Yelin: [00:23:26] Especially when you have things like ransomware attacks, they come from posts that look an awful lot like this, from disreputable email addresses, a lot of capitalization, changes on fonts, you know, scary-sounding warnings about an action that must be taken. And if people are falling for something so obvious like this, what's to stop, you know, somebody who works for a city government, for example, from clicking on an email and bringing down an entire city's digital infrastructure?
Dave Bittner: [00:23:56] Yeah.
Ben Yelin: [00:23:56] So, yeah, I mean, it's just - you're absolutely right. This better-safe-than-sorry thing is a canard. It makes no sense whatsoever. If you have any doubts as to whether some social media warning is true, first of all, it's almost certainly not true. Second of all, paste it into a Google search. You can immediately see that this has been a long-running consistent Internet hoax that has been debunked by reputable news organizations. Think before you post, I think, is the advice summed down into three words. And just have a better BS detector. It's just incumbent on all of us to be able to identify BS like this. So that's my little sermon on this post.
Dave Bittner: [00:24:42] All right. Joe, what do you think?
Joe Carrigan: [00:24:43] This really irritates you, doesn't it, Dave?
Dave Bittner: [00:24:44] Yes, it does, Joe. Yes, it does. Yes. And they come in waves, Joe. They come in waves.
Joe Carrigan: [00:24:50] They do.
Dave Bittner: [00:24:51] (Laughter).
Joe Carrigan: [00:24:51] Dave, this reminds me of a couple of things. No. 1 - in the days before Facebook, I got an email from a family friend that said please forward to all your contacts. There's a child missing, right? And it had a picture of a kid and everything. And I take this stuff and do exactly what Ben says here. And I put it into a Google search, and lo and behold, it comes out as a scam. So I've received a number of these. And by now, like you, I'm irritated. So I click the reply all button deliberately - right? - and send a message that says do not forward this to anybody lest you look like a fool. I was a little less elegant...
Dave Bittner: [00:25:30] I was going to say diplomatic of you, Joe (laughter).
Joe Carrigan: [00:25:32] Right, yeah, a little less diplomatic than I could have been. I actually think I used that term, lest you look like a fool, and said, this is a scam. It's been going on for years. This child was missing for one day in 1980 and was found or - you know, it was in the '80s this kid was missing. I got a phone call from the person that sent the email out.
Dave Bittner: [00:25:49] Oh.
Joe Carrigan: [00:25:49] And this person was very upset with me because I had embarrassed her in front of a bunch of people that she thought were important. And my reply to her was you sent this out without verifying its authenticity. I did a Google search, which took me five seconds to do the search, to find out this was a scam. And this person responded to me, well - exactly what Ben was saying - better safe than sorry.
Dave Bittner: [00:26:09] Yeah.
Joe Carrigan: [00:26:10] And I said, I think it's safer to do the Google search so you don't look like a fool.
Dave Bittner: [00:26:14] Well - and also you don't end up crying wolf.
Joe Carrigan: [00:26:17] Exactly. That's another - that's a very important point. In this kind of a situation, you don't want to distribute that kind of information if it's false because then people start to think, oh, this is another missing child report.
Dave Bittner: [00:26:27] Right.
Joe Carrigan: [00:26:28] It's fake.
Dave Bittner: [00:26:28] Right.
Joe Carrigan: [00:26:29] Don't distribute fake missing child reports.
Dave Bittner: [00:26:31] I have another friend on Facebook and all she does is forward missing child reports. Her entire Facebook feed is missing child reports. It's a crying wolf sort of thing. They're - they become invisible.
Joe Carrigan: [00:26:43] They do. I'm glad that I have Amber Alerts that come on my phone now because now I'm getting a geographically directed Amber Alert about a missing kid.
Dave Bittner: [00:26:51] Properly vetted.
Joe Carrigan: [00:26:52] Right, properly vetted. Exactly. Another thing this reminds me of is somebody was suggesting that they print up T-shirts that say, by selling me this software, you are voiding any end user license agreement, so that when you walk into Best Buy and you buy software, that somehow that gets you off the hook.
Dave Bittner: [00:27:09] (Laughter) I see.
Joe Carrigan: [00:27:11] Right?
Dave Bittner: [00:27:11] Yeah.
Joe Carrigan: [00:27:11] And I Googled it. I can't find it. I can't find any reference to it, but I did find something similar. It's a T-shirt that says, notice - management, by serving me, is responsible for any losses to my person or property that result in use of this establishment. I don't know. I think if Ben heard this, he would be like, yeah, that's not going to work either.
Dave Bittner: [00:27:28] Yeah, unless you could get them to sign your shirt maybe...
Joe Carrigan: [00:27:30] Right (laughter).
Dave Bittner: [00:27:31] ...Or click something.
Joe Carrigan: [00:27:32] Got to get them to sign it.
Dave Bittner: [00:27:33] Right.
Joe Carrigan: [00:27:34] And I agree 100% with Ben. It is incumbent upon all of us to have better BS detectors.
Dave Bittner: [00:27:40] Yeah.
Joe Carrigan: [00:27:40] If we had better BS detectors as people, would we be better off? Because if we had better BS detectors, would we start looking at everything as a scam? Like, you and I've said before, I'd rather be scammed every now and then than help somebody - not help somebody who needs it.
Dave Bittner: [00:27:51] Well, yeah. I think there is a difference, though, as a group (laughter).
Joe Carrigan: [00:27:54] Right.
Dave Bittner: [00:27:54] As a group. We're kind of preaching to the choir here, right? By virtue that we have folks listening to a show about how not to be scammed...
Joe Carrigan: [00:28:01] Right.
Dave Bittner: [00:28:02] ...These are people who are interested in bettering their BS detectors.
Joe Carrigan: [00:28:05] Right.
Dave Bittner: [00:28:06] So hats off to them.
Joe Carrigan: [00:28:07] Yeah.
Dave Bittner: [00:28:08] (Laughter) So...
Joe Carrigan: [00:28:08] And you know what? Tell everybody you know to listen to this show.
Dave Bittner: [00:28:11] Well, right, sure, yes, yes, absolutely, absolutely.
Joe Carrigan: [00:28:14] Shameless self-promotion.
Dave Bittner: [00:28:15] But I think the bigger picture is do everything you can to try to help folks who need helping along with this sort of thing, right? Just provide them with the tools. Don't just shame them.
Joe Carrigan: [00:28:24] Educate.
Dave Bittner: [00:28:25] Educate them. Provide them with the tools to better protect themselves, their families, their loved ones, all that stuff.
Joe Carrigan: [00:28:29] Maybe send them a DM rather than commenting on posts like Dave does.
Dave Bittner: [00:28:32] (Laughter) Maybe not hitting reply all, yeah, yeah.
Joe Carrigan: [00:28:35] (Laughter) Right, not hitting reply all.
Dave Bittner: [00:28:36] Yes. Yes.
Joe Carrigan: [00:28:38] But, Dave, what I'm saying there is I totally relate with your frustration.
Dave Bittner: [00:28:41] OK.
Dave Bittner: [00:28:43] All right. Well, folks, that is our show. We want to thank you for listening. And, of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:29:10] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:27] And I'm Joe Carrigan.
Dave Bittner: [00:29:28] Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
KnowBe4 is the world's largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new-school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros who have 16 other fires to put out. Learn more at KnowBe4.com.