Hacking Humans 11.5.20
Ep 123 | 11.5.20

Too good to be true.

Transcript

Mallory Sofastaii: You're giving away personal information when you do that to a retailer that shouldn't be trusted. They can then sell your information to someone else. They can sell it to the dark web. And it's just this cycle that keeps going.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast. This is a show where each week, we look behind those social engineering scams, those phishing schemes, those criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, Mallory Sofastaii from WMAR Baltimore returns with her reporting on a fake website luring victims through social media ads. 

Dave Bittner: All right, Joe, why don't I kick things off for us with our stories this week? My story comes from the Naked Security blog over by Sophos. So this is from Paul Ducklin, who we've had on our show before, thanks to Carole Theriault. And this is about a fake Facebook copyright violation that tries to trick you into giving up your two-factor authentication information. There are some really interesting elements to this one. So I think it's pretty common.

Dave Bittner: And Paul Ducklin points out here that if you're someone who's running any kind of professional page, anything on the internet, it's fairly normal for you to get copyright violation emails, legitimate or not. And I think, sometimes, they are legitimate. I've had - certainly had situations where I accidentally used a copyrighted image or a placeholder image - you know, got left in a website when it was meant to be replaced by something more permanent. And, you know, usually, you get a letter from somebody, and they'll say, hey, this belongs to us. Please knock it off. And you knock it off, or you swap it out or - and if you want to keep it, you pay them a licensing fee or whatever. But you make it right. 

Dave Bittner: So the point is that that's not that unusual a thing to get. 

Dave Bittner: So these folks are sending out mass emails that say notice of alleged copyright violation. Recently, there have been reports citing copyright violation of your page posts. Your case - and then it has a case number. And then it has a link that says continue. If you don't appeal in 48 hours, your page will be unpublished. And this claims to be coming from the Facebook team. 

Dave Bittner: As Paul points out, you know, the English is not particularly good here. So that's a red flag. 

Joe Carrigan: Yeah. 

Dave Bittner: But what's really interesting is that if you click through on that continue link, it takes you to a page on Facebook. 

Joe Carrigan: Really? 

Dave Bittner: Yes, a facebook.com page. And it is an account that's been set up on Facebook. And the landing page says copyright appeal. It says copyright appeal form. Use this form if something you posted was reported due to copyright. And says appeal form. And there's a link and it says facebook.com/copyright. And it has some more stuff that the Sophos people have blocked out. It says, if you skip the appeal form or the appeal is rejected, your page will be scheduled for deletion in 24 hours. So... 

Joe Carrigan: Ah, they cut the time in half. 

Dave Bittner: Putting the heat on. 

Joe Carrigan: Right. 

Dave Bittner: OK, so we've landed on a page that is actually on Facebook. Isn't that interesting (laughter)? 

Joe Carrigan: It is. 

Dave Bittner: Facebook does have ways to report that sort of thing. But I think what's interesting to me is that you can set up your pages on Facebook. You can set up a personal page. You can set up a business page. And you don't necessarily have to be logged in to Facebook to see these pages. 

Joe Carrigan: Right. 

Dave Bittner: And, of course, Facebook hosts millions of these pages. 

Joe Carrigan: Sure. 

Dave Bittner: So I suspect it's easy for someone to spin up something like this and have it be up for a few hours or a few days or perhaps even a few weeks before Facebook notices it. I put that on Facebook. I wish they'd do a better job, but there we are. 

Joe Carrigan: (Laughter) I agree 100%, Dave. 

Dave Bittner: (Laughter). Now, it gets even more interesting because you have this hosted on Facebook. And there is this link to the appeal form. And the appeal form has a Facebook link, as well. It goes to a secure site, facebook.com/copyright. And then there's some more in the URL. But as Paul points out in this blog post, the link that is appearing there is not actually where you will land if you click on that. 

Joe Carrigan: A-ha. They're masking the URL by showing you the text of the link in one form, but, actually, the href part of the anchor tag goes to a different format. We've talked about this before. 

Dave Bittner: Precisely. 

Joe Carrigan: This is a very common trick for social engineering. You think you're going to this link, but you're not. 

Dave Bittner: Precisely. And so that takes you to a domain that is hosted in the Central African Republic (laughter). 

Joe Carrigan: A-ha. 

Dave Bittner: Surprise, surprise (laughter). But again, this lands you on a page that has all of Facebook's branding on it. It asks you for your login email address, asks you for your full name as listed on the account. And then it asks you for your two-factor code. 

Dave Bittner: So what's going on behind the scenes here is that you're logging into this form on the bad guys' website. I suspect that as you're doing this in real time, behind the scenes, it's trying to log into your actual Facebook account, right? So you log in with your username and your password. Facebook then sends you the two-factor authentication code. This site is asking you to enter your two-factor authentication code. You think you're on Facebook. You think you're in a legitimate place. You enter your two-factor authentication code. They go back to Facebook. Put in your two-factor authentication code, and that's the ball game. 

Joe Carrigan: Right. They got your account. 

Dave Bittner: Right. 

Joe Carrigan: So a couple things about this - I'm looking at this article. If you want to understand how they do the trick with the URLs not pointing to the place that's in the text that you see, Sophos has actually gone ahead and written a demo here that's really good. And it shows you exactly how that works. It's on this article. So go look at that. 

Joe Carrigan: It looks like HTML code is actually pretty easy to understand, even if you're not technical. Further down, they have an animation of the login process. And when you enter your password, it says password incorrect. Enter again, right? And we've seen this before, too. 

Joe Carrigan: This way, it doesn't matter what you enter. If you enter the correct password, they're going to tell you it's incorrect so that you enter it again slowly 'cause they're only going to get one chance to try to log into your account. And if you quickly enter the wrong password and they go to log in, it's going to come back to their system and say that password was incorrect and you're going to be sitting there waiting for something to happen, and you might get suspicious. So they ask you to slow down before they even try to log in to get Facebook to send you the code. And it's a very clever trick that they do this. 

Dave Bittner: Yeah. Well, this article wraps up with some suggestions for what to do, things like checking the email sender, checking the address bar. Don't assume that a page on Facebook is a Facebook page. I mean, to me, that's the new part here. I don't know that... 

Joe Carrigan: Right. 

Dave Bittner: ...I've seen this sort of thing where part of the scam is actually hosted on Facebook. To me, that - that's clever and new to me. 

Joe Carrigan: Wait till we get to my story, Dave. 

Dave Bittner: (Laughter). 

Dave Bittner: Facebook has a place where you can report this sort of thing. It's phish@fb.com. And that address - it's an email address that Facebook has had around for a while, so you can report these sorts of things. 

Dave Bittner: Paul points out to avoid login requests that you arrive at from an email link - always good advice. Don't click the link in an email. Go to the actual site. And then the last one here is use a web filter. And I would say - you know, and he points out there are free solutions - good antivirus solutions. Sophos Home is free for Windows and Mac. So there are entry-level solutions that will help you with this. But I'd also say a good password manager is...

Joe Carrigan: Yep. 

Dave Bittner: ...Going to help prevent you from accidentally logging into the wrong site because they're not going to let you auto-enter your credentials in a site that isn't the actual site. 

Joe Carrigan: That's correct. I was going to suggest that if you didn't. Some of the password managers that are integrating to your web browser will prevent this from becoming a problem - prevent you from falling for this scam. 

Dave Bittner: Yeah. Well, it's a good article. I mean, the stuff at Naked Security is always good. And, of course, Paul Ducklin always putting out quality content. So we'll have a link to that in the show notes. Happy to share that with you. Joe, that is my story this week. What do you have for us? 

Joe Carrigan: Good news, everyone. 

Dave Bittner: (Laughter). 

Joe Carrigan: The feds have charged 60 people in what is being described as the largest elder fraud scam in U.S. history. This has been running for 20 years, and the feds think these guys have made off with $300 million. 

Dave Bittner: Wow. 

Joe Carrigan: The AARP, who actually does a pretty good job on reporting things like this, Dave - maybe you and I should consider joining them... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...They have an article here about how this scam worked. Victims with one or more magazine subscriptions would be called and offered renewals, often at reduced cost. But these guys were not calling to renew or reduce the price of existing subscriptions. Instead, they would trick their victims into signing up for entirely new magazines which they didn't need or want. 

Joe Carrigan: These guys were all calling from large call centers, right? That's why this was so profitable. They pretended to be canceling magazine subscriptions but instead signed people up for many more magazine subscriptions. 

Joe Carrigan: And then they would also call and threaten, like, legal action against them because they had unpaid magazine subscriptions. You have $2,000 in unpaid magazine subscriptions; we're going to sue you in court, or you can pay us $500 now. The Star Tribune has a great article on it, as well, that gets into more detail. It's written by Stephen Montemayor and Andy Mannix. 

Joe Carrigan: What's great about this story, though, is how these guys were caught. So there was this network - maybe there still is this network of these people called lead brokers who traded lists of victims. These data points for a victim contained name, telephone number, address and credit card information. And these things sold, for each victim, for $10 to $15, which seems to me really high for a contact list - a lead list. $10 to $15 apiece, that's a lot of money.

Dave Bittner: It is. 

Joe Carrigan: In 2016, the Minnesota attorney general sued a man named Wade Dahl (ph), who later pled guilty to running another similar scam for years. So what the feds did - the FBI and the U.S. Postal Service - they built a list that included some of their agents on this list with their details in term - including cellphone numbers, credit card information, names and addresses. And then they gave the list to Dahl, who sent the list to the lead brokers. His lead brokers then sold this list to scammers, and then the scammers called the FBI agents or the investigating agents. The agents then received and recorded more than 400 calls between July 2019 and January 2020. So that's like six months; they got 400 calls from these people. 

Dave Bittner: Wow. 

Joe Carrigan: And these calls were from nationwide magazine companies. So they also tracked what happened with the credit card and how much the companies added new and duplicate charges despite having been offered reduced rates or consolidating their fees. And once the feds had built up enough information, they went in, and they made the arrests. And they have arrested 60 people. 

Joe Carrigan: There was one victim on this who, at one point in time when the FBI was investigating this, they sent out these surveys to people who they knew had been victimized. And one guy wrote back and said, my mom has been continually victimized by these people. She has been spending $1,400 a year in magazine subscriptions. Nobody spends that much money in magazine subscriptions. 

Dave Bittner: (Laughter) Wow. 

Joe Carrigan: So this is the kind of victimization they're doing. These guys - well, they were doing. They're not doing it anymore. Hopefully, soon they're going to be - many of them will be guests of the federal government in some facility. 

Dave Bittner: Club Fed. 

Joe Carrigan: Club Fed. Right, exactly. Three hundred million dollars.

Dave Bittner: Wow. 

Joe Carrigan: Yeah. 

Dave Bittner: I wonder if this is something that we're going to see kind of dying out over time as these sorts of subscriptions move online and the following generation as, dare I say, you know, you and I, shift into this mode in our lives where, you know, we're going to be getting these things online. That's the way we're going to handle it. So a phone call from someone asking us about a magazine subscription will - it just won't be credible. We also won't answer the phone (laughter). 

Joe Carrigan: Right, yeah. That's really, I think, what's going to make it go away for me is - I just don't answer the phone. My phone actually does a pretty good job of not even showing me scam phone numbers that are calling anymore. 

Dave Bittner: Yeah. 

Joe Carrigan: That has improved over the past I'd say five years. That's gotten a lot better. 

Dave Bittner: Right. 

Joe Carrigan: My phone doesn't ring at all unless there's somebody in my contact list calling me. 

Dave Bittner: Were the people getting the magazines that they signed up for? In other words, was this a commission scam? Or do you have any idea to what degree that sort of thing was happening? 

Joe Carrigan: Actually, I don't. 

Dave Bittner: 'Cause I'm trying to think of, like - if you want to check in on your folks, your family members, your loved ones on something like this, I could imagine starting a conversation and saying, hey, Mom, you know, I see you have a subscription to People magazine here. 

Joe Carrigan: Right. 

Dave Bittner: Is that - tell me about that. What other magazines are you interested in? What other things do you get? You know, if you see a pile of half-a-dozen magazines on the (laughter) coffee table that don't seem to align with your loved one's interests... 

Joe Carrigan: Right. Exactly. Yeah. 

Dave Bittner: (Laughter) You know, Mom, why are you subscribing to Plumbing Weekly? I don't understand. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: You have both Good Housekeeping and Popular Mechanics. I don't understand this. 

Dave Bittner: Right (laughter). Right. Yeah. All right. Well, boy, I guess nice to see one where the good guys win... 

Joe Carrigan: Yep. 

Dave Bittner: ...And try to shut some of this stuff down. So good news indeed. All right. Well, let's move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Patrick. And he writes, (reading) Caught this one on my phone while trying to sell some junk in my garage. Thought you might want to check it out. I put the ad out and provided my email address and my phone number so people could get a hold of me, when out of nowhere this guy tried to get me. It's a great scam if someone is not paying attention. I'm providing you with a transcript of the text messages. I didn't keep him on the hook as long as some of your better stories go, but I was just so surprised. 

Joe Carrigan: And then he sends a transcript, Dave. And you want to play the bad guy, and I'll play the part of Patrick? 

Dave Bittner: Sure, sure. 

Joe Carrigan: OK. 

Dave Bittner: Hello. I want to buy your good stroller, little dusty. Are you a private seller? 

Joe Carrigan: Yes, I am. 

Dave Bittner: All right. I'm sending you a code number. Tell me the right code, then I feel you are real and I'll call you. So we can do that now? 

Joe Carrigan: Sure. 

Dave Bittner: Check your phone message. You got six-digit code. So send back code if you're real. Then I'll call you. Tell me the code number here, and I'll match it with my number, if I match it after I meet you with cash. You got the code? 

Joe Carrigan: Oh, good scam. I can't wait to share this on "Hacking Humans." 

Dave Bittner: Or bye. 

Joe Carrigan: By the way, I'm sharing your number with Google and the local and federal authorities. Good luck in jail. Hope you don't drop the soap. 

(LAUGHTER) 

Dave Bittner: Oh my. 

Joe Carrigan: So... 

Dave Bittner: It's come to this, Joe. We're part of people's responses to scams. 

Joe Carrigan: That's great. 

Dave Bittner: (Laughter). 

Joe Carrigan: I think that's awesome. Patrick continues. He said, (reading) they sent me the text saying that they needed a verification code before they called. Meanwhile, they tried to log into my Gmail account using the forgot-password button, and then the code was sent to my phone. As you can see in the text stream, they then ask for that code and said that if I gave it to them, they would call me and buy what I was selling. I won't share the Gmail code with you for security reasons - of course not, right? 

Dave Bittner: Of course, yeah. 

Joe Carrigan: 'Cause even though it's temporal, that's dangerous. 

Dave Bittner: Sure. 

Joe Carrigan: But you can see how someone might lose their account this way. And that is absolutely right. I can see how you could convince a non-tech-savvy person that I used a Google service to send you a code so send me that code. This, I think, is very dangerous. Patrick, thank you for bringing it to our attention. Thank you for sharing it. It's a pretty good Catch of the Day. It's not funny like our normal ones, but I think it's very important that we share this one. 

Dave Bittner: Yeah. No, it's a good one. So thanks so much for sending that in. That is our Catch of the Day. 

Dave Bittner: All right. Joe, it's a real pleasure to welcome back to the show, Mallory Sofastaii. She is an anchor at WMAR Baltimore, one of our local affiliates here. And she does a lot of reporting for helping out consumers with scams and things like that - you know, looking out for the folks in the community. And so she is back with her reporting on a fake website that was luring victims through social media ads. Here's Mallory Sofastaii. 

Mallory Sofastaii: Keena Antonelli - she's from Catonsville. She's going on a camping trip soon. So she was online searching for an inflatable kayak. She had looked at a different - some different websites at different prices. And then one day she was on Facebook. She saw an ad on her home screen, and it was for this kayak she'd been looking at. She was familiar with the company, Intex, and it was at a lower price than she was used to seeing. It wasn't anything crazy. It was still around $125. But that's what initially got her to click on the ad. 

Dave Bittner: And so take us through what happened next. 

Mallory Sofastaii: Yeah, so Keena clicked on the ad. She was familiar with the website. She kind of scrolled through, found the one she wanted, saw that it was on sale. So she went to check out, put in her credit card information, billing, shipping address. And when she hit the final button, she got this pop-up message that said, your order cannot be processed. And she thought, huh, that's kind of strange, but this is a credit card that I don't use that frequently. I kind of only save it for trips. Let me go log into my credit card. Maybe call them. See if it's something on their end. 

Mallory Sofastaii: So when she logged into her credit card account, she saw that there was a charge for $111, which didn't match the $125, but it was also by a company called PINGWILD. She had no idea. She thought she was shopping on Intex, this company that sells sporting goods, inflatable pools, mattresses, et cetera. She wasn't familiar with PINGWILD. 

Mallory Sofastaii: So then she went back to the website, and she looked at the URL, and she noticed that she wasn't actually on the Intex website; she was on intexcs.com. She typed that into Google, saw that a lot of people had made this mistake and that this was almost a near replica of the legitimate company's website, intexcorp.com, except it was intexcs.com.

Dave Bittner: So she thought she was shopping on a legitimate website. She goes all the way through the purchase process, and that's when they got her. They hit her with this fraudulent charge. What happens next? Does she go to her credit card company then? 

Mallory Sofastaii: Yep. She called her credit card company. They said, well, you know, the charge is still pending. We can't do anything just yet. Once it processes, call us back. So she saw the charge posted. She called the credit card company, filed a dispute. 

Mallory Sofastaii: And then here's where it gets very interesting because the company actually countered her dispute and said, no, we sent her an item that she ordered. So Keena had no idea what they were talking about. But then about a week later, she received in the mail some fake Ray-Bans from China. And this is essentially - the BBB, the Better Business Bureau, who I spoke with about this incident - they believe that it was a brushing scam. 

Mallory Sofastaii: So the company sent her something light in the mail and that established a tracking history, a buying history, between her and the company so that the company could show the credit card company that, look, she placed an order with us, and we delivered that order. Here's the tracking information. But obviously, it wasn't the kayak that she had ordered. So then the credit card company opened up the file again. And now Keena is having to produce more evidence showing that, no, this was a fraudulent charge. They did not send me the item I purchased, and this is a fake website. 

Dave Bittner: Now, what about some of the digging that you've been able to do, you know, your investigations there at WMAR? Is there anything additional that you've been able to uncover? 

Mallory Sofastaii: With this website in particular, I just thought it was fascinating that, you know, usually when you see a fake website, especially around the holidays, you can easily spot some of the red flags where there's misspellings or the formatting is funky. 

Mallory Sofastaii: But this was the exact same homepage. The products were the same. The only differences were the URL, some of the prices. And then we went to the Contact Us page. We saw that the address on the fake website - it was some random house in Pennsylvania. We looked it up on Google Maps, had no affiliation to this fake company. And the phone number was almost the same as the real company, except it was one digit off. 

Mallory Sofastaii: So we tried calling the fake phone number. We tried emailing, you know, the Contact Us email. Both didn't work. So we were unable to contact whoever is putting up this front. We also reached out to the real Intex Corp. We weren't able to hear back from them right away. They've been very busy with the pandemic. But we did see on their Facebook that they are aware of these fraudulent websites that are, you know, taking their products, their homepage, and trying to rip off consumers, pretending to be them. And they actually posted about this over a year ago. 

Mallory Sofastaii: And so when I spoke to the BBB about this, they basically said, you know, websites or companies who have this happen to them - they can report it to the FTC. The FTC can request to have that website taken down. But it only takes two seconds for the scammers to find a new URL and put that website back up. 

Mallory Sofastaii: And in addition, with these brushing scams, you may have - a lot of people are familiar with, you know, the seeds that come from China. And you're told not to plant the seeds, you know, why are you getting this? It's another way for them to, again, establish this kind of relationship. Like, here's the tracking history. So then the person on the other end who is behind this whole scheme can then use your name, your address, go on Amazon, go on Google reviews and pretend to be you and leave a positive review. By leaving all these different positive reviews, it helps their website aggregate higher at the top when you search for something. 

Dave Bittner: You know, there's another sort of fascinating element in what you've described here, and that is that this woman, Keena - she had been shopping around for a kayak because she was getting ready to go camping. And so it strikes me that these scammers were able to use that information - the capabilities within Facebook, for example, that allow them to target someone who is in the process of looking for a specific item. In this case, it seems like the bad guys were able to capitalize on that. 

Mallory Sofastaii: Absolutely. There's a good chance that whoever was behind this fake website could have also purchased her web browsing history. That's also available on consumers. All those cookies and trackers when you are shopping online, and you wonder when you're on Facebook, how do they know I was looking for this pair of shoes? All of that is available to retailers. They can try to purchase that to try to bring in more customers. 

Mallory Sofastaii: But the fact that the scammers went out of their way to put these targeted ads on Facebook to reel in victims is just an added level of this sophisticated scheme that I don't typically hear about or see. 

Dave Bittner: Yeah. You know, it was always frustrating to me when I was on Facebook that it seemed like once a week I would see, as you describe, these ads for fake Ray-Bans that would pop up, you know? And it was always, like - it just seemed so obviously a fake ad. You know, it had the Ray-Ban logo, but it was on a funny little canted angle. And you know, there was just no way that, I don't know, a savvy person would think that this was a real ad from Ray-Bans. 

Dave Bittner: And what frustrated me about that was that I just couldn't understand how these ads kept getting through. How did Facebook not crack down on this sort of thing when it was so obvious to me as a user? Surely there must be a way for them to crack down on it. And I think about that in this case, too. I mean, does Facebook have some culpability here that they weren't doing a better job of screening these advertisers? 

Mallory Sofastaii: You know, that is an aspect of the story that I haven't explored yet, but I absolutely think it is worth digging into. But then you also have to think about Facebook as a business. They're not claiming that this company is real or not. They're just simply providing you access to this ad. But should they be responsible? That is an excellent question. 

Mallory Sofastaii: And I do know that with those fake Ray-Ban ads, some of these products that are heavily discounted, a number of times, people might say, you know, I'm just going to order it. What's the worst that could happen? You know, maybe it's a terrible product, but, you know, it's a fraction of what I would have paid for the real thing. Hey, maybe it's actually a decent knockoff. 

Mallory Sofastaii: But what they don't realize is that you're giving away personal information when you do that to a retailer that shouldn't be trusted. They can then sell your information to someone else. They can sell it to the dark web. And it's just this cycle that keeps going. 

Dave Bittner: What sort of recommendations do you have, for someone like Keena who is out there looking for camping equipment? She wanted to get herself a new kayak. How could she have prevented this? What sort of things could she have done in her shopping experience to maybe minimize the possibility of falling for something like this? 

Mallory Sofastaii: So after I did this story, I immediately called my mom because I know she is the kind of person who, you know, is on Facebook a lot, sees the ads and clicks right away. And the No. 1 thing I told her and tell everyone - if you are looking for something, if you see an ad that catches your eye, do not click on it. Go open up your web browser, your Google search, and type it in. Type in the company's name, and then go to the company through there. Do not click through this ad because in Keena's case, like I said, she had - she didn't notice those two little added-on letters in the URL that were an indicator that this was actually a fake website. 

Dave Bittner: Yeah. And it's so easy to do. And also you've got that emotional component. You're excited because you're about to get a good deal on this thing you've been shopping for. 

Mallory Sofastaii: Yep. And, you know, same with Prime Day and holiday deals coming up. There's this sense of urgency. You want to act quickly. You want to get that deal. Maybe it's a lightning deal and you see that time is expiring. But if it tries to navigate you to a different website away from the Amazon platform or you notice in the URL that it's Macy's with an E, you just have to look for those red flags. You have to take a second, really do just some quick background research. 

Mallory Sofastaii: If you're not sure, maybe this is - you're not used to buying camping equipment, so you're not sure if, you know, this is a reputable website, go to the Contact Us page. Look at the business address. Type it into Google. Is it a house in the middle of nowhere? That doesn't make much sense. Try calling the phone number. See if they have a voicemail set up. Email them. Look on the Better Business Bureau's website to see if they have reviews, and then also whether the contact information on the BBB's website matches what's on that website.

Dave Bittner: Yeah, you've got to do your due diligence. You've got to stay vigilant here, right? 

Mallory Sofastaii: Oh, yeah. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: That is a fascinating interview. Dave, this is a great story. This scam involves a lot of impersonation. First off, these criminals are impersonating Intex's website. Is it Intex or Intex's? I never can get those right when it ends in X. 

Dave Bittner: (Laughter). 

Joe Carrigan: They copy the site, and they host it. It doesn't look exactly like Intex Corp. - Intexcs. I actually went to these websites and looked at them yesterday. They registered a fake domain, the intex - intexcs.com. And they purchased ads on Facebook using Facebook's target marketing to get these people or get this particular victim. I'm sure she is not the only victim. And then they provide a U.S.-based phone number and U.S.-based address, which are probably worthless, right? 

Dave Bittner: Yeah. 

Joe Carrigan: And once you've ordered something, they send something lightweight so that when you protest and dispute the charges, they have some kind of tracking history for it. 

Dave Bittner: Yep. 

Joe Carrigan: This is amazing. The only thing that's a real tip-off here - because I had never heard of Intex before this, I wouldn't know that Intexcs wasn't the real website. It looks like it's a legitimate website. It's secured like a legitimate website, you know? Well, actually, we've talked about that before, how that little lock really doesn't mean much anymore. But it's remarkably good. The only thing that raises a red flag for me is that the prices are too good to be true. 

Joe Carrigan: You had a question, does Facebook bear some culpability here? And I did a cursory search and could not find anything that indicated advertisers are liable for people selling counterfeit goods on their site or running a scam website. I mean, I think Facebook should not be doing business with these people and should be doing more to root this out, but they're not. And it's not in their interest. They're going to collect the advertising dollars, I think. 

Joe Carrigan: Good point about the emotional component. How smart do you feel when you find a great deal, right? 

Dave Bittner: Yeah, I feel great. 

Joe Carrigan: I feel great. 

Dave Bittner: (Laughter). 

Joe Carrigan: I feel like I'm the smartest guy on the planet when I do that. Look at these chumps paying $300. I'm getting it for 50. 

Dave Bittner: Right, right. 

Joe Carrigan: So that's a great point there. 

Dave Bittner: The more you spend, the more you save, Joe. 

Joe Carrigan: That's right. 

Dave Bittner: (Laughter). 

Joe Carrigan: Your money's not worth anything if you don't spend it. 

Joe Carrigan: The best advice is to check with the Better Business Bureau because, you know, even checking the URL here - if you don't know that that's not the actual URL of the company, there's nothing that'll tip you off. You know, like I said earlier, this looks to me - if I didn't - I had never heard of Intex before today. So if I don't know that, how do I know what the real URL is? 

Dave Bittner: Yeah. And I suppose, too, rather than clicking through directly from a Facebook ad, if you go over in your browser and do a Google search for this company, you know, chances are that's going to get you to the legit company. Not 100%, but... 

Joe Carrigan: Yeah. 

Dave Bittner: ...It's probably better odds than clicking through the Facebook ad, right? 

Joe Carrigan: The fake company does come up on the first page of results, though. 

Dave Bittner: Does it? 

Joe Carrigan: Yeah, Intexcs does come up on the first page of Google results. 

Dave Bittner: Interesting. 

Joe Carrigan: But if I go to the real company, I'm going to see that these kayaks cost 300 bucks. And if I go back to the ad, it says - this one says it's going to be 100 bucks or 50 bucks. And I click on the ad, and I go to intex.cs, and there it is for 50 bucks, and I can buy it. 

Dave Bittner: Yeah. The psychology here is fascinating because I wonder if there's even a part in the back of your mind where you go, I know I should probably check with the company to make sure this is a legit deal, but if I check with them, it might not be. What if it's a mistake? 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: You know, what if they accidentally put the wrong price up and I'll be able to get this thing before they figure it out? You know, again... 

Joe Carrigan: It's fear of missing out thrown in there. 

Dave Bittner: Right, right. How smart you feel. Ha, I got a better deal than everybody else, you know? I paid less for my kayak than Joe did - ha, ha, ha. 

Joe Carrigan: How did you know I have a kayak, Dave? 

Dave Bittner: You just seem like a kayak kind of guy. 

Joe Carrigan: OK. 

Dave Bittner: Yeah. 

Joe Carrigan: Well, I do. 

Dave Bittner: (Laughter) All right, well, it certainly is an interesting story. And again, we want to thank Mallory Sofastaii from WMAR Baltimore for joining us. Always a pleasure to have her share her reporting with us here. We do appreciate it. 

Dave Bittner: And that is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.