Hacking Humans 10.26.23
Ep 263 | 10.26.23

Scams, scams, and more scams.

Transcript

 Mallory Sofastaii: And that's frightening to hear that, you know, mostly you think these scams are overseas, you know, you hear about these compounds where people are just - their whole focus is scams. But to actually hear that they have people on the ground who might pose as an FBI agent and come to your home, you know, that's -

Dave Bittner: Yeah, that's brazen.

Mallory Sofastaii: Fairly alarming.

Dave Bittner: Hello, everyone, and a warm welcome to the "Hacking Humans" podcast brought to you by the CyberWire. This is where every week we delve into the world of social engineering scams, phishing plots and criminal activities that are grabbing headlines and causing significant harm to organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And, later in the show, we are joined once again by Mallory Sofastaii. She is the consumer investigative reporter at WMAR-2 News in Baltimore. She's returning with some of the stories that she's been tracking. [ Music ] All right, Joe, before we get to our stories here, we've got some follow-up. Why don't you kick things off for us here?

Joe Carrigan: Dave, Kenneth writes in - we recently took a little bit of a break while I was traveling and you were doing some traveling.

Dave Bittner: Right.

Joe Carrigan: So, we ran some reruns.

Dave Bittner: Yeah.

Joe Carrigan: And Kenneth writes in and says, "Hello, Dave and Joe. I was just listening to the encore presentation of the podcast dated October 11th. Joe mentioned creating separate email addresses, for example, for credit card companies."

Dave Bittner: Mhm.

Joe Carrigan: "I am crazy enough to run my own email server. Not the one I'm using to send this," he notes. He says, "I create an alias for each organization who wants an email address. This means when someone loses my data or sells it, I can tell who is to blame. I can then delete the alias and send the problems into the trash. The worst example was when LinkedIn lost my data and I started getting sextortion email messages. I knew who was the root cause simply by looking at the 'To' field." So, in other words, he identified the email address because it was his own email address.

Dave Bittner: Right.

Joe Carrigan: He realizes that not everyone can do this. And he must admit it does raise his workload. So, it's not trivial to do this.

Dave Bittner: Right.

Joe Carrigan: "However, the few times I have not done this, I normally find myself unhappy that I did not."

Dave Bittner: Yeah.

Joe Carrigan: So, I'll agree with that.

Dave Bittner: Yeah.

Joe Carrigan: If you - if you're running your own email server, you should absolutely do this.

Dave Bittner: Yeah.

Joe Carrigan: If somebody says, "What's your email address," oh, I got an email address just for you.

Dave Bittner: Yeah, there's a way to do this with Gmail I think we've talked about before. You can just add a plus -

Joe Carrigan: Right.

Dave Bittner: To the first part of your email address. So, like if my name was dave@gmail.com, I could do dave+spamcatcher@gmail.com.

Joe Carrigan: Right. The only problem with that is everyone knows that trick and all I have to do is take everything between the plus and the at sign out and I have your email address.

Dave Bittner: Oh, yeah, good point.

Joe Carrigan: So -

Dave Bittner: Easy to automate.

Joe Carrigan: Right. With this, I can just spin up an email address and, when that email address gets compromised, shut it down and my server handles the rest of sending back bounces.

Dave Bittner: Right, right. No, that's better.

Joe Carrigan: Yeah, it is.

Dave Bittner: All right.

Joe Carrigan: You could also just go out and create new Gmail addresses every time you do it. I have like seven or eight Gmail addresses.

Dave Bittner: Yeah, yeah. All right. Well, Kenneth, thank you for sending that in. We do appreciate it. Shall we jump into our stories here?

Joe Carrigan: Yes, let's do that.

Dave Bittner: All right. I will kick things off for us. My story comes from Krebs on Security, which is, of course, a well-known security website written by Brian Krebs. And it's titled "The Fake Browser Update Scam Gets a Makeover." And Brian writes about this common scam that we've seen for a long time now where you'll be minding your own business, browsing on the internet, and you'll get a popup that says your web browser needs to be updated.

Joe Carrigan: I'm hearing Eddie Murphy in my head, "walking down the street, minding my own business."

Dave Bittner: Right. Okay. Your browser needs to be updated.

Joe Carrigan: Right.

Dave Bittner: And, so, it tells you you need to download some files. And you being a good safe person on the internet do so right away because lots of people have told you that it's important to install patches and keep up to date.

Joe Carrigan: Dave, I think we may have even said that here on this podcast -

Dave Bittner: Right.

Joe Carrigan: Once or twice.

Dave Bittner: But when you do, you are, in fact, taken to a place that is going to install malware on your -

Joe Carrigan: Right.

Dave Bittner: Computer. The twist here and what has updated this is that the folks who are doing this, of course, they need a place to store their bad files.

Joe Carrigan: Right. They need a hosting service for their malware essentially.

Dave Bittner: Right. And they also need a hosting service that is willing to look the other way.

Joe Carrigan: Right.

Dave Bittner: Or one that will not detect what they're up to.

Joe Carrigan: Yes.

Dave Bittner: And the latest wrinkle in this scam is that, evidently, they are using some blockchain technology, they're using places - a place called Binance, which is a smart contract provider -

Joe Carrigan: Right.

Dave Bittner: On the blockchain. And, basically, they host their code on Binance. And, so, when you go to Binance, you download this code that's part of a - that should be part of a smart contract, but, in fact, is the malware code. You download the code from there and then it gets executed. And they've got ya.

Joe Carrigan: Right. Now, this is something I don't even understand because I understand blockchain -

Dave Bittner: Right.

Joe Carrigan: But I've never taken the time to understand smart contracts. And this has to do with the Ethereum blockchain, or at least that's the first thing that pops into my mind is the Ethereum blockchain.

Dave Bittner: Yeah.

Joe Carrigan: Because Bitcoin's blockchain you can't do that with. Bitcoin's blockchain is just a blockchain.

Dave Bittner: Okay.

Joe Carrigan: But Ethereum's is not. It has the smart contract feature.

Dave Bittner: Yeah.

Joe Carrigan: So - but, outside of that, I don't know how that they're - technically how they're doing this. I'm sure it's possible. I know that you could put anything into a smart contract. I do know that. So, the fact that they're putting other code in there or even executables or whatever is not surprising to me.

Dave Bittner: Yeah. What they say here, and I'm just going to quote from Brian Krebs's write up on it, he says that he spoke to the head of security at Guardio Labs. And they said that "the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract's functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload."

Joe Carrigan: I see.

Dave Bittner: So, it seems to me like they're using some of the capabilities of the blockchain and the smart contracts to generate the malware on the fly.

Joe Carrigan: And what was it, the B something? B -

Dave Bittner: Binance Smart Chain, BSC.

Joe Carrigan: Oh, B - so, this is actually Binance's blockchain.

Dave Bittner: Correct.

Joe Carrigan: Okay.

Dave Bittner: Correct, yeah. So, what that does is it means to the - it can't be detected with like a static analysis where they're just looking for code that they know or a file type that matches something that's known ahead of time because the malware is being generated on the fly using the -

Joe Carrigan: The instructions -

Dave Bittner: The instructions -

Joe Carrigan: From the smart contract.

Dave Bittner: Exactly.

Joe Carrigan: Right.

Dave Bittner: Exactly.

Joe Carrigan: Okay.

Dave Bittner: Yeah. Now, they've reached out to the folks at the Binance Smart Chain and they're on it. You know, they're -

Joe Carrigan: What are they going to do?

Dave Bittner: Well, I don't know. I mean, they have seen some of the - I guess the methods that the folks use here and they're on the lookout for it. And, of course, if anything gets reported, they'll take it down right away. But, yeah, I don't know the specifics of how they're taking it down, but they are, you know, in good faith trying to do so.

Joe Carrigan: Right. Okay.

Dave Bittner: Yeah.

Joe Carrigan: I don't know how that works. I know that if there was something like that in Bitcoin, if there is a transaction in Bitcoin on that blockchain - and, again, this is not a smart contract blockchain.

Dave Bittner: True.

Joe Carrigan: So - and, again, I don't know how these smart contract blockchains work.

Dave Bittner: Right.

Joe Carrigan: But, once it's there, it's there.

Dave Bittner: Yeah.

Joe Carrigan: The blockchain is supposed to be immutable. Now, that being said, there was an Ethereum event that happened with a smart contract years ago where Ethereum actually rolled back the blockchain as a group. They agreed to roll back the blockchain and get rid of a piece of malicious code that was in the smart contracts of their blockchain.

Dave Bittner: Right.

Joe Carrigan: And that's why you now have Ethereum and Ethereum Classic.

Dave Bittner: Right. I remember that. Yeah, there was a group who hung on to the old one and then they - I - what, they forked off a new one. Right?

Joe Carrigan: They for - well, they forked off a new one, right, and that became the new official Ethereum.

Dave Bittner: Okay.

Joe Carrigan: But you can't stop a blockchain. The original blockchain is still out there.

Dave Bittner: I need a t-shirt that says that, "You can't stop a blockchain." It sounds like a '70s disco movie. Right?

Joe Carrigan: It does, yeah.

Dave Bittner: Once that blockchain is running, you can't stop a blockchain, Joe.

Joe Carrigan: That's right. You have to say "baby" after that.

Dave Bittner: Yeah, watch - just watch me -

Joe Carrigan: Right.

Dave Bittner: Watch me. Yeah. So, I - you know, I - again, I - as you, I do not know all of the nitty-gritty details of how smart contracts work. And, honestly, it's been a while since we've even talked about it over on CyberWire. I mean, it seems like they had their moment in the sun, like a lot of this stuff, and it's just sort of fallen off the regular conversations anyway. Which could just mean that they're in a state of equilibrium and they're doing -

Joe Carrigan: They're doing what they do.

Dave Bittner: Yeah.

Joe Carrigan: And they're doing it well.

Dave Bittner: Exactly.

Joe Carrigan: Right.

Dave Bittner: They figured out the glitches. And, you know, the people who need it, they know where it is and how to use it. Of course, I suppose this story points to something different from that, somebody's figured out a way to take advantage of it.

Joe Carrigan: Right. Yeah, it's just another way to exploit - you know, it's "my old hammer" analogy, Dave. It's a tool -

Dave Bittner: Yeah.

Joe Carrigan: And somebody's using it for evil.

Dave Bittner: Yeah, yeah. I like what Brian Krebs here says. He wraps up this article and he says, "More than a decade ago, this site published 'Krebs's Three Rules for Online Safety,' of which Rule #1 was, 'If you didn't go looking for it, don't install it.'"

Joe Carrigan: Yeah, that's a great rule, by the way.

Dave Bittner: Right, right.

Joe Carrigan: All those rules are great.

Dave Bittner: Yeah.

Joe Carrigan: I can't remember what the other two rules are, but I remember looking at that post and going, "These are all great rules."

Dave Bittner: Yeah. Yeah. And, in this case, what that means is if something pops up on your screen and says, "You must install this now," don't.

Joe Carrigan: Right. Yeah.

Dave Bittner: You know, consult with someone else or, you know, there's no reason you have to do it now.

Joe Carrigan: Right.

Dave Bittner: Take the time and scrutinize it.

Joe Carrigan: What's interesting is the browser update is taking - is being hosted - that page is being hosted on a compromised WordPress site. Right? So, it looks like your browser is telling you, "Time to update."

Dave Bittner: Right, right. Yeah. And there's certainly no shortage of those.

Joe Carrigan: Right.

Dave Bittner: Yeah. All right. Well, we will have a link to that story in the show notes. Joe, what do you have for us?

Joe Carrigan: Dave, I've got something a little strange I think.

Dave Bittner: Yeah.

Joe Carrigan: My story comes from Kate Knibbs over at WIRED. And I have a new term for you, Dave, obituary pirates.

Dave Bittner: Mhm, okay.

Joe Carrigan: It sounds like a great group of guys, right, right off the bat.

Dave Bittner: It sounds like a heavy metal band.

Joe Carrigan: There was a heavy metal band named Obituary -

Dave Bittner: Okay, there you go.

Joe Carrigan: A death metal band.

Dave Bittner: All right.

Joe Carrigan: Some controversy. I think I actually interviewed one of their guitarists when I was in college.

Dave Bittner: Really?

Joe Carrigan: Believe it or not.

Dave Bittner: Yeah.

Joe Carrigan: Yeah. But this is nothing as interesting as that. What's happening here is Kate is talking about a story - Kate Knibbs is talking about a story from one of her friends. Her friend had a classmate die unexpectedly.

Dave Bittner: Okay.

Joe Carrigan: So, what do you do when you hear that somebody from your past has died unexpectedly?

Dave Bittner: Well, I go looking for the obituary.

Joe Carrigan: You go looking for the obituary. That's exactly what I do. I Google it. And that's what Kate's friend did -

Dave Bittner: Yeah.

Joe Carrigan: Looking for the official bit - obituary. But Kate's friend really had to look for this obituary because there is what Kate calls a "slimy cottage industry" around obituaries and these obituary pirates. And what they do is they scrape sites that host obituaries and then just republish the obituary on their sites.

Dave Bittner: Yeah.

Joe Carrigan: These site owners are then good at search engine optimization, so that their site comes up first in the results.

Dave Bittner: This happened to me.

Joe Carrigan: Did this happen to you?

Dave Bittner: Yeah, yeah. A family member on my wife's side of the family passed away. And I went looking for the obituary. And, you know, when someone passes, you kind of get in this mode of waiting for the obituary to publish.

Joe Carrigan: Right.

Dave Bittner: You know? 'Cuz sometimes it takes a couple days.

Joe Carrigan: Yep.

Dave Bittner: So, you're just kind of checking in to see, you're looking for information about the funeral, about services, where to send things, all that kind of stuff.

Joe Carrigan: Right.

Dave Bittner: And this was someone out of town. And the first thing that popped up when things started popping up was a YouTube video.

Joe Carrigan: A YouTube video?

Dave Bittner: Yes.

Joe Carrigan: Well, that's interesting because we're going to talk about that in a minute.

Dave Bittner: Okay.

Joe Carrigan: But these guys are using the traffic that's driven to their sites to charge a premium for ads and they're selling these ads. There was one mentioned in this article about selling a topical vitamin C cream.

Dave Bittner: Huh.

Joe Carrigan: I don't know if that's how vitamin C works.

Dave Bittner: Yeah.

Joe Carrigan: Or if you're just rubbing something on your skin and hoping that the placebo effect makes you feel better.

Dave Bittner: Right.

Joe Carrigan: They, also -

Dave Bittner: That's how you get rickets.

Joe Carrigan: Right. Rickets. I think that's vitamin D, isn't it?

Dave Bittner: It could be. I don't know.

Joe Carrigan: Vitamin C is scurvy. I know that.

Dave Bittner: Yeah, there you go.

Joe Carrigan: So, sympathy card - they, also, sell sympathy gifts, like candles or flowers.

Dave Bittner: Okay.

Joe Carrigan: They just pocket the money from this -

Dave Bittner: Oh.

Joe Carrigan: These obituary pirates. But, more recently, Dave, these pirates are making YouTube videos, just like the one you saw.

Dave Bittner: Yeah.

Joe Carrigan: And these are low-quality videos. And Kate tells a story about the - one of them is just a man sitting alone and he's speaking directly to the camera. Other people narrate obituaries over corny slideshows of candles and photos and deceased - and the deceased from their social media platforms.

Dave Bittner: Mhm.

Joe Carrigan: Right?

Dave Bittner: Yep.

Joe Carrigan: So, these guys are going out, they're making YouTube videos, they're uploading them to YouTube and they're making money off of people's obituaries.

Dave Bittner: That's - yeah. And that's what I witnessed. I went to - I saw this YouTube video and it was just a guy, looked like he was sitting in his - sitting at his dining room table in front of a laptop, nothing special about it.

Joe Carrigan: Right.

Dave Bittner: Looked like probably someone of Southeast Asian descent.

Joe Carrigan: Okay.

Dave Bittner: And was just - read the obituary. And this struck - you know, I - my first reaction was, "What the heck is this?"

Joe Carrigan: Right.

Dave Bittner: Like, what - you know, what - why? Why? It just seems to me so ghoulish.

Joe Carrigan: Right. Well, I would agree that it's rather ghoulish. But, Dave, there's money to be made here.

Dave Bittner: I know.

Joe Carrigan: I'm sure of it.

Dave Bittner: Yeah. Yep.

Joe Carrigan: Kate reached out to a number of the proprietors of these accounts, probably even the guy that you saw reading your family member's obituary.

Dave Bittner: Right.

Joe Carrigan: And none of them responded.

Dave Bittner: Yeah.

Joe Carrigan: I - I'm - are you shocked by that? I'm not.

Dave Bittner: No.

Joe Carrigan: And that's exactly the response I would have expected. I don't think -

Dave Bittner: Right.

Joe Carrigan: Kate's shocked by that either.

Dave Bittner: No.

Joe Carrigan: There is a woman named Jessica Koth who Kate spoke to. She is the director of Public Relations for the National Funeral Directors Association.

Dave Bittner: Okay.

Joe Carrigan: Every trade has their national association.

Dave Bittner: Sure.

Joe Carrigan: Including funeral directors.

Dave Bittner: Yep.

Joe Carrigan: And Jessica says, "These videos are not sanctioned or authorized by the funeral home or by the family of the person who died. I would imagine they would be quite upsetting to the families involved." I couldn't agree more. I mean, did you talk to anybody about the video or did you just keep that to yourself? I -

Dave Bittner: I told my wife.

Joe Carrigan: Yeah, I mean, but -

Dave Bittner: Not immediately though.

Joe Carrigan: Right.

Dave Bittner: Actually, no, my wife - I did not mention it to my wife because I didn't - she didn't need anything additionally to -

Joe Carrigan: Right.

Dave Bittner: Upset her.

Joe Carrigan: 'Cuz this was a family member of your wife. So, was it a close family member? If I can pry?

Dave Bittner: Close enough, close enough.

Joe Carrigan: Close enough that -

Dave Bittner: Yeah.

Joe Carrigan: I don't want to see -

Dave Bittner: I mean -

Joe Carrigan: Some -

Dave Bittner: Yeah. So, I kept it to myself. But, probably about a week later, she mentioned to me that, at the services for this person, someone had mentioned this.

Joe Carrigan: Oh.

Dave Bittner: And I said, "Oh, yes, I had seen that. I saw it, too. And I just, you know, I chose to kept it to - keep it to myself just 'cuz why? You know?"

Joe Carrigan: Right. There is no sense in bringing this up to a -

Dave Bittner: Correct.

Joe Carrigan: Grieving family. It doesn't -

Dave Bittner: Not at that moment.

Joe Carrigan: Yeah, it doesn't make anything better.

Dave Bittner: Right.

Joe Carrigan: Right?

Dave Bittner: It's exactly, again, you know, just how ghoulish and unsettling it is.

Joe Carrigan: Yeah.

Dave Bittner: But I - it makes me think, "Is a - is an obituary protected in any way?"

Joe Carrigan: Well, we're going to get there.

Dave Bittner: [inaudible 00:17:04] I don't know.

Joe Carrigan: We're going to get there -

Dave Bittner: Okay.

Joe Carrigan: Because Kate was talking about some Reddit posts where people are talking about this practice -

Dave Bittner: Yeah.

Joe Carrigan: And they're wondering why it's happening and whether they can do anything to stop it. And one person says, "These people are monetizing our beloved ones' deaths."

Dave Bittner: Yeah.

Joe Carrigan: Terrible -

Dave Bittner: Yeah.

Joe Carrigan: That they're doing this. But there have been some consequences. So, in 2019, there was a Canadian company called Afterlife that scraped and republished obituaries. And they were ordered to pay 20 million Canadian dollars. I don't know how many real dollars that actually is. But -

Dave Bittner: Oh, boy. Right, right. Please, when you write your letters, address them to Joe.

Joe Carrigan: I mean nothing to our good friends, our neighbors to the north -

Dave Bittner: Uh-huh.

Joe Carrigan: Of the border.

Dave Bittner: Yeah.

Joe Carrigan: I don't know how many American dollars that would be, but it's pretty close actually.

Dave Bittner: Right.

Joe Carrigan: And they sued and they won $20 million -

Dave Bittner: Wow.

Joe Carrigan: From these people. And the reason for their victory was because of copyright infringement. They said these people were just scraping and republishing obituaries and publishing photos that they didn't have permission to publish. So, this company was fined $20 million.

Dave Bittner: Wow.

Joe Carrigan: These YouTubers are essentially summarizing the information.

Dave Bittner: Oh.

Joe Carrigan: And a quote from the article, it says, "While distasteful, it is not illegal."

Dave Bittner: Right.

Joe Carrigan: So -

Dave Bittner: Right.

Joe Carrigan: They're not committing any crimes here, but they are doing something that is going to hook into us. I mean, you saw the video of your family member's obituary. You saw - you - somebody else in your family saw the video. There were probably some people that saw the video that didn't talk about it -

Dave Bittner: Right.

Joe Carrigan: That you didn't hear about it. This practice is ongoing and I don't know that there's anything you can do to stop it, other than not look at it.

Dave Bittner: Yeah.

Joe Carrigan: Right?

Dave Bittner: I, also, wonder if it's - and I understand I'm treading on dangerous ground here. But I wonder if part of what set me back on my heels is just kind of the cultural mismatch. Right? Like someone who I don't know, who I will never meet, who is from around the world, who has no -

Joe Carrigan: Right.

Dave Bittner: Interest in this at all, does this, that it makes it feel somehow more invasive than, you know, if - I don't know, if - you know, if my local newscaster, right, were posting -

Joe Carrigan: Right.

Dave Bittner: These kinds of things and said that they were doing it as a tribute or something like that, it probably wouldn't set me off as quickly as some random stranger from the other side of the world.

Joe Carrigan: Right?

Dave Bittner: And I guess that's just human nature. I don't know if that's right or not. And I suppose it could speak to, you know, some biases or whatever that I have hardwired into me. But it's just an interesting dynamic. And I just - it - it's awful and it makes me sad that this is where we are.

Joe Carrigan: Right. This is -

Dave Bittner: Right?

Joe Carrigan: Yeah. Well, this is what the internet has brought us.

Dave Bittner: Yeah.

Joe Carrigan: I - you know, I don't know that there's any legal ramifications here. The platforms could certainly - YouTube could certainly say, "We're not" - well, but then you can't say, "We're not allowing obituary videos," because what if you're a funeral home and you want to put up obituary videos -

Dave Bittner: Yeah.

Joe Carrigan: On YouTube that are actually the tributes that the family has authorized?

Dave Bittner: Right.

Joe Carrigan: You can't do that either. I think it's just something we have to live with.

Dave Bittner: Yeah. That's the -

Joe Carrigan: For whatever you do.

Dave Bittner: Thing.

Joe Carrigan: Whatever you do. Don't pay to light a candle on an obituary site. Right?

Dave Bittner: Right.

Joe Carrigan: Never do that.

Dave Bittner: Right.

Joe Carrigan: I mean, that's like paying to win a game. It's even worse than that because all you're doing is -

Dave Bittner: Well, see what they - you know, find the legit obituary.

Joe Carrigan: Right.

Dave Bittner: Most people say, "In lieu of flowers, send a donation to such and such an organization."

Joe Carrigan: Yes.

Dave Bittner: I imagine the floral industry aren't big fans of that. But, aside from that -

Joe Carrigan: That's fine with me, by the way, Dave. If the floral industry died out tomorrow, I'd be happy. Same with the diamond industry. I think those are two things we spend way too much money on -

Dave Bittner: Okay.

Joe Carrigan: Flowers and diamonds.

Dave Bittner: All right. So, you know, you can find something that was near and dear to the dearly departed's life and make a donation in their name.

Joe Carrigan: Yeah. And -

Dave Bittner: Just do that.

Joe Carrigan: If you're close enough, you can make the family dinner for a night or something.

Dave Bittner: There you go.

Joe Carrigan: That's really the best thing I think you can do.

Dave Bittner: Yeah. All right. Well, we will have a link to this story. As you say, this was from the folks over at WIRED written by Kate Knibbs. We will have a link to that in the show notes. Joe, it is time to move on to our catch of the day. [ Soundbite of reeling in fishing line ] [ Music ]

Joe Carrigan: Dave, our catch of the day comes from me.

Dave Bittner: Okay.

Joe Carrigan: Isn't that great?

Dave Bittner: Yeah.

Joe Carrigan: I told you earlier today that I have a bunch of Gmail addresses.

Dave Bittner: Right.

Joe Carrigan: And Gmail has sent out these notices to all its users that, beginning December 1st of this year, if you haven't logged into your Gmail address in six months, they're just going to delete the Gmail address. And it won't be available for anybody else to ever use either. So, it's gone. They're going to just close them down, archive the name and delete the content.

Dave Bittner: Okay.

Joe Carrigan: So, I've been going around to the email addresses I care about and reactivating them and log - signing into them. And I did that with one of my old email addresses and I found an email from a number of years ago that made it into my inbox -

Dave Bittner: Wow.

Joe Carrigan: Completely by all the spam filters.

Dave Bittner: Okay.

Joe Carrigan: The subject line was "ajobw," all one word and all lowercase. And the text was, "fls." The phish was actually in an attached JPG, which I have posted here into our document that we read from.

Dave Bittner: Okay.

Joe Carrigan: So, I'm going to let you - it's kind of self-explanatory as to what it is.

Dave Bittner: Yeah. It says it's from the International Organization for Migration. And it says, "Dear winner: In collaboration with the European Conglomerate Oil and Gas Corporation, wish to inform you the four lucky winners in this year annual Lotto draws. Your email address emerged alongside three others as a fifth category winner. You do not require participating or buying a ticket in order to become a winner. It is a free Lotto Lucky Draws. You have won a total amount of 49,000 British pounds in fight against European Migrant Crisis Awareness Campaign and support. The following particulars are attached to your Lotto payment order serial batch number, winning number, reference number. Forward the listed details below to email mfundoguali@representative.com for immediate commencement of your payment process."

Joe Carrigan: Ah-ha.

Dave Bittner: "Your full name, residential or working address, winning and reference numbers, telephone and mobile number, age to South African Mediator Johannesburg South Africa Mr. Mfundo Guala. Furthermore, for security measures, we strongly advise you keep this information confidential until payment has been received successfully." Wow. Okay.

Joe Carrigan: So, I didn't respond to this.

Dave Bittner: Well, you missed out.

Joe Carrigan: I did.

Dave Bittner: I mean, it's been years now.

Joe Carrigan: It's been years. So, somebody else probably got my lottery - there are no lottery winnings, Dave. I find it interesting that the address - or the art on this is from the International Organization for Migration, but the return address actually says "Oil and Gas Corporation and the European Base Oil/Lubricants Conference, EMC, celebrates annual" - actually, it's not a return address, it's just a whole - it looks like a return address, but it's a whole thing about some oil and gas conference.

Dave Bittner: Right. Like they got their spam mixed up.

Joe Carrigan: Right.

Dave Bittner: They blended two of them or something -

Joe Carrigan: Yeah, I don't -

Dave Bittner: Like that.

Joe Carrigan: I don't know. This is - maybe this is just intended to confuse people.

Dave Bittner: Yeah. Or it could help make it get past a spam filter by -

Joe Carrigan: Yes.

Dave Bittner: Having more stuff. You know, that happens sometimes.

Joe Carrigan: So, yeah, that - there is one of the big scams that still runs around is a lottery scam. If you didn't buy a ticket, you didn't win. I didn't buy any lottery tickets that pay out in British pounds.

Dave Bittner: Right.

Joe Carrigan: So, there's no chance of me having won a lottery out of the UK.

Dave Bittner: Yeah.

Joe Carrigan: So, this is obviously just a scam. If you send these people any information, all they do is tell you about how much money you have there and you're going to have to pay some money to get it out. Just a basic advanced fee scam.

Dave Bittner: Right, right. All right. Well, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com. [ Music ] Joe, it is always a pleasure to welcome back to our show Mallory Sofastaii. She is a consumer investigative reporter at WMAR-2 News here in Baltimore. Mallory, thank you so much for taking the time for us.

Mallory Sofastaii: Yeah, thanks for having me, Dave and Joe.

Dave Bittner: So, you have been doing some really interesting reporting lately that is right up our alley here. And we're lucky to have you back to describe some of the stories you've been working on. What can you share with us today?

Mallory Sofastaii: So, recently, we had two stories where I went to the FBI Baltimore Field Office to talk with their agents there. I had reached out to them because, for these two scams in particular, I have been receiving a massive amount of emails, web hits on previous stories. And the first one involves tech support scams. And what I find so interesting about that is how these particular scams have evolved. You know, we're all kind of familiar with the emails that come out of nowhere, "Oh, we're renewing your virus software for a few hundred dollars. Click here to unsubscribe." You've probably seen those, right?

Joe Carrigan: Sure, absolutely.

Mallory Sofastaii: So, instead of that, you know, where it was a few hundred dollars or, you know, people would panic and be like, "Oh, no, I don't want my credit card charged again," so they would, you know, go through the process. And, through that process, they would lose a few hundred dollars. Well, now it's evolved into people losing their life savings, their retirement accounts, their investments. And how it's kind of working is it's around the same framework where they say, you know, "There's an issue with your computer." There's a popup that comes up. You're - you think that your computer is frozen. "You need to call the Microsoft support number right away." And it's interesting because we've seen this happen on Google Chromebooks. And that should be the first red flag, but you're just not thinking about that when you can't do anything on your computer and you kind of panic. Right?

Dave Bittner: Right.

Mallory Sofastaii: So, these people, you know, they call the phone number, they're connected with someone. The person immediately answers, "Tech support." They don't identify which company they're with because who knows how many people they're doing this with or, you know, where they've put out their feelers. And then it just kind of goes from there. You know, the conversations can last several hours. And they try to tell you, you know, "Listen, this is really urgent. Someone's accessed your computer. They're stealing your information now. We need to work together in order to stop this. We need to secure your financial accounts which have also been compromised. So, you know, here's what I need you to do by downloading this software," which ends up being a desktop sharing program. They asked the people to sign into their financial accounts, not knowing that the person on the phone can see them accessing their accounts. And then sometimes they can be really sophisticated where they - since it's a desktop sharing app, they might put something up on the screen. So, you know, if you were looking at your computer screen right now, you would see a window. But, behind that, what they're doing is they're transferring money within your own account. They might move it. They might do like a Zelle transfer outside. Sometimes we've seen where they transfer your money from your savings account to your checking account. How does it work really? It's an overpayment scam where they start to panic, they start to say, you know, "I reimbursed you too much. I refunded you too much money. My boss is going to be so angry. I need you to transfer it back. You know, please, please." And they beg and it goes on and on. And, you know, "I need you to send me that money back to me." But, really, what it was it was your own money. They were just moving your savings to your checking so it made it seem like you received a refund when that never happened. 
And then, instead, now you're sending your money to the scammer. So, they give all kinds of different reasons. But the reported losses are through the roof with this scam right now. When I talked to the FBI Baltimore Field Office, you know, he said it's not uncommon. We talked to Special Agent Keith Custer. He said it's not uncommon to see $600,000, $800,000, a million dollars in loss per victim. And that's because these people just panic and they give access to all of these accounts. And these scammers have no problem staying on the phone with you as long as possible to try to get as much as they can from you.

Joe Carrigan: Well, it's their job, really. Right?

Mallory Sofastaii: Right, right.

Joe Carrigan: That's what they do for a living.

Mallory Sofastaii: It's so awful, too, how much money that these people lose and how this particular scam has become so lucrative. And I know, you know, you guys have this tech background and, for the people that I interview, many of them are elderly, they don't really understand what this virus software does or what these notifications mean. All they know is they want access to their accounts and their computers and they don't want anyone to steal their money. When, instead, they're somehow giving it away.

Dave Bittner: Right. We had a story we covered recently where that was exactly the scam that you are describing. But one of the things that struck me was when the victim called in and thought she was talking to Microsoft, the person pretending to be Microsoft said, "Let me transfer you to your bank's security team," right, and pretended to transfer the call. But, of course, it was just transferring her to another scammer and now she thought she was talking to someone at her bank who was trying to protect her. But, of course, it was just another one of the scammers.

Mallory Sofastaii: I have heard that time and time again where, you know, it's multilevel. They keep transferring you to someone else, "Oh, I need you to speak with my supervisor," "here's the person in charge of securing accounts." And what's even more concerning, too, is - the FBI agent that I spoke with, he said, "We've actually seen people come to the victim's homes in person. What they'll say is, 'Because your information has been compromised, it's being used in an illegal scheme, a money laundering scheme. I'm going to send an FBI agent to your house to collect this money that, you know, is involved in this scheme. And then, you know, we'll be able to clear your name." And that's frightening to hear that. You know, mostly, you think these scams are overseas. You know, you hear about these compounds where people are just - their whole focus is scams. But, to actually hear that they have people on the ground who might pose as an FBI agent and come to your home, you know, that's -

Joe Carrigan: Yeah, that's brazen.

Mallory Sofastaii: Fairly alarming.

Dave Bittner: Yeah, yeah. You had another story about a romance scam. What was going on with that one?

Mallory Sofastaii: Yeah, unfortunately, I feel like we keep revisiting this, you know, every few months or several times a year. But we wanted to get this one out around "The Golden Bachelor," the new ABC show, because we know a lot of people who are older, you know, they're looking for love, they want to find their special person. And, with romance scams in particular, a lot of the victims are widows or widowers. And we came in contact with this woman in Frederick, Maryland, she's a widow. Her husband had passed a few years prior. It was a really kind of devastating situation where it was a medical incident and he passed away right in front of her. And she was very kind of traumatized by that and it was obviously upsetting. So, she's been leaning on her friends. And one way she's been able to keep in contact with her friends is through Words With Friends, the gaming site where you - you know, it's almost like a virtual Scrabble.

Dave Bittner: Right.

Mallory Sofastaii: But that's where she was contacted by an individual. He said his name was Michael. Just randomly messaged her saying, you know, "Would you want to play with me?" And they played Words With Friends and he immediately asked her to continue the conversation on WhatsApp. And that's kind of the first red flag is, you know, when you meet someone on an online dating site, on, you know, Facebook or even Words With Friends, they try to move you to a different platform, maybe one that's not being closely monitored. So, something like WhatsApp, where it's more private. They continue talking over several years. They develop this relationship. He says, you know, he is an architect over in Turkey. He has a son around the same age as hers. And that's something else we've seen where, a lot of the times, these romance scammers will mimic the profile of the person that they're targeting. So, "Yes, I'm also widowed." This, you know, person claiming to be Michael said same thing, his wife died suddenly in a medical emergency. You know? And it's just been him taking care of his son. Well, throughout the course of their conversations, which spanned several years, he made up a story about his son being in a bad car accident and all of his money had to go to these treatments and these blood transfusions, et cetera, "Can you help me with that?" And then she is a very religious person and she feels - you know, she kept saying to me, "I'm a Christian and I want to help people. And, so, I sent him money. And that's - I have no regrets about doing that." And then it evolved now into an investment opportunity. She wants to leave money to her kids. She had $35,000. He convinced her to send that into this investment company and started sending transaction statements showing how her $35,000 suddenly morphed into over $900,000. And, wow, what a great investment that was. 
And, so, she came to the point where it was like, "Okay, you know, now that it's grown so much, I want to be able to take some of that money out." And that's when they hit you with the fees. "Oh, well, in order to do that, it's going to be $17,000." "It turns out that this company is now in the United Kingdom and you're going to have to pay customs and import fees," et cetera. The money just keeps tallying up, the excuses keep growing. And, so, over the course of speaking with her, you know, it got complicated because what we didn't realize is she still believes Michael is real and Michael is who he says he is. And, you know, his - her daughter was trying to tell her, "This man is scamming you. You know, these transaction statements are fake. And, you know, he's just trying to deceive you." And it's been really hard for her to believe that someone could be that cruel and do that to her over, you know, the course of speaking several years. And she really was trying to convince her daughter into letting Michael visit, and asking me if I would talk to her daughter about that. And I tried telling her, too, you know, this is what happens. There is like this playbook that the FBI also went through with me and I conveyed to her how these scammers operate whereas they, you know, move your conversations to a different platform, they mimic your profile, they love bomb you where they're constantly messaging you and calling you and saying all these sweet things, and just kind of messing with your head. You just develop this relationship. Sometimes they ask you to keep it private, let's not go public just yet, it's too early. And then they get into the money aspect. That was kind of hard to hear. You know? And even in speaking with the FBI agent, she says, "That's the hardest part of my job is trying to convince some of these victims that these people aren't real." And it's just so hard to believe that when -

Dave Bittner: Right.

Mallory Sofastaii: You've developed this kind of relationship with someone.

Joe Carrigan: And she is still convinced to this day that Michael is a real person.

Mallory Sofastaii: She is, yes.

Joe Carrigan: Wow, that's -

Mallory Sofastaii: Her daughter -

Joe Carrigan: That's heartbreaking. It is -

Mallory Sofastaii: Yeah.

Joe Carrigan: This is a long game as well, years in the making for -

Mallory Sofastaii: Years.

Joe Carrigan: Pulling this scam.

Mallory Sofastaii: And you can only imagine how many people they are doing this to at once. You know, all you have to do is send a few messages a day, keep in contact. So, they could be doing this to a number of people and just trying to acquire new people as well. But they really do, they invest time. And, you know, if someone were to ask you off the bat who you didn't know, "Can you send me a few thousand dollars," you're going to say, "No." But if you fall into this narrative of, "Oh, my gosh, he has a son the same age as mine. I can't imagine if that was my son, Peter, who was in this terrible car accident and now I can't afford treatment for him." So, they just keep building this web that these victims keep falling deeper into. And, you know, then it's hard for the family members, the actual people who are there to tell them, you know, "It's been a lie. All these years, it's been a lie."

Dave Bittner: As Joe said, I mean, one of the things that strikes me is just what a long game this is. I would say I really hadn't considered the fact that these folks could be playing something like this out over years. You know, days, weeks, months certainly, but to be in it for this long. And, as you point out, that really establishes this sense of trust. This is someone I've known for years, they have been through me through good and bad, through thick and thin. And why wouldn't I help them? It's really fascinating.

Mallory Sofastaii: Yeah. And we've seen these scammers, they isolate that individual. You know, "Maybe you shouldn't be talking to this person every day." You know, "Don't tell this person about the money that I've asked you about. You know, wouldn't it be a great surprise when you're able to gift them this amount of money later on?" But they try to isolate the person so that the ruse isn't up. You know, they don't want other people from the outside to realize who the victim is speaking with because, as an outsider, you see it much more clearly than you would when you are that invested.

Dave Bittner: You know, in the time that you've been tracking this in your job there at WMAR TV 2 News, have you sensed a growth in sophistication with this? What sort of evolution have you seen with the scams that you've been tracking?

Mallory Sofastaii: Oh, absolutely. I mean, now it's strictly cryptocurrency. Right? We used to see only gift cards. And still, you know, that might be like leading up to the big ask where they ask for gift cards and you go and you buy them and you scratch off the back and they take a picture and send it. And, immediately, the scammer will wipe those cards out. And then they think, "Okay, well, if I can get them to send these gift cards, then maybe I can get larger sums via cryptocurrency." And even with the tech support scams, you know, when we were talking to Special Agent Keith Custer, he said it's not uncommon to see older people at these Bitcoin ATM machines feeding in $100 bills and then sending, you know, thousands of dollars via Bitcoin. And I think it's because many people - I mean, it's a complex thing to understand with cryptocurrency. We're not used to it. It's still not commonly used as a payment method. So, if someone's walking you through it, they stay with you on the phone and they tell you exactly which Bitcoin ATM is within your area, the closest one. And, you know, if that - that - if that one's not working, go to this one. They ask for your location so they can direct you. And the whole time they're on the phone with you walking you through it, answering your questions. And you almost think that they're there to help you.

Dave Bittner: What are your recommendations for those of us who are, you know, friends and family? I always think about, you know, my own parents and loved ones. What sort of things should we be telling them?

Mallory Sofastaii: I talk about this all the time with my mom. She is a widow, she was on these dating sites and she was getting these messages. And I could clearly immediately see that they weren't who they said they were. And that was because maybe the photo was too good or, a lot of the times, I might just question, you know, people in military uniform are big targets because they know that Americans respect the military and, you know, officers in uniform maybe some women have a thing for that.

Joe Carrigan: Sure.

Mallory Sofastaii: But that is - that seems to be a big target where they will take those photos and use that as their catfish almost. So, I just - I encourage people to have these conversations with their loved ones. You know? Even if they're not searching for love. If - like I said, you know, this woman met this man on Words With Friends. You wouldn't - I would never assume that you would meet a love interest on an online gaming site. But they're trying to get you wherever they can. They just need that kind of introduction in order to start building that rapport. So, you need to have those conversations with anyone. You know? And I try to tell my mom each time I come across one of these situations like, "Please just talk to me about it. Don't be ashamed. You know, let's have an open conversation." Never send money to someone else. Even if you think it's real, consult with a friend, consult with a family member first before you send anything. Because, like we said with cryptocurrency, it's becoming increasingly harder to get that money back.

Joe Carrigan: So, Mallory, you said in the story you had about the tech support scam, that people were getting their retirement funds cleared out and other bank accounts as well. Is there any recourse for these folks? Do they have any way of getting this money back? Or is it just gone? Can it be tracked through the banking system?

Mallory Sofastaii: It's hard to say. In my experience, most of these people aren't able to recover that money. Unless, you know, the FBI decides to pursue a case, they identify patterns and then they hand it off to the DOJ and those people are prosecuted. But then restitution can take several years. So, unless it's reversed immediately, the likelihood of recovering that money is very low. But if you do send money and you do notify your bank right away, there is the chance that they might be able to intervene, intercept. I mean, don't even go immediately to the FBI because how that system works is you file a complaint, it goes to their IC3, their Internet Crime Complaint Center. And then IC3 sends it out to the individual bureaus. So, that takes time. Right? Contact your bank immediately. You want someone who can act quickly. Contact, you know, the investment company, whoever it is that has this money or was overseeing it for you, and do what you can. Contact local police. You know, in my experience, it depends. With different agencies, they might have better financial crimes units or, you know, more staffing or resources there so that they can pursue these cases. But you just want to act as quickly as possible.

Dave Bittner: And then I - is it fair to say contact folks like you, your local investigative reporter who often has success getting action from some of these other agencies when people feel like they're not being heard?

Mallory Sofastaii: Yeah, absolutely. You know, even if we're unable to help you recover that money, we can at least do what we can to spread the word about it so that more people don't encounter the same situation. I've also seen, too, where, you know, banks are required by federal law to reimburse victims when there's an unauthorized transaction. Meaning someone goes into your bank account and steals it. Now, if you transfer the money out, not always will they reimburse you. But sometimes, you know, if I send an email and we clearly point that out, it can help. Or you can go to the Consumer Financial Protection Bureau, which is another resource for consumers.

Dave Bittner: All right. Well, Mallory Sofastaii is an investigative reporter at WMAR-2 News in Baltimore. Mallory, thank you so much for joining us again and taking the time for us. Always a pleasure.

Mallory Sofastaii: Likewise. Thank you both. [ Music ]

Dave Bittner: That is our show. We want to thank all of you for listening. Of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K's strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.