Hacking Humans 6.27.24
Ep 296 | 6.27.24

Public pianos and private scams.

Transcript

Dave Bittner: Hello everyone and welcome to N2K CyberWire's "Hacking Humans Podcast" where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is my co-host, Joe Carrigan. Hi, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We got some good stories to share, but first we will be right back after this message from our show sponsor. Alright, Joe, before we dig into some stories here, we have a bit of follow up. What do you got for us?

Joe Carrigan: We do have a bit of follow up. And George writes in to say hello, I'd like to provide a comment concerning pianos. This is harkening back to your story a couple of weeks ago about being, how broken hearted you would be if you thought you were getting a free baby grand piano and did not.

Dave Bittner: Yes, my deep affection for pianos, yes.

Joe Carrigan: Right. In case Dave and Joe are not aware of this TV series, UK Channel 4 has produced "The Piano." The premise of this music competition is that a grand piano is placed in a train station, and selected visitors are encouraged to play the piano in public. Hidden in the background or two famous pianists watching and grading the performance. Dave, would you sit down at the piano play something?

Dave Bittner: I, there was certainly a time in my life when I would have. Actually there was, a when I was in college, I worked as a singing waiter on a lunch and dinner cruise boat in the Baltimore Harbor. And we would often have a couple hour break between our lunch cruise and our dinner cruise. If I was pulling, what we in the biz call a double, so if you've been to the inner harbor, there are several hotels down there. And I would go into one of the hotels which up on their third floor had a big atrium that went like the whole, you know, final four or five stories high. And up on the third or fourth floor there was a grand piano. And I would just go up there and play the piano. And because I was dressed like a waiter, I looked official enough.

Joe Carrigan: And nobody stopped you.

Dave Bittner: Nobody ever stopped me.

Joe Carrigan: Yeah.

Dave Bittner: I, I was wearing a tie and, you know, very sort of uniform look. But it was a nice way to kill some time and unwind and practice the piano and that sort of thing. So, certainly I, I've never been the caliber of what anyone would consider to be a good pianist. I, I always joked that I can play piano just well enough to make people who don't know how to play the piano think that I do know how to play the piano. But anyone who does know how to play the piano would instantly know that I actually don't know how to play the piano.

Joe Carrigan: Okay, well, the selected winner is then part of the annual UK Royal Festival Hall. I, I'm not sure what that is.

Dave Bittner: Yeah, that's cool.

Joe Carrigan: But so you don't think you'd make that cut.

Dave Bittner: No.

Joe Carrigan: He said there are snippets of the TV show available on YouTube. You can watch the entire series if you VPN the Ireland or any UK location and access www.channel4.com.

Dave Bittner: Interesting. Alright.

Joe Carrigan: Because UK TV works that way.

Dave Bittner: I may ask my pal Jason over at "Grumpy Old Geeks" to go to Sweden as we say, to get the series for me. He's, he's, he's quite adept at that.

Joe Carrigan: Yeah, he, he also says thanks for the "Excellent Cybersecurity" podcast and, and briefings.

Dave Bittner: Yeah, I would just add one more thing. There's a wonderful documentary called "Note by Note," which shows the making of Steinway pianos. Quite interesting. If that's. if you're into that sort of thing, if you're, you know, this high level of craftsmanship, that, that comes with Steinway pianos. So I have a link to that. The whole documentary is on YouTube.

Joe Carrigan: Oh, good.

Dave Bittner: So I'll have a link to that in the show notes as well.

Joe Carrigan: Very good.

Dave Bittner: Alright. Well, why don't we move on to our stories. Joe, you want to kick things off for us?

Joe Carrigan: Yes, speaking of going to the UK, I have a story from Gherkin, like the pickle I guess.

Dave Bittner: Right.

Joe Carrigan: I like the pickles. He's a technology reporter with the BBC. And at booking.com, booking.com, the travel site, the head of Internet safety is a woman named Marnie Wilking.

Dave Bittner: Okay.

Joe Carrigan: And Marnie Wilking has said that there has been a 500 to 900% increase in phishing scams that they're aware of at booking.com. And she is saying that these are powered largely by AI. Which is interesting because if you remember back a couple weeks ago, I was talking about the "Verizon Data Breach Investigation Report."

Dave Bittner: Yeah.

Joe Carrigan: And Verizon was saying we see a lot of people using AI to make their programming skills better, but we don't see it getting used a lot in these breaches, these breaches and attacks.

Dave Bittner: Okay.

Joe Carrigan: Now here's the big difference, though, is that Verizon is basing this off of corporate customers, and Ms. Wilking is talking about just regular end users of booking.com.

Dave Bittner: Right.

Joe Carrigan: So I would think, personally, and this is speculation on my part and as, you know, as our listeners know, I am a big fan of wildly speculating. That that is, there's a reason for this. That, that, that what's happening here is that lower skilled attackers are using artificial intelligence to help them write more believable phishing emails for sites like booking.com, and they're targeting customers --

Dave Bittner: Right.

Joe Carrigan: -- of the service. And I, I think that there are two things I think that contribute to this. One is the phishing attacks are getting better. And once they get better, by better, I mean more effective, that leads to more of them. And the other thing is that AI permits the automation of phishing, right. I can just say, here's the list of names. Write me a bunch of phishing emails for them, and, and I'll just take these files and shove them into an e-mail machine, a piece of code I've written --

Dave Bittner: Right.

Joe Carrigan: -- and send them on their way. So now I have the capability to automate and scale much more effective phishing e-mails.

Dave Bittner: Yeah.

Joe Carrigan: I think that is what's leading to this big, big consumer focused phishing attack.

Dave Bittner: Interesting.

Joe Carrigan: The attackers are definitely using AI to launch the attacks. This is Marnie Wilking again. She says that the attacks are mimic e-mails far better than anything that has been done to date. And these attacks try to convince people to give up credit card details by sending them fake convincing looking Internet booking links.

Dave Bittner: Okay.

Joe Carrigan: And after the seller, or someone pays up rather, the scammers either disappear, right, they just go away, they take the money and run, like Steve Miller says. Or they try to scam them with follow on scams, which we've talked about many times in this, on this podcast before.

Dave Bittner: Sure I got a hot one.

Joe Carrigan: Yep, we got a hot one. And one of the things I like to say about these scammers is they will keep coming after you until one of two things happen. You either run out of money or you wise up and realize it's a scam and stop talking to them.

Dave Bittner: Right.

Joe Carrigan: Once you do that, they go away pretty quickly.

Dave Bittner: Yeah.

Joe Carrigan: Once you tell them, I know this is a scam, I'm not talking to you anymore. Goodbye. They leave. Scammers often target websites that look like booking.com and Airbnb because they allow people to list their own places to stay. We talked about Airbnb a couple of weeks ago about somebody having their account hacked, but I didn't know that booking.com also did that where they had, you know, like privately owned homes out there.

Dave Bittner: Right. Right.

Joe Carrigan: I didn't know that was possible. I'm not a big booking.com user.

Dave Bittner: Yeah, me neither.

Joe Carrigan: Also not a big Airbnb user. Have you ever used Airbnb?

Dave Bittner: Yeah, just, well, I, I, my I would say in our family, my wife is the one who leads that charge. But yeah, we've used Airbnb, and we've used VRBO.

Joe Carrigan: VRBO, they say.

Dave Bittner: Yes, to book vacation places and weekends away, that sort of thing, so far.

Joe Carrigan: My son just went down to the beach with a, with a group of people and they used Airbnb, and they said everything was great.

Dave Bittner: Yeah.

Joe Carrigan: It worked well.

Dave Bittner: Yeah, I've been pleased so far.

Joe Carrigan: And, and, and I should, I should be clear. By and large, that is going to be your experience with these folks, right.

Dave Bittner: Yeah.

Joe Carrigan: Also, Wilking said she's not entirely down on AI because they're using AI to remove fake hotels. We've set up AI models to detect those, either block them from getting listed in the first place or take it down before anybody has done a booking. So I think that's good.

Dave Bittner: Yeah, that is good.

Joe Carrigan: And then, this is where I think this article gets a little bit problematic is because Wilking says, or actually not the article. The article is fine. But the, the, the discussion turns into more of a problem area. Wilking says she is calling for hotels and travelers to use two factor authentication. And then she says it involves an additional security check such as inputting a code that is sent to you, calling it quote, "The best way to combat phishing and credential stealing."

Dave Bittner: Okay.

Joe Carrigan: And I agree with that, but that's not particularly helpful when you're getting scammed, when you're entering your, your, your credit card information into a, into a bogus site.

Dave Bittner: Oh, sure.

Joe Carrigan: I don't see how multifactor authentication helps you there, unless you're trying to prevent somebody from accessing your booking.com site.

Dave Bittner: Right.

Joe Carrigan: I don't think the real problem here is what's being addressed. She also urged people to be more vigilant than before when clicking on links. And I, you and I have discussed this. And even though we say this a lot, don't click the link, it's not really helpful advice.

Dave Bittner: Yeah.

Joe Carrigan: I, I don't think don't click the link is not, is helpful device, helpful advice.

Dave Bittner: So it's, yeah, it's, I'd say it's, it's limited in its helpfulness.

Joe Carrigan: Right, exactly. That's a good way to put it. The article talks, quotes Jane Hawkes, who's a travel industry consumer expert. She says that it's time for these providers to step up and make people aware of the scams. They have a responsibility to advise travelers ways to minimize the risk of getting scammed, she said. Consumers should do their own research with due diligence, which I agree with. It is, and in the end it's, it's always going to come down to consumer. But I think these companies have a, have a, have an obligation to their customers here. And I think that just telling people use multifactor authentication and don't click the link, I mean, that's helpful, yes. Those, those are good, good suggestions. But I think more needs to be done here. I like that they're using AI to find these fake ads. I think that's fantastic. That's the kind of thing I think that needs to be done at a corporate level to protect the customers. I mean, if you, if you're having success with that, and those fake listings aren't even showing up to the customers, the customer is not even seeing them or it's happening before the customer is making a booking, that's a win.

Dave Bittner: Yeah.

Joe Carrigan: More of that. Less of the telling the customer to be cautious. I mean, of course, tell the customer be cautious. But that is, that cannot be the sole source, the source, the sole onus of any of these problems. And yeah, I don't mean, I'm not trying to bash booking.com here. I think they're doing a good job of doing both these things.

Dave Bittner: Yeah.

Joe Carrigan: But that's not what we see generally in the, in the real world. Think about trying to get a Facebook account back.

Dave Bittner: Yeah, you know, it's, it's funny you mentioned that, that we've got a story coming up for CyberWire that just came by today that story from Engadget is titled, "How Small Claims Court Became Meta's Customer Service Hotline."

Joe Carrigan: Really. That's good to know because I have a cousin who just lost access to her account.

Dave Bittner: Right. And basically like, I, you know, that's in a nutshell that's what this story's about. That the only way to get Facebook's attention is to take them to small claims court if you need to get your --

Joe Carrigan: I think that's fantastic.

Dave Bittner: -- yeah, if you need to get your account back.

Joe Carrigan: I think that's a great, great tactic because it's small claims court, right.

Dave Bittner: I mean it's a great tactic if you have all the time in the world.

Joe Carrigan: It doesn't take long to get someone into small claims court. It's, it's, it's a, it's, small claims court is, is deliberately low overhead and quick, right. So I guess it depends on where you are.

Dave Bittner: Yeah.

Joe Carrigan: Right. It depends on the state you're in.

Dave Bittner: I mean that's a low, I mean that's, okay. That's a crazy low bar I think.

Joe Carrigan: Okay.

Dave Bittner: I mean you, a million times, you know, their, their excuse is they can't do this at scale, and they shouldn't do this.

Joe Carrigan: Well.

Dave Bittner: And I think there should be, I, well, I guess I wonder, should someone like the Federal Trade Commission get involved to say if you are either uninterested or unable to provide meaningful customer service, then we have a problem with that.

Joe Carrigan: Right.

Dave Bittner: If it, particularly if you have no meaningful competition, right.

Joe Carrigan: Yeah, well, the most important thing that Facebook would say to that is Dave, yes, of course, we have great customer service.

Dave Bittner: Yeah.

Joe Carrigan: We, we take care of our customers. Our customers have phone numbers where they can contact us.

Dave Bittner: Right?

Joe Carrigan: Our users are not our customers.

Dave Bittner: Yeah.

Joe Carrigan: They're our product.

Dave Bittner: Yeah. Alright. We will have a link to that story in our show notes.

Joe Carrigan: It's a, it's a pretty good article.

Dave Bittner: Yeah. My story this week actually comes from something that was actually bothering me over on Facebook.

Joe Carrigan: Ah. Dave, I have, I, I've reached a conclusion.

Dave Bittner: Yeah.

Joe Carrigan: Neither one of us are ever going to get jobs at either Meta or Google.

Dave Bittner: No, I'm okay with that.

Joe Carrigan: It's just not going to happen.

Dave Bittner: No. Yeah, no, not, yeah. Probably never going to advertise on the CyberWire either. Actually, we've had a good relationship with Google, but Meta no, never.

Joe Carrigan: No.

Dave Bittner: So I have noticed a pattern on Facebook that I'm sure will, will ring a bell to many of our listeners. And the pattern is on some of our community Facebook groups. So let's say for example, the local classified ads group.

Joe Carrigan: Ah, yes.

Dave Bittner: Okay. There are two types of ads in particular that are posted over and over and over again. One of them is for air duct cleaning services, and one of them is for car detailing services. And what caught my eye is that basically the same sort of thing is being posted over and over again from different accounts using different photos, but the technique is always the same. And the, the, the, the deal of putting air quotes is always the same. So let's use the air duct cleaning service posts for example, okay. So what will happen is there'll be a post that says, it'll be from an individual and it'll say, hey, you know, I'm, I'm just the start of my own business. I'm really trying to make a difference here and make ends meet. And along with my husband or my business partner, we've got an air duct cleaning service. For $250, we will come clean your air ducts in your house. You don't pay anything until we're done, and we've completed the job and you're happy.

Joe Carrigan: Right.

Dave Bittner: If you're interested, send me a DM, and I'll get you details and we'll get it started. Thanks, you know, Lori Jane.

Joe Carrigan: Right.

Dave Bittner: Right. Now. On the surface, that doesn't sound like an overt scam, because they're not asking for money ahead of time.

Joe Carrigan: Right, then they're promising to do the service first.

Dave Bittner: Right.

Joe Carrigan: Right.

Dave Bittner: Right. But I kept seeing these posted over and over again. And there's a version that works very much the same way with car detailing, slight variations, but it's definitely working off of a script. And so I couldn't help wondering like what's going on here. What's the deal? What's the skin?

Joe Carrigan: What's the end game.

Dave Bittner: Right, what, right. What's the angle? What are they doing here? Because it's definitely not on the up and up, but it's also not a blatant scam.

Joe Carrigan: Right.

Dave Bittner: So I started searching around and lucky for me, so I didn't have to chase this down completely all on my own.

Joe Carrigan: Somebody already found it.

Dave Bittner: Somebody already found it. So there's a YouTube channel called "Pleasant Green," and it's run by a gentleman named Ben Taylor and Ben, on this YouTube channel, most of what he does is he chases down these sorts of scams.

Joe Carrigan: Really.

Dave Bittner: Yeah. And he was wondering the same thing. And so I'm going to walk you through what Ben discovered here, and I do hope we'll have a link in the show notes, of course. I hope everybody will go and, and check it out, if you, I'm willing to say, if you like this show, you will enjoy Ben's YouTube channel. One of the things I like about Ben's channel is that a lot of the folks who go after scammers in an entertaining way are kind of nasty, and it's, it's almost like they're pulling their own gotchas. It's, it's like a revenge kind of thing.

Joe Carrigan: Right.

Dave Bittner: Whereas Ben is not that way.

Joe Carrigan: Now I will say, I like that, Dave.

Dave Bittner: I know you do, but I don't. Ben's is much more driven by curiosity and, you know, trying to figure out what's going on here.

Joe Carrigan: And, and probably to help people to stop from falling for being, you know --

Dave Bittner: Exactly.

Joe Carrigan: The more informed you are about these scams, the less likely you are to fall for them.

Dave Bittner: Absolutely. Absolutely. So he's a kindred spirit to you and I.

Joe Carrigan: Right, right.

Dave Bittner: One of the things that he pointed out that I was unaware of is that the folks who post these things, the, the profiles they create almost always have two first names. So the poster in this case will be David Luke.

Joe Carrigan: Hmm.

Dave Bittner: John, Robert. You know, Jennifer Jane, right.

Joe Carrigan: Right.

Dave Bittner: And not sure why, but once he said this, I started keeping track of the ones I was seeing. He's absolutely right.

Joe Carrigan: Huh.

Dave Bittner: So that's a tell, you know, if you see it being posted by someone who has two first names --

Joe Carrigan: It's like a lot of actors.

Dave Bittner: It's a red flag.

Joe Carrigan: Like Bob Patrick.

Dave Bittner: Right, right. Or the three named actors, right. Or the single name actors like Madonna. So the person's profile is fake, not a real profile.

Joe Carrigan: Right.

Dave Bittner: But so what Ben did was Ben decided he was going to engage with one of these people and try to figure out what was going on. So he sends them a message. They exchange information. Someone calls him, he talks to them, and they say, okay, we're going to, we want to come clean the ductwork in your house. And of course, Ben doesn't want to give him his real address.

Joe Carrigan: Right.

Dave Bittner: So he looks up like a house is for sale on Zillow in his neighborhood. Gives them that address and waits to see what's going to happen. So to Ben's surprise, on the time and date when the person is supposed to come clean the vents, he gets a call from the guy who's at the house to clean the vents.

Joe Carrigan: Really.

Dave Bittner: Yeah, at the house that's for sale, right. So.

Joe Carrigan: Wait a minute.

Dave Bittner: Yeah.

Joe Carrigan: So he sets up a call with a with someone he knows is a scammer.

Dave Bittner: Yep.

Joe Carrigan: And then he gets a phone call from the guy that's there to clean, clean the vents.

Dave Bittner: That's right.

Joe Carrigan: Okay.

Dave Bittner: That's right. So now Ben's wondering what's going on here.

Joe Carrigan: Right.

Dave Bittner: Right, because Ben was shocked that anybody who showed up, he did not expect someone to show up at the house.

Joe Carrigan: Right, right.

Dave Bittner: He figured it was going to lead to some path where someone was going to call him and say oh listen, the guy's on the way, but I need, you know, $100 or, you know, just any of these things where people will start making excuses to get money from you.

Joe Carrigan: Huh.

Dave Bittner: But that didn't happen.

Joe Carrigan: Okay.

Dave Bittner: So he apologized to the person, you know, said, oh, we'll reschedule. So he calls the person who he thinks is the scammer again, and then I'm, I'm paraphrasing here. When you watch the video, you'll, I don't have the exact order of operations completely. Right.

Joe Carrigan: Right.

Dave Bittner: But essentially, what it comes down to is that through asking questions and doing research and so on and so forth, he figures out that this is being run by a call center out of Pakistan. And they're using fake profiles, and they're using real businesses to generate leads for real technicians. So if you call these folks and say, yeah, I want to get my air ducts cleaned. Hey, listen, does your company have a website? They'll say, oh, absolutely. And they will send you the website of a real air duct cleaning company that has nothing to do with anything in this interaction, okay.

Joe Carrigan: Right.

Dave Bittner: In fact, Ben called one of the companies who they claimed was the company was going to be doing the work, and they were like, no, we don't, that's not us. In fact, we're not even in your state.

Joe Carrigan: Right, wow, that's weird.

Dave Bittner: They had, they knew nothing about this. Right. So there's all these little scammy things, there, this is this, this is built on a house of lies.

Joe Carrigan: Right.

Dave Bittner: Right?

Joe Carrigan: It sounds like it. None of this is adding up.

Dave Bittner: Yeah, it is not, none of it adds up. But in the end, it is a leads generation business. So these telemarketers in Pakistan call local tradespeople in your area, people who will clean ductwork, people who will detail your car, and they say, listen, I'm going to sell your services. I'm going to charge 250 bucks. I'm going to give you 175 bucks. Are you good with that? And the trades person says, sure, you want to send me leads? That, that's one of the least fun parts of my business.

Joe Carrigan: Right.

Dave Bittner: And so that's what they do. Now obviously the problem is you have no idea who's showing up at your house.

Joe Carrigan: Right.

Dave Bittner: You have no idea who's coming to clean your car. They could be great.

Joe Carrigan: Yeah.

Dave Bittner: They could be horrible.

Joe Carrigan: Yeah.

Dave Bittner: And there are stories if you search news stories for air duct cleaning scam, for example, you'll find stories where the people come to your house and they say, ah, well, you know, we cleaned the air ducts, but boy, they were a lot dirtier than we thought they were going to be. So -

Joe Carrigan: Yeah, like going to a mechanic.

Dave Bittner: Yeah.

Joe Carrigan: Now your motor mounts are bad. Your engine is going to fall out.

Dave Bittner: That's right. That's right. You need more blinker fluid, or it's just not going to work.

Joe Carrigan: That's right.

Dave Bittner: So they'll either charge you more than they had promised, or they won't actually do the work. There was one news story I saw where basically, you know, somebody came with, you know, the equivalent of a shop vac, stuck it in a vent and ran it for an hour. And then said okay, we're good here, and left, and it --

Joe Carrigan: The truth of the matter is, you probably are just as good as if you got your ducts cleaned anyway.

Dave Bittner: Right.

Joe Carrigan: I mean I got my ducts cleaned when I got a new air conditioner put in.

Dave Bittner: Yeah.

Joe Carrigan: Other than that, I don't think you need to do it.

Dave Bittner: You don't. You don't. And I think they're, they're, they do, there's, there's an aside I think I saw on one of the things I was reading here that like the federal guidance, you know, the folks in the federal government who kind of protect consumers with these things. They said the big problem, or the big confusion is that people confuse dryer vent cleaning with air duct cleaning.

Joe Carrigan: Right.

Dave Bittner: Dryer vent cleaning is very important --

Joe Carrigan: Yes.

Dave Bittner: -- particularly if you have a gas powered dryer.

Joe Carrigan: Absolutely.

Dave Bittner: But air duct cleaning really isn't that important.

Joe Carrigan: No.

Dave Bittner: It doesn't really make that much of a difference. So, so anyway, you don't know who's showing up to your house. And the person who does show up at your house is absolutely not going to be associated with the business that the person who sold you the job claimed they were associated with.

Joe Carrigan: Right.

Dave Bittner: So any of the checking you do of reviews or insurance or any of that stuff, this is a stranger showing up.

Joe Carrigan: Right.

Dave Bittner: And it's the same thing with the car detailing services here.

Joe Carrigan: They're just going out and generating leads for potentially legitimate businesses.

Dave Bittner: Right.

Joe Carrigan: But they're not, they're not vetting these guys at all.

Dave Bittner: No, no.

Joe Carrigan: And you're going to get whoever they want or whoever they can get, whoever they've reached an agreement with.

Dave Bittner: Right. So to what degree, Joe, do we categorize this as a scam?

Joe Carrigan: That's a good question, Dave. Somebody does show up and they will perform the service.

Dave Bittner: Right.

Joe Carrigan: Maybe, I mean, you know.

Dave Bittner: But it was all sold to you under false pretenses.

Joe Carrigan: Yeah, I mean --

Dave Bittner: All of the selling was lies.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: Well, Dave, is it usually the case that all the selling is lies? I mean even when you go to get a car, all the selling is lies.

Dave Bittner: But, but in this case, like if I was, if I put a message out to my friends and said hey, I'm looking to have my, like my card detailed.

Joe Carrigan: Right.

Dave Bittner: Right. And they said, hey, you know, call Carrigan's car detailing service. They've been great for me.

Joe Carrigan: Right.

Dave Bittner: And I call and, you know, your, your cousin Lenny comes over and does a great job detailing my car, like that's a line of truthful recommendation and --

Joe Carrigan: Right, Absolutely.

Dave Bittner: And so I guess, in my mind, a big part of this is a scam.

Joe Carrigan: Yeah, it is, I agree.

Dave Bittner: The leading all of the the stuff at the head end is a scam, and the posts that are on Facebook are scams. And I wish that either Facebook or the administrators of the groups would do a better job of shutting these down.

Joe Carrigan: Yeah.

Dave Bittner: But of course we know, we know how that works.

Joe Carrigan: Right.

Dave Bittner: Yeah. So very interesting pathway. I have to say I was surprised to find out that I guess it's less scammy than I thought it was. Like there's actually a chance you could get the thing that you're paying for, but --

Joe Carrigan: I mean the only scam part is the, is the pitch, right.

Dave Bittner: Right.

Joe Carrigan: And, and maybe they're lying to you about being licensed and bonded by the city. You are licensed and bonded by the city, aren't you, Mr. Plow?

Dave Bittner: Yeah.

Joe Carrigan: You know.

Dave Bittner: But I guess the, the, the advice to our listeners is don't engage with these people.

Joe Carrigan: Yeah, don't engage. Don't engage.

Dave Bittner: Yeah, so it is scammy enough --

Joe Carrigan: Yeah.

Dave Bittner: -- to say this is not the path you want to go down.

Joe Carrigan: You know, Dave, whenever I need a service, one of the first things I do is I ask people I know.

Dave Bittner: Sure.

Joe Carrigan: Who, who have you used in the past that you liked --

Dave Bittner: Yeah.

Joe Carrigan: -- for this service.

Dave Bittner: Yeah, absolutely. Hard to beat. Yeah. Alright, we will have a link to that YouTube video in the show notes. Highly recommended, and like I said, I think folks who enjoy this show will find the "Pleasant Green" YouTube channel by Ben Taylor, you're going to like that as well. It's a lot of pretty interesting stuff. So do check that out.

Joe Carrigan: I just subscribed by the way.

Dave Bittner: Excellent. Alright, we will be right back after this message from our show's sponsor. [ Music ] Alright, Joe, we are back, and it is time for our "Catch of the Day." [ Soundbite of Reeling in Fishing Line ] [ Music ]

Joe Carrigan: Dave, our "Catch of the Day" comes from Christopher, who writes, hi long time listener, first submission. The style of this one seems so outlandish. And it is pretty outlandish, Dave.

Dave Bittner: Alright, here it goes. I was planning to say hello, but now I think greetings are unnecessary. First, I already know you and all your loved ones very well. Secondly, the occasion for which I'm writing to you is not the happiest one for a friendly greeting. You've heard that the Internet is a dangerous place infested with malicious links and hackers like me. Of course, you've heard. But what's the point in it if you're so dismissive of your Internet security and don't care what websites you visit. Times have changed. You read about AI judging by your browser history and still don't understand anything. Technologies have stepped far forward and now hackers like me use artificial intelligence. Thanks to it, I can get not only access to your webcam and record your fun with highly controversial video but also to all your devices and not only yours. And I saved a special sauce for this dish. I went further and sent malicious links to all your contacts from your account. Yes, someone was smarter and realized that this was a trap, and you were hacked. But believe me, about 70% of your contact list bought into my scam. They have as many skeletons in their closet as you do. Some turn out to be hidden homosexuals.

Joe Carrigan: No!

Dave Bittner: I've accumulated and analyzed a huge amount of compromising data on you and those with whom you communicate. Very soon I'll start a crossfire. Everyone will receive the full history of correspondence. And there are enough of sensitive moments and recordings from the other contacts' webcam. I can go further and put all these files as well as the recorded fun of you and your hacked contacts with hardcore videos into the public domain. You can imagine it will be a real sensation, and everyone will understand where it came from. From you. For all your contacts and you will be enemy number one. Even your relatives will take a long time to forgive you and forget such a family shame. It will be the real end of the world. The only difference is that there will be not four horsemen of the apocalypse but only one. But there is no such thing as a completely black stripe without any white dots. Lucky for you --

Joe Carrigan: What does that mean?

Dave Bittner: I have no idea. Luckily for you, in my case the three M rule comes into play. Money, money and money again. I'm not interested in your worthless life. I'm interested in people from whom I can profit. And today you are one of them. That's why transfer $1,390.00 in Bitcoin to my address within 48 hours. You don't know how to use cryptocurrencies? Use Google. Everything is simple. Once payment is received, I will delete all information associated with you, and you will never hear from me again. Remember one thing, my crypto address is anonymous, and I generated this letter. You can call the cops, do whatever you want. They won't find me. My demands won't change, but you'll just waste precious time. Hasta La Vista, baby. Wow.

Joe Carrigan: This is awesome in terms of just over the top.

Dave Bittner: Yeah.

Joe Carrigan: This is the, the old sextortion, the old, the sextortion stuff that never really worked, right. Now we have sextortion pros who are literally murdering people.

Dave Bittner: I'm just, I'm a little anxious just having read this.

Joe Carrigan: Yeah.

Dave Bittner: Yeah, it's pretty, pretty. It's a lot.

Joe Carrigan: It's a couple of things. Number one, it's stepped up in the, in the culpability thing. So now I'm not just going to expose you, but I also found out about all your friends.

Dave Bittner: Right.

Joe Carrigan: So they're trying tom trying to make you think that, they, they don't have any information. This is, this is just a, a scam e-mail that people send around spam lists --

Dave Bittner: Yeah.

Joe Carrigan: -- to try to get you to respond. Just to actually to send them Bitcoin. Fortunately, though, Dave, I did look at the Bitcoin address.

Dave Bittner: Oh, you did?

Joe Carrigan: I did. Nobody has sent this guy any money, either in Bitcoin or in Bitcoin Cash. They're both, actually two wallets out there.

Dave Bittner: Huh, interesting.

Joe Carrigan: And I went to a blockchain explorer that showed both of them to me.

Dave Bittner: Huh.

Joe Carrigan: Pretty impressive.

Dave Bittner: Yeah. The, the request for $1,390.00 seems oddly specific to me.

Joe Carrigan: Right, it is. It's interesting that it's in bit coin like two separate words instead of one.

Dave Bittner: Right, which maybe cuts down on filtering or red flagging.

Joe Carrigan: Yeah, yep.

Dave Bittner: Yeah.

Joe Carrigan: And also interesting is that the address is actually real on the Bitcoin blockchain.

Dave Bittner: Yeah, that is interesting. Yeah.

Joe Carrigan: And finally, no, that Bitcoin blockchain address is not private.

Dave Bittner: Right. By virtue of the fact that Joe was able to look it up.

Joe Carrigan: Right, exactly. Right. Also interesting is that he, he is working with, he, one of the things this guy wrote in the e-mail says I see that you do a lot of reading about AI. Who doesn't? That's like I see you're breathing a lot of air over there, Dave.

Dave Bittner: Right, right, right.

Joe Carrigan: Do you like water, Dave?

Dave Bittner: Wait until your friends find out that you use oxygen.

Joe Carrigan: Right.

Dave Bittner: Right.

Joe Carrigan: And then he says, I used AI to hack your account, which is, you know, I mean we, we had stories today about how it's used to generate phishing e-mails, but it's not, I mean and, and actually you can ask it how you, yeah, I guess you could use AI to hack accounts.

Dave Bittner: It's plausible. It's plausible.

Joe Carrigan: Okay, I'll give that a pass. Right, it's plausible.

Dave Bittner: Oh my. Alright, well, our thanks to Christopher for sending that in. And of course we would love to hear from you. If there's something that you would like us to consider for the show you can e-mail us. It's hackinghumans@n2k.com. [ Music ] That is, our show brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. So fill out the survey in the show notes or send an e-mail to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com this episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tré Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening. [ Music ]