Hacking Humans 9.22.22
Ep 213 | 9.22.22

The rise in fraudulent online content.


Jane Lee: Scammers are known to have what I like to call a 100% swipe rate, meaning they are matching with 100% of whoever they can.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Jane Lee. She is trust and safety architect at a company called Sift, and she's here to explain the scammers' practice of pig butchering. 

Dave Bittner: All right, Joe, before we dig into our stories this week, we've got some follow-up here. 

Joe Carrigan: Yes, we do. 

Dave Bittner: I'm going to kick things off with a kind letter I got from a listener named Jason, who is - I'm going to go out on a limb here and say is from the U.K. 

Joe Carrigan: The U.K. 

Dave Bittner: (Laughter) If you remember last week's episode, we did a little bit of teasing about mum and mom and American English and British English and all that sort of stuff, and... 

Joe Carrigan: Yes. Keeping with the well-deserved ugly American stereotype (laughter). 

Dave Bittner: That's right. That's right. Which is our obligation to maintain around the world. 

Joe Carrigan: Right. It's our gift to the world, right? 

Dave Bittner: (Laughter) That's right. Our - being boorish and loud whenever we travel. 

Joe Carrigan: Right (laughter). 

Dave Bittner: That is what we bring to the world. All right. 

Joe Carrigan: That's right. And you should be happy about that. 

Dave Bittner: That's right. That's right. They should - I don't know why they don't appreciate it more than they do. 

Joe Carrigan: I don't - me neither, Dave. Ingrates, I guess. 

Dave Bittner: (Laughter) Yeah, yeah. So anyway, Jason writes, and he says, I've been listening to the show for many years, and I'm a big fan. Thank you for bringing good information to everyone so they may better protect themselves from malicious actors. Well, thank you very much, Jason. I don't in any way feel as though you're buttering me up. 


Dave Bittner: He goes on to write - I'm sure you'll get a few responses on the topic of mum versus mom. If we take a look at the spread of the British Commonwealth, you'll find that there are more speakers in the world of British English than those who speak American English. British English speakers are in India, 1.4 billion, South Africa, 58 million, Australia, 20 million and New Zealand, 5 million, whereas American English seems to be confined to North America, the U.S. with 331 million and Canada with 38 million. We could also dig into which countries learn which dialect of English, but I think that wouldn't matter too much, and we'd just be splitting hairs at this point. Yeah. Who wants to split hairs, Jason? 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: So he says, anyway, keep up the good work, and thanks for quality podcasts. He goes on to write, P.S., as someone from the U.S. actually invented aluminum, I'll agree that the American pronunciation is probably the most correct. However, if we take numbers into account again, more people in the world use aluminium, and those numbers are overwhelmingly larger than numbers in the U.S. When in the U.S., use the proper pronunciation, and anywhere else, use whatever makes you happy. 

Joe Carrigan: Jason, I love this email. It's great. Thank you for sending this. 

Dave Bittner: (Laughter) I - my favorite part is how Jason just begrudgingly admits that we might have him on aluminum. Yeah. 

Joe Carrigan: Aluminum, yeah. But, again, points out that many more people say aluminium. 

Dave Bittner: That's right. That's right. Well, Jason, thank you for the kind note. I do appreciate it. As Joe stated, I think last week - I know I certainly was kind of intentionally playing off of the ignorant American stereotype (laughter). So... 

Joe Carrigan: Right. We like to do that here. 

Dave Bittner: Yeah, we do. So thanks for writing in. We do appreciate it. 

Joe Carrigan: It's a good letter. Thank you, Jason. 

Dave Bittner: We would love to hear from you. If you have something you'd like us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, we got another little bit of quick follow-up here. What do you want to share with us this week? 

Joe Carrigan: This is a personal story for me, Dave. My wife and I have cellphones, and we have been with the same carrier for a number of years. And we've been going through the process of buying new phones and just pulling the SIM card out of the old phone, putting it into the new phone. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: And we've been doing that for about six years. 

Dave Bittner: OK. 

Joe Carrigan: Well, our SIM cards have become outdated. And we were starting to have problems making calls and receiving calls. Like, every time she'd call me, my phone would not ring. My wife is the only person that calls me, really. 

Dave Bittner: She fell for that story, did she? 

Joe Carrigan: My phone didn't ring. 

Dave Bittner: (Laughter) Yeah, I don't know what you're talking about, honey. 

Joe Carrigan: So I actually called the - I got concerned enough, I called the provider and said, hey, my phone is not ringing when somebody calls me. And he goes, well, I'm looking at your stuff there. You've got an old SIM card. We're going to send you out two new SIM cards. 

Dave Bittner: OK. 

Joe Carrigan: So I had to do a SIM swap on my phone. Dave, it was remarkably easy to do. 

Dave Bittner: OK. 

Joe Carrigan: It was - I would say it's a fairly secure process. The - I have a PIN with my mobile provider. 

Dave Bittner: Right. 

Joe Carrigan: So when I call them and I say, I want to do a SIM swap, they go, first, enter your PIN. So I enter the PIN, and then they say, we're going to send you a text message. Enter the code from that text message. The process to do this was completely automated. I never talked to a single human being during the process. And while waiting for the text message or while trying to enter the text message, moving around my phone, the automated system said, if you need more time, say, wait a minute, right? So if I didn't have a PIN on my phone and somebody else wanted to SIM swap me and they were trying to get that code from me, they would just have to say, wait a minute, while they tried to do some social engineering trick to get the code from me to SIM swap me. 

Dave Bittner: I see. 

Joe Carrigan: So I cannot impress enough upon everybody how important it is to put a PIN on your mobile carrier tech support on your mobile carrier account. 

Dave Bittner: Yeah. 

Joe Carrigan: Right - that's the word I'm looking for, account. So that whenever they do tech support, you have to have that PIN first. 

Dave Bittner: Right. 

Joe Carrigan: That's very important. 

Dave Bittner: Yeah. That's interesting. I'm upgrading soon to a new phone that will have an eSIM. 

Joe Carrigan: An eSIM? 

Dave Bittner: Yeah. So no hardware SIM anymore. The new iPhones are - it's all electronic. 

Joe Carrigan: Huh. 

Dave Bittner: So it's a brave new world, Joe. I don't know... 

Joe Carrigan: That's right. 

Dave Bittner: (Laughter) I don't know what I'm in for, but... 

Joe Carrigan: Yeah, we'll find out. 

Dave Bittner: ...Got no choice. 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm using my Google Pixel 6, just the standard Pixel 6. 

Dave Bittner: Yeah. 

Joe Carrigan: Overall, I'm not impressed with the phone. I don't think this is a flagship phone, Dave. 

Dave Bittner: OK. 

Joe Carrigan: I didn't get the Pro, though. Maybe I should have spent the extra couple hundred bucks and gotten the Pro. 

Dave Bittner: Yeah, well... 

Joe Carrigan: Maybe then I'd be happy, but probably not. 

Dave Bittner: Next time. 


Dave Bittner: All right. Well, let's move on to our stories this week. I'm going to kick things off for us. I actually have two stories this week... 

Joe Carrigan: OK. 

Dave Bittner: ...Cause they're short. 

Joe Carrigan: OK. 

Dave Bittner: Starting off with a series of tweets from Larry Cashdollar. I don't know that Larry's been a guest on this show. But he's a regular over on the CyberWire, and he's been my guest a number of times on our "Research Saturday" show. 

Joe Carrigan: OK. 

Dave Bittner: Well-respected cybersecurity guy, does a lot of research. Always a pleasure to have him on. He shared a series of text messages. He was selling a desk on Facebook, using Facebook Marketplace. And someone sent him a message asking him if the desk was still available. And he said, hello, the desk is still available. And then they said, OK, I send a voice code. If the post is real, show me code. Then I'll call. The code is six digits. Check your phone message and show. Please give me code. So Larry, being a security... 

Joe Carrigan: Right. 

Dave Bittner: ...Person said, sorry, no, you're a con artist. 

Joe Carrigan: Yeah. 

Dave Bittner: You're using my cellphone number to authenticate to something and verify. It's not worth the 50 bucks to risk it. And then the scammer said, it's just verify. And Larry said, nope. 

Joe Carrigan: Right. 

Dave Bittner: They said, not anything. And Larry said, bye. 

Joe Carrigan: Right. 

Dave Bittner: So I just think this is worth sharing because it's a good example - an exact example - of what they'll do here. This scammer was trying to pass off the six-digit code as being some sort of verification, you know, of the authenticity of Larry himself. Of course... 

Joe Carrigan: Right. 

Dave Bittner: ...Has nothing to do with that. 

Joe Carrigan: Yes. I like to think - when I think about these kind of things, I think about, what's the data behind this activity? Does this scammer have Larry's information? Does he know one of his email accounts or something? Where is he trying to - who's going to be sending him the code? 

Dave Bittner: Right. 

Joe Carrigan: It would have been interesting for Larry to say, OK, send me the code to see what the guy was going to do, not give him the code. By God, don't give him the code. And I wouldn't recommend anybody who isn't a cybersecurity expert like Larry to try this. 

Dave Bittner: Yeah. 

Joe Carrigan: Do what Larry did here. 

Dave Bittner: I - you know... 

Joe Carrigan: What Larry did is the safest course of action. 

Dave Bittner: It's funny you mention this, but I did see someone, also on Twitter earlier this week, who said that when this happens to them, they send the scammer just a random string of six digits... 

Joe Carrigan: Right. 

Dave Bittner: ...And string them along. 

Joe Carrigan: Yeah. 

Dave Bittner: And then when they say, that didn't work, they say, oh, I'm so sorry, I must have reversed a couple of numbers. And they send them the same string of digits with two numbers reversed. 

Joe Carrigan: Right. 

Dave Bittner: And, of course, that doesn't work either. 

Joe Carrigan: Yeah. 

Dave Bittner: And they just - as long as they can... 

Joe Carrigan: Keep wasting their time. 

Dave Bittner: Yeah. Keep wasting their time (laughter). 

Joe Carrigan: That's fine. If you're OK with doing that, that's OK. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, you got to understand, though, these guys are criminals, and they do have your contact information. 

Dave Bittner: Right. 

Joe Carrigan: So be careful. 

Dave Bittner: They're probably more experienced at this exchange than you are. 

Joe Carrigan: Yes. Absolutely. 

Dave Bittner: Yeah. All right, well, my other story this week comes from the folks over at CyberScoop. This is an article written by A.J. Vickens (ph) or Vicens. I'm not sure how they pronounce their name there. But this is about a phishing scheme that's targeting Mideast researchers using what they call a herd mentality approach to dupe victims. And, basically, what's going on here is that they will loop their victim into a conversation onto an email chain, and the email chain looks as though it's been going on for a while now. 

Joe Carrigan: I see. 

Dave Bittner: So there will be several messages back and forth between authorities, experts, people that the victim may be familiar with... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, pretending to be those sorts of people. And so the notion is that when the victim gets looped into this email chain, they start reading through it and they say, oh, OK, there's - obviously, if someone else is responding to this, it must be legitimate. 

Joe Carrigan: Yeah. 

Dave Bittner: And that's where the - this notion of it being a herd mentality comes in. 

Joe Carrigan: Yeah. It's the bandwagon approach. 

Dave Bittner: Yes. Yes, exactly. But, of course, there's nothing to it. And ultimately, what they're trying to lead people to is some sort of credential harvesting situation. So this particular case, they seem to be targeting people in the Middle East in government, I believe particularly in Albania. But, you know, these things don't stay in one part of the world for long, so (laughter)... 

Joe Carrigan: No. This tactic - this technique will come out, and you'll be seeing these. I don't know how you protect against yourself - protect yourself against these, except for, you know, being mindful of what your state is in terms of being logged into something. 

Dave Bittner: Right. Right. And I'd just say that, you know, consider it a red flag. 

Joe Carrigan: Right. 

Dave Bittner: If you suddenly get looped into a preexisting conversation like this, make sure you do your due diligence. Check the email addresses. Check - you know, don't reply in the thread. Reach out to people individually... 

Joe Carrigan: Right. 

Dave Bittner: ...Who may be involved and just, you know... 

Joe Carrigan: Yeah, this is a good - this is going to be a highly effective technique. 

Dave Bittner: Yeah. 

Joe Carrigan: Especially, I can see if, like, halfway down the email chain, you put a link to a document that just harvest - that is a credential harvesting site. 

Dave Bittner: Right. 

Joe Carrigan: You know, and then, bam. 

Dave Bittner: Yeah. 

Joe Carrigan: That's it. 

Dave Bittner: Yeah. All right. Well, those are my stories this week. What do you have for us, Joe? 

Joe Carrigan: Dave, my story comes from Naked Security. And Paul Ducklin has a story - or a blog post, I guess - about a new technique called browser-in-the-browser attack. And it's really clever and really simple. 

Dave Bittner: OK. 

Joe Carrigan: But basically what it is is you can take images that look like the windows that are on your computer and load them into a browser and make it look like there is another window inside the browser window. So Paul has some really good examples in here. He puts - he has this example domain that he puts a - just some simple HTML in, right? And then he goes ahead, and he puts in a couple of images on the top and shows you what it looks like. And the most convincing part of these things is that if I'm putting up something that looks like the top of your browser, I control what that image is, and I can control what you see and what you may think is the URL. 

Dave Bittner: Oh, I see. 

Joe Carrigan: Right? And, I mean, it has all the different little buttons on it that make it look - in this case, it's imitating an Apple - you know, a - what is it? - OS X. IOS is the mobile one, but OS X - it's imitating OS X, and... 

Dave Bittner: MacOS. 

Joe Carrigan: MacOS - is that what it's called now? 

Dave Bittner: Hasn't been - well, it was never OS X. It was OS 10 (laughter). 

Joe Carrigan: OS 10. Well, sorry, Dave, I don't go to the cult meetings, so... 


Dave Bittner: Fair enough. 

Joe Carrigan: So it looks like macOS, but it's inside of a browser. Now, if you remember, last week I was talking about a phishing campaign that Jeffrey Aptel (ph) had uncovered. It was actually kits - phishing kits that were attacker-in-the-middle. 

Dave Bittner: Yeah. 

Joe Carrigan: Now if I pair this with this browser-in-the-browser attack - right? - and I make the middle screen just, like, an iframe or whatever it is - a div - in HTML that loads up something that looks like your Office 365 page, and I put in the browser-in-the-browser window - the picture that I'm going to show you - just the URL to your Office 365, this becomes what I would imagine to be a very effective attack because now I look at the URL. The URL looks right, even though it's just a picture. And I look at the page, and the page is actually the page being served to me via a proxy. So I don't have any idea unless I look at the outer window and the URL in the outer window and see that there is something else, but my eye may never even go there. 

Dave Bittner: Right. 

Joe Carrigan: I may go up and look at the URL and stop right there and go, this looks good. It is - these attacks are getting much more sophisticated. 

Dave Bittner: Yeah. 

Joe Carrigan: There is a comment from someone named Aleksandr on the - who makes a very good observation. He says, I can imagine this becoming very sophisticated, having it detect your browser and operating system and adapting the pictures to that. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: So I think that's a really good observation because when you send your browser string, it tells the web server what operating system you're getting. 

Dave Bittner: Right. 

Joe Carrigan: And that lets the web server serve out the right - it used to let the web server serve out the right kind of content. Well, web servers can still do that. Now we use HTML5, which is supposed to be more standardized, right? 

Dave Bittner: Yeah. 

Joe Carrigan: But you can still key off the browser string that you receive - the information the web server receives, and send out the right content. So I can send out Windows content to Windows users and Mac content to macOS users. 

Dave Bittner: Right. 

Joe Carrigan: And even iOS content to iOS users and Android content to Android users. 

Dave Bittner: Yeah. 

Joe Carrigan: I could do all that. And Aleksandr goes on to say, though it would be more difficult to do it against Linux users due to its UI diversity... 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: ...Which is true because when you use Linux, you could be using any number of desktops, and they all look subtly different - or different. They all look different enough to be noticeable. 

Dave Bittner: Yeah. 

Joe Carrigan: But I took a look at the operating systems that are used worldwide, and this comes from statcounter.com. Close to 80% - 75% of desktop operating systems worldwide use Windows. 

Dave Bittner: OK. 

Joe Carrigan: So if you're not going to do dynamic HTML for this and just not key off thing - I mean, you're going to do some kind of dynamic HTML, but if you're just not going to key off the browser string, your best target is Windows followed by macOS at 16%. And then Linux is all the way down there at, like, 2%. 

Dave Bittner: Yeah. 

Joe Carrigan: How many people do you know that run Linux on their desktop, Dave? 

Dave Bittner: I think I'm looking at him (laughter). 

Joe Carrigan: No, I use Windows. I use Windows. 

Dave Bittner: Don't you have some Linux stuff at home? 

Joe Carrigan: I do. I have a Linux computer. 

Dave Bittner: OK. 

Joe Carrigan: But I don't - you know, I use it for when I need a Linux computer. 

Dave Bittner: OK. I see. 

Joe Carrigan: The only person I know who runs Linux as their primary desktop is my daughter. She runs Linux. 

Dave Bittner: Oh, OK. She's the one. 

Joe Carrigan: She's the one. That's right. 

Dave Bittner: Yeah. OK. You know what this reminds me of? This - there's an old practical joke where if someone leaves their computer unlocked... 

Joe Carrigan: Oh, yes. 

Dave Bittner: ...You take a screen capture of their desktop. 

Joe Carrigan: Yeah. 

Dave Bittner: And then you hide everything on the desktop. 

Joe Carrigan: Yes. 

Dave Bittner: And you make the screen capture the desktop image. 

Joe Carrigan: We did that several times. 

Dave Bittner: So now what happens is when this person comes back to their computer, they try to click on things and nothing works because they're not actually icons. They're - it's just an image. 

Joe Carrigan: I'll tell a great story about this. 

Dave Bittner: I'll be the judge of that. Go on (laughter). 

Joe Carrigan: Well, we were - when I was working - we were doing SETI@home and running it on our computers, right? 

Dave Bittner: Oh, yeah. Yeah. 

Joe Carrigan: So that had a client that had a screen saver, and it would show you all things it was doing in analysis. 

Dave Bittner: Right. 

Joe Carrigan: And every now and then, there'd be a peak. Right? And in the - you could also run - you could also look at it while it was not in screen saver mode, and it would be like a little client that looked very similar. 

Dave Bittner: Yeah. 

Joe Carrigan: So I took a screenshot of mine when there was a peak and drew an arrow to it, and put up a fake window that said, you have found an extraterrestrial signal. Please call this number immediately. 

Dave Bittner: (Laughter). 

Joe Carrigan: And I hear the guy - I go to put it on his screen, his desktop, and I hear the guy call. 

Dave Bittner: (Laughter). 

Joe Carrigan: Right? Because it's just some number to some ridiculous line. 

Dave Bittner: Oh, OK. 

Joe Carrigan: It may have been some... 

Dave Bittner: I wasn't - I figured you would have made it your phone, and you could've answered the phone and said, hello, Carl Sagan here (laughter). 

Joe Carrigan: Where were you 20 years ago when I was... 

Dave Bittner: Yeah (laughter). OK. 

Joe Carrigan: But he calls the number, and he's like, what, and he hangs up. And then I start laughing at him - ha, ha, ha, ha, you fell for it. 

Dave Bittner: Oh, yeah (laughter). 

Joe Carrigan: And then he replaced my screen saver with the Sysinternals blue screen of death screen saver. 

Dave Bittner: Nice. Turnabout is fair play. 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: I actually called tech support because I didn't understand what was going on (laughter). 

Dave Bittner: Ah, very good. See? He got the upper hand. 

Joe Carrigan: He got me back, Dave. 

Dave Bittner: All right, well, those are our stories. We will have links to all of them in the show notes, of course. Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Our Catch of the Day comes from Peter, who writes, another fun one. Dave, this one has it all. 

Dave Bittner: OK. Well, shall I read it then? 

Joe Carrigan: Yes, you should. Yes. 

Dave Bittner: OK. So this comes from the International Remittance Department, FirstBank Nigeria PLC. We're not even two sentences in and the red flags are... 

Joe Carrigan: Right. 

Dave Bittner: ...Going off. 

Joe Carrigan: Yep. 

Dave Bittner: Thirty-five Asaba House, Lagos, Nigeria, and then the email address is a Gmail account, so... 

Joe Carrigan: Right. 

Dave Bittner: ...There you go. 

Joe Carrigan: That makes sense. 

Dave Bittner: firstbanknigeria@gmail.com. 

Joe Carrigan: Sure. 

Dave Bittner: What - yeah. That makes total sense. 

Joe Carrigan: That's what they have. They use Gmail over at that national bank in Nigeria. 

Dave Bittner: Well. 

Joe Carrigan: It is a real bank, by the way. 

Dave Bittner: OK. So it goes like this. 

Dave Bittner: (Reading) Dear beneficiary, this letter is written to you in order to change your life from today (laughter). I am Reverend Ashi Ashi (ph), the director international, the remittance department of this bank. My boss, Mr. Jacobs, the managing director and CEO of this bank, is now on compulsory leave, and all power has been vested on me to make all international payments. Also, due to reported cases of corrupt practices in other Nigerian banks, including the Central Bank of Nigeria, the federal government has revoked or canceled all power vested on these banks and has appointed our bank - FirstBank of Nigeria - to make all foreign payments. 

Dave Bittner: (Reading) Be informed that the federal government have approved the release of part payment of 7.5 million - 7.5 - this is so bad - (reading) the release of part payment of $7,500,000 out of your total funds, which has been in this bank for many years, unclaimed because my boss Mr. Jacobs' collaboration with the government of Central Bank of Nigeria have refused to tell you the truth on how to claim your fund. This is because he has been using the interest accumulated from your fund every year to enrich himself without your knowledge. 

Joe Carrigan: Fiend. 

Dave Bittner: (Reading) I want to help you pull out this fund to your bank account using the easiest and the quickest method, which has not been made known to you before. By this method, you will open the domiciliary account with this bank - FirstBank Nigeria. Your fund would be lodged into this domiciliary account, and your fund will be paid directly to any bank of your choice. After the transfer, you will confirm the funds in your bank account within five hours the same day - no cost of transfer and no stoppage from any government department, as the transfer will be done with the bank alone, and it's very safe (laughter). 

Dave Bittner: (Reading) The method which was introduced to you before is the telegraphic transfer, for which confirmation was 48 hours. Because of the time factor, petitions could come from various organizations, stopping your payment and asking you to pay a huge fee, which would be difficult for you to pay so they can benefit from the huge interest your fund generates while still in the bank. This method is not safe for you because it's not done within the bank alone, as information of the payment would be sent to the general control unit of the federal ministry of finance and the office of the accountant general of the federation. 

Dave Bittner: (Reading) As a good Christian, I have nothing to gain by keeping your fund. I want to assist you receive your fund before my boss resumes office. You have to follow up and work with me now, so keep this very confidential because of fraudsters and imposters who go about presenting various bank accounts in order to divert another beneficiary's fund. 

Dave Bittner: (Reading) Note - your transfer code is FBXNZ7XX5M. You must keep it confidential to avoid intruders or claims by anyone so that I do not transfer your fund to the wrong bank account. 

Dave Bittner: (Reading) Finally, I ask for your mutual understanding and cooperation to serve you better. Yours truly, Reverend Ashi Ashi. 

Joe Carrigan: So in this thing - you didn't bore them with the details, but it asked for all this kind of personal information here. 

Dave Bittner: Yeah. 

Joe Carrigan: And you're supposed to fill that out. But this thing has the appeal to religion. 

Dave Bittner: Yep. 

Joe Carrigan: It's a reverend. He's a good Christian. He's going to help you. He's not a reverend. And if he is a good Christian - if he is a Christian, he's not a good Christian. He's trying to steal money. 

Dave Bittner: (Laughter) The boss is out of town, and we've all lost our minds. 

Joe Carrigan: Right, yes. The boss is out of town. We all lost our minds, which is great. 

Dave Bittner: Right. 

Joe Carrigan: You know, it's the social engineering one-two punch. You have a problem. I have a solution. 

Dave Bittner: Yeah. 

Joe Carrigan: This is a fantastic Catch of the Day. 

Dave Bittner: Yeah. 

Joe Carrigan: It just has everything in here. 

Dave Bittner: Yeah. Well, our thanks to Peter for sending that in. We would love to hear from you. If you have something you'd like us to consider for the show, you can send it to hackinghumans@thecyberwire.com. 

Dave Bittner: All right. Joe, I recently had the pleasure of speaking with Jane Lee. She is the trust and safety architect at Sift. And our conversation centers on this practice we've touched on here before, and that is pig butchering. Here's my conversation with Jane Lee. 

Jane Lee: Romance scams are not anything new. So I think pig butchering scams are an - I don't want to say elevated because I think that gives them too much credit, but it's basically romance scam on steroids. And so it combines, like, all traditional elements of romance scams with the - you know, the new allure of crypto. 

Dave Bittner: Something for everyone, right (laughter)? 

Jane Lee: Yeah. Yeah. 

Dave Bittner: Well, before we dig into the specifics of pig butchering, just real quick, can you give us a little 101 on romance scams? 

Jane Lee: Yeah, sure. So romance scams are basically these scams where the scammer is matching with their victim, or they're first connecting with their targets via social - any sort of social media or social platform. And right now we are seeing with the rise of online dating app usage, they are focusing on dating apps. But really, you know, they could exist on Facebook. I saw them during my time when I was at Facebook. They can message you on Instagram, TikTok. So any platform that has a messaging capability, they are there. 

Dave Bittner: And so when we get to pig butchering, which is, as you say, is kind of an amplified version of this, can you walk us through exactly what happens? 

Jane Lee: Yeah. And sorry, I just realized I didn't answer your question completely. So I explained romance scams where they meet their victims initially, and how it initially starts off is they start overwhelming their targets or their love interests with compliments, promises of gifts, you know, the words that every person wants to hear from someone that they are intimately close with. And then it leads to manipulation. You know, they start talking about financial freedom or, hey - with the traditional romance scammers, they'll make up some sort of sob story about either them being stuck in the country, or, you know, they have a child that needs medical expenses covered. And so that is where I think the line with traditional romance scams is drawn. Now with pig butchering, you have all those elements of romance scams where ultimately the scammer is trying to get the target to send them some sort of money. 

Jane Lee: But with pig butchering, what makes it a little more unique is that, well, one, the preferred currency is cryptocurrencies, and then two, the technical sophistication of the bad actors. And so they actually have a fake crypto trading platform where they direct their targets to. It mimics, you know, your traditional or very common, mainstream - I'll say mainstream crypto platforms. You know, if you were to cross-check the prices that are displayed on this fake platform, they will all check out. But of course, the platform is 100% controlled by them. They manipulate, you know, your return on investment and such. And so that is what makes this the amplified version of the traditional romance scam. 

Dave Bittner: And how much time are they investing in their victims here generally? 

Jane Lee: Yeah. So the thing about this particular scam is it - I think when I outline, you know, the step-by-step process and what goes on, people find it hard to believe because when you lay out all the facts, you know, it's kind of obvious what's going on. But these scams take months. So I've heard one to three months. My undercover investigation, I think - I said I started in about - around October of 2021 and wrapped up in January of 2022. And so that is about four months. So yeah, they really take the time to develop these trustworthy, loving, intimate relationships with their targets over the course of months, I would say. 

Dave Bittner: Well, can you walk us through the process when you went undercover, as you say? What exactly went on there? 

Jane Lee: Yeah. So what I did was I - I mentioned this a little bit, but we at Sift, we have a network of dating app customers, of social media platforms. And so we first detected this as an anomaly, something that kind of stood out as abnormal. And, you know, this is where a little bit of my private life experience comes into play. But when I saw this as the occasional dating app user myself, I quickly recognized, hey, I've seen these accounts before. These look very familiar. I've seen them on the apps. You know, I couldn't really put my finger on what exactly it was. And then when I looked into it, I realized it was actually a very prevalent problem. And so what I did was I downloaded every single dating app or major dating app on the app stores. And then I - my - I'm just genuinely a curious person. What I wanted to know was what they were doing, how they were getting this money. And yeah, so I matched with a scammer who became my scammer boyfriend and, you know, kind of baited him into giving me the step-by-step process that they were leading their victims to. 

Dave Bittner: Is there anything in particular that you did to attract their attention? You know, is there - are there particular attributes that they're looking for? 

Jane Lee: Yeah, I think they are trying to catch their widest net. And so I really didn't have to do much. My existence on the dating apps was enough to come across them. And these scammers are known to have what I like to call a 100% swipe rate, meaning they are matching with 100% of whoever they can. They're just trying to match with whoever will kind of entertain them or give them even a chance. And so, you know, there wasn't really anything specific that I did. I kind of knew the type of profile that I was looking for because they all have this similar type of either picture or job title. Or, you know, their profiles feel the same. And whenever there's so much of the same thing, especially in, like, the online fraud world, I think it warrants a second look. So yeah, there was nothing in particular I did. I just had to match with one of them. 

Dave Bittner: And so once you engage with this person, what are some of the outstanding things that happened along the way? 

Jane Lee: Yeah, I think the - obviously, I knew what I was getting myself into, but, you know, something that I did not expect - you know, I talked about love bombing and that really intense moving fast, fastness, like, the relationship just really picking up and, you know, them just overwhelming me with compliments. I did not expect - this is a funny way to put it - but, like, my heart to flutter, you know? And so the individual on the other end, you know, was promising me, hey, a trip to Osaka to see the cherry blossoms. Another individual was - you know, promised to send me a $25,000 bottle of wine. Another told me how beautiful I was. And, you know, it's just things that people want to hear. Everyone wants to be told that they're wanted and beautiful. It's a very natural human desire. And so even me knowing what I was getting myself into and who I was interacting with - at least loosely, what I was getting myself into - I felt something. You know, it sounds silly, but... 

Dave Bittner: Yeah. 

Jane Lee: ...You know, you kind of blush a little bit. And I did not expect that. Yeah, that's what I would say was the most unexpected thing. 

Dave Bittner: Yeah, I think that's a really fascinating point and an important point because, you know, we often talk here about how this can happen to anyone, that there's no shame in finding yourself having fallen victim to this. And I think what you're saying kind of speaks to that, that no one is immune to being human. 

Jane Lee: Yeah. Yeah. And, you know, I think it's so important. You know, as we get this story out and we share about it, I think a lot more victims are - I think, typically, victims are people that have been targeted by these scammers - that they are ashamed. There's that shame factor to it. But I think there is an empowerment in getting the story out, as well. And then you relate to other people that have fallen victim and, you know, give them the empowerment to come forward with it. The other thing that I really emphasize is how long these scams play out for. And they're really playing on a human vulnerability or a desire, a natural human desire - right? - to feel wanted, to feel loved, which makes the scam so believable. 

Jane Lee: And then lastly, you know, at Sift, we release a quarterly index report. And as part of the most recent report that came out, we actually conducted a consumer survey and conducted that research. And we found that - I think it's something like over 40 or 50% of millennials and Gen Z have encountered this type of scam. And so I think the misconception is that maybe, you know, older people that are not as tech-savvy are more vulnerable to this type of scam. But it really - you know, it really impacts everybody. 

Dave Bittner: Was there ever a point along the way where you felt as though maybe they were on to you? 

Jane Lee: I don't. I hope not. I don't think so. 

Dave Bittner: (Laughter) Hard to say. 

Jane Lee: Yeah, I hope not. But I did, you know, take extra precautions, you know, in using a VoIP number and, you know, something that would be harder for them to trace. I also - because I knew I was trying to get information out of the process, I was careful not to give in too soon, if that makes sense. And so my scammer - I call him my scammer boyfriend, but, you know, I did not buy in when he first mentioned crypto investments to me. Eventually, the conversation always comes to how financially successful they are, how they have financial freedom, things of that sort. And I - when they first mentioned it, I kind of was - just brushed it off and said, oh, that's cool. You know, didn't really give it much attention. And then eventually, as the conversation continued and, you know, weeks had gone by, I finally said, OK, you know, I'm interested. Why don't you tell me more? Yeah. So I hope not. I don't think so because otherwise, I don't think they would have sent me as much information as they did. 

Dave Bittner: Right. 

Jane Lee: Yeah. 

Dave Bittner: And then - so how far down the path did you go? At what point did you decide to, you know, pull the ripcord? 

Jane Lee: Yeah. So I went as far as, you know, investing in their crypto platform. So I did send over a small amount of Tether, which is a stablecoin or - yeah, is - was, at the time, a stablecoin. And immediately - you know, of course, I mentioned this earlier, they are manipulating all of the values you're seeing. So, you know, you send the money and then, hey - guess what? - in four minutes, you made $10, right? And the - my scammer boyfriend, at that point, told me, hey, look - like, look how much you made in a short period of time. You would actually make a lot more money if you were to put in a little more. Why don't you try putting in a thousand? And at that point, you know, I think I had enough information that I needed, and I was no longer comfortable, you know, giving any more than that. And so that's when I kind of just ghosted them. 

Dave Bittner: Right. 

Jane Lee: However, I have heard some victim accounts of them actually being able to withdraw the funds. So, you know, they put in a little, they're able to withdraw a little. So it's very tangible for them, which is the other added element that makes it so believable because you could actually - you actually are seeing the money, at some point. And so I think that's another important point to drive when we're talking about why this scam is so successful. 

Dave Bittner: Yeah. I want to ask you, you know, your advice on people protecting themselves from this, but I'd love to try to come at it from two directions. I mean, obviously, how do we protect ourselves from falling victim to this? But then, also, how do we protect our loved ones? 

Jane Lee: Yeah. So I'll start off with the first one because I think it involves - your last question because I think I could kind of bundle my answer up for both. So I think protecting, just, individuals and our loved ones, this - the consumer education piece is not where I would like it to be or where I think it should be. And so I think it's - you know, I said this when we first got on this podcast, but the consumer education piece and things like this podcast - not only is it important to give the victims a voice - for giving the victims a voice, but also to get the message out so that it - you know, it prevents one other person, at the very least, from falling for this. Since this story - or my research came out publicly, I've had friends of friends in my network talking about how they have encountered this. So, you know, just continuing to share about it, get the message out. 

Jane Lee: And then for us as individuals, you know, if you feel like you are talking to someone that might potentially be a scammer on the app, one, move slow, right? What these scammers typically do is they will, within the first day or two, try to get you to move off of the dating app, onto an encrypted messaging platform. And the reason why they do this is, they are hedging their risk. So they want to avoid their chances of being caught on the dating app, so they'll say, oh, let's move it over to WhatsApp. Let's move it over to Telegram. If you're uncomfortable with it, just say, hey, I'd much rather, you know, stick to this dating app. They will give you all these excuses of, hey, I'm trying to reduce my time on this app, or, you know, hey, I don't really spend much time using the app. But you know, stand up for yourself. And if you feel more comfortable sticking to the app, say so. Secondly, if you are conflicted in whether the trading platform that you are dealing with is fake or not - because like I said, the values on the app actually reflect real-time values of cryptocurrency. So if you were to Google, hey, what's the price of Bitcoin right now, or Ethereum? - it'll check out. 

Jane Lee: I would say, most trustworthy apps or crypto platforms are - well, one, they're indexed on search engines like Google, and they have a presence on the App Store - like, so the Apple Store or the Google Play Store. And so check to see if there's - they have a presence there. And then, you know, if this person then starts asking you for more and more investments or to do more and more investments, I'd always just say, proceed with caution. But I think the - you know, the first two tips of, you know, taking things slow and checking out - really doing the research on where you're putting your money into - I think those are my main two pieces of advice, I would say. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Dave, I am enthralled with - I was enthralled listening to this. First off, Jane went undercover to investigate this practice. 

Dave Bittner: Yeah. 

Joe Carrigan: This pig butchering practice - gross name, by the way. It's a term of art that I'll bet came from the people doing it. 

Dave Bittner: Yeah. 

Joe Carrigan: But these guys are always - these bad guys are always looking to step up their game because the aim of the scammer is one thing, and it's just more money. 

Dave Bittner: Yeah. 

Joe Carrigan: It's interesting that she says that these guys can target you on any platform that has a messaging capability. So it's not just dating sites, but dating sites are where they start with because this is kind of like a - she called it a romance scam on steroids. 

Dave Bittner: Yeah. 

Joe Carrigan: It's a combination of a romance scam and an investment scam. Do you remember years ago, we had the story of the Australian man who was scammed out of his retirement savings by a - somebody posing as an investment firm saying, we have these investments? And he was putting - he put a small amount of his retirement in there because he'd never heard of these guys. And then they show him a website where his money gets bigger and bigger and bigger, and eventually, he transfers all of his money over there. And once they're like, hey, you know, we're looking for more - he's like, I'm out of money. That's all my money. And they just shut down and went away. 

Dave Bittner: Right. 

Joe Carrigan: That was it. 

Dave Bittner: Right. 

Joe Carrigan: They got away with a lot of money from that guy. 

Dave Bittner: Yeah. 

Joe Carrigan: This is the same thing, except they're doing it with crypto. 

Dave Bittner: Yeah. 

Joe Carrigan: When Jane says that if you lay all the facts out, it seems obvious - right? 

Dave Bittner: Yeah. 

Joe Carrigan: That is a great perspective from the outside of the situation, which is kind of why it's important to have input from other people and to discuss things with people, to have them go, I think you need to be careful here. 

Dave Bittner: Right. 

Joe Carrigan: Because I'm an outside observer, and here's what I see. Right? You might not see them on the inside of this scam. And to highlight that point, I want to talk about one of the most remarkable things from this interview, and that is when she was talking about her own emotional response to these scammers' compliments and things of that nature. 

Dave Bittner: Yeah. 

Joe Carrigan: Jane knows that she's dealing with a scammer, and she still gets that heart flutter. She experiences this emotional response trying to research bad guys. And if she's doing that while she's doing this research, how does that - it's much more easy to understand why people fall for this. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? Because she's getting the emotional response from someone she knows is a liar. 

Dave Bittner: Right (laughter). 

Joe Carrigan: She knows what this guy is. 

Dave Bittner: Right. Right. 

Joe Carrigan: And if you don't know that, it's - I think it's a lot easier to fall for this. 

Dave Bittner: It really points to how much - or so much of this is hardwired into us. 

Joe Carrigan: Yeah. 

Dave Bittner: You know? 

Joe Carrigan: It is. 

Dave Bittner: Yeah. 

Joe Carrigan: These exchanges they use are really good. I wouldn't be surprised if there are kits out there that you can buy that do this, right? They link to some bitcoin feed that just produces prices. Those feeds are out there. And you can probably just use an API to read a bitcoin price and get an accurate real-time bitcoin quote and show that on the webpage. 

Dave Bittner: Yeah. 

Joe Carrigan: It looks right with these correct prices. I love the story she tells about baiting her scammer boyfriend. She said just being on the app was enough - that just being there and - what did she say? - 40% of millennials and Generation Z have gotten these kind of attacks. 

Dave Bittner: Wow. 

Joe Carrigan: So these guys are going after everybody. 

Dave Bittner: Yeah. 

Joe Carrigan: It's interesting that they try to match your profile for 100%. So they look at your profile, and then they build their profile to match it. And then they reach out to you. So... 

Dave Bittner: So they are literally too good to be true. 

Joe Carrigan: Right, exactly. They're literally too good to be true. You probably won't match 100% with anybody. I mean... 

Dave Bittner: Right. 

Joe Carrigan: ...There are things that my wife and I will never agree on. 

Dave Bittner: (Laughter). 

Joe Carrigan: Right? We've been married 20 - 27 years, 28 years - a long time. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Twenty-seven years. I like that she actually sent the guy a small amount of money in Tether. I don't remember if Tether is the one that had that crisis and it became worthless, but she did the research before that happened. And then the guy says, hey, let's try a thousand. Look how much money you're making. 

Dave Bittner: Right. 

Joe Carrigan: Right? And they even let people withdraw small amounts sometimes. That's - I think that's really clever. When Jane is talking, she says, look for the telltale signs that are, like, a quick move to another platform. Dating apps don't want these guys on their platform. And the bad guys don't want to get caught and have their account shut down, right? 

Dave Bittner: Right, right. 

Joe Carrigan: Look for fast-moving romance and research the exchange. My advice is learn to recognize the pattern. There's a pattern here in this kind of attack. And it's - you start with somebody who matches 100%. They're fast-moving off the dating platform, right? They - tons of compliments, and they want to move the relationship faster. They talk about their financial success with crypto. They make promises of fantastic gifts that never really materialize. I mean - but you would feel like a bad person. You go, hey, where is that $25,000 bottle of wine you promised me? I never got that. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: Right? I mean, what kind of person says that? Nobody says that. 

Dave Bittner: Yeah. 

Joe Carrigan: They're going to share their success with you and try this exchange. It's a new exchange. We just started it. Right? All these things match up to a pattern that is what this scam is. And I think that pattern recognition - that's something humans are really good at. So when you start seeing these things or if somebody starts pointing this out to you, you need to be receptive of it. 

Joe Carrigan: Now, remember, these guys are going to try to isolate you. Right? Because it's also part romance scam, they're going to say, your friend is jealous of our happiness. 

Dave Bittner: Right, right. 

Joe Carrigan: They're going to say all kinds of terrible things like that to try to keep you away from your friends so that they can keep you away from your money. I think this was a fascinating interview. I'm really glad we had Jane on the show. 

Dave Bittner: Yeah. 

Joe Carrigan: It's awesome. 

Dave Bittner: Absolutely. Well, again, our thanks to Jane Lee for taking the time. We do appreciate her joining us. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.