Hacking Humans 8.8.24
Ep 301 | 8.8.24

Phishing for votes.

Transcript

Dave Bittner: Hello, everyone, and welcome to N2K Cyberwire's "Hacking Humans" Podcast, where each week we look behind the social engineering scams, the phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is my N2K colleague and host of the "T-Minus" Daily Space podcast, Maria Varmazis. Hey, Maria.

Maria Varmazis: Hey, how is it going?

David Bittner: Not bad. Not bad. Joe is a bit under the weather this week, and so we wish him the best and a speedy recovery and look forward to having him back on the show as soon as he is up to it. That said, we will be right back after this message from our show sponsor. [ Music ] All right, Maria. Before we jump into our stories here, we have a couple of items of quick follow-up here.

Maria Varmazis: Cool.

David Bittner: We got a note from a gentleman named Will who just had a few suggestions in response to our call-out for some help with protecting our loved ones' computers. I specifically was asking if folks knew of any additional filters for Gmail to help with.

Maria Varmazis: Oh, yes. Yeah, I remember that.

David Bittner: You know, my elderly father, who, you know, gets bombarded with phishing type of thing. Now granted, Gmail does do a good job of filtering most of them, but every now and then one will sneak through.

Maria Varmazis: Yeah.

David Bittner: So, Will wrote in, had a few suggestions here. One was to use a web browser called LibreWolf. Are you familiar with that? That's a new one to me.

Maria Varmazis: I am not. Yeah, that's a new one to me, too, but I will need to look that up. I use a browser called Arc, which is a Chrome fork, but that's an interesting one.

David Bittner: Right.

Maria Varmazis: Yeah, I -- that's an interesting one. I will definitely have to look that up.

David Bittner: Arc I'm familiar with. Will says that Libre, because it's Libre, you think?

Maria Varmazis: LibreWolf. Yeah.

David Bittner: Wolf Library, I guess. He says it's a fork of Firefox, and it has a real privacy and security focus. And then, of course, installing uBlock Origin, a great extension that really tamps down on a lot of things. Everything, you know, ads on web pages, but that's a great one to use.

Maria Varmazis: Yeah, go sign onto that one.

David Bittner: And then he also recommends NextDNS, which is a kind of a third-party DNS supplier, and that helps filter out some of the bad sites. I've used some of these before. There's the one, there's the free one, I think it's called five nines -- or three, five nines? Anyway, it's like 9.9.9.

Maria Varmazis: Oh, yeah, yeah.

David Bittner: Yeah, and it's one of the major providers. I can't remember off the top of my head who it is, but similarly, if you do your DNS searching, which is how, just real quick, it's how the internet converts IP addresses to domain names and vice versa. So when you put in Google, it converts that -- it looks it up on a DNS list, and then converts that to Google's IP address, and the connection happens magically and mystically behind the scenes. But that has to be handled by a server who does that lookup for you, and so these servers have a level of filtering built into them. So if there are known bad sites, known IP addresses that are bad, they will block that connection and prevent you from connecting either intentionally or inadvertently. So I think it's another good bit of advice here. Did you ever use anything like that, Maria?

Maria Varmazis: I have not. You know, I've not used NextDNS. I think I'm using Google's DNS, to be honest with you, which is -- I don't know why I've got that, but that's probably the one I'm using. But these are all things that someone with some moderate amount of tech savvy could easily do. This is not, I mean, even basic to moderate, I would say. I know I could do all three of these things for my mother, for example. I wouldn't ask my mom to do it, although if my mother was more tech savvy, she definitely could. But I could definitely do it for her, so I think these are very doable. These are some very good, actionable ideas. I like it.

David Bittner: And they're kind of set it and forget it. You know, that's the other thing. You can do these, as the more tech savvy person, you can do this for your loved one, and then they don't have to do anything else. They just run behind the scenes and help make things a little safer. So --

Maria Varmazis: Yeah. I'm taking notes.

David Bittner: -- thank you, Will.

Maria Varmazis: I'll be doing these, honestly.

David Bittner: We've got another note from a listener named Stu, and I'm highlighting this because as the host of the CyberWire, Maria, it is my job to pronounce a lot of words that I am not familiar with. And so I would say a large proportion of the listener feedback that I get is people reminding me when I have mispronounced a word.

Maria Varmazis: Ain't it grand? Yeah.

David Bittner: Oh, it's so much fun. You know, I do my best. I mean, I do. If there's something I'm not familiar with, I make every effort to look it up and find someone native to that area pronouncing that word so that I can at least make a good run at it. But quite often, evidently, I fail, and so people remind me about that.

Maria Varmazis: Hopefully, very kindly and with love.

David Bittner: But this time -- this time --

Maria Varmazis: Yes.

David Bittner: Yes, yes. This time, Maria. This time, Stu wrote in on my pronunciation -- I say our pronunciation of Portsmouth over in the U.K. and commended us on getting it correct.

Maria Varmazis: Hooray.

David Bittner: Right?

Maria Varmazis: Or should I say, Huzzah?

David Bittner: Huzzah. Brilliant. Brilliant.

Maria Varmazis: Oh, brilliant. Yes. Brilliant. What century are we in? Yes. Nobody says Huzzah anymore. Well, congratulations on a nice email.

David Bittner: Yes. I will take the win. So thank you, Stu, for writing in. And, of course, we'd love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@N2K.com. All right. Let's jump into our stories here. Maria, why don't you kick things off for us.

Maria Varmazis: Well, I've got a story of a new phishing campaign from the security firm Verity. They did a little deep dive on a phishing campaign that is specifically targeting who else but Donald Trump and his 2024 presidential run, specifically his supporters, are being targeted by this phishing campaign, not Donald Trump himself. Let me just clarify that one. So the phishing campaign looks -- has a setup of a clone of Donald Trump's official fundraiser page, which I don't know if you've ever been on them, but they don't look like a legitimate website to me, even when they are. So I don't know how you could tell what a fake one looks like, but please don't flame me everybody.

David Bittner: Oh, really?

Maria Varmazis: They have a very weird -- I don't know. The UI looks really weird and off to me, but whatever. The phishing campaign solicits people to go to this website, and it's looking for donations specifically in cryptocurrency. That is the differentiator here, because I did not know this, but apparently, you cannot donate. It doesn't look like you can donate cryptocurrency to Donald Trump's legitimate campaign finance donation, whatever you call it, bucket.

David Bittner: Right, right, right.

Maria Varmazis: You can't donate cryptocurrency to Donald Trump legitimately, but this campaign is looking for crypto and that's what they are soliciting from its scammees. So this campaign has been active since late May, and I thought the timing was also interesting because Donald Trump showed up to a Bitcoin conference, the BDC conference in late July, where he actually was speaking at length about how much he loves crypto and how he wants to do all sorts of things for the crypto community. So I could easily imagine somebody at that conference or listening to the conference on X or whatever going, I love that guy. Definitely want to donate crypto to him and finding this page and going, this sounds exactly like the person I just heard online. Let me give him some of that crypto I've been hearing so much about from him.

David Bittner: Right, right, right, right.

Maria Varmazis: But it is actually a phishing site. So it looks like the last time at least Verity has seen a victim was actually July 22nd, which was before the conference, but maybe they haven't updated it since then. I'd be curious to see if things have ticked up since then. But it looks like the phishing campaign is being traced to China. Of course, we can never really know for sure, but we don't know what hacking group might be behind this. But it's very interesting to see that they figured out that you can't actually donate crypto to Donald Trump legitimately, so you might as well do it in a fake way. Yeah, I just thought that was an interesting little flavor.

David Bittner: That's interesting. Well, and it makes me wonder, I don't know the answer to this, but I wonder, are there any restrictions or guardrails on making donations to political campaigns via cryptocurrency? I don't know to that.

Maria Varmazis: Yeah, I don't know. I don't either. That's -- that was the sort of the question in the back of my mind, too, is maybe Trump can't solicit Bitcoin or Ethereum or whatever he's using.

David Bittner: Right.

Maria Varmazis: But I could have sworn -- see, this is the part that's confusing me, because doesn't he have like his own Trump coin or -- I don't know enough about the man, and I don't want to get blamed, but I could have sworn he had stuff. I don't know.

David Bittner: Yeah, well, I would -- yes, and it wouldn't surprise me. Look, obviously, any politician wants to make it as easy as possible for you to donate to them in any way possible.

Maria Varmazis: Yeah.

David Bittner: So it strikes me that, certainly, at the national level, I would imagine that if this sort of thing was viable, then both of the national campaigns would be making this possible, and the fact that they're not makes me wonder if there's a reason for that.

Maria Varmazis: Yeah.

David Bittner: Like you say, you can imagine somebody saying or doing a Google search for well, I mean, let's say you caught wind that former President Trump was speaking at this event, and you did a Google search for President Trump cryptocurrency, I would imagine -- it's not hard to imagine that a site like this would pop up and say, you know, hey, supporters, true patriots, you know, here's how you can show your support for the campaign with -- donate in Bitcoin or Ethereum or whatever to click here and away you go.

Maria Varmazis: And I honestly think that that's probably what they were thinking, because I don't think phishing scams tend to rely on people donating cryptocurrency or sending money via crypto that much. I mean, they do. It's usually the much harder lift compared to just the more common, you know, dollars.

David Bittner: Yeah.

Maria Varmazis: So the fact that these phishing scammers figure that this will be successful enough to actually run a campaign speaks to a number of different things, as you said, that people are going to be looking for this. So yeah, I would be curious if Verity does a follow up now that the cryptocurrency conference has occurred. Well, that's a lot of alliteration in that sentence I just said. Now that that conference has happened, I'd be very curious to see if there was an uptick because you can monitor because it's crypto.

David Bittner: Right.

Maria Varmazis: You can monitor what's going on with the wallets. So I'd be curious to see if they've seen any tick in donations to these fraudulent wallets. So yeah, maybe we should do a little digging and see if that's happened. Yeah.

David Bittner: Yeah. All right. Well, we will have a link to that story in the show notes, and we're going to take a quick break. Before we get to my story, we're going to hear this message from our show sponsor. [ Music ] And we are back. Maria, let me ask you this. Have -- in your lifetime, have you ever had your sights set on a fancy sports car? Was this something you ever aspired to?

Maria Varmazis: I have not, but does a fancy sports bicycle count?

David Bittner: Oh, I see. At one point, you saw the movie Breaking Away and you were like, oh.

Maria Varmazis: That is my husband's favorite movie. When we were dating, he's like, you have to see this movie. [ Laughing ] Some of those bikes can cost an awful lot of money. Not as much as a Ferrari, though.

David Bittner: Yeah. My wife has one of those fancy bikes. She has one of those -- I think it's made by Fuji and it's made of like -- the frame is carbon fiber. All I know is you can pick it up by your pinkies.

Maria Varmazis: Yes. It's a lot of fun. It's a lot of fun. I have a really lovely steel Bianchi, and it's a vintage frame. I got it for free, though.

David Bittner: Oh.

Maria Varmazis: So I didn't -- but if I had bought it, it would have been tens of thousands of dollars, but I inherited it.

David Bittner: Oh, nice. Sounds like you did well.

Maria Varmazis: So I got really lucky. I got really lucky. I got really lucky.

David Bittner: Yeah. Yeah. Well, we digress. My story today is about the folks from Ferrari.

Maria Varmazis: Oh, Ferrari, yeah.

David Bittner: A well-known, high-end sports car company, if there ever was one.

Maria Varmazis: I've heard of them. Yeah.

David Bittner: Yeah, yeah. Have I ever been in a Ferrari? I don't think I've ever been in a Ferrari.

Maria Varmazis: Have you been in a Lambo or an Aston Martin or any of those?

David Bittner: I have. Yes, I've been in many -- I've been fortunate enough to be in many exotic sports cars. I think exotic sports cars are like what they say about boats. What's better than having a boat is having a rich friend who has a boat.

Maria Varmazis: That's right. Yeah.

David Bittner: I think sports cars are similar.

Maria Varmazis: Or a Bentley --

David Bittner: Yeah. Yeah, so I've been lucky enough to have friends who have some fancy cars, and they've been willing to take me for rides and even let me, you know, behind the wheel a little bit. But I don't think I've ever been inside a Ferrari. I've certainly seen them at the car shows. But this story is about one of Ferrari's top executives who got a suspicious WhatsApp message that purported to be from Ferrari's CEO, who's Benedetto Vigna. How did I do there? Is that passable?

Maria Varmazis: That was pretty nice. It convinced me, so --

David Bittner: Thank you.

Maria Varmazis: It convinced me, so -- [ Laughing ]

David Bittner: So, yeah. So Benedetto Vigna is the CEO at Ferrari, and this WhatsApp message was about a supposed acquisition and the story will sound familiar to listeners of our show. The message said that there was a confidential deal going on, that they needed this executive's discretion, mentioned a non-disclosure agreement and a coordination with Italy's market regulators, as well as the Milan Stock Exchange. But it was in the voice of -- there was a phone call that followed up on this, which sounded like the CEO of Ferrari.

Maria Varmazis: Uh-oh.

David Bittner: Yeah. Now the executive that the phone call targeted noticed that the number that came up was not the number that he'd had in his address book for Ferrari's CEO, but the imposter claimed that they were calling because of confidentiality and saying that there were potential issues, that this deal had something to do with China, and they were worried about espionage and all that sort of thing. The executive that they were targeting became suspicious because the voice sounded a little off. And so -- I love this. The executive said, according to this article, they quoted, and he said, "Sorry Benedetto, but I need to identify you." He posed a question, "What was the title of the book Vigna had just recommended to him a few days earlier?"

Maria Varmazis: Okay.

David Bittner: Right, and the scammer did not know the title of the book. So the Ferrari executive hung up and ended the call and that prevented it from going any farther.

Maria Varmazis: Huh.

David Bittner: Right?

Maria Varmazis: Smart. Okay. Whereas I would go -- I forget the name of the title because my brain is Swiss cheese, but I know the one you're talking about.

David Bittner: Right.

Maria Varmazis: Yeah, and what was the name of that book by any chance? Do we know?

David Bittner: The name of the book was Decalogue of Complexity, Acting, Learning, and Adapting in the Incessant Becoming of the World. Sounds like a real page turner. [ Laughing ]

Maria Varmazis: Oh, my goodness. Yeah, that's just from the tip of the tongue right there.

David Bittner: Yeah. All right, yeah.

Maria Varmazis: Wow.

David Bittner: I mean, you know, so first, yeah, I wouldn't remember -- yeah. I wouldn't remember that.

Maria Varmazis: It was the one that starts with a D. I don't know. Something about acting, yeah.

David Bittner: Right. Well, kudos that he thought to actually say, I need this information that you would, you know, hopefully readily remember.

Maria Varmazis: Right. This is what everybody's afraid of happening now. It is happening. That is terrifying. That's not great.

David Bittner: Well, but I think what this speaks to is this notion that you should have some kind of a passphrase with folks that you interact with. It can be family. It can be your business people. Anybody who in your life is in a situation where they may ask you to do something that could potentially be financially disastrous or otherwise. Just come up with some silly passphrase that everybody in the family knows or everybody in the business knows, and you can say, you know, what's the passcode? And if they don't know it, then you end the call, and you dig deeper, and they accidentally stumbled across that in this case.

Maria Varmazis: Yeah. I love that he asked about the book. That's -- if you don't have that one, you can do something like that. That's very clever. Glad they were -- I'm glad they were on their toes because this could have ended very differently.

David Bittner: That's right. That's right.

Maria Varmazis: Yeah, yeah.

David Bittner: Hopefully, maybe for Christmas this year, he'll get a bonus Ferrari.

Maria Varmazis: How many do you think he has already?

David Bittner: I don't know. I was thinking about that. I would imagine that's probably one of the perks if you're a high-up executive at Ferrari is that you get a Ferrari.

Maria Varmazis: One would hope. Otherwise, what is the point? But, you know, yeah. You just get a 10% employee discount. That's it. Just a little off the top.

David Bittner: Right. Right. Right. Ten-percent off your next Ferrari.

Maria Varmazis: That's it. That's all.

David Bittner: Don't spend it all in one place. Yeah. That's funny. Well, we'll have a link to that story in the show notes. Real quick. There was another story here that caught my eye. I just want a tip of the hat to my own home state. Joe's also, the great State of Maryland has become the first state to pass legislation to help combat gift card fraud, and I actually ran into this over the weekend. This past weekend, I was going to a family event, and I bought a gift card for some relatives who were expecting their first baby. And so I bought them a little gift card to go with a little greeting card, and what I noticed when I took the card up to the cashier, the cashier actually had to like peel off, remove, a piece of cardboard that was on the back of the card to reveal the barcode underneath. And this is on the card so that it's obvious to the cashier if the card has been altered.

Maria Varmazis: Oh, okay.

David Bittner: Because a bad guy, if they want to -- because that barcode on the back of the card is the -- that's the business end of a gift card, right?

Maria Varmazis: Right. That's right.

David Bittner: So what the bad guys used to do is they would just sit there and scan the barcodes or when they were scratch offs, they would scratch them, you know, until you couldn't see that it had been a scratch off. But this way, by having a piece of cardboard that you actually have to physically remove, it becomes obvious to the cashier whether or not this card has been tampered with. And Maryland is now requiring that with gift cards.

Maria Varmazis: It's a piece of cardboard? Is that what they're -- well, okay. Yeah.

David Bittner: Some kind of method of securing the physicality of the card. So the cardboard is one way. You know, I would imagine they could, you know, lock them up the way that they used to lock up CDs at record stores, you know, and put some kind of thing on. That seems a bit extreme, but I suspect the cardboard will probably be the way to go.

Maria Varmazis: Yeah.

David Bittner: And then also, folks who sell gift cards in Maryland have to register with the state.

Maria Varmazis: Wow.

David Bittner: I'm not really, yeah, I'm not really sure what that's about. I guess it's just a little hoop to jump through to make sure that people are aware of the rules and are properly trained and that sort of thing. But, you know, I think this is a good thing. I think anything we can push toward making gift cards more secure and requiring that, I think ultimately, you know, that's a good thing for the consumers. So hopefully Maryland is leading the way here, and other states will copy-and-paste our legislation, and we'll see this becoming a thing across the nation.

Maria Varmazis: Let's hope. It really speaks to the prevalence of this problem. So I'm glad to see legislators responding. It's an encouraging sign.

Dave Bittner: Yeah, absolutely. All right. Well, that is my story for this week. I'll have links to both of my stories in the show notes, of course. Maria, it is time to move on to our "Catch of The Day." ( Soundbite of Reeling-in Fishing Line ) [ Music ]

Maria Varmazis: All right. I'll do my best Joe impression. Okay, so Dave, our catch of the day comes from the Scams subreddit, and there's a text message that is being sent to a plus-40 country code, which is not the UK. What country is plus 40? Oh, goodness.

David Bittner: I don't know.

Maria Varmazis: But it has the pound. Oh, maybe it is the UK. I don't know. The currency in this text message is in pounds. So we'll just say it's the UK.

David Bittner: There you go.

Maria Varmazis: And this is what the text message says. It's actually an iMessage text message. "All right. Listen up. Nothing personal, but you messed with the wrong person. That escort you tried to meet? She's not just anyone. She's got connections, and she's got people looking out for her. You think you can just waste her time and get away with it? Think again. You owe her 500 pounds, and you've got two hours to pay. Transfer it or you'll be dealing with me, and we will involve your" u-y-o'r-e, your, "family in this" -- weird comma placement. "I've got details form you," weird comma placement. "You can't run away form us." Weird period placement. "If you don't answer, we will come and take the cash for 1,000 pounds for this mistake." Another weird period placement. "And trust me, you don't want to deal with me and my boys. Consider this your only warning. If you" -- bleep, I don't think I should say that word on this family podcast.

David Bittner: If you F about, yeah.

Maria Varmazis: "If you F about, you're going to find out. Tick-tock, time's running out," dot, dot, dot, dot.

David Bittner: Ominous.

Maria Varmazis: This sender is not in your contact list. Report junk.

David Bittner: You think?

Maria Varmazis: Oh my goodness.

David Bittner: So what do you think is going on here, Maria?

Maria Varmazis: Just nonsense. [ Laughing ] I mean, just would somebody fall for this? Of course, somebody might find this very intimidating, but this seems like a -- "the escort I try to meet," question mark. I mean, what the heck is the guy talking about? I have no idea.

David Bittner: Well, so I looked it up, and there could be a little bit more to this.

Maria Varmazis: Oh, really? Okay.

David Bittner: Yeah. So what I learned was, evidently, there are folks who set up fake escort services on some of the online dating platforms, and I guess they don't do this on Craigslist anymore, but they -- that used to be a place for it. I guess it's mostly the online apps where someone will say, you know, if you're looking for some companionship or an erotic massage or something like that.

Maria Varmazis: Oh, okay.

David Bittner: Please reach out to me and I will -- but these folks set up fake instances of that, and then when someone inquires to get more information, they get this.

Maria Varmazis: Oh, so it's a honeypot.

David Bittner: Yeah.

Maria Varmazis: Got it. Oh, well, that's terrible.

David Bittner: Right.

Maria Varmazis: So this is targeted. I thought it was just one of those random spams that you get in your inbox sometimes where you're just like, what on earth is this?

David Bittner: Yeah.

Maria Varmazis: Oh, so it's targeted. Well, that's dastardly, isn't it?

David Bittner: Yeah.

Maria Varmazis: Although "you can't run away form us." [ Multiple Speakers ]

David Bittner: Right. Right. Playing -- I mean, there's multiple layers of fear here. There's the fear of these tough guys themselves, which I suppose is plausible in this particular line of business.

Maria Varmazis: Yeah. Yeah.

David Bittner: But also the fear of being exposed to your friends, family, and loved ones for having been curious about reaching out for this type of, you know, service. So I think that's an element of this as well. You don't -- you don't want this to get out, to go any further than this message.

Maria Varmazis: Oh, yeah. That would scare the pants off somebody, not literally maybe, but yeah.

David Bittner: They put the artificial time horizon on here. You've got two hours to pay or else. So, yeah, it's an interesting one. This is one I hadn't seen before, and I was a little surprised at the research to find out that because like you, I thought this was just one of those random shotgun things where it's just a threat and a certain number of people will respond to it, but --

Maria Varmazis: Yeah, yep.

David Bittner: It turns out it's a little more targeted than that.

Maria Varmazis: Oh, well, and the bad grammar would convince me that this was legit because I would not expect someone intimidating me for money to get the correct usage of your, yeah.

David Bittner: Right. Rocco wasn't at the top of his class.

Maria Varmazis: No. No Oxford commas or nothing.

David Bittner: No, no. All right. Well, we would love to hear from you. Of course, if there's something you'd like us to include for our "Catch of The Day," you can email us. It's hackinghumans@n2k.com. [ Music ] That is "Hacking Humans" brought to you by N2K CyberWire. We would love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Tré Hester. Our executive editor is Brandon Karp. Peter Kilpe is our publisher. I'm Dave Bittner.

Maria Varmazis: And I'm Maria Varmazis.

David Bittner: And we hope Joe gets well soon so he can be back.

Maria Varmazis: We miss you, Joe.

David Bittner: Thanks everybody for listening. We'll see you back here next time. [ Music ]