False flags and fake voices.
Dave Bittner: Hello, everyone, and welcome to "N2K" CyberWire's "Hacking Humans" podcast, where, each week, we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: And also joining me is the host of the T-Minus Space Daily Podcast, Maria Varmazis. Maria, welcome back.
Maria Varmazis: Thanks for having me. Good to be back.
Dave Bittner: We have some good stories to share, and we will be right back after this message from our show's sponsor. All right, Joe. We've got some follow up before we dig in here. What's going on?
Joe Carrigan: Right. We have some follow up on Maria's story from a couple of weeks ago with Ross from Airbnb. Also, this person didn't leave a name, but they did say that they are loving having Maria on the show.
Maria Varmazis: Thank you.
Joe Carrigan: I would agree. It's wonderful. So this person's take on Ross is that it is not a nonexistent property and that their guess was it isn't a scam, but more of a fraudulent type of booking where they were trying to have some kind of party. So basically, they book a house for a party. They can trash the house. Nobody knows who made the booking because it's fraudulent. And then Ross would have gotten stuck with all the bills and everything. So that's what -- that's what this person said. They also say they don't store their credit card information in the apps, so they can avoid these kinds of fraudulent charges, which I think is a good idea. Next, Lawrence writes in to talk about Dave's comments about American Express. He said, "I listened to your podcast over the weekend, and you mentioned American Express fraud protection. I have been a 30-year card holder in two countries, and I can say that American Express has credit products that do not offer the same features as the bank cards."
Dave Bittner: That do offer. That do offer.
Joe Carrigan: That do offer the same features as the bank cards. Sorry. But they are -- they're actually credit cards. And he will confirm that they do stand behind their customers before they stand behind the merchant. Not really a problem. Finally, Tait writes in to say that, "Your stories about the various ways scammers get control of victims' bank accounts reminds me of one of the things I do to make sure I'm talking to the banking representative. Kind of a reverse verification code. I ask the representative for their email address, and once confirming that the email domain is the bank's domain, I email them a random number generated by an RNG. It could also be a random phrase." He gets this number from a website. "If they are able to repeat the number or the phrase, then it gives me a high degree of confidence that they are the real deal. I'm interested to know what you guys think of this process." So here's my thinking on it. It's a good idea. I still say don't trust the inbound call. A couple things that somebody could go about getting around this. And one is, if they have a lookalike domain, like, let's say, capitaloneonline.com or something like that, then you, Tait, as the average -- as the super user, you probably would be fine doing this if you know what you're doing. But I don't know that I would tell the general public to do this. I would say hang up and call the bank back. That's what -- that's my recommendation. What do you guys think?
Maria Varmazis: You know, I -- something about this makes me wonder if the representative would want to give out their email address, especially if they're a third-party contractor, which a lot of these customer support reps tend to be. I just -- I just have a feeling that even if you asked a reputable CSR, they might not want to give you their email, unless it's a much more high-touch thing. Yeah, I don't know if -- I don't know if that would work. I mean, it's an interesting idea. But yeah, I think just saying don't trust an inbound call and call them back is pretty safe. That might be just by far the safer way to go.
Joe Carrigan: Dave?
Dave Bittner: Yeah, I agree. I mean, I agree with what you're saying, Joe, about the possibility of there being a lookalike website. And then the other thing, too, is, like, it's so hard to trust even the information you look up today. Right?
Joe Carrigan: Right.
Dave Bittner: So, you know, they -- someone sends you an email with an email address. You look at their email address. I don't know. There's so many hoops to jump through. I think the -- what Maria said, the overall thing is just don't trust the inbound call.
Maria Varmazis: Can the email also be compromised? Now that I'm thinking of it, I mean, is it not possible?
Dave Bittner: Yeah, right. It could be a business email compromise scam. So you can't trust anybody.
Maria Varmazis: Turtles all the way down.
Dave Bittner: Exactly. Exactly. Just, you know, store gold under your mattress. That's the solution. Extract yourself from civilization and live your life.
Maria Varmazis: Yeah. Thoreau had the right idea. Yep. Yep. Yep.
Dave Bittner: There you go. All right. Well, thanks to all of our listeners for writing in to us. Of course, we'd love to hear from you. You can email us. It's hackinghumans@n2k.com. Joe, why don't you start things off in terms of stories here with us today?
Joe Carrigan: Dave, I got two of them today because the first one is pretty quick. But it's a good reminder. The city of Gooding, Idaho has been scammed out of $1 million.
Dave Bittner: Wow.
Joe Carrigan: And this is the old scam that we've talked about many times in the show, but it's still happening out there. This is the one where somebody impersonating a contractor -- in this case, it was one of their sewage processing contractors. They impersonated the contractor and told city officials to make a payment to a new account. And these guys sent off $1,092,519 to the scammers. And they were not able, as of yet, to recover it. So be mindful. You need to have good policies out there. All the technology in the world will not protect you from an impersonation attack of this nature. Maybe if you have -- if you have your email set up really restrictively. But then you can't provide the services. But anyway, it's out there. And these guys say that it looked really good, which I don't doubt. I doubt it looked -- I don't think -- I'll bet it looked fantastic.
Dave Bittner: Yeah, for that kind of money?
Joe Carrigan: Right. Exactly. So this story comes from KTB -- KTVB7 out in Idaho, out in Boise. My next story actually comes from Mackenzie Tatananni, who works for the Daily Mail. And this is a story about a scammer that took a Las Vegas woman for $9,000 after he turned up on her doorstep. So the way this starts is the woman gets a phone call. And, of course, they're spoofing her bank number, so she thinks it's their bank on the caller ID. Here we are again with the inbound call. The person on the other end of the line said, "Hey, you need to check your account. Make sure there are no fraudulent charges." And she checks her account, and there are fraudulent charges. Of course, this guy knew that already. The scammer -- I love this. The scammers, then feigning alarm -- right, "my goodness," touching pearls, I can just see it -- offered to send an associate to her house. Ten minutes later, someone appears at her house with an access code. And she took the woman's card, her debit card, and cut it in half in front of her, and put it into an envelope to take it with her. This person then left and continued to use the card, because they didn't actually cut it all the way in half. They didn't damage the strip or the chip on the inside. They knew where to cut it.
Maria Varmazis: Oh. Sleight of hand.
Joe Carrigan: Yeah. So now they're magicians. Exactly.
Maria Varmazis: It's Las Vegas, baby.
Joe Carrigan: Right. It's card tricks.
Maria Varmazis: Oh, my God.
Joe Carrigan: So she called her bank. She realized -- she realized at some point in time that she was in -- on the phone with the original caller. And then she goes, "Oh, I've been locked out of my account. Oh, I have just fallen victim to a scam." So she calls her bank. She has lost $9,000. As of right now, she hasn't gotten that returned to her yet, but we'll see how this goes. This is not the first time, actually. Back in May, Las Vegas Police announced the arrest of another man who was doing a very similar attack. They were going around saying, "I'm from your bank. Give me your debit card. Let me enter your PIN number to validate it. Oh, yep, you're scammed. Let me clip this card in half. I'm going to take it. We'll be in touch to get you a new one. Look for a new one in the mail. See you later." And then they go off on a spending spree.
Dave Bittner: I have to say, I've done business with a lot of banks. And there's never been any who provided that level of customer service where someone -- you know, I mean, you have a problem -- we've all had situations where, for whatever reason, a banking organization or a credit card company has said, "Hey, listen, something happened, and we need to send you a new card." But they're like, "Hey, something happened. We need to send you a new card. So sorry that the next few days are going to be a pain in the butt." Right?
Joe Carrigan: Right. Because your card will not work.
Dave Bittner: Right. Right. But, you know, I've never, ever heard of anybody offering to come to the house to swap out a card or collect my old one.
Joe Carrigan: Right. That's the important thing. In this process, when the bank realizes your card has been compromised, they can disable it and make it worthless from their end. They don't need to have physical access to your card to do this, you know, because it all is part of some approval system. And if you swipe a dead card, it's going to get denied. Declined. So yeah, you don't need to give anybody your card. The card is worthless when the bank deactivates it.
Dave Bittner: Yeah. I would say also just, I mean, this is -- given everything else, this is a silly suggestion that it would even get this far. But if it got this far, insist on cutting the card up yourself.
Joe Carrigan: Yeah, that's true.
Dave Bittner: I mean, but that's -- that's even silly to even get to that point.
Joe Carrigan: If it gets this far, you should have somebody else call the police, so when the guy shows up, they can arrest him.
Maria Varmazis: Yeah. Having someone show up at your house? Oh, my gosh. Yeah, I'd be amazed if I could just get them on the phone when I call them. That would be -- that would be nice.
Joe Carrigan: Right. Yeah. If you could get your bank to answer your phone call.
Maria Varmazis: Or be open at standard -- yeah, anyway, that's an old complaint, isn't it? Nonbusiness hours.
Joe Carrigan: It is an ancient complaint.
Maria Varmazis: I know.
Dave Bittner: What a strange escalation, though. I mean the amount of -- the amount of manpower that that takes. And --
Joe Carrigan: It could just be one guy.
Dave Bittner: It could be, but it also --
Maria Varmazis: It's a high-touch scam.
Joe Carrigan: It is.
Dave Bittner: The risk.
Joe Carrigan: The risk, yeah, because they have video of this guy, security video from her doorbell camera.
Dave Bittner: That's what I was just going to say. Everybody has a ring doorbell now.
Joe Carrigan: There's pictures all over the place. I think this guy is probably going to get arrested.
Maria Varmazis: Yeah, not smart.
Dave Bittner: Does he have, like, a big, bushy, fake mustache and a big fake nose?
Joe Carrigan: Right. Groucho Marx eyebrows.
Dave Bittner: Thick sideburns. Yeah, exactly. Right. Wow. All right. Well, I mean, that's -- that's new to me.
Joe Carrigan: He's wearing a ski mask in Las Vegas.
Dave Bittner: Right. Right. Exactly.
Joe Carrigan: It's 150 degrees. I know. I run cool. Yeah, I'm still cold.
Dave Bittner: All right. Well, we will have links to both of those stories in the show notes. Moving on to what I have for us this week, I thought I would take a few minutes and go through the First Quarter 2024 Threat Report from Avast. Avast is a security company, and they have some security products that people use to help protect themselves.
Joe Carrigan: I used to use their free software for antivirus. They used to make their antivirus free for the -- for individual users.
Maria Varmazis: Yes, it's a familiar name for many of us. Yep, I recognize them. I didn't use them, though, because I was working for a competitor, but I knew them.
Dave Bittner: Yeah. There you go. So, I mean, there's some really interesting things in here. We're all just going to, in the time we have, go through some of the sort of high-level basic types of things here. But the view that they have on the market is interesting, the data that they can gather by being a company who protects folks against things. I will say the report is a little bit self-serving in that some of the data they provide includes, you know, and you'll hear the threats, and here's how we blocked them. And here are the threats, and here's how successful we've been in blocking them. And, you know, I can't fault them for that. That's, you know, part of how this all works. But at the same time, it's interesting to track the success in blocking them. I'd say the top of their list, and a particular interest to us, is that they said nearly 90% of the threats that they blocked were social engineering attacks. And the vast majority of it is coming over mobile, which is, you know, not surprising. I would say probably the vast majority of time people spend these days is on their mobile devices, certainly a generation below you and I, Joe.
Joe Carrigan: Am I unique? My wife was calling me an old man last week when I refused to look at something on my phone because I would rather look at it on my computer.
Dave Bittner: Your phone is a computer, Joe.
Joe Carrigan: Right.
Maria Varmazis: You have to do big tasks on the big screen. It is known. Yes.
Joe Carrigan: Yes. Yeah, exactly. And I needed to use my password manager anyway, which isn't on my phone. I don't have one on my phone. It's only on my laptop or my computers. All my computers. On all my computers. So I had to go upstairs and log in with that anyway.
Dave Bittner: To answer your question --
Maria Varmazis: Oh, yeah. Go ahead.
Dave Bittner: To answer your question, Joe, yes, I think that does make you an old man.
Joe Carrigan: Okay.
Dave Bittner: And I would say I am in the same category, because there are certain things that I would still default to wanting to do that on my computer computer rather than my mobile computer.
Joe Carrigan: And Maria is going to give us a litmus test, I think.
Maria Varmazis: Yeah, there's a litmus test is, how do you book airline tickets?
Joe Carrigan: On my computer.
Maria Varmazis: Yeah. Yeah. I think that's the dividing line generationally. Yeah. Yeah. I also use a computer. That's just too serious to use a phone for. I still don't trust it. But I know people younger than me definitely are more comfortable using their phone, and I'm like, ah, no, thanks. So yeah.
Dave Bittner: I think that maybe the generational divide is that we've been around long enough to have tried to do this when mobile devices were awful.
Joe Carrigan: Maybe that's right.
Maria Varmazis: Yeah, maybe.
Dave Bittner: We were burned so many times that we're just, all right, I'm never doing that again. Even though, I mean, so many online experiences are designed to be mobile first these days.
Joe Carrigan: I still think they all suck. I'm just not a fan. I really am not a fan. Maybe I'm just old manning this a lot right now.
Maria Varmazis: Not everybody has a computer computer anymore. I mean --
Joe Carrigan: That's true. That's true.
Maria Varmazis: I mean, that's not an option for some folks. It is just a phone.
Joe Carrigan: My wife has a computer. One of her biggest problems with it is every time she fires it up, it has to go through all the updates because she so rarely uses it. She does everything on her phone.
Dave Bittner: I will tell you, I prefer the mobile version of Amazon to purchase from them over my desktop computer. Yeah. So that's a habit that I'm in.
Joe Carrigan: I think Amazon does a good job. I do buy things on my phone with Amazon.
Dave Bittner: Yeah. Yeah. Anyway, back to the Avast Report. We know how we all feel. They've seen a significant increase in scams overall. Scams are up 61% on mobile and 23% on desktop. And they're tracking things like deep fakes, what they're calling AI manipulated audio, but also a big uptick in scams on YouTube. So scammers are hijacking YouTube accounts. They're sliding into the comments on YouTube accounts. They're creating YouTube accounts that are inherently scammy, which, you know, we've all seen those. And then they're using deep fake technology on YouTube accounts to, particularly when you talk about things like cryptocurrencies -- they actually have a sample video in this report of someone who's a big wig at one of the big crypto companies. And it's a total fake video of that person talking about this great offer, the kinds we always see where they're going to -- you know, today is your lucky day. We're giving away free crypto, free coin. But it's pretty convincing. If you were an unsophisticated viewer, you could totally fall for that kind of thing.
Maria Varmazis: So when they say mobile, they mean also apps -- mobile apps, right? Not just SMS that's being sent to your phone?
Dave Bittner: Correct. Correct. Yep. Yep. Absolutely. There's some good news here. They are seeing some decline in some things. Coin mining was down by 28%.
Joe Carrigan: Really?
Dave Bittner: Yeah. Yeah. And they're saying that's the XMRig coin mining -- I guess it's sort of a software as a service kind of thing -- is way down.
Joe Carrigan: XMRig is a Monero mining software.
Dave Bittner: Yeah. So it's way down.
Joe Carrigan: Really?
Dave Bittner: Some other ones are up, but overall, coin mining is down by 28%, which is interesting.
Joe Carrigan: I wonder if that's because Ethereum went to proof of work over proof of -- or proof of stake over proof of work.
Dave Bittner: And I was wondering the same thing. No, I wasn't. So --
Maria Varmazis: You want to explain the difference, Joe, for those of us who don't quite know?
Joe Carrigan: In proof of -- in proof of work, that's what mining -- traditional mining is. Right? You have to find a hash value changing only something called a nonce. And the nonce is a random number that you use just once. And you have to find a hash value below a certain value, which means that the first set of binary digits have to be zeros.
Dave Bittner: Right. And that sound you're hearing is people tuning into other podcasts, ladies and gentlemen.
Maria Varmazis: Okay. A little sad I asked. You lost me already. Sorry.
Joe Carrigan: Well, that's -- that's computational work. So you're proving that you've done the work. And then there's proof of stake, where you demonstrate that you have the coins. And then that -- by that, you get a random chance of getting to generate a new block. So it doesn't have the computational math behind it anymore. It just randomly assigns fairly to somebody who has stake in the cryptocurrency.
Dave Bittner: So they've made it easier.
Joe Carrigan: They've made it less work intensive and, like, exponential. Like, it takes almost no energy to do it --
Dave Bittner: I see.
Maria Varmazis: Oh, that's good.
Joe Carrigan: -- which is the real reason that they're doing it.
Dave Bittner: Oh, okay.
Maria Varmazis: I thought it might be because bitcoin is not -- I mean, I know it's not the only coin, but it's not worth as much?
Joe Carrigan: Well, bitcoin is worth way more than Ethereum. This was Ethereum that went to proof of stake.
Maria Varmazis: Compared to where it was. Yeah. No. Okay.
Dave Bittner: So, I mean, you know, that's good that the overall coin mining is going down.
Joe Carrigan: Yeah.
Dave Bittner: They are seeing a continued rise in phishing. They're seeing, as I said before, deep fake videos and cryptocurrency scams and increased use of automated uploads and SEO poisoning. So something we talk about here a lot, which is, you go to search for something, your chances are you may find a scam website rather than the --
Joe Carrigan: Rather than the actual website. It's happened to me so many times.
Dave Bittner: They're talking about state-sponsored spyware continues to be a thing. And they put a particular focus on people going after people's iCloud accounts.
Joe Carrigan: Wait, Dave. Dave, are you saying that governments like spying on people?
Dave Bittner: I'd say some governments make -- yeah, some governments in particular do like spying on people and each other. Again, iCloud accounts are particularly valuable because they can be the keys to a very valuable system. People -- for whatever reason, people with Apple accounts are more valuable on the black market than people with Android accounts. They tend to spend more money on more expensive things. So wrapping up here, they do have some key recommendations here. Of course, they're talking about some enhanced security measures, things like multifactor authentication. They point out that there's been some activity in the open-source community and that people need to really take a look at that. We've talked about stories about some of the weaknesses in open source, about how projects can be undermanned or, you know, under-resourced. And that can be a real problem. They recommend regular security audits to help detect malware and remote access Trojans, those kinds of things. And then, of course, user awareness, just letting -- making sure that people are aware of what's going on, what to look out for, especially phishing. And they emphasize the importance of verifying sources, which is exactly what we were talking about earlier in the show. Right? So this is just an overview. I mean, this report does dig into a lot of things pretty deeply. They've got a lot of really interesting charts and data to back it up. So we'll have a link in the show notes there. And I do recommend you take a look. Again, it's the Quarter 1 2024 Threat Report from Avast. That rolls trippingly off the tongue. But -- as these reports often do. That's what it is. All right. We're going to take a quick break here, and when we come back, we will hear from Maria. Stay tuned. [ Music ] All right. We are back. Maria, what do you have for us this week?
Maria Varmazis: Well, I think it's interesting that all of our previous stories talked about deep fakes and also verifying sources. And that is very on the nose for my story. And it relates to the Paris Olympics, which is coming up awfully fast. I didn't really -- I'm not really paying attention to it, to be honest. But it's July 26 to August 11. And the torch is already on its way to Paris. And because it's in the news, many people are starting to pay a lot more attention to it. And as we all know, as we've talked about on the show a lot, whenever there's a big event, scammers take advantage of the renewed interest and all the attention. So, you know, I think about tax season, there's always the tax scams every year, the holiday scams around, you know, the holiday season. I remember when Ashley Madison was going on, there was a lot of, like, were you in this hack, find out, you know, with this link to this very fishy website. And now, of course, at the Olympics, it's like every two years, or every four if you only care about the summer, there are scams. So there are a few opening salvos of what we might be able to expect as things ramp up towards the Olympic season. So there's one that was neat that's a deep fake actually. And it's not a scam so much as it's just disinformation. But it's featuring a fake Tom Cruise in a fake documentary where he blasts -- and, again, this is fake Tom Cruise -- he blasts the Olympics for its corruption. And the greatest of ironies is the source of this disinformation is purportedly of Russian origin.
Dave Bittner: For sure. Of course it is.
Joe Carrigan: I'm shocked.
Maria Varmazis: Whomst could believe such a thing? Yeah. And then the Olympics -- the Olympic Committee, I guess, is the official organization running this, they've put out a bunch of warnings that they've seen a number of actual scams targeting people who are interested in attending the event. These are probably not going to shock listeners, but they're things like, hey, we've got a free ticket. All you need to do is send us money for the postage, and we'll send it your way. And, you know, just here's a -- we're going to email you out of the blue, and just log into this website and just fill out the information, and there you go. Free ticket to the Olympics, because, you know, we need help filling the seats at the opening ceremony.
Joe Carrigan: At the opening ceremony.
Maria Varmazis: I guess. I don't know. Yeah, I suppose. I mean, if someone thinks a month out from the Olympics that not all the tickets have been sold out, I don't know what to tell you. But that is a scam that's going around.
Joe Carrigan: So is Russia still banned from the Olympics?
Dave Bittner: I think so.
Maria Varmazis: I honestly don't know.
Joe Carrigan: Yeah. I don't follow it that closely.
Maria Varmazis: I don't follow it, either.
Dave Bittner: I believe so, but I think there are workarounds for some of their athletes to still compete but not officially under the Russian flag. But I'm not 100% sure on that.
Maria Varmazis: Yeah, they can be unaffiliated or something. Yeah. And the thing with the ticketing scam is the -- sort of the crux of it is that they need your details so they can mail you a paper ticket. But the Olympics doesn't do paper tickets, so that's just sort of an FYI. The one that's an interesting sort of level on top of that for the Olympic scams are fake travel sale offers. So in many cases, again, it's an unsolicited email that arrives in a person's inbox. And it's a phish, of course. But sometimes it's a -- you are looking up information on where to stay in Paris, and you come across a website that says, here's a package deal. We'll either pick you up at the airport, or here's a really great hotel and something like that for the Paris Olympics. And then, of course, you get to Paris, and nobody is there to pick you up at the airport, or that hotel doesn't exist, or the hotel doesn't know who you are. So as you might have guessed, this being the Paris Olympics, this tends to affect people who speak French. These scams tend to hit the francophones. But I know many of us are going to hit Google Translate if we haven't already booked our tickets. And you can get into some trouble that way if you don't know the sort of landscape of French travel websites.
Dave Bittner: Well, the good news is that if you do show up in Paris and there is no hotel room, the Parisians are famous for their hospitality.
Maria Varmazis: I'm sure you'll easily find an empty hotel in Paris during the Summer Olympics.
Dave Bittner: Absolutely. No problem at all.
Maria Varmazis: No problem whatsoever.
Joe Carrigan: They will happily take in English speakers.
Dave Bittner: Most of all, they love Americans.
Joe Carrigan: Right.
Dave Bittner: Worry not. You'll be in good hands.
Maria Varmazis: Yeah. So if you, for some reason, think a month before the summer Olympics that you can find a hotel and tickets to the Olympics, godspeed and good luck. But if you're going to attempt this anyway, make sure you use a reputable vendor. Do a little research, and don't just go with the first search result.
Joe Carrigan: All right. Can I ask a question? Do either of you think that it would be worth the trip to go see any of these sporting events live, like in the Olympics? Because at first --
Maria Varmazis: If I knew somebody competing, yeah, I would.
Joe Carrigan: Oh, if I knew someone competing, I'd be there. Yeah. Or I'd consider going. I don't know that I'd be there. But, I mean, like, you're going to watch, like, a track and field event, like someone throwing a javelin. And then you're going to sit down for another 15 minutes while the next guy comes up and gets ready to throw a javelin. I mean, there are other sports. There's, like -- the Rugby Sevens will be there. I might watch that. But I don't know that I'm going over to France to watch a Rugby Sevens tournament.
Dave Bittner: I don't think that's what it's about. I think -- I mean, I think it's an entire umbrella of Olympics experience. I think it's a whole vacation. And you go to multiple things. I don't think many people go to the Olympics just because they are a fan of one particular sport. I think if you're going to go to an Olympics, it's a once in a lifetime kind of bucket list sort of thing. I mean, I'm sure there are people who go to all the Olympics, but they're probably few and far between. But --
Joe Carrigan: Well, suffice to say I don't get it.
Dave Bittner: Yeah. Some people will go to a Super Bowl because they want to know what it's like to go to a Super Bowl. And I'm sure being in the environment, just the opening ceremony, must be an amazing shared experience to be in a stadium like that with all those people and the music and the lights and the pageantry, all that sort of thing.
Maria Varmazis: It's a big party. Yeah. A lot of people would love to go do that kind of thing, especially if you're somewhat local and you're like, why have the time off? Why not go see some of the best athletes in the world, I suppose? Like, I'm not going to fly across the Atlantic for that, but if I was -- if it was nearby, I might go.
Dave Bittner: Yeah. That's interesting. If it was in the US, I wonder -- I wonder if I would go.
Maria Varmazis: That will happen relative -- like, aren't we going to get the LA Olympics sometime in the future again?
Dave Bittner: Yeah, I think so. I don't know. I don't keep track of these things closely. They come up. I watch them. I enjoy them. And then I spend the rest -- the following three years of my life, once again, not being interested in pole vaulting.
Maria Varmazis: Fair enough.
Dave Bittner: But I enjoy it -- I enjoy it when it's on. And, you know, I admire the athletes. But yeah, it's -- you know, it is what it is. All right. Well, that is very interesting, Maria, and we will have a link to that story in the show notes. Joe, Maria, it is time to move on to our catch of the day. [ Music ]
Joe Carrigan: Dave, our catch of the day comes from Clinton. And it is a -- I don't want to spoil it, because from the -- from the get go, it looks like a standard invoice scam. But it's got a twist to it.
Dave Bittner: All right. I will read it. It says, "Hello. Your payment went through successfully with your checking account. If you did not authorize this charge, please contact us immediately. Here's your invoice. Apple Global Incorporated sent you an invoice for $1,399 US. Invoice details. Note from seller. 'Your payment proceeded successfully with your checking account. A charge of $1399 US will be auto debited from your PayPal account. If you did not authorize this charge, please call PayPal. Our services are from 6am to 6pm Monday through Sunday.'" And there's an invoice number.
Joe Carrigan: Right. Here's why I picked this one out, because this is a legitimate PayPal email. It is a scammer using the PayPal system to send out bogus invoices. But -- but they have figured something out. The very first top of the message says, hello, comma, your payment went through successfully with your checking account. If you did not authorize this charge, please contact us immediately. If you look at the 'to' address, right, which is directly below the message, it is sent to your payment went through successfully your checking -- with your checking account, blah, blah, blah. Right? So this is obviously supposed to be like where you put Dave Bittner. Right? So it says, Hello, Dave Bittner. Here is your invoice. But they have figured out that they can cram as much text as they want into the 'to' field, you know, the description field of the email address. And that's what they've done to scare you into thinking that this debit has already taken place from your checking account.
Dave Bittner: So they figured out a way to basically get a free text field at the top of the interaction that they can put whatever they want in there.
Joe Carrigan: They can put whatever they want in there.
Maria Varmazis: There's no character limit up there?
Joe Carrigan: There's no -- it's a big character limit, if there is one. It's big enough to cram these entire two sentences into.
Dave Bittner: Right. That's interesting.
Joe Carrigan: So it's a combination. This is what we love to see -- well, we don't love to see this, but what we frequently see -- we always see. I won't even say frequently. This always happens. These attacks evolve, and here we have the convergence, like, almost like a hybrid. Like, you're crossbreeding different species of plants to see what you get. Right? They have crossbred the fake PayPal invoice with the fake invoice scam. And they're both invoice scams, but now they've got this really effective proto hybrid. Fantastic. Thank you, Clinton, for sending this in. This is a really good catch. I thought this was -- I thought this was remarkably interesting because of how it is being -- how PayPal is being exploited here.
Dave Bittner: Right. Yeah. I mean, how often is it that we see something that we haven't seen before? And this is something that we haven't seen before.
Joe Carrigan: This is new. So keep an eye out for it.
Dave Bittner: Interesting.
Maria Varmazis: It's evolved.
Joe Carrigan: Yeah. The telltale is when you look at the 'to' field on the email, because this one says to your payment went through successfully, blah, blah, blah.
Dave Bittner: Right. Now Joe, would you say that that is faulty input field validation? Is that how you'd categorize that?
Joe Carrigan: Dave, I would absolutely say that. There should be a much shorter character limit on this. I understand why PayPal did this because some developer said to himself or herself, well, I don't know what the longest possible name for this is. I know that an email address can only be like 250-something characters long, or maybe it's 100 -- I can't remember how long, but an email has a limit. But the description field may not have a limit. But maybe they just went to the SMTP RFC and said, how much can I cram into this field? And that's what they put there. That's what the developer allowed to go in. So, yeah, I don't know. I don't know. I would say, yes, this is bad input validation. But it's not -- I wouldn't say it's a bug. I would say it's kind of like a --
Dave Bittner: It's a behavior.
Joe Carrigan: It's a behavior. Yeah, it's unintended behavior.
Maria Varmazis: That's a nice exploit, isn't it? Yeah.
Dave Bittner: I wonder if it's coming through via, like, a web interface or via an API also.
Joe Carrigan: Oh, that's a good question.
Dave Bittner: If you're coming in through an API, is that a possible workaround, too?
Joe Carrigan: Yeah. I don't know the answer to that question.
Dave Bittner: Well, hopefully PayPal gets on top of this.
Joe Carrigan: For sure they're on it right now, Dave. Crack team of developers. They don't care.
Dave Bittner: I mean, the chief security officer at PayPal is listening to "Hacking Humans" right now and just picked up their red phone and called the development team and said --
Joe Carrigan: Put a character limit on that.
Dave Bittner: -- stop the presses. We have a fix. All right, folks. We would love to hear from you. If there's something you'd like us to consider for our catch of the day or anything on the show, you can email us. It's hackinghumans@n2k.com. [ Music ] And that is "Hacking Humans," brought to you by "N2K" CyberWire. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes, or send an email to hackinghumans@n2k.com. We're privileged that "N2K" CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. "N2K" makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your team smarter. Learn how at nt2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Trey Hester. Our executive editor is Brandon Karp. Peter Kilpe is our publisher. I'm Dave Bittner.
Joe Carrigan: I'm Joe Carrigan.
Maria Varmazis: And I'm Maria Varmazis.
Dave Bittner: Thanks for listening.