Hacking Humans 7.9.20
Ep 106 | 7.9.20
Send me money so I know you are real.
Transcript

Satnam Narang: Anytime you see something around giveaways and people doing giveaways through Cash App, 99.9% chance scammers will create fake profiles on Cash App and send these incoming requests to users saying, hey, you won the giveaway.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Satnam Narang from Tenable on the increase of scams on Venmo, PayPal and Cash App due to the opportunities provided by the economic fallout of COVID-19. 

Dave Bittner: All right, Joe, before we dig into our stories this week... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Got a little bit of follow-up here. 

Joe Carrigan: Yeah. 

Dave Bittner: Now (laughter) - now, Joe, you know, there's nothing that the internet likes more than when someone makes a small error about something technical. 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter) Now, we've... 

Joe Carrigan: I know, Dave (laughter). 

Dave Bittner: Just - it seems like just last week, we were crowing about how Joe was right about something. 

Joe Carrigan: Yes (laughter). 

Dave Bittner: And then, as - I guess as karma, in her unique, inimitable style, came back and bit you in the butt. 

Joe Carrigan: Right. 

Dave Bittner: We got several letters. Now, before I read the letters here, let's just - let's go back, and let's listen to the little segment from last week's show. I can remember it... 

Joe Carrigan: Oh, dear God. Why must we do this? 

Dave Bittner: ...As if it was - as if it was just yesterday. Here it is. 

(SOUNDBITE OF ARCHIVED BROADCAST) 

Joe Carrigan: Yeah. Absolutely, Dave. A bash shell script in the Mac world - you've got to remember that Mac is based on a distribution of BSD called FreeBSD. Years ago, they forked it off of FreeBSD and then put all their own stuff on it. And a lot of companies do this. Like, PlayStation is built on FreeBSD as well. And the license lets you do this. But because that means it's essentially a variant of Linux, because the BSD lineage goes all the way back to Linux, you can run these scripts on there, which are just essentially an order of commands. So if you think of it in the Windows world, it's the same thing as a .bat file. And in Linux, they're also called bash shell scripts as well because the shell is ported over to Linux. It works exactly the same. 

Dave Bittner: All right. So, Joe, we got letters. We got letters, and I'm just going to read one of them. This is from a listener named Steve (ph). He writes, and he starts, (reading) just to allow Dave to say Joe is wrong on Unix origins, BSD is not from Linux. 

Joe Carrigan: No, it is not. 

Dave Bittner: (Reading) AT&T invented Unix. 

Joe Carrigan: Yup. 

Dave Bittner: (Reading) UC Berkeley copied the idea and made BSD. AT&T sued UC Berkeley and lost. OS BSD was released to the world in multiple forms for wide use. Linus Torvalds did not like the way corporations could use the open license in BSD to hide their code, so he created Linux and the GNU GPL license that requires companies to open source code if they use it. Now companies have two options for a *nix-style OS - go it alone in closed source with a BSD variant or join the community and use or create a Linux variant. 

Joe Carrigan: Yes. 

Dave Bittner: So, Joe, what happened here, my friend? 

Joe Carrigan: So, Dave, I was listening to this episode 'cause I like to make sure that I don't make any stupid mistakes when I'm talking. 

Dave Bittner: (Laughter) Yes. 

Joe Carrigan: And as I'm talking, I listen, and I go, oh, did I just say that BSD came from Linux? And then I heard myself say it again, Dave. And I said, did I just say that twice? No, BSD did not come from Linux. That was a terrible verbal typo on my part. It came from Unix and Bell Labs. It was developed out of Research Lin - I almost did it again, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: It came out of Research Unix. And, yes, there was a lawsuit. And then BSD was released to the world. And it is - FreeBSD is the - all these BSD variants now. There's FreeBSD, OpenBSD and NetBSD, but they all share the common lineage with Unix, not with Linux. Linux is a completely separate code branch that... 

Dave Bittner: Yeah. 

Joe Carrigan: Steve is correct. Linus Torvalds said, I'm just going to start making a kernel that works and is free and open-source. 

Dave Bittner: Yeah. 

Joe Carrigan: So BSDs are also free and open-source, but their license is different. Like I said last week, it allows you to take their code and do whatever you want with it. 

Dave Bittner: I think you should quit while you're ahead, Joe. 

Joe Carrigan: Yes. I'm going to shut up now. 

Dave Bittner: (Laughter) Thanks to everyone who wrote in about this (laughter). 

Joe Carrigan: Yeah. Thanks, everybody. Thanks. 

Dave Bittner: All right. All right. We'll move on to our stories. I'll start things off. This is actually from the BBC, and this came to my attention from our friend Graham Cluley - friend of the show, also host of "Smashing Security." This is a story from the BBC's website. It's written by Marco Silva, and it's titled "How Facebook Scammers Target People At Risk of Suicide." Now, Joe, you and I talk about how these scammers - they're terrible people, and they have no scruples, and... 

Joe Carrigan: They are awful people, and I think I'm about to believe that they're even worse than I thought they were. 

Dave Bittner: Yes. Yes, indeed. Listen to this. So the BBC did an investigation, and they found dozens of Facebook pages that claimed to sell poison to people who are contemplating suicide. And it turns out that it is a scam. The story here follows this reporter who sort of went down this rabbit hole. He got a message on Facebook advertising that you could buy a deadly poison. Now, what I want to know and what this story doesn't really lay out here is, why did he see this ad? 

Joe Carrigan: Right. That's a good question. 

Dave Bittner: Because one of the things we know about Facebook is that it is able to target an ad with incredible precision and specificity - they can find a person. So what I wonder is - and the story - perhaps because they don't want to give too much away about how to do something like this - but I wonder, how are these scammers able to find or target people who may be contemplating ending their lives? And the fact that you can do that, of course, is very troubling, that you can target someone who may be up to - you know, contemplating that is troubling in itself. 

Joe Carrigan: The fact you could target any vulnerable population like this is troubling. 

Dave Bittner: Right. Right. So this reporter reached out to the folks who are claiming to sell this deadly poison. They don't say what the poison is - again, I think just for discretion point of view, they don't want to pass that information around in the article here - and texted back and forth with the folks who were claiming to sell this sort of thing. They offered competitive prices, fast delivery. They crowed about the purity of the poison that they were selling. They said you get the fastest delivery if you pay using - wait for it - cryptocurrency, so sale would be anonymous. And of course, in the end, it turns out that the whole thing is a scam. These folks do not have any poison to sell, which I suppose... 

Joe Carrigan: Is kind of good. 

Dave Bittner: It's a good thing. They're con artists. But part of what they're up to here and part of what caught my eye with this is that they know that you are very unlikely to go to law enforcement and report the scam. 

Joe Carrigan: Oh, absolutely. 

Dave Bittner: Because what are you going to say to law enforcement, right? If it's something you're considering - if you're considering suicide, well, chances are you're not going to go to law enforcement and say, hey, this is what I was up to. I was trying to buy this illegal item, and they scammed me out of my money. So the scammers take advantage of that. 

Joe Carrigan: Sure. 

Dave Bittner: Now, this reporter did reach out to Facebook. And Facebook went and - it looks like it took a couple rounds of interaction with Facebook. Facebook did remove the pages, but they pop right back up again. It's the old game of whack-a-mole. 

Joe Carrigan: I'm not at all surprised that it took a couple of rounds of communication with Facebook to do this. Whenever you approach one of these large behemoth companies and say, hey, there's something wrong going on here, for so long, it sounds like you're screaming into the void. These guys do not care and do not - you know - quiet, I'm making money over here, hand over fist. Don't bother me with this. 

Joe Carrigan: You know, this should be something that immediately gets the attention of a company like Facebook. Somebody is abusing your platform to take advantage of people who might be considering suicide. If I saw that in the message, that would have my undivided attention immediately. 

Dave Bittner: Yeah. And I can't help wondering, you know, what are - computers are pretty good at matching up things, right? 

Joe Carrigan: Right. 

Dave Bittner: So like, they - I mean, if - whatever the name of this drug is and even whatever - however many variants of the spelling of this drug is, if I were running something like Facebook and - I would want to have some sort of alert go off with some sort of content moderation person when this word popped up. 

Joe Carrigan: Right. 

Dave Bittner: Now, maybe I'm underestimating the, you know, the scale and all that sort of thing. But sorry - Facebook has a lot of money. And... 

Joe Carrigan: Dave, I think what you're underestimating is the value of the ad revenue. 

Dave Bittner: Perhaps, perhaps. No, yeah. Yeah. 

Joe Carrigan: That's my pessimistic view on this is that Facebook doesn't want to give up the ad revenue. 

Dave Bittner: Well - and you know what? Seems like Facebook has earned that pessimistic view... 

Joe Carrigan: Yeah, absolutely. 

Dave Bittner: ...Over time, over time. Again, the article's by Marco Silva from the BBC. We'll have a link to it. There's no depths to which they will not sink, is there? 

Joe Carrigan: No, there isn't. These guys are the lowest of the low, and they are continually demonstrating that with surprising tenacity, I would say. Like, look how low we can go now. Wow. I'm impressed. 

Dave Bittner: Right. Right. Well, that's my story this week. Joe, what do you have for us? 

Joe Carrigan: Dave, my story comes from Krebs on Security from Brian Krebs. Are you familiar with a service called privnote.com? 

Dave Bittner: I am not, no. I believe I've heard of it, but I don't really know anything other than having a vague recollection of the name coming by. 

Joe Carrigan: So privnote.com is an end-to-end encryption communication system that allows you to send a note to somebody that is then destroyed once they read it. 

Dave Bittner: OK. 

Joe Carrigan: Right? So there is another website out there that Krebs became aware of called privnotes.com - with an S on the end, right? And it's an impersonation website that does not use end-to-end encryption. And Privnote actually reached out to Brian Krebs with this and said, hey, what's going on with privnotes.com? And it took Brian a little bit of research, but he figured out what it is. Before we get into what it does, I want to talk about the Google search results for Privnotes and Privnote. 

Dave Bittner: OK. 

Joe Carrigan: If you enter Privnotes in a Google search result, Krebs found that the very first search result was an ad that took you to the impersonating site, privnotes.com. 

Dave Bittner: Oh, OK. 

Joe Carrigan: The first search result was Privnote, the correct site, but the very second site in the search results was the impersonation site. So Brian Krebs has a picture here with three search results. One of them is an ad, and two of them are - from the search results - and two of them go to the impersonation site. And only one of them goes - so even if you picked randomly, chances are you're going to the wrong site. 

Dave Bittner: Right. They're outnumbered. Yeah. 

Joe Carrigan: They're outnumbered. What the site actually does is, if I send you a message that has a bitcoin address in it, the site looks for my bitcoin address and strips out my bitcoin address and replaces it with an attacker - with presumably the Privnotes operator's bitcoin address. So now I don't get my money. Privnotes gets my money. And of course because it's a cryptocurrency, there's no way for me to get it back. It's gone, right? 

Dave Bittner: So let's just say you and I were sending messages that had nothing to do with bitcoin. I was just saying, hey Joe, how's the weather? How's vacation? How you doing? 

Joe Carrigan: Right. Yeah. Yeah. 

Dave Bittner: So those messages would pass back and forth as - just the way that they would in the legit app? 

Joe Carrigan: Sort of, yes. They would pass back and forth, but they would not be encrypted. 

Dave Bittner: Right. And we wouldn't know that. 

Joe Carrigan: We wouldn't know that unless we knew that they - we were on the wrong site. That's correct. 

Dave Bittner: OK. Interesting. 

Joe Carrigan: So we would see everything going by. Now, here's another thing that's interesting about it. If I send a note to you and then open it from the same IP address - right? - the bitcoin address doesn't change. So the developers of this malicious Privnotes app were smart enough to go, well, if somebody tests it, they're going to see that the bitcoin address has been changed. They're not going to use the service. So before we change the bitcoin address and display it to the user, let's make sure the user is not coming from the same IP that the message was sent from... 

Dave Bittner: Oh, I see. 

Joe Carrigan: ...Which is actually a pretty clever defeat of testing because chances are, if you're going to test it, you're going to test it from the same IP address, and they've taken that into account. But if you test it from two different IP addresses, as Brian Krebs did - and he says he had help from Allison Nixon as well, who is from Unit 221b. I'm not sure what that is. I'll have to look that up later. 

Dave Bittner: A security firm or something. Yeah. 

Joe Carrigan: Yes. Yep. One of the other things they found, that Brian and Allison found, was that this script only replaced the first instance of the bitcoin address in the message. So if I sent you the message, and I said my bitcoin address is this, again, I tell you my bitcoin address is this, it would only replace the first one. They wouldn't replace the second one. And I'm trying to guess if there's a technical reason behind that or if that's just lazy programming - right? - because let's say I send you a list of, like, three different bitcoin addresses. And if I were to replace all three of those with the same wallet address, then you might become suspicious, right? You'd say, well, Joe said he was going to send me three, but he just sent me one three times. But that's simple enough to overcome. I could just replace each one of those with a different bitcoin address and create those wallets and have - I could have hundreds of wallets on the bitcoin system for free. It doesn't make sense to me. Maybe - I tend to think that might just be lazy programming. 

Dave Bittner: I guess it's a numbers game here that - first of all, they got to trick people into using the platform. 

Joe Carrigan: Which they've done very well. And that's kind of the point here is we've talked about this before where they have a lookalike URL. And this URL is just Privnote with an S on the end of it. By going for a plural of the legitimate site, they've created a great opportunity for themselves. Now, of course, I've said frequently that you should buy up all the domains you can think of, and buying up a plural seems like a no-brainer. But you really can't buy up all the domains. It's just impossible to do that. Somebody's going to come up with a good way to impersonate your domain that you didn't think of buying up. I don't really blame them here. I mean, Privnote is being victimized here by these operators. 

Dave Bittner: It's hard to give a recommendation here as to what would be the obvious tell that you are on a site that was up to no good because it looks exactly like the regular site. It functions... 

Joe Carrigan: Yep. 

Dave Bittner: ...Like the regular site... 

Joe Carrigan: Yep. 

Dave Bittner: ...Other than it's vacuuming up or I guess redirecting your funds, your cryptocurrency funds, to the bad guys... 

Joe Carrigan: Absolutely. 

Dave Bittner: ...Which might not notice right away because you're intending to pay someone, so the money flows out of your account. 

Joe Carrigan: You see that instantaneously, yeah. Within 10 minutes you see that. 

Dave Bittner: Right. 

Joe Carrigan: Yep. 

Dave Bittner: Right. I guess the lesson here is be extra careful with the URL (laughter). 

Joe Carrigan: Be extra careful. Make sure you use the right URL. And what really is upsetting is that Google is selling these guys' ads. Again, here we have the ad revenue. You know, I don't know that you could call Google and say, hey, you're selling ad revenue to somebody trying to scam me. Or if - even if Privnote got on the phone with Google, I bet you - again, you'd feel like you were yelling at a brick wall. It wouldn't be doing you much good, because... 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: ...The ad revenue is more important than your complaint. 

Dave Bittner: All right. Well, it's another cautionary tale there. Good story. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Dave Bittner: Our Catch of the Day comes from EZ Computer Solutions. They have a blog on their website where they have what they call hilarious spam email examples. Joe, this one alleges to come from the United Nations, and it's titled Your Payment is Ready. Let's see. This comes from someone claiming to be a woman, Mrs. Ann Walter (ph). So it goes something like this. 

Dave Bittner: Attention, Sir Madam. Sequel to United Nations public protection policy against fraudulent activities operating in Europe, U.S. and various African banks, this council was set up to fight against scam and fraudulent activities worldwide, responsible for investigating the legitimacy of unpaid contract, inheritance and lotto winning claims by companies and individuals, and directs the paying authorities worldwide to make immediate payment of verified claims to the beneficiaries without further delay. It was resolved that all unpaid claims would be concluded via e-wire transfer through First Sunset Bank, which is a very reliable and secure bank. Your beneficiary funds, the sum of U.S. dollars 4.8 million, has been forwarded and deposited in First Sunset Bank for instant transfer to you once you contact them. You are advised to contact First Sunset Bank via email below to guide you further on the wire transfer procedures - First Sunset Bank email contact person Mrs. Agnes Scott (ph). Please be informed that transfer time is limited sequel to policy. Therefore, you are advised to attend as soon as you read this email and also reconfirm your full details to them. We have copied all our coordinate security agencies for record purposes. Thank you. Yours faithfully, Ms. Ann Walter, Director, Special Duties, United Nations Security Council. 

Dave Bittner: Wow, Joe. 

Joe Carrigan: You know what I love about this one, Dave? 

Dave Bittner: Hmm? 

Joe Carrigan: It starts off with the premise that this is a fraud prevention program. 

Dave Bittner: (Laughter). 

Joe Carrigan: We're working against all these fraudulent activities, but you got some lotto winnings coming to you. 

Dave Bittner: I guess so. Yeah. I mean, and everybody trusts the United Nations - right? 

Joe Carrigan: (Laughter) Of course. Right. 

Dave Bittner: I mean, they're - that's a good organization. This contact person is named Agnes. There aren't very many people named Agnes anymore. 

Joe Carrigan: No. 

Dave Bittner: That's a name that's fallen out of favor, I suppose. I don't know why, but... 

Joe Carrigan: It is. I don't know why, either. 

Dave Bittner: Not a bad name (laughter). 

Joe Carrigan: Yeah, it's not a bad - nothing wrong with it. I don't know. This one caught my eye. I thought this was - I thought it was kind of funny because it starts off with the - first off, they go with the big name, the United Nations. And then they say, hey, we're trying to prevent all this fraud. And then, hey, here's your phishing fraud hook. 

Dave Bittner: Right. Yeah, and it's interesting that they use the word sequel a couple of times, which I suspect must be some translation problem. It says sequel... 

Joe Carrigan: Yeah, that's an artifact of translation. 

Dave Bittner: Yeah. Sequel to United Nations public protection policy. I suppose it probably was, like, following the United Nations public policy. 

Joe Carrigan: Yeah. Pursuant to. 

Dave Bittner: Right. Right. Yeah. Isn't that interesting? 

Joe Carrigan: Well, let's not sit here and proofread these guys' phishing email for them. 

Dave Bittner: (Laughter). 

Joe Carrigan: Give them better suggestions (laughter). 

Dave Bittner: That's true. That's true. That's a good point. That's a good point. All right. Well, our thanks to the folks at EZ Computer Solutions for posting this and sharing it online. That is a fun one, and that is our Catch of the Day. 

Dave Bittner: Joe, I had the pleasure of speaking recently with Satnam Narang. He is from Tenable. And we discussed the increase of scams on cash apps like Venmo and PayPal. And this has really been triggered by the economic fallout from COVID-19. People have fallen on hard times, and it makes them more vulnerable. And the folks at Tenable have been tracking this. Here's our conversation. 

Satnam Narang: So this is actually a follow-up to a blog that I had written back in October of 2019 essentially covering a trend that I had observed in relation to giveaways on Twitter and Instagram from Cash App, which is owned by Square. So Cash App is a peer-to-peer payment application service, kind of like PayPal, Venmo, where you can send money between individuals, hence the term P2P. So peer-to-peer. 

Satnam Narang: So back in October, I started noticing - actually, I'd noticed it a long time before that, but the research came out in October. I'd been tracking a trend where every week when Cash App does giveaways - so for those of your audience that don't know, Cash App does weekly giveaways on Fridays called Cash App Friday. Essentially, they basically ask people to drop their what's called Cashtags, which is like a username on Cash App, so that way you can send money. So, like, if I wanted to send money to you, Dave, I would just need to know your Cashtag, which would be, like, $Dave, if you were lucky enough to get that Cashtag. 

Dave Bittner: Early enough adopter (laughter). 

Satnam Narang: Yeah. So if you adopted it early enough, you would've had that one. So then I would hop into my Cash App and say, OK, I want to send money to Dave. Just type in $Dave. So then I can send you money. 

Dave Bittner: Yeah. 

Satnam Narang: I don't have to know your telephone number. I don't have to know your email address. It's just an easy way for me to be able to send you money. In the same way, Cash App asks users to basically respond to their tweets, and then people started dropping their Cashtags into their replies. What ended up happening is that scammers started surfacing all these Cashtags that were being shared on these posts, and they were starting to send them requests for money. So when you're on Cash App, you can obviously send money to users, or I could send you a request and say, hey, Dave, you know, you owe me 10 bucks for dinner. You'll get that incoming request. It'll say it's from me, and then you'll send me the money. So what the scammers were doing is that they were essentially impersonating Cash App by using avatars, changing their $Cashtags to be, like, something like, CashGiveaway or something like that, saying, hey, you know, you won the giveaway. Send me $10, and then I will send you $500 back or some absurd amount of money - so essentially perpetrating advance-fee scams where they're saying, you could get a ton of money, but you need to pay a little bit upfront. So... 

Dave Bittner: Oh, that's fascinating. 

Satnam Narang: This was one component of the scams that I observed last year. The other component was, even if Cash App was posting in their Cash App giveaway tweets, some scammers would create accounts on Twitter and then respond to Cash App saying, hey, I will be doing a giveaway of my own. For the first, you know, 500 people that retweet and like this message, I'm giving away $50,000 or $500 to the first X amount of people. And then if you did the math, you're sort of like, that means you have really a lot of money sitting on hand... 

Dave Bittner: (Laughter). 

Satnam Narang: ...If you're offering, you know, 500 times this many people. You're sitting on, like, $500,000. You're giving that away? You would think that it would catch on and people might take that as sort of, like, a precautionary thing. Like, wait a minute, this doesn't... 

Dave Bittner: Yeah. 

Satnam Narang: ...Add up. Unfortunately, people fell for it. So I kind of took the time last year to kind of highlight those two particular types of scams as well as the ones that were being perpetrated on Instagram, too, because Cash App also does giveaways on Instagram. So this research was sort of a follow-up to that, also in relation to what was happening with COVID-19 because Cash App, in their effort to try to help out people who were struggling financially as a result of the economic impacts of COVID-19, started doing more frequent giveaways. And then also celebrities and influencers started getting in on the action, too. So I started to observe a trend here, and I wanted to kind of highlight it and bring it to the, you know, surface so that people were aware that this was happening. 

Dave Bittner: Well, let's go through some of the things that you discovered together. What are some of the most interesting details to you? 

Satnam Narang: When we talk about these giveaway scams leveraging Cash App and some of these celebrity giveaways, there's really two types. Right? So the first type is what's called signal boosting. So the signal boosting is essentially a way for them to get people to retweet and like their message because by doing that, it helps amplify their message to other Twitter users and their followers. So in a way, they're sort of incentivizing people to share their message across so there's more eyeballs looking at that message. And then when you have more eyeballs looking at that message, there's more of an opportunity for people to actually fall for the scam. 

Satnam Narang: So then once they do share the tweet or favorite it, the scammers will then ask the users to send them a direct message or a DM. And then they'll say, hey, you know, I would like to help you, give you money. But you know, you need to go through these steps. You need to send me money to verify that you're real. And then they'll try to basically extract money out of you first. And then once they are able to convince you to send the money, they'll block you on Twitter, and then you'll be out of whatever amount of money they ask for. It could be as little as $5; it could be as much as, you know, a couple hundred to $500 depending on how they frame it. So that's method No. 1, which is signal boosting. 

Satnam Narang: The second method is, as I mentioned, the incoming request. So essentially, they're impersonating folks like Cash App. They're impersonating, you know, popular influencers and celebrities who are doing giveaways like Jeffree Star, David Dobrik. There's several others that I've seen, as well. I think even they've been impersonating some popular rappers like Megan Thee Stallion, who's done some giveaways as well - not necessarily related to COVID, her giveaway was just wanting to give back to her fans. 

Satnam Narang: But anytime you see something around giveaways and people doing giveaways through Cash App, 99.9% chance scammers will create fake profiles on Cash App and send these incoming requests to users saying, hey, you won the giveaway because you're essentially broadcasting to the world when you respond to a tweet from a David Dobrik or from Jeffree Star with, say, your Cash App or what we saw in this case, too, people were sharing their Venmo usernames as well as their PayPal, like, short URLs, like paypal.me slash, you know, a short link to send me money or to send you money. So having all this rich data being shared in a public forum is basically fodder for these cybercriminals. It's kind of like the adage of, like, the watering hole. Right? You have all these animals coming to drink from the watering hole, and the predators are just sort of waiting there to attack. Essentially, this is the same thing happening here. 

Dave Bittner: I suppose, especially if we're talking about smaller amounts, people are probably embarrassed to talk about it. They may just look at it as a lesson learned and move on. 

Satnam Narang: Yeah, exactly. And you know, that's essentially the reason why we're publishing the research, too, is 'cause we want to prevent it. And I mean, I try to do my best efforts, too, whenever I do see Cash App doing a giveaway. Classic example I can give you - there is a YouTuber from, I think - I don't want to butcher it but hehe (ph) or h3h3Productions. His name is Ethan Klein - very popular YouTube channel. He started doing a giveaway back in April. He was going to give away $100,000 over 100 days, essentially, basically, giving out, like, $500 to random users. When he tweeted this out, I saw this. I knew. I was like, I know this is going to be abused by the scammers. A hundred days, $100,000, pretty sure scammers are going to come through and take advantage of that. 

Satnam Narang: So I tweeted proactively at Ethan. And I sort of let him know - I said, hey, you know, this is a great initiative that you're doing. You know, kudos to you. But please warn your followers that scammers are going to start targeting them. You just want to let them know if anyone asks you to verify yourself to get money from me, it's not me. And then about - I want to say, like, two weeks later, he started getting people getting feedback to him, saying, hey, people are trying to scam me out of money, asking for, like, 12 bucks. So he posted a few tweets to kind of warn users about it. But it sort of - kind of one-off tweets - it's not going to stick, right? 'Cause those tweets will eventually fall down through the timeline. And all his other tweets will sort of show up. 

Dave Bittner: Right. 

Satnam Narang: And unfortunately people are going to still continue to lose their money, which is why in this particular blog, I kind of provided some potential advice to these P2P companies that provide these services - how they could potentially help prevent scammers from extracting money from their users. 

Dave Bittner: Well, let's go through that together. What are your recommendations? 

Satnam Narang: I think first and foremost, the easiest way to get in front of the users is to kind of flag it when they do get an incoming request. So if you do get an incoming request, sort of have some sort of language at the bottom or somewhere within the app that says, for example, Cash App will never ask you for money. Or anybody asking you for money in advance in order to win a giveaway is trying to scam you out of your money. And essentially block the user and report them. Just sort of give them some sort of in-product warning because as much as I do my best effort and even people on Twitter who are kind of trying to keep track of these scammers, you know, reporting them, replying to their tweets, you can't really warn people about users sending you direct requests through the apps themselves. So I think if these companies took the steps to try to address the issue head on - right? - in the app itself, it could save a lot of folks. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Interesting interview. I like what Satnam's doing here. One of my favorite things about what he's doing is he's reaching out to these people and saying, hey, be careful what you're doing. You're going to have - your fan base is going to be subjected to fraudulent activity here. And once again, I'll bet Satnam feels at some point in time like he's yelling at somebody that's not listening to him, right? 

Dave Bittner: (Laughter) Right. Right. I mean, that's the thing these days - is that the first thing you often have to do when you're trying to do the right thing is convince people that you - you yourself are not a scammer. 

Joe Carrigan: Well, yeah. You know, actually, it's funny you say that, Dave. I've said many times one of my jobs at Hopkins is I have to disclose vulnerabilities. And I had a vulnerability that I had to disclose to a company. I found out who I had to disclose it to. And I called the guy. 

Dave Bittner: Now, these are vulnerabilities that the researchers at Hopkins have discovered. 

Joe Carrigan: That's correct. I'm sorry. 

Dave Bittner: Students, the folks who are working on these sorts of things. Right. 

Joe Carrigan: These were students who found a vulnerability that was exposed on the internet. They were doing some research. And they found this stuff. And the instructor said, oh, that has to be disclosed to the company. So I worked up a disclosure package. And I said, I need to send this to somebody there. And the person did not respond to any of my phone calls. I didn't have an email address, but I did have a fax number. So I faxed him the... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Disclosure. And I said - put on the end - I said, we now consider this vulnerability disclosed. And we'll be discussing it in 14 days. You know, that's our default nondisclosure period - 14 days. 

Dave Bittner: Right, OK. 

Joe Carrigan: It's really short, right? But he called me back. And the first thing he said was, I didn't respond to any of your phone calls 'cause I thought this was a scam. 

(LAUGHTER) 

Joe Carrigan: I said, you know what? I can't fault you for that. I am not surprised. It's tough to get their attention. Cash App does do giveaways and encourages users to put their Cashtags on Twitter and Instagram. And I understand that Square wants to grow their user base, and that's what the purpose of the giveaway is. But man, I don't - this doesn't leave me with a good feeling - you know, just the fact that this kind of thing can open your user base up to fraud. 

Joe Carrigan: Yeah, Cash App is not doing anything wrong here, but they're allowing their user base to be subjected to this. It would be better if they said, you know, send us your Cashtag through some kind of private means so that it doesn't get exposed to the world, and everybody can't reach out to you and say, hey, you won. Send us 10 bucks, so we know you're real. The send me money, so we know you're real hook - right? - the whole purpose of that scam - that seems almost valid. I mean, it's obviously a scam because to us, we know that it's essentially just a cash turnover scam. 

Dave Bittner: Yeah. 

Joe Carrigan: But I can understand would - somebody would fall for that because it seems like, oh, they want to make sure they're not sending money to some drug dealer or something, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Who knows? Who knows what the reasoning behind this is? But it seems like a plausible hook. 

Dave Bittner: And especially if you're excited about perhaps getting more money, then that clouds your judgment. 

Joe Carrigan: Absolutely. When it comes to advice, Satnam says that he advises that companies put these warnings in product. I think that's a great idea. Cash App is never going to ask you for money to give you money. That - in a giveaway. I think that's a great idea. 

Dave Bittner: Well, again, we want to thank Satnam Narang for joining us. He's from Tenable. And we do appreciate him taking the time. That is our show. We want to thank all of you for listening. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.