Hacking Humans 1.25.24
Ep 274 | 1.25.24

Phishing for mail.


Abhilash Garimella: And if they miss you with the delivery scams and you are savvy enough to avoid all this, there are people stealing packages off your porches. So it's sort of all these digital landmines that have been built around. It's really difficult for a consumer to navigate through.

Dave Bittner: Hello, everyone, and a warm welcome to the "Hacking Humans" podcast, brought to you by the CyberWire. Every week we delve into the world of social engineering scams, phishing plots, and criminal activities that are grabbing headlines and causing significant harm, all over the world. I'm Dave Bittner, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hi Joe!

Joe Carrigan: Hi Dave!

Dave Bittner: We've got some good stories to share this week. And later in the show, Abhilash Garimella. He is head of research at Bolster. We're talking about a phishing campaign that was targeting consumers of the US Postal Service. [ Music ] Alright, Joe, before we jump into our stories here, we have a couple of items of follow-up here.

Joe Carrigan: Yes, two quick items here. Cybernews has a story on something we talked about way back in Episode 272, and that's the ad that you kept seeing popping up about the car accident.

Dave Bittner: Yes. Yes. "I miss him so much." Yes.

Joe Carrigan: Yes, that one. So we have a link in the show notes about that, so go check that out. That's from Cybernews.

Dave Bittner: Let me just add to that, that I got a hot tip from my wife who is a Facebook Group administrator. So she knows how to use Facebook at a much higher level than I do. And she made the suggestion -- Probably. She made the suggestion within Facebook, rather than looking at the timeline that it provides you with, look at the feeds. So look at Facebook Feeds, and then select just a -- what do you call it? What's the timeline where it's in order of the time the things happened?

Joe Carrigan: Chronological?

Dave Bittner: Thank you! Chronological! That's the word I'm looking for. It's chronological. Set your feed to chronological, just from your friends, and that will pretty much do away with that particular scam. And I tried it, and sure enough.

Joe Carrigan: I'll do that tonight.

Dave Bittner: It worked.

Joe Carrigan: I actually -- I don't know if I'll do that tonight, because I'm not on Facebook every single day.

Dave Bittner: Yes.

Joe Carrigan: I have the Messenger on my phone, and that's pretty much the only reason I still have a Facebook account is because of Messenger. Like I say, every time we talk about it, it keeps me in touch with family.

Dave Bittner: Yes.

Joe Carrigan: That's it.

Dave Bittner: Yes, well, the feeds make Facebook a much more pleasurable experience, which is hardly a compliment. [ Laughter ]

Joe Carrigan: It's a lot better than hitting yourself in the thumb with a hammer when you're --

Dave Bittner: Exactly. Rather than, you know, a sledgehammer, just a regular hammer. It's much less painful. So yes. What else we got, Joe?

Joe Carrigan: Mike wrote in to tell us about a breach at a company called Resend.

Dave Bittner: Okay.

Joe Carrigan: This is a company that he uses in his development. They offer an API that you can incorporate into your software products that manages email.

Dave Bittner: Okay.

Joe Carrigan: Resend had a breach starting late last year, and they emailed everybody. And Mike sent along a copy of the email.

Dave Bittner: Yes?

Joe Carrigan: That he received, which is essentially the breach notification, and we'll put a link to this in the show notes. This is how you do breach notification.

Dave Bittner: Oh, okay.

Joe Carrigan: It's a pretty good paper. Yes. I'm sure that Mike is frustrated that some of his data may have been breached, but I don't want to focus on that. I want to focus on the fact that Resend actually put together a pretty good report, and made it public on their web page about this breach.

Dave Bittner: Okay. Very good.

Joe Carrigan: So good stuff. Well done, Resend.

Dave Bittner: Yes. Finally we have an anonymous listener who wrote in with a handful of things. I just want to cover a couple of them here.

Joe Carrigan: Alright.

Dave Bittner: First of all, this person wrote in and said, hey guys, just listened to the episode and have a thought about Michael's SMS scam issues. So this was the person whose wife was driving the car and getting on a toll road, and kept getting an SMS message, a text message, saying that hey, you're on a toll road, and you need to pay the toll.

Joe Carrigan: Right.

Dave Bittner: Right? So this person writes and says, to me, you guys actually said the answer, ALPR, that's automated license plate readers.

Joe Carrigan: Alright.

Dave Bittner: My guess is that it may not be a scam, and may be legit. Michael says that he has etag, but it's his wife who had the car. So to me, the state or county has used ALPR and is not correlating the license plate with the paid etag. So they see her plate, and see that she does not have an etag registered to her. That's my guess.

Joe Carrigan: Poorly developed software system, used by a government entity. Hmm.

Dave Bittner: So I think this is plausible.

Joe Carrigan: It is plausible. Very plausible.

Dave Bittner: Yes.

Joe Carrigan: I would agree with this. Recently, we switched back to the Maryland etag system, which is EZPass.

Dave Bittner: Yes.

Joe Carrigan: When I signed up for it, Maryland had a convenience fee of like, $5 a month.

Dave Bittner: Okay.

Joe Carrigan: Which is -- I don't like paying a convenience fee for something that costs you less money to do.

Dave Bittner: Okay.

Joe Carrigan: So we had the Delaware EZPass.

Dave Bittner: Right.

Joe Carrigan: Which you can sign up for, because they didn't have the $5 a month fee.

Dave Bittner: Yes?

Joe Carrigan: Not only am I cheap, but I'm also a little resentful [laughs]. So I went ahead and did that. But then I decided -- Maryland changed the rules a couple of years ago, and I was like, I should really sign up for the Maryland EZPass, especially since they give you lower tolls if you're a Maryland resident.

Dave Bittner: Okay.

Joe Carrigan: So if you live in Maryland, now there's no reason to not have -- in fact, you're foolish if you don't have the Maryland EZPass.

Dave Bittner: Yes.

Joe Carrigan: So I signed up for that, but at the same point in time, my Delaware one had expired.

Dave Bittner: Oh, okay.

Joe Carrigan: So the Maryland guys were sending me messages, and I said, okay, I'll sign up for the Maryland one now. And I said, will my old tolls be applied to my new account? And it took them, like, three months to work that out. But they kept sending me bills, and I kept saying, no, you're supposed to charge my credit card for these, because I have an account with you. You know the tag numbers. You have the tag numbers. You know the tag numbers of all my cars. You have all this information, go ahead and please put it all together and charge me.

Dave Bittner: Yes.

Joe Carrigan: Took them months. [ Laughter ]

Dave Bittner: Okay, well at least they didn't overcharge you, I guess, right [laughs]?

Joe Carrigan: I don't think they did. I don't know. I don't look at the statements too well.

Dave Bittner: Yes, well, you can't fight City Hall, Joe. You can't fight City Hall [laughs].

Joe Carrigan: Actually, I'll say this. Maryland state government is pretty responsive when you call them up.

Dave Bittner: Yes, and I have to say, I mean, you know, all the nightmare stories, but most of my interactions with our MVA have not actually been that bad. Pretty good.

Joe Carrigan: That is one thing that I'll disagree with you about. I've had miserable experiences at the MVA, especially around here. So much so that I go to rural areas of the state to do my MVA business.

Dave Bittner: Okay, fair enough. This listener says, one more thing, says on the Facebook ads, this has happened to me before, this is where you were talking about the pan that you had purchased?

Joe Carrigan: Right. I was talking about the HexClad pan.

Dave Bittner: Right, right. And this listener says I'm willing to guess that you purchased the pan from Amazon, and the Amazon account uses the same email address as the Facebook account. So simple tracking, sort of.

Joe Carrigan: Well, my son actually picked up the pan.

Dave Bittner: Yes?

Joe Carrigan: And my wife and I were the ones talking about it. We didn't -- I didn't even search the pan or look for it. So it was not that. But the same resident, it was shipped to the same house. My son lives with us, so.

Dave Bittner: Yes.

Joe Carrigan: Yes. It could be. It could be they -- and the correlation -- he's right. The correlation is simple. They know where we all live.

Dave Bittner: Yes [laughs]. They sure do.

Joe Carrigan: They sure do. [ Laughter ]

Dave Bittner: Alright. And this listener follows up and says I like the show, the banter, and what you guys are trying to do, even if you may say something I disagree with. Keep it up, and hopefully the show will be around for years to come.

Joe Carrigan: What! May say something we disagree with? He should not disagree with anything we ever say.

Dave Bittner: He must be talking about me, Joe.

Joe Carrigan: Okay.

Dave Bittner: Because obviously no one could ever disagree with anything that you say. So.

Joe Carrigan: Everybody should disagree with what I just said, by the way [laughs].

Dave Bittner: Alright.

Joe Carrigan: Nobody should 100% agree with anybody else.

Dave Bittner: Okay. Fair enough. Alright, so again, thank you all for writing in. We do appreciate it. And you can send us a message. It's hackinghumans@n2k.com. Alright, let's move on to our stories here. I have a story from the folks over at ProPublica. And this is an article titled, How Walmart's financial services became a fraud magnet. Something at Walmart being suboptimal, Joe. I'm shocked. I'm shocked. Shocked [laughs]! So --

Joe Carrigan: I don't like Walmart.

Dave Bittner: Yes. I don't -- I mean, I think that's a pretty common thing -- I think most people -- I think most people don't shop at Walmart because they choose to shop at Walmart. Like, Walmart is where you shop if you have no other options [laughs].

Joe Carrigan: Right. Right.

Dave Bittner: Either because, I mean to Walmart's defense, Walmart is very inexpensive.

Joe Carrigan: They are. And they do have good pricing.

Dave Bittner: Right.

Joe Carrigan: Some of the ways they achieve that may not be the most ethical.

Dave Bittner: So you get a lot for your money at Walmart.

Joe Carrigan: Yes.

Dave Bittner: But you know, it can also be -- to me, I have trouble with the chaos that is Walmart. It makes me anxious, being in a Walmart, because of how messy it is, and just the kind of activity that's going on there. The way it's organized is just not great for me. But you know, that's not to say I never shop there. But if I have the option of shopping elsewhere --

Joe Carrigan: I do.

Dave Bittner: I -- yes. Like, where you and I live, there's a Target nearby the Walmart. I go to the Target, and only if the Target does not have what I need will I then --

Joe Carrigan: Also, Amazon.

Dave Bittner: Right, right. Yes. You know. Yes, absolutely. Any way. This story starts out talking about someone named Christy Browne, who's a retired teacher in New York, who was deceived way back in February '22 by a scammer who was claiming to be from the FBI, and was telling her that drug traffickers were using her Social Security number. In a roundabout way, you know, the ways that we describe here all the time, she was directed to buy $2,000 in Walmart gift cards, and share the details, which was going to help the FBI crack the case. Of course, it turns out that it was a scammer.

Joe Carrigan: Of course.

Dave Bittner: And the scammer sold the gift card details to another scammer, someone named Qinbin Chen, who is a Chinese national who was living in Virginia, who then used those gift cards to buy other gift cards, which is interesting, right? So you got your Walmart gift cards. Then you turn around and you buy Apple gift cards, or any other brand. So now you've effectively laundered the money, because now you're two gift cards deep into this.

Joe Carrigan: Right. Yes, and there's probably no relationship between the gift card numbers.

Dave Bittner: Correct.

Joe Carrigan: So no traceable relationship. It's almost like cash.

Dave Bittner: Yes. Exactly. Exactly. So this person's operation, Mr. Chen's operation, which ultimately involves reselling the gift card to folks in China, because US gift cards are a hot commodity in China, because it's ways to get around some of the, you know, restrictions on money and surveillance and so on and so forth in China. This person laundered about $7 million.

Joe Carrigan: Seven million dollars? One guy laundering $7 million?

Dave Bittner: Yes. This article talks about how basically they had the equivalent of in-store money mules who would sit there and wait for the gift card numbers to come in, and then go and buy other gift cards, and they would use the automated kiosks to do it. You know, in other words --

Joe Carrigan: Probably the Walmart app as well.

Dave Bittner: Well, yes, they'd use the line at the store where there isn't someone checking you out.

Joe Carrigan: Right, yes. It's unsupervised.

Dave Bittner: Right. Exactly.

Joe Carrigan: So there's nobody to go, this is kind of funny.

Dave Bittner: Well, what's interesting about that to me is that I know a lot of stores you can't buy a gift card through the kiosk. You have to go through the line to do it. But evidently, that's not the case in Walmart, at least -- or at least it wasn't when this was all happening.

Joe Carrigan: Right.

Dave Bittner: The Department of Justice was on to this. In fact, they referred to the case as the Walmart Scheme.

Joe Carrigan: Ah.

Dave Bittner: And the DOJ has claimed that Walmart had insufficient anti-fraud measures, and they were resistant to stricter enforcement. And that helped facilitate this fraud. They -- the DOJ claims that Walmart had routed over a billion dollars in fraud losses in about a decade, between 2013 and 2022.

Joe Carrigan: Really?

Dave Bittner: Yes. And you know, Walmart makes -- this article points out that Walmart makes big money off of all of this. They get a cut of every gift card sold.

Joe Carrigan: Sure.

Dave Bittner: They get a cut of wire transfers, which is big business at Walmart. So they've made hundreds of thousands of dollars.

Joe Carrigan: Facilitating cybercrime, essentially.

Dave Bittner: Facilitating cybercrime, so the FTC alleges. In fact, they sued Walmart in 2022, alleging that Walmart had allowed these fraudsters to exploit their money transfer service. Walmart likes the financial services line of business. In fact, they bought an online banking platform in 2022. Ultimately, this person, Mr. Chen, he ran his scheme for five years, and he was arrested in 2021. He had a trial back in September and he was convicted on multiple charges. And he will be in prison for quite a while.

Joe Carrigan: Okay.

Dave Bittner: The original victim, Christy Browne, who we mentioned, she lost $2,000. Of course, beyond that there was the emotional distress of everything that she went through.

Joe Carrigan: Yes. Yes. I'd like to point out, if Christy Browne hears this, $2,000 is getting off pretty cheap in one of these scams.

Dave Bittner: Yes.

Joe Carrigan: I know it's a lot of money, and I don't mean to diminish it, but breathe a sigh of relief there. There are people who lose tens and hundreds of thousands of dollars to these kind of things.

Dave Bittner: Yes. Still.

Joe Carrigan: Still, $2,000 is nothing to sneeze at. If I lost $2,000, I'd be livid.

Dave Bittner: Yes.

Joe Carrigan: Again, we hear somebody coming forward and talking about it, which is great.

Dave Bittner: Yes.

Joe Carrigan: So thank you, Christy Browne, for that. That's courageous and I in no way -- and there are a lot of people who don't come forward and say that. They just go, well, I guess I'll take that as a lesson, and they go on. But by sitting here and telling your story, you make it public, and everybody else now knows about it.

Dave Bittner: Yes. This article points out that Walmart was -- I guess the way to describe it is being kind of two-faced in their --

Joe Carrigan: Duplicitous.

Dave Bittner: Duplicitous, thank you. That is a much more expensive word than the one I chose. [ Laughter ] Walmart in their public statements, they of course point out that they are trying to stop this sort of fraud. And also they point out that through their financial services that they have saved their customers millions and millions of dollars over the years. And I think there's something to that in that Walmart has these centers where you can do cash transfers and so on and so forth. There are Walmarts that have -- I think they call them Walmart Money Centers.

Joe Carrigan: Really?

Dave Bittner: Yes.

Joe Carrigan: You can, like, use Walmart like Western Union?

Dave Bittner: Exactly.

Joe Carrigan: Really?

Dave Bittner: Exactly. And they do it at a much lower cost than any of their competitors. And so Walmart will say that in doing that and providing a cheaper alternative for folks, that they are helping them and saving them lots of money, which is true.

Joe Carrigan: Yes.

Dave Bittner: But this article points out that behind the scenes, that Walmart has been very strident in their lobbying to try to stop efforts for protection against third-party criminal conduct, and also basically blaming the victims. It's saying that it's not Walmart's fault that these people are falling for fraudsters. That people should know better. And it's basically not Walmart's problem.

Joe Carrigan: Yes. Start fining them. Make it Walmart's problem. You know? I don't know.

Dave Bittner: So the bottom line here is, you know, there's some pretty deep systemic issues, and Walmart seems to be taking a kind of casual approach to it. Or at least, that's the case that this article makes, saying that they have inadequate employee training, and that they're loose with the compliance. You know, even the things that they said they would do with the FT -- for example, after their -- actually I think it was back in 2018 this article points out that Walmart made an agreement with the FTC, kind of -- they weren't ordered to do so, but they made an agreement that they would make it so that you could no longer buy gift cards with gift cards.

Joe Carrigan: Okay.

Dave Bittner: And had they done that, that would have stopped this entire --

Joe Carrigan: Right. This racket, this form of money laundering would not be possible.

Dave Bittner: That's correct.

Joe Carrigan: Right.

Dave Bittner: But Walmart didn't do that. They said they would, and they didn't. And so this article points out they've kind of been dragging their feet even with things that they said they would do. It's a long read, but there's lots of interesting details in here. So of course, we'll have a link to this story in the show notes. So do check it out. That is my story this week. Joe, what do you have for us?

Joe Carrigan: Dave, we're going back to cookware for me this week.

Dave Bittner: Oh, good [laughs].

Joe Carrigan: [laughs] Are you familiar with Le Creuset?

Dave Bittner: [adopts French accent] No, I am not.

Joe Carrigan: [adopts French accent] It is a French cookware, Dave.

Dave Bittner: Okay.

Joe Carrigan: And it is a very good cookware.

Dave Bittner: Okay.

Joe Carrigan: We have a number of these pots around. It is -- and it's, like, enameled cast iron --

Dave Bittner: Okay, sure.

Joe Carrigan: -- is what it is. And you can tell it is Le Creuset because that is embossed in the cast iron up top. This is good stuff.

Dave Bittner: Okay.

Joe Carrigan: It is not cheap, though.

Dave Bittner: Yes.

Joe Carrigan: And there is a young woman, apparently she is very famous. Perhaps you have heard of her? Her name is Taylor Swift. Do you know who that is?

Dave Bittner: Rings a bell.

Joe Carrigan: Rings a bell?

Dave Bittner: Yes.

Joe Carrigan: Okay. She's a very popular singer or something. I think she's dating a football player.

Dave Bittner: Yes.

Joe Carrigan: And of course, everybody knows who Taylor Swift is.

Dave Bittner: Popular with the kids [laughs].

Joe Carrigan: Yes, and the young adults, too.

Dave Bittner: Sure!

Joe Carrigan: Up to, like, 30-year-old women just --

Dave Bittner: They go gaga for Taylor Swift.

Joe Carrigan: They go gaga for Taylor Swift.

Dave Bittner: Yes.

Joe Carrigan: And I guess, Lady Gaga.

Dave Bittner: There you go. Even Lady Gaga goes gaga for Taylor Swift.

Joe Carrigan: Does she?

Dave Bittner: I don't know. I just made -- I like the pun. Go on.

Joe Carrigan: [laughs] Anyway, she also likes Le Creuset, because she gave it as a gift to a bridal shower to one of her fans she just showed up at. Somebody noticed that she has it in her house.

Dave Bittner: Okay.

Joe Carrigan: On some posting.

Dave Bittner: Yes?

Joe Carrigan: There's an article, New York Times, that we'll link to that talks about it that says that she is -- in the past has indicated that she likes somehow, Le Creuset.

Dave Bittner: Okay.

Joe Carrigan: Well, somebody decided they were going to build a fake ad that featured a fake Taylor Swift talking about a Le Creuset giveaway. It rhymes nicely. I didn't realize that because I'd written everything here. Didn't get the French pronunciation rhyming with the English. Anyway, it was a giveaway and this was deep faked, using samples from Taylor Swift's voice.

Dave Bittner: Yes.

Joe Carrigan: And then overlaid over a video. And in The New York Times video, there's a picture of the video, and I don't think the video looks like Taylor Swift.

Dave Bittner: Okay.

Joe Carrigan: It looks a little weird to me, but I'm not good with faces.

Dave Bittner: Okay.

Joe Carrigan: Like I've said before, I can't tell Kurt Russell and Patrick Swayze apart.

Dave Bittner: [laughs] Okay.

Joe Carrigan: So anyway. The ad was hey, I'm giving -- Le Creuset is doing this giveaway. Click here and you can get some free Le Creuset. Now there are like $250 pots, Dave.

Dave Bittner: Alright.

Joe Carrigan: And if you click on the ad, you were taken to a page, a webpage that said help us get these things to you, shipping is like 10 bucks.

Dave Bittner: Ah!

Joe Carrigan: Right? And you enter credit card information and you never get your $250 pot mailed to you.

Dave Bittner: [laughs] Right. Of course.

Joe Carrigan: Right? There have been a rather -- a number rather, of people who have been impersonated this way including Selena Gomez.

Dave Bittner: Okay.

Joe Carrigan: Who you and I are both big fans of.

Dave Bittner: Yes.

Joe Carrigan: Especially from Only Murders In The Building.

Dave Bittner: Yes, I do know who she is.

Joe Carrigan: Yes. Oprah Winfrey.

Dave Bittner: Personal friend of mine.

Joe Carrigan: Oprah Winfrey's a personal friend of yours?

Dave Bittner: Yes.

Joe Carrigan: Okay.

Dave Bittner: We worked together once.

Joe Carrigan: Did you?

Dave Bittner: Yes.

Joe Carrigan: She used to live here.

Dave Bittner: That's right.

Joe Carrigan: Yes.

Dave Bittner: Yes.

Joe Carrigan: And then Martha Stewart.

Dave Bittner: Okay.

Joe Carrigan: Now Martha Stewart, that's the first name in this list where I would put any credence in what these people said about cookware.

Dave Bittner: [laughs] Okay.

Joe Carrigan: Right?

Dave Bittner: Yes.

Joe Carrigan: Like if Taylor Swift said to me, you know what piano you should buy? I'd be like, tell me. Which piano should I buy?

Dave Bittner: Right.

Joe Carrigan: There's somebody I give her credence on.

Dave Bittner: Sure.

Joe Carrigan: Which microphone should you use for singing? Okay, good.

Dave Bittner: Yes.

Joe Carrigan: She also plays guitar. She's multitalented, right?

Dave Bittner: Sure.

Joe Carrigan: Selena Gomez, if -- I'd take acting advice from.

Dave Bittner: Yes.

Joe Carrigan: Right?

Dave Bittner: Also a musician in her own right.

Joe Carrigan: Yes. I mean, kind of like a produced musician, you know? Anyway. Oprah Winfrey, I don't know what I would take as advice from Oprah Winfrey, but certainly not cooking advice. I don't think that Taylor Swift, Oprah Winfrey, or Selena Gomez ate a lot of their own meals over the last couple of years.

Dave Bittner: Not lately. No, probably not.

Joe Carrigan: Right.

Dave Bittner: Yes.

Joe Carrigan: Martha Stewart at least, I would trust that advice.

Dave Bittner: Okay.

Joe Carrigan: But this got me thinking about what do you do to defend yourself against this? And maybe this is the old curmudgeon, grumpy old Joe, kind of thing.

Dave Bittner: Yes?

Joe Carrigan: But don't worship these celebrities. Any of them. Right? Don't be so enthralled with them that when you see an ad for whatever it is they're selling, that you're just like, ooh! This is somebody I like. I wonder what they like.

Dave Bittner: Yes.

Joe Carrigan: If you like anybody -- there are people I like.

Dave Bittner: Yes?

Joe Carrigan: Like, take for example, Dave Lombardo, one of the best drummers, I think, ever in heavy metal.

Dave Bittner: Okay.

Joe Carrigan: I would listen to anything he had to say about drumming.

Dave Bittner: Yes?

Joe Carrigan: Right? That would be the end of it. If he'd want to tell me about pots and pans, I wouldn't care.

Dave Bittner: But what if there was some crossover with something that he and you both had in common? So let's say he said, I don't know, here's a particular brand of whiskey or a bottle of wine, or you know, something like that?

Joe Carrigan: I'll give you the perfect example of that.

Dave Bittner: Yes?

Joe Carrigan: Ryan Reynolds.

Dave Bittner: Okay.

Joe Carrigan: Who I enjoy a lot of his movies.

Dave Bittner: Yes.

Joe Carrigan: I think he's very funny.

Dave Bittner: Okay.

Joe Carrigan: He has a gin that he is an owner of.

Dave Bittner: Okay.

Joe Carrigan: Aviator Gin.

Dave Bittner: Right.

Joe Carrigan: Never tried it.

Dave Bittner: Okay.

Joe Carrigan: You know why? Because it's gin, Number 1. I don't like gins.

Dave Bittner: You don't like drinking a pine tree?

Joe Carrigan: No, I don't. [ Laughter ]

Dave Bittner: I actually do like gin, but I get where you're coming from.

Joe Carrigan: Have you ever tried Aviator Gin?

Dave Bittner: No.

Joe Carrigan: No! Would you try Aviator Gin because Ryan Reynolds recommended it?

Dave Bittner: No.

Joe Carrigan: No. Me neither! [ Laughter ] Me neither! I wouldn't try it.

Dave Bittner: I'm trying to think of any examples in my life of when a celebrity's endorsement has swayed me to purchase anything. I can't think of anything.

Joe Carrigan: Yes.

Dave Bittner: I don't know.

Joe Carrigan: I've tried to think about this a lot. The only thing I can think of is exactly the example I gave earlier with musical instruments, because I used to read, like, Guitar Player magazine and all that.

Dave Bittner: Sure, yes.

Joe Carrigan: You know, here's Joe Satriani. What does he play? This is what Kirk Hammett played. Here's what Kerry King likes to play. And all those things would be -- Slash. Slash was another guy. He liked Gibson guitars, right?

Dave Bittner: Yes.

Joe Carrigan: So but those are -- that's the tools of their trade, right? You know, like my dad and actually me, all of us in my family, we all have these mechanical pencils that we love, because my dad was an accountant, and everybody -- like, my kids and I are either an accountant or engineers. We all love these mechanical pencils.

Dave Bittner: Okay.

Joe Carrigan: So I would take our advice on mechanical pencils before I took anybody else's advice over mechanical pencils. And this is now getting really -- the point of this just being silly, embarrassing [laughs].

Dave Bittner: It's okay [laughs].

Joe Carrigan: The celebrity worship; you can't -- these people are good at what they do, right?

Dave Bittner: Yes.

Joe Carrigan: These people are good -- like, Oprah Winfrey and bring people together and put together an entertaining show.

Dave Bittner: Right!

Joe Carrigan: Taylor Swift, a very good performer, beloved by many people. Selena Gomez, a pretty good actor, musician as you mentioned. That's their job. Their job isn't whatever celebrity product -- whatever product they're endorsing. I just never caught on with that idea of celebrity endorsements of products.

Dave Bittner: No, but it seems to work.

Joe Carrigan: It does seem to work.

Dave Bittner: As long as there's been advertising [laughs] and there's been celebrities, there's been celebrity endorsements. So.

Joe Carrigan: All the way back to the days of cigarettes.

Dave Bittner: Yes.

Joe Carrigan: I'm Clark Gable, and I really like these cigarettes.

Dave Bittner: Right, right. Nine out of 10 doctors recommend Lucky Strikes.

Joe Carrigan: Right [laughs].

Dave Bittner: Yes. So it's effective. But I mean, your point is a good one.

Joe Carrigan: Right.

Dave Bittner: That you're -- you shouldn't let your being enamored with a celebrity short-circuit your critical thinking about any sort of product.

Joe Carrigan: Right.

Dave Bittner: Yes.

Joe Carrigan: Now that being said, trust me when I say these pots and pans from Le Creuset are very good. I'm not being paid. [ Laughter ]

Dave Bittner: That's Joe Carrigan's celebrity endorsement.

Joe Carrigan: Right? [ Laughter ]

Dave Bittner: It's the "Hacking Humans" stamp of approval on fine French cookware. That's exactly -- boy, that is so in our lane.

Joe Carrigan: Right [laughs].

Dave Bittner: Yes [laughs].

Joe Carrigan: I would say, if you're going to do that, try it yourself. But the other thing I tell you is, remember, nothing's free. Right? You're not going to log into a website and miraculously get awarded a $250 item.

Dave Bittner: Right.

Joe Carrigan: Right? Let alone something that's going to cost you way more than $10 to ship to you. These things are heavy. They are heavy pots and pans.

Dave Bittner: Yes. But you know what strikes me about this is, what's really smart on the scammers' part is that a $10 fee --

Joe Carrigan: Right.

Dave Bittner: -- is not a lot.

Joe Carrigan: Yes.

Dave Bittner: And so, the victim of this, I bet a lot of people were like, you know what? I'll roll the dice.

Joe Carrigan: Right.

Dave Bittner: This is probably a scam, but what if it isn't?

Joe Carrigan: Right.

Dave Bittner: Then I'll get a 250 --

Joe Carrigan: I mean, Taylor Swift's behind it.

Dave Bittner: Yes! I'll get a -- no, I'll get a $250 pot for $10.

Joe Carrigan: And if not, I'm out 10 bucks.

Dave Bittner: And I'm out 10 bucks. And also the odds of them reporting it are very low.

Joe Carrigan: Very low. Because it's so --

Dave Bittner: Little bit of money.

Joe Carrigan: Yes.

Dave Bittner: Yes. So I think there's some deliberate and craftiness on the part of the scammers here.

Joe Carrigan: I think so.

Dave Bittner: Yes.

Joe Carrigan: The article from The New York Times -- it's a Dr. Lyu from the University of Buffalo saying these AI-generated voices are getting much easier to generate. The AI lip sync is getting much easier to come across, and that these things are just going to happen more and more frequently.

Dave Bittner: Yes.

Joe Carrigan: These scams are coming. They're already here, obviously.

Dave Bittner: [laughs] Right, right.

Joe Carrigan: But they're only going to grow in number.

Dave Bittner: Yes.

Joe Carrigan: So you remember the Keanu Reeves t-shirt scam? Where it's Keanu Reeves holding up something and everybody Photoshopped out whatever he's holding and put up t-shirts?

Dave Bittner: No, I don't remember that.

Joe Carrigan: Oh. I thought we talked about it on this show. Maybe we didn't. Maybe I'm --

Dave Bittner: Well, it's also quite possible I have a terrible memory, so [laughs].

Joe Carrigan: It is possible.

Dave Bittner: In fact, count on it.

Joe Carrigan: Well, this is that on steroids.

Dave Bittner: Yes.

Joe Carrigan: You know? Now they're just making fake videos of popular people talking about giving away expensive pots.

Dave Bittner: That's another annoyance I have with Facebook, by the way.

Joe Carrigan: Oh yes. That's -- you know what Dave? Very good that you mentioned that, because these ads ran, of course, on all of Meta's platforms. And I forgot -- glossed over this sentence here in the show notes that we have, but dozens of separate similar Le Creuset scam ads featuring Taylor Swift, many of them posted this month, were still visible as of late last week on Meta's public ad library.

Dave Bittner: Yes.

Joe Carrigan: So Meta has done nothing about it.

Dave Bittner: Yes.

Joe Carrigan: So there's my jab at Meta for the week.

Dave Bittner: The thing I've been thinking of here that is an annoyance on Facebook is you will see some sort of wise quote, right?

Joe Carrigan: Right.

Dave Bittner: And that wise quote will be superimposed over the image of some celebrity.

Joe Carrigan: Yes.

Dave Bittner: The celebrity didn't say that.

Joe Carrigan: Right.

Dave Bittner: It has nothing to do with the celebrity.

Joe Carrigan: Well, you know what Abraham Lincoln said, Dave. Don't believe anything you read on the internet.

Dave Bittner: That's true. I saw that on the internet, so I know it's true. Alright, Joe. It's time to move on to our "Catch of the Day." [ SOUNDBITE OF REELING IN FISHING LINE ] [ Music ]

Joe Carrigan: Dave, our "Catch of the Day" comes from me.

Dave Bittner: Uh-oh.

Joe Carrigan: This arrived in my inbox this week.

Dave Bittner: [laughs] Okay.

Joe Carrigan: And I'm going to let you guess right off the bat how I know this was a scam.

Dave Bittner: Well, because this is a notice about your iCloud account.

Joe Carrigan: That's right, Dave.

Dave Bittner: Internationally known Apple device user that you are.

Joe Carrigan: [laughs] Right. I don't own any Apple devices.

Dave Bittner: [laughs] Okay. Yes. So want me to read this?

Joe Carrigan: Yes!

Dave Bittner: Okay, well it starts off, there's the iCloud logo at the top of the email. Below that, there's an Apple logo, and then a bunch of invoice IDs and dates and things like that. But it says, you've reached your iCloud Drive storage limit. Hello, your iCloud storage will soon be full. Apple is giving away 50 gigabytes of storage space for free, because the entire available storage space has been exhausted. What does that mean? It's nonsensical.

Joe Carrigan: It's very tired. It's lying down. It's had a rough day. All my storage space is tired of carrying around all my pictures.

Dave Bittner: Click on the link below to benefit from the offer. Offer valid today only.

Joe Carrigan: Ooh! Artificial time constraint.

Dave Bittner: Your Apple iCloud team. Get up to 50 gigabytes.

Joe Carrigan: Right.

Dave Bittner: Now when did this come to you, Joe?

Joe Carrigan: Last week.

Dave Bittner: Okay.

Joe Carrigan: Last week.

Dave Bittner: Alright. So 2023. Copyright 2023.

Joe Carrigan: Yes, well it came in 2024.

Dave Bittner: Hmm.

Joe Carrigan: Hmm. So down at the bottom here, it says to stop these, please go here.

Dave Bittner: Yes.

Joe Carrigan: And here is a link.

Dave Bittner: Okay.

Joe Carrigan: And I didn't click on that link. I didn't even mouse over it to see what it was, but interesting, it also says write to this address, which is in Valley Cottage, New York. Upstate New York, I guess? Or Valley -- I don't know where Valley Cottage is. But I did look at Google Maps. This address, and StreetView.

Dave Bittner: [laughs] Is it like a [laughs] -- I'm just picturing a lonely rest stop by the side of the road or something [laughs].

Joe Carrigan: You're not far off.

Dave Bittner: Okay. Come on.

Joe Carrigan: You know all the -- we live in Columbia, you know all the one-level industrial commercial spaces we have around here?

Dave Bittner: Oh yes, brick-on-block.

Joe Carrigan: Yes.

Dave Bittner: Brick-on-block commercial office space, sure.

Joe Carrigan: Brick-on-block commercial office space is what it is. One of those suites in here is a trampoline place, you know?

Dave Bittner: Yes.

Joe Carrigan: What do they call them around here, that they have? I don't know.

Dave Bittner: The bouncy houses and things.

Joe Carrigan: Bouncy houses, right.

Dave Bittner: Sure. Yes.

Joe Carrigan: One of them is a medical supply company.

Dave Bittner: Okay.

Joe Carrigan: I don't know which one of these this is. I'm wondering if -- why this address was even in here. This might just be me going down a rabbit hole that has no meaning or anything.

Dave Bittner: Right.

Joe Carrigan: Highly possible.

Dave Bittner: Yes.

Joe Carrigan: Especially with the way I think about things. But I was fascinated by that.

Dave Bittner: Yes, that is interesting.

Joe Carrigan: I wonder if there's somebody at this address that's part of this scam.

Dave Bittner: Right, and what happens if you write them [laughs]? Oh you got us! Boys, shut it down.

Joe Carrigan: [laughs] right, we got to write these guys a letter.

Dave Bittner: We got a postcard from Joe! The jig is up! [ Laughter ]

Joe Carrigan: Maybe I'll do the old Mark Twain thing, where I send them a letter and go, they know everything. Run!

Dave Bittner: Ah. There you go. Yes. Alright, well we would love to hear from you if you have something you'd like us to consider for our "Catch of the Day," you can email us. Again it's hackinghumans@n2k.com. [ Music ] Joe, I recently had the pleasure of speaking with Abhilash Garimella. He is the head of research at Bolster. And we are talking about a phishing campaign targeting customers of the US Postal Service. Here's our conversation.

Abhilash Garimella: The holiday season, so we have usually observed a high volume of phishing and scams that happen during the holiday season throughout, I mean, it's been through 2021, 2022, 2023. And we have seen a consistent rise through each of these, you know, US and [inaudible 00:34:38] has always been up. And that's the reason we started diving deep into these. So our research has actually stemmed out of research we worked on prior to this one, which is finding out that a lot of retail brands out there are being impersonated. We identified a, where hundreds of brands which had phishing kits deployed across multiple geographies. And that's what led -- interesting to why we should be delving into delivery scams, because there should always be a second part to the online retail scams, which is if the attackers can't get you with fake online data, they just do want to get you with these [inaudible 00:35:13] pages.

Dave Bittner: Well, let's talk about the scam itself. I mean, suppose that I'm a consumer out there, and I'm doing my own thing, minding my own business, how would these folks try to draw me into this scam?

Abhilash Garimella: Awesome. So the USPS or you know, the major delivery scams that we have seen, they usually have three phases of attack. The first one is the set-up phase, right? I mean, the attacker either purchases [inaudible 00:35:39] domain which is a common misspelling, and they try to make it look legitimate. It could be that one of the domains that we observed was an attacker purchased walmarts.co, Walmart with an "s" at the end. And then they started hosting it on one of the free hosting providers or these freemium SaaS hosting providers. Or they could simply start using the web free. And once the attack is actually set up, the second part of the attack is the medium of distribution. The attack is distributed by your SMS, your messaging service, or the email. These days they're also using WhatsApp, Signal, Telegram. You know, anything that they can get their hands on, a list of your data. But what usually happens is that the target or the potential victim receives a message that is a fake alerting, or a fake alert about a package delivery that failed. The attacker will either state an incorrect address or a missing address as the reason for the package delivery failure. And each of these messages usually comes with a link embedded in them. And this link will redirect the user to the original phishing page. And those phishing pages will discuss how they set it up, they can either set it up on a [inaudible 00:36:50] domain, or they -- most of these they want the senior subdomains of freemium SaaS providers. And the moment these guys migrated to start using freemium SaaS providers, suppose I sign up on one of these providers, and they give me one month of free hosting, I can start doing it at a larger scale. I can start creating these fake accounts and start just blasting out on the internet. 
And the third piece of the attack of course, is that once -- as a target, if I receive a text message during the holiday season saying that my delivery failed, I am most probably going to go out and click on that and take a look at it, or at least take a peek at it. And the moment I go there, the page -- what we have seen is a level of sophistication that has increased throughout the years. In the past, these web pages used to be just starting web pages. But users say hey, you know what? Your delivery failed, why don't you sign in? These days the attackers have actually built JavaScript into these web pages, which tries to identify your IP location. The moment they get your IP address, they're getting your residential -- an approximation of your residential location, and so if they are based out of San Francisco, the delivery scam would say, you know what? Your delivery has been held in a warehouse near San Francisco, and it's being held in this ZIP code. You know, in order to retrieve your package, you need to provide us with the following information, where they're asking for your delivery address, they're asking for your personal information, your credit card information, and at this point, I mean if it actually goes through with the scam, at that point the attacker has everything about you.

Dave Bittner: Well, give us an idea of the scale of these campaigns that you're observing here.

Abhilash Garimella: So last month, when the [inaudible 00:38:33] research was being published, we found about 3,000 unique phishing domains that were hosting this scam. And that is just on the rise. I think when we last corroborated this a couple of days ago, it was over 6,000 phishing domains that were hosting here.

Dave Bittner: Wow. I mean, I guess I hadn't considered how much more successful a campaign like this can be at the holidays, when people have so many things being delivered from so many different places. It's hard to keep track of, and I can imagine it makes it that much easier to fool folks.

Abhilash Garimella: Oh, absolutely. So at this point, it's -- there is a whole attack cycle. So at this point, there are so many digital landmines for a consumer to purchase anything online and get it delivered successfully. I mean attackers will try to target you with fake ads on Instagram and Facebook where they're like, hey, you know? You can get Ray-Ban glasses for 30 bucks or Nike shoes for $15. And if you miss those -- I mean, if as a consumer, you're savvy enough and okay, this is fake, and I'm not going to [inaudible 00:39:36]. They're trying to get you with these phishing pages. Fake online phishing pages, where it's giving a heavy discount. If they missed you with the phishing pages, they're trying to get you with these delivery scams. And if they miss you with the delivery scams, and you're savvy enough to avoid all this, there are people who are stealing packages off your porches. So it's -- it's sort of all these digital landmines that have been built around. It's really difficult for a consumer to navigate through.

Dave Bittner: Yes. What are your recommendations? I mean, how should folks best protect themselves here?

Abhilash Garimella: The best way to do it is as a consumer, there are two ways I would usually suggest protection. One of them is the consumer itself, and the other one is from a brand perspective. As a consumer, I mean two parts, right? So if I see a heavy discounted retail store, then I don't go click on it, or if I see a free gift card that is floating out there, I do not go ahead and enter my details into it. Because most of the time, they come out to be fake. And the delivery scams themselves, I would suggest the attackers [inaudible 00:40:38] and bring their details on. USPS.com is the only known or identified domain that USPS actually uses to tell you what packages inside the US. And if you're seeing some -- I mean maybe you're seeing walmarts.co, which has a USPS page or let's say USPSS.com, where the attackers are trying to confuse the targets with common misspellings. That is something we need to be -- the consumers need to be careful about.

Dave Bittner: And you know, are there any systems that folks can use, any automation that they can take advantage of? Is this the kind of problem that if somebody's really concerned about it, that they can throw a little bit of money at?

Abhilash Garimella: Oh, absolutely. I think from a -- they need not actually throw money at it. From a consumer perspective there are multiple tools that can do it for free. For example, we have a -- Bolster actually has a free community model, which is called checkphish.ai. If you have a suspicious link, you can just go scan it in there to see whether that's a legitimate site or if that is a fake website. Right? If you see USPSS.com, and you are like, is this a real package or is that a phishing page? You just scan it and we're going to tell you for free whether that is a phishing page or not. But from -- when it comes to a brand perspective, as a brand, if you're trying to protect your consumers, you know, as USPS is, or as the Nikes and Adidas and Superdrys of the world, if you're trying to protect your consumers, then definitely we would, they would need to build automation to start protecting these, or go work with a vendor who has the ability to protect these. [ Music ]

Dave Bittner: Joe, what do you think?

Joe Carrigan: Constant increase in these phishing campaigns, year over year, for the past three years.

Dave Bittner: Yes.

Joe Carrigan: It's interesting. Impersonation is key to these scams.

Dave Bittner: Yes.

Joe Carrigan: As Abhilash says. Abhilash gives a good breakdown of the process here. First they register a domain, then they send out messages, and then they get the money.

Dave Bittner: Yes.

Joe Carrigan: You know, it's a typical scam that we hear about a lot. He talks about the domain squatting, the typosquatting, or using these freemium sites that offer one free month. This is a similar business model -- a lot of sites offer this, but it really enables these scammers to get a month of free scamming, you know? At little to no cost.

Dave Bittner: Yes.

Joe Carrigan: Probably they use a stolen credit card. It may not even be valid, right?

Dave Bittner: Right, right.

Joe Carrigan: It just has to pass whatever algorithmic check the software has in it.

Dave Bittner: Sure.

Joe Carrigan: Abhilash talks about the method of delivery, these scam text messages, some of them have started coming in on Signal and on Telegram. I got to tell you, Dave, if I got messages from any government agency on Signal or Telegram, I'd be very suspicious. Even one as benign as the US Postal Service.

Dave Bittner: Yes?

Joe Carrigan: I'm actually a big fan of the Postal Service. They're -- I think they do a good job.

Dave Bittner: Yes.

Joe Carrigan: But if they sent me a text message on Signal, I'd be like, wait a minute. That doesn't -- first off, that doesn't make sense.

Dave Bittner: Right.

Joe Carrigan: Second off, I don't know that I want my government sending me messages on Signal.

Dave Bittner: Okay.

Joe Carrigan: I don't know that I want that.

Dave Bittner: Yes.

Joe Carrigan: That was a pretty good observation about how these phishing pages have gotten so advanced that they now have JavaScript on the backend that resolves your IP address, and does a geo lookup, and then they start making the next page of the scam, on the website, more applicable to you by knowing your geography. Or at least having a good chance at knowing your geography.

Dave Bittner: Right.

Joe Carrigan: There's a good chance that the information they get is wrong, right? Like if you're using a VPN and you're coming out of Seattle, and you live in Maryland, and they say it's -- you know, we have this package at the Tacoma warehouse.

Dave Bittner: Right.

Joe Carrigan: Right? You're like, Tacoma, Washington? That doesn't make any sense. Why are you telling me about this?

Dave Bittner: Right.

Joe Carrigan: But if you're not doing that, it's fairly trivial and accurate a lot of the time, so it lends credence to this.

Dave Bittner: Sure.

Joe Carrigan: To this scam. Online shopping is a goldmine for these. And Abhilash points that out. You know, first they try to get you with the fake sites. If they can't get you with the fake sites, they get you with the missed delivery scam. And finally if they can't get you with that, they just steal whatever it is off your porch, right? There's opportunity for crime all the way in -- at every step of the way in this process.

Dave Bittner: Right.

Joe Carrigan: You know? Fortunately for me, it works almost every time. I don't know that I've ever had anything stolen off my porch.

Dave Bittner: Yes.

Joe Carrigan: But I have had malicious Google ads redirect me, and I've talked about that on the show. Redirect me to the wrong site, and victimize me that way. I hate -- oh, I'm still angry about that, Dave. Still angry and embarrassed about it. You know, I tell people thank you for telling your story, so I'm going to tell my story.

Dave Bittner: Yes, yes.

Joe Carrigan: I like that there are sites that you can scan the URL. Bolster has one. VirusTotal has one. There are a number of them out there. I think you mentioned one time that was like a complete URL detonation service.

Dave Bittner: Right [laughs] right. Yes, I don't remember which one that was.

Joe Carrigan: I can't remember either.

Dave Bittner: There are lots of those things out there.

Joe Carrigan: There are.

Dave Bittner: And there are good ones you can use.

Joe Carrigan: Yes. So you know, go ahead and use one of them. And if you are a business, take protection of your customers seriously, and your customers' data seriously. You know, make sure your customers know the communication channels you're going to send across. Make sure they're clear that you're not going to send them a message on Signal or Telegram. Or you're only going to send an email to a specific email address. I will say this, Dave. Recently I've been getting delivery confirmation emails from UPS when I order something from Amazon.

Dave Bittner: Okay.

Joe Carrigan: And they're accurate. They're not saying, your shipment's been delayed. They're saying your shipment will be there tomorrow.

Dave Bittner: Okay.

Joe Carrigan: Here's the tracking number.

Dave Bittner: Alright.

Joe Carrigan: And I'm like, well, that's my order. But how did UPS get my email address? I guess Amazon gave it to them?

Dave Bittner: Sure.

Joe Carrigan: So -- but, I don't know. That's kind of an unexpected communication channel for me. So I'm immediately suspicious of it.

Dave Bittner: Yes.

Joe Carrigan: So if I got one of those emails, even if it was legitimate, from UPS going we can't deliver this, I'd go, oh this is a scam.

Dave Bittner: Yes.

Joe Carrigan: But I don't know if UPS does that. And in fact, if they do do that, then what happens is, it just goes back to Amazon and I take it up with Amazon. That's the process.

Dave Bittner: Right. Right. Alright. Well, our thanks to Abhilash Garimella for joining us. Again, he is the head of research at Bolster, and we do appreciate him taking the time. [ Music ] That is our show. We want to thank all of you for listening. A quick reminder that N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. Make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Elliot Pelzman. Our executive producers are Jennifer Iban and Brandon Karpf. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening. [ Music ]