Hacking Humans 8.24.23
Ep 256 | 8.24.23

Hunting the hackers.


Selena Larson: I think $1,000 for anyone is really kind of horrible, but there are incidents of folks losing hundreds of thousands of dollars to romance scams, for example. And when they're kind of clustered as billions of dollars of losses or like users experience X, Y, and Z, it's really easy for us to forget that there are people behind these events. And the emotional impact, the mental impact is very, very real.

Dave Bittner: Hello, everyone and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show, we've got Selena Larson and Tim Utzig who are talking about hunting down a Twitter scammer. All right, Joe, before we jump into our stories, we've got a good bit of follow-up here this week. You want to kick things off for us?

Joe Carrigan: Yes. First thing I want to talk about, the wildfires in Hawaii.

Dave Bittner: Yeah.

Joe Carrigan: That is going to be scams.

Dave Bittner: Right.

Joe Carrigan: So don't fall for those. If you're going to give money to Hawaii, if you want to help support Hawaii, the state of Hawaii actually has on their website places where you can go and give money.

Dave Bittner: Yeah.

Joe Carrigan: You can also give to the Red Cross. They're helping.

Dave Bittner: Right.

Joe Carrigan: I think the state of Hawaii is saying give to the United Way of Hawaii.

Dave Bittner: Okay.

Joe Carrigan: That's what they're doing.

Dave Bittner: I saw someone say, whatever you do, don't come to Hawaii. We do not need you here. We have enough people.

Joe Carrigan: Yeah. Stay away from disaster areas until it's time to rebuild and they need volunteers and there's a call for volunteers.

Dave Bittner: There you go.

Joe Carrigan: That's when you go help.

Dave Bittner: Yeah.

Joe Carrigan: But right now is not the time.

Dave Bittner: Yeah. Okay.

Joe Carrigan: Steve writes in with some comments about the quiz I gave you last week from our last episode. He says, I like the quiz you both presented in the most recent episode, and I laughed at the end because that final question about Facebook, and this is about the Facebook lawsuits. When you read the question, I hit panic mode.

Dave Bittner: Okay.

Joe Carrigan: I did get this email, and I responded to create a claim. But as you presented the question and discussed it, I freaked out a little and thought I might have fallen for a scam. Of course, it all works out in the end. I had a good laugh at myself and paranoia that can easily be induced from this business.

Dave Bittner: Yes.

Joe Carrigan: You know, I think I came into this business with a bunch of paranoia, so I think I'm well suited for it.

Dave Bittner: Yeah. A little healthy paranoia is not a bad thing.

Joe Carrigan: Healthy paranoia, yeah.

Dave Bittner: But yeah, you just got to be careful to not let it run away with you.

Joe Carrigan: No, no. That's right. I hope that we didn't scare you too badly, Steve.

Dave Bittner: Yeah. We got an email from Jonathan Daigle who wrote in, and he was commenting on, I don't know, a couple episodes ago, we were talking about some Google Maps scams and that people had been able to go into Google Maps and change the phone numbers on things.

Joe Carrigan: Right.

Dave Bittner: Yeah. And evidently, Jonathan used to be a Google Map editor.

Joe Carrigan: Really?

Dave Bittner: Yeah. So he wrote in, I'm going to summarize here, but he said that Google Maps gathers information from various sources, including user input through Google accounts. One method is through a community of map editors who validate edits. Users can also claim businesses to edit them directly, although he thinks that process has changed some over time, and unclaimed listings can be open to edits from anyone. So as I said, Jonathan was once a Google Maps regional reviewer, which is part of a volunteer group that approves the user-submitted map updates. And of course, high-profile areas require special approval, like you can't rename the White House.

Joe Carrigan: Right. You need to have Yankee White clearance to do that.

Dave Bittner: Right. Exactly.

Joe Carrigan: I would name it Casablanca.

Dave Bittner: Yeah. So Jonathan suspects that the scammers altered the airline's phone number through some clever strategies and multiple accounts, maybe manipulating good edits before changing the phone number, and he suspects it involves some sort of organized, centralized scam.

Joe Carrigan: Probably.

Dave Bittner: Yeah. So interesting insights. Yeah. And thank you, Jonathan, for writing in. We appreciate it.

Joe Carrigan: Thank you very much, Jonathan.

Dave Bittner: All right. Let's jump into our stories here, Joe. Why don't you kick things off for us?

Joe Carrigan: Dave? They got me, Dave.

Dave Bittner: Oh, no.

Joe Carrigan: My story comes from my own personal life.

Dave Bittner: Oh, no.

Joe Carrigan: Now, I'm going to tell you, I have not suffered any losses.

Dave Bittner: Okay.

Joe Carrigan: But I'm going to let you take a guess as to how they got me. And it's something we complain about on the show a lot, so I'm going to give you that hint.

Dave Bittner: All right.

Joe Carrigan: So what was the mechanism through which they got me?

Dave Bittner: All right. I'm ready.

Joe Carrigan: Take a guess.

Dave Bittner: You just want me to cold guess?

Joe Carrigan: Yeah. Cold guess. Sorry.

Dave Bittner: You're giving me no information.

Joe Carrigan: No information.

Dave Bittner: And you just want me to guess.

Joe Carrigan: Yes.

Dave Bittner: All right.

Joe Carrigan: Because if I give you any information, you'll instantaneously know how they did it.

Dave Bittner: Okay. I'm going to let you guess that someone came at you using something that you are already interested in to pique your interest and lower your defenses.

Joe Carrigan: No.

Dave Bittner: Okay.

Joe Carrigan: Close. You're close. Yeah. I mean, generally speaking, you might be right. So here's what's going on.

Dave Bittner: Okay.

Joe Carrigan: My family, we're planning a family trip up to West Virginia, where my wife's family is from.

Dave Bittner: Okay.

Joe Carrigan: So I have to rent a nearby hotel. So what do I do?

Dave Bittner: Get online to find one.

Joe Carrigan: Right. Now, I know there's a hotel right by the house where we're going to be gathering.

Dave Bittner: Okay.

Joe Carrigan: So I say to the big machine in my phone, hey, I need to make a reservation. Give me the website for this hotel.

Dave Bittner: Okay.

Joe Carrigan: And I click on the link, and I start making a reservation for the room. Now I'm looking at the prices of the room. My son is also making his reservation for the room, because he's going up as well. He and his daughter are going up.

Dave Bittner: Yeah.

Joe Carrigan: So I'm looking at the reservations, and I'm like, these are some good prices, but they're not out of line with what I've seen before. My daughter and her husband are saying prices are going up, and I'm like, hey, I'm not seeing that. And I say the price, and my son goes, that's a really good price. How are you getting that price? I'm like, I'm just on the website. Doo-doo-doo-doo-doo. Dave, I wasn't on their website.

Dave Bittner: Okay.

Joe Carrigan: Now do you know how they got me, Dave?

Dave Bittner: Yes. You clicked through the link. Yes.

Joe Carrigan: I clicked on the ad.

Dave Bittner: You did what you tell everyone not to do, Joe.

Joe Carrigan: I did. I went as far as entering my credit card information, and it comes back and goes, no, that credit card information didn't work. I checked the credit card information again, and enter it again. Dave, I was persistent in my mistake here.

Dave Bittner: Okay. Have you canceled that credit card?

Joe Carrigan: I start to go, what's going on here? And I look up at the URL. I finally take the time to look up at the URL, and it has some BS reservation website.

Dave Bittner: Okay.

Joe Carrigan: And I'm like, oh, no. And my son looks over and goes, you have a podcast about not doing this.

Dave Bittner: Yeah.

Joe Carrigan: He's never helpful, my son. I love the boy.

Dave Bittner: Cobbler's kids have no shoes.

Joe Carrigan: Yes. He said, you didn't just -- he says, what are you going to do about this? You're a big-time cyber security expert. You're famous. And I say, well, you know what I'm going to do is I'm going to talk about this on the show.

Dave Bittner: I see. So you weren't getting scammed. You were gathering content for the show.

Joe Carrigan: That's right, Dave. That'll make me feel better.

Dave Bittner: There you go.

Joe Carrigan: No. So I'm going to give a shout out here to the credit card company. This was Capital One.

Dave Bittner: Yeah.

Joe Carrigan: I have a credit card with them.

Dave Bittner: Okay.

Joe Carrigan: I called them immediately after I realized what was going on. And there's a voice message.

Dave Bittner: Did you use the phone number on the back of the card or did you Google it?

Joe Carrigan: I used the voice number on the back of the card. That's exactly what I did. And that's what everybody should do. I'm like, I'm not falling for this one again.

Dave Bittner: Okay.

Joe Carrigan: So I put the phone number, I turn the phone over and I call Capital One. I enter my information and they go, hey, we've noticed some recent fraudulent activity on your account. And I was like, yeah.

Dave Bittner: Like within the past five minutes?

Joe Carrigan: Yeah. That's right. Sure. That is exactly what has happened. So I get a representative pretty quickly. And the guy says, yeah, I see it here. They didn't approve anything.

Dave Bittner: Oh good.

Joe Carrigan: So I didn't lose any money. Capital One didn't lose any money.

Dave Bittner: Right.

Joe Carrigan: They flagged it right away. And the guy said, we'll have a new card out to you very soon.

Dave Bittner: Oh, good.

Joe Carrigan: The whole event is over. So it ends very well for me, right? We tell story after story after story where people lose money on these kinds of things.

Dave Bittner: Yeah.

Joe Carrigan: I want to tell people, my main reason for telling the story is we have stories. In fact, our interview today is a very similar example of the courage that a lot of people have.

Dave Bittner: Yeah.

Joe Carrigan: We've had stories about people who have lost hundreds of thousands of dollars, and despite the absolute embarrassment -- I'm incredibly embarrassed about entering my credit card information into a wrong site. Right? But I would be remiss if I didn't come here and tell people, this happens to even the best of us. This happens to everybody, right? You are not immune to falling for this.

Dave Bittner: Right.

Joe Carrigan: And we have said this over and over and over again on this show. And one of the things, when you and I started this show, I made a commitment to myself that I would never say, that's not something -- I'm never going to fall for any of this stuff because I'm too smart for that. Because obviously, I'm not, right?

Dave Bittner: Right, right.

Joe Carrigan: And I live and breathe this field, this career field.

Dave Bittner: Yeah.

Joe Carrigan: This is pretty much all I think about. And this happened to me. So if you get scammed, do not be embarrassed. I know, well, you're going to be embarrassed. But don't be afraid to share your story. I know it's embarrassing. Don't be afraid to share your story.

Dave Bittner: Yeah. And there's a whole spectrum of embarrassment. I mean, there's, oh, gosh -- I would put this up there with, I don't know, leaving your fly down or something. It's not a big deal -- oh, gosh, silly me, you know, no harm, because you didn't lose any money.

Joe Carrigan: Right.

Dave Bittner: It was corrected. The system worked, right? The credit card company caught it.

Joe Carrigan: Right. Yep.

Dave Bittner: And you learned a lesson.

Joe Carrigan: And I got off easy.

Dave Bittner: Yeah, the other sort of little tiny side technical note that I'll add here is that with a lot of these websites, for example, when you're entering your credit card information, you don't even have to hit submit for that information to have been captured.

Joe Carrigan: Correct. 100% correct.

Dave Bittner: Yeah.

Joe Carrigan: Yeah, when you're entering that stuff, there could be JavaScript in the background that is sending that information along as it's being entered.

Dave Bittner: Yeah.

Joe Carrigan: That website may have essentially a key logger on it built in JavaScript, which might be loading that information up.

Dave Bittner: Right.

Joe Carrigan: It may not be actually accessing your keyboard, but it is accessing every single change you make to that field.

Dave Bittner: Yeah. Yep. All right. Well, all's well that ends well.

Joe Carrigan: Yes. Well enough.

Dave Bittner: I'm glad you dodged that bullet, but as you say, it can happen to anybody.

Joe Carrigan: Yes.

Dave Bittner: It can happen to the best of us, and it can happen to you.

Joe Carrigan: Thanks. I have one other note that a listener named George sent in.

Dave Bittner: Okay.

Joe Carrigan: It's not really exactly social engineering, but the Bank of Ireland recently, the Guardian -- we'll have a link to this in the show notes, but the Guardian has a story about the Bank of Ireland having a glitch in their ATM system or in their account system that let people withdraw money, too much money, from their accounts. It wasn't there.

Dave Bittner: Oh.

Joe Carrigan: And apparently, there were lines at ATMs once the word got out.

Dave Bittner: Right.

Joe Carrigan: Some of the Garda, the Irish police, were actually dispatched to ATMs to stop this from happening. I think that the Bank of Ireland is going to get a fine for this, but everybody who over-withdrew their accounts is still on the hook for the money.

Dave Bittner: Yeah.

Joe Carrigan: Don't think when these kind of things happen that it's free money.

Dave Bittner: Yeah.

Joe Carrigan: Yeah.

Dave Bittner: The odds are always in the house's favor.

Joe Carrigan: Right. The bank is the house in this case.

Dave Bittner: Yeah. Yeah. My story this week actually comes from the FBI. This is from the folks over at the IC3, the Internet -- what is it, the Internet --

Joe Carrigan: Crime Complaint Center.

Dave Bittner: Thank you, Joe. And they put out an alert a few days ago. This is about cyber criminals targeting victims through mobile beta testing applications. So sounds like what's happening here is people are saying -- as part of a scam, people are saying, hey, here's a way for you to get the latest version of this hot app that you want to be part of. It could be either an app that has limited access, something that actually is at an invite-only mode right now.

Joe Carrigan: Really? Can I take a guess at what they ask you to do?

Dave Bittner: Sure.

Joe Carrigan: Do they ask you to enable your developer options on your phone?

Dave Bittner: You know, I don't know. And I don't think this article says that, but basically what this is getting at is that they're actually using the beta testing functionality built into, for example, the Google Play Store.

Joe Carrigan: Okay. So you're using the Google Play Store. They're probably not asking you to sideload the app, is what that's called.

Dave Bittner: Right. So what this does is it allows you to load the app, but it will not have gone through the scrutiny that most apps go through, or that I guess every app goes through, either through Google Play or the Apple App Store. And so because of that, these apps can be full of all kinds of things that'll do all sorts of terrible things to your system. And so you have a false sense of security because it's still coming through the Google Play Store, but it's coming through the beta program of the Google Play Store where it has not been tested.

Joe Carrigan: Right.

Dave Bittner: So this article has a nice list of some red flags for malicious apps that talk about it draining your battery faster than usual. That indicates that it's busy processing some things behind the scenes. If your computer's running slow, again, that can be linked to the heat as well.

Joe Carrigan: Right.

Dave Bittner: Pop-up ads, a bunch of downloads, apps that request permission that have nothing to do with what that app actually does. Flashlight app doesn't need to know your location, right? Of course, the normal things, spelling errors, grammar errors, lack of details, pop-ups that look like ads, system warnings, reminders, things like that. We'll have a link to this alert here from the FBI, but it's a good reminder to be careful of where you're getting your apps from. Certainly for your mobile device, the best place is the official app stores. Of course, on iOS, you can't sideload things unless you've jailbroken the device.

Joe Carrigan: Right, yeah. It's very hard to do that.

Dave Bittner: Yeah. Yeah.

Joe Carrigan: So does Apple have a beta program, or do they not let you do that?

Dave Bittner: They do, yeah. They do have a beta program, yep. A developer can send you a link to be part of their beta program, and that allows you to load something that has not been reviewed yet.

Joe Carrigan: All right, so here's another example of somebody using a tool or a system that's intended to do things that are necessary and good, right?

Dave Bittner: Right.

Joe Carrigan: Like if I'm an app developer, and I have a following of people that use my app, and I have a group of super users who are on forums and all that stuff, I mean, these kind of apps are not the majority of apps, right?

Dave Bittner: Right.

Joe Carrigan: These are a small minority of apps that have these kind of followings. But those users, you may want to select some users from that community to be beta testers because they love your product, they're familiar with your product, and they want to help you make a better product.

Dave Bittner: Right.

Joe Carrigan: So these beta programs are important to have, but, and here's the but, it's something that can be abused.

Dave Bittner: Yeah.

Joe Carrigan: And that's what we're seeing here.

Dave Bittner: Yeah, so it'll be interesting to see if the app hosts, the app platforms, if they put in any additional layers of scrutiny in response to this, or if this is something that the folks who -- well, it's interesting because what's happening here is the bad guys are spinning up a developer account, and they're using that.

Joe Carrigan: Right, and you can spin up developer account after developer account.

Dave Bittner: Right, right, so maybe, again, it's hard to do at scale.

Joe Carrigan: Right.

Dave Bittner: How can we scrutinize the people applying for developer accounts one by one?

Joe Carrigan: Yep. So the solution here is going to be -- the problem -- well, I don't know, the problem here is that this solution gets pushed down to the user, that the responsibility gets pushed down to the user because of these big tech companies not being able to manage this at scale, as you say.

Dave Bittner: Right.

Joe Carrigan: So we have to talk to our folks and say, don't get roped into a beta program unless you are a real fan of this software.

Dave Bittner: Yeah, and I think there is a social engineering component here.

Joe Carrigan: Absolutely.

Dave Bittner: Because a lot of folks feel like, oh, I'm being invited to this beta testing program.

Joe Carrigan: Yeah. Makes you feel important.

Dave Bittner: I'm elite, yeah, I'm elite, so they get you that way, too. All right, we will have a link to that in our show notes. Joe, it is time to move on to our Catch of the Day.

Joe Carrigan: Dave, our Catch of the Day comes from Richard, who has some creative names for us. He says, hey, Joe, Cara Cash Coin and Dave Bittner Coin, I got a new tip on crypto. It's a hot one, potentially a life-changing opportunity. Cue the Wolf on Wall Street scene, the one where DiCaprio keeps reiterating that he gets 50% commission. All right, it goes like this, it says, hello, my name is Joseph Cole, Director of Operations at CRYPTODREAM, all caps. Some of my colleagues in other blockchain companies like Tether, Bitcoin, asked me to look for a trustworthy person who has the capability to receive cryptocurrency that runs into millions of dollars when exchanged. They have many wallets whose owners can no longer be reached or identified. Some have died in the ongoing Russian-Ukrainian war by accidents or even natural disasters without any next of kin in their mandates with the companies. If you can work with us, you will be entitled to 25% of whatever amount we move out per time. This deal can be concluded in a week with your cooperation. Revert very quickly if you think you are that person we are to work with. Best regards, Joseph Cole.

Dave Bittner: So what does revert very quickly mean?

Joe Carrigan: I don't know. Obviously, it's a translation error.

Dave Bittner: Right.

Joe Carrigan: It means get back, go back very quickly. Get back to us, yeah.

Dave Bittner: It probably means get back, respond.

Joe Carrigan: It'd be interesting to know what language this came from because this sounds like it's a colloquialism that doesn't translate well.

Dave Bittner: Right. Right.

Joe Carrigan: Yeah. If anybody knows what revert very quickly would mean in another language, but it is a colloquialism, we'd love to know it.

Dave Bittner: Yeah.

Joe Carrigan: So I don't know what happens here. This could be just kind of a play on the advanced fee scam.

Dave Bittner: Yeah, I'll bet it is.

Joe Carrigan: If you respond to them, you say, yeah, sure, I can do that. And they go, well, send us some Bitcoin so we know you're legit.

Dave Bittner: Right. Yeah. Yeah. Could be that they're money mule-ing you.

Joe Carrigan: It could be they're money mule-ing you.

Dave Bittner: Yeah.

Joe Carrigan: Using you as a step in the money laundering operation and they're promising you 25%.

Dave Bittner: Yeah.

Joe Carrigan: Okay. That sounds great. You know, if I get tied to this money, then that's going to end badly for me.

Dave Bittner: Right. Right. All right. Well, thank you, Richard, for sending that in. Of course, we would love to hear from you. You can email us. It's hackinghumans@n2k.com.

Dave Bittner: Joe, I recently had a really interesting conversation with Selena Larson, who is a threat researcher. I've interviewed her several times over on the CyberWire. And a friend of hers, whose name is Tim Utzig, and he's a business analyst, Tim found himself victimized by some bad guys. And Selena used her magical powers as a threat researcher to help him track down the bad guys. Here's my conversation with Selena Larson and Tim Utzig.

Selena Larson: So Tim is a friend of mine. We are part of a running group where sighted athletes guide blind runners. And we've become friends through our running group. And one day, he was telling me the story of how he got scammed by someone on Twitter supposedly selling laptops. One of the accounts that he follows and is friends with was hacked and used as a way to sort of share the scam. I, of course, was really upset. And working in my day job as a cybersecurity practitioner, I thought, hey, this isn't cool. Let's see if we can potentially find maybe the folks behind this, see if we can get your money back, or at the very least, put together some resources for law enforcement so Tim can report the crime and we can provide some additional information that might help law enforcement in their search.

>>1 Well, Tim, set the stage for us here. I mean, how did you fall into this? Where did it all begin?

Tim Utzig: So when I was an undergraduate at Towson University studying journalism, I met a reporter named Raku Bako, who works for Madison covering the Baltimore Orioles. And from that, I began following him closely as a fan of the Baltimore Orioles. And without knowing his Twitter account had been hacked, he was selling MacBooks that were going proceeds to charity. And I was not aware he was hacked. I'm blind and use a screen reader. And so I missed some key details that kind of would have set off alarm bells that his account had been taken over. I fell for the scam, and gave $1,000 to a person via Apple Cash to a person that ended up not being the reporter.

>>1 So just to be clear here, this reporter was unaware that his Twitter account had been taken over by scammers, and they were using that to pretend to be selling laptops?

Tim Utzig: That's correct. Yes.

>>1 Yeah. So you find yourself falling victim to this. It must have been a terrible feeling.

Tim Utzig: It was awful. It was gut-wrenching for several weeks. It was an awful feeling until I got in contact with WMAR from Baltimore and Selena just telling her the story. I felt very alone until they reassured me that this happens to a lot of people. But for several hours, if not days there, it felt very alone, especially you feel stupid. You feel like you should have seen warning signs. You talk to friends and family, and they saw that it was a scam being reported other places, but I didn't happen to see that. Also, it's so gut-wrenching as well, having a disability and not being able to see some of the signs that were out there that my other peers would have seen.

>>1 Yeah. So Selena, Tim mentions this to you. Did you immediately leap into action?

Selena Larson: Tim told me what happened, and I pretty much did, yeah. So I told him, you know, send me screenshots, send me the article, send me more information about the information that you have. I contacted a friend of mine who is an expert in social engineering and basically being able to track down scammers and, you know, try and identify people behind scams. And so I got with Tim, I got the information that he had, and then I coordinated with my friend who in the article is referred to as Steve. And we got to hunting basically, hunting through data, looking for information and trying to see if we could sort of piece together the puzzle of the fraud itself, potentially other victims, other incidents of this, what some of their accounts were, just a lot, trying to kind of piece together the overall scam in a way that we might be able to identify the who, the how, and potentially inform law enforcement.

>>1 Well, it's a fascinating story. Can you walk us through the process that Steve used here to try to track these folks down?

>>1 Absolutely. So when you are hunting fraudsters and working kind of against social engineers, you become a social engineer yourself. So what's really interesting is engaging with the actor. So initially, Tim gave us a phone number, right? So the initial contact was on Twitter, but it switched to iMessage. So all we had was a phone number. We texted that phone number saying, hey, I heard you're selling laptops. You know, I'm interested in getting one. We got a text back from a different number. So immediately we had two indicators, right? Indicators of suspicious activity. So then we were chatting with the person saying, you know, we're interested in this. In Tim's case, the cash transaction happened via Apple Cash. But in our case, we were initially messaging them not on an iPhone. So they're like, okay, what payment platforms can we use? We said we would be able to pay in Bitcoin, via Zelle app, which is a payment app, via Square app, or via PayPal. So essentially what we're doing is we're telling them, okay, you know, these are the ways that I can pay to see if they will send us payment accounts. Payment accounts are another way for people to be able to sort of track the actor, right? So Bitcoin is another one. You can track wallets. You can track usernames, personal information associated with various payment accounts. A lot of times people are using real names associated with their payment accounts, email addresses potentially. And what we were able to do is sort of piece together profiles of potential people involved in the scam based off of information gleaned through the chats, the one-on-one conversations, based off of the payment accounts that we were able to identify associated with names of apparent real people. Whether or not those payment accounts were part of a money mule operation or part of the scam itself is not clear, but we were able to identify sort of a cluster of apparent related activity related to the scam.

>>1 What about location information? Did you have any sense of where these folks were operating?

Selena Larson: Sure. So we had phone numbers, which of course include area codes. They were US-based phone numbers. So there was a potential for that. There was certainly people's social media footprints suggested various locations. We were able to sort of zero in on locations in the East Coast. We also sent a link through a tool called the Grabify app. This is actually something -- Grabify links are kind of similar to, for instance, what advertisers use to track people's activity online, right? So you can get an IP address, the geolocation of a user, some information about the user agent, like what device are they on? And so we were able to see someone click that. So at the time of click, we were able to identify that they were in the Eastern United States. And we were able to, again, get some additional information on at least the device itself and potentially associated with the user who, you know, appears to be at least somewhat involved in this overall fraud.

>>1 And so you gather all of this information. What do you do with it? Do you report it to law enforcement?

Selena Larson: Yeah. So there's an IC3 portal that the FBI provides and encourages people to report fraud. And Tim can talk to maybe about this a little bit as well, but we also were able to -- I worked with him to get a police report filed detailing all of the information that he had, as well as the information that I had. Unfortunately, you know, a lot of times these crimes go unpunished. There's a lot of fraud that happens. And if you look at public statistics of fraud, some of the tracking information, certainly the IC3 report that's published every year, you know, there's hundreds of millions of dollars in losses, whether that's business email compromise, whether that's consumer fraud, romance scams, pig butchering is a big, big one. So there's obviously a lot of this crime that's happening and there aren't great public statistics on whether or not they're prosecuted or whether or not, you know, the people behind these activity are, you know, caught basically.

>>1 Tim, what was it like for you with your interactions with the DC Metropolitan Police Department? Was it gratifying? Did you feel as though they were taking you seriously?

Tim Utzig: I felt it was a bit disappointing. I spent weeks, days waiting for responses that never came. When I first finally got in contact after about three weeks to a month with the person in charge of the financial crimes unit, he forwarded it off to what seemed to be someone junior down on the financial crimes team. And we went back and forth. He asked for details. Selena was involved in the conversation, giving him every bit of evidence we had. And since then, I've gone about two, three emails without a response and just figured they've kind of moved on.

>>1 Yeah. I share your frustration in that it seems as though, I don't know if it's because it's not a violent crime, but at the same time you certainly feel violated, but it just seems like law enforcement isn't really set up to have any sort of nimble response to this.

Tim Utzig: Absolutely not. And I tried to explain to them the gravity of the situation, at least to me. $1,000 to some people might not be just but a drop in the bucket, but for someone like me who's pursuing graduate school and living in DC, it's a big deal to be taken advantage of like that. And I wish someone like this, they'd have the manpower to pursue things like this. But unfortunately, that wasn't the case and it's very frustrating.

>>1 Yeah. And you also reported it to the FBI's IC3, the Internet Crime Complaint Center.

Tim Utzig: Yeah, absolutely. Selena helped me out with that. Selena has been a big help, her and her team getting this reported all over the place and getting this to the point it's gotten today and even being on this podcast here today. She helped me go through the FBI system and we'll see what comes of that, if anything.

>>1 Has there been much response after the story went live on Wired?

Tim Utzig: I mean, being on this podcast today for me is a big deal. Selena, I don't know as far as what you've seen on your end. I know I was on vacation and she sent me the article along and then I saw everything online around it and to me it was a big deal.

Selena Larson: Yeah, we've gotten a lot of really positive feedback. I think there is interest. So you mentioned some challenges with law enforcement. There is definitely interest in sort of bridging some of those knowledge gaps, helping victims of these types of crimes. I know that there are a lot of folks in the community that, you know, try and work either independently or through various nonprofits to help people who have been victims of crime, whether that's fraud, whether that's, you know, privacy and sort of surveillance, cybersecurity training for things like that, that might be more of digital threats, other types of digital threats. But the response has been overall really positive. I think as cybersecurity practitioners, people in the community, we very often lose sight of the people behind these crimes. Even in the conversations or the blogs that we publish or the tweets that we make, we call them users, right? I think user sometimes dehumanizes the individuals behind the computer, right? So they're victims of crime. These are human beings, they're people and, you know, every one of them is having a uniquely terrible experience. The impact really varies. For Tim, $1,000 is a huge loss. I think $1,000 for anyone is really kind of horrible. But there are incidents of folks losing hundreds of thousands of dollars to romance scams, for example. And, you know, when they're kind of clustered as billions of dollars of losses or like users experience X, Y, and Z, it's really easy for us to forget that there are people behind these events and the emotional impact, the mental impact is very, very real. And so I think that that's been, at least for me, a lot of the positive feedback I've seen is really giving humanity to cybercrime. And Tim was very, very generous in sharing his story. I know it can be really hard for victims of crime to come forward and discuss it. And Tim has been extremely brave, extremely forthcoming, helped me learn a lot about his end of things and the experience itself. And also, hopefully, our story can help other people realize that A, this stuff happens and B, it's okay to talk about it, C, you're not alone.

>>1 Yeah. Tim, help us understand here as someone who is blind, I think a lot of us don't realize the types of things that you experience when you're interacting with technology. And some of these things may put you at a disadvantage when it comes to being able to spot these scams.

Tim Utzig: Absolutely. I mean, first and foremost, technology is not made for people with disabilities and Therefore, technology is not made for people who are blind and visually impaired. And being blind is a spectrum. So these things have been retroactively added, things like Zoom, things like voiceover just on an iPhone, and later on, things of similar nature on Android. But it still is not completely proofed for people with disabilities. I constantly have to find myself going into the Apple store on Apple support each coming iOS update trying to talk about why voiceover now won't read text messages or read articles or will just glitch out every other month. And someone who's sighted doesn't have to go through, why can't I just use my phone and read text every other month? And so these are things that people like me have to think about. Now, granted, technology is in a great place these days than where it was being blind 15, 20 years ago, but it's still frustrating. And when you have to use something like voiceover and say reading a picture, not all things have alt text that's something a screen reader will read. And so if there's something off about a picture, for instance, and it doesn't read the alt text, then you could be misled as to what that picture is actually presenting.

>>1 I have to wonder, given the amount of information that you all were gathering here on these bad guys, was there ever a moment where you had an impulse that we're going to show up on their front doors or try to get down to that point and say, hey, give me my money back or give me a computer?

Tim Utzig: I'm sure Selena could probably speak to this, but especially after her team helped me track down these people and give the information over to law enforcement, it was so hard, even with the phone number I had initially that I was originally in contact with, to not just reach back out and say, gosh, I hate you, I can't believe you did this to me, give me my money back. But I had to walk away, bite my tongue and just move on and it's extremely frustrating.

>>1 Yeah.

Tim Utzig: So I think a lot of security researchers and folks who operate in this space definitely feel that compulsion of like, oh my gosh, like I just want to talk to them and tell them how bad they are and try to sort of engage with the baddies, so to speak. Obviously, you really shouldn't because that could go very badly. But also, in our case, we're not law enforcement. We can't do that. We've done all we can in terms of seeing what we can do with the tools available, with the resources that we have and the techniques that we're using. But you bring up a really good point because folks who do this a lot, who engage with victims of crime a lot, also suffer from mental health issues often. And it is really, really difficult. It's hard to watch people suffer. It's really hard to constantly engage with people when they're at their lowest. At BrunchCon last year, Ronnie Takowski gave a really great talk on the importance of taking care of yourself, the importance of focusing on mental health, basically highlighting that our jobs as security researchers can be really stressful, especially if you are doing victim engagement and talking to people who have been victims of crime. His presentation was really terrific and talked a lot about some of the resources that he uses to keep himself centered and healthy, because it is hard. I think calling it cyber security or even talking about it as something that only happens on the internet, we forget that this is real life. There's human beings in physical places that are experiencing this and it's easy to forget that when we're so focused on the malware and the TTPs.

>>1 Right. Well, Tim, thank you so much for sharing your story. And Selena, thank you so much for helping Tim and also sharing your part of the story with us.

Dave Bittner: Joe, what do you think?

Joe Carrigan: First things first, Dave. Go O's. You started off talking about being Orioles fans and watching Madison.

Dave Bittner: There you go.

Joe Carrigan: Now that I've said that, watched the Orioles fall out of first place and it'll all be my fault. Like I said before in my story, Tim coming forward is courageous.

Dave Bittner: Yeah.

Joe Carrigan: It's hard to do that, especially when you've actually lost money. So thank you, Tim, for sharing your story. This is very important that you do. I'm glad that you enjoyed being on the show. And if you're listening to this, you have my undying admiration for coming forward like this.

Dave Bittner: Yeah.

Joe Carrigan: This starts with a Twitter account takeover. This is why I keep saying to people that you have things of value. Even if you don't think that you would fall for a scam, the fact that someone thinks it's you may cost somebody you know money. And how's that going to affect your relationship? You know, I never actually say that explicitly in my talks. I think I might actually start -- I'm going to add that to my list of reasons why you care about cybersecurity. Because believe it or not, Dave, sometimes people still say to me, I have nothing that anybody wants.

Dave Bittner: Yeah.

Joe Carrigan: And that's not true.

Dave Bittner: Yeah.

Joe Carrigan: Being blind, you don't have access to some of the information. You're missing a large portion of it.

Dave Bittner: Yeah.

Joe Carrigan: And Tim talks about that throughout this interview. And I totally, totally get that. I mean, I wear glasses, that's as close as it gets for me, right? So I can see everything.

Dave Bittner: Yeah.

Joe Carrigan: But I mean, just imagine not being able to get all the visual cues that you get from a page.

Dave Bittner: Right. Well, there's so many things we take for granted.

Joe Carrigan: Right. Exactly.

Dave Bittner: Yeah.

Joe Carrigan: Tim's point, Tim makes a point about screen readers, and he touches on the idea of alt text for images that newspapers will put in their articles, they'll have alternate text that describes the picture.

Dave Bittner: Right.

Joe Carrigan: So if you're using a screen reader, the screen reader can look for that alternate text and tell you what's in it.

Dave Bittner: Yeah.

Joe Carrigan: The bad guys are never going to enter or provide alternate text. And it's not because they specifically want to go after blind people. It's just because they don't even think about that.

Dave Bittner: They're lazy.

Joe Carrigan: They're lazy. Right. They're not going to do it because it's more effort for them. And they really want to get these scams up and running and operational as fast as they can.

Dave Bittner: Yeah.

Joe Carrigan: So alt text takes up time. However, that being said, I do want to note that there is a possibility that people could use this to target blind people by providing misleading alternate text. It's another place for social engineering to attack. I mean, and this goes without saying, but that kind of a person is a despicable person, but they exist.

Dave Bittner: Yeah.

Joe Carrigan: One of the things that also sticks with me is Tim says he feels stupid. I felt stupid this week with what happened to me. So I totally get that. And Tim lost $1,000. That has a lot of impact. If I lost $1,000, I would be enraged.

Dave Bittner: Yeah, of course.

Joe Carrigan: Try not to feel stupid, though. Even when this happens to you, it's not happening to you because you're stupid. It's happening to you because terrible people are doing something awful to you.

Dave Bittner: Yeah.

Joe Carrigan: That's what's happening.

Dave Bittner: Right. And you're human.

Joe Carrigan: And you're human. Yeah.

Dave Bittner: Right?

Joe Carrigan: Enter Selena and Steve, and they go hunting. I like this terminology a lot. They start interacting with the scammer. And I like that they're interacting with the scammer trying to social engineer him. That's pretty good. They then start gathering a bunch of information about him. They use the Grabify link that lets you find out where they are and find out that they're kind of operating close by on the East Coast of the United States.

Dave Bittner: Yeah.

Joe Carrigan: Now, they could be coming out of a VPN.

Dave Bittner: Sure.

Joe Carrigan: That's very possible. They could also be here on the East Coast somewhere. And they build up a collection of information that they can then hand over to law enforcement. Now, Tim talks about his interactions with law enforcement and says he finds that he is disappointed with law enforcement, to which I say, shocker. I recently talked about my son's ATM experience. And I don't recall if I talked about my interaction with law enforcement, but this was with the Howard County Police, and I found them to be very indifferent to the situation. Now, the loss to my son, actually to my son's bank, was $400.

Dave Bittner: Yeah.

Joe Carrigan: And they made them whole. So it wasn't a big deal. But when I went over to the Community Engagement Center, right -- and first off, the door is locked. So you know what? I'm not going to go on a tirade. Right?

Dave Bittner: Yeah, that'd be good. Let's stay on Tim and Selena.

Joe Carrigan: Stay on Tim's story. I'm not surprised. Suffice it to say, I'm not surprised that Tim was disappointed in the law enforcement's response.

Dave Bittner: Yeah.

Joe Carrigan: A lot of times, these things don't rise to their level of attention until they reach a certain dollar threshold.

Dave Bittner: Right.

Joe Carrigan: And part of the problem is, and we've talked about this before, is that the amount of fraud that goes on in what you would consider to be low-dollar area from a law enforcement perspective, but from a personal perspective is a high-dollar area, like $1,000, there's tons of that going on.

Dave Bittner: Yeah, and it's not a violent crime.

Joe Carrigan: And it's not a violent crime, right. Yeah. Selena makes a really good point about the dehumanizing of the victims here when we call them users, they get targeted by this. These are people being hurt here when this happens. And we need to remember that as a society, as an industry, particularly in the cybersecurity industry.

Dave Bittner: Yeah.

Joe Carrigan: And to Selena's point, that yeah, sometimes it can be hard to sit here and listen to all these stories.

Dave Bittner: You have to be deliberate to not find yourself getting callous.

Joe Carrigan: Right. Yeah. That's a good point.

Dave Bittner: Yeah.

Joe Carrigan: And that's something I have to watch myself with, Dave.

Dave Bittner: Yeah. It's hard.

Dave Bittner: It is. There's so many of them.

Joe Carrigan: Right.

Dave Bittner: And to Selena's point, you don't want to dehumanize people. You don't want them to just become statistics because they're real people, people like Tim.

Joe Carrigan: Yeah.

Dave Bittner: That's real. $1,000 is a lot of money.

Joe Carrigan: Yes.

Dave Bittner: All right. Well, our thanks to Selena Larson and Tim Utzig for joining us. We do appreciate them taking the time.

Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. The show is edited by Elliot Peltzman. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.