Hacking Humans 12.12.24
Ep 317 | 12.12.24

Silent push, loud consequences.

Transcript

Dave Bittner: Hello everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Joe.

Joe Carrigan: Hi Dave.

Dave Bittner: And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis. Maria.

Maria Varmazis: Hi. Hi Dave, and hi Joe.

Joe Carrigan: Hi.

Dave Bittner: We've got some good stories to share this week, and we will be right back after this message from our show's sponsor. All right, no follow-up this week, so I am going to jump right into our stories here. My story this week comes from an organization called Silent Push, which is a cybersecurity company. They do threat intelligence for folks. And they published a story about a group that they're calling the payroll pirates.

Joe Carrigan: I'm going to guess what they do.

Dave Bittner: Tough one. They are doing HR phishing scams. So, let's walk through how you get scammed by this group. They start off by having some ads that are branded to keywords that they buy in the usual places. Your Google AdWords, your Facebooks, all the normal places where people buy ads.

Joe Carrigan: Right, and once again, big tech is more than willing to sell ads to criminal actors.

Dave Bittner: That's right.

Joe Carrigan: Sorry everybody. There's a profit to be had.

Dave Bittner: That's right. So, what this does is let's say you are working for one of the companies that they target, and, for example, Macy's is one of the companies that they target. So, you go to your browser. You go to Google, and you do a search for Macy's HR. And up pops at the top of your list the Macy's HR portal, but it is not the Macy's HR portal.

Joe Carrigan: It is a malicious ad, isn't it?

Dave Bittner: Right. It is a malicious ad, but when you click through it looks to all the world like it is the Macy's HR portal, and of course, they ask you for your login information or I should slow down. They ask you to log in to what you think is the Macy's HR portal, and as you enter your information, meanwhile they are actually entering the real Macy's HR portal. This research says that they likely take that information that you gave them and then they combine it with information they're able to gather elsewhere on the web. For example, your Social Security number, your address. The things that the legit HR organization would use to try to verify that you are actually who you say you are.

Joe Carrigan: Right. I want to talk about something similar to that in my story today, but go ahead.

Dave Bittner: So, once they get your credentials and they are into your HR account, they start changing things. And the main thing that they are after here is your bank routing information. So, they will go into your HR portal. They will change where your payroll is routed to because most people do direct deposits these days. They will route the money to a new location and then they sit back and they wait, and the payroll happens, and your money goes to their bank account, and it probably takes you a little while to figure out what's happening, and by that time, they're gone. They've got your money and they're on their way.

Joe Carrigan: They've pulled it out of the bank because it's not a big amount, right? A paycheck is not a difficult amount of money to move around.

Dave Bittner: All things considered, that's right. That's right. It doesn't --

Joe Carrigan: For a financial single.

Dave Bittner: Yes, right. A single payroll doesn't throw off a lot of red flags on its own, but if you can do this at scale then you can make a lot of money.

Joe Carrigan: I'm talking about the money mules. So, you can send a money mule out. Like let's say your paycheck is $2,000. A money mule can pull that out of an ATM or a couple of ATMs quickly.

Maria Varmazis: That's true.

Dave Bittner: Right. They can move it.

Joe Carrigan: That's true. It makes it a lot easier to launder that money. Yes, interesting. So, the couple of other bits of information about this group, infrastructure-wise, they're making use of a lot of the common registrars like Namecheap and some of the other inexpensive registrars for the domain names. And they register domains that look legit-esque at the outset with the companies that they're trying to target. So, how do we protect ourselves against this sort of thing? Well, of course, vigilance. Easy to say. I would say never click on an ad. Yes, but that's almost impossible, especially with the social engineering that Google and Facebook do, well, particularly in this case Google because that's where you're going to get these ads. In fact, I have found myself using Google less and less. I am starting to use Bing as my search engine. Oh, wow.

Dave Bittner: What do you mean wow? Are you saying that's not any better?

Maria Varmazis: It's just one of those phrases you just don't expect to hear.

Joe Carrigan: Like I can't tell you why. It's just I had the -- a couple of reasons. One, when I enter Google search results into Google, I get these ads that are just intrusive. Like the first five search results look like ads. Google has gone ad crazy with all their products. Like YouTube is a miserable experience if you don't have YouTube Premium.

Maria Varmazis: Which I don't.

Joe Carrigan: So, when I go to Bing, I don't get accosted with as much and it seems to be the ads are better defined by Microsoft than they are by Google. Also the search results are better.

Dave Bittner: Have you tried DuckDuckGo?

Joe Carrigan: I have tried DuckDuckGo. Search results not as good, although they're using just Microsoft's search engine.

Dave Bittner: They're using Bing. Yes.

Joe Carrigan: So, I don't know why they're not as good as Bing. I like Bing better.

Dave Bittner: Fair enough.

Joe Carrigan: But yes, that's where I am with this. I've kind of started to make the switch.

Maria Varmazis: Bring back Ask Jeeves. That's what we need. We all want [inaudible 00:06:48] to get rid of our [inaudible 00:06:52].

Dave Bittner: I think one of the issues here is that a lot of folks, I was going to say unsophisticated Internet users, but I don't think that's fair anymore. At this point, what does that really mean? But a lot of people think of Google as being the front door to the Internet still. And for a lot of people it is. So, if they're looking for anything they just go right to Google, because traditionally that works, but when these folks are able to buy their way to the top of the search results and Google doesn't do a great job filtering out these ads that appear to be from legitimate organizations, you see you've got to be really vigilant because they are labeled as ads, but it's not in your face. It's not. It's very subtle.

Joe Carrigan: Google has a financial incentive for you to click on that link. They get paid more when that happens.

Maria Varmazis: And it used to be that if you went to a fishy website, a while ago you would sort of have a spidey sense of this website looks scammy. It doesn't look as well put together, but now with the, I hate to say the phrase but I've got to, the [inaudible 00:08:07] of everything, the professional services that we all sort of use are not looking as professional as they used to. A lot of good websites don't look as good as they should. I don't know. The bar has been so lowered in a lot of things that that spidey sense of this looks scammy, a lot of things sets that off nowadays. It's kind of harder to discern what's real and what's not even if you're really paying attention for it.

Dave Bittner: Yes, I agree. I'm trying to think from the HR department's point of view, kind of things they could do to help lock this down more. Obviously education. Telling people don't go searching for our HR portal on Google. Try to make it as easy as possible for your employees to use the internal web portal, and then just lock that puppy down. I mean if there's ever a place to have robust multi-factor authentication, I would say hardware keys.

Joe Carrigan: Yes. Every new employee gets two. Just give it to them.

Dave Bittner: Right. And require them for your HR stuff. Why not?

Joe Carrigan: There's no reason to not except for the cost of like $90 per person for hiring. It's not that big of a cost per person.

Dave Bittner: Right. Any other thoughts here for how folks on the HR side might be able to help their users keep this from being a problem?

Joe Carrigan: Well, they could buy ads from Google Dave and put the legit site up. That's probably Google's [inaudible 00:09:32]. [inaudible 00:09:32]. Isn't that nice? Wouldn't it be nice if you just bought some ads from us and then your employees wouldn't be getting their paychecks stolen.

Dave Bittner: It's like a mob.

Joe Carrigan: Right. Hey, it's a nice HR department you've got here. It'd be a shame if somebody were to buy ads and get access to it.

Dave Bittner: In fact, that is what you're dealing with. Where we are. We're still waiting for that big ad contract here on the CyberWire from Google, right? That's never going to happen.

Joe Carrigan: Not going to happen. No.

Dave Bittner: Well, you know what's funny? One of the articles I was reading about this, about this kind of thing pointed out that it's not that Google is doing nothing. They said Google has removed literally billions of fraudulent ads a year and millions of accounts but they just can't keep up.

Joe Carrigan: It's whack a mole. These guys can just spit up new accounts very quickly and very easily.

Dave Bittner: And as you say Joe, I mean they're dealing with perverse incentives. All right, well we will have a link to this story in the show notes. This is [inaudible 00:10:41] research for the folks over at Silent Push who, of course, they are happy to sell you a solution to this problem.

Joe Carrigan: Of course they are.

Dave Bittner: But the research itself is quite interesting. All right, let's move on. Joe, what do you got for us this week?

Joe Carrigan: Dave, you remember a long time ago when I said I felt left out because I never got any of your scam messages.

Dave Bittner: Yes. Nobody loves you.

Joe Carrigan: I regret saying that, Dave.

Dave Bittner: Oh, my.

Joe Carrigan: I want to feel like I'm left out again. So, I got the first one of these. First off, I've been getting all kinds of scam package deliveries text messages. I said that totally wrong. You know, the USPS ones that are obviously just links or Amazon. Here's a link, and Google has done a pretty good job. I'm going to say this about Google. We just got done bashing them, but I do pay Google for my phones and they have done a pretty good job of keeping that kind of stuff out of my inbox. Well, I got one when I was down -- recently I went down to Texas and I got one that was somebody doing this wrong number text thing. And she starts -- I say she like it's really a she. It's probably not a she. But this person starts texting with me and calling me by some wrong name, and I'm like, "No. I'm sorry you have the wrong number." And then we carry on this conversation. Eventually I start saying like, "Yes, well I'm not in Maryland right now. I'm in Texas," and I'm out here hog hunting and coyote hunting. It was fun for a while but then eventually I stop. But at some point in time, this person sent me a picture of a very attractive young Asian woman, which is interesting because yesterday as I was leaving my office I got another one that says, "Hey, are you still in Maryland," and I'm like well, that's weird because this is not the same number. But this one said, "Hey Joseph, are you still in Maryland?" That's why it got my attention. And I responded, "Who is this," because I don't know. Maybe it's some -- I get a lot of calls from recruiters from time to time, and it seems to be that those are ticking up right now. I'm getting people from recruiting companies trying to contact me, and I'm not looking for a job so I try to avoid talking to them. But that's what I thought it was, was a recruiter so I said, "Who is this?" And then I get the long intro, "Oh, it's me. I had met you from this place. Don't you remember we had dinner together," and I'm like, "No." And they send me another picture of a different young very attractive woman. And I'm wondering why is it always Asian women? Maybe that's the source? Maybe that's where it's coming from? I don't know. I don't know if there's anything significant about that at all.

Dave Bittner: I don't know either, but you're right. I mean whenever you see these people doing screen grabs of these, that is pretty consistent.

Joe Carrigan: So, I just ignored that one and sent that one to spam. I just don't have time for this anymore. My point here is this. The second one actually got me. Even if it was only briefly. They got me to respond and engage. I didn't get it as a scam right away because they came in, they had my first name which is what I was talking about earlier, my phone number and name are probably out there in some scammer's system with a bunch of different things. By the way I told the people -- the one I was talking to when I was in Texas that my name was Butch, and she asked for a picture of me, and I just googled redneck with a shotgun and sent the first result.

Dave Bittner: Pretty good. I googled redneck with a shotgun and darn it if my picture didn't come up.

Joe Carrigan: This looks remotely like me with a shotgun. I'll tell you Dave, the picture is not that far off. If I had a beard it could easily have been me. It was a little younger. So, and this guy was exactly the same build as me. He was a little bit like wow, maybe I shouldn't have googled that.

Maria Varmazis: A lot of monkey paws just curling in this story. I'm just hearing it.

Joe Carrigan: So, we'll have to ask you later what that reference means. I don't get it.

Maria Varmazis: The monkey paw? The fingers. Like you are doing things with unintended consequences.

Joe Carrigan: Oh, okay. I get it. Like the monkey paw wishes.

Maria Varmazis: Yes.

Dave Bittner: Call yourself a Simpsons fan.

Joe Carrigan: Oh, the Simpsons fan. No, I know the Simpsons. Oh, Maria. Am I right, Maria? So, a lot of unintended consequences. Anyway, my point here is I was wondering what these scams -- what's their endgame? What is it? And I looked around today and I found a company called Merrimack.com. It's actually a community bank.

Maria Varmazis: It's a highway. I live in the Merrimack Valley. It's a river up here.

Joe Carrigan: Do you know Merrimack Community Savings Bank?

Maria Varmazis: Not personally but it's a thing that exists in the area that I live in. Yes.

Joe Carrigan: Okay. Well, they have a nice story here. It looked like a little don't-get-caught-by-this-scam kind of thing. It was posted on October 17th. We'll put the link in the show notes. The wrong number text scams are on the rise. And what it is is they'll strike up a conversation with you after you've established this is a wrong number. And then they try to lure you into some kind of scam, and this could take weeks or months to do. So, they're patient. They are willing to do this. So, how to protect yourself? They say ignore texts from people you don't know. By responding, you're letting the scammer know your phone number is active and you could be receiving more texts, which happened to you. Exactly.

Dave Bittner: Well, I was going to give you a little hard time Joe because when you were describing the second one you said, "I never interacted with these people" but you did.

Maria Varmazis: Why did you respond?

Joe Carrigan: That's right.

Dave Bittner: You let them know that that was an active phone number.

Maria Varmazis: It's like the whole joke about people getting solicitors at their front door and people under a certain age never have this issue because none of us answer the door when the doorbell rings. It's like if I wasn't expecting you I am not answering the door. I don't care who you are. The same with the phone. Just don't.

Joe Carrigan: It reminds me of the Kathleen Madigan joke where her father was saying that he was a door-to-door salesman and she said, "What do you do with the people that have the no soliciting sign?" He goes, "Oh, those people buy anything." That's why they have the sign. Yes, this was my mistake here. I thought I was going to have some fun with the first one but now I'm getting hit with the second one. I got actually a third one which may have been an actual wrong number because this person followed up with a call and they were looking for their dad, and I sent them a text that said, "Wrong number" and they -- I said I got two texts and a phone call, wrong number, and they were like, "Sorry about that." It was a wrong number and then that was it. I haven't heard anything back from that one yet.

Dave Bittner: Do you ever get calls -- do people just call you out of the blue and say, "Did you call this number?" Do you ever get that?

Joe Carrigan: I have never gotten that. No.

Dave Bittner: I have. I've gotten it a couple of times.

Joe Carrigan: Only when I have called a number do I get that.

Dave Bittner: I've gotten that a couple of times. Just out of the blue. It's not someone I called. Then I call back and say, "No, I've never called this number," and they're incredulous because somebody has spoofed my number to call them and they're like, "Well, it says right here, this is the number that called me." I did not call you. I don't -- I've never met you. I'm sorry.

Joe Carrigan: Dave, you need to go all expert on them. Do you know who I am? [inaudible 00:18:42] would love that.

Maria Varmazis: I'm Dave from CyberWire.

Joe Carrigan: I'm going to ask you to go to your computer and do a Google search for [inaudible 00:18:49]. I want you to listen to the entirety of the catalog. Now don't click on the first link that comes up because that's hacking humans, and it's totally a scam site. Because somebody bought a Google ad.

Dave Bittner: All right. Anything else, Joe?

Joe Carrigan: No, that's it. Just you should probably ignore those stupid messages and the people who have written the same, don't engage with these people. You're all 100% correct. I couldn't help myself.

Dave Bittner: Do better than Joe. That's the message for the day.

Joe Carrigan: Do better than Joe.

Dave Bittner: Three hundred and seventeen episodes in ladies and gentlemen. He does it so you don't have to.

Joe Carrigan: Can we just say dogfooding?

Dave Bittner: Yes. Taking one for the team.

Joe Carrigan: That is the second time in as many days is I've heard that reference. Now I have to look that up and figure out what that means.

Maria Varmazis: It's a stupid tech term.

Dave Bittner: So, did you have a stroke this week?

Joe Carrigan: No.

Maria Varmazis: You never heard of dogfooding?

Dave Bittner: You didn't understand dogfooding or monkey -- you're a developer. You don't know dogfooding or a monkey's paw.

Joe Carrigan: No. I know monkey -- I get the monkey's paw.

Maria Varmazis: Are you all right, Joe?

Dave Bittner: Joe, before you leave today we're taking your blood pressure.

Maria Varmazis: Actually I invented these phrases. Me specifically, no one else. You've never heard them before I said them. I'm that brilliant. That's exactly it.

Joe Carrigan: Oh, eating your own dog food. I've heard the eat your own dog food thing.

Maria Varmazis: Yucky.

Dave Bittner: We're going to take a break before our next story here. A quick word from our show's sponsors. Stay with us. [ Music ] All right, we are back, which means Maria, it is your turn. What do you got for us this week?

Maria Varmazis: I guess we're all just doing stuff that happened to us this week.

Dave Bittner: Sounds like a good one.

Maria Varmazis: Yes, because I had something pop into my inbox after all the stories that we've been doing recently about people sending invoices through legitimate services that look real but are actually fraudulent. Usually these get caught by our spam folders. They're pretty easy to get flagged. But one actually landed in my inbox, and it was a fraudulent PayPal invoice, but there was something about it that I thought was actually kind of impressive in a bad way. So, that's why I'm highlighting it. Because the ones that just say, "Here's an invoice for some money," yes, yes, you know that those are fake. But the one I received that said here's your invoice, again sent via PayPal legitimately, but of course, fraudulent, had, spammed everywhere throughout it -- in the subject line, in the message, in the actual fake transaction note -- "Seeing a charge that doesn't seem right? Reach out at actual phone number for help," which I had not seen before, where it gives basically a fake customer support number.

Joe Carrigan: In the subject line.

Maria Varmazis: In the subject line. In the message. Even in the note from the seller. It's throughout the message. So, this actually surprised me because they're expecting that someone is going to go, "Oh, this is obviously one of those fake invoices." They know that that's going to be the reaction and they're expecting you to go, "Well, I'm not expecting this. Let me call this phone number." And by repeating it hopefully a whole bunch of times somebody might actually do it. So, I actually did it, but my ISP was clearly looking out for me because the number was disconnected, which I was really disappointed about. So, I clicked the link in the email, which was also a really stupid idea.

Joe Carrigan: Maria, what have we learned from my story today?

Maria Varmazis: I know.

Joe Carrigan: Nothing. That's the [inaudible 00:22:25].

Maria Varmazis: I've learned nothing. I should be fired. I clicked the link in the email.

Dave Bittner: Got bad news for you, Maria.

Maria Varmazis: I am now completely compromised. And it indeed -- because I looked at the URL. I'm like this is a legitimate PayPal and it actually did go to PayPal. PayPal very nicely at the very top said, "This has been flagged as a fraudulent invoice," so good job PayPal. The phone number in the subject line and the message and all that had actually been changed by that point. And I called it again because I was really curious what would happen if I called that number.

Joe Carrigan: So, when you click on the link you see an online version of the invoice.

Maria Varmazis: Of the invoice, and the phone number had changed by that point. Who knows how many times they had cycled through new phone numbers? Like whack a mole. But I called that number before I suppose PayPal froze the invoice as fraudulent, and unfortunately my ISP yet again looked out for me and didn't allow the call to go through. But I was really impressed that they were trying to squeeze as much as they could out of this fake invoice by cycling through a whole bunch of fake numbers before PayPal put the pain on them. But yes, I was very impressed by that in a bad way. It was not good. Don't do this. This is bad.

Dave Bittner: But let me add just a little bit of color to this which is I was visiting with my father recently, and as I've shared with the show, my father is quite elderly. And he had one of these, and of course, he printed it out to show me because that's what he does.

Maria Varmazis: Love that.

Joe Carrigan: Did he try clicking on the link by pushing it? Have you, Dave, let me ask you, and be honest with me, Dave. Have you ever pushed on a piece of paper thinking that it would get an interface to work?

Dave Bittner: No but I have seen it said that to a toddler a magazine is a broken iPad because I've seen toddlers try to zoom in pictures in magazines.

Maria Varmazis: Right. The pinch.

Dave Bittner: Using two fingers. So, no, I have not seen my father -- my father did not try to click a link on the printed out paper, however, I did have an aha moment with my father not long after he got his first iPhone. He couldn't understand why he was having trouble with it, and I came over to help him with it and he was trying to click the screen with his fingernail. Not the fleshy part of his finger. He couldn't understand why it wasn't working. What's amazing to me about working with my dad with a lot of this tech stuff is that he comes up with things that I never would have imagined.

Joe Carrigan: Right. He should be a tester.

Maria Varmazis: Dave, my father did the same thing too. I remember he had a really hard time with it. I don't know if this is relevant for the show but when I showed my dad the correct way to tap the screen, it still wouldn't register his finger. It was something about his skin being so dry.

Joe Carrigan: That's starting to happen to me too.

Maria Varmazis: Yes, I'm just saying so some of it was the fingernail.

Joe Carrigan: Is this something with age?

Dave Bittner: I believe so. The device believes that your flesh is no longer living.

Joe Carrigan: I don't know what it is but I can't turn my alarm off in the morning sometimes. And when somebody calls I can't answer and my wife says, "Just lick your finger and do it." I'm like, "I'm not licking my finger. You lick your finger and do it."

Maria Varmazis: You're officially old if you have to do that. I'm sorry. It's the rules.

Joe Carrigan: I will say this though. If you lick your finger it works. It works.

Dave Bittner: I'll take your word for it.

Maria Varmazis: Don't touch anything that Joe has touched is what we're hearing.

Dave Bittner: Yes. There's Joe's spit all over everything. So, getting back to my dad, he hands me this printed out invoice, and he says, "What is this," and I say, "That's a scam, dad. There's nothing for you to do here." He says, "It's a scam." I said, "It's absolutely 100% a scam." He says, "Okay." He says, "Should I call the phone number on here?" Okay, we're laughing. We're laughing but no, this is how this works. That's my point. Yes, this is exactly how it works because for some reason he thought that even though it's a scam if he called the number he could set it right. Like he could call them and say, "Stop sending me this," or whatever, but I'd say no, you don't have to do anything. Just ignore it. Leave it alone. Never look at it again. Delete the email and anything like it. So again, he has reactions to things that are beyond my own imagination, which is good for me to learn what's possible, and it's entertaining for our show. So, there you go.

Maria Varmazis: And the phone numbers that I dialed were all American phone numbers. I mean they were area codes of areas that I'm not from, but one of them was from Indiana. The other one was from Illinois, and I actually googled them also and they were formerly owned by legitimate businesses. So, it was just really interesting to go down what these scammers were using, and I was imagining the coordination between the phone companies and PayPal on this and just what a pain this must be. So, yes, that was fun. So, that's my first of two stories. The second one was actually kind of a bit of a follow-on to a story that I covered a little while ago about job scams that are proliferating through LinkedIn. And I saw another person in my LinkedIn universe post about an experience that they had, and I'm going to keep this anonymous because this is a very painful thing that happened to this person. But a young job seeker who's been unemployed for about a year now basically fell victim to a job posting they found on LinkedIn. They completed an interview. They got a job offer and completed the tax documentation, identity paperwork, and payroll documents. And unfortunately after going through all of that found out that the job posting was fake and the scammer behind all this cleared out their entire bank account. They basically transferred everything within their bank account either through Bitcoin or cashed out through a cashier's check. And I was just kind of -- aside from just feeling really terribly for this person, I also noticed that this person is very young, and I was wondering if people are not having a conversation with younger folks. Now I feel old saying this. Handing over your routing number and your account number is advice -- don't do that. And I remember getting that advice when I was younger when I got my first checkbook, which is how old you know I am. Since checkbooks are not in use much anymore, especially by people under a certain age, I'm wondering if that knowledge has been lost a little bit. That your bank account number and routing number are the keys to the kingdom. You don't just hand that out. You have to be very, very careful with that because I know there's a lot of payroll documentation that's sent especially to freelancers where they're just asking for that information. You don't know who they are. It's very easy for them to do a lot of ACH fraud with that info, and I don't know if people know that that's really information you've got to be extremely careful with. So, I guess it's sort of maybe a call to action for those of us who have younger people in our lives to remind them that that's information you really don't want to give out easily. And if you think that this job posting might be true but you're still kind of iffy on it, or just out of an abundance of caution, one bit of advice I saw in the comments on this person's post was about having a quasi-empty bank account just for the purpose of waiting for these deposits to actually clear if it's a real job.

Joe Carrigan: I was going to suggest that.

Maria Varmazis: Yes. Not giving out your actual bank account information that has your real amount of money in it. Just sort of having a fake one in case it is a scam. A decoy bank account. I can't believe this is the world we live in now, but it is the world we live in now.

Joe Carrigan: So, I started doing this when credit card fraud started becoming a problem and we had an ATM card, and the ATM card became like a Visa. And I read somewhere that if you got scammed or if someone stole your credit card you wouldn't be liable for any of the charges, but if someone stole your ATM card you might be liable for up to $500 worth of charges. That might be the amount of money you don't get back. So, my wife and I immediately opened another checking account at the same institution, and they're back-to-back. And one of them has the debit card attached to it and the other one does not. So, we say we don't want any debit cards or any checks for this. This is just for us to receive money, and the other one is the one that money goes out of. So, if someone gets a hold of our credit -- if someone got a hold of my debit card right now and went out to spend more than $100 it would get declined because there's not $100 in that account. That money is behind essentially a banking firewall. Now this would require the addition of a third checking account for you to receive the money. So, you'd have a receiving account, a spending account, and a holding account. I don't know if banks are willing to do that though.

Maria Varmazis: Yes. I was going to say it's a lot of work. It's a lot of moving money around. It also assumes you even get a bank account, which can be tough for some folks.

Joe Carrigan: Good point. But if you're not getting a bank account there are other ways to get paid. And I don't know that those ways are scammable like this. I'm just not familiar enough with them.

 

Maria Varmazis: When I was a freelancer, most of the time, any requests about sharing account and routing information went through a third party. Like a verifiable business. It was like a payment transaction service that was trustworthy, but sometimes you are just literally sent a PDF and told to put your information in this, and you've just got to trust that that vendor is who they say they are. It's pretty nerve-wracking.

 

Joe Carrigan: So, when you were a freelancer, did you have a -- is this a service that you paid for that you had out there as a freelancer?

 

Maria Varmazis: No. I was at the mercy of whoever was hiring me. They all had their own different services that they preferred to use. So, I would send an invoice and I would say, "Contact me if you need this information because I'm not putting it on my invoice," but I saw other freelancers would freely put their account and routing number at the bottom of their invoices, and that was a little dangerous.

 

Joe Carrigan: Oh, no.

 

Maria Varmazis: Yes. Yes. People do that because they figure it's an easier way to get paid, but sometimes --

 

Joe Carrigan: Immediately I just want to find one of those guys, have them do some work for me, and then drain his bank account. I mean that's the threat model right there.

 

Maria Varmazis: Unfortunately it happens a lot. So, you as a freelancer, you can go through and try to set up your own third-party intermediary using an invoicing service sometimes, but those cost money, and not everybody has the money to pay for that upfront, and if you are working with a more established company they may have one that they want you to use. But if you're a small freelancer doing work for a small business, chances are they just want to get that information directly from you. And there's a lot of trust that goes on there, and sometimes it's abused. And again, I don't know, especially younger folks who are entering the workforce, if they know how -- there is no additional firewall set up between your account number and routing number. That's it. Like if they have those two numbers, that's all they need, and I don't know if people know that.

 

Joe Carrigan: They [inaudible 00:34:09] like an ACH authorization or something like that, right? Or do they --

 

Maria Varmazis: My understanding is they just need your account number and routing information because that's usually all I've ever given out when I've had to do this.

 

Dave Bittner: There's also the element, especially when you're applying for a new job, that you don't want to be the one who's the pain in the butt to a potentially new employer. So, they send you an avalanche of paperwork to fill out, and you don't want to be that person.

 

Maria Varmazis: You're so grateful. Especially if you've been out of work for a really long time. At that point you're just like whoever, whatever, yes, please. Pay me.

 

Joe Carrigan: Yes. What can I do to start this money flowing?

 

Maria Varmazis: Correct. The last thing you want to do is put up a barrier. So, I'm sure these scammers know all of this and that's exactly what they're banking on, and it just kills me to see that more and more in my LinkedIn feed because I'm on there all the time for work reasons. I'm seeing all these posts from people saying I've been unemployed forever. I'm seeing more of these scams, or I got hit by these scams, and it's anecdotal in my case, but my goodness. It just really seems to be getting worse out there, so just be careful everybody, I guess.

 

Dave Bittner: All right. Well, we will have links to all of our stories in the show notes, and of course, we would love to hear from you. Our email address is hackinghumans@n2k.com. Joe and Maria, it is time to move on to our catch of the day.

 

Joe Carrigan: Dave, our catch of the day comes from William, and it's a note from Dr. John Schindler who is the secretary general of something.

 

Dave Bittner: Well, what a coincidence. So am I. I'm the secretary general of the hacking humans podcast. I just gave myself a promotion.

 

Maria Varmazis: Please put that in your email signature. That would be amazing.

 

Dave Bittner: Secretary general.

 

Joe Carrigan: Secretary general, Dave Bittner. Hacking Humans Podcast. It says from Dr. John Schindler, secretary general but the email address is [inaudible 00:36:18] at gmail.com. Subject fund refund. Replied to unitedbankforafricac. @gmail.com, and it goes like this. "Attention my dear, after the global financial [inaudible 00:36:35] summit of Paris, the International Monetary Fund has come to the conclusion to pay off your compensation funds. You are in the badge b category that are going to benefit from the world's largest humanitarian aid budgets. With due regards to the instructions from the IMF and the financial stability board, I want to inform you that the financial stability board have arranged your payment through United Bank for Africa to immediately affect the transfer of your 1.75 million dollars via UBA Bank online transfers. The transfer of your fund will be processed and be completed within three working days within which the fund will safely reflect into any designated bank account of your choice. To this effect, you are required to contact Sir. Joseph Warley Mandy, online banking services UBA Bank. Send the below info to Sir. Joseph W. Mandy. Your full name, your full address, your contact telephone, your profession, your ID and driver's license, your bank name, your bank address, your account name, your account number, your swift code, and your routing number. If you have any questions or concerns regarding this payment please do not hesitate to contact us. We are happy to assist you in any way we can. Thanks and best regards, Dr. John Schindler, secretary general, copyright the Financial Stability Board. Copyright.

 

Maria Varmazis: That's the part that gets you.

 

Dave Bittner: You know, I was going to copy this, but I don't want to get them in trouble.

 

Joe Carrigan: You just read it on the podcast, Dave.

 

Dave Bittner: That's right. What are we going to do?

 

Joe Carrigan: They're going to come after us.

 

Dave Bittner: All right. What do we make of this gang?

 

Joe Carrigan: It's an advance fee scam. That's what it is. You send this information -- actually this is like multiple scams. If you send all this information along they will do whatever they can to steal your identity, drain your bank account, SWIFT code. Nobody -- who knows their SWIFT code, the bank's SWIFT code?

 

Maria Varmazis: Who knows what a SWIFT code is?

 

Joe Carrigan: Well, SWIFT is the --

 

Dave Bittner: Oh, you had to ask, Maria.

 

Maria Varmazis: I don't know what that is. I don't.

 

Joe Carrigan: SWIFT is like something about secure something something funds transfer.

 

Maria Varmazis: You don't even know what it is, Joe. Come on.

 

Joe Carrigan: I don't know what it is, but it's the system that banks use behind the scenes to transfer large amounts of money between each other.

 

Dave Bittner: Internationally.

 

Joe Carrigan: Internationally.

 

Dave Bittner: International system for transferring money.

 

Joe Carrigan: And it's one of the things that the North Koreans have hacked -- allegedly the North Koreans have hacked. The Lazarus Group has hacked it. So, I mean, but generally, like, I don't know that you walk into your bank and go, "What's the SWIFT code here?" I don't know if they'll tell you.

 

Maria Varmazis: Please come with me, sir.

 

Joe Carrigan: Listen, what's the SWIFT code? And while I'm here I need to set up a decoy bank account.

 

Maria Varmazis: So funny. No notes.

 

Dave Bittner: No. Well, all right. Well, thank you, William, for sending this in. We would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com. That is Hacking Humans, brought to you by N2K's CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize their biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Tre Hestor. Our executive editor is Brandon Karp. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Joe Carrigan: I'm Joe Carrigan.

 

Maria Varmazis: And I'm Maria Varmazis.

 

Dave Bittner: Thanks for listening. [ Music ]