Hacking Humans 2.8.24
Ep 276 | 2.8.24

Scamming just isn't what it used to be.

Transcript

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hi, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We got some good stories to share this week. And we are joined once again by our N2K colleague and host of the "T-Minus Daily Space" podcast, Maria Varmazis. Maria!

Maria Varmazis: Hi. Good to be here.

Dave Bittner: It's great to have you back. We will have our stories after a word from our sponsor. [ Music ] All right, Joe. So before we jump into our stories here with our very special guest, Maria --

Joe Carrigan: Mm-hmm.

Dave Bittner: -- we've got a good bit of follow-up here today.

Joe Carrigan: We do.

Dave Bittner: You want to start things off for us?

Joe Carrigan: A significant amount. Yes, Dave. All of our follow-up today is anonymous. And the first one reads, "Hi, guys. I'm in recovery from addiction, but from a time -- or for a time, more than five years ago, I was around and involved with the underbelly of society. Listening to one of your recent episodes about the gift card scams, you had a listener write in that she had gotten her balance stolen from the gift card before they actually tried to use it. I know people who would shoplift the gift cards off the rack and bring them back home and then scratch off the scratch off, that little part under -- "

Dave Bittner: The silver part.

Joe Carrigan: -- the silver part --

Maria Varmazis: Oh yeah, the fun part. Yeah.

Joe Carrigan: Right. Exactly. " -- and then get the numbers. I know at the time, taking gift cards off the rack was pretty low stakes since they don't have any value associated with them. So they weren't being monitored by any kind of security protocols. Then they would actually order off eBay a roll of the scratch-off stickers."

Dave Bittner: Oh, the silver stuff.

Joe Carrigan: This is the part we were missing, Dave. I didn't know you could just buy a roll of that stuff.

Dave Bittner: Who knew?

Maria Varmazis: eBay has got everything. Yeah. Geez.

Joe Carrigan: "So they would then roll that, reapply it, the scratch-off sticker over the numbers, and bring it back to the store and pretty much reverse steal the gift cards onto the shelves."

Dave Bittner: Yeah.

Joe Carrigan: "Then they would track those serial numbers on a website called Gift Card Granny." I don't know why it's called Gift Card Granny. Maybe because your grandmother always gives you gift cards.

Dave Bittner: That's good enough for me.

Maria Varmazis: Sure.

Joe Carrigan: "And when the balance showed up, they would do something on that website to either buy other gift cards or cash them out for some percentage on the dollar." I think it's like 80 cents per the dollar that you get.

Dave Bittner: Okay.

Joe Carrigan: So like if your grandmother says, well, I know he likes to eat. Here's an Olive Garden gift card for 100 bucks.

Dave Bittner: Right.

Joe Carrigan: You go, I'm never going to use this. I'm going to go get 80 bucks out of this, and somebody gets 20 of Nana's dollars.

Dave Bittner: Okay.

Joe Carrigan: Right? So, okay. He's not sure about many more details about how it worked. But that's pretty much how the front end of the scam worked.

Dave Bittner: Okay. So this pretty much confirms our suspicions about, you know, people stealing the cards, getting the numbers, and putting them back. But you're right. We were missing that -- We're missing the availability, the easy availability of that silver scratch-off part. That's interesting.

Joe Carrigan: Right. Yeah. You can just put that back on the gift card. And it goes back on the shelf, and no one is any the wiser.

Dave Bittner: Yeah. That's interesting. I wonder if grocery stores and places that sell gift cards if they've upped their game when it comes to monitoring the gift card rack or not. I don't know.

Joe Carrigan: That's a good question. You know what? Next time I go to the store, I'm going to make a point of looking at the gift card rack and see what's going on there.

Dave Bittner: Maybe that suspicious guy lurking around the gift card rack.

Joe Carrigan: I'm the suspicious guy whenever I walk into a grocery store.

Dave Bittner: Sir, can we help you? [Laughing]

Joe Carrigan: Security starts following me.

Dave Bittner: Right, exactly.

Joe Carrigan: This guy is going to steal something.

Dave Bittner: Yeah.

Joe Carrigan: I don't look like that at all. I mean, I just walk in, schlub around the place, get angry, and walk out. That's usually how it goes for me.

Dave Bittner: Walking out without purchasing anything.

Joe Carrigan: Yeah.

Dave Bittner: Right. Okay.

Maria Varmazis: The lack of gift cards.

Joe Carrigan: Right.

Dave Bittner: Yeah. All right. Well, we've got some more feedback here. Someone writes in and says, "Hey, guys. First, wow, Joe, I would never have placed you as a metalhead. I tend to favor that genre of music but do listen to pretty much anything that has a good beat and talent." Anyway, I want to talk --

Joe Carrigan: So we were talking a couple of weeks ago about expert testimony from musicians.

Dave Bittner: Right.

Joe Carrigan: And I mentioned Dave Lombardo. And --

Dave Bittner: Yes.

Joe Carrigan: Yes.

Dave Bittner: Yes. For folks who are -- longtime listeners will know that Joe is quite the metalhead.

Joe Carrigan: Yes.

Dave Bittner: Going from, you know, back in the day when he had a full collection of heavy metal T-shirts that still fit him. [Laughing]

Joe Carrigan: You didn't even know me, and we've never talked about this. They don't still fit me. I don't even have them anymore.

Dave Bittner: That's right.

Joe Carrigan: I actually ran a heavy metal show on the radio.

Dave Bittner: Yeah.

Joe Carrigan: For my college.

Dave Bittner: That's right.

Maria Varmazis: Oh, that's awesome. That's great.

Dave Bittner: Mm-hmm. So this listener goes on and says, "Anyway, I want to touch on a subject that you have mentioned a few times recently. A couple episodes ago, you mentioned how the spammers are using easy-to-use services that offer free trials and such. I believe you mentioned Azure in this. Well, funny thing after that episode, I noticed I started getting a few spam messages sent from, you guessed it, on Microsoft.com. They always contain a couple of images only and no text in the body. The subject is usually something like, please verify or that I've won a Harbor Freight, Makita, or Ryobi something. Most get caught by spam filters, but a few have actually made it through." This person goes on and says, "On a scammer's note, you all mentioned Andy Cohen going public about how he got scammed. This story actually reminds me of Wells Fargo. I have noticed that when I go in, they verify my accounts by sending me a text message to my cell. In our everyday lives, we are told not to give these pins out if asked for them. But Wells Fargo is using this as a way to identify you. I find this strangely wrong."

Joe Carrigan: Okay. So this is actually part of the Wells Fargo multi-factor authentication on their website.

Dave Bittner: Okay.

Joe Carrigan: And what they're doing is you have to register a phone with them. And when you log in, they say we're going to send you a text message.

Dave Bittner: Yeah.

Joe Carrigan: And this is the SMS method of multi-factor authentication.

Dave Bittner: Yeah.

Joe Carrigan: You know, you think of multi-factor authentication as something you know and something you have or something you are. When you take two of those things, and those are the multi-factors. So you know your username and password. You have your phone --

Dave Bittner: Right.

Joe Carrigan: -- to verify it. And yes, for all the -- all the aficionados of multi-factor authentication, SMS is the worst kind of multi-factor authentication. But it is a lot better than nothing.

Dave Bittner: Right.

Joe Carrigan: A whole lot better. Like -- But never mind. But yes, this is normal. Now, so here's the -- here's the workflow. You are on the website, and you're logging in.

Dave Bittner: Mm-hmm.

Joe Carrigan: And you enter your username and password. It says we're going to send you a code. You say send me the code. You get the code, and then it says, what's the code? You enter the code. That's a normal workflow, right?

Dave Bittner: Yeah.

Joe Carrigan: Another normal workflow that I've actually seen from Comcast and T-Mobile is I call into these services. And they say we're going to send you a code to verify it's you. Now, I've called into the service, so I know who it is I'm talking to.

Dave Bittner: Mm-hmm.

Joe Carrigan: And then they send me a code, so I give it to them. But on the inbound call, when you get the call, then you get the text number. Don't give that number back.

Maria Varmazis: Yeah.

Joe Carrigan: Because that's how the scam works. I know this seems like really convoluted like and very nuanced. But if somebody calls you and says, hey, I need to verify your identity, you really need to verify their identity.

Dave Bittner: Right.

Maria Varmazis: Yeah.

Joe Carrigan: That's what needs to happen. And the only way to do that is by calling the known good number.

Dave Bittner: Yeah.

Maria Varmazis: Yeah, that distinction is really important, which direction it's going. Right after we did that story, I think three days later, a friend of mine contacted me that they had just gotten affected by that scam. And it was how I found out that our local credit union had been breached because, apparently, almost all of the customers were getting this same phone call directly. They had enough PII to sound credible that it could be from our credit union. And so they presented themselves as, you know, from the bank and said, we're going to send you a bunch of text messages to make sure you are who we think you are.

Joe Carrigan: Right.

Maria Varmazis: And our credit union didn't have that little message in the SMS thing saying, we will never call you and ask you for this number.

Joe Carrigan: Right.

Maria Varmazis: Which I've noticed that a lot of bigger places will make sure to include that. But not everybody's got that, which seems like a nice thing to have.

Joe Carrigan: It should be part of the workflow, I think.

Maria Varmazis: It really should.

Dave Bittner: This person goes on and says, "My PII has been part of many data breaches."

Joe Carrigan: Join the club.

Dave Bittner: "Do you -- " Right. Exactly. "Do you all have any ideas on what anyone can do to protect themselves from these kinds of breaches? Many of the security and monitoring services like LifeLock and Incogni and so on seem like a money grab. But these services can be late on delivering news of a breach. My big thing is that I have a special needs child who is not going to be able to be as active on maintaining any kind of data protection if anything happens to me or their siblings. Their PII has also been breached with mine multiple times. I've frozen all of my family's social security numbers, but that only really protects credit."

Joe Carrigan: Yeah. So freezing your credit is a great way to go at all three of the major credit agencies.

Dave Bittner: Yeah.

Joe Carrigan: That's really your biggest risk. Somebody opening a line of credit in your name or your child's name is going to be a huge headache. So also, the other thing I would say is if you have identity theft insurance available at your employer, I'd definitely look into getting some of that. There are a couple of things I want to say. Number one, assume that your data has been breached. Never give out information again on the inbound calls. Just, say, hang up. I'll call you back. Or say -- I guess you have to say that first and then hang up. And remember, if someone does commit fraud and opens an account in your name or your child's name, don't ever agree that you owe that money. That is -- You are a victim just like the bank is a victim. And don't let this bank -- They're going to try to, I've seen situations where they try to push somebody to say, you know, you just got to admit that you owe this debt. And once you do that, it's all over. You know, they might be able to win a court case. At least, that's what I understand. Again, not a lawyer.

Dave Bittner: Yeah. Well, just this week, we saw -- we reported over on the CyberWire that the state of New York is suing Citibank. And one of the things that they're upset about is that Citibank was saying that they have no responsibility if someone follows the instructions of a criminal.

Joe Carrigan: Mm-hmm.

Dave Bittner: So they're going to duke it out over that.

Joe Carrigan: Yeah. I'd like to see how that turns out. I hope it doesn't turn out well for Citibank.

Dave Bittner: Yeah.

Joe Carrigan: And finally, I'd like to say, you know, I don't know exactly what the situation is with the special needs child. That's a broad term, right? So I don't -- I don't know where on the -- I mean, it's not even a spectrum. It's more like a two-dimensional plane, right? Maybe even three-dimensional, very complex. So make sure that your child is not the only person that's involved in the financial decisions. Make sure there's somebody else there that has this child's best interest at heart at all times.

Dave Bittner: And then last bit of follow-up here from someone who goes by "The Computrix" on Mastodon wrote in and said, "I need to defend Walmart a bit." So Joe, remember a few episodes ago, you and I were taking cheap potshots at Walmart?

Joe Carrigan: Yes, yes, we were.

Dave Bittner: Which I mostly stand by. But Computrix writes in and says, "They provide college degrees for any of their employees. Many of my cybersecurity students are only able to attend college because Walmart is paying for them to do so. This includes books. One student is a delightful older gentleman who works the night shift restocking shelves. To have watched his growth since 2020 is amazing. And now he has opportunities he would not have had. Anyhow, it's hard to defend a major company like Walmart, but even a stopped clock is correct twice a day."

Maria Varmazis: Fair enough.

Joe Carrigan: I think that's a good -- a very good benefit that Walmart offers.

Dave Bittner: Yeah, it's a great point. It's a great point. I mean, I think most of the issues I have with Walmart are kind of broader philosophical, societal issues.

Joe Carrigan: Right.

Maria Varmazis: Yeah.

Dave Bittner: The Walmart effect on small towns and things like that has been greatly documented. But no, this is a great point. And I appreciate The Computrix writing in and sharing that little bit of information with us.

Joe Carrigan: Interesting. I wonder if they will pay for a master's degree.

Dave Bittner: [Laughing] Probably not.

Maria Varmazis: We should find out. I would love one. Why don't we do it?

Joe Carrigan: Exactly.

Dave Bittner: I'm getting my Ph.D. through Walmart.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: Hey, welcome to Walmart. Would you like a sticker? I'm getting my Ph.D.

Dave Bittner: Yeah, sure you are, pal. All right. Well, as always, we would love to hear from you. You can send us an email. It's hackinghumans@n2k.com. All right, let's jump into our stories here. And I want to remind everybody that our special guest today is Maria Varmazis. She is the host of the "T-Minus" podcast right here on the CyberWire network. And some of you are probably familiar with her from her regular appearances over on "Smashing Security" as well. Maria, it's great to have you back. And I have to say, before we jump in here, that one of the reasons I invited you back was the overwhelming amount of positive response and letters from listeners who said, please have Maria back as soon as possible.

Maria Varmazis: Oh, my gosh. You guys can't see it, but I'm blushing. [Laughs] That's really kind. I love talking about this kind of thing. It's an honor. I really enjoy it. So thank you for having me back. Thanks, everybody, for asking for me back. That's really nice.

Dave Bittner: Yeah. All right, Maria, what do you got for us today?

Maria Varmazis: Oh, gosh, I wish this was a happy story. So strap in for this one, everybody. Well, late January, many folks, especially in the US, you might have seen in the news that a lot of social media tech CEOs did one of their regular parades before a congressional committee to be yelled at about how their poor content moderation policies are literally getting minors killed only for them to do absolutely nothing about it and not be held accountable in any real way. Hooray.

Dave Bittner: Good times. Good times.

Maria Varmazis: Yeah. Yeah, great times. So, in that vein, I thought we should look a little bit today at what is going on. And one of the crimes involved here is called sextortion. And as the name implies, criminals are coercing adults and increasingly minors, meaning teenagers, into sending sexually explicit material. And then the criminal will extort that minor for money, lest those images be shared with their families, friends, co-workers, classmates, the public in general, you name it, like Nana. You know, it's blackmail.

Dave Bittner: Mm-hmm. It is.

Maria Varmazis: And the apps that teens commonly use are often targeted by sextortionists. So big ones are Snapchat, Instagram, and one that I admittedly had not heard of called Wizz, which is a dating app for teens, which --

Joe Carrigan: Why?

Maria Varmazis: Yeah, that was -- Yeah.

Joe Carrigan: Who thought this was a good idea?

Maria Varmazis: Red alert when I heard that that even existed. But yeah, it exists. And not a big surprise. It is a big target for sextortion crimes. So what the criminals will often do, as they often will with any kind of extortion crime, is they're going to use a lot of social engineering. So, in this case, it's catfishing. The criminal will pose as an attractive member of presumably the opposite sex. And in many cases, it's a pretty young lady they pretend to be. And they will connect to the profile of like the hunky football player or some such. And over time, slowly, that scammer will make friends with the victim's friends, really get embedded in their social networks, build a lot of trust. Like there's no rush here. Over time, slowly, things heat up to a boil. And then the sextortionist convinces the victim to send them some sort of sexually explicit imagery or a video. And then that's really when it gets really bad because the criminal now has their leverage, and the threats start. And these threats are awful. Basically, they threaten to show everyone that that person knows on their social network, including their family and their teachers and their friends and their teammates, the sexually explicit video. And in a panic, many times, the victim will pay up because the extortion money is often $200 or some amount.

Dave Bittner: Right.

Maria Varmazis: But then it just escalates the demands, as we might imagine, as we've seen with ransomware sometimes too, right?

Joe Carrigan: Right. Oh, I got some money out of you. I'm going to get more money out of you.

Maria Varmazis: Yeah. And if you don't pay up, guess what? I'm still going to do the thing I've threatened. Big surprise, right?

Dave Bittner: Right.

Maria Varmazis: So the weapon really here is shame. And again, these sextortionists are targeting, I mean, they're minors, they're children. So, you know, shame is a very powerful weapon in this case. And there's a lot of embarrassment. And the teens feel like they can't tell anyone. And it's really terrible. And unfortunately, they're targeting predominantly teen boys and young men. So many of these victims of these sextortion crimes will sometimes try to find support with other victims. Reddit is a popular place where people will go and sort of compare notes on what they've experienced. And people have noticed that the messages that they're receiving from the sextortionists are often not just super similar but practically copy and paste of each other. And that's not a coincidence at all.

Joe Carrigan: No, this is -- these guys have a script that they're following.

Maria Varmazis: They sure do.

Joe Carrigan: Right.

Maria Varmazis: And like any -- and like any campaign, even a terrible one like this, the criminals have optimized their scam. So someone who has looked into this is the Network Contagion Research Institute. And they published a really thorough report on all of this that I found gripping but extremely sad and alarming news. But it's highly recommended reading. And they have reported that incidents of this sextortion crime have -- I got to say this number slowly because I can't believe it. Incidents of this crime have surged 1,000% over the last 18 months. Just astonishing. And NCRI wanted to figure out why this was happening. And to do so, they took a look at a group in West Africa that's doing a lot of these crimes. And they're called the Yahoo Boys, no relation to the search engine or the company. It's just what they call themselves.

Joe Carrigan: I think actually it does have a relationship. I think those guys --

Maria Varmazis: Oh, does it!

Joe Carrigan: Yes, because they use Yahoo email addresses.

Maria Varmazis: Oh, man. I was meaning professionally. Like they're not professionally affiliated.

Joe Carrigan: No, no.

Dave Bittner: No, it's not the Yahoo HR team who's doing a little moonlighting.

Joe Carrigan: No, it's not.

Dave Bittner: No.

Maria Varmazis: If they use Yahoo, it's not Yahoo's fault. But yeah.

Joe Carrigan: No, no.

Maria Varmazis: Or is it? I know. I was kidding. So the Yahoo Boys apparently seem to target high school university athletes. That seems to be a lot of who they go after, as well as high school student groups in general. And even sometimes, young professional athletes we've seen get caught up in these sextortion crimes. But the reason is, when you think about it, kind of easy to understand. A lot of times, these athletes have a lot of public information available to them to be, you know, that's good fodder for a social engineer.

Joe Carrigan: Right.

Maria Varmazis: And often, because they're athletes on teams, they're very connected to their peers and to a broader social network. So you get in with one athlete, and then you can befriend the entire team. And then once you're friends with the whole team, you now have social proof that you're a legitimate account and you're a real person. And you're not, oh, I don't know, a catfisher operating out of Lagos.

Joe Carrigan: Right.

Maria Varmazis: And that helps your validity, and you sell the scam. And a lot of times, many times, these criminals are also using old, hacked accounts that they've acquired on the dark web in breaches so they can use accounts that look valid. Maybe they have a high snap score or, you know, they've got a lot of activity. So they pass the initial sniff test like, oh, this is actually a real person that's trying to connect with me.

Joe Carrigan: Right.

Maria Varmazis: So, Joe, as you mentioned, the Yahoo Boys have scripts that they use. And they don't just have scripts. They have best practices that they've published, training videos. Yes, canned scripts and even live stream videos of them actively extorting their victims, where they talk about what to tell them as they're actually walking them to a Bitcoin ATM. It's really harrowing stuff. And none of this is hard to find. It's all on Instagram, TikTok, Snapchat, Scribd, and YouTube. And a lot of the --

Joe Carrigan: Instructional videos.

Maria Varmazis: These instructional videos are there. And it absolutely violates the platforms' content rules against criminal activities, of course. But that hasn't stopped these criminals from using these platforms. Nonetheless, they're using things like basic code language, like calling their marks clients to evade basic content filters. And as you also might imagine, AI and deepfakes are making all of this even worse. So I just wanted to bring this to people's attention and say, you know, the term is called sextortion, which sounds kind of cutesy. But the bigger point here is that this is targeting minors predominantly. And so far, 21 minors have committed suicide as a result of being victims of sextortion crimes. And that number is an estimate. And it's probably a very low one.

Joe Carrigan: Right. Yeah.

Maria Varmazis: So, yeah, the NCRI report says that sextortion is the most rapidly growing crime targeting children in the United States, Canada, and Australia.

Joe Carrigan: Yeah, we had a story about this a while ago about a young man named Jordan DeMay, who did end his life.

Maria Varmazis: Yeah.

Joe Carrigan: And it's heartbreaking -- heartbreaking to hear that. Some of the people responsible for that have since been extradited to the US.

Maria Varmazis: Yeah.

Joe Carrigan: I don't know what's going on with it yet.

Maria Varmazis: Yes. Yeah, it's nice to see some people being held responsible for what they're doing. But the impetus to me -- Obviously, we want the criminals to stop what they're doing. The impetus to me is on the social media companies.

Joe Carrigan: Yeah, absolutely.

Maria Varmazis: They need to be doing a whole hell of a lot more.

Dave Bittner: I saw just, as you were mentioning, the congressional testimony. And I was watching some news reporting on that. And they had the mother of one of the children. She had a teenage son who had committed suicide, having been the victim of this. And, you know, the reporter asked her what she thought about the testimony. And she was pretty dismissive of it. You know, she said these companies come, and they talk, and they say all the things that they think they want the congressional folks to hear. But then they don't really change anything.

Maria Varmazis: No.

Dave Bittner: And they spend a lot of money lobbying to make sure that they don't have any real rules applied to them. And meanwhile, kids are dying.

Maria Varmazis: Yeah, kids are dying. I mean, it's not -- As I said, the term sextortion might sound kind of cutesy, but I mean, children are actually dying. So it's one of those -- The impetus is on social media companies that need to do more. I'm not going to hold my breath. I really wish they would, and they need to. In the meantime, to try and make yourself be less likely to be a victim, make your account private. Be very wary of who you friend. Tell your children, tell your teenage contacts that those friend lists are, even if you have a private profile, if you friend somebody, your friend list then becomes available to a potential extortionist. And then that's how they embed themselves.

Joe Carrigan: Mm-hmm.

Maria Varmazis: And always remember that things like screenshots are a thing. Apparently, a lot of times, the sextortionists are -- they eventually will move conversations over to Snapchat because Snapchat seems to be a little more secure than other social media platforms because it disappears images and messages. But those disappearing images and messages really aren't. So it gives people a false sense of security, and they let their guard down. So just be careful and definitely make sure you can -- If someone you know has been a victim of this, you know, save all the evidence, block, report, never pay the extortion, deactivate accounts that are affected. And please tell a trusted adult, minors, if you're listening, tell a trusted adult who can help you because you're a victim here.

Joe Carrigan: Right. And this is not permanent. I know it seems like it's permanent. It's not permanent. You know, it's going to be very temporary. It might be a little bit embarrassing, but it is survivable. And like you said, Maria, the truth of the matter is these kids are victims of these criminals. And, you know, they're violating actually some pretty serious laws in the United States. And if we get them, if we can get our hands on them, things don't go well for them.

Dave Bittner: Yeah. You know, this reminds me of -- I think that like a lot of parents out there who've been through having teenagers, you know, one of the things that my wife and I did, and this is not new or unique to us, this is a, I think a technique that's been around for decades, is when it comes to alcohol and drunk driving is telling your kid, you know, if you find yourself in a situation where you don't feel safe, you call us. And we will come and pick you up no matter where you are. And you will not be in trouble for that, you know, because you being safe is way more important than, you know, you made a bad choice to drink or, you know, whatever -- whatever it was. But I think that philosophy can be applied to this as well, to tell your kids proactively, you know, if you find yourself in trouble with something like this, let us know, and you will not be in trouble for it.

Maria Varmazis: And we'll help you. Yeah.

Dave Bittner: Right.

Joe Carrigan: Right.

Maria Varmazis: Yeah. The embarrassment can't be understated. I mean, I can only imagine how mortifying this must be. But it's -- that shame is really, it is the weapon. And if a kid is alone and doesn't feel like they have anyone to turn to, that can become deadly. So I think it's on all of us to try and take that shame away and let especially minors know that like this is definitely -- they're a victim and there's help for them.

Joe Carrigan: Right.

Dave Bittner: Yeah, absolutely. All right. Well, let's move on to my story, which it is impossible for it to be anything but a little lighter than yours, Maria.

Maria Varmazis: [Laughing] I'm so sorry.

Joe Carrigan: Oh, Maria, that story is an important story.

Maria Varmazis: Let's clear the air a little bit.

Dave Bittner: Oh, it's important. It's absolutely important. Yeah.

Joe Carrigan: Right.

Dave Bittner: It's a hard act to follow, that's all. [Laughing]

Maria Varmazis: Something lighter would be great. I would love that.

Joe Carrigan: Yeah, right.

Dave Bittner: My story is about rainbows and puppy dogs.

Maria Varmazis: Awesome.

Dave Bittner: No. Actually, I've got two stories here because they're short. And we'll have links to both of these in the show notes. The first one is some research that the folks over at Cofense published. They're a cybersecurity company. And they were looking at some of the most common phishing email themes of 2023. And they broke this down into different quarters of the year and things like that. And so I'm going to skip some of those specifics because they're not really relevant to us. But the major themes are things that we talk about here: finance, that came in at 54%; notification scams, which is 35%; shipping scams, 7%; and what they call response scams, which are 3%. None of this really tracks or surprises me, rather. And this is what they categorize as their major themes. So these are really the top things that they see. They had another level that they call moderate themes. And this included document scams. So someone sends you a PDF, a voicemail scam, something with travel assistance, scam faxes, which are still a thing. And yeah, legal scams. Yeah, I recently had an interaction. I think I've mentioned this here. I had an interaction with my doctor where I asked him if I could email them something. And they said no, but you can fax it. And I said, I'm sorry. I left my fax machine in 1995. So I won't be faxing that to you.

Maria Varmazis: Just send them the black sheets of paper over and over to eat up their toner.

Dave Bittner: Right, exactly. Get them to move on, yeah. [Laughing] And then they also have minor themes, which are the ones that they don't see as much of. And some of those were benefit scams, tax scams, job application scams, and closing scams. Those are the scams where someone's buying a house and things like that.

Maria Varmazis: Oh, yeah.

Dave Bittner: Yeah. The other thing I wanted to touch on today was actually a report from the FBI that they had put out some notice that scammers, it seems more and more, are hiring couriers to collect cash from people when they scam them.

Maria Varmazis: Couriers?

Dave Bittner: Couriers, right.

Maria Varmazis: Oh, gee.

Dave Bittner: So what will happen is a scammer will get somebody on the line, and they will have them either go to the bank and withdraw cash. An interesting wrinkle that this story talked about is they'll have people converting their money into precious metals. So they'll buy gold or something like gold, silver, diamonds, whatever it is. And then they'll have the courier come and pick up either the cash or the gold or whatever it is that's valuable, something that's valuable yet anonymous, right? Because you can go anywhere, and you can't go anywhere, but you can go to a precious metals dealer with your gold, right? And which I know is something all of us have done all the time.

Maria Varmazis: Who among us has not?

Dave Bittner: Right, exactly. Taken a big block of -- a brick of gold --

Maria Varmazis: An ingot, if you will.

Dave Bittner: -- to trade in for some farm animals or something. I don't --

Joe Carrigan: Every time I sit down at this microphone, I have to put tape around my Mr. T style size collection of gold chains I have.

Dave Bittner: That's right.

Maria Varmazis: Yeah, Joe, you jangle a lot.

Joe Carrigan: So just to keep it so the mic doesn't pick up all my chains.

Dave Bittner: Your Mr. T starter set.

Joe Carrigan: Right.

Dave Bittner: Absolutely. So the point they're making here is, number one, the scammers are getting more bold about this. And then the couriers don't know. You know, they're, you know, they're innocent when it comes to this. Generally, they're just being hired to be a courier. Go pick up a package from this person. They don't know what's in there. But it's another red flag, right, that if someone says they're going to send a courier over to pick up some money or really anything of value, that is a huge red flag that someone is not on the up and up. Because, you know, the FBI, the IRS, your bank, they don't send couriers over to pick up cash --

Joe Carrigan: Or gold bars.

Dave Bittner: -- or gold bars, right? It just doesn't work that way. But so spread the word. Evidently, this is something that the FBI is seeing more and more of, enough that they're concerned, that they've put out a flyer about this sort of thing. So those are my stories this week. Joe, what do you have for us?

Joe Carrigan: Dave, I saw an article on Axios from Sam Sabin that was called "The companies aren't paying ransoms like they used to." Those companies, it's just not like the good old days of ransomware, Dave.

Dave Bittner: [Laughs] Instead of cryptocurrency, they're using gold bars.

Joe Carrigan: Right. Yes.

Maria Varmazis: Yeah. We've evolved.

Dave Bittner: Right.

Joe Carrigan: But Sam actually links to a report from Coveware that has been tracking ransomware since 2018. And that's where I went. But this report covers a lot of stuff. But I really wanted to focus on this payment issue that ransomware gangs are starting to experience.

Dave Bittner: Okay.

Joe Carrigan: My heart breaks for them, of course. There are two dimensions here. Number one, the first dimension, is the number of victims who pay. If you go back to the first quarter of 2018, 85% of companies -- or 2019 -- 85% of companies were paying the ransom to the ransomware actors. Now, in the last quarter of 2023, 29% have paid the ransom. So of the people who got hit, only 29%, a little less than a third, paid the ransom, which is way down from almost all of them, 90% -- 85%. The other issue is that during the same -- the same time frame, it was 2018, they have a -- This data actually starts in quarter three of 2018. And the median attack has ramped up in terms of value, right? So how much do you think that people -- what do you think the median value is for a ransomware attack? Well, it's around $200,000 now. And you can watch it over time. It's kind of gone up to this $200,000 mark. Now, in the last quarter or third quarter of last year, that mean was $750,000.

Dave Bittner: Wow.

Joe Carrigan: So that mean was like almost four times the median, which means that there are some large outliers that are pulling that average up. And that most of the, you know, half of the occurrences are below $200,000. And of the ones that are above $200,000, some of them are really, really, really far above $200,000. Now, in the fourth quarter of last year, that mean dropped by 33%. So the mean, those larger payments are much, much smaller. So those outliers are getting closer to the median. Now, this is not enough to say this is a trend, right? It's one quarter. Although the downward trend of people paying is what I would call a trend. So why are people not paying? Coveware points to two major things. First, organizations have gotten on the bandwagon with good backups. So the ability to restore from backup is there. And then they're doing the math, right? And they say, hopefully, they have some idea how long it's going to take to restore from backup. They can do a cost estimate of would it be cheaper to restore from backup. Or would it be cheaper to assume that the data can be decrypted in place? Now, if the data can be decrypted in place, how much of it do we get back? Because the answer is very rarely 100%.

Dave Bittner: Yeah.

Maria Varmazis: Yeah.

Joe Carrigan: In fact, it's like 100% in fewer than 10% of the cases. So if you do the math, you know, how likely are you to even get your data back? And if you do get your data back, how likely are you to get that? Now, you've come down to a value proposition of at least a quarter, right? Like, in other words, if the cost differential between me restoring it and using the ransomware to restore it, if that is a million dollars, then I shouldn't pay more than $250,000 in ransom, right?

Maria Varmazis: Okay.

Joe Carrigan: And this is a very naive calculation, you understand, right?

Maria Varmazis: Yeah, back of the napkin, yeah.

Joe Carrigan: Right, back of the napkin math, exactly.

Dave Bittner: I'll take your word for it. [Laughs]

Joe Carrigan: I'm saying that the value of the ransom is 25% of the delta between the costs.

Dave Bittner: Okay, math boy. Whatever you say.

Maria Varmazis: That's assuming that the data is all of equal value, but okay. How sensitive is the data?

Joe Carrigan: True enough, true enough.

Dave Bittner: My eyes glazed over a while back.

Joe Carrigan: Sorry about that.

Dave Bittner: Keep going, keep going.

Maria Varmazis: He said percentages.

Dave Bittner: Yes. Weird means and mediums and averages and, oh, this is like math class. Go on, Joe, go on, bring us home.

Joe Carrigan: So some people are just saying, no, I'm not going to pay the ransom. We're just going to restore it. The other reason is because they're not trusting the promises of the cyber criminals to not disclose this information, which was the add-on that they started talking about like back in 2020 or something like that.

Dave Bittner: Mm-hmm.

Joe Carrigan: In fact, there's a great quote. I'm going to read this. "Data-driven reluctance to pay for intangible promises from cyber criminals, such as promises not to disclose or misuse stolen data and promises to exempt the company from future attacks or harassment." So that's the reasoning. They're using data, right? We know you're not going to honor what you say. You're going to come after us again. You're going to sell our data anyway.

Dave Bittner: Yeah.

Joe Carrigan: There's no sense in paying you the ransom to keep it to yourself. That's not even part of our calculus. And I don't know, Dave, but if you remember all the way back to when this started happening, my advice was don't make this part of your calculus because you can't trust these people.

Dave Bittner: Yeah.

Joe Carrigan: And now there's data that backs this up. You can't trust them, and they're not paying it. There's much more to this report.

Maria Varmazis: It's a bad deal.

Joe Carrigan: Yeah, this is a bad deal. But here's my question. I would recommend taking a look at the Coveware report. It's really good. Has a lot of interesting stuff. Talks about the merits of outlawing ransomware payments. Like, could you criminalize that for companies? Would that further decrease these things?

Dave Bittner: Right.

Joe Carrigan: But here's my question. As these ransomware payments start to go down, right, and these ransomware gangs or actors start making less and less money, what are they going to do next? Now, we've already seen one thing they do next, right? Where they look in the data, and then they go after the people in the data and start extorting them.

Maria Varmazis: Yep.

Dave Bittner: Right, right. I mean, a lot of them aren't even bothering to encrypt anymore. They're just doing straight extortion.

Joe Carrigan: Yes, that's right.

Maria Varmazis: Yeah. I mean, I would think surgical strikes might also, sort of in that vein, surgical strikes might be very interesting. But that's sort of what they've always done too. So, I mean, the ransomware was always, for the most part, casting a broad net, right?

Joe Carrigan: Right.

Maria Varmazis: So if that doesn't work for a while, go back to what they used to do and be a little more targeted.

Joe Carrigan: Yeah.

Dave Bittner: I wonder, too, about the amount of influence that insurance has on this. Because on the one side, you would think that organizations that have insurance, they would be more likely to pay because it's not coming out of their pocket. But on the other hand, these days, in order to get insurance, you really have to up your game when it comes to proving to the insurance company that you have all sorts of things in place that will help keep you from getting ransomware in the first place. And that, to me, seems like a bit of a virtuous circle.

Joe Carrigan: Right. Yeah, it does -- That is a good -- I never heard the term virtuous circle. That's a new one. And now my mind's stuck on it.

Maria Varmazis: It's a nice phrase.

Joe Carrigan: It is. But I'm also wondering, as you're talking about that, I'm wondering if these insurance companies are saying that we're not paying the ransomware guys. We're just going to pay for you to restore your data. Because number one, we don't know if you get your data back. And number two, we don't want to finance them.

Dave Bittner: Right.

Joe Carrigan: And we know that over the long term, this is going to be the way to go to reduce risk is to take the profit motive out of it.

Dave Bittner: Right, right. That's an interesting way to think of it, that your insurance company is your -- is your partner in getting your data back, whichever path you take on that journey.

Joe Carrigan: Right.

Dave Bittner: Yeah, interesting.

Maria Varmazis: Hmm. That's an interesting idea.

Dave Bittner: All right. Well, we will have a link to the report here in the show notes. And again, we would love to hear from you. If there's something that you would like us to cover here on the show, you can email us. It's hackinghumans@thecyberwire.com. Before we get to our Catch of the Day, we are going to take a quick break to hear from our show sponsor. [ Music ] All right, we are back. Joe, it is time for our Catch of the Day. [ Soundbite of reeling in fishing line ]

Joe Carrigan: Dave, our Catch of the Day comes from William, who writes, "I received this phishing scam the other day. Obvious scam to the trained eye. But if your business does a lot of social media business, this is really scary. And this is a Facebook Messenger scam."

Dave Bittner: Okay. It goes like this. "Important notification: Your Facebook page is scheduled for permanent deletion due to a post that has infringed upon our trademark rights. We have reached this decision after a thorough review and in accordance with our intellectual property protection policies. If you believe this to be a misunderstanding, we kindly request you to file a complaint seeking the reinstatement of your page prior to its removal from Facebook." And there's a link to the request for review. "We understand that this situation may impact your ongoing business operations. However, please be informed that if we do not receive a complaint from you, our decision will be final. Your cooperation and understanding are greatly appreciated. Should you have any inquiries or apprehensions, please feel free to reach out to us. Sincerely, Facebook Support Team."

Joe Carrigan: "Copyright. No reply. Facebook Meta Platforms Incorporated. Attention Community Support, 1 Facebook Way, Menlo Park." I can never remember which park it is, and I'm reading this, and it looks like it's Menlo.

Dave Bittner: Yeah.

Joe Carrigan: This is obviously fake. Actually, I saw somebody on my Facebook feed post about this and say, is this real? And I said no. Definitely a scam.

Dave Bittner: Yeah, but I can see what's going on here. I mean, particularly if you are relying on Facebook for some or part or all of your living, this -- And I suspect what they're doing here is they're getting you to a fake Facebook login --

Joe Carrigan: Right.

Dave Bittner: -- page to get your credentials.

Joe Carrigan: I would bet that's exactly what they do. And then you log in, and then they go in, they steal your page, and then they kick you out as administrator.

Dave Bittner: Right.

Joe Carrigan: And now they have all your followers.

Dave Bittner: It's interesting to look at the URL here, which goes to --

Maria Varmazis: I was just thinking that.

Dave Bittner: Go on, Maria. Describe it.

Maria Varmazis: I was just -- At the end of it, there's a tracking parameter at the end of the URL. I think it's a tracking parameter. It certainly looks like one. The question mark FB equals meta.

Joe Carrigan: Yes.

Maria Varmazis: Which seems to imply to me that this is like a really broad campaign. And they're trying to get some stats on where they're getting people to click from. That's kind of amazing to think if that's what that is.

Dave Bittner: Right, right.

Joe Carrigan: That is -- that is -- a parameter gets passed along with the -- with the URL string.

Dave Bittner: Yeah. What caught my attention is that instead of going to Facebook, it goes to some website called c8ke.com. And the -- instead of an a in cake, it's the number eight. So it's c8ke.com or something. Yeah, c8ke.com. Yeah. Lots of red flags, but certainly worth looking out for.

Joe Carrigan: My sister's name is Kate. And she used to, when she was a teenager, sign her letters K8.

Maria Varmazis: Yeah. Oh yeah.

Dave Bittner: Did she dot her I's with hearts?

Joe Carrigan: No.

Dave Bittner: Okay. Good. [Laughs]

Maria Varmazis: Maybe when she was younger.

Dave Bittner: Yeah. That's right. That's right. [ Music ] All right. Well, that is our show. We want to thank all of you for listening. And of course, we want to especially thank our special guest, Maria Varmazis. She is the host of the "T-Minus" podcast right here on the CyberWire podcast network. You can find that wherever your podcasts are listed. Do check it out. It is quite good. I enjoy it every day.

Maria Varmazis: Thanks.

Dave Bittner: Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. A quick reminder that N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our executive producer is Jennifer Eiben. This show is edited by Tré Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: I'm Joe Carrigan.

Maria Varmazis: And I'm Maria Varmazis.

Dave Bittner: Thanks for listening. [ Music ]