Hacking Humans 7.21.22
Ep 205 | 7.21.22

Extortion scams and the LGBTQ+ community.


Paul Ducklin: Don't let the crooks drive a rift between you and your money, and definitely don't let them drive a rift between you and your true friends and family.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Carole Theriault joins us. She's speaking with Paul Ducklin from Sophos' Naked Security, and they are talking about LGBTQ+ extortion scams. 

Dave Bittner: All right, Joe, before we jump into our stories this week, we have actually quite a bit of follow-up. 

Joe Carrigan: We do, a lot. The first one comes from both Kevin and Matt. They sent in notes about our puzzlement about the postscript N.B. 

Dave Bittner: Right. Yeah. 

Joe Carrigan: And, apparently, that is Latin for nota bene, which is - actually, I read this and knew it - immediately what nota bene meant. It means note well. And they actually - Matt, actually, sent along a link to a Wikipedia article about it. 

Dave Bittner: OK. 

Joe Carrigan: And it - basically, it's used to say, by the way, this is something else you should also note about this situation. The Wikipedia article - because we are both from Maryland, and Maryland is more of a cult than a state, right, Dave? 

Dave Bittner: (Laughter) Yes. 

Joe Carrigan: You can read the article... 

Dave Bittner: Even the way we slap our flag on everything, yes. I would agree with that (laughter). 

Joe Carrigan: Everything. Everything - all over our cars. And, boy, do we love our crabs, Dave. 

Dave Bittner: Yeah, we do. We do, yes. 

Joe Carrigan: (Laughter) I actually - I get a lot of looks from other Marylanders when I tell them I don't like crabs. 

Dave Bittner: What are you? What's - all right. 

Joe Carrigan: (Laughter) But this is actually an article from the Maryland Gazette from 1801. There - it's actually a - an ad, an advertisement, looking for a wife. And at the end, it says N.B. none need apply, but fuch as can come well recommended. And it was very common then to use F instead of S because of the Germanic nature of the language. So you actually should read that as but such as can come. So, ladies, if you have a time machine, this guy is out there. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's right. 

Dave Bittner: I have to say nota bene also sounds Italian to me - nota bene. Doesn't it? 

Joe Carrigan: It does sound Italian. Well... 

Dave Bittner: And, you know, Italians - it comes from Latin, so... 

Joe Carrigan: Italian came out of Latin, so... 

Dave Bittner: There you go (laughter). 

Joe Carrigan: Yeah. 

Dave Bittner: All right. Well, good. Mystery solved. What else do we have? 

Joe Carrigan: Right. P wrote in to tell us about our Facebook link shortener discussion. We had a discussion last episode about why Facebook doesn't have a Facebook link shortener. And they said they did back in 2009 with fb.me, but they shut it down some years later. And today, they only have it for Messenger. And P provided a link for developers, Facebook developers, on how to use it. 

Dave Bittner: Yeah, it's funny. You know, I had a little nagging thing in the back of my mind when we were talking about this, that I had this vague recollection that Facebook had a link shortener. 

Joe Carrigan: Right. 

Dave Bittner: But I just couldn't remember. So thanks for writing in and helping clarify that. 

Joe Carrigan: They did, but they - it's only available on Messenger now. Well, you know, it should be - and that's how these scams are spreading, is via Messenger. Why not just make sure that, if you're going to send a link through Messenger, that it's a shortened link, that it's only the fb.me link? 

Dave Bittner: Yeah. 

Joe Carrigan: Right? You have the service. You use it in this platform. 

Dave Bittner: Yeah. But I guess any link shortener is - sets itself up to be used for - abused by people - just the very nature of what it does because it sort of hides - it can hide where you're going. So that makes it a likely target for scammers out there. 

Joe Carrigan: And finally, we have a great piece of feedback from a listener and friend of the show, Jonathan, who very comically writes in, select the preferred option - hi, Joe and Dave or hi, Dave and Joe. 

Dave Bittner: (Laughter). 

Joe Carrigan: And I want to point out, Dave, that I've thought about this a little bit. And I think Dave and Joe rolls off the tongue better than Joe and Dave. 

Dave Bittner: OK. Well, I won't disagree with that (laughter). 

Joe Carrigan: So I think - OK. So I - from here on out, I no longer have a problem with Dave getting top billing. I'm just going to accept it because Dave and Joe is easier to say than Joe and Dave. 

Dave Bittner: All right. 

Joe Carrigan: And then Jonathan says, I hope I haven't offended you guys somewhere in the past because I never hear anything back from my messages, and he smiles about it. And I know Jonathan. Jonathan and I have had coffee once together. And, Jonathan, if I haven't responded to one of your emails, I'm sorry. I looked through my inbox, and I don't see anything. But I'll reach out to Jonathan before this episode airs. 

Dave Bittner: Yeah, Jonathan. You know what you did. 


Dave Bittner: Don't be coy with me. You know. 

Joe Carrigan: But I will say this, I - since I have my - since I've - the last message I have in my inbox from Jonathan, which was in 2020, I have enacted some really strict filtering rules. And it might be the case that Jonathan has just gotten caught up in those. But if I send Jonathan an email, he will be on the safe senders list because I've sent him an email. 

Dave Bittner: All right. 

Joe Carrigan: At least, that's what I'm hoping. Anyway, he wanted to tell us about a really cool resist fingerprinting feature in Firefox that blocks fingerprinting, but it doesn't. So he was trying to use some features in Firefox. He was using NextDNS and uBlock Origin from Firefox. His browser was still unique at amiunique.org. Then he enabled resist.fingerprinting, which is in the about:config. You just search resist - set it for true. Unfortunately, that didn't change the unique result. He was still unique. One of the unique things is HTML5 Canvas. Even though I disallowed the prompt, Firefox shows with resist. And he set it to true. So this feature, this HTML5 Canvas - I'm not exactly sure what this is. I'll have to look into it, but because of - that is going a long way to uniquely identifying these browsers, apparently. 

Dave Bittner: OK. 

Joe Carrigan: Also interesting, Jonathan notes that his specific webcam and microphone are unique, which is... 

Dave Bittner: That combination? 

Joe Carrigan: That combination of webcam and microphone is enough to identify Jonathan when he's driving on the web. 

Dave Bittner: All right. 

Joe Carrigan: I think that is absolutely fascinating. 

Dave Bittner: Yeah. 

Joe Carrigan: Navigator properties and a list of fonts are also very low, of course. I mean, if you think about fonts and just how many fonts you have installed on your computer, that's a lot of data points. And if you have any variation from that in the general population, that's really going to set you apart. One of the... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Surprising things that narrowed down his profile is that he is running the current Firefox version, which is version 102 as of this recording, which - I looked today. I'm running the same version. Only 0.89% of other visitors are up to date on Firefox. Everybody needs to set their Firefoxes to update automatically. You know, I was on a conference among security professionals yesterday, and somebody was - it was a Zoom call. And they were running and sharing their screen, and I noticed that they had that little update thing in the upper right of Chrome. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: That... 

Dave Bittner: Yeah. 

Joe Carrigan: And it was red, which means they have not updated Chrome in a long time. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I'm like... 

Dave Bittner: Right. 

Joe Carrigan: ...Uh, yeah. We should be updating that very quickly. Every time that thing turns green, I click it. As soon as I see that thing, I click it and update it because Chrome actually does a really good job of restarting with everything that you had when you do that update. It doesn't... 

Dave Bittner: Yeah. 

Joe Carrigan: You don't lose your state. It keeps your... 

Dave Bittner: Yeah. 

Joe Carrigan: ...State pretty well. 

Dave Bittner: Oh, it's quite good. Yeah. 

Joe Carrigan: Jonathan also notes that he was a little surprised they could detect the ad blocking list you use, which is - he says, again, wow. I'm like, this is really interesting, the kind of - the kinds of things that these guys are using. They're using ad blocking against you to uniquely identify you (laughter). 

Dave Bittner: Right. Right. 

Joe Carrigan: It's fascinating. Jonathan points out also that the Electronic Frontier Foundation has a similar tool called coveryourtracks.eff.org. It does something very similar. When he goes to the EFF tool, it says - I'm told that the browser is unique, but it adds a friendly message that says, our tests indicate that you have strong protection against web tracking. Perhaps they have a different definition of strong, I guess. 

Dave Bittner: (Laughter). 

Joe Carrigan: I guess that means he's probably not - they're probably not letting him store cookies or other things or - I don't know. But Jonathan makes an excellent point here that the fact that they can identify you uniquely through these - this fingerprinting technique, that's all they need. They don't need to send you cookies or to do anything else. Once they have that and they can identify you every single time, it's the same thing as you carrying around a cookie. It's no different. If I can uniquely identify you, I can uniquely identify you. 

Dave Bittner: Yeah. Yeah. I just ran mine on Cover Your Tracks. And it says I have strong protection against web tracking, and it says my browser has a randomized fingerprint. So... 

Joe Carrigan: Ah, very good for you - let me look at that right now. 

Dave Bittner: Yeah, I don't know. It says - but there are still - it says 17.72 bits of identifying information, so there's no escaping (laughter), I guess. 

Joe Carrigan: Yeah, that's an information theory jargon. That means that there are 17 different ways to separate you down from the population. 

Dave Bittner: (Laughter) Yay. 

Joe Carrigan: Right? 

Dave Bittner: All right. Well, our thanks to Jonathan for sending this in. Our apologies to Jonathan for not being better at responding to emails. But... 

Joe Carrigan: Yeah. 

Dave Bittner: ...We will do - we will endeavor to do better. And we would love to hear from you. If you have something you'd like us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com. All right. Let's move on to our stories here, Joe. 

Joe Carrigan: OK. 

Dave Bittner: I'm going to start things off for us. And my story is quite - it's quite a long article, but really, it covers a lot of ground. This is an article from Vice and it's titled "From Industrial-Scale Scam Centers, Trafficking Victims Are Being Forced To Steal Billions." And it's written by Alastair McCready. This article covers a lot of different things. It covers people getting scammed, the victims. The article... 

Joe Carrigan: Right. 

Dave Bittner: ...Starts off with a woman named Cindy Tsai, who - she received a random WhatsApp message, and it seemed to be a wrong number. And it said, are you Linda from the pet store? - doesn't get much more innocuous than that. 

Joe Carrigan: Right. 

Dave Bittner: And she thought she - someone had a wrong number. And, you know, she replied politely and said, sorry, wrong number. That was on October 15, 2021. And that started her down a path where she lost about $2.5 million. 

Joe Carrigan: Wow. 

Dave Bittner: Yeah. It started an online - she describes it as a quasi-romantic relationship with an intelligent, handsome younger man named Jimmy, who she believed lived in Los Angeles. They talked about life and sports and economics and then, eventually - wait for it - cryptocurrency. 

Joe Carrigan: I see. 

Dave Bittner: So it sounds like this scammer took his time, established rapport with her, developed a relationship and then started suggesting, probably offhandedly - said, oh, by the way, I don't know if you're interested in this sort of thing, but I've been having a lot of success buying and selling Ethereum through a website. Here's the one I'm using. If you're interested, I'll be happy to tell you more. And she was. At this point, she had trusted him or felt a certain amount of trust in him. 

Joe Carrigan: Right. 

Dave Bittner: And it was all a hoax. The online cryptocurrency platform was not real. They sent her down this path of - and it's the kind of thing we talk about here a lot, where somebody starts off with a little bit of money, and they - the platform makes you think like you're making more money. They may even allow you to withdraw little bits of money. But ultimately, in order to get your big payout, you have to pay more money for things like audits and, you know, put money in to get your money out. And that's how, eventually, they suck you dry. 

Joe Carrigan: Right. Yep. 

Dave Bittner: And in this case, she was duped out of $2.5 million. To add insult to injury, she is a cancer victim. She is - yeah, she's terminally ill. And so she was not - of course, not only physically vulnerable, but, as you can imagine, probably emotionally vulnerable as well. She had this - you know, this terrible diagnosis and was just looking for some friendship, maybe, you know, some comfort, someone to understand and talk to. And she got bilked out of a lot of money. 

Dave Bittner: That's only part of this story, though. The story goes on to talk about the actual scam centers themselves and focuses on some of the scam centers in Cambodia, in China. These call centers, these scam centers, are really trading in human trafficking. They tell the story of one person who traveled to Cambodia on the promise of a customer service job, and when he got there, he was met at the airport by four men who were tough guys. They had weapons. They confiscated his passport, took him to what had been a kind of a resort, casino kind of place. And this article talks about how there was a building boom of resort casinos in Cambodia, and a lot of Chinese citizens would come to Cambodia to gamble. But then Cambodia shut down the gambling, and so these facilities pivoted to being scam centers. 

Joe Carrigan: Really? 

Dave Bittner: And so - yeah. And so they hire people, but they also traffic people. This article talks about how employees will be sold from one scam center to another. They talk about the profits that they make off of people. And they detail about slave labor conditions, threats of rape and extreme violence in these scam compounds. So just horrific details here in this story about sort of the dirty underbelly of this kind of thing and what people are going through. A couple other things caught my eye. They talk about this term of art that I had not heard before, which sort of surprised me because, you know, you and I doing this every week, most of these things, we've heard of. But they call it pig butchering. 

Joe Carrigan: Yes. It's - only through the... 

Dave Bittner: Was that - is that familiar to you? 

Joe Carrigan: No, I've not heard this term either. 

Dave Bittner: So it's basically, you know, fattening up the pig, taking a victim through the process of preparing them - taking your time to feed and fatten up the pig before you take it to slaughter. And that's what they do. And they talk about - they have these pig-butchering manuals or - what they call them. And it's the script for the scammers to get people hooked in. This article details how these scam centers, over the course of the pandemic, have really honed their skills and really focused the scams and fine-tuned them so that they will work. 

Dave Bittner: Again, it's a long article. Lots of details in here. I highly recommend it for folks who are interested in this sort of thing. Lots of things in here that were new for me, really a bit eye-opening. I want to end, though, with the last paragraph from this article. It reads, (reading) complacency, after all, is the scammer's best friend, and even the savviest of people can lose everything in a momentary lapse of judgment. One volunteer, a Ph.D.-holder in biology who was scammed out of $150,000, recalled a line from a pig-butchering handbook she'd seen. It read, there is no unscammable person, only scripts that don't fit. 

Joe Carrigan: That is 100% correct. 

Dave Bittner: Yeah. 

Joe Carrigan: And that is something we've been saying on this show for years now, and that is... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: ...That nobody is unscammable. They just got to find the right trigger for you. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: And the... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Scammers know this. 

Dave Bittner: Yep. 

Joe Carrigan: They're just going to keep trying things. 

Dave Bittner: Yeah. So, again, highly recommend the article. There's just way more detail in it than we have the time to cover here. But I suggest everyone go check it out - really interesting work from the folks over at Vice. Definitely worth your time. All right. That's my story this week. Joe, what do you have for us? 

Joe Carrigan: Dave, my story comes from Tony Keith out at KKTV. That's in Colorado Springs, which is in Colorado. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Not like those guys in Kansas City, which is in Missouri, right? 

Dave Bittner: Right, right. 

Joe Carrigan: I picked this story because of the simplicity of the scam. There's a credit union out there called ENT - E-N-T - Credit Union, and it says its customers are being targeted by scammers, and they are alerting their customers of the scam. So someone reaches out to the customer through the ENT or ENT call center - or pretending to be from it. They might even spoof the number. Answer - people - and members answer the phone, and the person on the line pretending to be the credit union representative would usually ask for the member's online banking password and username. This is something we say you never give out, right? 

Dave Bittner: Right. 

Joe Carrigan: But they're doing this. If a member gives away this information over the phone, the scammer will try logging into their account with the information provided. Then if they have a two-factor authentication code that gets sent to their phone, like an SMS message, they'll ask for that, as well, just to validate and make sure this is going on. 

Dave Bittner: Right, right. 

Joe Carrigan: Once that happens, of course, that gives the scammer full access to the account, in which point in time, they just transfer the money out, right? I mean, if I can log into somebody's credit union account or - like my own, I can send money via my own credit union to other people no problem. I can wire - do wire transfers online. ENT wants to make it clear that none of their employees will ever ask for anything over the phone, such as a credit card or debit card or pin number. They'll never ask you for online banking names or usernames. They'll never ask you for accounting numbers or routing numbers or the CV code on the back of your credit card. They will never ask for your Social Security number - your full Social Security number. They might ask for the - a partial Social Security number for verification, I guess. 

Dave Bittner: Yeah. 

Joe Carrigan: But they will also never ask you for a verification code that they send you via the phone. They're going to use other information to authenticate you. This is not a complicated scam, right? This is just somebody picking up the phone, calling people they know are customers of this credit union, and saying, hey, I'm from the credit union. I need your username and password. I've often told the story here on this show and on Cyber - on the CyberWire show about a friend of mine who did a security audit - this was back in the '90s. He was contracted with the company. And he called them up. He said - he would - he had a list of phone numbers. And all he was doing was say - he said to them, hi, I'm with this company. We have contracted with your IT department to conduct a security audit. Can you please tell me your network username and password? That was the entirety of the question. And about 50% of the people gave him the network username and password. 

Dave Bittner: Right, right. 

Joe Carrigan: And that was the result of the - he didn't write that down. He just wrote down that 50% of the people complied with the request - or, you know, this person complied. This person did not. This person complied. This person did not. So nobody's ever going to need that information from you. They don't need it to reset your current password. They don't need it to log in for you. They should not be able to do that. People who work at credit unions and work at banks have access to everything about you already. They already know what your credit card number is, your debit card number. They may not know your PIN, but they know your online banking username, and they will certainly know your accounting number. And they probably have the routing number committed to memory. They don't need to know any of... 

Dave Bittner: Right, right... 

Joe Carrigan: ...This information. 

Dave Bittner: ...Right. Sure, sure. Yeah. No, it's a good reminder. And... 

Joe Carrigan: Right. 

Dave Bittner: ...I guess the other bit of follow up here is that if you - well, first of all, the odds of you - I guess it's - the odds are low enough that it's probably safe to say you will never get an inbound call... 

Joe Carrigan: Right. 

Dave Bittner: ...For something like this, right? 

Joe Carrigan: Yep. 

Dave Bittner: That's not how they contact you generally. 

Joe Carrigan: That's correct. 

Dave Bittner: But if you do, and you think - you suspect it might be legitimate, say to them, let me call you back. 

Joe Carrigan: Right. Absolutely. 

Dave Bittner: And then hang up and look up the number you have for them. Don't use the number they give you. If they say, oh... 

Joe Carrigan: Right. 

Dave Bittner: ...Sure, call me back. Here's my number. No, no, no, no, no, no, no, no. Don't use that... 

Joe Carrigan: Hang up... 

Dave Bittner: ...Number 'cause... 

Joe Carrigan: ...Hang up... 

Dave Bittner: ...You're just going... 

Joe Carrigan: ...Hang up right then. 

Dave Bittner: ...To be calling. Hang up, look it up. You know, go look at - find your most recent bill or statement or whatever, something - some correspondence from them that has their number. 

Joe Carrigan: Or the website. 

Dave Bittner: Yeah. Go to their website. I would - the only reason I hesitate a little bit with that is because say you did a Google search on... 

Joe Carrigan: Right. Ah. 

Dave Bittner: ...The credit union... 

Joe Carrigan: And they - somebody's bought... 

Dave Bittner: ...Right? There are scammers... 

Joe Carrigan: ...Google ads. 

Dave Bittner: Yeah. There's scammers out there who will buy the Google ads to come up first so that their scam phone number comes up first in the searches. 

Joe Carrigan: Yes. If you do that, that's... 

Dave Bittner: So just be mindful of that. 

Joe Carrigan: Yeah, be mindful of that. If I go directly to the bank websites or credit union websites, whenever I go to them, I don't Google the location and go. 

Dave Bittner: Right. 

Joe Carrigan: You just type in the URL or actually right-click on the entry in my password manager and say browse to URL. 

Dave Bittner: Yeah. 

Joe Carrigan: That's what happens. 

Dave Bittner: Yeah. 

Joe Carrigan: But yeah, if you do a Google search, be mindful of those ads. Those are common tricks. 

Dave Bittner: Yep. Yep. All right. Well, interesting story. And of course, we'll have links to both of our stories in this week's show notes. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from Ian from across the pond, who writes, my son is currently trying to find student accommodations for his second year. His university only guarantees accommodations in the first year. Unfortunately, he decided not to use the usual route of going through his student services and started looking on Facebook for rental properties. He contacted one listing and received the email chain that we're about to read. Luckily, his dad - me - is an IT auditor and an avid listener of "Hacking Humans," so the email below leapt out to me as a scam. Red flags included really cheap accommodation, calling Airbnb Airbnb Inc. and the generally poorly constructed grammar of the email. A quick check of the renter's Facebook profile showed multiple listings of the same property but described it as being in different areas of the country. Presumably, if he had continued with this, he would have sent a payment link for the deposit, and then the renter would have disappeared. I've not seen accommodation scams before, so I thought you might like this one. But we have actually seen these, though. 

Dave Bittner: Yeah. We've talked about them. Sure. 

Joe Carrigan: Yeah. But as always, he says he loves the podcasts and keep doing the work. So I will play the part of Ian's son, whose name is Benjamin. 

Dave Bittner: All right. 

Joe Carrigan: And you, Dave, as always, can play the part of the scammer. 

Dave Bittner: OK. 

Joe Carrigan: All right. Are you ready? 

Dave Bittner: I'm ready. 

Joe Carrigan: Hi there. I wanted to email you inquiring on the two-bedroom, two-bathroom flat in Carthis - Cardiff. Is it still available? I'm looking forward to hearing from you, Benjamin. 

Dave Bittner: Hello, Benjamin. My name is Evelyn and I received your message of interest in renting my flat. I work all day because I'm involved in a large project from Rossmill Clinics and Pharmacy in Dublin. The flat will be available from 12 July, quiet and has all facilities and aids, TV, parking, laundry, air conditioning, high-speed internet and pets are allowed. The flat is available indefinitely, so you can stay as long as you want. It's close to public transportation, schools, cafes, gyms and other facilities. The monthly rent is 615 pounds. The additional costs - water, electricity, internet, digital television, which are included in the price and are also important. The flat is equipped with all the necessary equipment and appliances. The property can also be rented unfurnished. In this case, I arrange the furniture for collecting and storing. Thank you for your interest and looking forward to future cooperation and friendship. Two-bedroom, two-bath, 615 pounds per month. Kind regards, Evelyn Bowman. 

Joe Carrigan: Now, Dave, I want to pause here for a moment. That is a really good price. Right now I might sell my house to live in that apartment - right? - if this were real. But it isn't. 

Dave Bittner: OK. 

Joe Carrigan: All your utilities and a place to live with two bedrooms and two bathrooms for 615 pounds a month? 

Dave Bittner: Mmm hmm. 

Joe Carrigan: Already I'm skeptical. But Benjamin replies, hi, Evelyn. I'm planning to move with my friend, both 20. We are currently students. However, we both have part-time jobs and income coming in and able to afford the rent. Under no circumstances will we abuse or host events that would disrupt the property. We aren't those type of students. As it is our last year, we will be predominantly studying and do not have time for these kind of activities. We both have guarantors if you have an issue with the rental income, as previously mentioned, and the personal income to be able to afford the rent. Would this be something you'd be comfortable with? Looking forward to hearing back from you, Benjamin. 

Dave Bittner: Hi, Benjamin. You can rent my apartment for an unlimited period. The price per month is 615 pounds including gas, water, internet, electricity, TV, parking space. I work on a big project in Dublin. We do have a solution for this inconvenience, so you can move in as soon as possible. I do not have the time to meet every potential renter, so I choose to use Airbnb. I use the Airbnb service only at the beginning to find a tenant. To visit and rent the apartment, I will use Airbnb Inc provides an online platform that connects hosts who have accommodations to rent with guests seeking to rent such accommodations. The Airbnb company will require confirmation, which is first two months, plus a security deposit of 615 pounds is required at the start of the lease, and it will be refunded at the end of the contract. A 30-day notice is required. After these first two months, you'll be sent the rent monthly directly to my personal bank account. You have to book the first two months. From the moment your booking is confirmed, an Airbnb representative will contact you about viewing, and you can move in straightaway. 

Dave Bittner: First you have to book it, and one of the representatives will contact you to arrange the appointment. The meeting will take place in the apartment, and he will give you the keys and sign a contract for the period wanted by you. We will make a fixed lease on British law between us, minimum two months, up to 10 years. I would like to know how many people you intend to share the apartment with and for how long. Any other details about yourself would be appreciated. I'm looking to rent the apartment to someone who will take care of it as his own. I have invested a lot in this apartment, and I'm sure you'll love it. So I guess this is it for now. I hope I didn't forget anything. Kind regards, Evelyn Bowman. 

Joe Carrigan: And that is the point where Ian has stepped in and gone, nope, this is a scam. 

Dave Bittner: (Laughter) Good. 

Joe Carrigan: Aside from the offer that's too good to be true, anything stand out to you, Dave? 

Dave Bittner: Well, this seems very generic to me. Like, this could be a reply to anything. 

Joe Carrigan: Right. 

Dave Bittner: And it's also repeats things that were said in the first message. 

Joe Carrigan: Exactly. That was one of the things that stood out to me is the second email from this Evelyn Bowman, who is almost certainly not Evelyn Bowman. It says everything that was said in the first email... 

Dave Bittner: Right. 

Joe Carrigan: ...Including that she works on a big project in Dublin. I mean... 

Dave Bittner: Yeah. 

Joe Carrigan: ...It seems unnecessary. 

Dave Bittner: This is copy and paste, copy and paste. Right. 

Joe Carrigan: Right, copy and paste. This is what these guys do all day long. 

Dave Bittner: Yep, yep. Well, thank you for sending this in, Ian. Your son is fortunate to have you. 

Joe Carrigan: Yes. 

Dave Bittner: Sons are lucky to have their parents, right? 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter) Because sons are idiot sons (laughter) 

Joe Carrigan: Yes, idiot son - as we often describe - how our parents would describe us, my idiot son. 

Dave Bittner: Right, exactly. Oh, my idiot son did something again. Yeah, that was me. All right. Well, Ian, thank you for sending this in. We would love to hear from you. If you have something you'd like us to consider for our Catch of the Day, you can send it to us at hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe. Always a pleasure when we can welcome back Carole Theriault to the show. And this week, she speaks with Paul Ducklin, who's also been on our show before. 

Joe Carrigan: Yep. 

Dave Bittner: He is from the Sophos Naked Security blog. And they are talking about extortion scams that are focusing on LGBTQ+ folks. Here's Carole and Paul. 

Carole Theriault: So, recently, the FTC put out a warning about LGBTQ+ extortion scams. So I invited my old friend and colleague Paul Ducklin, info security expert at Sophos Naked Security, to shed some light. I didn't mean to suggest you were old. I just meant that we've known each other for a long time. Thanks for coming on the show, Paul. 

Paul Ducklin: I'm quite even with that, Carole, given that if we're old colleagues, it applies equally to both of us, I guess. 

Carole Theriault: (Laughter) That's right. That's right. 

Paul Ducklin: (Laughter). 

Carole Theriault: So, Paul, can you tell us what's going on? Why is the FTC issuing a warning about these particular extortion scams? 

Paul Ducklin: Carole, I think the real problem is that if you go back a few years, you remember sextortion was in the news or porn scamming, as it was called, which is where crooks send you an email - hey, we know you were watching porn. We had malware on your computer. We took a screenshot and we videoed you at the same time. By the way, here's proof we're in amongst your stuff. Look, this is your password. This is your phone number. They never show you the video because they don't have one. And so we were able to tell people, look, you can just ignore the blackmail - 'cause they wanted money to suppress the video, which they did not have. We could tell people, ignore it. The problem now is that the crooks are going on dating sites - particularly on LGBTQ+ dating sites, it seems. 

Carole Theriault: All right. 

Paul Ducklin: They're finding dating profiles that feel like they might be a match with you. They rip off that person's profile. They contact you, which is the purpose of a dating site, after all. And then, pretty quickly, they, you know, befriend you and they send you explicit pics, which are not theirs. They've ripped them off from someone else to say, hey, you know, send me some pics as well. And, of course, you can imagine that the person might be inclined to trust this person... 

Carole Theriault: Of course. 

Paul Ducklin: ...Particularly, you know, if they're still in the closet. They're not fully out. You know, they're not able to just go and randomly meet people. So think, well, I've met this person under the right circumstance. Everything checks out. They reply with an explicit photo, and, simply put, the blackmail starts. You know, we'll out you. We'll tell your friends. We'll tell your family. We'll tell your employer. This is going to go badly for you. Send us money. And usually, I believe, the way is that they just say, go and buy a bunch of gift cards, you know, which have a cash value. 

Carole Theriault: So if someone finds themselves in this situation, what are they supposed to do? 

Paul Ducklin: So the only advice I can really give is, don't pay them money because, firstly, you have no reason to assume that they'll delete the photo. You've just got their word for it. And, secondly, even if you suddenly decide, well, I thought I could trust them before, then I didn't, now I'm deciding to trust them again - even if they do delete the photo, who's to say that they haven't already - or someone in their gang hasn't already sold it on to another criminal? Who's to say they haven't been a victim of a data breach themselves? Because crooks are notoriously sloppy at operational security themselves. So paying the money kind of just gets you in deeper because you've got no guarantee that they'll delete the photo. And even if they do and you believe them and they're telling the truth, it could still be out there. And unfortunately - and I know this can sound like victim blaming - your best defense is quite simply, if in doubt, don't give it out. 

Carole Theriault: (Laughter). 

Paul Ducklin: You know, go slow. I know it sounds sort of fuddy-duddy and old-fashioned, but that doesn't just go for nudie photos, which are bad enough. It actually goes for anything that anybody that you think you can trust but you don't really know tries to talk you out of - could be your phone number, your home address, your credit card number, your Social Security number, your National Insurance number, depending on what country you're in, your bank account number. There's a whole load of data that people go, oh, I'd never give away a nude photo. That would be crazy. But, you know, they might hand over other data that once they've let it go, the only thing you can do after you've given it out really is to say, please, can I have it back? There's no real stronger defense than that. 

Carole Theriault: It's funny. I've just read an article recently about how millennials feel safer dating online, effectively something that's kind of exploded during the pandemic. But the idea that they could meet people and date and get - you know, connect online made them feel safer. But in a weird, ironic way, we're kind of saying actually be really careful when there's computers involved or digital devices. 

Paul Ducklin: Yes. That's an excellent point because I'd imagine that starting with online dating can be a lot safer. You're not thrust face to face with someone you've never met before who might turn out to be a nutter. You know, you kind of think, well, I've got a chance to pre-filter. There's some strong evidence that that's not a bad idea at all. The problem is that there are crooks who go out of their way to use the fact that you can check up on them only so far online to turn themselves into the person that you want them to be in a way that looks legit. You know, they've ripped off somebody else's dating profile. They've ripped off their backstory, their life history. Everything you like, well, they'll just happen to like it well enough. In other words, you never quite get a chance to look at them and make a face-to-face judgment. 

Carole Theriault: Yeah. And the end result is money. That's what they want in the end. 

Paul Ducklin: Yes. I remember years ago when I was in Australia and we were working with the police over there dealing with the romance scamming when that first started to become a really big thing. That's the same sort of scam. But instead of going, send me explicit photos, then I'll blackmail you right away, the romance scammers have a longer-term view. They don't want the explicit photos. They want you to believe in them for weeks, months, sometimes even years, and then milk you for money. 

Paul Ducklin: You know, I went to an event where a victim came along and said - she said, I don't want you to think that I'm an idiot, that I'm overly gullible, that I'm unintelligent, that this couldn't happen to you. I started using online dating sites because I got tired of trying to meet guys down at the pub or somewhere like that. I just felt the dating sites are a better way forward. And even when I was deep in this scam, she said, the one thing that struck me is that the scammer who was defrauding me, when he said he would phone me at 4:30 on Friday afternoon, he never missed... 

Carole Theriault: (Laughter). 

Paul Ducklin: ...A day, you know? She said, whereas, you know, you meet someone at the pub, you like them, you go out a couple of times and then you're going to meet up with them at 4:30 on Friday, and then they'll phone you - oh, no, you know, I met Jim. And, oh, we had a cup of... 

Carole Theriault: (Laughter). 

Paul Ducklin: ...Tea. Oh, we went fishing, and now I won't be able to make it. 

Carole Theriault: There you go. If someone meets all their dates, you know they're up to something (laughter). 

Paul Ducklin: And so she just said it was - you know, it's like that's the way it was. I didn't do this because I was an idiot. I did it because I felt it was a different and, in some ways, a more responsible way to meet people without having to go face to face with them straight up. So, like I said, go slow. And when the person asks for any sort of information - whether it's an explicit photo, your home address, your credit card number, your bank account number, a copy of your passport or whatever - go slow. 

Paul Ducklin: And the other thing to bear in mind, Carole - I think this is quite important - is particularly for the longer-term scams, extortions - scams of this sort, I know that a lot of these crooks are past masters at putting a rift between people and their friends and family. So when friends and family warn them and try and warn them and say, you know what? I'm pretty sure you're getting scammed, they've been sort of conditioned to expect that from the crooks who will say, oh, well, it's just that they're jealous. It's just that they don't like the fact that you've met someone online. Or if it's an investment scam, they don't like the fact you might make money and they missed out. So whatever you do, don't let the crooks drive a rift between you and your money. And definitely don't let them drive a rift between you and your true friends and family. 

Carole Theriault: Brilliant. Paul Ducklin, friend and colleague and info security expert at Sophos' Naked Security. Thanks for coming on the show. 

Paul Ducklin: I see what you did there, Carole. 

Carole Theriault: This is Carole Theriault for "Hacking Humans." 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: It's interesting - Paul links this back to sextortion scams, which have kind of evolved, right? 

Dave Bittner: Yeah. 

Joe Carrigan: And I can think of no worse situation for someone who is still in the closet, as they say, right? 

Dave Bittner: Right. Right. 

Joe Carrigan: Maybe his family doesn't know that he's gay. 

Dave Bittner: Yeah. 

Joe Carrigan: And perhaps there would be real ramifications because of the nature of the family members, right? 

Dave Bittner: Sure. 

Joe Carrigan: I can think of a number of ways this could go sideways, and it's not good. 

Dave Bittner: No. 

Joe Carrigan: One of the things that is a key point is that you really have no reason to trust that someone you have not met in person is who they say they are on the internet. And nowhere is that more the case than a dating site. My single biggest rule here for - I mean, I have no need for a dating site. I'm a married man, right? 

Dave Bittner: (Laughter). 

Joe Carrigan: But my single biggest suggestion here is meet the person first. Make sure that you're meeting the person. Make sure that that person is close by. These scammers can't meet you. They don't live near you. Just to dot this as a personal policy - and don't give anything to someone you have not met. And that includes personal information. That includes money. That includes gifts - anything. I wouldn't - until you've met somebody in person, you've verified who they are and that they look at least kind of like their pictures - right? - that... 

Dave Bittner: Right. Right. 

Joe Carrigan: ...They're a real person, I wouldn't give them anything. 

Dave Bittner: Right. 

Joe Carrigan: Duck is right. 

Dave Bittner: Nothing more romantic on a first date than requiring two forms of ID and a recent utility bill. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: Duck is right. It's not just nudes. The problem is - but one of the problems with nudes is that they are immutable, right? There are always going to be nudes of you. You can't change the fact that you sent somebody a nude. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, I don't know, Dave. This seems to me like something, like, I would never do. I don't think I would be interested in exchanging those with somebody. Maybe I'm too old. Maybe I just don't understand the... 

Dave Bittner: No, but, I mean, can you understand why some people would, though? 

Joe Carrigan: Yeah, I do. I do. 

Dave Bittner: Yeah. 

Joe Carrigan: I absolutely get why people do. 

Dave Bittner: Yeah. 

Joe Carrigan: But again, you should only do this with somebody you have met in person. 

Dave Bittner: Yeah. You have to establish a certain amount of trust over time. 

Joe Carrigan: Over time, yeah. 

Dave Bittner: This isn't just something willy-nilly. As you say, you know, it's... 

Joe Carrigan: Right. But these romance scammers... 

Dave Bittner: Like, once it's out there, it's out there. 

Joe Carrigan: These romance scammers go for a long scam as well. So don't let that be what convinces you that they're real. Meet them in person. Paul says something in passing that is key. They're going to make themselves exactly what you need them to be, which is how they get you to fall for the scam. It's one of the key things. Hey, look, this person checks all my boxes, right? 

Dave Bittner: Right. 

Joe Carrigan: It's one of the big things that can help exploit somebody... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Is just to match up with them perfectly. One of the things that's interesting is that scammers do not miss appointments. I found that to be absolutely fascinating. If a scammer says - in the example, they said, I'm going to call you at 4:30 on Friday. You can count on your phone ringing at 4:30 on Friday. 

Dave Bittner: I've never considered that. Yeah. But you're right. 

Joe Carrigan: Yeah. Yeah. Think of nudes as personally identifiable information, so... 

Dave Bittner: Well, yeah (laughter). 

Joe Carrigan: I mean, they are. They're a biometric, essentially, right? 

Dave Bittner: Sure. Sure. 

Joe Carrigan: And one of - the last thing that Duck says here is great advice. Do not let these scammers drive a wedge between you and your friends and family. They're going to start doing that pretty early on in the conversation, at least according to what Duck is saying here. They're going to start saying, they're going to be jealous of us. They just don't understand that we love each other. We found true love, and nobody can be happy for us because they're all miserable. That's... 

Dave Bittner: Right. 

Joe Carrigan: And you know what? That's going to sound good to somebody who is - you know, who might be hearing these kind of things from their friends and family one moment. 

Dave Bittner: Right. 

Joe Carrigan: So be mindful of that. Let that be a red flag when somebody says that your family's jealous. Let that trigger off something in the back of your head that goes, ah, this guy's trying to isolate me. 

Dave Bittner: Yeah. Yeah. I mean, you know, we also - we often talk about if a deal is too good to be true, it likely is, but... 

Joe Carrigan: Right. 

Dave Bittner: ...I suppose we could say if a person is too good to be true, they may be as well. 

Joe Carrigan: That's right. 

Dave Bittner: Yeah. 

Joe Carrigan: That's right. I would agree with that 100%. 

Dave Bittner: Mmm hmm. Mmm hmm. All right. Well, again, thank you for Carole Theriault and Paul Ducklin for joining us once again this week - always a treat when Carole submits her stories for our show. We do appreciate both of them taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.