The illusion of influence.
Bogdan Botezatu: Generative AI is now fueling cyber crime. It's fueling it to such a rate that we start doubting whether it is real or not. And for most people it is very difficult to answer that question correctly.
Dave Bittner: Hello, everyone. And welcome to N2K CyberWire's "Hacking Humans" podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We've got some good stories to share this week and later in the show my conversation with Bogdan Botezatu who's director of threat research at Bitdefender. We're talking about audio deep fakes. We'll be right back after this message from our show sponsor. All right, Joe. Before we dig in here we've got a little bit of follow up.
Joe Carrigan: We do.
Dave Bittner: This is from a kind listener named Lara. I don't know if it's -- I suppose well I --
Joe Carrigan: She's -- I'm assuming she's writing from London so I would say just like it's spelled. Lara. That's why they call me --
Dave Bittner: Some would say Lara. Like an American.
Joe Carrigan: Right. Or Laura.
Dave Bittner: Lara. Okay. Lara. It's probably Lara. There you go. Lara writes in and says, "Hey, guys. London based listener here. Please bear with me. It's Piccadilly Circus. Not circle." Okay. Point taken. Next Lara says it's a tube subway station, not a train station.
Joe Carrigan: Okay. I did --
Dave Bittner: Once again.
Joe Carrigan: So thank you for the clarification. It is a tube station. Isn't that called the underground? London underground?
Dave Bittner: I suppose.
Joe Carrigan: But they call it slang as the tube.
Dave Bittner: Right.
Joe Carrigan: Right.
Dave Bittner: But you see I think one of the issues here is that Europe has such vastly superior public transportation than we do.
Joe Carrigan: Well, of course they do, Dave.
Dave Bittner: Partly because things are closer together, I guess. So trying to take a train is --
Joe Carrigan: Flying from D.C to Kansas City is the same as the distance from Warsaw to Paris.
Dave Bittner: Okay.
Joe Carrigan: This country is huge.
Dave Bittner: So like for me if I'm taking the D.C metro I would still consider that taking a train because it's running on tracks. Right? Train tracks.
Joe Carrigan: Right.
Dave Bittner: But I do appreciate the subtle distinction that Lara's making.
Joe Carrigan: I will say here on the east coast there is a distinction between subway systems. Like you can get on the metro.
Dave Bittner: Yeah.
Joe Carrigan: Then you can get on Amtrak which is more like a rail and then wind up on the New York subway system.
Dave Bittner: Yeah.
Joe Carrigan: At Grand Central.
Dave Bittner: That's true. And we have commuter rail which is different from Amtrak which is our train -- our passenger rail.
Joe Carrigan: Right.
Dave Bittner: That's hard to say. National passenger rail system. All right. Continuing on. Lara says you don't need a ticket. You just have a card. There are no paper tickets any longer. All right?
Joe Carrigan: We don't know how old the story was, but yeah. That's the way the metro works now too.
Dave Bittner: Yeah. Tickets are about seven pounds. The guy spend 20 pounds. I have no clue what he bought, but it wasn't a one way ticket. Well, I mean if you -- if you have a card I suspect you can load up that card with as much money as you want. So also if this was someone who was unfamiliar with the money, right --
Joe Carrigan: Right. Or how things work.
Dave Bittner: Right. They might just say, "Oh, well. You know, what do I got here? I've got -- all right. I've got a 20. I'll just put this on the card. Whatever." And then last, but certainly not least, Lara says Americans get recognized and scammed everywhere because of how clueless you guys look.
Joe Carrigan: I love this.
Dave Bittner: Yeah. Guilty. Yep. The mere fact most Americans say things like, "I'm going to Europe" as if it was a country makes you a target.
Joe Carrigan: Okay. Yeah.
Dave Bittner: Okay. So turnabout is fair play. I would point out our producer Jen made the point that if Lara's coming on this side of the pond it is likely that she would say, "I'm going to America."
Joe Carrigan: Yes.
Dave Bittner: Which is two continents.
Joe Carrigan: Yes. Not just one. Two of them.
Dave Bittner: Right. Right. So to be fair we don't know Lara. She might just say that she's going to visit the United States in which case --
Joe Carrigan: I've already covered the difference between or the difference in distances. And a lot of times when people are going to Europe they will go to multiple countries. So like you can go to Germany and then France and then Switzerland and then anything else.
Dave Bittner: That's true.
Joe Carrigan: In fact the only time I've ever been to Europe I went to Ireland and Northern Ireland which is part of the United Kingdom. So even staying on one little tiny island, the island of Ireland, I went to two countries.
Dave Bittner: Right. Yeah. And I don't -- I don't know. I mean for an American to say we're going to Europe --
Joe Carrigan: Right.
Dave Bittner: Because we are taking a European vacation. To your point, we're probably visiting multiple countries because they're so darn close together. Why not?
Joe Carrigan: They are right next door to each other. They're smaller than states, Dave.
Dave Bittner: Right. Right. Right. So it's an issue of scale. All right. Well.
Joe Carrigan: My favorite thing is when somebody comes to the U.S and says, "I'm going to drive down to Disney World and then fly out to -- fly out to California and see the redwoods." And how long are you going to be here? A week. You're not doing all that.
Dave Bittner: Yeah. That's true. Right. No. They do -- there is a tendency to think that especially when you get out west the --
Joe Carrigan: So huge.
Dave Bittner: Spread out.
Joe Carrigan: I was thinking about Los Angeles the other day, how big that city is.
Dave Bittner: Yeah.
Joe Carrigan: Like when you fly out of it you're up in the clouds before you're out from underneath of it. It's huge.
Dave Bittner: Right. It's a mile wide and an inch deep.
Joe Carrigan: Right. Yeah. It's very low, but it's so enormous.
Dave Bittner: Yeah. Well, Lara, thank you for writing in.
Joe Carrigan: Thank you. And we do love -- we do love hearing this good natured ribbing.
Dave Bittner: Yes. You're a good sport and we appreciate it and we will -- we wear our ugly Americanism of -- on our sleeves as a point of pride, I guess.
Joe Carrigan: Almost. Yeah. Kind of.
Dave Bittner: Yeah. At least we acknowledge it.
Joe Carrigan: Yes.
Dave Bittner: All right. Well, thank you for writing in. We do appreciate it. And of course we would love to hear from you if there's something you'd like us to cover on the show. You can email us. It's hackinghumans@n2k.com. All right, Joe. Let's dig into some stories here. You want to start things off for us?
Joe Carrigan: Yes. I want to start off by talking about PCI dash DSS or PCIDSS. This is --
Dave Bittner: Oh goody.
Joe Carrigan: Payment card industry data security standard. Now you might say, "Oh goody," Dave.
Dave Bittner: I might say, "Oh goody" with sarcasm. Yes.
Joe Carrigan: Right. But first off version four of the standard became mandatory on April 1 of this year.
Dave Bittner: Well, it's about time.
Joe Carrigan: Got released about two years ago and now it's -- now it's required. And there were some changes to the standard that I think are pretty good.
Dave Bittner: Okay.
Joe Carrigan: I'm going to go so far as to call them awesome.
Dave Bittner: All right.
Joe Carrigan: In the old standard --
Dave Bittner: Wait. Wait. Wait. Before we dig in, what is this? What is this? What is PCIDSS? What is it?
Joe Carrigan: Excellent, excellent point, Dave. I was just rolling along as if everybody knew what this security standard was.
Dave Bittner: Slow down, egghead.
Joe Carrigan: PCI is short for the payment card industry which is an organization of people that are -- that work with payment cards.
Dave Bittner: Right. Right.
Joe Carrigan: And the DSS is the data security standard which dictates that if you're going to accept credit cards and hold credit card data there are certain security standards to which you must adhere.
Dave Bittner: Okay.
Joe Carrigan: It is the reason that now all the gas stations in the United States have chip readers in them.
Dave Bittner: Right.
Joe Carrigan: That has been delayed. I think that's now part and parcel of this. Everybody has to have that.
Dave Bittner: Okay.
Joe Carrigan: In fact I can't remember the last time I saw a gas pump without a chip reader which is good.
Dave Bittner: And this is an area where we have lagged the rest of the world.
Joe Carrigan: Yeah. It is.
Dave Bittner: We've always been a year or two behind. So it's --
Joe Carrigan: There's great people over in London. They were way ahead of us.
Dave Bittner: Well, of course. Over at Piccadilly circle.
Joe Carrigan: Right. Don't -- no more lag. So there have been some changes. And of course all these data security standards -- NIST releases their own. But this is a private sector data security standard and it's called the PCIDSS. And the changes that I want to talk about are the changes to the social engineering portion of the standard.
Dave Bittner: Oh. Okay.
Joe Carrigan: So in the past a broad security awareness campaign would have sufficed to meet the requirement of the data security standard. So as long as you had some kind of security awareness thing going on at your company then you could check the box with PCI.
Dave Bittner: And this is for someone who takes credit cards.
Joe Carrigan: This is for someone who takes credit cards. Now I'm going to say this. There are different layers of people that take credit cards. Like not every small business can comply with these requirements. Right? So they'll use something like square or --
Dave Bittner: PayPal. Something like that. Yeah.
Joe Carrigan: PayPal. Yeah. That's another good one. And what they do -- what those companies do is they totally remove that responsibility from the business owner, the small business owner, and they encrypt that data completely along the traffic so that the small business owner never really sees the credit card.
Dave Bittner: Right.
Joe Carrigan: They never really have it in their custody. So if their systems get breached, someone gets access to them, they're not going to get any credit card information because it's been secured by these other third party providers which is a great business model.
Dave Bittner: Yeah.
Joe Carrigan: Because not every small business can afford to comply with the PCIDSS.
Dave Bittner: Right.
Joe Carrigan: But you can -- you can just go out and get a square account, pay a little bit more per transaction, which you as a small business can probably just jack your prices up a little bit more to compensate. And you're in business which is great. You can take payment cards.
Dave Bittner: Right.
Joe Carrigan: The new requirement -- and this I think is very good wording. Targeted security awareness training tailored to the specific risks faced by company employees. That's great because if you just have a security awareness campaign that doesn't answer the mail on what kind of threats you're going to be receiving, it's -- it's of very little use to you. It also mandates the use of a couple of technologies including anti-phishing filters which are like anti-spam filters just on your email. And then social engineering simulation tools.
Dave Bittner: Oh. Okay.
Joe Carrigan: Much like the ones provided by our sponsor KnowBe4.
Dave Bittner: Yeah.
Joe Carrigan: Other companies also provide them, but they're out there. These are phishing tools. You can even do, you know, training. You know training that provides, you know, when you click on the link you actually wind up clicking on a training link.
Dave Bittner: Right.
Joe Carrigan: And oh. You clicked that and you shouldn't have. What I like about that model is that it's quick. It's on demand when it's needed. And it doesn't take a lot of time.
Dave Bittner: Yeah. And it's -- it's catching the person -- catching's probably not the right word here because you're not -- it's not like a gotcha sort of catch. But you're -- you're catching the person at the very moment when they --
Joe Carrigan: They've made the mistake.
Dave Bittner: When they've made the mistake and so they're primed to learn that lesson.
Joe Carrigan: Yes.
Dave Bittner: Yeah.
Joe Carrigan: You know the article -- by the way, I'm referencing an article from IT Online.
Dave Bittner: Okay.
Joe Carrigan: And we'll put a link in the show notes, but this article adds that it might be a good idea to implement policies around social media usage. I hadn't even considered that as -- I don't know that it's part of the PCIDSS here. But it would be a good thing to do at work.
Dave Bittner: For your employees.
Joe Carrigan: For your employees. Yeah. Tell them how they're going to use Facebook, you know, at work. You know, because if you're -- or Linked In. If you're on Linked In, think about this. You're on Linked In. Linked In has a messaging service, Linked In messenger.
Dave Bittner: Right.
Joe Carrigan: And somebody knows where you work and if they're hitting you at nine to five Eastern daylight time they know you're probably at the office. And they can send you a message going, "Hey. I'm looking. I want to share this with you." Maybe it's a job opportunity. "Hey, can you review my resume? Here's a document." And it's just a link to a phishing site. They can get your office 365 credentials stolen that way. I mean these -- this is a very good point is what I'm saying.
Dave Bittner: Yeah.
Joe Carrigan: Put some policy around how your employees interact on social media while they're at the office.
Dave Bittner: So I mean it strikes me that in the same way that, you know, insurance companies help make homes and offices safer by saying, you know, if you install sprinklers you're going to get a lower insurance rate, this is the PCI folks saying you're going to do these things and it's going to make everybody safer. We're going to require this.
Joe Carrigan: Yes. Because their insurance companies are saying, "You're going to require this."
Dave Bittner: Yeah. That's a good point. Yeah.
Joe Carrigan: Doing these things kind of make -- doing all these things like that -- complying with this new standard is going to make your employees a lot more likely to be able to recognize and handle social engineering attacks when they're happening. You know, if you leave your employees out in the wilderness, even if you don't do payment cards or they're not payment card handling people, you're just leaving them open for these kind of attacks. And there are plenty of third parties out there that can help your organization with these compliance requirements and other compliance requirements as well. So I would say take advantage of that. I know you're a small company. If you're a small company you can't afford the massive security budget. So use a company like square that you just never even see the credit card information.
Dave Bittner: Right.
Joe Carrigan: But still make sure that you have anybody that accesses your bank accounts taking some security awareness training and some -- and understand what the risk is.
Dave Bittner: And I mean I think this emphasizes that an organization as large and widespread as the folks who handle PCI feel like this is time well spent.
Joe Carrigan: Yes.
Dave Bittner: Right? This is -- yes. This is an investment in your employee's time.
Joe Carrigan: Yes.
Dave Bittner: But the time they spend on this ultimately could very well save you a ton of time and money on the headaches of dealing with a data breach.
Joe Carrigan: That's right. And one of the things I like about this is it's kind of a mandatory compliance for a business that wants to manage its own credit card systems.
Dave Bittner: Right.
Joe Carrigan: So it's kind of like the heavy hammer coming down on these businesses. But again it -- we find ourselves in the same situation like all this money you're going to spend on this will be well spent if nothing happens.
Dave Bittner: Right. Right. Yeah. Yeah.
Joe Carrigan: That's the measure of success with cybersecurity professionals is nothing happens.
Dave Bittner: Right. All right. Well, that is interesting indeed. And, like you said, we will have a link to that story in the show notes. My story this week, Joe, I'm actually going to focus on a letter we got from a listener.
Joe Carrigan: Okay.
Dave Bittner: This is from a listener named Deanna [assumed spelling] who asked that we share this story. So I'm going to read it.
Joe Carrigan: Okay.
Dave Bittner: Says, "Dear Hacking Humans team, I'm writing you amid a harrowing situation involving my recently widowed grandmother who has fallen victim to pig butchering. Despite our family's best efforts to intervene, she is being manipulated to an extent that has resulted in severe financial loss and emotional turmoil for all involved. My grandmother whom I'll refer to as Nana after selling her husband's truck became entangled with a scammer known as Richard. This relationship originated from the sale, though it's unclear if it was online or through another channel. This person has isolated her from our family beginning with my uncle, a recently retired police officer. After extensive investigation, my uncle uncovered that Richard was impersonating a deceased man and presented numerous inconsistencies in his story. Despite presenting this evidence to Nana, she has become increasingly alienated from us. Richard has convinced her of his false identity and a fabricated scenario where he's currently detained by the IRS in Atlanta, urging her to marry him. Nana, deeply misled, is prepared to travel to marry him and we are unsure of his motives possibly aiming for marriage for immigration or other fraud purposes. She has lost approximately $85,000 to this scam and recently sent her driver's license to an unknown recipient increasing our concerns about further identity theft or looming property fraud. Efforts to intervene through banks and legal channels have been unsuccessful as she is still deemed capable of handling her personal affairs. Our family feels powerless as this situation worsens and even with my fiance's extensive background in cybersecurity we find ourselves at a loss. We would appreciate any advice, resources, or if you could highlight this story on your platform to raise awareness about the dangers of social engineering scams targeting the elderly. Thank you for your commitment to educating people on these critical issues. Sincerely, Deanna."
Joe Carrigan: Heartbreaking.
Dave Bittner: Yeah. It really is.
Joe Carrigan: Yeah. This is going to keep going until Nana realizes this is a scam or she runs out of money. One of those two things are going to happen.
Dave Bittner: Do you want to go through this just bit by bit and sort of we'll narrate it as we go?
Joe Carrigan: Sure.
Dave Bittner: So we start off here with Nana sold her husband's truck. So I'm assuming here that this is a deceased husband. So she's a widow.
Joe Carrigan: Yep.
Dave Bittner: So she's selling the truck and someone comes along to buy the truck.
Joe Carrigan: Yeah. It could have been that she sold the truck to another buyer and got some cash for it and this guy just so happened to start talking to her when she was trying to sell it.
Dave Bittner: So it could have happened through the process of selling the truck.
Joe Carrigan: Or it could have been that this guy somehow made off with the truck as well.
Dave Bittner: Yeah. So either way that's what prompted the relationship here. So we've already we've got, you know, Nana is in a position of vulnerability. Right? She is -- she's in the process. She's still, I suspect, grieving.
Joe Carrigan: Yep.
Dave Bittner: She's selling something that was the property of her former loved one. And so she's vulnerable.
Joe Carrigan: Yeah.
Dave Bittner: And this person comes along and likely takes advantage of that. Let's talk about the isolation. Deanna says that Nana has been isolated from the family even including an uncle who's a retired police officer.
Joe Carrigan: Retired police officer. Yeah. That's -- that's amazing. I mean it's -- it doesn't surprise me. But, you know, if this is one of her sons, I would guess, that's a retired police officer, if it's the author's uncle --
Dave Bittner: Could be.
Joe Carrigan: Or maybe a son in law. But, you know, if you have someone you've known and trusted all your life and they're telling you this is a scam, the influence this guy has over this woman is remarkably strong.
Dave Bittner: Yeah. He's woven a spell over her. And that's --
Joe Carrigan: That's exactly what happened. He's convinced her that he genuinely loves her and she believes it.
Dave Bittner: Right.
Joe Carrigan: So you're arguing against what is her truth. Not objective truth, but her subjective truth which is very hard to argue against.
Dave Bittner: Right. And her heart is all intertwined in it because he is -- he's put her in this situation of feeling like there's some sort of deep intimate relationship here. The thing about being retained by the IRS in Atlanta, I suspect there's nothing to that. You know, it's just putting a distance between them, an excuse why he can't -- why they can't meet in person.
Joe Carrigan: You know here I might actually think it might be worth -- depending on where you live in the U.S, it might be worth a trip to Atlanta to the IRS office. You know? Go in there and say, "Hey, my nana says you're holding her boyfriend here in a detention cell. We'd like to see him." And see what the IRS says.
Dave Bittner: Is there IRS jail? I mean --
Joe Carrigan: There is not IRS jail. No.
Dave Bittner: Okay. Yeah. So again I don't think there's anything to that, this notion that he wants to marry her. I don't think there's anything to that.
Joe Carrigan: No. That's just all part of the romance scam.
Dave Bittner: Right. And he's already taken her for $85,000.
Joe Carrigan: Yep.
Dave Bittner: This thing about sending her driver's license off, I mean that's frightening.
Joe Carrigan: Watch your bank account because somebody else is going to be opening bank accounts in her name.
Dave Bittner: Right. Right. Here's proof of my ID.
Joe Carrigan: Right.
Dave Bittner: And I don't know like a driver's license is not like a credit card where you can just cancel it if it doesn't work anymore. You know? I mean it's still --
Joe Carrigan: Still valid.
Dave Bittner: It's a valid ID. She could get it replaced, but it would basically be a duplicate of the one that she mailed off.
Joe Carrigan: Yeah. Depending on how the state does driver's license numbers, you're right.
Dave Bittner: So I would definitely put some kind of credit monitoring in place.
Joe Carrigan: Yeah. If it's possible, I would freeze her credit and freeze her tele checks so that nobody else could open a bank account in her name.
Dave Bittner: Yep.
Joe Carrigan: Because that's what's happening next with that ID.
Dave Bittner: Right. Right. In terms of additional advice I think one of the challenges here I mean normally what I would say is try to find someone who Nana respects who's in a position of authority.
Joe Carrigan: Yeah. We've had story after story where even that doesn't help.
Dave Bittner: Right.
Joe Carrigan: Maria was on one time telling the story about somebody that wouldn't listen to the priest, wouldn't listen to the police officer. And this sounds very similar. What I would say is see if you can slow things down a little bit. See if you can not totally stop it. Maybe sell it to her like, "We're not going to totally stop sending this guy money, but we're going to slow down a little bit and see what happens."
Dave Bittner: Right.
Joe Carrigan: And then if you can do that perhaps the guy will lose some interest. Although if he's done his -- if he's done the homework of really isolating her, it's a -- it's a problem. It's really a problem.
Dave Bittner: One thing I wonder, you know, there's mention of as we said a family member who's a police officer. I wonder if bringing in a higher level law enforcement person could be helpful.
Joe Carrigan: That might help.
Dave Bittner: At the level of loss that we've had here I would think, first of all, get in touch with your local police. But then also your local FBI field office.
Joe Carrigan: Yeah. And then maybe have -- I don't know. If you still have friends at the police department, maybe get like 20 police officers together and have them all tell her it's a scam.
Dave Bittner: Or the chief of police or there's someone who she would -- I mean to me an FBI agent coming to the home --
Joe Carrigan: Right.
Dave Bittner: Might be an increase in authority that she would take seriously. And someone in that position or someone who deals with the scam side of this might be able to break that spell.
Joe Carrigan: Right.
Dave Bittner: Be able to say, you know, "I'll bet this is what happened. Right?" And Nana will say, "How did you know?" And the person will say, "Because this is what always happens."
Joe Carrigan: Right.
Dave Bittner: You know that sort of thing to try to, you know, metaphorically you grab her by the shoulders and shake her to break the spell of what's going on here. You know, she is her own person and there's not any -- it's her money to do with what she wants. That's the thing. It's legally if she wants to, you know, take all her money and throw it out in the street she's allowed to do that.
Joe Carrigan: Right.
Dave Bittner: And so --
Joe Carrigan: Yeah. And I'm not -- I don't know that that's a problem, but in this case, in these cases, it certainly is a problem.
Dave Bittner: Right. Now it is a crime for someone to be defrauding her.
Joe Carrigan: Yes.
Dave Bittner: So you can come at it at that -- you know my relative is a victim of a crime. But again, you know, trying to get them to lock things down is really hard. You can -- there are things you can do if you're -- if you're able to get some -- some buy in from her, there are things you can do like having alerts on bank accounts and things like that. These are useful for the elderly. So, for example, I have a thing with an elderly member of my family where if more than let's say $5,000 flows out of a bank account I get a notification.
Joe Carrigan: Right.
Dave Bittner: Right? Now in order for that to happen that person had to agree to that. So you can't just have it done. But if you could convince her that this is in everyone's best interest for no other reason than just to slow things down, maybe it will help.
Joe Carrigan: Yeah.
Dave Bittner: My heart goes out to you, Deanna. I mean this is not an easy situation.
Joe Carrigan: No. This is terrible.
Dave Bittner: Yeah. It is really heartbreaking.
Joe Carrigan: If our listeners have anything to say that might held Deanna, I would love to hear it.
Dave Bittner: Yeah. If there's anybody out there who's had success here in breaking that spell, I'd love to know what worked.
Joe Carrigan: Yeah. Me too.
Dave Bittner: Because I suspect there are folks out there who've been in this harrowing situation. So thank you, Deanna, for sending in your note. We do appreciate you taking the time for that and like I said we're sorry that you're in this situation and we hope for you the best.
Joe Carrigan: We do indeed.
Dave Bittner: All right, Joe. Well, let's go from there and let's take a moment and switch gears and it's time for our Catch of the Day. [ Fishing line reel ] [ Music ]
Joe Carrigan: Dave, our catch of the day comes from Kenneth who just sent us an email. You like dogs, Dave?
Dave Bittner: I love dogs.
Joe Carrigan: We got Fred sitting right here next to us.
Dave Bittner: That's right. Fred the dog is in studio today. Fred has come back.
Joe Carrigan: Fred the cybersecurity dog.
Dave Bittner: He's on his best behavior. He has not started going through any trash cans or nosing anyone or anything like that. So Fred is just being a very good boy.
Joe Carrigan: Yes. He is.
Dave Bittner: Yeah.
Joe Carrigan: Now you've said his name. He's coming.
Dave Bittner: Oh. Hi, Fred. Don't ruin it, Fred. Okay. So what do we got here, Joe?
Joe Carrigan: So the reason I asked if you like dogs is this is a puppy scam.
Dave Bittner: Oh. Okay.
Joe Carrigan: It's a letter from an esteemed cardiologist.
Dave Bittner: All right. It says, "Hello. My name is Dr. Doris Linder [assumed spelling]. I am a cardiologist by profession. I work for major hospitals. I came across your email address through surfing the internet affiliated with the U.S Chamber of Commerce. My late grandmother was a puppy breeder. She died about four months ago and she left a female English bulldog and a female Yorkie before she died. One of the female puppies recently had a litter of three puppies. They are so adorable, but due to my job as a cardiologist it does not give me the proper time to take good care of these babies. I would have loved to take care of them myself, but due to the nature of my job I almost do not have time for myself. So I am currently after finding for them a caring and loving parent who would take good care of them and are willing to adopt. If you are generally interested in having one or more of them, please do feel free to email me immediately for more details and information. Dr. Doris Linder. Sent from my Android device with canine mail. Please excuse my brevity."
Joe Carrigan: Funny that they're using a canine mail client which is an Android mail client and they're --
Dave Bittner: That's a real thing?
Joe Carrigan: Yeah. It is.
Dave Bittner: Okay.
Joe Carrigan: I looked at it. I was like that's kind of odd.
Dave Bittner: I thought it was just reinforcing the scam. Like this person loves dogs so much they're even using a dog email program.
Joe Carrigan: That's a real app.
Dave Bittner: Okay.
Joe Carrigan: Yeah. This is -- this is obviously just a scammer who's just going to say -- send you pictures of dogs that they found on the internet and then demand money from you. And you're going to send the money and the dog's never going to show up. There is no dog. There are no puppies.
Dave Bittner: Right. Right. They're going to try to get you on the hook for who knows. Spaying and neutering or flea powder or whatever. Something the dog needs.
Joe Carrigan: Yeah. If you go -- if you go like get another dog like Fred, do you know how much a puppy, a goldendoodle puppy, costs? It's like two grand.
Dave Bittner: Yeah.
Joe Carrigan: We adopted Fred from a rescue. Didn't pay nearly that much. We just paid the adoption fee. But yeah. 2,000. There's a lot of money in dogs.
Dave Bittner: Yeah. Yeah. It's a shame.
Joe Carrigan: It is.
Dave Bittner: All right. Well, thank you, Kenneth, for sending that in. We do appreciate it. And of course we would love to hear from you. You can send us your catch of the day to hackinghumans@n2k.com. [ Music ] Joe, I recently had the pleasure of speaking with Bogdan Botezatu who is the director of threat research at Bitdefender. And we're talking about a hot topic. This is audio deep fakes.
Joe Carrigan: Right.
Dave Bittner: Here's our conversation.
Bogdan Botezatu: The short story is that we're investigating scams that propagate through social networks. For instance because we're working on a solution that helps people detect such scams. I'm not going to go into too much detail about a product, but one of the things that makes it stand out is this unique combination of technology and human intervention. You know to stay on top of these threats we need to manually analyze them and look into what the outcomes of specific scams are. So what we're doing is chase these scams on social media, dissecting them, looking at what the scammers are using, how they're going to monetize or how they're going to capitalize on these victims. And then we log these into a file. Of course part of the investigation is reporting them to the social network that drives this advertising. But up until now we're pretty skeptical about the outcomes of reporting. These scams still propagate. They still keep going because probably cyber criminals are pumping huge amounts of money to have them displayed to potential victims. So this is briefly why we know so much about scams. We're not using exclusively automated technologies to identify the scams. We have real people looking into that.
Dave Bittner: Yeah. Well, let's dig into some of them here. I mean for our listeners can you describe what a typical one of these looks like? What kind of celebrities are we talking about and what are they trying to do here?
Bogdan Botezatu: Okay. I'm going to go with the high profile list of celebrities. I'm not sure if too many of our listeners know where Romania is. It's a small country in the European Union that has the capital city in Bucharest and is mostly known for the stories about Dracula. Dracula was born in Transylvania. We also have a president and a national governor and a couple of high profile celebrities that are always present in the news cycle. And a cyber criminal decided to go for all of these people, impersonate them, and put words into their mouths. So because they have huge presence in -- on television and on the internet, it's very easy for cyber criminals to sample out pieces of video and audio with them, put all of this information into an AI algorithm, and have samples of their voice trained. Right? After this happens they will usually take regular footage and mix in specific text, usually claiming that these people are endorsing give aways or investment opportunities or whatnot, to gullible people. And with these endorsements, fake endorsements, they will purchase ads on platforms, target specific audiences, and then have everybody see a one minute video how to get rich quick. And of course a lot of people fall victim to that because these celebrities have a very deep cultural impact, I would say, into the nation. When the president tells you that there is a get rich quick scheme that other members of the government are hiding away from you you will tend to believe that because it has everything. It has greed. It has the conspiracy theory. It's cool. And it's being narrated by a person in flesh and bones behind the camera. Right?
Dave Bittner: Some of the ones that you all sent over for us to look at, there was one here from Oprah and there was one from Jennifer Aniston who are certainly well known celebrities here in the United States. It was interesting to me that they both really follow the same pattern. These are give away scams. Oprah's was giving away some kind of car seat and Jennifer Aniston's was giving away a Macbook Pro. Both for ridiculously low amounts. Is that sort of the pattern that is very common here where it's some kind of deal that's too good to be true?
Bogdan Botezatu: Yes. It goes even better than that. Why pay something for goods when you can get them for free? A couple of weeks ago there was a scam company impersonating Mr. Beast. That's a YouTube celebrity that's very well known for charity work. He allegedly was giving away a free iPhone 15 to people. All you had to do was pay for shipment and the device was yours. So and you know what? While these devices were in short supply on the shelves of supermarkets and stores he had 10,000 units to give. All for free. Imagine that you know when people see that there is goods of high value given away for free they'll take the chance. Right? Particularly if they had a debit card or the prepaid card that doesn't carry too much value. So even if you fall victim to that, yeah, you're not going to miss out too much money. But thing is that when you're giving out this information the scam goes further. These people are collecting credit card information so they can wire money to your account and then use the credit card data to do online shopping. And they're usually -- purchase digital currencies like Bitcoin or Ethereum to launder money coming from different other victims. So even if you're not losing anything because you have no money into that account, you're still helping people out launder money coming out of cyber crime. So nothing gets wasted in this industry.
Dave Bittner: It's a really interesting insight into some of the psychology behind this. You know it's like some of the people who -- I don't even -- I'm not even sure I want to say the word fall for it because it sounds like for some people it's like playing the lottery. You know, where they -- there's probably part of their mind that knows this is a scam, but for $5 or for $10 or for free, what have I got to lose? Right? And I may come away with a Macbook Pro.
Bogdan Botezatu: Yeah. Yeah. There's this example that I keep bringing up to the point of where I'm repeating myself way too often. There's a well known comic created by XKCD. I'm sure that you're familiar with XKCD. That is called "The 10,000." The moral of this comic is that every single day there's 10,000 people discovering what happens when you mix coke with mentos. They discover it for the first time. They have no idea what happened and they learn what happened the same day. This goes absolutely perfect with cyber crime. Every single day there's by analogy 10,000 people who are being defrauded for the first time. They had no idea cyber crime existed. They were like, you know, virgin. And at this point they encounter the scammer for the first time and they're falling victim for that because they don't have the education and they don't have the experience to stay away from that. So yeah. They learn that cyber crime exists the hard way.
Dave Bittner: It's interesting to me also that you mentioned, you know, that you and your colleagues do report this to the social media platforms. But I mean I suppose you could say it's against their interests to try to shut these things down because of -- well, they're being paid for. They're being paid to put these in front of people.
Bogdan Botezatu: I was not allowed to say that out loud, but thank you for pointing people in the right direction.
Dave Bittner: But you're not going to disagree with me.
Bogdan Botezatu: Yes. Now I'm sure that it's not greed exclusively. It's not just we'll let that run, that ad run, until its budget gets depleted. I'm sure that there are some technical challenges like, you know, video is very difficult to inspect automatically. I'm not going into detail that, you know, sites like YouTube can fingerprint, for instance, video for copyrighted music and they cannot do that for scams.
Dave Bittner: Right.
Bogdan Botezatu: Impersonating people. But probably there are the sheer volume of ads these networks run would not allow them to manually police each and every video ad that they deliver. But they could do better. They could, for instance, automate or prioritize in an automated way ads that get a huge number of reports because it's not just us reporting these ads. It's a lot of people who are tech savvy and stumble across them, report them, and then nothing happens.
Dave Bittner: Yeah. I have to say it's very frustrating for me as, you know, someone who does take the time to report these things over and over again and they just keep popping up on my timeline. It's just maddening.
Bogdan Botezatu: Every minute the ad stays online it makes a lot of victims. We know that there are a lot of victims because the forums and Reddit threads are full of people who give their account about how they got scammed and tell people that they have learned a lesson the hard way. This is fun because when you're going through these reports you realize that there's not one single outcome that hackers stick to. They have different scenarios to exploit people. There's scenarios where they just want the credit card number for credit card fraud. They just want information for ID theft. They might want enough information, for instance, to tweak the scam from a financial one to a romance scam and then to a bigger financial one. There are multiple outcomes. A couple of weeks ago we learned that some cyber criminals would initiate a scam, pay out a low value return of investment to the victim, and then advise them to invest more and more and more. By the time they have invested a lot of money, the will be like, "You know what? You have like $50,000 gathered in your account. We need you to withdraw it. And we will happily withdraw it -- we will happily assist you wire the money into your account. You don't have anything to do other than plugging your phone into the computer, install this tool utilities, and close your monitor off. Give us 10/15 minutes and then you'll have the money loaded into your account." Right? It sounds stupid, but there's a lot of people who heed that and they will connect the device. They will install a piece of software that automatically links the phone to the computer by the Android bridge, for instance. And the second application would be a remote access tool. So cyber criminals now have access to the computer browser and they have access to the device that receives the second authentication factor in the form of SMS, for instance. And all of a sudden money will start leaving the account rather than arriving into the account because cyber criminals will keep transferring all the funds that the person has in the banking account. That's why a lot of European banks, for instance, have become so paranoid that they will lock down accounts and temporarily freeze cards whenever they identify a remote desktop solution running along the browser that opened up a new banking session.
Dave Bittner: Interesting. So what are your recommendations here? I mean for -- for those of us who are sharing this kind of thing with our friends and family, I mean what -- what kind of information should we share?
Bogdan Botezatu: First of all I would say that education is a big part of helping people navigate through this new reality. If there's one thing that we realized in -- since the advent of Chat GTP, for instance, because we keep referencing Chat GPT as the first formal AI that the regular people could interact with -- you just chat with a bot. It behaves like a human. It gives you a solution. It is empathetic. It is compassionate. It helps you out. Right? That's when people understood that AI can have a huge, huge power. And the advent of these formal generative AI is now fueling cyber crime. It's fueling it to such a rate that we start doubting whenever we see something whether it is real or not. We start asking ourselves questions. What I'm seeing now, is it real or it is special effects generating -- generated by the AI? And for most people it is very difficult to answer that question correctly. There will be a lot of people who are mistaking AI generated content with reality. And for a very few pool of people the difference will be visible just because it's advertising something too good to be true. So back to the original question, I would say that education plays a key role because there's no greater tool than common sense. When you see something given away for free that costs thousands of dollars you should ask yourself, "Why am I receiving that?" And what makes it possible for people to unlock this economical glitch that brings infinite wealth with limited resources? If you're aware of the fact that nobody gives anything for free just out of the goodness of their heart to strangers on the internet, you'll already have this sixth sense activated. Secondly I would say that we should start looking into technologies that offer a deeper level of protection than what we're seeing on screens. At this point it's a little bit difficult for technology to correctly identify AI generated content that goes into the realms of scams, but this AI generated content is just the top layer of a more elaborated scam. You probably saw that incident a couple of weeks ago in which a Singapore employee was instructed to wire $24 million to an external bank account.
Dave Bittner: Right.
Bogdan Botezatu: And the order -- the order came from the CEO himself. And the employee was like, "I'm not sure about that. You know, I'll have to validate with you. Are you in the office?" "No. I'm not in the office. I'm working remotely." "But can we jump quickly into a call?" "I'm going to call like XYZ from finance and we're going to sit together. Make a decision and then you will help us wire the money." And he indeed jumped on a Zoom call with the CEO and three other colleagues. They reached an agreement. The employee wired the money just to learn out that he was the only human in the call. The other one -- the three colleagues were AI bots and the CEO was a fraudster. So these scams are so elaborated that they don't only rely on ads showing off on people's screens. Elaborated scams usually start with a background check of the victim. The usual parts of the kill chain. Learning out their phone number, their whereabouts, their list of colleagues, their list of friends. Unfortunately social media makes it so easy for cyber criminals to mount a lot of information, piece it together, and then generate the perfect scam. Yeah. AI is just the icing on the cake. It's the final layer of technology that basically seals the deal. [ Music ]
Dave Bittner: Joe, what do you think?
Joe Carrigan: Dave, I really liked that at Bitdefender they're examining these scams to the point where they're wondering what the end game is. The want to really understand the anatomy of the scam which is great. Of course it's always money is the end game, but they really want to know how the scammers are getting the victims there.
Dave Bittner: Yeah.
Joe Carrigan: And they want to see what the gimmick is. It's interesting that one of the things I thought was really telling in this article was that Bogdan doesn't think that reporting these scams to social media -- to social media companies helps. He said, "I don't think it helps." And my first thought was I wonder why.
Dave Bittner: Yeah.
Joe Carrigan: Again social media is making money from these scams as well. I mean they're just the front end. They're part and parcel of the scam. They like to pretend that they're not taking part in this and Bogdan says he doesn't want to say that they are. I'll say they are. They're making money off this, Dave. And that's why they're not involved in it.
Dave Bittner: If nothing else, it just drives engagement.
Joe Carrigan: Right.
Dave Bittner: Right?
Joe Carrigan: Yeah which is almost like their currency.
Dave Bittner: Yeah.
Joe Carrigan: So they sell the ads. They collect the cash. And I just remain more and more unconvinced that they're doing anything about it. I'm starting to think this might be part of their business model.
Dave Bittner: I'm with you. It's aggravating.
Joe Carrigan: It is. They're impersonating Romanian political figures in Romania. Vladimir Tepes would not have tolerated that. But they're also doing Oprah and Jennifer Aniston. I actually looked up the video, found the video, of Jennifer Aniston. It sounds very much like Jennifer Aniston.
Dave Bittner: Yeah.
Joe Carrigan: It doesn't look like it's exactly right, but it does sound almost exactly. I can't tell that it's not Jennifer Aniston.
Dave Bittner: Right.
Joe Carrigan: Mr. Beast is also a great target for these scammers. I have an appreciation slash hate relationship with Mr. Beast. I don't watch his videos generally. I find his -- I find his presence on my YouTube feed annoying.
Dave Bittner: Okay.
Joe Carrigan: But my son is a big advocate and says he does a lot of philanthropy work and does give away a lot of stuff.
Dave Bittner: Yes. I have heard that.
Joe Carrigan: But so I'm going to just I'm going to put my personal disdain for him aside. I'd said it's terrible that he's such a great target for this. Because he has a reputation of being such a nice guy and of giving stuff away, these scammers can take advantage of that and impersonate him.
Dave Bittner: Yeah.
Joe Carrigan: And it's a great tool. When I say great I mean I imagine that it's highly effective. It's probably one of the more effective ones that they have.
Dave Bittner: Yeah.
Joe Carrigan: Because he does this kind of stuff all the time. All of this is possible because there is tons of training data out there for these people. There's tons of training data out there for me and you too, Dave. So I'm still waiting for someone to send in an audio deep fake of me saying something. So they gather up some of the training data. They make the fake endorsement video with the audio. And then they buy ads on the social media platform and they push it out and people get hooked.
Dave Bittner: Yeah.
Joe Carrigan: I -- there was one thing he talked about within this thing where they will -- when you're talking about get rich quick schemes they will invoke the conspiracy theory kind of thing. I'm fascinated by conspiracy theories.
Dave Bittner: Yeah?
Joe Carrigan: Like I -- I don't think most people who are part of the flat Earth movement believe that the Earth is actually flat.
Dave Bittner: Okay.
Joe Carrigan: But I think that I think there's an attractiveness to it. You know, we're looking at a little bit of Poe's law here which means that if someone's online you can't tell if they're being serious or not.
Dave Bittner: Okay.
Joe Carrigan: When they talk about something. But there are other conspiracy theories out there. Like Kennedy assassination. Right? They love that one. That was actually technically a conspiracy. Right? There were more than one -- or maybe it was just Lee Harvey Oswald.
Dave Bittner: Where are we going here, Joe?
Joe Carrigan: Right. Well, my point is these things are attractive. Right? They're attractive to believe and they will hook somebody who's already kind of vulnerable to believe that the system's rigged against them and that's why they haven't gotten rich. Now they're finally going to get the secret. Right?
Dave Bittner: Yeah.
Joe Carrigan: Like I got an email one time that says, "Hey, we'd like you to join the Illuminati." And I was like there was a small -- I was like, "Yeah right." But there's a small voice inside in the back of my head that goes, "You could be so powerful." I was like, "You, sit down. I don't want to hear from you again."
Dave Bittner: Well, but it's also like we've talked about. There could be a certain level of pre-filtering.
Joe Carrigan: Yeah. Absolutely. That's an excellent point. And kind of what I'm dancing around here is that you get the conspiracy theory guy and he's like, "Oh. Okay. Now what do I got to do? I know this isn't going to be free." You know because nobody gives away anything for free. And they get the money.
Dave Bittner: Yeah.
Joe Carrigan: There was one interesting angle that came up in this story, in this interview rather. It's when Bogdan is talking about the -- you know, you play the lottery to get the [inaudible 00:54:04] pot or something or the iPhone or the laptop. And you pay like five bucks with a credit card. And if they can get your credit card information and your banking details, now they can load money into your bank account and spend it on your credit card. And you may not be aware that they're doing that because when you log into your bank account what do you look at? The balance.
Dave Bittner: Right.
Joe Carrigan: You don't look at the transactions right away. Maybe if you go through it with a fine toothed comb. Right? Maybe once a month you look at that and you see, hey, something's going on here.
Dave Bittner: Right.
Joe Carrigan: But if you're just logging in you might not see that for a while.
Dave Bittner: Right. And with electronic statements it's not like the UPS guy is going to show up with your transaction record, you know. The truck is full of them. Right?
Joe Carrigan: Yeah. The UPS guy won't show up. Somebody from the department of treasury will because you're money laundering is what's going -- you're laundering money.
Dave Bittner: Right.
Joe Carrigan: And that's what these guys are doing. They're going out and spending it on cryptocurrency and now they've got their cryptocurrency and they haven't had to risk anything. And the only thing they've done is put you at risk.
Dave Bittner: Yeah.
Joe Carrigan: It's a perfect crime, Dave. He tells a story about people connecting their phone to their PC with an app on it that gives the user control of the PC. That's terrifying to me. You know, because this is all a mystery to a lot of people. Just install this app and then hook it to your computer and I'll take it from here. Turn your monitor off so you're not watching what's going on.
Dave Bittner: I'm here to help.
Joe Carrigan: Right. Also I think it's encouraging though that banks are now recognizing when someone is coming through over a remote desktop system, some kind of RDP, and they're shutting down the connections which is great. That's fantastic. One of the key points here is that the AI generated media is just the new -- he called it the top layer in very old scams. We're still looking at scams that have been around for years and years and years before the internet was a big thing. Even longer than that. They were just -- now we're putting that veneer of AI on top of it. So what do you do to protect yourself? Of course you educate yourself. Educate those around you. Tell everybody you can about what the scams look like. Remember that if something is too good to be true that should be a big red flag.
Dave Bittner: Yeah. Absolutely. All right. Well, our thanks to Bogdan Botezatu for joining us. Again he is the director of threat research at Bitdefender. And we do appreciate him taking the time. [ Music ] And that's "Hacking Humans" brought to you by N2K CyberWire. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your team while making your teams smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tre Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening. [ Music ]
