Hacking Humans 1.23.25
Ep 322 | 1.23.25

Back to the office, back to the threats.

Transcript

Dave Bittner: Hello, everyone, and welcome to N2K CyberWire's Hacking Humans Podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hi, Joe.

Joe Carrigan: Hi, Dave.

 

Dave Bittner: And our N2K colleague and host of the T-Minus Space Daily Podcast, Maria Varmazis. Maria.

 

Maria Varmazis: Hi, Dave; and hi, Joe.

 

Dave Bittner: We've got some good stories to share this week, and we will be right back after this message from our show sponsor. All right. We do not have any follow-up this week, so why don't we jump right into our stories. Maria, you want to kick things off for us here.

 

Maria Varmazis: Yeah. Less of a story, more of a comment, a really long comment.

 

Dave Bittner: Really. What are you, like in the audience of a lecture or something?

 

Maria Varmazis: I am. We all love that guy. We love that guy. It's my turn to be that guy today. I was reading this morning in the -- on the Boston Globe, my local newspaper, about the big return to office mandates that are happening. Not so much at our company, Dave, because I am remote. But I know a lot of my friends are four to five times a week back in the office now after several years of being fully remote. And then this story pops up in our inbox from our friends at Bishop Fox about basically a lot of us are rusty at what it means to be sort of a good corporate employee in a physical office in terms of not just being aware.

 

Dave Bittner: Okay.

 

Maria Varmazis: Well, I mean, please bathe. Please wear real pants. But, also, do you remember your security awareness training, not just in terms of can you identify phishing or vishing? I hate that word, but you know what I mean, the phone phishing. But, also, do you remember things like badging etiquette, things like that? So the person who wrote this blog post is by Alethe Denis, or Denis, if I want to do the French pronunciation, who is a DEF CON black badge holder from DEF CON 27. So good for her, honestly.

 

Dave Bittner: Yeah.

 

Maria Varmazis: She won the Social Engineering Capture the Flag. It's pretty cool. And so this is the point that she's making is Bishop Fox and many other companies offer red teaming, which is like pen testing but more.

 

Dave Bittner: Right.

 

Maria Varmazis: Basically, they come into your company and they go, I'm going to try all sorts of ways to get into your company to get certain information, capture some sort of designated info by whatever means we've agreed upon. And I'll take the time that it's going to take. I'm summarizing this very poorly, but it's a really fascinating exercise for a company to opt into because it then exposes all of your weaknesses, not just digitally but also physically. And I feel like security teams know this, but it can be hard for them to get management to buy in. So I wanted to stop there and just ask, have either of you ever been knowingly on the receiving end of like a red teaming exercise or a pen test?

 

Joe Carrigan: Not -- no. I have not been knowingly on this, but I have worked with people who have done this.

 

Maria Varmazis: Yes.

 

Joe Carrigan: When I was working at Accuvant, one of our organizations -- now it's part of a company called Optiv. But we had an organization that did penetration testing, and one of the things they offered was physical penetration tests like this.

 

Maria Varmazis: Yep. Yeah.

 

Dave Bittner: I have spent the vast majority of my career being self-employed so -- and co-owning a company with my wife. So I'm just going to leave it there.

 

Maria Varmazis: Challenges.

 

Joe Carrigan: You're probably going to know if you set yourself up for red teaming.

 

Dave Bittner: Yeah, yeah.

 

Maria Varmazis: A whole other set of challenges with that one. That's fair enough. I don't know about my time when I was at Sophos. But certainly I know at Rapid7, when I worked there, we were basically constantly under some kind of an assessment, either self-imposed or a competitor, presumably, if somebody was trying to get access to what we were doing. And the only time that I know of where I was pretty damn sure that somebody was trying to get past me through the doors, like going past badging etiquette, it was a really harrowing experience because I was working in the marketing department, and we are target number one when you're in marketing. Cybersecurity is like -- marketing and HR.

 

Joe Carrigan: You're a soft target.

 

Maria Varmazis: Soft target full of women.

 

Dave Bittner: It's a department full of pleasers.

 

Maria Varmazis: Full of pleasers, usually full of women, like, people who like to be nice.

 

Joe Carrigan: Right.

 

Maria Varmazis: And I basically got yelled at in one of the sort of more hidden elevator shaft entrances to the office by a guy I could have sworn I recognized who looked like he worked in our sales bullpen, but I wasn't totally sure. And he wanted me to badge him in. I was like, No. I can't do that. That goes against corporate policy. And this guy yelled at me. Like, he just yelled at me. Like, what are you talking about? I'm going to be late for my thing. And I was like, this guy's pen testing me. That or he's an asshole. But, either way, it goes against policy.

 

Dave Bittner: Either way, either way.

 

Joe Carrigan: Either way, I'm not letting you in.

 

Dave Bittner: That's right.

 

Maria Varmazis: Yeah. And just it -- I think part of the thing that empowered me to feel that way, aside from that he was an asshole to me, was also that I knew that the company had my back because it was part of sort of the corporate culture that we would have regular check-ins about, you know, are you writing your password down and putting it under your keyboard like everybody else? You can't do that here. Don't do that. That's not a good idea. And, you know, that -- I knew that if I had to be late for a meeting because I forgot my badge and I had to go through the front door and check in, that, you know, my C level would have my back. She understood that this was like, you have to do that. And I think at companies where that's not clear, people just think of these kinds of physical security measures as a pain in the rear end. But if people know that they've got -- that all the way up to the top they've got your backs, and they're much more successful. So I don't know. I -- this is just my opportunity to go being on the receiving on end of that really stinks, but I recognize it's important. And I --

 

Dave Bittner: Did you ever hear how that one ended? Like, who the guy really -- like, did you have an awkward run-in with him in the lunchroom, you know, a week later? Oh. You do work here.

 

Maria Varmazis: You know what? He definitely did work there. But we often, as -- but, again, it was part of corporate policy that we didn't let anybody, and we didn't -- I don't know. There's a different term for this but, like, if your colleague just goes in with you on your badge, like you hold the door open for them --

 

Joe Carrigan: Tailgating.

 

Dave Bittner: Right.

 

Maria Varmazis: -- I've heard -- yeah. Tailgating. Thank you. I couldn't remember the term for that. We -- that was explicitly not allowed. Even if they had their hands full or whatever, you could not do it. And I know people who work at, like, defense contractors. This is really standard procedure for them. I've seen it, but I think for those of us in, like, the softer corporate world, we often forget that it's a bad idea. But, yeah. He definitely worked at the company, but we were self-assessing all the time, just part of us making sure that we were on top of things. And it was a very valuable exercise. So it may have been that he was legit, but it also may have been that he was working with the security team. I don't know. I will never know how that ended up, but I'm pretty sure it was a pen test. Yeah.

 

Joe Carrigan: Trust no one.

 

Dave Bittner: Right.

 

Joe Carrigan: Trust no one.

 

Maria Varmazis: Yeah. Me, honestly. Yes.

 

Dave Bittner: Well, I mean, Joe, you've worked in some secure places.

 

Joe Carrigan: Yes.

 

Dave Bittner: I mean, place you're working at now is pretty secure.

 

Joe Carrigan: Yes.

 

Dave Bittner: And so what's the --

 

Maria Varmazis: Don't test the assertion.

 

Dave Bittner: What's the -- what's the situation there?

 

Joe Carrigan: Well, it's a different -- it's a different situation because it is mandated in these kind of environments and not just like, hey. It'd be really great. It's like, hey, there's real consequences if you don't do this.

 

Dave Bittner: Yeah.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: So when that's the case, if you're -- you know, I have -- I have seen people try to tailgate, but I haven't seen anybody even try to tailgate in 20 years.

 

Dave Bittner: Okay.

 

Maria Varmazis: Wow.

 

Joe Carrigan: But I was working with a friend of mine. We were -- we were at this -- we were working at a defense contractor, and we were coming in. And I badged in. He badged in. Somebody behind him did not badge in. And my friend stopped him and said, You have to badge in.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: Like, put a hand up, like, physically and said, No. You have to badge in. And the guy's like, Really? And he's like, Yeah. Really.

 

Maria Varmazis: Yes.

 

Joe Carrigan: No qualms about telling him that. And at that same contractor at one point in time we were in the vending room, and one of the women that I worked with saw somebody. And she said, Hey. Where's your badge? And the guy goes, I left it at my desk. And he was -- he was -- he's like, Can somebody escort me back to my desk? So he was like immediately, like, I've got to correct this.

 

Dave Bittner: Yeah.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: So it was -- it was like -- it wasn't like, Come on. Just let me slide. He's like, No. You're right. And she said, I'm sorry I had to stop you. He goes, No. You did the exact right thing. I'm supposed to have my badge on me at all times.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: So it was -- it's a different culture in that kind of environment where, you know -- you know, you help each other out when -- when you -- like, by escorting them back to the -- back to the desk to get the badge and also reminding everybody and people -- when people realize they violated the policy, they quickly -- they quickly correct the problem. They don't try to pass it off as a minor thing.

 

Maria Varmazis: Yeah. He modeled the correct thing, and that's -- that lets everyone else feel safe to do the same thing and not like, I'm the dork, the one dork who's following security policy. Nobody else does this.

 

Joe Carrigan: Exactly.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: But in the -- in the defense world, that is, if -- not following that policy can have remarkably bad and dire consequences. Like, everybody could be out of a job, right?

 

Maria Varmazis: Yeah, yeah. I would hope so.

 

Joe Carrigan: Yeah. So it's not something that gets taken lightly in defense.

 

Dave Bittner: Actually, you know, I do recall now that we're talking about it, there was one incident that I was involved with, sort of along the side of. I was actually working at the Newseum in Washington, DC, which is no longer there.

 

Maria Varmazis: RIP. Yeah.

 

Dave Bittner: Johns Hopkins bought their building.

 

Joe Carrigan: Yes, they did. Still in the -- still in the we.

 

Dave Bittner: Right. So for those who aren't familiar with the Newseum, they had quite a substantial broadcast studio facility there, and that's where I was working. I was working on a TV show there. And it was not uncommon for the chief engineer, the person who was responsible for getting us on the air who had to go to a part of the facility called Master Control, which is where all of the devices that put you on the air are, you know, when you --

 

Maria Varmazis: Sounds so bad ass.

 

Dave Bittner: Do a satellite or --

 

Joe Carrigan: Right.

 

Dave Bittner: Yeah. I know. It is that control. But they're the ones who are actually lighting the candle to get on the satellite to send your signal places. Anyway, like, if I needed something from -- like, I needed a cable or something from Master Control, I'd go to Dennis. And I say, Dennis, I need a cable. He'd go, Here. Take my ID badge and go get it because I didn't have access to Master Control. He didn't want to go with me to Master Control because it was on a different floor. So I would go. And he'd hand me his ID badge. I'd go get what I need, come back, give him his ID badge. Turns out security at the Newseum was such that, when you badged yourself into the elevator, your picture would come up in front of the security folks downstairs. Actually, the picture of the person who that ID belonged to would come up in front of the security team. And when you got in the elevator, they would cross-check your picture with the picture on the ID.

 

Maria Varmazis: Nice. Okay.

 

Dave Bittner: Dennis was about 20 years older than me, 100 pounds heavier than me, and completely bald.

 

Maria Varmazis: So he's had a rough day.

 

Dave Bittner: No -- right. Exactly. There's no resemblance whatsoever. So Dennis and I got a little talking-to about the loose sharing of security badges. But, actually, the other thing they came out with is that they made it so that I had access to Master Control because I had to get in there from time to time.

 

Joe Carrigan: Right.

 

Maria Varmazis: There you go.

 

Dave Bittner: So anyway.

 

Joe Carrigan: That's the right way to handle things, Dave.

 

Dave Bittner: Well, lucky. Fortunately, nobody got fired.

 

Joe Carrigan: Right.

 

Dave Bittner: You know, we're -- we were just -- we were totally operating in easier to apologize than get permission mode, which sometimes you've got to do.

 

Maria Varmazis: Yeah. That often happens. Yeah.

 

Dave Bittner: Yeah. Right.

 

Maria Varmazis: Yeah.

 

Dave Bittner: All right. Well, interesting story, Maria. Thanks for bringing that to our attention there. Joe, you are up next. What do you have for us this week?

 

Joe Carrigan: Dave, I've got a story that I first saw on CBSnews.com. And then I went to the primary source, which actually comes from fcc.gov.

 

Dave Bittner: Okay.

 

Joe Carrigan: And we'll put links to both of these in the -- in the show notes. But the FCC is warning about a group. I love how governments and other security organizations in general love to name these kind of threat actor groups.

 

Dave Bittner: Yeah.

 

Joe Carrigan: So they're calling this -- this group Green Mirage. And it's the Enforcement Bureau from the FCC is saying you need to watch out for these guys because what they're doing is they're calling people posing as their mortgage lenders.

 

Dave Bittner: Oh.

 

Joe Carrigan: Okay. So these guys have information. And one of the more interesting pieces I'll get to in a minute is actually pretty scary. But they know who your mortgage company is, and they know maybe who your past mortgage company is. So, like, if you've done a refinance, they have that information as well.

 

Maria Varmazis: It's all public, isn't it?

 

Joe Carrigan: I don't know that it's public. That's a good question. I know that you buying a house is public --

 

Dave Bittner: Yeah.

 

Joe Carrigan: -- because I've recently been through this. Maria, you and I have recently both bought houses.

 

Maria Varmazis: I want to say that that info is public because I got so much junk mail with my mortgage lender's name on it from third parties that were pretending to be helpful but weren't. I want to say --

 

Joe Carrigan: That's a good point because, when I refinanced my house, my last house, I refinanced that probably, I don't know, 10 years ago maybe, maybe not. Maybe more recently than that. But I started getting those kind of emails or kind of mails as well --

 

Maria Varmazis: Yeah.

Joe Carrigan: -- looking like they were coming from the bank. And they were not. Yeah.

 

Joe Carrigan: They were coming from somebody else.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: So maybe it is public information. Maybe it's out there on --

 

Maria Varmazis: It shouldn't be.

 

Joe Carrigan: No. It shouldn't be. I mean, the fact that you buy the real estate, okay. That has to be public information. How you go about financing it privately, that's nobody else's business.

 

Maria Varmazis: Yeah. It feels icky. Yeah.

 

Joe Carrigan: It does.

 

Maria Varmazis: I'm sure a listener can tell us why it should be public, though. I actually would be very curious to learn what the good reason is for that. Anyway.

 

Joe Carrigan: Yeah. What's the email address, Dave? HackingHumans@n2k.com?

 

Dave Bittner: That's it.

 

Joe Carrigan: Send it to us. Let us know if you know why. Anyway, these guys are -- one of the things that's really interesting about them is that they are calling people who have called their mortgage company because they're in some kind of financial distress. Okay. So if you -- if you are in financial distress, one of the things that the mortgage company wants to know is they want to know as soon as possible that you're not going to be able to make your mortgage payment.

 

Dave Bittner: Right.

 

Joe Carrigan: Right. And they want to know that for a couple of reasons: one, because they have to manage their own risk; but, two, they really don't want to foreclose on your house.

 

Dave Bittner: That's right.

 

Joe Carrigan: They don't want to do that. And the reason they don't want to do that is because they don't want your house. What they want is the money.

 

Dave Bittner: Right.

 

Maria Varmazis: You're right. Yeah.

 

Joe Carrigan: And that's how these mortgage lenders work. And -- and going through the foreclosure process is very expensive. And they know they're probably going to lose money doing it, especially if you're very early on in the mortgage, right? So they don't want to -- they don't want foreclosure. They want to work with you and to negotiate and to come up with some kind of solution to -- to do it. So you can call your mortgage company. You tell them what's going on. Maybe they'll work with you. But what these guys are doing, this Green Mirage group is they're calling people back posing as the mortgage company and then having them send -- send mortgage payment stuff to -- like, real money, sending it to third parties that are like in this thing it says, in quotes, attorneys or representatives. Or they're having these people upload funds to a Walmart Green Dot Money Card account, which to me would be a red flag.

 

Dave Bittner: Yeah.

 

Joe Carrigan: Right.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: But maybe it wouldn't be to somebody else. But the hardest part of this is many victims are not learning that they've been defrauded until the lender starts foreclosure proceedings because the lender hasn't been paid.

 

Maria Varmazis: Oh, my God.

 

Joe Carrigan: And they think they're paying the lender, but they're not. They're paying these scammers. And my question is, it seems odd to me that these scammers are calling people who've called the mortgage company because they're in distress, and then they're getting hit with this scam.

 

Dave Bittner: Right. I mean, first off, let's set aside the reprehensibleness of this -- of this, this particular scam. This is one of those scams where you're like, okay. You're a really terrible person for doing this. But my question is, how are they doing that? How are they getting in there? How are they -- how are they hitting these people who they -- who are in distress? And it seems from this read -- from the -- my reading of this, of this warning from the FCC that it's disproportionately large in terms of who's getting hit with this, that they're the people who are in distress and calling the mortgage company first. Well, I mean, I would -- to me it points to an insider.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: That -- that was the first thing I thought, too.

 

Dave Bittner: Has access to this.

 

Maria Varmazis: Yeah.

 

Dave Bittner: It also seems strange to me that the scammers would be targeting people who are already in financial distress, like, not a big payday if you have somebody who already can't pay their mortgage. I mean, obviously you're hitting someone who's in an emotional state.

 

Joe Carrigan: Right.

 

Dave Bittner: So I guess you increase your odds there. And I don't know. Let's say you're -- I'm thinking this through in real time so apologies. But, you know, if your mortgage is $1,000 a month --

 

Maria Varmazis: I wish.

 

Dave Bittner: -- and when these folks can get -- I know, right? These folks can get $100 from you because that's what you have, then maybe that's still a win for them.

 

Joe Carrigan: Yeah. Well, I mean, I think it might be closer to -- I think it's very much like that, but I think it's closer to your mortgage is like 2,500, $3,000 a month, and they're getting 1,000, $1,500 out of you.

 

Dave Bittner: Yeah.

 

Joe Carrigan: So, I mean -- because I could see where that would look feasible.

 

Dave Bittner: Right.

 

Joe Carrigan: How much money can you afford to pay us this month? Okay. Well, I'm going to have you send that to a -- to an attorney, and we're going to make sure that that -- that that gets tracked. Send a money order to this person. And then the money's just gone. So, I mean, it's -- they have to be able to find out where this money's going, as well. I imagine that the FCC is working on that end of it, and they might be involving other law enforcement -- or, well, FCC is not really a law enforcement organization. They're a -- they're a commission, and they're responsible for the communication systems throughout the US, including the phone system. But --

 

Dave Bittner: They can levy fines, though.

 

Joe Carrigan: They can levy fines. That's true. They do have that capability. But they can't criminally prosecute somebody. Can they criminally -- no. They're levying a fine. Because I think about a recent case where somebody was broadcasting incorrectly. Maybe you saw this in one of the ham radio things, Dave. You're a ham radio operator.

 

Dave Bittner: I am. There was a guy who recently got like a $32,000 fine because he was improperly interfering with firefighters.

 

Joe Carrigan: Correct. That's exactly the case I'm thinking of.

 

Maria Varmazis: Oh, yeah. They take that very seriously. Yeah.

 

Joe Carrigan: Yeah. They do. But that was a -- that was a financial -- like a fine crime, fine -- what he's doing is criminal, but he's not going to do any jail time. He just has to pay a fine.

 

Dave Bittner: No. But I suspect the FCC, if the -- if need be, they will simply refer you to one of the law enforcement agencies with whom they partner --

 

Joe Carrigan: Yeah.

 

Dave Bittner: -- if criminal charges are in order.

 

Joe Carrigan: Yes. So they can levy fines, but they can't put you in jail. But somebody else can.

 

Dave Bittner: Yeah.

 

Joe Carrigan: And some of this stuff is illegal. Some of this stuff. All of this stuff is illegal. It's all wire fraud and money laundering.

 

Dave Bittner: Right.

 

Joe Carrigan: So, I mean, those things, the Justice Department is very interested in prosecuting.

 

Dave Bittner: Yeah.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: So make sure -- make sure, if you're -- if you're -- if you're in distress for a mortgage, make sure that you make the calls. And, unfortunately, that's the only thing that I can tell you to do here is don't trust any inbound calls because these guys are spoofing the caller ID of your lender --

 

Dave Bittner: Right.

Joe Carrigan: -- when they call. And somehow they know -- it seems that they know when people are in distress. Looks like they've already gotten away with $400,000 --

 

Maria Varmazis: Yeah.

Joe Carrigan: -- over the last two years. And -- and, of course, this is saying that this is likely underreported; and it is much more than $400,000 that's been taken.

 

Dave Bittner: Wow. All right. Well, we will have a link to that in the show notes. And, of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's HackingHumans@n2k.com. We're going to take a quick break to hear a message from our show sponsor. All right. We are back. And my story this week is actually from a listener who has asked that we keep them anonymous, so we are going to respect that request. But this is an interesting story that came from a Reddit group, a subreddit, and this is the Airbnb hosts subreddit. And yeah. And it's -- I have to say it is not complete yet, but it's far enough along that I feel as though we can talk about it here. So this is the story of an Airbnb host who got an inquiry from a new account on Airbnb -- red flag --

 

Joe Carrigan: Right.

 

Dave Bittner: -- asking for a video of the place that they are renting and also asking to take the communication off of Airbnb and over to WhatsApp. Red flag.

 

Joe Carrigan: That's the red flag. That's a bigger red flag than new account. -- second location. Yep.

 

Dave Bittner: Yeah.

 

Joe Carrigan: Right.

 

Dave Bittner: By the way, some folks pointed out in this Reddit thread that that itself is a violation of Airbnb's terms.

 

Joe Carrigan: Is it really.

 

Dave Bittner: Uh-huh.

 

Joe Carrigan: Okay.

 

Dave Bittner: All Airbnb negotiations are required to take place on Airbnb's platform.

 

Joe Carrigan: That is a good policy to have. I think what Airbnb needs to do here is to reinforce that policy and remind everybody of that policy --

 

Dave Bittner: Yeah.

Joe Carrigan: -- at all times, like with some periodicity. Remember, if you're conducting a -- conducting any negotiations, it is against our policy for you to take that to another platform. And then, I don't know, maybe I'm just getting too in the weeds here, like I normally do.

 

Maria Varmazis: I feel AI could actually help here. If they've got an AI running and they notice someone says, let's take this offline, why couldn't they just pop up and say, Don't do that.

 

Dave Bittner: Right, right. Well, in this case, I'm going to sort of paraphrase what the person wrote here. They said, I agreed to take the chat to WhatsApp. They sent their number cryptically, they're now rapport building like crazy. It seems like I'm talking to an LLM bot, but I can't know for sure. They're asking for a six-month rental off Airbnb. I sent them to a video walkthrough that we did during the photo session. I gave them a price close to the price that would be for a booking, which is like five times what Zillow says my rental rate would be, and they agreed without hesitation. Really. Uh-huh. So let me see if we got this right. So they're doing an Airbnb, which is usually like $150 a night or something like that.

 

Maria Varmazis: I mean, the --

 

Dave Bittner: I don't know. Some places are --

 

Maria Varmazis: -- vary hugely. But sure.

 

Dave Bittner: In the wide range.

 

Joe Carrigan: And this guy's just saying, I'll charge you whatever that nightly rate is for six months. And that -- that turns out that if you do -- if you fully rent that place for a month, you're going to pay way more than you would just by renting it with a lease, right?

 

Dave Bittner: Right.

 

Joe Carrigan: Okay.

 

Dave Bittner: Right. So before we dig into any more of the story here, any speculation as to, if this is indeed a scam, what is the scam?

 

Joe Carrigan: Okay. So I'm going to go first here. I'm going to say the fact that the guy agrees or the scammer agrees instantaneously to something that is obviously ridiculous in terms of how much money he's going to have to pay tells me yes, I'm dealing with a scammer. You know, that this -- that is the biggest indicator right there. This is way too good to be true.

 

Dave Bittner: Okay.

 

Joe Carrigan: But what's the scam? That I'm not sure of. Maria?

 

Maria Varmazis: Overpayment is my thinking. That -- that rug pull just feels like it's about to happen. But I don't know. I know very little about Airbnb scams.

 

Dave Bittner: Well, Maria, that is an excellent guess. The responders in this thread have said that perhaps it is an overpayment scam --

 

Joe Carrigan: Okay.

 

Dave Bittner: -- which just a reminder what that means is someone will send you way more money for something than they should, and chances are that they are sending you that money using a stolen credit card or some other ill-gotten gains. Then they reach out to you and they say, Oh, my gosh. I'm so sorry. I overpaid you. Can you please refund the difference of what I owe you? And so you send them the difference using your real money out of your real account. Some time passes. It's discovered that the credit card was stolen. That money gets clawed back from you, so you're out the total amount of the initial payment that came on the credit card and the money that you refunded them out of your own account. So that's how an overpayment scam works.

 

Joe Carrigan: And it can work that way with checks, as well.

 

Dave Bittner: Right.

 

Maria Varmazis: Yes. Sure can.

 

Dave Bittner: So this person has provided a few updates. The first one said that they sent the person an invoice for two months' rent up front, and they didn't get any response. But then things went to the next level. This person got a WhatsApp video call from the people. It says -- I'm going to quote here. It says, It was a very beautiful Asian girl sitting at her desk using her computer to call. It was a short call. She wasn't quite as friendly as her messages are. She said she's coming to my town to visit and wants to meet up to sign the contract and make the payment. After the call, she keeps sending very friendly rapport-building messages and now videos of her playing golf. So now we've gone from a -- so now we've gone from a check overpayment scam to a hot Asian girl catfishing scam. Lol.

 

Joe Carrigan: You're getting smashed up in a bag. That's what's going to happen.

 

Maria Varmazis: Yeah. Why does an Airbnb host want to see you playing golf? I couldn't care less, lady. I mean, seriously. What?

 

Dave Bittner: They are investing a lot of time in this, so it's definitely going somewhere. But the cards have yet to be laid on the table, so we press on. All right. So the other scam possibility that was suggested here was the fact that the folks asked for a video of the place is indicative of a fake rental scam.

 

Joe Carrigan: Right. That actually did occur to me that they -- they're going to take pictures out of that video and then make their own Airbnb host account and try to rent out fake -- a fake property --

 

Maria Varmazis: Oh, my God.

 

Joe Carrigan: -- or maybe even this guy's property.

 

Dave Bittner: Right, right. Exactly.

 

Maria Varmazis: User-generated content, scam edition.

 

Dave Bittner: Right.

 

Maria Varmazis: Wow.

 

Dave Bittner: So this happens on places like Craigslist or Facebook Marketplace. These happen in particular because there's little oversight compared to Airbnb. But Joe is exactly right. They'll take the video that you send them. Then they create their own rental ad. Then strangers look at this place. They say, Oh, I want to rent this place. They send a deposit. They show up to get their keys. There's nobody there. Perhaps there's someone living there who is very confused as to why someone has knocked on their front door looking to rent the place.

 

Joe Carrigan: Or perhaps somebody has already rented this Airbnb from somebody else and --

 

Dave Bittner: Yeah. Very often they target folks who are moving from out of town, so they don't have the opportunity to visit the place in person ahead of time. So that was proposed as one of the scams. The third and final update on this is -- refers to a YouTuber who goes by the name Pleasant Green who did a video on pig butchering. And the person writing this story says, This is most certainly a pig butchering scheme. The person is following all the methods in that script except for two things. First, they've gotten much more sophisticated, making a WhatsApp video call with an AI filter and AI voice changer was very convincing. Secondly, they aren't using a crypto investment scam yet.

 

Joe Carrigan: Right.

 

Dave Bittner: But this might be heading towards some other business investment scam because she keeps talking about her medical device sales business. The YouTube Pleasant Green said the fattening part of the scheme lasts about a week, so I'll have to endure her daily love letters a few more days to see what the slaughterhouse looks like.

 

Joe Carrigan: Just be careful.

 

Maria Varmazis: -- during liturgical camp calendar. Yeah.

 

Joe Carrigan: That is a slaughterhouse, and you are the pig so just, yeah. Be very, very careful here.

 

Dave Bittner: Yeah.

 

Maria Varmazis: They know what they're doing.

 

Dave Bittner: So, I mean, it's an interesting story. We always say you kind of, you know, take things in your own hands is very risky because the people you're up against here do this every day.

 

Joe Carrigan: Right.

 

Dave Bittner: And chances are they're better at it than you are. But, in this case, seems like this person has a village of Airbnb folks behind them. So they're onto it. And, hopefully, you know, all things will all end up well. But it's an interesting tale and hopefully comes to a good outcome. So I'm really glad our listener sent this to us. This is one I hadn't really heard of before.

 

Joe Carrigan: I have not heard of it, either. It's kind of new to me. But, you know, these guys are going to find ways to scam everything. It looks like -- it looks to me like they're doing like three or four different things here.

 

Dave Bittner: Could be.

 

Joe Carrigan: It could be that they're doing all of it, right?

 

Dave Bittner: Yeah.

 

Joe Carrigan: Like, they're setting up the fake -- the fake rental. They're also, Hey, while I got you here, why don't I try to lure you with the young, attractive Asian girl. And it's -- it's always, in everything I've seen, for some reason it's young, attractive, Asian women.

 

Dave Bittner: Yeah.

 

Joe Carrigan: I'm still trying to figure out why that is.

 

Dave Bittner: You know, I'm going to get in trouble for thinking about this. But I was thinking about this. I was trying to ponder, like, why -- because you're right. The fact of the matter is, it is always -- on these global scams, it is always young, attractive Asian women.

 

Joe Carrigan: Right.

 

Dave Bittner: So here's my question that is wrong. And, Maria, please tell me if I'm stepping out of bounds here.

 

Maria Varmazis: I'm probably the last person to say so, Dave, but okay.

 

Dave Bittner: Is the young, attractive Asian woman the universal beautiful woman around the globe, right? Do you see where I'm getting here? Like --

 

Joe Carrigan: You're saying maybe -- maybe -- maybe that has the broadest appeal.

 

Dave Bittner: Like, what is a -- Type O blood is the universal donor, right? Like, is to all people of all races, colors, and creeds around the globe, is a young Asian woman considered universally attractive? I don't know the answer to that. But it seems like a plausible explanation for why it always is because, if they don't -- in other words, these scammers aren't getting any pushback, you know that's saying, Oh, sorry. You're not my type, right? Very quickly they're going to learn --

 

Joe Carrigan: Right.

 

Dave Bittner: -- that this is an image that works around the world.

 

Joe Carrigan: Right.

 

Dave Bittner: And so I wonder about that. I don't have a good answer. I could be completely wrong, and it could be something else.

 

Maria Varmazis: Say the top 10.

 

Dave Bittner: What's that, Maria?

 

Maria Varmazis: I think that type is in the top 10. But, I mean, I -- it's certainly -- if they've been doing it this long, it's working for some reason. So I was going more with, if these pig butchering scams are originating in Asia, it may be an impersonation that is closer to home --

 

Dave Bittner: Right. Yeah.

 

Maria Varmazis: -- also. But, yeah.

 

Joe Carrigan: That is also a good possibility. Also, the region, the Asian region is densely populated.

 

Maria Varmazis: Huge. Yeah.

 

Dave Bittner: Yeah.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: A lot of the world's population. Now, not all of them are Asians like we're, you know, discussing. You know, people of Chinese, Japanese, Korean, Vietnamese descent, you know, they're --

 

Dave Bittner: Asia's a big place.

 

Joe Carrigan: Asia's a big place.

 

Maria Varmazis: Yes.

 

Joe Carrigan: And people look there -- people are very diverse from that area.

 

Dave Bittner: Yeah.

 

Joe Carrigan: So -- but the question, the question still sticks in the back of my mind. Why is it? I mean, why is it like that?

 

Dave Bittner: Yeah.

 

Joe Carrigan: And it's -- I don't know that there's -- that there's a valid reason for it, or maybe there is.

 

Maria Varmazis: I guarantee they did, like, rudimentary A/B testing; and they found that that is what works the best.

 

Joe Carrigan: That is what works, what has the highest success rate.

 

Maria Varmazis: Yep. They just --

 

Joe Carrigan: You're absolutely right. Yep.

 

Dave Bittner: All right. Well, we will have a link to that Reddit thread in the show notes. Joe, Maria, it is time to move on to our Catch of the Day. [ SOUNDBITE OF REELING IN FISHING LINE ]

 

Joe Carrigan: Dave, our Catch of the Day comes from William. And it's alleging to be an email that was automatically generated, but it's a crypto scam, Dave.

 

Dave Bittner: Oh. All right.

 

Maria Varmazis: Spoiler alert.

 

Dave Bittner: Yeah. All right. It goes like this. Dear user, action required. We have detected a critical security vulnerability affecting the integrity of your seed phrases. Your funds are at risk and could be withdrawn at any time without your authorization. Taking prompt action is mandatory to secure your digital assets. What you must do: Generate a new seed phrase. Use the secure QR code below to generate a new seed phrase unique to your account. This process is critical to ensuring your funds are protected. Scan the QR code to begin the process. Maintain vigilance. Regularly monitor your accounts for unusual activity, and ensure you follow best practices for securing your wallets. Why this is important: Failure to update your seed phrase immediately may result in unauthorized access and potential loss of your digital assets. This update is mandatory to safeguard your holdings. Then it has contact information.

 

Joe Carrigan: Right. So William says, Two things stood out to me because of this one. I consider solicited -- unsolicited QR codes immediately suspicious, which is good, as do I.

 

Dave Bittner: Yeah.

 

Maria Varmazis: Good.

 

Joe Carrigan: And the other thing is -- William says, I don't have any crypto. So sending me this message that my cryptocurrency is at risk shows me it must be some kind of -- some kind of scam.

 

Dave Bittner: Well --

 

Maria Varmazis: Stands to reason. I mean --

 

Joe Carrigan: It is.

 

Dave Bittner: Can either of you help explain this to me? Because I don't have any crypto, and I've never used any crypto. Obviously, I know crypto uses things like seed phrases and so on and so forth.

 

Joe Carrigan: No, it doesn't, actually, Dave. That's a misnomer.

 

Dave Bittner: Oh.

 

Joe Carrigan: So I was going to ask you guys --

 

Dave Bittner: Am I going to regret asking you this, Joe?

 

Joe Carrigan: No. Well, maybe.

 

Maria Varmazis: As I've often said, everything I know is against my will. All right. Buckle in. Strap in.

 

Joe Carrigan: First off, there are two ways you can hold cryptocurrency. You can hold it yourself --

 

Dave Bittner: Yeah.

 

Joe Carrigan: -- in some kind of crypto wallet.

 

Dave Bittner: Yeah.

 

Joe Carrigan: Or you can hold it at some kind of exchange.

 

Dave Bittner: Right.

 

Joe Carrigan: Now, if you hold it at an exchange, you don't have a wallet; you have an account.

 

Dave Bittner: Okay.

 

Joe Carrigan: That's vastly different. So you won't have a -- what this guy is calling a seed phrase, but it's actually not a seed phrase. A seed is -- in cryptography is something different from what this is.

 

Dave Bittner: Okay.

 

Joe Carrigan: But what they're referencing is your recovery phrase.

 

Dave Bittner: Oh.

 

Joe Carrigan: So you -- if you have a wallet, like, I have a wallet with a small amount of crypto on my phone --

 

Dave Bittner: Yeah.

 

Joe Carrigan: -- just so I can show people how much BitcoinZ I have, which is essentially worthless. But, anyway, they go, Ooh! Really. That much. Yeah. I'm a crypto millionaire, baby. And how much is that worth? About $9. So that wallet has a recovery phrase that is just a bunch of words that you can write down.

 

Dave Bittner: Okay.

 

Joe Carrigan: But those words map to bits of your private key.

 

Dave Bittner: Okay.

 

Joe Carrigan: So what this is, is they're trying to get you to use -- I'm guessing here, but it looks like they're trying to get you to use a different private key, one that they have knowledge of by going to this -- this website.

 

Dave Bittner: I see.

 

Joe Carrigan: Right. So they're going to tell you, here's your new -- here's your new seed phrase. And all that's going to do is give you a new private key on a wallet.

 

Dave Bittner: Right.

 

Joe Carrigan: And then you -- then they say, transfer all of your crypto to the wallet with the new seed phrase. But they -- because they have this recover -- it's not a seed phrase at all. But because they have this, the same private keys, as soon as you do that, they have access to it. And then they snatch it, and it goes away.

 

Dave Bittner: I see.

 

Joe Carrigan: And that's it. That's -- I think that's the scam here.

 

Dave Bittner: All right. Well, very good. So beware.

 

Joe Carrigan: I'm sure everybody absolutely understands 100% of what I just said.

 

Maria Varmazis: I gotta tell you, I -- I was given some crypto some years ago. And I'm sure it's worth a ton more than it was when I sold it. But, like, the first thing I did was sell it.

 

Dave Bittner: Oh, really.

 

Maria Varmazis: I cannot be bothered. I just cannot be bothered. And it was -- it was worth a decent amount of money at the time. It was actually given to me as a gift when my daughter was born. And, yeah. So it's -- it was some time ago, and I'm sure that it was worth a ton.

 

Joe Carrigan: Somebody offered to give me a bitcoin back in 2016 when it was like $600. And I was like, No. I'll just do this out of the goodness of my heart. I should have taken the bitcoin --

 

Dave Bittner: Yeah.

 

Joe Carrigan: -- because that would now be worth 100 grand or something.

 

Dave Bittner: No. Yeah.

 

Maria Varmazis: I still have the Opendime. I was just looking for it as you were telling this. I was -- I have -- I still have the actual physical device they gave me the bitcoin on, like that -- you know what I mean. It's like the -- it's the Opendime device.

 

Joe Carrigan: It's a physical wallet. Yeah.

 

Maria Varmazis: Yeah. I still have it. It's -- it probably still has a few cents on it. And I'm just like now I'm wondering. But I just -- I couldn't be bothered to learn all this that you were describing. I'm just going, I don't -- I hate even knowing what I know about regular mutual funds and index funds. I don't want to add this to my knowledge. I just don't want it. Pass.

 

Joe Carrigan: I love that stuff. I don't know. Maybe growing up in a financing household, I just -- you know, we used to talk about money at the dinner table.

 

Dave Bittner: Yeah. That explains a lot.

 

Joe Carrigan: Yeah. We would have conversation about bonds and coupons and -- and, you know, the value of these things, you know, because that's what my dad did for a living. So that's all -- you know. That was dinner table conversation.

 

Dave Bittner: Yes. All right. All right. Well, thank you, William, for sending that in. We do appreciate it. And, again, if you have something you'd like us to consider for the show, you can email us. It's HackingHumans@n2k.com. And that is Hacking Humans brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to HackingHumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tré Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Joe Carrigan: I'm Joe Carrigan.

 

Maria Varmazis: And I'm Maria Varmazis.

 

Dave Bittner: Thanks for listening.