
Final approach to scammer advent.
Dave Bittner: Hello, everyone and welcome to N2K CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me as always, is Joe Carrigan. Hey there, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: And our N2K colleague and host of the "T-Minus Space Daily" podcast, Maria Varmazis. Maria?
Maria Varmazis: Hi, Dave, and hi, Joe.
Joe Carrigan: Hi, Maria.
Dave Bittner: Hi, Joe. Hi, Maria.
Maria Varmazis: Hi, I'm going to do this every week.
Dave Bittner: We've got some good stories to share this week. We'll be right back after this message from our show's sponsor. All right, before we dig into our stories, we've got some follow-up here from a listener who wrote in with some information about FEMA. So, this is following up -- we were talking about some of the goings-on after the terrible hurricanes --
Joe Carrigan: Yes.
Dave Bittner: -- that hit the southeast here in the United States. And someone wrote in with some good information about FEMA. The Critical Needs Assistance, which is -- remember we were kind of recalling that there was an immediate fund that you could -- right, Joe? You remember that?
Joe Carrigan: Yes.
Dave Bittner: Yes, so that's the Critical --
Maria Varmazis: Yes.
Dave Bittner: -- Needs Assistance Fund. And that is indeed what that is for. So, basically, the bottom line, I'm not going to read the whole email from this kind listener who wrote in but the bottom line is disasterassistance.gov is pretty much the one-stop shop for everything you can want to know about these sort of situations and what FEMA can and cannot do for you. And then also, there's resources at the Better Business Bureau to protect yourself from folks who are out there trying to scam people. This listener also recommended calling 211 to find local resources, if there is an emergency. And also, wanted to remind folks that a lot of what happens through FEMA is tied to your home address. So, be careful to not apply for multiple things using the same address. Like you can run into issues with that. Or someone could use your address without you knowing it and get funds that were intended to be for you. So, disasterassistance.gov is the main link to check out, and we thank our listener for writing in and clarifying some of that. We do appreciate it. And of course, we'd love to hear from you. If there's something you would like to share with us, you can email us. It's hackinghumans@n2k.com. All right, well, let's jump into our stories here this week. I'm going to kick things off. This is a story from the New York Times. It's called, "Their Parents are Giving Money to Scammers, And They Can't Stop Them." And it's kind of a tragic story here. There's two folks that they talk about in this story, but I'm going to just talk about one of them. This was a gentleman named Chris Mancinelli, and when his father passed away, his father Alfred, Chris went to his father's home. His father was 79 years old when he passed and he went to his home and he went in and there on the refrigerator were some family photos, pictures from his grandchildren, crayon drawings and snapshots of his grandchildren, but also on the fridge was a photo of Alexa Bliss, a WWE wrestling star.
Now, let me pause here and ask, are either of you familiar with Alexa Bliss?
Joe Carrigan: No.
Maria Varmazis: I'm not, no. Nope.
Dave Bittner: Neither of you have your Alexa Bliss action figures?
Joe Carrigan: Doll? No.
Maria Varmazis: Was there something else, Joe?
Joe Carrigan: I like when people say, "They're not dolls. They're action figures." I'm like, "They're dolls. They're dolls."
Dave Bittner: Yes, they're -- yes, they're dolls. But I put a photo of Miss Bliss in our Show Notes here so the two of you can --
Joe Carrigan: Let's scroll down and take a look.
Dave Bittner: -- check out what Miss --
Maria Varmazis: Yes, okay.
Dave Bittner: -- Bliss looks like. Maria, why don't I give you the honor, since it won't -- you're less likely to get in trouble describing this lovely lady than either Joe or I are. What? Well, your words, not mine. So, in the self-interest of both Joe and me --
Maria Varmazis: Oh, I see. I see now.
Dave Bittner: -- why don't you describe -- yes.
Maria Varmazis: She's got a rocking, hot bod, everybody, and she's very athletic and she's wearing skimpy clothing, and she's just great.
Joe Carrigan: She's in good shape.
Dave Bittner: Yes, long, blonde hair.
Joe Carrigan: Yes.
Maria Varmazis: Good for her.
Joe Carrigan: She looks exactly like I expect when you said, "female WWE star."
Maria Varmazis: Yes, yes. She looks like she is in fantastic physical shape.
Dave Bittner: Yes, oh I imagine you have to be for that job.
Joe Carrigan: I mean, there have been some really fat guys in that job.
Dave Bittner: Oh, that's true. That's true.
Joe Carrigan: George "The Animal" Steele was a big, fat guy.
Dave Bittner: Yes, I mean --
Joe Carrigan: Strong. Strong.
Dave Bittner: -- Andre the Giant was no string bean.
Joe Carrigan: Right, yes, exactly.
Dave Bittner: Anyway, Chris found out that his father believed that he was in a romantic relationship with Alexa Bliss. And over the years, his father had sent nearly a million dollars to this imposter. Obviously, this person was not actually Alexa Bliss, the WWE star. This was someone --
Joe Carrigan: Man, that's awful.
Dave Bittner: -- pretending to be Alexa Bliss. Alfred, the father, his nest egg was nearly a million dollars. And at some point, it had gotten down to just about $100,000. And Chris, his son, decided to intervene and --
Joe Carrigan: Right.
Dave Bittner: -- and moved his father's funds to a secure account in the hopes of protecting them from further loss. And his father was furious at him, sued him, and demanded that the money be returned.
Maria Varmazis: Oh, no.
Dave Bittner: He was convinced that he and Alexa had a real relationship, and he refused to believe otherwise. And this resulted in the family not communicating, you know, disowning children, not being able to see granddaughters, just terrible, terrible pain for the family that you know, lasted through when the father died. There was no reconciliation here.
Maria Varmazis: Aw, geez. That's heartbreaking. Infuriating.
Dave Bittner: So, after his father passed, Chris put together a bit of a timeline of this and he says that it seems to have started back in 2018, and he credits the pandemic as having kind of deepened his father's vulnerability, the isolation from the pandemic, you know? And I think -- I think we can all relate to feeling lonely or vulnerable during the pandemic at one point or another.
Maria Varmazis: Yes, oh 100%.
Joe Carrigan: I kind of liked it.
Dave Bittner: And so, this relationship with -- what did you say?
Joe Carrigan: I kind of liked it.
Maria Varmazis: We're both giving our feelings and you're like, "It was great."
Joe Carrigan: That's right.
Dave Bittner: All those pesky people.
Joe Carrigan: So, for my extravert cohosts.
Dave Bittner: Sit home by myself and --
Maria Varmazis: I am not an extravert. I'm not an extravert.
Dave Bittner: -- not have to be bothered by all you people.
Maria Varmazis: Joe, I was basically taking care of a three-year-old all day. I'm not an extravert. I just got worn out.
Joe Carrigan: Oh, oh.
Dave Bittner: Oh.
Maria Varmazis: Yes.
Dave Bittner: I have extra Bert -- I have extra Bert. I have extravert abilities --
Joe Carrigan: Did you have extra Ernies?
Dave Bittner: -- but I do enjoy my solitude when given the opportunity.
Joe Carrigan: Yes, oh I love my solitude from time to time.
Dave Bittner: Yes. This had gone so far that Alfred had even considered selling his home and he had taken out loans against his car. He had put his television in hock to send more money to the scammers. He never actually met anyone, but they had convinced him that this you know, fake Alexa -- there were times when she needed help with money for surgery. That she needed help being protected from Vince McMahon, the guy who runs the World Wrestling Organization.
Joe Carrigan: Oh, my gosh.
Dave Bittner: So, super deep, and the person had you know, fallen for this horribly. And you know, Chris, the son, it's just heartbreaking, you know, because --
Joe Carrigan: Yes.
Dave Bittner: -- these scammers, not only do they take away the father's resources, and in doing so, any resources that could have been passed along to the family on -- when the father passed away.
Joe Carrigan: Right.
Dave Bittner: But also, it just broke up the family.
Joe Carrigan: Yes.
Dave Bittner: I mean, it -- everyone felt betrayed. And they felt like they had lost their grandfather, their father and their grandfather, to these scammers. The father was so trusting of these scammers and it's just heartbreaking. It's so hard when someone believes in this sort of thing and they think that there's real -- I was going to say real love, but even just a real relationship.
Joe Carrigan: Right.
Dave Bittner: You know, I have a neighbor who's going through this in real time.
Joe Carrigan: Really?
Dave Bittner: Yes, yes.
Maria Varmazis: Oh, God.
Dave Bittner: A young man who has some challenges in life, has some physical challenges in life. And lives with his -- and he's in his 20s, lives with his mother near me, and I've spoken with his mother about this, about the romance scam. But, yes, there's a woman in Florida who's basically fleecing him and the thing is, he's an adult, right?
Joe Carrigan: Right.
Dave Bittner: He's not a child. He's an adult. He gets to do what he wants with his money. It's his money.
Joe Carrigan: Yes.
Dave Bittner: And --
Joe Carrigan: Have you talked to him?
Dave Bittner: -- I have not yet crossed paths with him to speak with him. When I do see him, I am going to talk to him.
Joe Carrigan: Yes, I'd like to know how it goes. I have a prediction about how it goes.
Dave Bittner: Yes.
Maria Varmazis: Yes.
Dave Bittner: Yes.
Maria Varmazis: I actually oddly have some experience on the one angle that we haven't covered, not me personally, but I have friends who are somewhat public figures that have been impersonated by scammers.
Dave Bittner: Oh, wow.
Maria Varmazis: And when they go to events, sometimes people who are convinced that they've been in a relationship with them, come up to them like a -- you know, to get an autograph or you know, like a meet-and-greet event?
Dave Bittner: Right.
Maria Varmazis: And it's -- in some cases, people don't know that they've been impersonated until that moment. But other folks find out ahead of time and they actually try to intervene to the person saying, "You know, we've been -- I'm so glad to finally see you in person. I've sent you all that money. How is your dad doing?" or whatever. And you know, you only get a little bit of time to actually tell them, "I'm not the person you've been speaking to. Like, you're being taken advantage of. I would never ask you for money." And sometimes, that gets through, but in other cases, the person just goes, "Oh, you're being coy. I get it. You're being shy about our relationship." And it just --
Joe Carrigan: Right.
Dave Bittner: Wow.
Maria Varmazis: -- the denial runs so deep. I mean, you just -- you just kind of don't know what to do at that point, but --
Dave Bittner: Yes. No, it's heartbreaking. There's more to this story, and so, we will have a link to the story in the New York Times, but you know, this is -- these are becoming so common now. And the heartbreak here is so deep and the financial loss. So, I guess the lesson to our listeners is, check in, you know? Be on the lookout for this sort of thing and just make sure that -- I guess the hope is if you can catch it early on, then maybe you'll have some chance of heading it off at the pass, but it really is a tough one.
Joe Carrigan: Yes, it's awful.
Dave Bittner: Yes. All right, let's move on here. Maria, what do you have for us this week?
Maria Varmazis: Oh, this -- it's a pretty simple one, I think. Sort of an update to an ongoing issue that I'm sure a lot of our listeners who work in IT have been encountering. This one is from our friends at Wallarm who have some new research about DocuSign API abuse, and that's sending out a whole bunch of convincing-looking invoices at scale. So, folks who have been working in IT for ages can tell you, there have been for ages, email security issues where you get Square, DocuSign, I'm trying to think of other, like all sorts of services that businesses often use impersonated in phishing emails. Sorry, what was that? Big point?
Joe Carrigan: PayPal.
Maria Varmazis: PayPal, yes.
Joe Carrigan: Yes, because PayPal has their own interface that you can use.
Dave Bittner: Right.
Maria Varmazis: Yes, and these have been getting abused for years. So, that is nothing new. And the typical scam is, you know, you get a convincing-looking invoice that you didn't expect but maybe you figure you forgot something, and you click on a link. It takes you to a phishing website. Your credentials get exposed, etcetera. This is a slightly different flavor on the old scam that Wallarm is exposing. And this one specifically abuses the, in this case, the DocuSign API to send a valid-looking invoice for a product. And it relies on essentially human error at an organization, because the -- in many cases, this product actually has been requested by the organization. So, they are expecting an invoice. Somehow the scammers I suppose either know or anticipate this. And they essentially use the DocuSign API to create an invoice, that again, is coming from a real DocuSign URL. In this case, usually docusign.net. And then the scammer tacks on an additional charge in the invoice that wasn't supposed to be there. But they kind of sneak it in. And then the idea is the recipient at the organization misses that detail, still signs the invoice through DocuSign, puts in all their bank information, and then the scammer actually receives the funds in their direct bank account. So, to me, it sort of reminds me of like, those birds that sneak into like a nest and push the other eggs out. I don't remember what that was called. Is it brood parasite, apparently? I'm like that's sort of like a brood parasite. Yes, which is like, that's an interesting little twist on this very common scam. And so, Joe, you mentioned that PayPal allows people to send these things out. It scaled DocuSign [inaudible 00:14:46] as well, because I mean, my God, how many DocuSign emails have you all gotten in the last month? I mean, I get a ton. 
So, you can -- DocuSign does make it easy by necessity to automate spray and pray, sending out tons and tons of emails through their API, but unfortunately, it does make it hard to detect these incoming attacks and these incoming fraudulent emails, because it is that cat and mouse game. I was reading on -- I went down a bit of a Reddit rabbit hole on this one to figure out what people are doing about this. This is way outside of my lane. I've never worked in IT, so I'm just trying to figure out like what people are doing. But I was reading some folks saying that essentially, they had to -- it got so bad that they had to essentially manually stop every single email that says it's from DocuSign, and then manually approve them one by one, because they just cannot stay on top of these kinds of scams. Which is like, what a nightmare for business.
Joe Carrigan: Well, I mean, the solution is just tell people, "I'm not doing business with you if you're going to do DocuSign." I mean, but that's not going to work so well.
Maria Varmazis: That's hard.
Joe Carrigan: We want to use DocuSign.
Maria Varmazis: Yes, that's right. Yes.
Dave Bittner: Yes, and you also -- you often find yourself in a business relationship where you are not the alpha person in that relationship, you know? Like, if you're a small contractor and you're doing business with Anheuser-Busch, you know, you're not going to go to them and say, "Listen, we can't use DocuSign." They're going to be like, "We use DocuSign." Right?
Maria Varmazis: And you don't get a say in this.
Dave Bittner: And that's it. Right, exactly.
Maria Varmazis: Yes, exactly.
Dave Bittner: If you want our money, this is who we use, and that's the way it goes. Just real quick, backing up here, Joe, for the folks in our audience who may be scratching their heads, can you give us a brief description of what an API actually is?
Maria Varmazis: Nope.
Joe Carrigan: So, an API, it stands for Application Programming Interface, and it allows you as a programmer, to write code that then calls some web service somewhere. I'm imagining this is a web-based API, a web API, but other APIs can be like with like remote procedure call or some other way of -- there's hundreds of ways to do it. But this is probably a web-based API where you go out and you say, "I'm going to get either -- I'm going to essentially automate doing something with a web service." And it's a -- usually a pretty simple interface that you just have to format correctly and that's what 99.9% of software development is, is formatting things correctly and code formatting and actually there's more to it than that. I'm exaggerating. But yes, it's just a way to automate interacting with DocuSign.
Dave Bittner: Yes, yes.
Maria Varmazis: Yes.
Dave Bittner: So, APIs really enable and empower automation.
Joe Carrigan: And they speed it up. They make it --
Maria Varmazis: Yes.
Joe Carrigan: -- I mean, so a scammer can really go ahead and do this.
Dave Bittner: Yes.
Maria Varmazis: Yes, and get data out there really fast. That's like the beauty of an API, but also the huge risk that they also can entail. And Joe, I actually had a --
Joe Carrigan: It sounds like a problem at DocuSign.
Maria Varmazis: -- it does sound like a problem with DocuSign, although again, them being one of the huge orgs that is targeted for this kind of abuse, I mean -- I mean, I wish them the best of luck. I mean, my goodness, that sounds like a really hard one to tackle. But I was -- they had a white paper about, "What You as an Organization Can Do About It," and a lot of their recommendations were essentially, "Hope your IT team has enough money to have really fancy tools to fight this." But they did say something about --
Joe Carrigan: Right.
Maria Varmazis: -- which was like, "Okay, great. That's wonderful." Enforcing DMARC reject or at least quarantine policies, is like this is getting [inaudible 00:18:09]. Joe, can you explain what that means because I think that that -- I thought that was kind of neat, but --
Joe Carrigan: So, DMARC actually stands for Domain-Based Message Authentication and Reporting and Conformance, which is an email authentication policy that -- also, you can get reports as well. It builds on top of SPF and DKIM which are -- I'm not going to go down into the weeds on those, but they add linkage for the domain it was from, and they look for signatures from it as well. So, presumably, somebody using the API might not have access to a signature. I don't know how that --
Maria Varmazis: Hopefully not.
Joe Carrigan: -- how well that would work.
Maria Varmazis: Yes.
Joe Carrigan: It would be interesting to see if this is an issue that exists if you put on DMARC Deny, which means, if it doesn't have a DMARC record and I can't validate it, I'm not going to even receive the email.
Dave Bittner: Right.
Maria Varmazis: Yes, yes. Yes, which again, it just comes down to, "I hope you have enough money in your org to do this," which just frustrates me, but yes.
Joe Carrigan: Right.
Maria Varmazis: Yes.
Dave Bittner: Yes, I mean I guess the -- the quick thing here would be just to have extra scrutiny for anything coming from DocuSign.
Joe Carrigan: Yes.
Maria Varmazis: Yes.
Dave Bittner: Which, you know, whether or not that's practical or not, that's where we are.
Maria Varmazis: Yes, yes. It is.
Dave Bittner: Yes. All right, interesting. Well, we will have a link to that story in the Show Notes. Before we get to Joe's story, let's take a quick break to hear a message from our sponsor. And we are back. Joe, you are up. What do you got for us this week?
Joe Carrigan: Should I talk about the election?
Dave Bittner: No.
Maria Varmazis: No.
Joe Carrigan: I actually wanted to just talk about this a little bit.
Dave Bittner: People listen to our show to get away from that kind of stuff.
Joe Carrigan: I want a show. I have done something right on Facebook --
Dave Bittner: Okay?
Joe Carrigan: -- because -- have you guys been looking at Facebook since the election?
Dave Bittner: I've checked in.
Maria Varmazis: Yes.
Joe Carrigan: Have you seen -- what does it look like? Does it look like a dumpster fire?
Dave Bittner: Well, I mean, I'd say no more than usual.
Joe Carrigan: Well, okay.
Dave Bittner: But --
Joe Carrigan: I have seen almost no political posting on Facebook.
Maria Varmazis: Really?
Joe Carrigan: Yes, really.
Dave Bittner: You mean, even from your friends?
Joe Carrigan: Yes, even from my friends. The closest I get, I get the ones that are vaguely political. Like I think I saw one of your posts, Dave that was not political, but something else --
Dave Bittner: Yes.
Joe Carrigan: -- that kind of -- tangential. And then I had another friend who said, "Nothing is ever as bad or as good as it seems."
Dave Bittner: Okay.
Joe Carrigan: Right? And that's -- that's been the extent of what I've seen. I've seen tons of ads, though.
Dave Bittner: Yes.
Joe Carrigan: I scroll through and I see ad after ad after ad. But, no. I have gone through enough times and said, "I'm not interested in seeing anybody else's political opinion."
Dave Bittner: Okay.
Joe Carrigan: I don't want to see it. I don't want to hear it. It's not what I do with my life. It's not how I spend my time. It's not what I think about. I don't want to see it. And I think that something has happened where I'm not -- I've done enough complaining or enough saying, "I'm not interested in this," that I don't see it.
Dave Bittner: A squeaky enough virtual wheel --
Joe Carrigan: Right.
Dave Bittner: -- that Facebook has thrown up its virtual hands and said, "Don't show Joe anything political."
Joe Carrigan: Right.
Maria Varmazis: Joe has won over Zuckerberg.
Dave Bittner: [inaudible 00:21:08] pays off.
Maria Varmazis: Holy cow.
Joe Carrigan: Although, I'll tell you, I am seeing tons of ads.
Dave Bittner: Yes.
Joe Carrigan: And I get lots of links to all the pages I'm following as well.
Dave Bittner: Yes.
Joe Carrigan: Which are stupid pages.
Dave Bittner: Yes. No, it's --
Maria Varmazis: Well, what's different there? I mean, ads and stupid pages are always, always -- like there's no change.
Joe Carrigan: Right.
Maria Varmazis: That's exactly what my Facebook's been like for years, although it says probably a lot more about me, to be honest.
Joe Carrigan: So, aside from that, I just wanted to say, "Yay, me."
Dave Bittner: Congratulations.
Maria Varmazis: Yes.
Joe Carrigan: Here's something where Facebook has actually produced a pleasant user experience, or at least not a negative one.
Dave Bittner: Right, that's the high praise that we can --
Joe Carrigan: Right. I can say this. Using Facebook after the election, for me, did not suck.
Dave Bittner: Yes.
Joe Carrigan: But it did require a lot of upfront work.
Dave Bittner: Okay.
Maria Varmazis: Sorry, that has not been my experience at all.
Joe Carrigan: Yes.
Dave Bittner: Yes.
Joe Carrigan: I'm sure. I'm sure that most people listening to me right now are like, "How does he do it?" And I'm like, "I don't know. I just started complaining about I don't want to see this." Whenever anything -- anybody posted anything political, didn't matter if I agreed with it or not, I was like, "I don't want to see it." And that apparently works, if you do it long enough.
Dave Bittner: Okay.
Maria Varmazis: All right, I'm going to try it.
Joe Carrigan: All right, so actual -- actual stories. Let's see, I have this one that's actually from the middle of last month. It came out. It's from Okta. Actually, it's actually on cve.org. It's a -- which is Common Vulnerability Enumeration. Okta found out that if -- there was something with their Okta Verify for iOS, Version 9.251 beta and 9.27, allow push notification responses through the iOS context sensitive feature that allows authentication to proceed regardless of your selection. Okay, so if you click Authorize, the connection is authorized. If you click Don't Authorize, the connection is authorized.
Dave Bittner: Oops.
Joe Carrigan: Now, this is not -- yes. This is like the part of social engineering that I think is part of social engineering, but a lot of people will say, "No, this is just a software bug."
Dave Bittner: Okay.
Joe Carrigan: It is a software bug. That's 100% correct. And it's probably not a software bug with the underlying security principles. It is a UT, or as they say in the biz, UIX --
Dave Bittner: Yes?
Joe Carrigan: -- User Interface Experience. It's a UI bug. This is someone who just called the same function on two parts of a form or web app or whatever it is, that -- it's not a web app. It's a phone app. On two parts of the interface, they called the same function. That's my guess. I'm speculating but I'll bet that's what it was.
Dave Bittner: Okay.
Joe Carrigan: So, that's a problem caused by a human doing something wrong.
Dave Bittner: Right.
Joe Carrigan: So, this illustrates how there's this general sense out there that, "Oh, the computer says this. It must be right." No. No. Humans write software. Humans are vulnerable and fallible. Therefore, software is vulnerable and fallible. So, keep that in mind.
Dave Bittner: Well, humans write software for now.
Joe Carrigan: For now, correct? Yes, I'm sure there's [inaudible 00:24:18].
Maria Varmazis: You almost have to study it well.
Dave Bittner: I will just -- I'll add to your story here, Joe, that things have not been going well for Okta lately. And for folks who aren't familiar, Okta, they are in the authentication business.
Joe Carrigan: Yes.
Dave Bittner: Like, that's what they do. They -- if you need a widget for your app or you know, whatever, you can get it from Okta, and they'll take care of that part of it for you. And they recently had another bug where if your username was longer than 52 characters, you didn't have to have a password to log in.
Maria Varmazis: Uh, oh.
Joe Carrigan: Well, that's just because your username is as long as a username and the password should be, Dave.
Dave Bittner: Yes, so [inaudible 00:25:07] of course --
Joe Carrigan: I'm joking, of course.
Dave Bittner: -- it had something to do with -- there was some sort of hashing issue with something, blah, blah, under the hood, you know, technical kind of things. But --
Joe Carrigan: They're not validating input. That's my guess.
Dave Bittner: Yes. I do believe that is -- was among the things I read about the problem --
Joe Carrigan: Yes.
Dave Bittner: -- but, so, yes. But not good to fear Okta right now.
Joe Carrigan: No. Okay, so that was my first story. Second story actually is a social engineering story, and it has to do -- this is from the BBB. And it has to do with a new scam that's going around. And since we're now entering -- we're exiting out of silly season --
Dave Bittner: Yes.
Joe Carrigan: -- as Dave likes to call it, and we're going into now the Christmas Holiday or Christmas, Hanukkah --
Maria Varmazis: Oh, our liturgical calendar, yes.
Joe Carrigan: Yes, that's right. That's right.
Dave Bittner: We're on final approach.
Joe Carrigan: We're on final approach for all these shopping schemes.
Maria Varmazis: Scammer advent.
Dave Bittner: Right.
Joe Carrigan: That's what it is. That's a good one, Maria. So, here we are, Scammer Advent.
Dave Bittner: Yes. Whoa, what did we get today?
Joe Carrigan: Right.
Dave Bittner: Oh --
Joe Carrigan: Can you imagine your scammer advent calendar?
Dave Bittner: Yes, I can. There's your million-dollar idea, Joe. Scammer advent calendars.
Joe Carrigan: So, you're probably online, and as Dave likes to say, minding your own business and you decide to purchase from some website or maybe you get an email that says, "Hey," it looks like it's from Amazon or Best Buy or wherever you shop. It's not, but it looks like it is. So, you go there and there's this incredible deal on something, and you go to enter your credit card information, and it says, "Your credit card's been declined." And you're like, "Huh, that's funny. This card has plenty of room on it." So, you try it again. Nope, declined again. So, what do you do, Dave? What's the first thing you do?
Dave Bittner: I get a different credit card.
Joe Carrigan: You get a different credit card. That's exactly right. And you try it again. Nope, that one's declined, too. Maybe you try as many as three credit cards --
Dave Bittner: Yes.
Joe Carrigan: -- and they all get declined, or at least they're told. What's happening behind the scenes is that the bad guys are collecting all your personal information, and they're telling you the card is declined so that you enter more credit card information. And then, they're charging your credit card more than they told you they were going to charge for something they're not going to send you.
Maria Varmazis: Oh, wow.
Dave Bittner: Wow.
Maria Varmazis: Oh, wow. All right.
Dave Bittner: So, they're using the card declined --
Joe Carrigan: Right.
Dave Bittner: -- to get me to give them --
Joe Carrigan: another credit card.
Dave Bittner: -- more credit cards --
Joe Carrigan: Yes.
Dave Bittner: -- and then all the credit cards I give them, they're fraudulently charging.
Joe Carrigan: Yes, and there is one story in here where somebody entered a -- consumer entered a -- to make a purchase on a website, got the declined message, retried with the same card and obtained the same error message. Then they got an alert from their credit card company, almost instantly, said that a $2500 charge was declined.
Dave Bittner: Wow.
Joe Carrigan: Now, that's probably a legitimate decline because they might not have had $2500 on a credit card.
Dave Bittner: Right.
Maria Varmazis: Yes.
Joe Carrigan: I mean, I have credit cards that have limits close to that. Right? I mean --
Dave Bittner: Sure. Sure.
Joe Carrigan: -- so that credit card is never going to have $2500 on it, which is good for this person. But so, they're just -- what they're doing is they're just getting more information from you. They're stealing your identity. They're actually collecting all your personal information as well, and then they're just charging your credit card and hoping to get away with it. I don't know how effective this is going to be. I think if they go for these $2500 charges, they're going to get busted and it's not going to work.
Maria Varmazis: Yes, they got greedy.
Joe Carrigan: I think if they go for $10, $15, they'll just -- it'll work all day long.
Dave Bittner: Well, but I wonder was the $2500 charge the one that tripped up the bank. You know, like do they start, because I've seen a lot of these things where they'll start with like a dollar. Right? Just to see if it's a usable card.
Joe Carrigan: Right.
Dave Bittner: And then they escalate.
Joe Carrigan: Yes.
Dave Bittner: They're like, "All right, let's try $100. Well, that worked. Let's try $1,000." You know?
Joe Carrigan: Right.
Dave Bittner: And they go from there. So, I wonder if it's something like that? But I mean, how do you protect yourself against this?
Joe Carrigan: Well, the BBB has several tips. They say, verify that you're shopping at a legitimate website.
Dave Bittner: Yes.
Joe Carrigan: Scammers like to use fake and lookalike web domains, and we've seen how those can get really good.
Dave Bittner: Yes.
Joe Carrigan: Using different alphabets that look -- you know, that have the letters that look kind of like, I guess Roman alphabet is what we use? I don't know. Is it Roman? It's Roman, right?
Dave Bittner: I think so.
Joe Carrigan: Yes. And then --
Dave Bittner: It's not Egyptian.
Joe Carrigan: Right. That's just a bunch of pictures.
Dave Bittner: It's not Greek. You're welcome, Maria.
Maria Varmazis: Thank you.
Joe Carrigan: Stop at the gamut. That's where we catch on. Watch out for emails and texts with ads. Now, I don't know. I've never clicked on a text and gotten a text and gone, "Oh, I think I'll go buy that." Never. No. Me either.
Maria Varmazis: Well, that's you.
Joe Carrigan: Right, that is me. You're right. It is me, old man, who hates getting a text message. Don't be fooled by great offers. That's a big one. That is one that works on me. And research the business. Look them up. Of course, the BBB says, "Look them up on bbb.org."
Dave Bittner: Sure.
Joe Carrigan: And use the BBB scam tracker. And use a credit card with some extra protection. You know, like --
Dave Bittner: Yes.
Joe Carrigan: So that when you say, "Hey, that's a fraudulent charge. I need you to turn that credit card off, get me a new one and not charge me for that."
Dave Bittner: That may be the best advice of all.
Joe Carrigan: Yes.
Dave Bittner: We've talked here before about how you know, there are premium credit cards and Amex comes to mind.
Joe Carrigan: Yes.
Dave Bittner: You know, you'd pay a lot more for the privilege of using that card, but if something does go wrong, they just fix it.
Joe Carrigan: Right.
Maria Varmazis: Yes.
Dave Bittner: And so, you know --
Joe Carrigan: That is nice.
Dave Bittner: Yes. Interesting. I guess too, if you -- if you get a card declined, and you know it's a card that has available balance, probably the thing to do is to call the credit card company before you whip out another credit card.
Joe Carrigan: You know, this actually happened to us recently. My wife had a credit card. Why was she trying to use it? Because she was calling somebody, I think, giving them the card over the phone for something we had to pay for. She wasn't there in person. And it got declined like three times.
Maria Varmazis: Were they overseas?
Joe Carrigan: No, no it was -- we had to take our dog to an emergency vet. That's what it was.
Dave Bittner: Oh, okay.
Joe Carrigan: And they might have been using something like Square or something.
Dave Bittner: Okay.
Maria Varmazis: I mean, I've had this happen to me when I've tried to buy things from retailers that are overseas, because my credit card will go, "That's a weird location to be using this for."
Joe Carrigan: Right.
Dave Bittner: Yes.
Maria Varmazis: And sometimes when you're buying stuff online, you have -- like you don't really necessarily think about where you're buying it from. So, yes, that can happen.
Joe Carrigan: But anyway, she wound up using a different card that worked, and when I called the credit card company, I'll tell you, it was Capital One, I said, "What's going on? You seeing these declines?" They're like, "Oh, yes. That card's not activated." I'm like, "Whoa, wait a minute. She used it two days ago to buy groceries." And they're like, "Oh yes, that was a card-present transaction. This was a card-not-present transaction."
Dave Bittner: Oh.
Joe Carrigan: So, I don't know what system the emergency vet was using.
Dave Bittner: Interesting.
Joe Carrigan: Yes, my dog got into it with one of my daughter's dogs and I had to go up.
Dave Bittner: Oh.
Joe Carrigan: She's fine.
Dave Bittner: Okay.
Joe Carrigan: They're a couple of dum-dums, these dogs. I love them.
Dave Bittner: Yes, they can't help it.
Joe Carrigan: Yes.
Dave Bittner: All right, well we will have a link to these stories in our Show Notes. Joe, Maria, it is time to move on to our "Catch of the Day." [SOUNDBITE OF REELING IN FISHING LINE]
Joe Carrigan: Dave, our "Catch of the Day" comes from William. I'm just going to go ahead and let you read this, Dave.
Dave Bittner: All right. It goes like this. "Dear Unhappy Beneficiary, I felt that it was needful to confide in you something that I found very disturbing in relation to your financial transaction that has appeared unending, even with the substantial amount you have put into it. No doubt, the outcome has been very distressing and damaging for you, but I must make it very clear to you. At no point, must you divulge our correspondence to any third party without the permission of Mr. Mark Baumgardner [phonetic] who has done well in making sure your funds were not illegally confiscated as it were. No doubt, a lot of things missed the right way, but a lot has been straightened to accommodate your request for withdrawal of your funds via the recommended platform. Without any iota of delay, kindly reply to me, if you choose, as quickly as you can for more information. In any case, you might need a lead to its urgent and positive finalization. It is important you reply with your full details for reconfirmation and further directives and positive advice. Sincerely, Mr. Christopher Wilson, Chief of Protocol Office of the Due Process Unit. [inaudible 00:33:57] Unit United Nations Headquarters, New York."
Maria Varmazis: Who would this work on?
Joe Carrigan: Somebody.
Maria Varmazis: Oh, my Lord.
Joe Carrigan: I'm not even sure what they're asking for here.
Dave Bittner: What, like there's --
Maria Varmazis: It's all this business speak. Like what is this?
Joe Carrigan: Yes.
Maria Varmazis: Like the ask is not clear. How is this effective? I don't think [inaudible 00:34:19].
Joe Carrigan: I have a question for you, Maria.
Maria Varmazis: Yes?
Joe Carrigan: Do you know how the word "iota" got to be -- mean "something very small"? It's a Greek letter. Is it the same etymology?
Maria Varmazis: No, that's a good -- you know, what? I took an etymology class many years ago, and I think back then I knew. I do not know now. I'm just -- I'm still laughing at the idea of writing in an email, "Mr. Christopher Wilson," to refer to oneself. That's just --.
Joe Carrigan: Right.
Maria Varmazis: I'm still kind of stuck on that.
Dave Bittner: That's Mr. Wilson to you.
Joe Carrigan: Right.
Maria Varmazis: And also, [inaudible 00:34:45] having a Payment Review Unit, which just -- wow. Okay, anyway. No, so how did iota -- how did [inaudible 00:34:53] become a thing?
Joe Carrigan: It's [inaudible 00:34:56] -- that makes sense because -- yes, because it's the I is actually like a J, right? Like a J or a Y [inaudible 00:35:02].
Maria Varmazis: A backwards J, yes, yes.
Dave Bittner: So, you don't know the answer either, Joe?
Joe Carrigan: I don't know. No, I [inaudible 00:35:08].
Maria Varmazis: Oh, you were asking me if I knew. Oh, no, I have no idea.
Joe Carrigan: Okay, great. Homework.
Maria Varmazis: I know everything related to Greek stuff. In fact, I have [inaudible 00:35:18].
Dave Bittner: Well, come on, Maria. So --
Maria Varmazis: I know, my cards are [inaudible 00:35:23].
Dave Bittner: Well, we've created a cliffhanger for our listeners and some follow-up for ourselves. So, when we come back next week for a follow-up, we will start off with the story of -- you know what? Let's do this. Let's --
Joe Carrigan: Do it now.
Maria Varmazis: Just Google it.
Dave Bittner: No, no, no. Here's what we're going to do. Here's what we're going to do. Okay?
Maria Varmazis: I'm doing it now.
Dave Bittner: Joe and Maria, the two of you, when we're done, you're going to decide -- one of you is going to look up the real reason iota got to mean a small thing.
Joe Carrigan: Okay.
Maria Varmazis: I mean, I have a theory.
Dave Bittner: The other is going to come up with a fake reason for why it is a thing. And then I'm going to choose which one is the real story.
Joe Carrigan: Okay.
Dave Bittner: All right?
Joe Carrigan: Okay.
Maria Varmazis: Okay.
Dave Bittner: All right? So, one of them's real. The other one, not real, but has to sound real, because your goal is to trick me into choosing the not real one.
Maria Varmazis: Oh, geez.
Dave Bittner: Got it?
Joe Carrigan: Let me see if I can -- I'll take the fake one, Maria.
Dave Bittner: Well, now I know. You can't --.
Joe Carrigan: Okay.
Maria Varmazis: We're really good at this.
Dave Bittner: I wonder which one of you has the real -- you're horrible at this game, Joe.
Joe Carrigan: Dave, we'll blind it, Dave. We'll blind you to who wrote what.
Dave Bittner: I see. So, I won't know which -- I won't know [inaudible 00:36:50] or reading the one that you actually wrote.
Joe Carrigan: Well, you can read them both. You'll read them -- we'll put them in the document, and you can read them both and then you can decide.
Dave Bittner: All right.
Joe Carrigan: And mine will be the fake one.
Dave Bittner: Am I going to regret coming up with this fun little thing?
Joe Carrigan: Probably, yes.
Maria Varmazis: I like it. I like it.
Dave Bittner: All right, okay. All right, and let's [inaudible 00:37:12]. Listeners, no spoilers.
Joe Carrigan: Yes.
Dave Bittner: Yes, no spoilers. And I am going to do my best over the course of the next week to avoid learning.
Maria Varmazis: We're doing [inaudible 00:37:23] semantics on "Hacking Humans." Is that the segment we're doing?
Dave Bittner: Yes. We'll have a whole new podcast.
Joe Carrigan: [inaudible 00:37:31] would be proud.
Dave Bittner: Yes, there you go. All right, that is our "Catch of the Day." I don't know if we mentioned that this came from a listener named William and William, we thank you for sending that in. This is a good one. We do appreciate it. That is our show. We want to thank all of you for listening. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes, or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your team smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tre Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.
Joe Carrigan: I'm Joe Carrigan.
Maria Varmazis: And I'm Maria Varmazis.
Dave Bittner: Thanks for listening. [ Music ]