Hacking Humans 3.7.24
Ep 280 | 3.7.24

New tools, old problems.


Dave Bittner: Hello everyone, and welcome to N2K CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey Joe.

Joe Carrigan: Hi Dave.

Dave Bittner: We've got some good stories to share this week and we are joined once again by our N2K colleague and host of the "T-minus" daily space podcast Maria Varmazis. Maria.

Maria Varmazis: Hi, good to be back.

Dave Bittner: Great to have you back. And we will all be back right after this message from our show sponsor. All right, Joe, before we jump into our stories here, and Maria as well, we've got some feedback. Joe, you want to kick things off for us?

Joe Carrigan: Yeah, Alan wrote in with some feedback about episode 278, specifically about Maria's story about Charlotte Cowles. Still not sure if I'm saying that right. And how she was scammed out of $50,000 by putting it into a shoebox and someone pulled up in front of her house with a, in an SUV to take -- or a Suburban --

Dave Bittner: Right.

Joe Carrigan: -- to, to drive off with it. Dave, you want to read this one?

Dave Bittner: Sure. It says, "Hi Dave and Joe, thank you both, and Maria, for your recent coverage of the $50,000 in a shoebox scam in the 'Scamming the Innocent' episode. My sister-in-law was nearly victim to something that sounded similar. Because she came to me very early on, I never quite figured out what the scam was and where it was headed. The scam started in a similar fashion. We live in Australia. My sister-in-law was contacted either by instant message or phone in early December 2023. They started off with the same technique of building authority and trust. This time around, the scammers posed as members of the Chinese police investigating a money laundering operation to which they claimed my sister-in-law was suspected to be involved." And he writes, "I should add here, if it's not already obvious, that they have absolutely zero jurisdiction down here and any Chinese investigations on our soil would have to go through an MOU with the local authorities, being the Australian Federal Police." I like how Australians say, "Down here". Because that's what we say, is "down there".

Joe Carrigan: Down under.

Dave Bittner: Down under, that's true. "Anyhow, they used the same spoofing trick to establish their authority. They asked her to Google a police station in Shanghai and to look at the phone number. Then they proceeded to call her from this number and convinced her that they were the Chinese police. They convinced her to take part in a video call via Skype. They were even wearing police uniforms during the Skype video call to further cement their credibility and authority." I'm picturing, you know, those, like, haphazardly pasted on sort of, like, Instagram filter things.

Maria Varmazis: Or a Halloween costume.

Joe Carrigan: That's what I'm picturing, is the Halloween costume. They went to the -- to the Halloween costume place and got, you know, that pop-up thing.

Dave Bittner: Right.

Joe Carrigan: And they just got, like, fake badges and stuff.

Dave Bittner: Right. Turns out they're dressed as, like, US Forest Service officers.

Joe Carrigan: Right.

Dave Bittner: "This is -- this is where she revealed to them details of her driver's license and passport. There was the usual 'don't tell anyone' threats, and they said they would call her every few hours to check in and make sure she was okay. At this point, there was nothing about any money. My sister-in-law called me about a day later because she felt something was off and asked for advice. I work in the field of computer forensics in the public sector. I'm glad she went with her gut and decided to reach out, as it could have ended quite badly."

Maria Varmazis: Yeah, oh yeah.

Dave Bittner: "Because they hadn't gotten to the money part, I wasn't clued in as to how the scam was going to unfold. I thought it could have been an attempt at identity theft, but this was a lot of effort to go into to get the credentials of one person's identity. We played it safe and she went and got replacements for her license and passport, as well as registering herself with a local nonprofit support organization set up to assist those with identity theft concerns." Boy, everywhere else in the things but us.

Joe Carrigan: Yes.

Maria Varmazis: I'm glad you said it, because I was thinking it, too. Like, that sounds like a great service. Why don't we have that?

Joe Carrigan: I want to talk -- we're going to talk about that, this website afterwards because there are good resources on it.

Dave Bittner: Okay. "I also advised her to ignore all further comms from the scammers and explained to her how easy it was to spoof the number that pops up on the phone. I really wish telcos would just fix this already."

Maria Varmazis: Amen to that. Oh my gosh.

Dave Bittner: "It wasn't until I listened to the 'Scamming the Innocent' episode of your podcast where you spoke about the scam from start to finish that helped me learn as to how this particular scam is going to play out. So, thank you for that. There are times when I think about being a target for one of these scams, but instead of handing over a sealed box of cash, I'd fill it with something juvenile, like week-old chicken bones or something. Did someone say glitter bomb?"

Joe Carrigan: So, thank you, Alan, for sending that in. First off, the website that Alan mentions is IDCARE and it's very Australia and New Zealand-centric. So, but it does have a, what is it, a resources site. It's got some videos on there that walk you through these scams.

Dave Bittner: Oh.

Joe Carrigan: And those are not particularly New Zealand and Australian-centric.

Dave Bittner: Okay.

Joe Carrigan: They're universal. They have some cheat sheets or, you know, like, flyers. Those are pretty much specific to the area. But the videos are definitely worth checking out. So you can send any family members to this. I also want to say this. I also have the same juvenile urges here.

Dave Bittner: No.

Maria Varmazis: You?

Joe Carrigan: But the thing is, I want everybody to remember, with the scam with Charlotte, the bad guys knew where she lived, and they showed up at her house.

Maria Varmazis: Yeah.

Dave Bittner: Yeah.

Joe Carrigan: With an SUV that probably had more than one person in it. These are not somebody you want to mess with. These are not -- these people are criminals, they're coming after $50,000 that they want really badly. The best thing to happen is what you did here, and that's just hang up the phone and don't -- don't acknowledge them anymore.

Maria Varmazis: Yes.

Dave Bittner: Yeah. We've got some more follow-up here.

Joe Carrigan: Yeah. On the same story, we have Clinton writing in. He says, "All three of the hosts missed the most important detail of the story that could have stopped it in its tracks."

Dave Bittner: Well, thanks for writing in, Clinton.

Joe Carrigan: Clinton raises an important point.

Dave Bittner: Yeah.

Joe Carrigan: He says, "The entire scenario began when they called her and the verification was accomplished when they called her. At any point in time, the journalist in question hadn't said -- had insisted on hanging up the phone and verifying the number on her own and initiating a call herself, the scenario would have failed. Therefore, as I see it, the most important takeaway is never accept anything told you by anyone, unless and until you initiate a phone call and that beyond -- you know beyond a doubt that you're talking to the person or entity you believe you're talking to. Any or all other cases, you should believe this is a scam, period." Couple of things about this. Number one, that's right, that's a best practice. I'm going to say that. But we had a story a couple weeks ago about a guy who was working with, I think it was Capital One Bank.

Dave Bittner: Yeah.

Joe Carrigan: And he called Capital One and tried to tell them what was going on, and they had no idea what was going on, and then the scammers called him back. So he had done something like that and still got mixed up in this and wrapped around the axle.

Dave Bittner: Yeah.

Maria Varmazis: It is the absolute best way to think about things, is if someone calls you, just don't trust it, but, I mean, real life is messier than that.

Joe Carrigan: Yeah.

Maria Varmazis: And I feel like we're sort of setting people up for failure for, like, "Never trust any inbound phone call, because your phone is just an attack vector at this point, so just ignore anything that comes in."

Joe Carrigan: Right. Right.

Maria Varmazis: I mean, okay, that is the ideal if you can operate that way, but I think that is a very difficult way for a lot of people to live. And again, it wasn't like this was one phone call and she was done. This was hours and hours and hours of them working for her -- working at her. And, I mean, I've received phone calls from people that were legit, where they were asking me to verify PII for things like pharmaceutical calls, that kind of thing. And I'm going, 'This is a really bad practice, but this is pretty standard for the healthcare industry.'

Joe Carrigan: Yeah, absolutely.

Maria Varmazis: Where do we draw the line with never trust any inbound phone call? I mean, plus, they had her PII, so, I don't know, they weren't asking her for stuff. They already had it.

Joe Carrigan: Yeah, and again, we're sitting here with the, yeah, I don't want to say that what Clinton said is not correct because it is correct. That is a best practice to hang up the call and say I'll call you right back. And he's right. If that -- if Charlotte had done that, this probably would have stopped right in its tracks.

Maria Varmazis: It's really hard to do that. I mean, it's just --

Joe Carrigan: Right.

Maria Varmazis: -- especially if they have all your information and they're not asking her for it. They already have it, and they're saying, 'We're just checking that this is correct,' that for a lot of people would go, Oh, all right, well, they don't want anything from me because they already have everything they need.

Dave Bittner: Right, right. It short-circuits your skepticism.

Joe Carrigan: Exactly, and that's where I was going, is that your skepticism gets short-circuited because they've actually fired off the fight or flight response, and you do not think clearly, and you do not consider other options. You know, this is the old case I always like to point out of the bear, right? When I tell this story in a lot of talks where I saw the bear on the bike ride. And I don't remember a lot about that portion of the bike ride. I remember the bear. And that's all I remember. And that's the exact same physiological response. We're all laughing because it's hilarious, because I had the crap scared out of me by a bear. But that is exactly the same thing that they're making -- that they're exploiting here.

Dave Bittner: And that is why Joe is no longer welcome at the Yogi Bear ride.

Joe Carrigan: Right.

Dave Bittner: I will add here just a little side note, and I'm pretty sure I've talked about it here before, that one time I had a credit card issue and I pulled my credit card out of my wallet and I turned it over. And I dialed the 800-number on the back of the card. And I was halfway down a phone tree before I realized it was a scammer who was on the phone with me, because I had misdialed the number. And so the scammers knew what the bank's number was, and I guess they had just bought up every fat-fingered close number, you know?

Joe Carrigan: Off by one.

Dave Bittner: Yeah.

Maria Varmazis: Yeah.

Dave Bittner: Or flipping a couple of numbers or whatever. And it sounded like I was at the bank. And something tipped me off and I hung up and called back. And that time, I was much more careful that I dialed the right numbers. So, you know, I think Maria, your point is great that yes, there are best practices, but at the same time. I always joke and say, Meanwhile, here in the real world, it's much more complicated than that.

Joe Carrigan: Yeah, it is.

Maria Varmazis: It is.

Joe Carrigan: I like your explanation, Maria, that it gets -- real life is much more messy than that.

Maria Varmazis: Yeah, I mean, I could go on and on about it forever, honestly, but I just think of all the phone calls I get during the day, 70% of them are spam that I ignore, but the other 30% are from people I don't know that are calling me for legitimate reasons. And am I supposed to not trust any of that? I mean, maybe. One could argue maybe you should never trust any phone call. But, you know, I just -- especially if you've got, like, a lot of family around or something, you're going to get random phone calls and you don't really know what it's going to be about all the time.

Joe Carrigan: Yeah.

Dave Bittner: All right, well, let's jump into our stories here. And I guess I'll kick things off for us. My story this week comes from Brian Krebs over at Krebs on Security, a very well-known security journalist I suppose is the best way to describe Brian. And he was writing about some malicious hackers who are targeting people in the cryptocurrency space. And they're using the online calendar scheduling app Calendly.

Maria Varmazis: Oh my gosh.

Dave Bittner: Yeah, so Maria and I are having a shared moment of terror because we both use Calendly for our --

Maria Varmazis: Yeah.

Joe Carrigan: Is this the one where somebody says, Hey, make an appointment on my Calendly and I'll get back to you.

Maria Varmazis: I live on Calendly. That's how I do most of my job.

Joe Carrigan: I don't know, I find it off-putting when someone sends me that, and, you know, tells me to get on their calendar.

Dave Bittner: Well, I'll tell you in a professional environment, it is a huge time saver and lifestyle upgrade. Because what it does is it lets me, for example, to just put little chunks of time throughout my week when I will be available to do things like interviews for the CyberWire or "Hacking Humans".

Joe Carrigan: Right.

Dave Bittner: Then, if someone wants to do that, one of our producers can send them the link to that Calendly and then they can choose when they want to sign up for a slot. So what it avoids is all the what about Tuesday? Okay, well, no, I can't do Tuesday. Can you go Wednesday?

Joe Carrigan: Right.

Dave Bittner: Well, how about two o'clock? No, four o'clock. And so --

Joe Carrigan: I agree. It's an elegant solution.

Dave Bittner: Yeah, all of that back and forth goes away. I agree it's a little weird I think in a personal situation. Like, you know, Hey, would you like to go out for a date? Sure. Here's my Calendar.

Maria Varmazis: Here's my Calendly.

Joe Carrigan: Maybe that's the problem with it I have, is I just take it too personally.

Maria Varmazis: Can you imagine.

Joe Carrigan: Yeah, I should appreciate the improvement process.

Dave Bittner: Right. Right. So this story follows someone who got scammed. And so because of that, Brian Krebs is not using the real name, so he's referring to this person as Doug. And Doug was reached out to by someone on a -- someone on Telegram, and he was -- Doug was active in the cryptocurrency world. And he got reached out to by someone who's claiming to be someone named Ian Lee from an organization called Signum Capital. And evidently, if you're in the crypto world, both of those names mean something. And to me they do not, but it is a well-known real person and place that has a reputation that is good in the cryptocurrency world.

Joe Carrigan: Ah, okay.

Dave Bittner: So, this person reached out and said, Hey, I understand you have a startup. I like to fund things, we should talk, and they engaged via Calendly. Now, one of the things that Calendly allows you to do, and before we were doing this show, earlier today I was poking around on my Calendly to just figure out, like, Does it do that? Yeah, it does that. It allows you to include an extra link with the event. So, for example, Joe, like, if you'd wanted to book an interview on the CyberWire, you could do so. And once it sent you the invite, that invite could also include a link but the link would be through Calendly so it looks legit.

Joe Carrigan: Ah, so it's like -- it's like having a little bitly right in there with it.

Dave Bittner: Yeah, but you're going to trust it because --

Joe Carrigan: It says Calendly.

Dave Bittner: -- it says Calendly, and you've already done business through Calendly to make all this happen.

Joe Carrigan: Yeah.

Dave Bittner: So you're going to trust it.

Maria Varmazis: Okay. Right.

Dave Bittner: So, that's how things got started. Then, ultimately, when it was time for the two of them to have essentially a Zoom meeting, this person, Doug, clicked on the link, but instead of opening up a video conferencing app, a message popped up on his Macintosh saying that the video service was experiencing technical difficulties. But no problem. It said, We're working on a solution, please click here as a temporary solution. So what happened then was it downloaded a script to his Mac, which ran the script, which is just -- I believe it was just an AppleScript script, which is sort of --

Joe Carrigan: A bash script?

Dave Bittner: Yeah, it's Apple's version of that. It's a scripting language that comes -- it's part of Mac OS that lets things -- it gives -- it allows you to just run, yeah, run scripts on your Mac.

Maria Varmazis: The automator, right?

Dave Bittner: Exactly. Thank you, Maria. Yeah, it's like an automator. And so that downloaded and executed a malicious Trojan. And at this point, Doug figured out what was going on, and he went into panic mode, in a good way.

Maria Varmazis: Oh, yeah.

Dave Bittner: Backed up all of his documents, changed his passwords, and reinstalled the OS on his computer. Brian Krebs points out, "This is a perfectly sane response, but it means we don't have the actual malware that was pushed to his Mac by the script, because he basically wiped his Mac clean."

Joe Carrigan: Right.

Dave Bittner: Some other security researchers seem to have an idea of what was going on here, what the different types of malware that was installed. Evidently, this is some group who goes by the name BlueNoroff, which Kaspersky Labs says is part of the Lazarus Group.

Joe Carrigan: That all adds up, actually.

Dave Bittner: Yeah. Yeah.

Joe Carrigan: The big crypto guys, the Lazarus Group.

Dave Bittner: Yeah. So, it's an interesting little pathway, and the Calendly link was not one that I'd heard of before. So I guess the bottom line here, it's just another example of be careful, that just because a link comes from a platform that you trust, that doesn't mean that the link is trustworthy.

Joe Carrigan: Yeah, it's -- these things are just little link translators or link obfuscators, just like all the other ones. Like Twitter puts their own link shorteners, like a link shortener service.

Dave Bittner: Yeah. That's the actual name of it. So it's a link shortener service built into the app. Yeah, and taking advantage of legitimate functionality.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: Right.

Dave Bittner: Yeah. Maria, any thoughts on this one?

Maria Varmazis: Nothing really to add, no. Not for me.

Dave Bittner: You're looking for another calendar scheduling app, right?

Maria Varmazis: I'm a little nervous now, because, I mean, Calendly is, I'm literally looking at my Calendly account right now.

Joe Carrigan: Right.

Maria Varmazis: Oh my gosh. Well, that's great.

Dave Bittner: Trust no one. Don't take any incoming calls.

Maria Varmazis: Don't take any Calendly links.

Dave Bittner: Don't click any links.

Maria Varmazis: God. Just get off the internet.

Dave Bittner: Soon it's going to be pens and paper all over.

Joe Carrigan: I'm going to go out and buy some land and just farm.

Dave Bittner: There you go.

Maria Varmazis: It really does make you want to live in a cabin in the woods, it really does.

Joe Carrigan: Yeah, it does.

Dave Bittner: Maria, what's your story this week?

Maria Varmazis: All right, so speaking of don't trust a phone call. So my story is not so much about a scam about -- as it is about a possible solution to a scam. And I'm question marking all of the things that I'm saying because I'm not really sure that it is a solution, but it is someone trying a thing.

Dave Bittner: Okay.

Maria Varmazis: And this actually uses AI as a possible clunky solution to one of the oldest scams in the book, especially in Japan and increasingly elsewhere. Where scammers will call up an elderly person and convince them to make a cash transfer using an ATM. And I put a little LinkedIn, sorry, not a LinkedIn, wow, that's where my brain's at. Put a little YouTube link in our script here, you can see there's a video. And the first seven seconds are what will display on an ATM in Japan if a person walks up to the ATM while holding a cell phone. And I don't know if you -- yeah. It's very attention-grabbing.

Dave Bittner: So the security camera on the ATM is using, I guess, AI --

Maria Varmazis: Yes, it is.

Dave Bittner: -- to know if you have a phone to your ear.

Maria Varmazis: Yep.

Dave Bittner: And if you do, then it plays this video.

Maria Varmazis: Yes, and the video translates to, Warning, that phone call is a fraud, hang up right now. And it's very, like, alarms and red and blinky and meant to get your attention. And this is actually being rolled out by Japan's National Police Agency, and they're working with Japan's Post Office Bank, which is a lot of -- Japan's Post Office actually has a bank. So, a lot of people get their cash through the Post Office in Japan, especially elderly people. So, this is AI trying to come to the rescue and helping people who are commonly being scammed out of their money. And in this case, they're actually enabling some celebrity help with this guy. I actually happen to know who he is. His name is Keita Tachibana. He's a former, basically, boy band member who has since retired, but he's now working with Japan's National Police, trying to help them clamp down on all these scams that are targeting the elderly there. And --

Joe Carrigan: Oh, good.

Maria Varmazis: Yeah, which is nice. I was like, I don't know if this will actually help because as far as I can tell from the video, literally anyone walking up to the ATM with a phone to their ear is going to get this message, of any age. I don't know if it really matters.

Dave Bittner: Right.

Maria Varmazis: But I imagine that might get really annoying really quickly if you're just having a regular phone call.

Joe Carrigan: Like you're on the phone with your -- your significant other. Or your dog walker.

Maria Varmazis: Oh, no, it's a scam! Hang up right now!

Joe Carrigan: Hang up the phone right now!

Maria Varmazis: Yeah. It's like, I admire the attempt.

Joe Carrigan: Why do you keep hanging up on me?

Maria Varmazis: Why are you calling me a scam? When I was looking, I saw this story, because this just rolled out a few days ago. I was trying to figure out a little bit of the back story here for these scams in Japan. Because again, this is not just Japan seeing elderly people being targeted. Certainly as our world gets grayer and a lot of our national populations get older, this is happening to a lot of people.

Dave Bittner: I feel attacked.

Maria Varmazis: I'm trying to be tactful. Listen, I'm not as young as I used to be. The backstory for a lot of these scams happening in Japan specifically is that these bank accounts that are being used for fraud, for the cash transfers, are actually being sold in the black market by foreign citizens living in Japan who are often coerced or sort of forced by unfortunate circumstances to sell their bank accounts in the black market. So, a lot of times these are people in real distress who maybe have no money because they've lost their job. Also the pandemic saw a huge increase from this. Many of them apparently are, according to a report from NHK Japan, they're citizens of Vietnam. So, there are people who are often trying to raise money to go back home or send home, and they're selling their -- they're being solicited to sell their bank accounts online by crooks, basically. And they're not sure what that's for. And then if they leave the country and then try to return to Japan, they, that person, is being arrested for fraud. So it's like, it's making a bad situation a lot worse.

Joe Carrigan: Yeah, that's the thing about organized crime, is it's usually victims all the way down.

Maria Varmazis: It sure is. Yeah, and what was another little interesting wrinkle to this story is I don't know if you heard about this last year, but the -- Japan's National Police Agency actually floated an idea of closing off all ATM access to any Japanese citizen over the age of 65 to try and prevent this kind of ATM cash scam from happening. Which people were like, That's not going to happen, that's really a bad idea.

Joe Carrigan: Right.

Maria Varmazis: But that's how bad this problem has become, where people are just sending loads and loads of money to scammers. So that -- they were thinking, Well, maybe we just close off the ATMs instead of trying to stop this problem. So --

Dave Bittner: Wow.

Maria Varmazis: Yeah. So this video at an ATM, at national ATMs across Japan, is rolling out right now apparently, and I'm just -- it's an interesting idea to try and stem this problem. But I wonder if people are just going to ignore it as an annoyance.

Joe Carrigan: I watched -- I watched this video first and I had absolutely no idea what was going on because I don't speak any Japanese.

Maria Varmazis: That's fair.

Joe Carrigan: Yeah.

Dave Bittner: Yeah, it reminds me of the, like, the training that in-store cashiers are getting when it comes to gift cards.

Joe Carrigan: Right.

Dave Bittner: You know, how if you walk up to the counter at your local drugstore with a dozen Apple gift cards, the cashiers now are trained to say -- to ask you questions to make sure, or to try to help that you're not being scammed. But I suppose, you know, in the same way that if you're under the scammer's spell, who's on the other end of the phone, in Japan, I can imagine the scammer saying, Now listen, as you walk up to the ATM, they're going to show you this video, and that's just there to trick you.

Maria Varmazis: Yeah.

Dave Bittner: You know, don't fall for it, that sort of thing. Or whatever, they'll come up with some --

Joe Carrigan: Workaround.

Dave Bittner: -- explanation for it. Yeah, yeah.

Maria Varmazis: Yeah, there often is. Yeah. Yeah, and what's interesting is, to me, and something I was thinking about in the previous story also. Sorry, not the previous story. The listener response about the Chinese police agency scam person, if they're speaking Chinese to a person in a country where Chinese is not the main language, that can build trust. You're going, Oh, this person is speaking my native language and that's not normally what happens here. In Japan, if you hear someone speaking fluent Japanese, you might go, Well, this person's clearly not, like, a foreign scammer trying to get money out of me, so I'm going to trust this person inherently. Yeah.

Joe Carrigan: Yep.

Dave Bittner: Interesting. Well, I mean, I wish them well. I hope it works. Like you said, Maria, I think I could imagine this just becoming background noise very quickly.

Maria Varmazis: Yeah.

Dave Bittner: If you see it over and over again, you'll just ignore it. You know, it's like those, have you ever been to one of those gas stations that plays ads while you're pumping your gas?

Joe Carrigan: Ah, I have the solution.

Maria Varmazis: That's why I have an electric vehicle, honestly. Not the reason, but it certainly helps.

Joe Carrigan: Yeah. Can I tell you what you do there, Dave?

Dave Bittner: Oh, yeah.

Joe Carrigan: So, on either side of the screen, there's usually a row of -- or column of four buttons on both sides.

Dave Bittner: Yeah.

Joe Carrigan: Second button down on the right is mute.

Dave Bittner: Yeah.

Maria Varmazis: There you go. News you can use. Yeah. In Japan's case, this is a huge problem with the elderly getting scammed out of cash. So, I know they're trying everything they can to try and stem the tide of this happening, but it's been going on a long time and it's just only getting worse. So yeah, it's an interesting thing that they're trying.

Dave Bittner: Yeah. All right. Well, interesting story. And we will have some links for that story in the show notes. Before we get to Joe's story, let's take a quick break here to hear a message from our sponsor. All right. We are back. And Joe, what do you got for us this week?

Joe Carrigan: Dave, last week, from -- actually from -- we got so much over the course of the last week, so much email --

Dave Bittner: Yeah.

Joe Carrigan: -- that I decided I was going to share some listener stories this week.

Dave Bittner: Okay.

Joe Carrigan: The first one comes from Jax, who says that over the 2023 holidays, he received a text message from Chase Bank that said, This is a fraud alert. Did you approve this purchase? He's like, I don't have an account with Chase. This is obviously a scam. But he doesn't do anything, right? But then it gets the best of him. He gets a little bit worried about it, and he types no and replies to the -- replies to the text with a no, thinking either I'll start to see a scam here or something else will happen. But what happens is he gets a message back that says, You've already responded to this alert, which is weird. So he actually gets on the phone and tries to call Chase, because that doesn't satisfy him. So he calls Chase and he says that he has to go through their automated phone screening wringer, right, which is just a miserable experience and there is no option for I don't have an account but I still want to talk about fraud, right?

Dave Bittner: Yeah.

Maria Varmazis: So that doesn't fit in the phone tree, yeah.

Joe Carrigan: He eventually penetrates the bureaucracy and he gets through to somebody, and they are ultimately able to confirm to him that yes, that message did come from them, but there wasn't any more information they could give him. He had to go to a Chase branch. Which the closest one to him is an hour away.

Maria Varmazis: Oh my God.

Joe Carrigan: So, he's not going to go to a Chase branch, right? So the next thing that happens is he said he got another one in recently, like, within the month of February, and now he's wondering, Should I have gone to the Chase branch? Here's what I think is happening. Somebody has erroneously entered a phone number into their text alerts, or maybe, Jax, you -- have you recently acquired that phone number and that's somebody's old phone number, and it's still getting the text alerts from somebody -- the fraud alerts from Chase for somebody else's account? Because these are coming from Chase.

Dave Bittner: Yeah.

Joe Carrigan: So that's my best guess.

Dave Bittner: But if someone had already responded to it.

Joe Carrigan: It goes to two phones.

Dave Bittner: Right.

Joe Carrigan: The text gets sent to two phones.

Dave Bittner: Oh, I see what you're saying. So you could -- you could have your account set to send all messages to two different phone numbers.

Joe Carrigan: Right.

Dave Bittner: And so the person who's on the other phone number has already responded. I could see that happening. You're -- just -- just being a wrong number.

Joe Carrigan: Yeah, essentially it's a wrong number, or maybe somebody has entered something wrong.

Dave Bittner: Yeah.

Joe Carrigan: They've mis-entered their spouse's phone number or something.

Maria Varmazis: Yeah, it could happen.

Joe Carrigan: Because I don't -- I had to make a conscious effort to remember my wife's actual phone number instead of just going to my Favorites and pushing on her face on the phone, right? That's --

Dave Bittner: And they say romance is dead.

Joe Carrigan: Right.

Maria Varmazis: Pushing on her face.

Joe Carrigan: I have pictures of all the contacts.

Dave Bittner: Honey, I can't wait to bring up your picture every time I call you. Push on your face. Talk to people, push on your face.

Maria Varmazis: A modified version of that Monty Python song.

Dave Bittner: Soon your dulcet tones will be in my ear.

Joe Carrigan: Oh, you've just brought back childhood.

Dave Bittner: Moving on to the next story.

Joe Carrigan: Well, I wanted to say, Jax, if there's a thing that says "Reply stop to stop these messages", I would try that. I don't know if there is for these kind of things. But Rodney has a twofer. Rodney actually got a phone call when he was at work, and it was his mom calling from his aunt's number. And he says -- he says, I'm kind of in the middle of a call right now, is this urgent? And she goes, yes. And she proceeds to say that her dad -- his dad had clicked on an ad, you know, a pop-up alert about Microsoft warning for viruses. And of course they then got access to his computer and showed him that -- "showed them" is in quotes, all the traffic to these porn sites and money laundering and they were going to try to help him. They said -- they tried to isolate him, said they can't use any devices, not even their landline for 10 hours, which is why mom went out and got the aunt's phone number. Apparently, the aunt lives next door. So it was really convenient. So he said, Yes, that is a -- that is a fraud. And he actually got them to get in touch with the bank. The bank said, You've got to come in here. And they put fraud alerts on all three credit bureaus. And they closed their accounts and opened new accounts. Good job on the bank's part there.

Maria Varmazis: Yeah.

Joe Carrigan: He did let -- he did let them know the scammers are playing -- pulling from a playbook here, is what he says. And they create this crisis, they manufacture the panic, and then they come in with the solution. So good work for Rodney and good work for Rodney's mom, realizing something's up and calling Rodney, who is a help desk technician.

Maria Varmazis: Yeah, absolutely.

Dave Bittner: This happened to my dad once.

Joe Carrigan: Yeah.

Dave Bittner: The Microsoft, I think I talked about it here.

Joe Carrigan: Yeah.

Dave Bittner: The Microsoft message popped up on his Mac.

Maria Varmazis: Well, I mean, it's technically possible if you're running Microsoft on your Mac, it's a little --

Joe Carrigan: Yeah, that's, yeah, exactly.

Maria Varmazis: It has happened to my parents, too. I've received screenshots put in a Microsoft Word document and then forwarded to me in my email, saying, Is this legitimate?

Dave Bittner: There you go.

Joe Carrigan: Right. The second story Rodney had is actually two really sad stories. And he talks about these women that he knows, they are tangentially, you know, friends of friends, that have been scammed in romance scams and one of them, it turns out, had actually only realized it was a scam after she had on her own traveled to South Africa and then traveled to Canada to meet this guy. Presumably I'm thinking that this was to meet him when he wasn't expecting her, but she walked into where she was expecting to meet somebody, and the receptionist there said yes, this happens frequently. This is a scam.

Maria Varmazis: Yeah.

Joe Carrigan: So -- but the other one is somebody who is ongoing right now is still getting scammed out of -- out of money on a regular basis. And she is now targeted by four different people which he suspects, which Rodney suspects, may be the same guy, but it may be four different guys in the same gang. And no matter what they tell this woman, she doesn't believe that this is a scam.

Maria Varmazis: Yeah, yep.

Joe Carrigan: And it is really tough. And Rodney wanted to point this out. This is, again, part of the psychological conditioning for this. And I don't know that I can easily relate to this one, but there's no way I'm going to sit here and say that this woman should know better. She doesn't. She's being victimized by at least one person, and they're just taking her money from her. I don't know what the solution is here for this, when you have somebody that you know is being victimized this way. And Rodney points out, this woman is not some average person off the street. She is a CPA and a former CFO for a company. And she's getting scammed out of money by romance scammers.

Maria Varmazis: Yeah, when you want to believe it's true, you can't convince somebody that it's not true. I mean, that's -- I have personal experience with this one. Very, very close family and friends I know have fallen for this. And I should also mention, I know someone who worked at the Nigerian consulate for years, and -- sorry, the American consulate in Nigeria. Let me clarify.

Joe Carrigan: Right.

Maria Varmazis: And literally their job was, a lot of it, helping Americans who had traveled to Nigeria, only to realize the person they were there for was nonexistent.

Joe Carrigan: Right.

Maria Varmazis: And no matter how many times that intervention happened, people still, even if they were there in Nigeria and lost a lot of money, people still believed that that person that they were waiting for was real. So, it's a very difficult problem. And I have, as I said, I know people who have fallen for the scam as well, and I've been part of interventions trying to help this person. I've tried to, you know, lean on any of my expertise that I have to say, Hey, this is definitely not a real thing. If people are convinced it's real, there's -- in my experience, I don't have any happy tale to say here. It's nothing I have ever said has worked. I wish I'd say that.

Dave Bittner: Yeah, that's what I was -- yeah, that's what I was going to ask about. Like, what is a high enough authority for someone that they would -- that you could, you know, put some sense into them. Could you, if I'm thinking, like, do you bring in a police officer? Could you bring in an FBI agent? Could you get their priest or their rabbi? Or, like, who?

Maria Varmazis: So, can I tell you what we tried?

Dave Bittner: Yeah, yeah.

Joe Carrigan: We want to hear this.

Maria Varmazis: We brought in, the person who I know who fell for this scam, we brought in that person's children, we brought in that person's priest, we brought in that person's siblings, and we brought in that many people in the, sort of the broader family network, of which I am a part. We brought in pretty much everyone we could think of, including the person I know who worked at a consulate in Nigeria. And literally none of that worked. And the priest was the person we were hoping would be most effective, as that is a very esteemed person in this person's life. And none of it worked. Like, none of it worked. I honestly, even the bank stopped her and said, You're being scammed, ma'am, and it just didn't matter. So I have to say, this scam is the one that really terrifies me, because I don't know of many success stories where people have been able to get through to someone and say, Hey, this is -- you're being scammed. I know it really hurts, but, you know, this is not real. It's just -- it's a really tough one.

Dave Bittner: Yeah. I mean, I guess, you know, as Joe and I have talked about time and time again, is if you can try to get to them before it happens and inoculate them --

Joe Carrigan: Yeah.

Dave Bittner: -- then you have a better chance of it not happening. But I think to your point, Maria, once they're down that path, it is so hard to bring them back.

Joe Carrigan: They are fully vested.

Maria Varmazis: They sure are. It was really eye-opening to be part of an intervention for such a situation. This was many years ago, and I just couldn't believe it, because we actually tried inoculating this person previously because it was a concern that many of us had had, that this person would be potentially a victim. And it just did not seem to help.

Joe Carrigan: Is this person still being victimized?

Maria Varmazis: No, they are not. They're okay now.

Joe Carrigan: Okay, good.

Maria Varmazis: But I think basically the scammer lost interest. I think the process got -- we managed to extend things enough that the scammer just kind of left this person alone. But it was a very -- it was many dicey months of just trying to figure out how to keep this person from causing harm to herself financially.

Joe Carrigan: Right.

Maria Varmazis: And heartbreak was inevitable, but it was -- it was really tough. And every time I read about these, I go, I remember how hard that was, and you're right. It can be a very well-educated person who intellectually knows that this is a scam, but emotionally it's a different story. And then --

Joe Carrigan: Correct. That's a very important distinction.

Maria Varmazis: Yeah.

Dave Bittner: Yeah.

Maria Varmazis: It's very difficult.

Dave Bittner: All right, well, Joe, you've got one more here.

Joe Carrigan: I do. We can go into it if we have time. This is from 0xSionGod.

Dave Bittner: Okay.

Joe Carrigan: One of those really cool hacker names.

Dave Bittner: Not their real name, no.

Maria Varmazis: Not on the birth certificate.

Joe Carrigan: But he says that wallet drainers like InfernoDrainer and others are constantly using phishing sites to steal millions, and he has an example of a phishing site that was designed to trick users into a wallet-draining app by faking a legitimate wallet security extension. So this is a wallet security plugin called WalletGuard. And it looks like a Twitter tweet, a tweet or an X or whatever it's called now.

Dave Bittner: Right.

Joe Carrigan: Who knows? And it says, Luckily I'm on time. Thanks, WalletGuard, for saving my tokens. But in the bottom, there's a link to what is actually a -- just something that drains your wallets. It just goes in, gets your private keys, sends the private keys out, then I guess the person who -- who receives the information drains the wallets.

Dave Bittner: So you sign up for something to protect your wallet and instead --

Joe Carrigan: Yeah I don't even know if you sign up for it. I think you just download it and --

Dave Bittner: Right.

Joe Carrigan: Yeah, that's all that happens.

Dave Bittner: But I would imagine part of the process here is giving it access to --

Joe Carrigan: Yeah.

Dave Bittner: -- your wallets, which makes perfect sense if you're trying to protect your wallets.

Joe Carrigan: Right. I don't know how much of a use case I would have for WalletGuard itself. I don't know. There's a better security practice called cold wallets, where you keep things off of computers.

Dave Bittner: Yeah.

Joe Carrigan: And you, you know, get a hardware wallet, and you put -- if you're the kind of person that has a lot of cryptocurrency, you don't keep that all in one software wallet.

Dave Bittner: No, I mean, it seems like this is clearly targeting the unsophisticated --

Joe Carrigan: Yeah.

Dave Bittner: -- cryptocurrency investor.

Joe Carrigan: Right.

Maria Varmazis: Well --

Joe Carrigan: Which I'll bet there are a lot of those.

Maria Varmazis: Didn't want to say it.

Dave Bittner: All right. Pregnant pause. All right, well, good stories, and -- but now it is time to move on to our Catch of the Day. [ SOUNDBITE OF REELING IN FISHING LINE ]

Joe Carrigan: Dave, our Catch of the Day comes from Zach, who writes, "Hey guys, great show. Got this in the mail today. My wife actually purchased this item and initiated a return through Amazon. I saw it on the counter and asked if she had done anything with it, and she had not responded to it." She -- he says he finds this hilarious, a real phishing message you can hold in your hands. Now, Dave, I'm going to describe the picture here. It is -- it looks like it comes on an Amazon letterhead.

Dave Bittner: Right.

Joe Carrigan: There are a couple of pictures of a model, or two models wearing tights.

Dave Bittner: Yep.

Joe Carrigan: I guess in the US we might call these pantyhose.

Dave Bittner: Yeah.

Joe Carrigan: But these are -- it's a -- what's interesting to me right off the bat is that his wife has already returned these tights.

Dave Bittner: Yeah, so I'm wondering where -- well, let me read it and then we'll get to our questions. So it reads like this. It says, "Dear valued customer, Thank you for purchasing our fleece-lined tights on Amazon. We hope the product is working well for you. Congratulations! You are chosen as the lucky customer to have a $15 PayPal payment by sharing your shopping experience. Get your PayPal payment now. Write a review and take a screenshot. Email us the review screenshot. A PayPal payment will be sent to you within 48 hours after your review is live online. Any concerns about the product? Please feel free to contact us via mail. We will get back to you in 24 hours during working days, and satisfying solution is promised. Attention, for your account security, please don't attach pictures of this letter when you leave a product review. Hope you enjoy our products. Thank you for being one of our valued customers and for your great trust. Looking forward to hearing from you soon. Yours sincerely, Customer After Sales Team."

Joe Carrigan: And it says here there's an Outlook address. So, here's what I think is going on here. This is just a -- this is actually from the seller --

Dave Bittner: Yeah.

Joe Carrigan: -- on the Amazon site, and they are just trying to buy a five-star review.

Maria Varmazis: Yes.

Dave Bittner: Exactly.

Maria Varmazis: Yeah.

Joe Carrigan: So Zach, if you really want to mess with them, you can just send this directly to Amazon, which is why he says here, "For your account security, don't attach this letter to your reviews."

Dave Bittner: Right.

Joe Carrigan: Because then Amazon will go, ho, ho, ho, hold on, you can't do that, that's against our terms and conditions.

Dave Bittner: Have you ever gotten one of these?

Joe Carrigan: I have never gotten one of these.

Dave Bittner: I have.

Maria Varmazis: I've gotten tons of these.

Dave Bittner: Yeah.

Maria Varmazis: Tons. They come with almost everything I get now. It's amazing.

Dave Bittner: Is that right?

Maria Varmazis: Yeah, I mean, I don't -- I try not to shop on Amazon. As much as I can, I try to avoid it, but when I do, there's often something like this in there saying, Don't tell them we asked you to leave a five-star review. We'll incentivize it in some way. It's so common now. It's, yeah.

Joe Carrigan: I got one, I bought a box of collar stays.

Dave Bittner: Okay.

Joe Carrigan: Like 500 collar stays. And they say --

Maria Varmazis: That is a lot of collar stays!

Joe Carrigan: Yeah, you know what? I'm already out of them.

Maria Varmazis: You lose them every time.

Joe Carrigan: I do, I do. I already -- I was, like, looking in my box this morning, I'm taking the long ones and breaking them off and thinking to myself, I've got to buy more collar stays.

Dave Bittner: Okay.

Maria Varmazis: Wow.

Joe Carrigan: But I got an email that said, Hey, would you mind giving us a review on your collar stays? There wasn't a promise of anything else, right? Just asking for a review.

Maria Varmazis: Why do you review a collar stay?

Joe Carrigan: Right, so I wrote the most sarcastic review.

Maria Varmazis: It's a piece of plastic you put in your collar.

Joe Carrigan: Right. These collar stays are great.

Dave Bittner: I mean, I've fallen down the trap of using substandard collar stays, and let me tell you, a man walks with confidence when he has the right collar stay.

Joe Carrigan: You laugh, Dave, but I actually do have a story about using the wrong collar stays.

Maria Varmazis: Oh my gosh.

Joe Carrigan: You'll see in some stores, high-end stores, they'll sell metal collar stays.

Dave Bittner: Oh.

Joe Carrigan: Never, ever buy those.

Maria Varmazis: That seems very dangerous.

Joe Carrigan: It's essentially like jamming a knife into your shirt.

Maria Varmazis: Oh.

Dave Bittner: Okay. I also would imagine you have a hard time getting through airport security.

Joe Carrigan: Yeah, that too. That was a concern one time. So yeah, don't buy the metal ones. Just get the cheap 500 plastic count.

Dave Bittner: Or --

Joe Carrigan: Or wear a button-down collar like Dave's wearing right now. But Dave, I want you to look here, right here, right here.

Maria Varmazis: Where the heck would the collar stay --

Dave Bittner: Oh, look at that.

Joe Carrigan: I had to break it off.

Dave Bittner: Now I've got to say, that's one sharp looking collar there. I've got to say.

Joe Carrigan: On the other side, because I pulled this one out.

Dave Bittner: Man, every girl's crazy about a sharp-dressed man.

Joe Carrigan: That's right.

Dave Bittner: There you are, Joe, with your -- your collar stays. Oh boy, you can take that collar stay out and you can use it to press against your wife's face on your phone. It will be irresistible.

Joe Carrigan: Then it won't call.

Dave Bittner: Right. Well, what are you going to do? You know, nothing's perfect.

Joe Carrigan: Yeah.

Dave Bittner: All right. Well, thank you for -- from Zach for sending this in. We do appreciate this. This was a good one. And of course we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans at n2k.com. That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. A quick reminder that N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at N2K.com. Our executive producer is Jennifer Eiben. This show is edited by Trey Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: I'm Joe Carrigan.

Maria Varmazis: And I'm Maria Varmazis.

Dave Bittner: Thanks for listening.