Hacking Humans 7.20.23
Ep 251 | 7.20.23

Barking up the wrong Facebook page.


Mallory Sofastaii: We tried to reach out to Twitter through their press email, and their automatic response now is a poop emoji.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show, Mallory Sofastaii, Consumer Investigator and Anchor with WMAR, returns. This time she's talking about how scammers are going after animal adoption organizations. Scoundrels.

Alright, Joe, it is good to be back. We were away for a week while I was recovering from a little dash of COVID.

Joe Carrigan: A little dash. That's how we call it now. A little dash of COVID.

Dave Bittner: I don't want to -- yeah. COVID is not fun. And while I would say I had a minor, not minor, what do you call it? Not a minor bout with it, it was not bad.

Joe Carrigan: It was survivable, apparently.

Dave Bittner: Yes. So far, so good. But --

Joe Carrigan: I was not feeling well. We didn't record in person. I think this is the first time you and I have been in the same room for about a month.

Dave Bittner: Yeah, yeah.

Joe Carrigan: Yeah.

Dave Bittner: So I wouldn't wish it on anyone, I'm glad to be done with it. Glad that I had all my shots and everything, which, you know, I assume made it less worse than it otherwise would have been. But anyway, good to be back. We've got some follow-up this week.

Joe Carrigan: We do.

Dave Bittner: What do we got, Joe?

Joe Carrigan: George wrote in to complain about Wells Fargo from our Episode 249.

Dave Bittner: Okay.

Joe Carrigan: Great. I'm mixing up the numbers, Dave. Now, I don't want to go into too much detail about his complaining about the staff at Wells Fargo and the way they run things, but suffice it to say he doesn't think they're doing a good job with customer care.

Dave Bittner: Okay.

Joe Carrigan: But I do want to highlight one of his claims from his email. He said, "When my wife had had one of her Wells Fargo accounts locked out online, due to a problem with her multi-factor authentication, she went to a local Wells Fargo branch for help. The staff and manager gave her a hard time by publicly embarrassing her with statements like she was stupid. Unfortunately, I was not there, or with her, or else I would have definitely intervened. But because this" --

Dave Bittner: Breaking news, Wells Fargo, a branch burns to the ground.

Joe Carrigan: I'm sure George is not going to burn -- George is not an arsonist, Dave.

Dave Bittner: No, no. But he will stand up for his loved ones.

Joe Carrigan: But we all feel that way sometimes. We all have the inner arsonist that says I'm, you know.

Dave Bittner: That's right. Treat someone I love this way, you will pay.

Joe Carrigan: Like Melvin from "Office Space," I'll burn this place to the ground.

Dave Bittner: Right, right.

Joe Carrigan: "But now she refuses to use multi-factor authentication on her Wells Fargo account. Because of this interaction."

Dave Bittner: Right.

Joe Carrigan: Which makes complete sense to me. George says he's put some other controls on there. I'm assuming that he has a really strong password for it.

Dave Bittner: Right.

Joe Carrigan: Which would be good. But yeah. This is, I don't doubt that this happened. I don't have any other confirmation. But I would not be surprised to see this happen.

Dave Bittner: Yeah.

Joe Carrigan: It's unfortunate. I would hazard a guess to say that it's probably localized.

Dave Bittner: I hope so.

Joe Carrigan: George was triggered by our story in Episode 249 to say you know, I had a bad experience with Wells Fargo, too.

Dave Bittner: Yeah.

Joe Carrigan: And here it is.

Dave Bittner: Yeah.

Joe Carrigan: So, you know, it's unfortunate that this kind of thing happened.

Dave Bittner: It is. And you know, look, everybody has a bad day and we all have moments we wish we could take back where we weren't as kind or gracious with other people. But if you're --

Joe Carrigan: If you work at a bank.

Dave Bittner: There's no excuse, if you're, yeah, if you're in a customer service position to, you know, shame a customer or make them feel bad about themselves. That's just unacceptable.

Joe Carrigan: Yeah, the person has come in to get their online account locked out, or unlocked, you're supposed to just help them with that. Don't ridicule them for it. It's, you know what? For a lot of people, this is the first time they're doing it. You know? There are going to be bumps in the road.

Dave Bittner: Yeah.

Joe Carrigan: Understand that.

Dave Bittner: They would no longer have my business.

Joe Carrigan: Yes. Suffice it to say, that's how I would have responded, too.

Dave Bittner: Yeah, yeah. Alright, well, our thanks to George for sending in that story. Let's jump into our stories here. My story comes from a listener named Keith who wrote in, this is a story from the Wall Street Journal written by Jaewon Kang. And it's titled "Scammers Target Stores with Bomb Threats Seeking Bitcoin and Gift Cards." So, evidently, some of the bigger, well-known national retail chains, organizations like Kroger and Wal-Mart and Amazon, Whole Foods, they have received bomb threats at stores. And it seems like this isn't localized to one area. It's happening across the nation. They're receiving bomb threats where the person, the person threatening the bomb, calls in and says that for example, a pipe bomb has been placed in the store. And if you don't pay 5,000 dollars in bitcoin, or some of them have demanded gift cards, we're going to set off the bomb. And of course, the store has to take this seriously.

Joe Carrigan: Right.

Dave Bittner: So typically we're talking about evacuating the store, calling law enforcement, bringing in a bomb squad, or at least, you know, dogs to sweep the store and so on and so forth. And I don't know what the income rate of a large store like this is. But I can imagine when you're talking about a Whole Foods or a Wal-Mart, if you shut down for a couple hours, which I think something like this would shut down the store for a couple hours, you're probably going to lose more than 5,000 dollars in revenue.

Joe Carrigan: Yes.

Dave Bittner: So I wonder if this is spreading because it's working. I wonder if there are cases where the stores are doing the math and paying off the terrorists.

Joe Carrigan: Right, yeah.

Dave Bittner: Because it's cheaper.

Joe Carrigan: I would bet -- I don't know. That would be a good, a good question to ask. A good -- I would like to know the answer to that.

Dave Bittner: Yeah. We probably would never know. I mean, they wouldn't want to publicize it. I mean, people, well, you know, here's the thing. There would certainly be coverage of the bomb threat. Because I don't suppose a store could wave off a bomb threat. Because what if a bomb goes off accidentally?

Joe Carrigan: Right.

Dave Bittner: Right? Now look, there's probably no bomb. Right? I mean, I think we can all agree, there's probably no bomb.

Joe Carrigan: If somebody calls in a bomb threat, though, and says we're going to detonate it if you don't give us the 5,000 dollars.

Dave Bittner: Right.

Joe Carrigan: The only response is to pull the fire alarm and evacuate the building immediately.

Dave Bittner: Yeah.

Joe Carrigan: I'd just hang up the phone and do that. Because you don't, you know, you're not -- don't sit there and try and negotiate with them at that point in time. Just evacuate the building.

Dave Bittner: Yeah.

Joe Carrigan: The question I have is are these guys calling up to these places and saying look, we could shut you down with a bomb threat. If you don't give us 5,000 dollars, we'll call the bomb threat in to the local police.

Dave Bittner: Right.

Joe Carrigan: And then they'll come in and evacuate your store for you.

Dave Bittner: Right.

Joe Carrigan: That seems to me like a more approachable way to do it. Because if somebody calls a bomb threat into my store, I'm evacuating that store and hanging up the phone and getting out myself.

Dave Bittner: Right.

Joe Carrigan: That's it.

Dave Bittner: Right.

Joe Carrigan: I'm hanging up the phone, they're not going to make any progress.

Dave Bittner: Yeah.

Joe Carrigan: But if I'm -- if somebody calls me and says hey, you know, I'm the bad guy. And I'm just going to be honest with you. I don't have a bomb in your store, but I can call the police and tell them there's a bomb in your store.

Dave Bittner: Right.

Joe Carrigan: And they'll come in and evacuate your store and you will lose two hours of business while the dogs run through and search for bombs.

Dave Bittner: Yes.

Joe Carrigan: That would be more persuasive I think.

Dave Bittner: Yeah.

Joe Carrigan: However, I don't think you should capitulate to that, either. Because if you capitulate to that once, you're going to capitulate to that once a week. Once a month, at least. They're going to do that all the time because they know it works. It's going to become a cost of you doing business.

Dave Bittner: Yeah. I mean, it's an interesting sort of, I guess is it fair to say escalation of the ransomware trend?

Joe Carrigan: I think it's a low-effort. I don't know if I'd even call this ransomware. This is like --

Dave Bittner: I mean, you're holding the store hostage basically.

Joe Carrigan: Yeah, you're holding the store hostage. But it is a ransom, but it's not, there's no ware. You know? There's no software. There's no technical expertise in this, you're just trying to scare people.

Dave Bittner: Right, it's a threat.

Joe Carrigan: Right, it's a threat. Yeah. I don't. It's so low effort.

Dave Bittner: Yeah. This article doesn't point to any cases that were successful, where you know, they don't highlight any times when the stores paid the demand. They do point out that there have been other cases of stores being threatened for other things. You know? There was a story, they say, earlier this month some Target stores got threats because the retailer had LGBTQ merchandise in the stores.

Joe Carrigan: Yes, and I think there was some talk of burning a Wells Fargo to the ground.

Dave Bittner: Right. People were, you know, and again, they had to take those threats seriously.

Joe Carrigan: Right, absolutely they do.

Dave Bittner: Yeah. But there was no money exchange there. So, yeah. It's interesting. It's tough on the employees. Obviously, you know, tough on the folks who want to purchase things at these stores. Tough on law enforcement, because they've got to go, they have to be taken seriously. But I wonder, too, you know, the other side of this where part of what enables this sort of thing is the degree to which we can still have anonymity when it comes to making a phone call.

Joe Carrigan: Right.

Dave Bittner: And that's a problem.

Joe Carrigan: It is. Well, is it? Well, do you need anonymity when you're making a phone call? That's a good question.

Dave Bittner: Well, when you're making this kind of phone call.

Joe Carrigan: Yeah, this type of phone call, absolutely.

Dave Bittner: But you know, I mean, what I'm saying is you can use, you know, voiceover IP account. You can get a burner phone call. So -- I mean a burner phone. You could go to Wal-Mart, buy a burner phone, and call the Wal-Mart.

Joe Carrigan: Maybe you can look around for a payphone. When's the last time you saw a functioning payphone?

Dave Bittner: You know what I can tell you the answer to that. I saw a functioning payphone at Disney World. Yeah. We had -- we were vacationing in Disney World in March of this year. And we were at Animal Kingdom. And there was a functioning payphone attached to the side of the buildings. And I'm -- my two sons seriously thought it was a joke. Like they thought, they picked up the handset of this payphone and they expected that Mickey Mouse was going to talk to them.

Joe Carrigan: Right.

Dave Bittner: That's what they thought. But no, it was a dial tone. You know, I don't even know if my younger son has ever heard a dial tone. Right?

Joe Carrigan: There's a great video out there showing a bunch of kids, you know, like 10 or 11 year old kids, a rotary phone and saying make a phone call on this phone. Here's my number. And they can't do it.

Dave Bittner: Right.

Joe Carrigan: Because no one's ever gone through the three minutes of instruction it takes to use a telephone.

Dave Bittner: Yeah. Yeah. No, ask a kid today why we use the phrase "hang up" when we say we're going to end a call. I'm going to hang up. Why do we use that phrase? They're not familiar with that. We had a -- like me, you probably at some point in your life had a phone in your kitchen.

Joe Carrigan: Yep.

Dave Bittner: That was on the wall.

Joe Carrigan: No, it was not on the wall. We never had a wall-mounted phone.

Dave Bittner: No?

Joe Carrigan: I always wanted one, but we never had one.

Dave Bittner: Well we had one in the kitchen. With a very long cord. You know? A little handset cord. And so when you ended the phone call, you hung up. You hung the handset on the phone that was hanging on the wall. But nobody does that anymore. Anyway.

Joe Carrigan: In the cradle at my house.

Dave Bittner: We have digressed.

Joe Carrigan: Yes we have.

Dave Bittner: Far from the story here. But anyway, I, look on the one hand, I can see there are good uses for anonymity in the world, in our society. But it enables this sort of thing.

Joe Carrigan: Yes.

Dave Bittner: So you've got good sides and bad. But we'll have a link to this story in the show notes. I'm not sure what really can be done about this.

Joe Carrigan: Not paying the ransom, or the demand.

Dave Bittner: Right.

Joe Carrigan: Because if you do that, all they're going to do is come back. If you don't do that and you just take the hit a couple of times, you know, they'll eventually give up.

Dave Bittner: Right. They'll move onto something else.

Joe Carrigan: Right.

Dave Bittner: If they're not getting paid.

Joe Carrigan: Right.

Dave Bittner: That's a good point. It's a good point. Alright, well that's what I have this week. Joe, what have you got for us?

Joe Carrigan: Dave, my story comes from the New York Times. And it is written by Julian Barnes and Edward Wong. The headline is "Chinese Hackers Targeted Commerce Secretary and Other US Officials."

Dave Bittner: Yeah.

Joe Carrigan: So apparently, Chinese hackers have gained access to the email account of Commerce Secretary Gina Raimondo.

Dave Bittner: Yes.

Joe Carrigan: Which is impressive.

Dave Bittner: Is it?

Joe Carrigan: I don't know. So I have some questions I'm going to ask at the end of this, at the end of this. But they were also trying to get access to people in Department of State. For those outside of the US, maybe even those not familiar with the set-up in the US Government, in the executive branch, there are these secretaries who head up different cabinet positions. That's called a cabinet position.

Dave Bittner: Right.

Joe Carrigan: And they head up these different departments.

Dave Bittner: Yeah.

Joe Carrigan: Department of Commerce is one department. Department of State is another department. Department of Commerce deals with, as you would expect, commerce. And international trade and things. And the Department of State deals with matters of diplomacy.

Dave Bittner: Yeah.

Joe Carrigan: It's really what they are intended to do. So, it makes sense to me that a foreign national would be -- who works, a foreign, let me say, a foreign state would be very interested in gaining access to the email accounts of the secretaries of these departments.

Dave Bittner: Right, that would be -- it's a sensible espionage target.

Joe Carrigan: I would agree, yes. And particularly Ms. Raimondo, who has been, as the article points out, one of the most outspoken critics of Beijing and has said things like we're going to stop exporting our semiconductor technology if China supplies the chips to Russia. And we're also going to put tighter export controls on them.

Dave Bittner: Yeah.

Joe Carrigan: So China doesn't want that to happen. So it makes sense that this would be a good target. Now, it's important to note that nobody in the government is saying that China -- is attributing this to China. One of the big problems in all this, and Robert Lee talks about this all the time. His big thing is attribution is remarkably difficult.

Dave Bittner: Yeah.

Joe Carrigan: But they have a number of people who are not named in this article who are pretty sure it's China, and I think Microsoft has even gone so far as to say yeah, this is probably China.

Dave Bittner: Yeah.

Joe Carrigan: Microsoft disclosed the hack on Tuesday. And the State Department said that they had discovered an intrusion back in May. Or rather, they discovered intrusion in June, that it started in May.

Dave Bittner: Right.

Joe Carrigan: And these are with Microsoft Cloud accounts, Microsoft 365 email accounts.

Dave Bittner: Yeah, and my understanding is that it was the government that detected the intrusion, and tipped off Microsoft.

Joe Carrigan: Right.

Dave Bittner: And Microsoft, because it was a government agency that was breached, they were obligated to do the disclosure.

Joe Carrigan: Correct.

Dave Bittner: Yeah.

Joe Carrigan: And when the State Department said hey, we've got some things going on here that are kind of hinky, that's when Microsoft did their internal investigation and found out, oh yeah, somebody is inside the Secretary of Commerce's email.

Dave Bittner: Oops.

Joe Carrigan: Right. So they found that pretty quickly after Department of State let them know.

Dave Bittner: Right .

Joe Carrigan: So US officials are saying they're only targeting a few accounts across 25 different organizations. And they're only making it, they've only made it into a single digit number of accounts. So it's not been a broad attack. And the article says that the US Government currently says that no classified information was lost. It also says, from other sources, that it's pretty early in the investigation to determine that.

Dave Bittner: Right.

Joe Carrigan: So they give it and they take it away.

Dave Bittner: Well, it's some high level targeting, too.

Joe Carrigan: It is some high level targeting.

Dave Bittner: If they indeed got into a cabinet level email account, that's a serious breach.

Joe Carrigan: Yeah, yeah. I would hope that they are practicing their proper protection of classified information.

Dave Bittner: Yeah.

Joe Carrigan: To make sure that there is no classified information in this account, which there's probably not supposed to be.

Dave Bittner: Right.

Joe Carrigan: American officials have said Microsoft charges organizations extra for regular access to the logs that would let them discover this.

Dave Bittner: Yes.

Joe Carrigan: So, I don't know, how do you feel about that, Dave?

Dave Bittner: Well, my understanding is that this was a point of contention between Microsoft and the federal government. With some of the contracting for these cloud services.

Joe Carrigan: Right.

Dave Bittner: Where the feds were saying, you know, we want to contract with Microsoft for cloud services and you know, the government contracts, it's probably safe to say they contract with just about everybody for the big, the big cloud providers.

Joe Carrigan: I would say that's true.

Dave Bittner: Yeah. So in their negotiations with Microsoft, it was a point of contention where the government was saying, look, we don't want to have to pay for this premium tier of cloud services to get something as fundamental as logging.

Joe Carrigan: Right.

Dave Bittner: And that's what is at issue here.

Joe Carrigan: Oh, and this is what has happened. Is because they didn't pay for that service, and they didn't get it, they're now hung out to dry here.

Dave Bittner: Are they? I'm not really sure.

Joe Carrigan: Or not hung out to dry, but --

Dave Bittner: I'm not sure because it was the government that discovered this.

Joe Carrigan: Right.

Dave Bittner: So somebody, it could have been, I don't -- look, I'm guessing here. But it could have been that some of the organizations had access to the logs and some didn't. Some felt it was worth it to pay for it, some didn't. I don't know, I'm totally speculating here.

Joe Carrigan: Right. I have a couple of more fundamental questions.

Dave Bittner: Okay.

Joe Carrigan: Why are large government organizations, like Department of State and Department of Commerce even using Microsoft Cloud services to host their email?

Dave Bittner: Probably cheaper.

Joe Carrigan: Okay. It's cheaper, but well, I don't know. Is it cheaper? It would be a good question to ask. Because especially if you're having to pay for log files or log service, let's just say it's a service, I've spoken to people who work in security in government.

Dave Bittner: Right.

Joe Carrigan: And one of their big concerns, one of the things that -- I've spoken to a person.

Dave Bittner: Yeah. Okay.

Joe Carrigan: Let me say it that way. And he and I were talking and he was like we're not going to the cloud with our email services, because first off, we need to be able to monitor that very closely.

Dave Bittner: Yeah.

Joe Carrigan: And this is one of those examples where it's pretty easy to predict what's going to go wrong here. And you're not going to have any insight into the system.

Dave Bittner: Yeah.

Joe Carrigan: And you're going to be relying on the cloud vendor to provide it. If they miss it, then, I mean, I have a lot of questions here, Dave.

Dave Bittner: Yeah. Yeah, I mean it --

Joe Carrigan: Look --

Dave Bittner: I think ultimately it's a risk assessment.

Joe Carrigan: Yeah!

Dave Bittner: Right? And so, so far, we're talking about non-classified email accounts.

Joe Carrigan: Right.

Dave Bittner: So you put that reality into your risk assessment and you weigh that against the costs and you say what would happen if this account got breached? And which level of security is Microsoft promising us for the price we're going to pay? And somewhere along the lines, somebody made the assessment or Microsoft won the contract and here we are.

Joe Carrigan: Right. My other question, and this is a big question, is why are government organizations not using some kind of physical security device like the CAC, the Common Access Card? That would authenticate them much like a YubiKey does. I don't know if it's the same, I don't think it's the same protocol, but it's a fairly available protocol. Or if Microsoft can't do CACs, why not just use YubiKeys, or --

Dave Bittner: Yeah, I don't know, they may be. I mean, this, my understanding is that this hack has something to do with the threat actors being able to generate secure keys in a way that Microsoft had not anticipated.

Joe Carrigan: I see.

Dave Bittner: Yeah.

Joe Carrigan: That's interesting.

Dave Bittner: Yeah. So.

Joe Carrigan: So they've defeated some security feature.

Dave Bittner: That's my understanding. Again --

Joe Carrigan: This is some advanced nation state actor.

Dave Bittner: Yeah, well, I think it's a combination of an advanced nation state actor and a bug/vulnerability that people were unaware of.

Joe Carrigan: Right.

Dave Bittner: Zero day, basically. And so, you get those two things together and this is the kind of thing you can end up with.

Joe Carrigan: Oh yeah, absolutely.

Dave Bittner: This is a classic supply chain --

Joe Carrigan: Alright.

Dave Bittner: -- issue.

Joe Carrigan: Well then my questions are answered, then.

Dave Bittner: You want to choose a different story this week, Joe?

Joe Carrigan: No. I'm sticking with this one.

Dave Bittner: Okay, very good. Very good. But you know what, I think your questions are good and it does highlight the complexity of all of this.

Joe Carrigan: Yeah, no, absolutely.

Dave Bittner: You know, look, security's hard.

Joe Carrigan: It is.

Dave Bittner: Right? And software's complex. And so, you don't, there's no way to know what's lurking under the hood here. At some point you've got to trust people and I can't blame people for trusting the big providers. But this goes to show you that even the big providers have vulnerabilities and it's a risk assessment. You know?

Joe Carrigan: Yeah, it always is.

Dave Bittner: Yeah. Yeah. Alright, well those are our stories for this week. We will have links to those in the show notes. We would love to hear from you. If there's something you would like us to discuss here on the show, you can email us. It's hackinghumans@n2k.com. Joe, it's time to move onto our "Catch of the Day."

[ Soundbite of Reeling in Fishing Line ]

Joe Carrigan: Dave, our "Catch of the Day" comes from Steve. It is a -- it's just an advanced fee scam. Or something of that nature. But it's pretty good.

Dave Bittner: Okay.

Joe Carrigan: So.

Dave Bittner: It goes, it says, "Dear Sir, I am Barrister Andre Dennis, the lawyer to Mr. Hennadiy Kernes, late. My client, Hennadiy Kernes, was born on the 27th of June, 1955." 1959, sorry. "In the Ukrainian SSR Soviet Union, now Ukraine. Unfortunately, he died of COVID on the 17th of December, 2020 and buried in Germany at the age of 61. I bring you a proposal that will change our lives forever! Mr. Hennadiy Kernes was a top politician in Ukraine, known for his political stride. He was alive, he was a member of a political party known as Kernes Block. And was a mayor of Kharkiv from 24th November, 2010 until death. Kernes's wife and her two kids were killed by the Russian military on 8th of April, 2022 during the Russian invasion of Ukraine. My client, Mr. Hennadiy Kernes was one of the corrupt politicians in the history of Kharkiv. However, Kernes's tenure reign in Kharkiv was marked by scoundrels and controversy. Hence in 2014, an attempt was made on his life. I was his close ally. My client made a fixed deposit of 39,800,000 dollars using a company which never existed. I was the person that handled most documentation of his shady deals while he was still mayor of Kharkiv. This is a lifetime opportunity that will change our lives forever. I'm going to recommend you as the beneficiary of 39,800,000 dollars. So that the funds will be released directly to your bank. All I require from you is honesty and cooperation to enable us to see this transaction through. We're going to share the funds in two equal parts. 50% for each. The transaction will be executed under a legitimate arrangement that will protect us from any breach of law. I advise you to keep this matter confidential. Get back to me, whatever your decision, as I wait for your prompt response. Yours in Service, Barrister Andre Dennis."

Joe Carrigan: So, it's pretty awesome. Kernes was the mayor of Kharkiv and did die of COVID in December of 2022.

Dave Bittner: Ah.

Joe Carrigan: So, I did a cursory amount of research. I don't know if his wife and children were killed, I don't think that's the case.

Dave Bittner: Yeah.

Joe Carrigan: But Steve notes, "I love the mash-up of current events in the Ukrainian war with meeting an honest money laundering mule."

Dave Bittner: Right. Right.

Joe Carrigan: I thought this was just fantastic.

Dave Bittner: Yeah.

Joe Carrigan: It's obviously fake. You're going to get scammed if you start responding to this. You're going to have probably an advanced fee scam.

Dave Bittner: Yeah.

Joe Carrigan: To release the money.

Dave Bittner: Yeah, probably.

Joe Carrigan: And as always, they will keep hitting you up for money until you either run out of money or realize it's a scam and stop paying them.

Dave Bittner: Right, right. Alright, well our thanks to Steve for sending that in. And again, we would love to hear from you. If there's something you'd like us to consider for our "Catch of the Day," you can email us at hackinghumans@n2k.com.

Joe, I recently had the pleasure of speaking with Mallory Sofastaii. She is the Consumer Investigator and Anchor at WMAR, which is one of our local broadcast affiliates here in Baltimore. And our conversation centers on how some scammers are going after animal adoption organizations. Here's my conversation with Mallory Sofastaii.

Mallory Sofastaii: Yeah, thanks, Dave, for having me. It's really awful what we've been seeing. I was contacted by the owner of a local rescue group, "Bring Them Home" animal rescue and trapping. She was extremely frustrated because on May 17th, she discovered that she lost access to her Facebook page. And she needs that page to post about animals that are up for adoption, to be a resource if someone needs to rehome their animal if they're in a bad situation, and also to fundraise because she relies on these funds to care for these animals. A lot of them need medical attention. And this was kind of her tool and her platform to do all of that. And then all of a sudden, she lost access. So she immediately tries to contact Facebook, and she gets no response. So, she's been trying for months to get a hold of them to take back control of her page. She sees that she's been locked out, the password's been changed, and she can't get in. And in the interim, someone is now using her page, and you know, her following to post about fake puppies that are for sale. So this goes completely against the core of her purpose, but also we know that these puppies aren't real. If you want to say, buy one, you click through the link, you have to fill out this form, and then they ask for a deposit right away for 300 dollars via Venmo or Zelle. And that's just not how that works. Even if you were interested in buying a dog online, you know, you have to see the dog, you have to interact with the breeder. You're not just going to send someone money out of the blue.

Dave Bittner: Right. So not only taking over the account, but using the good will that these rescue organizations have built up as part of the scam.

Mallory Sofastaii: Right. And in the course of speaking with Leah, who runs this rescue, she let us know that it's not just happening to her, that it's happening to other people. She's also an admin on a page called "Lost and Found Pets of Baltimore City and Baltimore County." And they use the page to post about animals that were found on the streets, animals that were taken to the shelter. And then owners can go there and look through the photos and try to find their missing pet. Well that page was also taken over by hackers. It could potentially be the same people, because they shared Leah's fake puppy post that was on her original Facebook. And then they changed their name of the page from the "Lost and Found Pets of Baltimore County and City" to "BARCS," which is our local animal shelter in Baltimore City, the Baltimore Animal Rescue and Care Shelter, trying to mimic them to then solicit contributions to that page. Which is extremely problematic, because BARCS cares for around 10,000 animals a year. And they really rely on any kind of donation that they receive. And also their good name. So if people suddenly get scammed, you know, they may not realize that it's not actually BARCS.

Dave Bittner: And Facebook has been unresponsive?

Mallory Sofastaii: So Leah finally got her page back, I want to say within the last week. But it probably took around two months. And she only got it back because she started going through LinkedIn, scouring the internet. She found the phone number for someone who supposedly works on Facebook's security team. It was actually the phone number for this person's ex-husband, who then connected her with this woman. So she had to go through great lengths to get her name in front of someone.

Dave Bittner: Wow.

Mallory Sofastaii: Yes. And then within a few days of doing that, her page had been restored. But leading up to that, she had received no response from Facebook. And Dave, I have to say, I've connected Facebook as well. And typically when I reach out to a company, you know, I'm connected with public relations, coordinator, they'll send me a response, they'll at least acknowledge that they're looking into this. I received no response at all from Facebook. I sent follow-up emails. Nothing.

Dave Bittner: Yeah, that really strikes me. Because I think, you know, I'd go so far as to say it's a public service that you and, you know, folks at the local affiliate level are able to do for your viewers, for your listeners, to be able to take on some of these cases. Where people aren't getting responsiveness. Because of the public platform that you have, it's kind of a superpower that you and your colleagues have to make these companies pay attention. But really frustrating that Facebook has been unresponsive to that.

Mallory Sofastaii: Extremely frustrating. And also, you know, I love animals, I have rescue pets myself.

Dave Bittner: Right.

Mallory Sofastaii: And I feel like time is of the essence here! These local non-profits, the shelters are filled to the brim right now. Like they need so much help to rehome these animals, and they need that money to care for these animals. So the fact that someone is now taking away their ability to do that, you know, I feel like there's urgency to this. And if you were to ask them, they'd say yes, animals' lives are at stake by no longer having access to their platforms. And so, you know, that's why they come to me and that's why I try to escalate this issue or get it in front of the right people. And the fact that I wasn't able to do that was really frustrating. And I have to say that with some of these social media platforms, it's almost becoming the norm. We had an issue with Twitter a few weeks ago where an individual was scammed, we tried to reach out to Twitter through their press email, and their automatic response now is a poop emoji.

Dave Bittner: Yeah, yeah. Yeah, it's hard to -- I mean, not a serious company when that's the response you get from their PR. So, what are your recommendations here for organizations, you know, lots of companies are doing business on Facebook, both for profit but non-profits as well. In retrospect, are there any steps that they could have taken to better protect their pages?

Mallory Sofastaii: Yeah, so, it almost feels like we're rolling the dice now that you know the company may not be responsive if this were to happen to you. And BARCS has said that, you know, they are taking every precaution they can to avoid this. Because they see that rescue groups, organizations dealing with animals, are targets now. So they've limited the number of admins that they have to, you know, just try to avoid any potential phishing scams. There's less people that they could target. Facebook also has a link on their website about how to better keep your account secure, and that includes login alerts and two-factor authentication. I have to say though, there was a third rescue that we spoke with, "Rescue Well." They lost access to their page in the beginning of January. Now the hackers haven't been utilizing the page. She feels like they've kind of been sitting on it. But she says that she received no phishing email. No notices. She has two-factor authentication. She's actually in a tech space. So she was really surprised to see that someone had taken over her account and she had no knowledge of it until she tried to log in. And to this day, she still hasn't regained access to that account. So, you know, you want to be as careful as you can. And I know when I log in on Facebook from a different device, it asks me to, you know, approve a code, so it's a familiar device. So you just want to make sure you have those two-factor authentications set up, but you just have to be very careful about the links you're clicking on. With Leah and her rescue, she suspects that she was hacked after receiving an email from Petfinder, although it wasn't really Petfinder, and it was asking her to confirm her non-profit's details and clicking on that link. And so she thinks that that might have been how her account was compromised. But again, that wasn't the case for several others.

Dave Bittner: It strikes me that the social engineering aspect of this. You know, you mentioned that we all, we love these animals. You know? And so I think that puts our guard down when we see an animal that's in need or we're looking for an animal we want to bring into our home, you know, we want to make, that animal is like a family member. And so it's easy to get caught up in that. And perhaps not be as careful as we otherwise would be. But I guess this is a lesson here that you really need to be vigilant.

Mallory Sofastaii: Absolutely. And also, you know, it's a lesson, too, you know, we always say adopt don't shop. But I have to say, I see so many fake puppy scams on the internet. And the photo that these hackers were using was on eight different websites, four different Facebook pages. So you know that they're just repurposing this photo or other people are to try to take advantage and play on people's emotions. They see that cute puppy, they're maybe feeling lonely or vulnerable, or, you know, they want to contribute to this rescue group in need. But you have to do your due diligence. Because sadly, the real organizations, the real people that rely on these fundraising and donations, you know, are being targeted and exploited.

Dave Bittner: So, in addition to reaching out to Facebook, you reached out to some of these payment platforms as well. What did you find from them?

Mallory Sofastaii: Yeah, so how they were operating this kind of scheme is, you know, you would send a deposit via Zelle for this puppy and there was this person's name. Well, if you didn't have Zelle, then you could message them and they'd give you your Venmo ID. So me along with several of the people associated with the non-profit wanted to see what user IDs were being used so that we could make Zelle and Venmo aware of that. And between Zelle and Venmo there were probably six different accounts we had identified. And the strange thing with this, you know, there were people's names, they were set to private so you couldn't see how many people had actually paid the deposit for the puppies or what other transactions they had had. But I alerted Zelle and Venmo. Zelle was very guarded, they basically said they can't discuss any individual accounts but that fraud isn't tolerated and they'll begin investigating right away. They didn't say whether or not, you know, anyone had sent money via Zelle or if they were able to return that. Venmo, however, I worked with their public relations person, I sent four different Venmo IDs, we were made aware that at least two people had sent deposits. PayPal did -- PayPal is the parent company of Venmo -- they confirmed to me that they were able to return the funds for at least one of the victims. And that they were able to investigate and freeze some of the other accounts. My question for them though, was you know, were these new accounts that were created by these people? Or were these accounts that had been taken over and now used in this scheme? Because you do have to verify your account through Venmo in order to set one up.

Dave Bittner: Yeah.

Mallory Sofastaii: So that's kind of another layer, you know, of how, you know, scammers are using peer to peer payment transfer apps, because it is harder to return the money. It is harder to trace. And you know, like we saw, they used four or five different names and we don't know if those were actually real people, if they were involved, or, you know, if they were just using someone else's account.

Dave Bittner: Alright. Well, Mallory, thank you for helping spread the word about this. And all the work that you do there at WMAR-2 in Baltimore. And thank you for taking the time for us today.

Mallory Sofastaii: Thank you, Dave. So nice being with you.

Dave Bittner: Joe, what do you think?

Joe Carrigan: More screaming into the void of big tech, Dave.

Dave Bittner: Yes.

Joe Carrigan: This infuriates me. Listening to this story is more frustrating. I was on LinkedIn the other day, and one of my connections was talking about one of his connections that had had his account suspended.

Dave Bittner: Oh.

Joe Carrigan: Because they thought he was a bot because of the frequency with which he was posting. And he was tagging, asking people if they knew anybody at LinkedIn, and he was tagging people at LinkedIn. Or respondents, rather, were tagging people at LinkedIn. And people who still worked at LinkedIn would not respond. They weren't responding to it.

Dave Bittner: Yeah.

Joe Carrigan: And people who didn't work at LinkedIn said well maybe you should talk to this person. Because the person, I checked on this, the person who did respond no longer worked at LinkedIn but did work at LinkedIn. And said well, try this person. But that person never responded.

Dave Bittner: Yeah.

Joe Carrigan: You know, it's not their problem, Dave.

Dave Bittner: I know.

Joe Carrigan: But it makes sense to me that someone would want to take over an adoption page for animals so that they can scam people with fake puppies. That seems like a real opportunity for a scammer.

Dave Bittner: Right.

Joe Carrigan: Even if you were faking adoption of animals, not just the sale of puppies, you could still make money by scamming people with adoption fees. We need you to deposit an adoption fee.

Dave Bittner: Right.

Joe Carrigan: And some of the adoption fees at some of these agencies around here are steep.

Dave Bittner: Yeah, it's true.

Joe Carrigan: Yeah we, I have also adopted two dogs out of a, I don't want to call it a shelter. It's an organization out of West Virginia.

Dave Bittner: Okay.

Joe Carrigan: We've gone up there because we have connections up there. And because the fees are a lot less. Right? And now we've built a relationship with the folks, so, we know who they are. And our next dog will probably come from there. Hopefully that won't be for a very long time.

Dave Bittner: Right, right.

Joe Carrigan: Because right now I have two dogs, and in my opinion, that's one dog too many.

Dave Bittner: Okay.

Joe Carrigan: But I love both my dogs and I couldn't ever do anything, I couldn't ever change the situation that I have two dogs.

Dave Bittner: Sure.

Joe Carrigan: No angry email, please.

Dave Bittner: Sure.

Joe Carrigan: Interesting that they're asking you to fill out a form. That is probably another way to capture information they're going to use to either sell or, I doubt these guys are actually going to go ahead and do some identity theft, they're probably just aggregating information so they can sell it.

Dave Bittner: Right.

Joe Carrigan: That's another branch of their business model. And they're taking over -- it was interesting, when Mallory talks about the guys that took over one page, and then set it up to impersonate BARCS. Which is the animal rescue for Baltimore City.

Dave Bittner: Yeah.

Joe Carrigan: You know, the animal control for Baltimore City.

Dave Bittner: Right.

Joe Carrigan: So, I mean, that's terrible.

Dave Bittner: Yeah.

Joe Carrigan: Because now you're directing traffic away from BARCS, right? The actual legitimate service. And you're impersonating them.

Dave Bittner: Right, it's kind of a double whammy.

Joe Carrigan: Yeah!

Dave Bittner: Yeah.

Joe Carrigan: And you're, and you're taking this Baltimore County organization -- for those who are outside of the Maryland area, didn't grow up in, well, the greatest state in the Union, Dave.

Dave Bittner: You tell no lies, Joe.

Joe Carrigan: My son-in-law who's from Pennsylvania says that Maryland has the highest ratio of pride to land mass.

Dave Bittner: Ah, okay. Alright. That's funny.

Joe Carrigan: In the union.

Dave Bittner: I don't know, has he been to Rhode Island? But.

Joe Carrigan: Not a lot of land mass there. I don't know. Yeah, that's a good question.

Dave Bittner: No, but yeah, again, no lies told. Right, yes. Most Marylanders are fiercely proud of our little home state.

Joe Carrigan: But anyway, Baltimore City and Baltimore County are two different jurisdictions.

Dave Bittner: Yeah.

Joe Carrigan: The county is all around the city, but the city is not part of the county.

Dave Bittner: Right.

Joe Carrigan: It's not beholden to anything. So, the fact that they're going over a Baltimore County organization and impersonating a Baltimore City organization, I think that's interesting. But I don't think it really matters for what they're doing. They're just harming two groups of people at the same time.

Dave Bittner: Yeah.

Joe Carrigan: Right? And for that, I hope they're caught. Although I doubt anything will ever happen to these guys.

Dave Bittner: Right.

Joe Carrigan: The length that Leah had to go to to get her page back, Leah's the person that Mallory interviewed.

Dave Bittner: Yeah.

Joe Carrigan: That is unacceptable. That she had to go on LinkedIn, find people who worked at Facebook, call that person up, say oh, that's actually my ex-spouse. Let me put you in touch with them. I mean, that, first off, that's a huge amount of dedication on the part of Leah. So, kudos to Leah. But you shouldn't have to do that.

Dave Bittner: Yeah.

Joe Carrigan: And the fact that there's no response from Facebook, one of the things, I just got through talking to a group of people earlier this week about this. Remember, with these social media platforms, you are not the customer. You are the product.

Dave Bittner: Right.

Joe Carrigan: They sell you like a grocery store sells groceries. And if a grocery store drops a bottle of ketchup on the floor, they don't turn to the bottle of ketchup and go how can I help? They just clean up aisle six, right?

Dave Bittner: Right.

Joe Carrigan: Except with Facebook, it's just bottles of broken ketchup all over the store.

Dave Bittner: Right.

Joe Carrigan: They don't care.

Dave Bittner: Right.

Joe Carrigan: You're not impacting their business model at all.

Dave Bittner: Yeah.

Joe Carrigan: Why would they take the time out of their busy, busy day to do this? I mean --

Dave Bittner: You are a rounding error.

Joe Carrigan: Yeah, right, exactly.

Dave Bittner: Yeah.

Joe Carrigan: So it's totally up to you to secure your account. And even if you do everything right, there is another story that Mallory was talking about, this woman who worked in the tech field and had multi-factor authentication on her account.

Dave Bittner: Yeah.

Joe Carrigan: Somehow, her group got taken over, too. Now there's a number of ways that can happen. All you need to do is put the wrong person in an admin position in one of the groups. You know, and you could even know the person that you're doing it to, but if they don't have multi-factor authentication on their account and their account gets hacked, that new owner of the person's account can kick you out of the group, assign themselves as administrator, and Bob's your uncle, they're done.

Dave Bittner: Right.

Joe Carrigan: They've got it.

Dave Bittner: Right.

Joe Carrigan: There's also the possibility, if you're the only administrator, that they might have somebody on the inside. I don't know, I'd need to know more information about that.

Dave Bittner: Yeah.

Joe Carrigan: I think that's less likely, though.

Dave Bittner: Yeah. Probably. I wish that there was some sort of obligation for these companies --

Joe Carrigan: Dave, come now.

Dave Bittner: I know, I know, it's adorable for me to say these things. But I wish there was some sort of obligation for these companies to operate at a human scale when it comes to customer service and responsiveness. In other words, you know, that you, if you're going to do, if you're going to run as a business, then you have to be reachable. Within a reasonable amount of time. And that's not the case right now.

Joe Carrigan: No.

Dave Bittner: There's not going to be the case any time soon. And I think it's bad for us that we've allowed this to happen.

Joe Carrigan: Dave, that would severely impact their profits.

Dave Bittner: Exactly. Exactly.

Joe Carrigan: On the peer -- discussion on the peer to peer money apps is interesting as well. I think these apps are very difficult to monitor. I don't know, what's the word? I don't like them.

Dave Bittner: Yeah.

Joe Carrigan: You know, I don't use them. I have used them in the past. I don't like using them. But my biggest concern with this is when you send money over these accounts, over these peer to peer things, it's pretty much gone.

Dave Bittner: Right.

Joe Carrigan: Although Venmo in the discussion did a really good job of getting somebody their money back.

Dave Bittner: Yeah.

Joe Carrigan: And too, if I was going to speculate on how they're doing it, I would say that they're taking over accounts. They're taking over verified accounts.

Dave Bittner: Yeah.

Joe Carrigan: To get access to them. And then they're probably sending the money via whatever the CashApp or Venmo or Zelle or whatever.

Dave Bittner: Right.

Joe Carrigan: Around to other accounts. It may have a whole network of these things where they move them through, move the money through.

Dave Bittner: Yeah. Convert them to crypto and off they go.

Joe Carrigan: Yeah. Convert them to crypto. And once they convert it to crypto, it's, you know, nobody's going to do blockchain analysis for a 3,000 dollar fraud case.

Dave Bittner: Right. Right. Right. Well, I want to thank Mallory Sofastaii for joining us again. She's been on our show a number of times.

Joe Carrigan: She has. I've interviewed her once.

Dave Bittner: Yeah. Always appreciate her taking the time for us. As I mentioned in my conversation with her, I think, you know, the work that they're able to do there as broadcast affiliates, to shine the light on these things and you know, use the attention that they can bring to these things to try to get things taken care of.

Joe Carrigan: Right.

Dave Bittner: You know, that's a real service to their community and so, I'm glad that she's in a position to do that and that's still happening, you know? Because broadcast affiliates don't have the power or influence that they once had.

Joe Carrigan: Right.

Dave Bittner: So, the fact that they still find value in doing this for their community, I think that's a good thing.

Joe Carrigan: I would agree. Although, I will point out that she got no feedback, nothing back from Facebook, and a poop emoji back from Twitter.

Dave Bittner: Yeah.

Joe Carrigan: So, it seems to me like these big tech companies have just written off local media and I think maybe this needs to be handled by a large, you know, one of the larger news networks.

Dave Bittner: Yeah.

Joe Carrigan: You know if somebody just hammers on these guys day and night.

Dave Bittner: Yeah. Well, and sometimes that's how it happens, you know.

Joe Carrigan: Right.

Dave Bittner: A local affiliate gets hold of a story, and then the network that they're affiliated with runs with it. And off you go. So. We'll see.

Joe Carrigan: I was a member of a Facebook group that got taken over. And the -- one of the members was able to post a link to a new group. They just started a new group that they did. And everybody -- it was a small group, it was only like 600 people.

Dave Bittner: Okay.

Joe Carrigan: But we all went to the new group. And I don't like Facebook. I hate it. It's the only social media platform I'm on regularly.

Dave Bittner: Yeah.

Joe Carrigan: And it's not on my phone, it's, the only thing I have on my phone is the messenger.

Dave Bittner: Right.

Joe Carrigan: And that's what draws me into the web interface is the messenger. I go let me check and see who's sending me this message. And.

Dave Bittner: Yeah. Yeah. You know, look, there's no doubt it has utility and people find value in it. I'm not on Facebook but my wife is.

Joe Carrigan: Did you start a Threads account?

Dave Bittner: No.

Joe Carrigan: No?

Dave Bittner: No. No.

Joe Carrigan: I'm not doing that either.

Dave Bittner: No, I'm -- I transitioned from Twitter. I locked down my Twitter account and I went over to Mastodon. And I'm very happy over on Mastodon. You know, it's not algorithmically driven, there's no ads, and it's the way the internet used to be, Joe!

Joe Carrigan: Maybe I'll get, maybe I'll reactivate my Mastodon account or start a new one.

Dave Bittner: Yeah, yeah. It's -- so I'm content there for the moment. I don't feel the pull from any of these other young whippersnapper startup social media companies. So.

Joe Carrigan: It's not a whipper -- it's Mark Zuckerberg, he's not a whippersnapper.

Dave Bittner: Well, no, but he's younger than me! So.

Joe Carrigan: Yeah, younger than both of us.

Dave Bittner: There you go. Alright, well again, our thanks to Mallory Sofastaii for joining us. Again, she's the Consumer Investigator and Anchor at WMAR-TV in Baltimore. And we do appreciate her taking the time.

That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.