Hacking Humans 4.6.23
Ep 238 | 4.6.23

Protecting against financial cybercrimes.


Keith Houston: The local people going after local people is actually increasing quite a bit because it's easier to learn how to do these scams now. You can buy a kit online, go on the dark web or certain Facebook group chats. You can buy a kit and learn how to scam your neighbor.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast. Where each week, we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Keith Houston. He is chief prosecutor for cyber and financial crime at the Harris County District Attorney's Office in Houston, Texas. He is sharing some stories about scams that have come through his office, as well as advice on how to best protect yourself. All right, Joe. Before we get to our stories here, we have some follow up. What do you got for us?

Joe Carrigan: Yeah, this is an interesting thing. It's scary, actually, very scary, that Neville wrote in and told us about. He says, "Dear Dave and Joe. I just came across this interesting but scary news item that described a pendrive bomb or a USB drive bomb."

Dave Bittner: Yeah.

Joe Carrigan: Yet another reason to not plug in pendrives from unknown sources.

Dave Bittner: Yeah.

Joe Carrigan: What do you do when you're a reporter and someone sends you a scoop in a pendrive? And it's a link to --

Dave Bittner: Give it to the reporter in the booth next to you.

Joe Carrigan: Right, yeah. It's a link to a BBC article that talks about an attack on these reporters in Ecuador.

Dave Bittner: Huh.

Joe Carrigan: Where they sent- somebody sent a bunch of small bombs that were- that would detonate when they were plugged in to a USB port.

Dave Bittner: Wow.

Joe Carrigan: So that's terrifying to me. Dave Bittner: Hm.

Joe Carrigan: These reporters apparently were getting into something they didn't- that somebody didn't want them to get into.

Dave Bittner: Right.

Joe Carrigan: So this essentially just an act of terror was carried out on them. One person was injured. No one was killed. There were numerous devices sent in and it was- it had a note on it that said, "Hey, here's a scoop for ya."

Dave Bittner: Oh.

Joe Carrigan: In Spanish. Yeah, I'm not as fluent in Spanish as I need to be, but it's --

Dave Bittner: Yeah.

Joe Carrigan: You know, it's there. And the guy that got injured had his hand injured when it happened because presumably, he was touching the device.

Dave Bittner: Right, right.

Joe Carrigan: Somebody wants to send these guys a message. Graham Cluley, who also had an article on this, noted that these attacks are rare, but digital attacks are not so rare. So a friend of the show had an article, as well.

Dave Bittner: Yeah.

Joe Carrigan: And now here's my question for you, Dave. Do we use this story as an example of worst-case scenario or is that just fear mongering? I think it's fear mongering.

Dave Bittner: I, yes, I mean I don't think this is something- I don't think this is a fear we should put into people. It's not a realistic fear. I mean, this was a specific case of someone who was targeted.

Joe Carrigan: Yes.
Dave Bittner: By bad people. I'm gonna presume organized crime. Joe Carrigan: Probably, yeah.

Dave Bittner: Yeah, going after them. I do recall- haven't we talked about devices that are designed to just damage your computer, like they'll blow out your USB port?

Joe Carrigan: Yeah, the- that works very similarly. Because what happens is when you plug a USB device in, the first thing that happens is it's supplied with five volts of power.

Dave Bittner: Right.

Joe Carrigan: And there's a certain amperage limit that you can- that you have. And what these other devices did was they just charged a bunch of capacitors with that five volts.

Dave Bittner: Oh, I see.

Joe Carrigan: And even if you do that at low amperage, it's fine. But what they do is once the capacitors were filled is they would just dump all that amperage back across the circuit board, back across the interface, I think over the data lines into the computer. And either burn up the USB or possibly reach further into the- it's a power surge, essentially, deliberate power surge.

Dave Bittner: Huh, okay.
Joe Carrigan: Now I have a way to get around this and to defend against it. Dave Bittner: Okay.

Joe Carrigan: So if you're a reporter and you get, "Hey, here's a scoop." You can just get an extension cord and get one of those USB charging bricks that has a USB plug on the end of it.

Dave Bittner: Unh-huh.

Joe Carrigan: And then plug the USB into that, plug that into the end of the extension cord, then walk to the end of the, you know, extension cord, 100 feet away.

Dave Bittner: Walk around the corner.

Joe Carrigan: Right, around the corner, and plug it in.

Dave Bittner: Okay.

Joe Carrigan: And if you hear a loud pop, then you just saved yourself some injury and possibly your life.

Dave Bittner: I don't know. I think if this is in your risk profile or that exploding USB devices are in your risk profile.

Joe Carrigan: Yeah.
Dave Bittner: Maybe you're going to know that and have some kind of

relationship with your local bomb squad or something. I don't know. I- maybe I'd put it inside of a safe. I don't know. It just seems like better safe than sorry when it comes to explosives, right?

Joe Carrigan: Yeah, I would agree. I don't know. Aside from what I just described, I don't know how you discern if this is a bomb or not.

Dave Bittner: I guess you could x-ray it. Joe Carrigan: You could x-ray it.
Dave Bittner: Right?
Joe Carrigan: Yeah.

Dave Bittner: That would probably work. Joe Carrigan: Yep.

Dave Bittner: Yeah. Just visit your local airport and just ask the people there. They just love when strangers ask them to x-ray things.

Joe Carrigan: Yeah, x-ray this for me.
Dave Bittner: 'Cause they're not very busy.
Joe Carrigan: One thing- one word they love here at the airport is bomb, right?

Dave Bittner: Right. Right, exactly. Say, "Listen, I'm not sure. This may be explosive. Will you just run this through for me? I just I'm just curious, really." Yeah, that'll go well for you.

Joe Carrigan: Yeah, don't ever, ever say the word bomb even as a joke in the airport.

Dave Bittner: No. No, that will not end well for you. Joe Carrigan: Yeah.

Dave Bittner: All right, well, our thanks to Nevile for sending that in. We do appreciate it. We would love to hear from you. If you've got some follow up for us, you can e-mail us. It's hackinghumans @thecyberwire.com. Joe, let's dig into our stories here. What do you got for us this week?

Joe Carrigan: So, Dave, last week, I had the warning from the FTC about artificial intelligence scam calls.

Dave Bittner: Yes.

Joe Carrigan: And this week, I actually have two links to articles from the CBC, that's the Canadian Broadcasting Company.

Dave Bittner: Right.

Joe Carrigan: And the first one is a YouTube video of a broadcast with Mark Quinn, who's a reporter for the CBC. Talking about somebody getting scammed out of ten grand with one of these family emergency scam calls.

Dave Bittner: Ooh.

Joe Carrigan: And the woman is actually on camera in this one and she says it sounded like her son, if I'm remembering this correctly. It sounded like her son on the phone but he had- it sounded like he had a cold. And he said, "Do you have a cold?" And the response was, "Yes, I have a cold, but it's not COVID, so I'm going to be fine."

Dave Bittner: Hm.

Joe Carrigan: And then the guy puts the other scammer on the phone who's pretending to be a police officer. They're saying this guy's been in a car accident and he's being held in custody.

Dave Bittner: Oh.

Joe Carrigan: And he needs about $10,000 in bail, or maybe it was a lawyer, but it's- so this scam is now happening.

Dave Bittner: Yeah.

Joe Carrigan: There's another story. This is actually a written story that we'll put a link to, as well, from Ryan Cooke from the CBC, where he talks about a grandparent scam with voice cloning, where this person lost $200,000.

Dave Bittner: Oof, wow.

Joe Carrigan: Which is a lot of money to lose.

Dave Bittner: Yeah.

Joe Carrigan: I can't begin to imagine the impact this is having on this family. But these attacks are happening now apparently in Canadia.

Joe Carrigan: In Canadia.

Joe Carrigan: I have jokingly said Canadia so many times. It's how I say Canada.

Dave Bittner: Okay.

Joe Carrigan: Oh, my gosh.

Dave Bittner: Well, the Mounties are gonna look down their noses at you at the border next time you try to cross there, Joe.

Joe Carrigan: Yeah, that's fine. I look down my nose back at them. Of course, they're on horses, so I can't look down at them at all. So this is becoming a- an issue now, at least as far it's happening in Canada. It's not- I don't know that I've seen any stories of it happening here in the US, but that doesn't mean that the US is invulnerable.

Dave Bittner: Of course.

Joe Carrigan: I am really concerned about this issue. This voice cloning has now gotten good enough. Now Dave, I want to ask you this question.

Dave Bittner: Yes.

Joe Carrigan: Because in the past, you have said you are dubious of these kind of claims.

Dave Bittner: Mm-hmm.
Joe Carrigan: Are you still so dubious?
Dave Bittner: No, not anymore.
Joe Carrigan: No?
Dave Bittner: No. I think it's completely plausible now. Joe Carrigan: Yep.

Dave Bittner: I think when we last talked about it, absolutely. I- 'cause we tri- remember, we traced it down and it was one of those things where it was kind of like a game of journalistic telephone.

Joe Carrigan: Right.

Dave Bittner: Where one journalist reported something- or I think a journalist made a conclusion that wasn't exactly 100% right and that became the standard and it just sort of ran from there.

Joe Carrigan: Right.

Dave Bittner: And I was never able to find any confirmation. In fact, I had got in touch with some people who were directly involved with the story and it turned out that it had never happened. Like it was more like, well, it could happen. This may be what happened. It was kind of like when a big company gets hit

with some ransomeware or something and they say, "You know, this- it was sophisticated actors. There must have been nation state folks who came after us." Rather than, you know, it was Bob in his basement with a --

Joe Carrigan: "There's nothing we could have done."

Dave Bittner: Right, right. So it was that sort of thing, but what was that, maybe six months, a year ago.

Joe Carrigan: Right.
Dave Bittner: A lot has changed since then and --

Joe Carrigan: Yeah, these models were out there, these- well, not models. They're- I don't know if they're- you make a model and then that becomes a- it generates speech based on a model.

Dave Bittner: Right, and they are so good.

Joe Carrigan: They are pretty good.

Dave Bittner: I mean, I could easily imagine just taking what you- hundreds of little sound clips of, you know, what we jokingly refer to here at the CyberWire as Robo Dave, which is the synthesized version of my voice.

Joe Carrigan: Right.

Dave Bittner: And just creating a soundboard. You know, soundboard software is where you just have a bunch of buttons and each of those buttons is assigned to different sound. And they could just be responses in my voice. Totally convincing. And you could easily play that game real time. And if you needed something really specific, you could have one person, you know, doing a- like a cough sound effect and just saying, "Hold on. Hold on, sorry. [Cough] You know, I got something in my throat." Meanwhile, their partner is typing in his answer to have the synthesizer generate a specific answer to respond.

Joe Carrigan: Right.

Dave Bittner: So, yeah, I- they won- won me over is probably the wrong way to say it, but yeah. I believe it's totally plausible now, so.

Joe Carrigan: I do, too. I do, too. I think that this is- I've played with the one that you recommended to me, the one we played a sample from- of your voice synthesized with this.

Dave Bittner: Right.
Joe Carrigan: And let- something 11. Let --

Dave Bittner: That was from elevenlabs.io.
Joe Carrigan: elevenlabs.io.
Dave Bittner: Yeah.
Joe Carrigan: I played with that a little bit at home and it's pretty darn good. Dave Bittner: Yeah, and it's only gonna get better.

Joe Carrigan: Yep.
Dave Bittner: Yep. All right, is that it for you? Joe Carrigan: That's it for me, Dave.

Dave Bittner: All right. All right, well, we will have links to those stories in our show notes. My story this week comes from the folks over at Akamai. This is some research that they recently published and it's titled the most common combosquatting keyword is support. Joe, combosquatting. Mean anything to you?

Joe Carrigan: That is a new one to me, Dave. I'd like to know what the definition of combosquatting is before we move on.

Dave Bittner: Right. Combosquatting is not when you accidentally sit on your bag of delicious Combos that you just bought from the convenience store.

Joe Carrigan: Oh, that's heartbreaking when that happens.

Dave Bittner: Right.

Joe Carrigan: Every time we go on a plane, my wife buys a bag of Combos.

Dave Bittner: You know, that's funny. Combos are an airplane food for me, too.

Joe Carrigan: Really?

Dave Bittner: I don't know why. I don't seek them out any other time. I guess --

Joe Carrigan: Yeah, it's the same with my wife. She gets them at the Hudson News at the airport.

Dave Bittner: Yes. I do the same thing. Joe Carrigan: Yeah.

Dave Bittner: I think maybe it's just a very airplane-friendly food. It's not messy. It does, you know, stick to your ribs a bit, so, yeah, interesting.

Joe Carrigan: But it's not that. Dave Bittner: It's not that, no.

Joe Carrigan: Combosquatting has nothing to do with sitting on a delicious bag of Combos.

Dave Bittner: Right, as our listeners are screaming into their mobile devices saying, "Get to the point!"

Joe Carrigan: Right.

Dave Bittner: So combosquatting is kind of like typosquatting, which we've talked about before.

Joe Carrigan: Correct.

Dave Bittner: So typosquatting, you can describe that for us, Joe.

Joe Carrigan: Typosquatting is a great social engineering trick that relies on somebody mistyping a word. And my favorite example of this is when I was showing my boss the really cool site, this predates Facebook, highschoolalumni.com, I accidentally typed highschoolalimni. And if you look at your keyboard, the I is right next to the U. And that was just a sight that exploded popups filled with porn on my computer as my boss was standing behind me. But that's a great example of typosquatting.

Dave Bittner: Yeah, yeah. So combosquatting, similarly, is combining multiple words to make a domain name. So, for example, let's say that I wanted to do business with my favorite tech company, Carrigan Industries.

Joe Carrigan:

Dave Bittner:

Joe Carrigan:

Dave Bittner:

Joe Carrigan:

Dave Bittner:

Joe Carrigan:

Dave Bittner: support.com.

Joe Carrigan:

Carrigan Industries. Right?

So Carrigan Industries has carrigan.com as their domain address.

I wish I had that domain address. In our little fictitious thing here.

Somebody else already has it.
Yeah. So there's nothing keeping me from registering carrigan-


Dave Bittner: Or carrigan-help.com.
Joe Carrigan: Yes.
Dave Bittner: Or any combination of those sorts of things. Joe Carrigan: Mm-hmm.

Dave Bittner: And combosquatting is just that. It's taking combinations of words, usually using a popular brand name, or something that people are familiar with, and then adding something to it to make a new domain. And how this kind of short circuits people's analysis is that they see the legit name in the URL.

Joe Carrigan: Right.
Dave Bittner: In this case, they see the word Carrigan and it's spelled correctly. Joe Carrigan: Yes.
Dave Bittner: And there are no funny characters.
Joe Carrigan: The- it's just followed by a dash and then the word support.
Dave Bittner: That's right.
Joe Carrigan: Yep.

Dave Bittner: And it's also plausible that a big international company like Carrigan Industries would have multiple domains to handle different things in their operations.

Joe Carrigan: Of course, we do. Why wouldn't we do that? Dave Bittner: Right.
Joe Carrigan: I- what we do is put support.carrigan.com. Dave Bittner: Right.

Joe Carrigan: Right. That's what normal peo- what normal companies do. Dave Bittner: Yes.

Joe Carrigan: In fact, if you want to go to Microsoft support, that's what you do. You go to support.microsoft.com, not microsoft-tech-support.com.

Dave Bittner: Right. Right. So when people see that, many people don't think much of it. And --

Joe Carrigan: Correct.

Dave Bittner: -- because of that, combosquatting has become very popular because it works.

Joe Carrigan: I'll bet it does, yeah. Does this research tell how well it works?

Dave Bittner: They do. They say that, well, first of all, they say that the most popular combo word is support, so carrigan-support.com or, you know, microsoft-support.com. And just add support to anything and that seems to get through people's filters. So back in 2022, Akamai analyzed this and they said that combosquatting was the most commonly observed cybersquatting type in terms of unique domain names. So what they're saying is that they're using combosquatting as part of their attack vector more than other types of squatting.

Joe Carrigan: Probably because it's easier than coming up with something that looks like Microsoft that's really like rnrnicrosoft, right?

Dave Bittner: Mm-hmm. Mm-hmm. Yeah. So they said some of the keywords to be careful of that come up a lot are words like verification, account, login, the word now, the word alert, the word free, the word promo. These are all kind of what seem to be benign words on their own and make sense as part of a company's day-to-day operations, but they are not, in this case. Let me just list some of the most popular ones here. We already said that support is the most popular keyword.

Joe Carrigan: Right.

Dave Bittner: Com is number two, login is number three, help if four, secure is five, www is six, which is interesting because you could do like you could put- stick it on the other side of a word and say www --

Joe Carrigan: dash.

Dave Bittner: -- carrigan.com.

Joe Carrigan: Right.

Dave Bittner: And you just get rid of that dot in there. People don't see that and off they go.

Joe Carrigan: Yeah, 'cause everybody's conditioned to go to www.carrigan.com. Dave Bittner: Yeah.

Joe Carrigan: That is a completely different domain name than wwwcarrigan.com.

Dave Bittner: Right.
Joe Carrigan: It's- I don't want to get into how domain name resolution works. Dave Bittner: Good.
Joe Carrigan: But suffice it to say that would return a different ID address.

Dave Bittner: Right, right. And then rounding out the top ten are the words account, app, verify, and service. So I think this is something to be mindful of. Again, if you want to get to a company, the best way to do it is through their front door.

Joe Carrigan: Correct.

Dave Bittner: And I hate to say it, but these days, it's hard to even trust Google for something like that because --

Joe Carrigan: Yeah. Google has gotten a little bit better. I was thinking about this today as I was looking at some search results.

Dave Bittner: Yeah.

Joe Carrigan: They don't have that little ad that blends into the back of the background, anymore.

Dave Bittner: Mm-hmm.

Joe Carrigan: They now have bold, black text that says sponsored.

Dave Bittner: Right.

Joe Carrigan: Still not great, but better than the old blended in the background ad.

Dave Bittner: Yeah, I mean my advice would be never click on one of those sponsored links because that's how the bad guys buy your traffic.

Joe Carrigan: Yeah.

Dave Bittner: But then also just be super-mindful because it's not just that they're buying the links. It's they're gaming the search engine optimization to get up towards the top of the listings, as well.

Joe Carrigan: Right.

Dave Bittner: So just- you just got to be vigilant. And sad to say, it's getting harder and harder because they're getting more and more clever. So we'll have a link to this research from Akamai. I think it's interesting stuff. I think the thing

to share with your friends and family is just let them know that this is a thing. And that if you see these artificially-extended versions of brand names you already know, there's a decent chance that somebody's up to no good. All right, we will have a link to that story in our show notes. Joe, it is time to move on to our Catch of the Day.

Joe Carrigan: Dave, our Catch of the Day comes from Shawn, who writes, "Received an e-mail warning from HR today. I've included the full message and the image below." And the e-mail from HR reads, "Several employees have reported receiving suspicious letters in the mail appearing to come from human resources. These letters contain a phony thank you card, a $100 gift card, as well as a USB thumb drive. Please exercise extreme caution if you receive such a letter. Do not insert the USB into your laptop and e-mail our SIRT, that's Security Incidence Response Team, immediately to report it." And Dave, can you take a look at this picture right here?

Dave Bittner: Yeah.
Joe Carrigan: Look at this.

Dave Bittner: Yeah. So what we've got here, a number of things. First of all, our listener includes the- or the photo includes the outside of the envelope.

Joe Carrigan: Mm-hmm.

Dave Bittner: Which has the address of the place they're sending it. Interesting to me that these scammers paid over $5 in postage to send this.

Joe Carrigan: Right, right.
Dave Bittner: That's, you know, that's an investment.

Joe Carrigan: The letter says at the top of it, there's a little card that says, "A huge thank you for giving your best each day, for never giving up, and for being a team player."

Dave Bittner: Mm-hmm.

Joe Carrigan: It says, "A token of- as a token of our appreciation, please enjoy this gift card. It can be used to purchase items on the enclosed flash drive."

Dave Bittner: Oh.

Joe Carrigan: Right? So that's how they get you to plug the flash drive in.

Dave Bittner: Huh. So they're kind of framing it as saying, "We've set up some kind of corporate store and the contents of that are on this flash drive." That's


Joe Carrigan: Yeah.

Dave Bittner: Mm-hmm.

Joe Carrigan: I can see how that might work. I have a couple of things I've noticed about this package.

Dave Bittner: Yeah.

Joe Carrigan: Number one, the address that you send it- that it's sent to and the return address are both the same address.

Dave Bittner: Mm-hmm.

Joe Carrigan: Right? That tells me two things. Number one, I would be, as an employee of this company, I would be why did they mail it?

Dave Bittner: Right.

Joe Carrigan: Why did they spend $5.10 to mail it to me when they could have just walked it over here?

Dave Bittner: Yeah.

Joe Carrigan: And two, it's clear that they wanted this plugged in to a corporate asset.

Dave Bittner: Mm, mm-hmm.

Joe Carrigan: The postmark is from a state that's about halfway across the country.

Dave Bittner: Oh, I didn't notice that.

Joe Carrigan: That would have been something else that sent up a red flag for me, I think.

Dave Bittner: Mm-hmm, yeah.

Joe Carrigan: Also, I have worked at large companies, and if I ever did that again, I would be very suspicious about anything that came from HR that says- starts with the words, "A huge thank you."

Dave Bittner: Go on.
Joe Carrigan: I'm just a little bit bitter about HR people from large companies. Dave Bittner: I see, okay, is a little cynical there.

Joe Carrigan: Yeah, is a little cynical, yeah. "Oh, a huge thank you." Yeah, right. Shawn goes on to say that you have to respect these- the creative approach and the investment on behalf of these attackers.

Dave Bittner: Right.

Joe Carrigan: The $100 gift card is probably stolen and never activated, which is probably correct.

Dave Bittner: Just taken off the shelf.

Joe Carrigan: Taken off the shelf and they walk out the store with it.

Dave Bittner: Right.

Joe Carrigan: Still, they spent $5 per attack in postage plus whatever it cost them to buy the USB drives.

Dave Bittner: Yeah.

Joe Carrigan: Now this looks like a particularly cheap USB drive.

Dave Bittner: Right.

Joe Carrigan: It might not even be a USB drive. It might be a rubber duck.

Dave Bittner: Who knows?

Joe Carrigan: You know, which is a- like a fake keyboard that goes in and enters a bunch of commands.

Dave Bittner: Yeah. Who knows, but I think you're right. It seems as though this is specifically targeting enterprise or tech organiz- well, in this case, perhaps a tech organization. But this is a way to get inside a business' systems. This is not --

Joe Carrigan: Right, they're just trying to get in there and then they're gonna try to do some business e-mail compromise. I think that's the next step because that's- or it might be ransomware, but I don't know. I would lean toward business e-mail compromise 'cause that's much more profitable.

Dave Bittner: Mm-hmm. Mm-hmm. All right, well, thanks to Shawn for sending this in. That is interesting, for sure. Again, we would love to hear from you. Our e-mail address is hackinghumans @thecyberwire.com.

Dave Bittner: Joe, I recently had the pleasure of speaking with Keith Houston. He is chief prosecutor of cybercrimes in Harris County, Texas. And he was kind

enough to reach out to us and let us know that he had some interesting stories to share. Here's my conversation with Keith Houston.

Keith Houston: I did casino surveillance for about ten years. I grew up in Las Vegas and started working in the casino industry when I was about 16 as a dishwasher. And then got into the hotel industry part of it, then into security, and eventually into surveillance. I've basically been chasing conmen my entire life, so.

Dave Bittner: Well, what are your insights from that part of your job? I mean, for folks who may not be familiar with the kinds of scams that people are trying to pull on casinos. I mean, is there- are there standard ones that you would see all the time or anything that stood out as being particularly clever?

Keith Houston: You see the, you know, the stuff you see on TV, like the card counters and stuff like that. And that's not- although we do get some of that but a lot of the theft that we saw was more like social engineering, in some ways. One of the big common ones when we still had coin in the casinos was somebody would drop a- like a $5 bill on the floor and say, "Hey, look. You dropped a $5 bill on the floor." And the person would bend over to pick it up. Somebody on the other side of the machine would reach between the machines and take their buckets of coin. So it's just a distract and grab bit. It's just a matter of applying to people's greed, I guess.

Keith Houston: Oh, look, right.

Keith Houston: Free $5, but I just lost the money I had from the slot machine, so.

Dave Bittner: Right. And from your security point of view, you know, the infamous eye in the sky, was it pretty obvious to you all when someone was working these sorts of scams? Did you just get an eye for it after a while?

Keith Houston: Yes, you definitely get an eye for it after a while. And I was lucky enough to be trained by somebody who had been working in the casin- well, he actually was a cheater, I guess, the casinos in the '60s and '70s. And got hired by the casinos to train people to catch people like himself after he got out of prison. But you do get a knack for it. One of the reasons why I think a lot of employers have procedures is when people are not following the procedures, you can notice it really quickly. When they're following the procedures, it's typically harder to steal.

Dave Bittner: Now that's interesting. So take us through your professional journey, then. What led you to where you are today?

Keith Houston: Well, I was working in the casino industry for a long time. I got married, decided to go back to school. I hadn't got my bachelor's degree. I went back pretty much just to get a degree so I could move up in the casino

industry, but while I was doing that, my first child was born and she had some medical complications. She's disabled and the Las Vegas area was just not suitable for her medical needs, at that time. I mean, this was about 20 years ago, so Vegas was still growing to what it is now. So I had to make a career choice of what I wanted to do. It's like, well, if I don't do this, I'd rather do some sort of prosecution.

Keith Houston: So I moved to Texas, I moved to Dallas-Fort Worth area and went to law school. Graduated in 2009, which was about the worst time you could graduate law school 'cause of the economy. Ended up working in Amarillo for three years, which I loved. I loved it up there. It was lots of good people and I got a nice taste of everything you could possibly think of under the law. Came to Houston and Harris County when a spot opened up here, mainly because my daughter's medical was better suited down here, and it's a big office where I can specialize.

Dave Bittner: So what is your day to day like these days? What sort of things take up your time?

Keith Houston: Most days- it depends on the day. We typically go to court early in the mornings. I don't have any court scheduled for a couple of hours, so I have some time available this morning. But typically, we're either due in court in the morning or sometimes we're assisting on investigations. For example, like last week, I brought somebody in that was already charged. They came in and they wanted to talk because they realized that the people that recruited them are much more responsible than they are. And so they wanted to try and cooperate in order to get a better sentence.

Keith Houston: So we do a lot of talking with people, a lot of investigative work, mostly assisting investigators. We don't do the investigation ourselves. It's like Law & Order. We just prosecute the cases they bring us, so.

Dave Bittner: I see. And what sorts of things are being pursued? I mean, can you give us some insights as to, you know, what are the things, the types of scams that folks like yourself feel rise to the level that it's worth pursuing them?

Keith Houston: My position got started about five years ago because there were a lot of lower-level cases that just weren't being pursued. The FBI had the cases, they investigated them. But the US Attorney's office was shorthanded, didn't have enough people, and they just were- they had to have a cutoff point of what they were accepting. So we started- they started bringing those cases to me at the state level and those were, you know, business e-mail compromise, romance scams. Most of them were lower level. Lower level for a BEC is under a million, so but in the state of Texas, any value-based crime of $300,000 or more is a first-degree felony. So it's- you can have some serious consequences.

Keith Houston: Right now, we've been seeing a lot of different uses for money mules, particularly in check washing and cashing seems to be the latest trend. People stealing mail from the outside mailboxes, washing the checks with some sort of chemical, and then recruiting money mules to open up accounts, cash the checks, and forward the money on. Still see a lot of money mules being used for BEC and romance scams. Occasionally, we do get money mules that have been scammed themselves, that really aren't benefitting from the crime. Typically if you are not benefitting from the crime in some monetary way, we're probably not gonna prosecute you. If it's a situation that's, you know, case by case.

Dave Bittner: Yeah. I think there's a perception out there that a lot of these sorts of crimes are coming from folks who are overseas. I mean, to what degree is this a local issue where, you know, local people are going after other local people?

Keith Houston: The local people going after local people is actually increasing quite a bit because it's easier to learn how to do these scams now. You can
buy a kit online, go on the dark web or certain Facebook group chats. You can buy a kit and learn how to scam your neighbor. Typically, most of these scams- I'll give you an example of a case that I had that was a- we've closed out all the cases on it now.

Keith Houston: It started about four years ago. Airline company was buying another airplane from another company. Money was sent here to Houston. Five different people were prosecuted at the lowest level. We prosecuted those five people all locally. They give us the four people above them in the chain. We prosecuted all of them. They gave us the three people above them all in the chain. And all these people are local. One of the three in the top gave us the actually hacker who was in Nigeria.

Keith Houston: So a lot of the organization is at the local level because these crimes really don't work unless you have some way to monetize it and that's what they're doing with the money mules. They're using money mules to monetize it.

Dave Bittner: Do you work in collaboration with the FBI?

Keith Houston: Yes, the FBI has a Cybercrimes Task Force with the Houston Police Department where Houston police officers are embedded with them. And they bring me stuff all the time. I also get stuff from the postal inspectors, occasionally stuff from the US Treasury, the Secret Service. There's, I think, 82 local law enforcement agencies in Harris County, the sheriff's office, we've got constables, all these little cities, they have their own police departments.

Keith Houston: A lot of the smaller departments, we will help them when they get these cases 'cause they usually get them and have no clue what they're

looking at. So we'll- and the FBI and Houston Police Department have been very good in assisting a lot of these lower agencies, lower- not lower agencies, but just lower-knowledge agencies.

Dave Bittner: Right.
Keith Houston: In doing these scams.

Dave Bittner: What about the judges? How up to speed are they when it comes to these sorts of things? Do you find yourself having to explain things or at we at the point now where they're up to- they know what's going on?

Keith Houston: The judges aren't- are pretty savvy with the basic knowledge. Grand juries are the most interesting 'cause, you know, it's 12 people off the street that are sitting there in a room and they decide whether there's going to be an indictment or not. Every time there's a new grand jury, I go down, and talk to them, and just give them a ten-minute introduction to what I do and how it affects the community. And then I'll start going into the cases. And then while that grand jury is in session, I'll go back to them during that time.

Keith Houston: With the judges, it's hit or miss. I mean, the vast majority of them have a good base knowledge or want to know more. There is some differences in approaches to how they handle the crimes, but generally, everybody has a good knowledge of it.

Dave Bittner: I see. Do you feel as though you and your colleagues are making a dent in what's going on down there? Is- do you have the resources you need to make a difference?

Keith Houston: Right now, we do need more resources, but it's been growing exponentially every year. When I started five years ago, nobody had been prosecuting the lower-level offenders here in the Houston area for some time. And we actually saw a drop the first year we had this position going because people started looking elsewhere to send- to use money mules and stuff. Of course, that only lasted about a year before the- just the volume of cybercrime overtook it, and since then, we've stayed pretty much the same level.

Keith Houston: But in like my department, we typically have like it's myself. I'm also part of the Financial Crimes Division, which usually consists of about 15 attorneys. Right now, we're at ten attorneys, but each one of those ten attorneys has a case that could be considered a cybercrime. It's just taking over all of the financial crimes now. There's some sort of cybercrime aspect.

Dave Bittner: What are your recommendations for folks who are looking to protect themselves, you know, based on the things that you see every day here. Are there suggestions you have for folks?

Keith Houston: Never, ever, ever accept money on behalf of somebody else.

Don't. Don't let them transfer money to your bank account. In most states, I believe all, but I'm not 100% sure, engaging in the business of money transmission is a felony. You're basically acting as a banker without a license.

Keith Houston: I also tell people if you get friend requests from somebody that you don't know, do a reverse image search, especially if somebody meets you on social media and then wants to get you off social media. Most social media platforms are actually decent at finding scammers, so usually detect somebody as a possible scammer within three weeks to a month and kick them off. So a lot of these people will try and get you on to a different platform, like Discord, or WhatsApp, or something else where they can communicate.

Keith Houston: The final thing would be to freeze your credit. That's one thing that I did a few years ago after I had a couple of identity theft scares. It's kind of a pain if you're gonna apply for something. You've got to remember to unfreeze all of your credit for 24 hours or so, but I haven't had a single problem since I've done that.

Dave Bittner: Joe, what do you think?

Joe Carrigan: I'm really glad Keith did this interview. Keith is actually one of my LinkedIn connections.

Dave Bittner: Ah, very nice.

Joe Carrigan: From a while ago. A couple of episodes ago, I talked about somebody named Keith and I didn't want to give any last names, but that was Keith Houston who sent that in.

Dave Bittner: Okay.

Joe Carrigan: It was he was commenting on the scams that we didn't understand how they were going on, if you remember that then.

Dave Bittner: Ah, all right.

Joe Carrigan: He was very illuminating.

Dave Bittner: Yes.

Joe Carrigan: But first- and the other thing I wanted to say is that the story about how he got into his current position is very interesting.

Dave Bittner: Mm-hmm.

Joe Carrigan: I love this how he started off washing dishes at a casino, worked his way up into casino security, and eventually went on to get a law degree,

and is now a prosecutor in Houston, Texas.
Dave Bittner: Yeah.
Joe Carrigan: Which is great for a guy named Houston to be in Houston, Texas. Dave Bittner: Right, since- it's kismet.

Joe Carrigan: Right. I like what he's talking about the casino scams. You know, these casino scams have a glamor to them, right? 'Cause we all think immediately like Ocean's 11.

Dave Bittner: Yeah.

Joe Carrigan: But they're really just the same thing as regular scams. They're just done in the casino 'cause that's where people have money, or cash, or chips that are essentially the same as cash.

Dave Bittner: Right.

Joe Carrigan: Fungible assets. The drop and grab scam that he talks about where someone drops a $5 bill and then another person reaches in and grabs all the coins from the slot machine?

Dave Bittner: Unh-huh.

Joe Carrigan: That is absolutely something that would have worked on me.

Dave Bittner: Is that right?

Joe Carrigan: Yeah.

Dave Bittner: Yeah?

Joe Carrigan: I think that's one of the ones I would have been susceptible to. "Oh, look at that. Did I drop $5? Let me pick that up."

Dave Bittner: Mm-hmm.

Joe Carrigan: Or just getting my attention turned away from something. That would- I would have lost whatever I had in that bucket.

Dave Bittner: Yeah.

Joe Carrigan: Which would probably have happened, anyway, 'cause I'm at a casino and casinos don't make money by giving away money.

Dave Bittner: Right, right.
Joe Carrigan: Keith makes an interesting point here about people following the

procedure in a casino and that it's harder to steal when they follow the procedure and easy to spot when they don't follow the procedure. I'm seen some pretty creative thieving from casinos in- on- this is years ago I think on Discovery Channel or something like that. Somebody made sleeves that fit over top of the chips.

Dave Bittner: Oh.

Joe Carrigan: That had a different value.

Dave Bittner: Oh, that's interesting.

Joe Carrigan: So they would put like $100 chips in to the sleeve and then they- somebody would say, "Can you give me five $20 chips for this $100 chip?"

Dave Bittner: Mm-hmm.

Joe Carrigan: And then they'd get back like five $100 chips. And then they could do that all night. But the dealer had to be in on the scam.

Dave Bittner: Mm-hmm.

Joe Carrigan: But so yeah, that does- those things are always interesting to me and I'm always fascinated by it.

Dave Bittner: Yeah, I remember I have a friend who was a banker and he- there was a similar scam where people would cut the corners off of $20 bills and paste them on to dollar bills. And get change from tellers that way.

Joe Carrigan: Really?
Dave Bittner: Yeah, yeah.
Joe Carrigan: Huh.
Dave Bittner: Yeah.
Joe Carrigan: Pretty awesome. Dave Bittner: Yeah.

Joe Carrigan: Good to know. It's interesting to hear that when Keith talked about business e-mail compromise, that anything under a million dollars is lower level in business e-mail compromise.

Dave Bittner: Mm-hmm.

Joe Carrigan: And that speaks to what I was saying back in the Catch of the Day, that business e-mail compromise is a huge money maker for these


Dave Bittner: Yeah.

Joe Carrigan: It is- it's big, and I'm glad to hear that it's $300,000 to become a felony in Texas. Scammers still need money mules and that makes sense. You need to have infrastructure in the areas where you're scamming these people out of their money. However that is, you're going to need to move that money around somehow. And I'm glad to hear they do not prosecute people who don't profit from it. Something else that he says here is that essentially all financial crime now has a cyber element. So it's still the same crimes, it's just now it's all being done at some point in time over the Internet.

Dave Bittner: Right.

Joe Carrigan: And that makes sense because that's how we all communicate on a regular basis.

Dave Bittner: And it's safer, too. I think you're less likely to get punched in the mouth by some, you know, right? I mean, literal. It's that simple.

Joe Carrigan: Yeah. Yeah.

Dave Bittner: Yeah.

Joe Carrigan: It's a good point.

Dave Bittner: Yeah.

Joe Carrigan: I'm less likely to get arrested physically while I'm trying to perpetrate the scam.

Dave Bittner: Right.

Joe Carrigan: You know, those things- those are all valid points.

Dave Bittner: Yeah.

Joe Carrigan: I like Keith's list of suggestions. It's only three that he lists out here, but never take money on behalf of someone else.

Dave Bittner: Mm-hmm.

Joe Carrigan: That is a bad idea. If you take money, it's because of you. It's for you. Look for the platform change. We say this frequently and Keith points out that the major social media sites are pretty good at picking out scams- scam accounts. So what do they do? They try to get you to an end-to-end encrypted app so that there they can't be kicked off that platform nearly as easily.


Dave Bittner: Yeah.

Joe Carrigan: So that's where they do their scamming. And finally, freeze your credit, which makes it really hard for you to get a loan, but it also makes it hard for someone to get a loan in your name.

Dave Bittner: Mm-hmm. Mm-hmm.

Joe Carrigan: So just- you just have to remember, "Oh, yeah, I froze my credit. I got to go out and unfreeze it while I apply for this loan."

Dave Bittner: Right. Right, yeah. You can't maybe spontaneously apply for that credit card.

Joe Carrigan: Right, which might be a good thing.

Dave Bittner: Which might be a good thing, also. That's right. That's right. Absolutely. All right, well, again, our thanks to Keith Houston for joining us. We really do appreciate him sharing his expertise and certainly what is a unique perspective. And, of course, we're happy that he listens to the show, as well, so thanks very much.

Dave Bittner: That is our show. We want to thank Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan. Dave Bittner: Thanks for listening.