Hacking Humans 1.18.24
Ep 273 | 1.18.24

It's the intricate deceptions that get you.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Hacking Humans podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And joining us is our very special guest, Maria Varmazis. Maria, welcome to the show.

Maria Varmazis: Hi. Thanks for having me. I'm glad to be here.

Dave Bittner: Yeah. Very excited to have you join us today. So we're departing from our usual format just a bit. Usually Joe and I each share a story, and then we have a guest. But, instead, Maria will join us with a story in lieu of a guest, although I guess it's fair to say Maria is our very special guest.

Maria Varmazis: Keep saying very special.

Joe Carrigan: I'm checking an item off my bucket list. Do a podcast with Maria Varmazis. Check.

Dave Bittner: That's right. So I suspect that many of our listeners know Maria from her many appearances on The Smashing Security podcast. But then, also more important than that, she is the host of T-Minus, which is our daily space program here on the N2K Network. So, Maria, glad to have you here. We will be right back with our stories after this message from our sponsor. All right. We are back. And, Joe, I'm going to ask you to go ahead and kick things off for us with our stories here. What do you have for us?

Joe Carrigan: So this week my story is about a man by the name of Andy Cohen, who is apparently some kind of newscaster.

Maria Varmazis: Yes.

Joe Carrigan: I don't know who he is. I don't watch whatever network he's on. But he was on the Today Show. I think it was this morning as we're recording this.

Dave Bittner: Oh, right.

Maria Varmazis: He's quite famous in certain circles. Yes. Yes, he is.

Joe Carrigan: Not in the Joe Carrigan circle.

Maria Varmazis: Reality TV circles, he's -- he's very well-known. Yeah.

Joe Carrigan: Oh. That's why I don't know who he is. I abhor reality television. Can't stand it. Anyway, this is one of those shows. It's like a fishbowl. For some reason, they think it's a good idea to put the filming studio on the first floor. And always in the background, there's always someone looking in, like, Hey, what's going on in there.

Dave Bittner: Right.

Joe Carrigan: And I don't know. It just -- I find that humorous. Anyway, Andy Cohen was on the Today Show, and he's talking about an attack that he recently experienced that began with him losing his bank card, presumably a debit card, right. And he calls his bank and reports that it's been lost. We'll put a link to the entire interview in the show notes because it's really interesting to see what happens here.

Dave Bittner: Okay.

Joe Carrigan: The next day, he got an email from somebody that says -- that's actually a phishing email from his bank or impersonating his bank. And he goes to the phishing site and enters his bank credentials. And then they say, Well, what's your Apple ID? And he's like, Well, this is a scam, right?

Maria Varmazis: Yeah. Good instinct. Yep.

Joe Carrigan: Right. So he -- he terminates that interaction there. Now, I don't know if at this point in time he changed his password, which is the very first thing I would have done if I realized I'd entered my password on a phishing site for my bank. However, Andy is not a cybersecurity professional. He does not live and breathe this stuff, right. He -- he -- it's perfectly reasonable for him to say, Oh, this is a scam, and just terminate the interaction, go, Whew. They almost got me, not realizing that what's happened is they've already got it.

Maria Varmazis: Yeah. Yes. Yep.

Joe Carrigan: So -- so I have -- I have empathy here for Andy. I totally get why the next thing happened because the next day he gets a text message. It was somebody spoofing his bank again saying, Are you trying to make this transaction on your bank card? And he responds to text message? No. And as soon as he responds no to the text message, he gets a phone call. And the phone comes up, and they're spoofing -- this is another scam. This is a scammer, and they're spoofing his bank's caller ID. So it looks like his bank is calling. And the person to -- the person who's on the other end says, I'm from your bank fraud department and starts asking him about a transaction that he is -- that this fraudulent transaction, which probably doesn't exist, but then says, Well, let's look at some other transactions we have here and starts reading off transactions that are actually his legitimate transactions, probably because they have access to his bank account from the phishing attack.

Maria Varmazis: Oh, geez. Yeah.

Joe Carrigan: Successful phishing attack.

Maria Varmazis: Yep.

Joe Carrigan: Right. So they -- once he gave them the username and password and he didn't have multifactor authentication enabled, they were able to log in, and they were able to convince him that they had knowledge of his bank account and convince him that they were from his bank fraud department, and they weren't. Andy says that this person then said, I'm going to send you some codes via -- via text message. Read those numbers back to me for security purposes. These are codes that his bank was sending to him to authorize wire transfers. So, essentially, he's getting the code sent to him. The scammer is authorizing a wire transfer from the web interface of the bank. Andy's reading the code. The scammer is entering the code and transferring the money.

Maria Varmazis: Yeah. Ooh.

Joe Carrigan: Right. Now, at one point in time, the scammer said, Okay. Now, I need you to enter these numbers into your phone. And essentially what the scammer was having him do was enable call forwarding on his -- on his phone.

Dave Bittner: Really.

Joe Carrigan: Yes.

Maria Varmazis: Oh, my gosh. This is elaborate.

Dave Bittner: You can do that while you're in the midst of a phone call?

Joe Carrigan: I was listening to this scam, and I was horrified to hear -- hear what was going on here.

Maria Varmazis: Yeah. Oh, my God.

Joe Carrigan: It's -- you're right, Maria. This is incredibly elaborate. And Andy at one point in time in this interview, he looks at the camera and he goes, he says to the scammer, he says, I hate you, but you are remarkably -- you are remarkably good at what you do.

Maria Varmazis: Yeah, yeah. And he's a very high profile person. So it doesn't surprise me that -- that he would get hit with something this elaborate. But, man, it's elaborate.

Joe Carrigan: Yeah. It is. So now when the bank starts calling to verify that these wire transfers are legitimate, they get forwarded to the scammers. And they go, Oh, yeah. That's us. That's me. I'm Andy. And -- and I'm -- I authorized that transaction. At one point in time, he said when he was on the phone with this scammer pretending to be from his bank's fraud department, that he said, Yeah. Yesterday, I went to a website. And they not only asked for my credentials, but they also asked my Apple ID. And this person said, Oh, no. We would never ask for your Apple ID. That's obviously a scam.

Dave Bittner: Sure.

Joe Carrigan: Right.

Maria Varmazis: Just to build trust with him, you know.

Joe Carrigan: Exactly. That's what it does.

Maria Varmazis: We're the good guys, actually.

Joe Carrigan: Right. We're the good guys. Very convincing, right. So, you know, I thought this was a fantastic story in terms of -- in terms of what happened here and fantastic in, like, the level of fraud and deceit that went on here. Huge. And I have a few things I want to say about this. Number one, Andy Cohen did the absolute right thing coming forward and making this public, going on the Today Show and talking about it.

Maria Varmazis: Yes. Yes.

Joe Carrigan: Because Andy Cohen isn't the only person this happens to.

Maria Varmazis: Yeah.

Joe Carrigan: And this did not happen to Andy because he's -- he's a dummy. This happened to Andy because he was -- the string of transactions or the string of events lined up in his head, and everything made sense to him. And he thought he was doing the right thing, and he got -- he got scammed by a truly evil person.

Maria Varmazis: Yeah.

Joe Carrigan: Let's not -- let's not skip that part. This person, while, yes, Andy demonstrates his -- his respect for them, these people are bad guys, right. Now, my question for number two is -- oh, anyway, but I want to emphasize that. Andy, thank you for coming forward and talking about this.

Maria Varmazis: One hundred percent, yes.

Dave Bittner: The Today Show audience is probably almost as large as ours.

Joe Carrigan: You would think.

Dave Bittner: Yeah. I mean --

Maria Varmazis: Maybe, maybe.

Joe Carrigan: We're going to drive some traffic to their site and give them a bump.

Dave Bittner: Sure, sure.

Maria Varmazis: He has a huge platform of his own, too. Just personally, he's very, very big. So, yeah.

Joe Carrigan: Right.

Maria Varmazis: He's going to be reaching a lot of people who might not normally be thinking about this stuff so.

Joe Carrigan: Which is awesome that he's using that platform for this, even in something that, I guarantee you, Andy's embarrassed by this. He says as much. And -- but I would say don't feel embarrassed. You got victimized by somebody. I mean, if you're walking down the street and someone -- someone beats you up and takes your wallet, you don't feel embarrassed about that, right? This is the cyber version of that, right?

Maria Varmazis: Yes.

Joe Carrigan: It's not -- you know, you didn't fall for this because you're stupid. You fell for this because you're a human, and they hit all the right buttons for you. It just lined up. Now, I do think there's an interesting coincidence here that leads me, again, down my tinfoil hat path here, Dave.

Dave Bittner: Yeah.

Joe Carrigan: Like last week. But it's interesting that this happens right after he loses his card and calls his bank and tells them that he's lost his card.

Dave Bittner: Right.

Joe Carrigan: Now, Andy says this is 100% pure coincidence. If -- if I were a bank that -- if I were the bank here, I'd be like, Why don't we get some security analysts in here to take a look at our systems?

Maria Varmazis: Yeah.

Joe Carrigan: Get some data loss prevention systems enacted and see what's going on. See if anybody is telling somebody about this or selling this information on the inside or if we have somebody who's just watching our traffic and finds this stuff out. I'm not 100% convinced this was -- this was coincidence. I mean, it -- there's a good probability it was, but I'm not convinced.

Dave Bittner: I had a situation once where I called my bank about some sort of credit card issue. And I was calling the number on the back of the credit card, right? And I must have misdialed, you know, just fat-fingered it or something.

Joe Carrigan: Right.

Dave Bittner: But what answered was something that at first sounded like a legit call center for a credit card.

Joe Carrigan: Right.

Dave Bittner: But there was something about it that was just off enough, like it -- you know, it was a little too nonspecific, like it was there to catch all of everything. And I hung up and called back and got the actual bank. And it was, Oh, man.

Joe Carrigan: You have reached this bank. Right.

Dave Bittner: Right, right. So I -- you know, I wonder if there's the possibility of that. When he called and reported it lost, could he have misdialed and reached someone. But I think it's probably more likely, Joe, that what you're talking about, that either someone on the inside is making a couple of bucks; or, you know, there's some kind of scraping thing on one of the bank's internal computers or something like that.

Joe Carrigan: Right.

Maria Varmazis: Yeah, yeah.

Dave Bittner: Looking for these things.

Maria Varmazis: My money would be on insider threat, honestly. It -- to me, this seems like way more than a coincidence. And I would bet that he has to say that because of a lawsuit maybe going the bank's way.

Joe Carrigan: We here fear no lawsuits.

Maria Varmazis: Yeah. Honestly, Andy Cohen, I know -- I know you don't know who he is, but he is a -- he's a really legitimately big name. So I have no doubt that, if somebody on the inside saw that name come across, the dollar signs were going through their head.

Joe Carrigan: Right.

Dave Bittner: Oh. I see.

Maria Varmazis: So I imagine if he was working something out with a bank, he was going, I'm going to see you guys. I don't know. It's just -- that's just conjecture. But, still, to me, insider threat seems very, very, very likely.

Joe Carrigan: Yeah. So how do you protect yourself on this? Never trust inbound calls. Never, never, never trust an inbound call. Someone calls you from your bank's fraud department, you say, I will call you right back and ask for your fraud department. What's your name? And then get redirected that way.

Dave Bittner: Yeah. But don't call the number that that person gives you.

Joe Carrigan: Yeah. Don't call the number they give you. Call the bank number. Call the known good bank number, the number on the back of the card.

Dave Bittner: Right.

Joe Carrigan: Or, you know, in the event that you haven't lost it or the -- or the number that's on the website. And do not -- do not Google it.

Dave Bittner: I know. I was just going to say that.

Joe Carrigan: They got me again this past week, Dave.

Dave Bittner: Oh.

Joe Carrigan: I was -- it was -- I was looking for -- I can't remember. Maybe it was Comcast. No, it wasn't Comcast. It was somebody's customer service number.

Dave Bittner: Yeah.

Joe Carrigan: And I hit the first number that came up. And somebody answered and went, Customer service. And I'm like, You got me?

Maria Varmazis: Oh, no.

Joe Carrigan: Because he knows -- he knows what's up. And he's like, Yeah. I gotcha. That was it. I just hung up. Then I redialed. That's not a big deal when that happens. Just know that that's what happens.

Maria Varmazis: Customer service for who? And they're like, Well, who do you want it to be for?

Dave Bittner: Exactly. Right. All right. Well, very interesting. And we will have a link to that story in the show notes. Maria, what do you have for us this week?

Maria Varmazis: Well, it is hard to find good help these days, they say. And companies that are reeling from a ransomware attack, they have unfortunately really good reason to be very, very cautious about altruistic offers for help. There was a -- there was a research story out from Arctic Wolf Labs about something that I wasn't super aware of called a follow-on extortion campaign. And this was something that they had seen in October and November of this year, but they just published the research. And victims of the Royal and Akira ransomwares received emails from security researchers saying, basically, we're here to help. I don't know about you, but if I was reeling from a ransomware attack, an offer to help would sound like such a port in a storm.

Dave Bittner: Right.

Joe Carrigan: Right.

Maria Varmazis: Yeah. So they -- there were two names that were being used by these security researchers that were offering to help. One was called Ethical Side Group, or ESG. And the other one was xanonymoux. I don't -- I don't even know. It's not X anonymous. It just X -- anyway, xanonymoux.

Dave Bittner: Yeah. It's like the word anonymous with an x on either end of it kind of.

Joe Carrigan: Yeah. No s.

Maria Varmazis: Yeah. It looks hackery --

Dave Bittner: Yes.

Maria Varmazis: -- to the lay person. It does look quite hackery. So both the sets of victims received sort of similar-ish communications and claims from the supposed security researchers. And those claims include basically either offers of having the exfiltrated data in hand so obtaining what the victim had already lost or obtaining the data that was lost in order to delete it. So, basically, you weren't able to get this data because the ransomware either took it away from you or it deleted it, and we're going to get it back for you. So, again, a very, very appealing offer. But the victims in this case, the red flags started to go up because in this -- cases where the security researcher offered to obtain the data, the victim had been told by the ransomware that their data had been just deleted locally. So that data didn't go anywhere, so there was nothing that was exfiltrated. Or, in the case of server access offer from the security researcher, the ransomware had said also that the data was only encrypted. So some of these claims didn't quite make any sense. So the victims in this case that were being reached out to from the security researchers went, something's not quite right here.

Joe Carrigan: Yeah. This isn't adding up.

Maria Varmazis: Yeah. It's not adding up. So, in other cases, again, these claims are all a little bit related. Sometimes they've got a bit of a different flavor. But sometimes the researcher would offer not only to delete the data but also give access to the ransomware server. So I'm not sure what the plan would be there aside from just to sort of muck around, but sort of sounds maybe you could get revenge. I don't know what the goal would be there. But it's an offer.

Joe Carrigan: Yes. Now I can wreak my vengeance.

Maria Varmazis: Right. It sort of sounds tempting. And, again, we were talking about social proof. And, in this case, the email from the researchers actually came with proof of access to the exfiltrated data. So they would include little bits to show that they actually did have access to the data that they were claiming that they have.

Joe Carrigan: Interesting.

Maria Varmazis: Yeah. Very specific stuff, not just like, Oh, here's a zip file with your company's name on it but actually proof to have something. So there was a lot behind it that gave it heft. And the -- I guess the cherry on top of all this is that the price was a low, low five bitcoin just to do all this for the company that had been victimized.

Dave Bittner: Oh, five bitcoin. I mean, how much could that possibly be?

Maria Varmazis: It depends on the day, Dave. So, as of today, which may be very different when someone's listening to this, five bitcoin has about a 50k value, which, you know, it's not cheap, but it's -- compared to -- I was curious. What were the victims of the Royal and rans -- the Royal and Akira ransomware being asked, and Akira specifically, the ransom was usually 200k to 5 million.

Dave Bittner: Wow.

Maria Varmazis: So compare that to 50k, it seems like just, yeah. It's practically free. So, yeah. So what -- what seems really dastardly about this to me is especially a lot of the ransomware victims of Akira especially, these are really small companies, about 50 to 100 employees. And I don't know about you, but in companies that small, often they're not necessarily familiar with what a security researcher might actually do.

Joe Carrigan: Right.

Maria Varmazis: So this might smell legitimate to somebody. They may not actually realize that this is a very blatant extortion campaign.

Joe Carrigan: Yeah. This -- this seems a lot to me like the follow-on scams that -- that people hit that, you know, they pile on after they've got a victim, like an individual victim, not a corporate victim. But we've seen this where people have lost money in investment scams. And then somebody else contacts them and goes, I can get you your money back, but I need 10 grand up front.

Maria Varmazis: Yeah.

Joe Carrigan: And then, you know, they just take the money and run. It seems like it's an advancement and a -- and an increase in that.

Dave Bittner: Do we know, Maria, if the organizations that were approached by these folks had paid the ransom or not?

Maria Varmazis: I don't know about that. That was -- I was curious about that as well. I'm hoping when they saw the five bitcoin they maybe stopped and said, Okay. We think this is extortion.

Dave Bittner: Right.

Joe Carrigan: Right.

Maria Varmazis: Yeah. So I don't know. That is the question. Yeah.

Dave Bittner: I guess what I'm trying to understand is, did they pay the original ransom to, who was it, Royal and Akira ransomware groups and then this was trying to get more from them? Or did they not pay Royal and Akira, and was this the bad guys trying to take another swing at them --

Maria Varmazis: Yes.

Dave Bittner: -- with a lower -- lower amount of money?

Maria Varmazis: I think it's the second. To me, I was thinking of it as sort of a terrible upsell. Like, you didn't want to do the original one. Maybe you were a tiny little business and, you know, $5 million is way, way out of your budget. But maybe 50k is something you could manage, you know. So they're bargaining it down for you. You're still not going to get your data back. It's not going to happen. But, you know, 50k, maybe, sell you a little bit of hope.

Dave Bittner: Right.

Maria Varmazis: Yeah. It's terrible either way.

Joe Carrigan: It is.

Dave Bittner: So the recommendation here is, I guess, don't pay the ransom.

Maria Varmazis: Don't pay the ransom. And I think it, if possible, it behooves people to -- to familiarize themselves. Oh, this is a lot to ask people. A legitimate security researcher would not ask of something like this. That's not how a security researcher of repute works.

Dave Bittner: Right. They generally don't want to be paid in bitcoin, either.

Maria Varmazis: I mean, who knows? But, yeah. It's -- that's just not how they operate, so I guess maybe --

Joe Carrigan: I'll take any bitcoin anyone wants to send me.

Maria Varmazis: Like, if somebody wanted to give me some, I wouldn't say no. But, yeah. Maybe security researchers need a PR campaign of their own. That's not how we operate. That's not legit. I don't know.

Joe Carrigan: Yeah.

Dave Bittner: Wow. All right. Interesting. Well, we will have a link to that story in the show notes. My story this week comes from the folks over at the Hacker News. And this is about some goings on over on YouTube. I guess, before we dig in here, I'm going to ask each of you both. And I guess, Joe, I'll start with you.

Joe Carrigan: Okay.

Dave Bittner: To what degree do you have any experience throughout your long storied career and life being a person who's used computers for a long time with cracked software?

Joe Carrigan: I have -- I have avoided the use of cracked software, Dave. I have not -- I don't think I've ever -- like, I've played the demo version of games, you know, the freely available ones, but never, never got a cracked version.

Dave Bittner: Okay.

Maria Varmazis: Really.

Joe Carrigan: Yeah. Now -- now, I will say, once there may have been one product that wasn't a game that I used that was not cracked but was available, made available to me.

Dave Bittner: Okay. Obtained through other means.

Joe Carrigan: Obtained through other means. Right. When I got it, it was rather outdated.

Dave Bittner: Okay.

Joe Carrigan: But it was still very powerful.

Dave Bittner: Yeah. How about you, Maria?

Maria Varmazis: I don't think I could be any more different, Joe. I think there was a good part of my life where absolutely none of the software I was using was legitimate. All of it was cracked. I mean, that computer I had was completely radioactive in terms of how it was --

Joe Carrigan: All the malware.

Maria Varmazis: Oh, my gosh. But -- and I knew that. I just kind of assumed. But I would like to say it was just because I was a poor student. Let's just go with that being the reason. But, yeah. I have used a lot of cracked software in my day. I'm very familiar with like the bit -- what do they call the chiptune music that a lot of them play when you're installing them.

Dave Bittner: Yeah.

Maria Varmazis: I have some favorites.

Dave Bittner: Back in the day on the Mac, there was an app, basically a little database that was called Cracks and Numbers. And it was -- that's exactly what it was. It was full of -- basically it was a serial number database. And so you would just look up, you know, oh, I want to run Adobe Photoshop. And you'd look in cracks and numbers, and it would have, What version are you running? And here's a username and password. And, you know, back then, for a lot of this stuff, that's all it took to run a bit of software.

Joe Carrigan: Yeah because key just following an algorithm.

Maria Varmazis: Key generator.

Joe Carrigan: Yeah. Key generator.

Dave Bittner: Key generators.

Joe Carrigan: All right. Now, that I have used. And now that we're talking about this, yes, there's another one I've used.

Maria Varmazis: There you go. Big keeper, Joe.

Dave Bittner: Yeah. Well, and, you know, I think it's also fair to say that back in the '90s the threat of getting malware through a cracked piece of software was much lower than it is today.

Joe Carrigan: Right.

Dave Bittner: I would say, these days, it's pretty much 100%.

Joe Carrigan: Yeah.

Dave Bittner: Right. And, by the way, I mean, I'm thinking all the way back to the Apple II days back in the '80s. I remember, you know, there was always that guy who you wanted to play a copy of, I don't know, you know, Wolfenstein, the original Castle Wolfenstein or something that was -- and there was always a guy who could figure out how to circumvent the copy protection that was on --

Joe Carrigan: Yes.

Dave Bittner: -- the old Apple II floppy disk.

Maria Varmazis: Yep.

Dave Bittner: So everybody knew a guy, and that was a pretty common thing. I -- you know, back -- in my professional career, I remember there was a developer. His name was Kai Krause. And he developed a lot of very interesting graphics software that made really interesting things. And his philosophy was, he said, I understand that not everybody can afford to pay for everything. So, you know, if you copy a piece of my software to try it out, I don't have a problem with that. But if you use it professionally, please pay for it.

Maria Varmazis: Yeah.

Dave Bittner: And I thought that was a pretty fair, you know, compromise --

Joe Carrigan: Right.

Dave Bittner: -- back in the day that, you know, you want to try something out, fine. But if you are going to use it professionally, you've got to pay for it.

Maria Varmazis: Absolutely. Yep.

Dave Bittner: All that is to say that this article from The Hacker News is about YouTube videos that are promoting cracked software. So, you know, YouTube is I believe still the second most popular search engine out there, technically, beyond. Besides Google, more searches happen on YouTube than anywhere else. And I've certainly noticed that I'd say in the past decade or so YouTube became a popular place for folks to post things like cracks and serial numbers and things like that, you know, if you go on YouTube and search, just say, you know, Adobe Photoshop crack, you'll get a lot of hits. And most of them lead to URLs that are up to no good. And in this case, this particular story is talking about how it's being used to distribute the Lumma Stealer malware, which is -- does exactly what it says it will do. Once that gets installed on your -- on your computer, it looks to steal information. It's looking specifically for passwords and cryptocurrency accounts and, you know, basically anything that it can turn around and either use or sell for a buck. And these are -- these videos on YouTube are going after kind of the usual suspects. I mean, it kind of reminds me of what you were saying, Maria. It's the student who's looking to use a high-end piece of software, can't afford to do so. So a lot of this goes after things like high-end video production tools. They talk about Vegas Pro, which is a video editing software. The Adobe suite is always --

Maria Varmazis: Always.

Dave Bittner: -- a popular target because everybody wants --

Maria Varmazis: Always. That may or may not have been one of the cracked software suites that I had.

Dave Bittner: Right.

Maria Varmazis: May or may not.

Dave Bittner: You know, Microsoft Office is a big one. Just basically any of these that cost a pretty penny, and they go after students. And a lot of small businesses will use this sort of software as well. Another thing that's pretty rampant is a small business will buy one copy of a piece of software and then install it on everybody's machine, right.

Maria Varmazis: Yes, indeed.

Dave Bittner: And, of course, the providers have made that harder to do with everything being online. And so folks go looking for these sorts of cracks, and it leads to having these -- these stealers on your machine. This article points out that you can have things like crypto miners will be installed. Just all sorts of bad things can happen.

Joe Carrigan: So crypto miner would be the least of your concerns.

Dave Bittner: Yeah. Exactly.

Maria Varmazis: That's almost quaint.

Joe Carrigan: Right.

Dave Bittner: Yeah. You know, it's funny. I mean, I remember years ago -- and I want to say this was probably 2017 or so -- there really was a line of thinking that ransomware was going to die out, and crypto mining was going to be the thing because crypto mining is kind of -- and I'm going to use air quotes here -- a victimless crime in that, you know, if you're mining on somebody's computer while they're asleep, yes, technically you're stealing electricity from them. But they're probably not going to notice, right? So there's not a huge incentive for them to come after you, whereas with ransomware -- and this is back in the days of what I call nuisance ransomware where people were looking for $50 or $25 from consumers. They thought that was going to die down. And look where we are. Just the opposite has happened where --

Maria Varmazis: Yeah. Yep.

Dave Bittner: -- the ransomware operators hit the big time, and it's worse than ever. So -- so we will have a link to this story in the show notes. Of course, the bottom line here is don't use -- well, don't use cracked software. But if you must use cracked software, don't go to YouTube to look for your cracked software.

Joe Carrigan: Right.

Dave Bittner: Anybody know if the Pirate Bay is still around?

Joe Carrigan: It is still around.

Maria Varmazis: It's around. It's there.

Dave Bittner: Or so we've heard.

Joe Carrigan: So we've heard.

Maria Varmazis: I mean, I haven't been recently but --

Joe Carrigan: I'm a security researcher. I have to know these things.

Dave Bittner: Of course, of course.

Maria Varmazis: It's legit.

Dave Bittner: Absolutely, absolutely. As my friends over on Grumpy Old Geeks say when they need something, We're going to go to Sweden and get it. We're going to go over to Sweden --

Maria Varmazis: That's the way.

Dave Bittner: -- and find a copy of that.

Maria Varmazis: Yo, ho, ho.

Dave Bittner: Like, buyer beware. All right. We will have links to all of these stories in the show notes. We will be right back with our Catch of the Day after this short message. Joe and Maria, it is time to move on to our Catch of the Day. [ SOUNDBITE OF REELING IN FISHING LINE ]

Joe Carrigan: Dave, our Catch of the Day comes from the Facepalm community on Reddit. Never heard this one before.

Dave Bittner: Okay.

Joe Carrigan: Yeah. I don't spend a lot of time on Reddit, either.

Maria Varmazis: Really?

Joe Carrigan: I don't know who Andy Cohen is, and I don't --

Dave Bittner: Don't get out much, do you, Joe. Just --

Maria Varmazis: You're not on Reddit, though? Really? Okay.

Joe Carrigan: I'm on Reddit. I have a Reddit account. I just don't spend a lot of time there.

Dave Bittner: You spend time in your backyard bunker.

Joe Carrigan: Right now I spend time in my backyard raking leaves. I'm still raking leaves. It's January. Plenty of leaves to rake.

Dave Bittner: Yeah, yeah. Well, this is a screen capture, and it's -- very top of the screen is the logo of the FBI, the Federal Bureau of Investigation. Below that is a button that says, Pay with bitcoin.

Joe Carrigan: Right.

Dave Bittner: And then there are two pictures of the American flag, one rectangular picture of the American flag and one cropped down to a circle.

Joe Carrigan: That's the social media American flag.

Dave Bittner: Yeah.

Joe Carrigan: Right.

Dave Bittner: And then --

Joe Carrigan: That's the American flag on LinkedIn.

Dave Bittner: Right. And then for some -- for some reason midway down there's a picture of a Bengal tiger that is cropped to be a close-up of its face. And it is growling at you, and I guess this is to --

Maria Varmazis: Serious.

Dave Bittner: -- put the fear into you. Yeah. It's to trigger some kind of a fight or flight mechanism. Now, this pops up on your phone. And not only are you scared because it's the FBI, but they're going to unleash a Bengal tiger on you if you don't do what is said here so.

Maria Varmazis: Did it play the sound when you open it?

Dave Bittner: I can only hope. I can -- oh, what's this? Rah!

Maria Varmazis: It's the FBI.

Dave Bittner: Where's my bitcoin? Okay. I'm going to read the text here. It says, your phone is locked because of violation of the American government. Your heinous crimes will be met with serious fury and punishment for the crimes of communication with enemy state like North Korea, Syria, Iran, Iraq for punishment 10-year forced labor, 25-year prison. Rah! There's the tiger. If you want to avoid these undesire, you must pay 500 USA currency in bitcoin, and we say nothing. We are police. We can do serious things. Rah!

Maria Varmazis: And violation is spelled violatuion.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: It's terrible. Iraq, I don't know that Iraq is actually classified as an enemy state. I mean --

Maria Varmazis: That's the point that we're arguing.

Joe Carrigan: Yeah, yeah. I go for this -- I go for the little hands. It should be a tip-off, all the tip-offs.

Dave Bittner: I don't think Bengal tigers are native to any of those countries, actually, so.

Joe Carrigan: No. Nor are they native to the United States.

Dave Bittner: Right.

Joe Carrigan: What I would think, if I was going to put an animal in there, I would have put an eagle in there, right?

Dave Bittner: Yeah.

Joe Carrigan: The angry -- you know, the disapproving eagle, you know, the -- you know, the eagle looking straight at you with his eyes, you know, slanted downward like an angry face.

Dave Bittner: Right, right, right. The eagle of shame.

Joe Carrigan: The eagle of shame.

Dave Bittner: It's the same eagle they send out, the IRS sends out in their letters when they tell you that you underpaid this year. Disapproving eagle who -- oh, my goodness. Well, this is a good one.

Joe Carrigan: It's awesome.

Dave Bittner: Yeah.

Joe Carrigan: I love it.

Dave Bittner: I guess, you know, people pay -- I -- they had me at the Bengal tiger. That just really is the cherry on top of this so.

Joe Carrigan: There's a big, big button up to the top, says Pay with bitcoin. And the federal government will tell you over and over and over again they don't accept payment via bitcoin or a gift card or anything other than a check. Write them a check.

Dave Bittner: That's right. All right. Well, this is a great Catch of the Day. And, of course, we would love to get your Catch of the Days. Once again, you can email us. It's hackinghumans@n2k.com. That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. A quick note that N2K strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Maria, before we go, what do people need to know about T-Minus, and where can they find it?

Maria Varmazis: You can find T-Minus Space Daily on all major podcast platforms and at space.n2k.com. We are the only daily space -- I'm doing a bad job promoting my own show. We are the only daily space podcast for space professionals.

Dave Bittner: All right. Do check it out. Our executive producer is Jennifer Eiben. The show is edited by Tré Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: I'm Joe Carrigan.

Maria Varmazis: Oh. And I'm Maria Varmazis.

Dave Bittner: Thanks for listening.