The Airbnb booking that wasn’t.
Dave Bittner: Hello everyone, and welcome to N2K Cyberwire's Hacking Humans podcast, where each week, we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines, and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan, from the Johns Hopkins University Information Security Institute. Hi Joe.
Joe Carrigan: Hi Dave.
Dave Bittner: We've got some good stories to share this week, and are joined once again by our N2K colleague, and host of the T-minus daily space podcast, Maria Varmazis. Hi Maria.
Maria Varmazis: Hey!
Dave Bittner: We will be right back, after this message from our show's sponsor. [ Music ] Alright, before we dig into our stories here, we have a couple of little bits of follow up. I'm going to start off here, we've got a nice note from someone named Nathan, who writes in, and I don't have the time to read the whole thing here, but Nathan sent in a nice note, talking about how he is a regular listener, and enjoys the show, and partially based on inspiration from some of the things he's heard from this show, he's decided to go back to school and pursue a degree that he had put off years ago and is looking forward to that. So that's really gratifying, and a tip of the hat to Nathan, and we wish him the best.
Joe Carrigan: Yeah, good luck, Nathan. Thanks for writing in and letting us know.
Dave Bittner: Yeah, it is great. What else do we have here, Joe?
Joe Carrigan: Dave, we have someone who didn't leave a name, but we'll call them "M," like someone from James Bond, or perhaps Men in Black.
Dave Bittner: Okay [laughs].
Joe Carrigan: And this person was writing in about our episode with, I think it was Maria's story two weeks ago with-or maybe it was your story, Dave?
Dave Bittner: Yeah, I think it was mine.
Maria Varmazis: Yeah.
Joe Carrigan: With the Chase alert, and we said they should reword it, so it says "did you call Chase?" But he pointed out this was pretty good adversarial thinking here, that there was an easy play for the attackers, they just send you a text message, and then ask you to call the number, their number, and his point is that it is essential, I'll read what he wrote here, it is essential that people use a known good number, saved previously or looked up from a reliable source to call in situations like this. And he says whenever he-I'm assuming it's a he, it could be a she, we don't know. M says whenever they get a new debit card or credit card from the bank, they save and update the password manager with the phone numbers on the back of the card. It can be a good idea to create a contact with that number in your phone as well. I've done that with a lot of my credit cards. But there is a potential drawback of legitimizing an incoming call if the number is spoofed, so each person should decide if the risks of adding contacts are worth it for them or not.
Dave Bittner: Right.
Joe Carrigan: I say you can still add it as a contact, but if you've added it as a contact, you can tell them I understand, I'm going to hang up and call you back and ask for your fraud department, what's your extension, or how do I get back in touch with somebody, or do you have a case number for me?
Dave Bittner: Right.
Joe Carrigan: I'm not going to do this over an inbound call, that's really the big thing. You don't do this over an inbound call, and you don't do this over some number that was given to you. You call the known, good number, and that's the only communication that you trust, is when you make the outbound connection over the known good number.
Dave Bittner: Right.
Joe Carrigan: So that's some pretty good adversarial thinking.
Dave Bittner: Yeah.
Joe Carrigan: Yeah, that you know, that a lot of people, you know it's not-I don't think it's natural for probably 90% of the people in the world, they just don't think adversarially.
Dave Bittner: They have good hearts [laughter].
Joe Carrigan: They have good hearts, right.
Dave Bittner: Must be nice.
Joe Carrigan: It must be-I've told, I told my stories about, on here, about my experiences of adversarial thinking, and how I've appalled people around me with it, and you know, generally, it's not socially acceptable, and that's kind of what these guys are banking on [laughter] actually.
Maria Varmazis: Yeah.
Dave Bittner: Yeah.
Joe Carrigan: So, it's having this kind of level of thinking, and being able to suss this out is important, and it doesn't make you a bad person for thinking adversarially. What makes you a bad person is when you do bad things.
Dave Bittner: [Laughter] Okay, fair enough.
Maria Varmazis: I was thinking out at parties, maybe not so much, right [laughter].
Dave Bittner: That's right yeah, how to not be invited back to a cocktail party.
Joe Carrigan: I would like to click on that, Dave [laughter], I've got a number of people I've been invited to see once [laughter].
Dave Bittner: Aw, poor Joe [laughter]. Alright, well, Joe, I tell you what, we'll let you start off things here today. What story do you have for us?
Joe Carrigan: And to be honest, that's fine with me, actually, but I'm always late to parties, Dave. And I am late to this party. Here we are at the end of May, and the Verizon Data Breach Investigations Report came out earlier this month, and I don't know why I am always late to this party. It's right about now, around June, that I say to myself, shouldn't the Data Breach Investigations Report have come out? And they go, oh, it came out at the beginning of the month.
Dave Bittner: Right.
Joe Carrigan: So this year, they've successfully reached over 10,000 breaches in their report that they analyze, and this is all over 2023. By the way, if you-we'll put a link in the show notes. You can just go out and download the report. You don't have to give their name, you can just say, click, just read it, right? And I love the writing style of this report. It's very tongue in cheek. It got a lot of-it says, you may think this, silly person, or [laughter] a lot of wording like that. It's a fun read. I mean, it's entertaining. I think it's great for a report as technical as this report is.
Dave Bittner: Yeah.
Joe Carrigan: Now, I'm not going to get down to a lot of the technicalese, but the first thing I noticed from Verizon was how they have revised how they calculated the involvement of the human element in breaches and they removed malicious privilege misuse, which is, I don't know exactly what they mean by that, but they do document that elsewhere. But that's not really what I'm getting at. They removed a certain portion from the human factors part of the equation, and that did not change, that human factors are still the biggest factor in breaches, accounting for 68%, basically unchanged from last year.
Dave Bittner: Wow.
Joe Carrigan: There is an interesting thing that they talk about in terms of initial access vectors, and that means how does the bad guy first get into the-into your network, or get into whatever it is? And usually these are networks, because Verizon has a security business around protecting business networks. Number one is credentials. They use credentials. And there are a number of ways they do this, but we'll talk about this later, they probably get those through phishing. Number two is actual phishing for initial access. This is where they say here, open this file. They don't necessarily go and send you to a credential harvesting site, they just say run this for me and that opens a shell out to them.
Dave Bittner: Right.
Joe Carrigan: Lets them connect in. It's malicious software that gives them control. And number three is exploiting a vulnerability, which is increasing, and close to the phishing for initial access. So it's actually-exploiting a vulnerability is coming up in ways bad guys are getting into networks. In fact, Verizon breaks this down even further about the initial access. They say web app credentials are number one, so somebody phished a web app credential.
Maria Varmazis: Okay.
Joe Carrigan: Phishing is number two, sending an email with malicious attachments, right? And then web app vulnerability is number three. RDP credentials, at number four, at about 10%. RDP is Remote Desktop Protocol-I'm using, that's actually a Microsoft term, but any remote desktop system. VPN credentials, and exploit are number five and number seven respectively, with desktop exploit being number six. So really, the best thing they recommend in this early part of the report is if you can get your web apps behind a VPN, you can reduce your attack surface significantly because they're not really finding a lot of vulnerabilities in VPNs, and they're not really using VPN credentials, because a lot of those credentials actually have one-time multi-factor authentication on them. So you can, if you can do that business wise, do that. For your web apps. Because then, you take away one of the biggest attack surfaces that's being utilized, and that's putting web apps out there, either vulnerabilities, or stuffing credentials into them.
Dave Bittner: Hm!
Joe Carrigan: The other thing is, they said you should definitely not put your desktop, remote desktop connections on the internet. Get those behind a VPN now. There's no reason to have those out there for everyone to access.
Maria Varmazis: Yep.
Joe Carrigan: That should be behind a VPN.
Dave Bittner: Right.
Joe Carrigan: So guess what the big, motivating factor for these data breaches was? Anybody want to guess? It's an easy one, it hasn't changed much.
Dave Bittner: [Laughing] Money?
Joe Carrigan: Money!
Maria Varmazis: [Laughing]
Joe Carrigan: That's right, Dave, money accounts for the motivation of somewhere around 90% of these attacks.
Maria Varmazis: That's low.
Joe Carrigan: Yeah, it is, I think it's 95, actually. I can't remember the number exactly, but it's way up there. I mean, I talk about this frequently, used to say all the different reasons, and now it's-it's mostly money, the next biggest thing at like 5% is espionage, and then everything else is less than a percent.
Dave Bittner: Hm!
Joe Carrigan: So just be mindful, people are out there making money off this.
Maria Varmazis: I'm nostalgic for the days when notoriety was one of the main reasons [laughter, overlapping speaking]-yeah it feels like ancient history.
Joe Carrigan: Yeah, to me too.
Maria Varmazis: Oh, my god.
Joe Carrigan: So take another guess. Who is going to be more likely to breach your network? Is it going to be an internal actor, or an external actor?
Dave Bittner: Uh, hm. Well, alright, I don't want to nit pick you here, but you mean intentionally, or otherwise?
Joe Carrigan: Intentionally or otherwise, that's a good differentiation.
Dave Bittner: Okay. Yeah.
Maria Varmazis: Or otherwise is doing a lot of heavy lifting there.
Joe Carrigan: Right.
Dave Bittner: Right. I mean, I would say your internal people making mistakes is probably your biggest problem.
Joe Carrigan: Yeah, it is a big problem. The external breachers are actually still-still the bigger problem.
Maria Varmazis: Hm.
Joe Carrigan: Of the internal breaches, 73% of these internal actor breaches are error, which you're talking about, everything else, where somebody accidentally does this. So Verizon shows a chart here about how these two values over time are starting to converge, right? External breaches, caused by external actors are going down, and breaches, proportions of breaches, rather, of internal-by internal actors-is going up. They're going to meet, at I guess 50% right?
Dave Bittner: Yeah.
Joe Carrigan: But Verizon says the reason for this is because of the new reporting requirements. So if you have an accidental disclosure of data, now there are mandatory reporting requirements, that you have to report, or you're going to face some kind of fine. So the question is, does this make you guys feel better about this or worse? Because what happened last year when there weren't these mandatory-or in 2022, when there weren't these mandatory requirements.
Maria Varmazis: Right.
Joe Carrigan: People just go oh, well, oops [laughter].
Maria Varmazis: I mean, it doesn't make me feel anything personally, it's just sort of like an acknowledgement of what we knew was happening.
Joe Carrigan: Right.
Maria Varmazis: Yeah, I mean, it's going to alarm a lot of people who maybe don't know that this is sort of how it's always been.
Joe Carrigan: Right.
Maria Varmazis: But I think more transparency is a good thing.
Joe Carrigan: I agree. I agree, and I think you're absolutely right, Maria, what's happening here is we're not seeing anything new. Nothing is happening. I think that what is happening is that people are being forced to be more transparent about when they have accidentally leaked out a bunch of health care records, because somebody said send me this data file.
Dave Bittner: Yeah.
Maria Varmazis: It happens a lot.
Joe Carrigan: Yeah.
Maria Varmazis: I think that's the thing we're going to start seeing some good data around, is how much a lot is [laughs].
Dave Bittner: Right.
Maria Varmazis: I mean, this keeps a lot of people employed, preventing that kind of oopsie [laughter].
Joe Carrigan: It is a pretty steep curve from 2022 to 2023, so if you take a look at the report and look at that graph, you'll see it. They talk about AI in here, they say it's not really being used much for social engineering, but it is.
Dave Bittner: Yeah.
Joe Carrigan: Yeah, not yet, but it is being used for learning how to code, which is making a lot of these bad actors more capable. But they say, this report says, they think they're-these actors believe that their current social engineering tactics are good enough.
Dave Bittner: Hm.
Joe Carrigan: And now, I can focus on the social engineering part of the report, which is what the name of this show is, although I did kind of pick out everything from the beginning of the report that was kind of social engineering related. Pretexting is the leader in attacks, and attackers are targeting users in email chains with context in their phishing attacks, or in their targeted email attacks. So they're going in there. They're knowing what the email conversation is about. And they're hitting them with context. And people don't see it coming. So it's the biggest, the biggest cause of these breaches from social engineering. Biggest social engineering attack cause. Phishing and pretexting account for 73% of these data breaches. Naturally, here for social engineering, 100% of the actors are external. Nobody is socially engineering their way out of the big organizations [laughter].
Dave Bittner: Hm! [Laughing]
Joe Carrigan: I don't know if that's a meaningful statistic or not [laughter continues]. But credentials are retrieved in about 50% of these breaches. So when there is some kind of data breach, credentials are retrieved, and that might lead to more data being breached. There's a good chance it will. The vectors, this is what is amazing about this. That the vector is almost 100% email.
Dave Bittner: Wow!
Joe Carrigan: They have a section called "ishing in the wind," right? and they talk about the thing I hate so much, you know, phishing, vishing, smishing, quishing, right?
Dave Bittner: Right.
Joe Carrigan: It does-none of that is important. Phishing is what's important. Everything else is less than a percentage of what's going on, it's very close to 100%.
Maria Varmazis: I mean, it makes sense in terms of volume and ease, right? It's just so easy to do that.
Joe Carrigan: Yeah, because like I was talking about two weeks ago, email is just terrible. Anybody can send you an email, why not? And if you can get into what I call the king of social engineering attacks, business email compromises, then you can really make it happen, especially with that context, which is where we're going now. The median transaction size for a successful business email compromise attack, about $50,000. That's the median transaction size. Which means half of them are bigger than that [laughter] and the other half are not, but half of them are bigger than that. This is about the same as it was last year, so it's not really a big increase, but there is something very interesting in this report that I wanted to highlight. The top lesson from the business email compromise discussion in this report is get in touch with law enforcement, as soon as you realize you've been hit. Fifty percent of the incidents where there was a loss were able to freeze and then recover 79% or more of the money they lost.
Dave Bittner: Hm!
Joe Carrigan: Which is impressive to me.
Dave Bittner: Yeah!
Joe Carrigan: More than half of these people got back most of their money, is what this is saying.
Dave Bittner: That really surprises me, actually.
Joe Carrigan: Right. The graph-if you look at the graph, I'm going to use this fancy word here, it's bi-modal, which means it has two peaks, and those peaks are at the extreme of the graph, and the second biggest graph of dots, or stack of dots, is where people got none of their money back. Eighteen percent of the people got none of their money back, but more than 18% got all of their money back. And Verizon makes a point of saying that the biggest indicator, or biggest way you can help move yourself to the right of this graph and get more money back-contact law enforcement right away, because if you get the FBI involved, they can reach out to the banks, and they can stop the money from moving, before it goes overseas, or into other accounts, and gets pulled out by money mules.
Dave Bittner: Hm!
Maria Varmazis: Was there an inflexion point for that, Joe? Because I seem to recall some time ago that some of the common thinking was don't bother. Or maybe I'm misremembering that?
Joe Carrigan: Yeah, there was not an inflexion point that I saw in the data, Maria, or in the report-hold on, maybe I should go look?
Maria Varmazis: I'm just-I'm just anecdotally, honestly, I just remember a time when people were like yeah, you lost that money, it's gone, don't even bother trying to get law enforcement involved, it's not going to help. I'm glad to see that that is definitely no longer the case, it's just-when did that happen?
Dave Bittner: It's interesting, because I think a big part of it was that certainly like local law enforcement just didn't know how to deal with any of this stuff?
Joe Carrigan: Right. Yeah, there's nothing in here that says anything about time horizon, or what time is that inflexion point? But the sooner the better, is what Verizon says here in this report.
Dave Bittner: Hm, interesting.
Joe Carrigan: Yeah, but I was surprised by this. I mean, if we could-if we could make this not profitable just simply by calling somebody at a financial crimes unit and getting it resolved immediately, this would go away. This would stop being an issue.
Maria Varmazis: Yeah. Maybe notoriety can be number one again. Bring back script kiddies [laughter].
Dave Bittner: [Laughing] Right!
Joe Carrigan: I think they're going to find other ways to monetize it [laughter], so that's one of the big takeaways from this report, I would say. Another point is that more users are reporting phishing attempts. It's now up to about 20% of all users [laughter] reporting phishing attempts, which I think is kind of low but it's actually, I guess is pretty good. It's one in five users who receives a phishing email is reporting it. Including, this includes 11% of those who actually click on the link and report it, which is good. Because those people are clicking on the link, and they've already made the mistake of clicking on the link, but then they realize, you know, 11% of them go-or some percentage of them go, no, this is wrong, that was a phishing email, I'm going to report it.
Dave Bittner: Right.
Joe Carrigan: So that means more than 11% are probably realizing this is wrong. By the way, there is one thing in here I wanted to talk about. Alright, take a guess at the time lag between someone opening an email and someone clicking the link. If they're going to click the link, what's that time like?
Maria Varmazis: Oh gee-
Dave Bittner: Seconds, I mean?
Joe Carrigan: Yeah, it is measured in seconds [laughter].
Maria Varmazis: Yeah, yeah.
Dave Bittner: I guess, so the point being that they, if you're a link clicker, chances are, you're not going to have read the email?
Joe Carrigan: Yeah, it's 21 seconds. That's how long it takes.
Maria Varmazis: That's not bad, it's lower than I would have thought. It's like Pavlovian response, don't even read. Click.
Joe Carrigan: Right. Then, if someone is going to enter their credentials once they clicked on the link, what do you think the time lag, from starting to end, to from clicking on a link, to having entered your credentials in?
Dave Bittner: Probably similar?
Joe Carrigan: Yeah, it is 28 seconds.
Dave Bittner: Huh!
Joe Carrigan: So, if somebody is going to lose their credentials, they're going to do it in less than a minute.
Dave Bittner: Wow.
Joe Carrigan: Which is another interesting finding from this-from this report as well. The-
Dave Bittner: It seems-go ahead.
Joe Carrigan: I was going to say the Verizon data breach report is out there, I recommend everybody go out and read it. It's, if you're-it's very readable. It's approachable from a lay person's understanding, but it also has a lot of data in it, which is great. I think it's-maybe it's not approachable for the layperson [laughter], I don't know, it's a good read.
Dave Bittner: It is one of a handful of reports that people really look forward to every year, for all the reasons that you're mentioning here. It seems to me, like, for me, the take-home here is that if you are in a position where you can mandate that, yourself, and the people around you use multi-factor authentication on their email, you should do that.
Joe Carrigan: Yes.
Dave Bittner: Like that is a high impact move that you can make for your-for everybody.
Joe Carrigan: Absolutely. Absolutely stops account takeover, for email accounts, right in their tracks. For a lot of things, right in their tracks, and if you can do that with universal two-factor, some kind of FIDO Alliance, universal two-factor product, we always like to suggest my favorite, the YubiKey. I mean, it's not my favorite, it's the one I bought, but [laughter], you know, it's out there.
Dave Bittner: It's the one you have the most sunk cost into [laughter].
Joe Carrigan: Right [laughter continues].
Dave Bittner: So that makes it your favorite.
Joe Carrigan: Yeah, I do.
Dave Bittner: Fair enough.
Joe Carrigan: And my wife uses one. So it's not a high friction device. And that's what FIDO has done, the FIDO Alliance has made this to be a low friction device.
Dave Bittner: Yeah, they're great.
Joe Carrigan: Yeah.
Dave Bittner: Alright. Well, interesting story, and we will have a link to the report in our show notes here. Maria, what have you got for us?
Maria Varmazis: Well, this story actually comes from a listener named Ross, so it was in the Hacking Humans inbox, so I figured, let's take a look at this one. And it is about an incident with Airbnb, which I feel is like a bit of a punching bag for a lot of us lately, but-
Dave Bittner: [Laughing] Well, they bring it on themselves.
Maria Varmazis: Yeah, something a little weird happened to Ross, and he basically wanted to bring it to our attention, and also have us ask listeners if something like this has happened to them. So here is what happened to Ross. He had recently updated his Airbnb password, because it sounds like he got a notification of an Airbnb breach. So he changed his password. He did the thing a lot of people do where he appended an exclamation point, and maybe a number [laughter] to his previous password, and he admitted in the email that maybe that was not complex enough [laughter] because, familiar story to many of us.
Joe Carrigan: Yep!
Maria Varmazis: A few days after this password change occurred, he goes on to say this, "I created an Airbnb account back in 2014, when I was living in Salt Lake City. I'm British-" not me, Maria, this is Ross [laughing], "now live in Geneva, Switzerland. While I was at a conference in Lyon, France," and last country, I promise, this is again his note, "last September, I received a notification on my Airbnb app that my booking starting tonight in London had been approved." So again, he's in Geneva, getting a notification about his London thing, so it doesn't make any sense. "I immediately logged in, reset the password, and logged out all accounts. I then canceled the booking, although Airbnb would only refund about 33% of the booking, as it was starting that night. They told me they could contact the host, who of course declined to refund the missing," and this is 300 Swiss francs, which is about $300 I suppose? "So it's not so much money," says Ross, "but I think this is not an isolated case. Airbnb told me that I can contact my credit card company, and there is a whole other story there, to challenge the charge," which he did. Okay, so that sounds pretty standard, right? There's a fraudulent charge, you then dispute it, sometimes with the app, or the company, they go, not our problem, talk to your credit card, blah, blah, blah. So here is where it takes a turn. This is sort of what piqued my interest with Ross' story. Two to three months after he challenged the charge, which his credit card company, by the way, had refunded him, his credit card company then reversed the refund.
Dave Bittner: What?
Maria Varmazis: They said actually no, you do owe this money [laughter]. So apparently Airbnb, when they heard about Ross challenging this fraudulent charge, Airbnb provided evidence to the bank saying the booking was not a fraud, and the evidence that they provided to the bank included Ross' IP address from 2014, which actually conflicted with his actual location. So it showed his IP address in Switzerland, but he hadn't been there until 2018. So it's sort of like, what on earth are they providing? So remember, when Ross created his Airbnb account, he was in Salt Lake City-
Joe Carrigan: Salt Lake City.
Maria Varmazis: Not Switzerland. Yeah. So the locations are completely-it's not like they were next to each other. We're talking United States, Switzerland.
Joe Carrigan: But his IP address when he created the account said he was in Switzerland.
Maria Varmazis: No, when he created it, so this is a little confusing, I'll go over it again.
Joe Carrigan: Okay.
Maria Varmazis: When he created his account in 2014, he was in Salt Lake City, not in Switzerland.
Dave Bittner: Right.
Joe Carrigan: Right.
Maria Varmazis: However, Airbnb provided his Switzerland IP address to the bank as proof of his fraudulent charge.
Dave Bittner: Huh, okay.
Maria Varmazis: Which is not correct. It's not correct. So, this then kicks off three more months of back and forth, with Airbnb by Ross, to get that incorrect charge refunded back to him again. What he found out through his bank was that Airbnb basically had provided him the incorrect IP address, again, his Salt Lake City IP, not Switzerland. And he's just saying, did anyone actually look at the IP address dump? Or are they just sending a bunch of random IP-like digits and assuming, well Airbnb sent us something. We don't know what this actually means. We're just going to presume that they're correct, and say this guy was actually a fraud.
Dave Bittner: So basically Airbnb is hitting the bank with an avalanche of evidence to just overwhelm them.
Maria Varmazis: And nobody is actually looking at it, or understanding what it means. Because if you did, you would notice, like, well this doesn't make any sense. None of it is matching with each other.
Dave Bittner: Right.
Maria Varmazis: So Airbnb did not provide a data log for the actually fraudulent booking. So, the one that said he was staying in London when he was in France, they never sent that actually fraudulent booking to the bank as proof of fraud. That was also very strange, said Ross, and he was told to contact a lawyer if he wanted that data. So, this whole thing is just very, very odd. So this is how Ross ends his email. "I contacted my bank, as I believe Airbnb may have had a simple standard procedure, to automatically dispute any chargeback claims, which is of course fraudulent in attempts to defraud a bank. My bank is essentially not interested, especially as this is a global company. No win-no fee lawyers are not legal in Switzerland, so I'm not going to spend my own money to go after them. I contacted a national representative here, but much the same, there is no interest in going after a 300 franc claim that might indicate a larger issue. Are they just skimming bits and pieces of money here and there?" says Ross. So, I thought this was kind of interesting. To me, this seems like just somebody got lazy. And just sent a bunch of logs and are like, you figure it out. We're just saying this is fraudulent.
Joe Carrigan: I think this is standard business practice. That would be my guess. It's a cynical guess.
Maria Varmazis: Yeah.
Joe Carrigan: But, you know, what looks like happened here is that somebody got into Ross' account because, and Ross admits this, he wasn't using the best password policy, you know, hygiene here, but once he realized what was going on, he did everything he should have done, including notifying Airbnb, and notifying his bank, and nobody was in his corner.
Maria Varmazis: Yeah.
Joe Carrigan: Nobody was in his corner, and when he went to the credit card company who, they say, hey, we've got your back, buddy, they actually said no, they actually, Airbnb provided us with this data dump. Here, take a look at it. And it doesn't add up, because of exactly what you said. These guys just, you know, avalanched them, snow stormed them, and yeah, here they are.
Maria Varmazis: Yeah, nobody in his corner is the part that is shocking me, like his bank did a little bit of help, by giving him the data that Airbnb had sent them, saying here you take a look at it. But it just-it's just so odd to me, and not his fault, that he was just completely on his own on this, it took him months of work to just recover this money.
Joe Carrigan: Right.
Dave Bittner: I have a couple of questions. So, what do we suppose was going on with the initial Airbnb fraud here, the fraudulently booked night in London? Do we suppose that was a fraudster looking to spend a night in London, or something else going on there?
Joe Carrigan: That's an excellent question.
Maria Varmazis: Good question. I don't know [laughs].
Joe Carrigan: So here is what it could be. It could be that. It could be exactly as you describe it, or it could be somebody who has set up a fraudulent place to rent, then they go out and they buy cracked Airbnb passwords. They make a reservation for that night. This is one guy with two phones, right? He makes the reservation for that night, he then goes to his homeowner account, you know, his landlord account, and approves the agreement. And then as soon as that email goes out, hey, it's been approved, the actual user goes in, resets the passwords, cancels the reservation, but because of Airbnb policy, they only give back 33%, the remaining 66% goes to the owner of the house, or owner of the property, the person leasing it out. There might not even be a property there.
Maria Varmazis: Okay, I was going to say, if you own property, you have it on Airbnb, this seems like a very inefficient way to make some money [laughing], I don't know, but if you're saying the property is not even real, then okay, never mind.
Dave Bittner: Right. You're only approving the fake rentals that you yourself initiate.
Joe Carrigan: Right, and then, you know, he gets, if he gets back, well, he says he lost $300, so every time I go out and buy a cracked, you know, using a password for an Airbnb account, that might cost me ten bucks, but I make $300.
Dave Bittner: Yeah, that's interesting. I mean, I suppose you'd have to have a bunch of burner phones, or something, you know, accounts, to keep Airbnb from catching on.
Joe Carrigan: Right.
Dave Bittner: You know, the same person keeps trying to rent this place, and--
Joe Carrigan: Or maybe they don't care?
Dave Bittner: Well, that's true, yeah, it's against their interest, I don't know. Yeah.
Maria Varmazis: Yeah, I've heard so many anecdotal stories about people having issues with Air BnB. Not necessarily this kind of thing, but just trying to get money back from issues, and--
Joe Carrigan: Right.
Maria Varmazis: This story just did not strike me as surprising, which is sad. So yeah, I thought it was very interesting, and I really appreciate that Ross sent this through, so I guess, listeners, if you've experienced something like this, let us know, and we'll let Ross know.
Dave Bittner: Yeah. The only other thing I would add here is just based on my own personal experience, and that of, you know, friends, family, all that kind of thing, is just that my understanding is that if you book something like this through American Express, they do have your back. Like, of all the credit card companies, now, you know, American Express is a more expensive bank card to have. It is a bank card, not a credit card.
Joe Carrigan: Right.
Dave Bittner: You know, so there's all kinds of pluses and minuses, like there have been so many times where people have said to me, you know, I had a problem with a merchant, and I called American Express, and they were like, we've got this, don't worry about it, it's done. And it is. You know, and for not small purchases, you know, things that might have cost tens of thousands of dollars, and Am-Ex is just like, no, we've got this, you're good. Don't worry about it. Don't think of it again.
Maria Varmazis: But they do not sponsor this show [laughter].
Dave Bittner: No, they don't, but [laughter], you know, I guess what I'm saying is, is that it is a premium product, right?
Joe Carrigan: Right.
Dave Bittner: And it's not for everybody, because of the fact that it does cost more to use but if you have the means, I highly recommend it. Right?
Maria Varmazis: If he's not in the United States, though, so I mean, is it available?
Dave Bittner: That's true, that's true. That's a good point.
Maria Varmazis: I mean, I would just hope this kind of protection would be available to anyone who is a bank customer, just saying, hey, this is fraudulent, you were just given a whole bunch of basic data spam. Nobody looked at it. It doesn't make any sense.
Dave Bittner: Right.
Maria Varmazis: I have looked at it, I'm telling you. It doesn't make any sense, could you look at it? It shouldn't take three months for this to be resolved. It's just horrendous that this happened.
Dave Bittner: Yeah, that's true. Hm. Well, cautionary tale, and like you said, Maria, I've heard plenty of these stories about folks just getting the runaround from Air BnB as well so, you know, seems like a good deal at the time, but you never know [laughs], you roll the dice, and you take your chances.
Maria Varmazis: Yep.
Dave Bittner: That's right. Alright, interesting story here. There is no link to share here, because this was something sent in by our listener, but as Maria said, if this is something that sounds familiar to you, or you've had a similar thing happen, we would love to hear from you. So please, send us a message. You can do so, our email address is hackinghumans@n2k.com. Alright, we're going to take a quick break to hear a message from our sponsor, and after that, we will be right back with my story. Stay tuned. [ Music ] Alright, we are back, and my story comes from New York Magazine. This is an article written by Ezra Marcus, and it focuses on 21-year-old University of Miami student, Matt Bergwall. And Matt was living high on the hog. Matt seemed to have, he was living a fantasy life for a university student. Had a nice car, a lovely girlfriend, whom he would take on fancy vacations to places like, oh, Dubai-
Maria Varmazis: [Laughing] Good!
Dave Bittner: Drove a Tesla, Gucci clothes, and all this despite just being a college sophomore. He was also very generous. He would be the guy who would pick up the tab at the end of a night out. Pay for all of his friends' Ubers, and he was running in the circles of people who were financially well off. He was hanging out with venture capitalists down in Miami's financial district. He did not come from money. He grew up in Connecticut, you know, just nice, average, middle of the road kind of upbringing. He was tech savvy, but you know, did not come from money. And all of his friends suddenly realized when news was spread around via their own small network of friends, that this gentleman, Matt Bergwall, found himself arrested. And he was implicated in refunding fraud. Evidently, he had caused over five million dollars in losses by exploiting shipping systems, and claiming false refunds. He had an organization called UPS Now, and what he did was he hacked UPS employee accounts to facilitate fraudulent returns. And according to this article, this kind of blew my mind, he had over 10,000 fraudulent returns over the course of little more than a year. So average that out [laughter], right?
Maria Varmazis: Was this an automated process? Was he manually-I mean, my goodness!
Dave Bittner: According to this, he had staff, and he was also providing this as a service. So according to this article, a lot of the trading in this world goes on via Telegram, and so folks would contact him, to be running their own refund scams, and he would facilitate the scams. So, I just want to-before we go any further, let's talk about what a refund scam is, what refund fraud is. So basically at its simplest level, I order something from Amazon, right? I order a microwave oven from Amazon, and the microwave oven gets delivered. I get on the chat with Amazon Customer Service, and I say to them, "I never got my microwave." They say, "Oh, we're sorry, we will refund you the money or we will send you another microwave" right? Usually you choose. And if you're a regular customer with someone like Amazon, and this isn't a pattern, chances are, this is what they're going to do. Right? Because they want to keep you happy. When you're running at the scale of somebody like Amazon, sending out an additional item could very well be the cheapest thing to do. But when folks start doing this at scale, that's when it becomes a problem. So some of the ways that folks do this, to be able to do it at scale is, they will return empty boxes, so this way, they will purchase something, the item comes, they'll send back an empty box to the retailer, but they'll manipulate the tracking ID, so that the package is marked as having had been returned, without actually having gone to the right destination. So in this way, the scammer can keep the product, while still getting a refund. I'm not exactly sure how the, you know, precise details of this work, but-
Joe Carrigan: I'll bet that had to do with him breaking into the UPS accounts.
Dave Bittner: Could be, could be. There was another one here that I thought was clever. They talked about disappearing ink, okay, which to me was like, you know, something you bought at the novelty shop, you know, right [laughter].
Maria Varmazis: You can only see it when you hold it up to the light just so.
Dave Bittner: Right, yeah, so-but no, this is still a thing. And you put the return address in disappearing ink, so the package gets scanned by the delivery service, so in other words, I take this back to UPS, right? I say here is my microwave oven, I'm going to return it. I go to UPS, it gets scanned at UPS, the company, Amazon, gets a notice that hey, this is on the way, it's been put in UPS's system. But by the time it arrives at the warehouse, the ink has disappeared, so now it can't be delivered. But the customer gets the refund, because the customer did everything right. They put it in the system. It was UPS's fault that it didn't reach its ultimate destination. So-
Joe Carrigan: So then does the product come back to the customer?
Dave Bittner: No, the customer just gets the money back. They don't care about the product in this case.
Maria Varmazis: So, I'm guessing that nobody is-the refunds are just automatically being made, as soon as the customer initiates the return and the product tag is scanned. Not when the product is received.
Dave Bittner: In many cases, yes.
Maria Varmazis: Yeah, that seems to be my personal experience. I'm just trying to figure out, like, that seems to be sort of the modus operandi. Okay.
Dave Bittner: Right, and then they talked about some of the more advanced techniques here, which is one of the ones that this gentleman was using, which was using the accounts of the, either the people working for the company, the logistics company, or the delivery company, or like Amazon, they'll break into their accounts, and manipulate the statuses of orders. And evidently, allegedly, that's what this person was doing. They had inside access, so that's how they were able to do it at scale. They could go in, and just have, you know, send 100 things back, and go into an account that had the ability to mark those things as having been returned. And off you go. This also talks about how evidently there are more and more of the folks who work for these companies. So let's say I'm a UPS employee, and they're paying me the minimum amount that they can pay me for something like the job I'm doing. And I have access to this. I will sell my access on the side for some sort of bribe. And so I can make a little extra money on the side by having these things marked. So lots of different ways to go at this, but ultimately, this guy got arrested, the FBI caught him, and the FBI said in this story that in general the folks who are doing this are really bad at it. They're not bad at the scam part, but they're bad at hiding their identities. They tend to be show-offs. They tend to post to social media, what they're doing with the money that they're scamming, and they also tend to be really open about sharing the techniques with other people, pretty much out in the open, and so it does make it easy, easier, for law enforcement to track them down.
Joe Carrigan: Ah, good, right [laughter]?
Maria Varmazis: They're not usually considered the smartest in the bunch, right? You know, if you're being flashy about this kind of thing.
Dave Bittner: No, but I think it's interesting that you have someone here who was able to have this operate at a significant scale. Five million bucks over the course of a year or so, that's a big operation. And it's just interesting to see how it works. And I suppose there isn't really anything here for our listeners to protect themselves against, because this is pretty much self-contained. The people aren't going after people to scam them with refund scams. You know, we should all be aware of it, because it does make the things we buy more expensive.
Joe Carrigan: It does.
Maria Varmazis: Yeah.
Dave Bittner: Companies having to deal with this sort of thing. But I just thought it was an interesting story, worth sharing. There are a lot more details in the article here. It's a bit of a long read, but it's a good one. The authors suspect that Matt Bergwall might be working with the FBI these days to try to use his expertise to go after some of the other folks who are doing this.
Joe Carrigan: He's trying to bargain himself down for a much lower prison sentence [laughter].
Dave Bittner: Could be. Could be. He has not yet been sentenced to anything, so still in play, but pretty interesting.
Maria Varmazis: Yeah, I think his main, the main mistake he made, was being in Miami. Because if you're in Miami, you're going to want to be flashy. He wouldn't have done that in New Hampshire [laughter].
Dave Bittner: That's right, or if nothing else, the bar for flashiness would be much lower-
Joe Carrigan: Right [laughter].
Dave Bittner: I'm sure than it would be, right?
Maria Varmazis: Miami, you've got that peer pressure. Everybody is flashy, so you're going to want to be flashy too, and that's what got him.
Dave Bittner: Yeah, could be. Could be. Wow. Hopefully he'll straighten up and fly right.
Maria Varmazis: Out of Miami [laughter].
Dave Bittner: There you go. Alright, well those are our stories for this week. Joe, it's time to move on to our Catch of the Day. [ Music ]
Joe Carrigan: Dave, our catch of the week comes from-
Dave Bittner: Your mother!
Joe Carrigan: That's right, my mom [laughter].
Dave Bittner: Oh my, oh, there's a joke in there somewhere.
Maria Varmazis: The dozens on Hacking Humans, okay [laughter]-
Joe Carrigan: So, I got a call from my mom last week, and it was the, you know, Joe's Lifetime Tech Support Call, she said, hey, I sent you an email, that I just received, and I want you to take a look at it. I don't think I owe this money or anything is going to happen, but I want to talk to you before I called the number-I'm like do not call the number [laughter]. I look at the email, while she's on the phone, I just go into my email account, look it up and it's one of these McAfee scams. The text of the message is strange. It starts off Google uses automated systems to discover content from the web and other sources. These systems generate search results that provide useful...yeah, yeah, it sounds like either the, like marketing material for Google-
Dave Bittner: Right, it does.
Joe Carrigan: I don't know why this is even in there, but the subject of the message is, your order is confirmed, and then it's a McAfee invoice, Dave. So why don't you go ahead and read-
Dave Bittner: You know what? I'm not, because we've done so many of these [laughter].
Joe Carrigan: Alright.
Dave Bittner: They come up so often. But I think your point is interesting, the body of the email, because that is something we haven't seen before. I agree, this looks just like a cut and paste from an about Google page, somewhere on their website, and I can only guess that by putting in text that was actually generated by Google, they're hoping to get through Google's email filters.
Joe Carrigan: Yeah.
Maria Varmazis: It sounds like an AI text.
Dave Bittner: Right! Google will recognize this as being their own, and say what we couldn't possibly have generated something bad, so let it through.
Joe Carrigan: Yeah, right.
Dave Bittner: In this case it did, because your mom got it.
Joe Carrigan: You might be 100% correct with that, Dave. And Maria, you might also be 100% correct. I wonder if you went to ChatGPT, and said "describe Google to me," what would it say?
Maria Varmazis: When I'm reading it right now, this exactly sounds like what I would suspect of AI, just describing what is Google search? Sort of like a whole bunch of word vomit, and a very pleasant AI voice, about you know, what it is. And yeah, it's friendly fire, I guess.
Dave Bittner: Yeah. By the way, just as an aside, I've seen people are trying to get traction, with referring to stuff that is obviously and poorly generated by AI as being slop. To have slop be the term of our-sort of thing, which I do like.
Maria Varmazis: Slop. Yeah. Bit of an insult to slop.
Dave Bittner: [Laughing] Right.
Maria Varmazis: I like it, though, I like it. That's nice. Adopt that.
Dave Bittner: Alright, very good. Well, if you would like us to consider something for our Catch of the Day, you can email us. It's Hacking Humans at N2K dot com. [ Music ] And, that's Hacking Humans. Brought to you by N2K Cyberwire. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes, or send an email to Hacking Humans, at N2K dot com. We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at N2K.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Pelsman, and Trey Hester. Our Executive Editor is Brandon Carp. Peter Kilpe is our publisher. I'm Dave Bittner.
Joe Carrigan: I'm Joe Carrigan.
Maria Varmazis: And I'm Maria Varmazis.
Dave Bittner: Thanks for listening. [ Music ]