Hacking Humans 1.30.25
Ep 323 | 1.30.25

Despicable donation request scamming.

Transcript

Dave Bittner: Hello everyone and welcome to N2K CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hi Joe.

 

Joe Carrigan: Hi Dave.

 

Dave Bittner: And our N2K colleague and host of the "T-Minus" space daily podcast, Maria Varmazis. Hello, Maria.

 

Maria Varmazis: Hello, hi.

 

Dave Bittner: We've got some good stories to share this week, but we will be right back after this message from our sponsor. All right, we have no follow-up today, so we're going to jump right into our stories, and I'm going to do the honors this week. This is actually a story from an organization called Ampyx Cyber, a cyber security company, but they have kind of like a scam reporter on staff, who kind of does awareness videos about scams. And this is one I had not seen before. This is about artificial intelligence-generated fake people selling scammy goods online.

 

Joe Carrigan: Are the goods real?

 

Dave Bittner: Well, we'll get to that.

 

Joe Carrigan: Okay.

 

Maria Varmazis: All right.

 

Dave Bittner: There are goods. Whether or not they're good goods --

 

Joe Carrigan: Right.

 

Dave Bittner: -- we're going to get to. So, what this comes down to is someone pretending to have a leather goods store online. And we're talking about a leather artisan named Grace, who puts in her ads that after more than three decades of artisan leather work, Grace is hanging up her tool belt. She's worked her career and it's time to retire, but before she does, she's putting everything on sale.

 

Maria Varmazis: Oh, how generous.

 

Dave Bittner: A really, a good, good sale. So you could get up to 80% off these amazing leather bags. Now, Grace, I don't know if you guys could click through to the link I put in the show notes. Grace is a fine looking, I'd say older woman. She has silver hair. She has a very nice smile. Looks like someone you would enjoy having a conversation with, as someone you could put your trust in. Nothing, no red flags about Grace herself, but of course, Grace is not real.

 

Joe Carrigan: Grace doesn't exist?

 

Dave Bittner: Grace does not exist, no. And in this image, she's wearing what you would expect a leather worker to wear. She's got kind of a leather smock on, she's got some work gloves.

 

Joe Carrigan: It does seem to me like she's missing a finger in this picture.

 

Maria Varmazis: She looks like an aged up version of Princess Catherine, now that I look at it.

 

Dave Bittner: Oh, okay. I'll take your word for it.

 

Maria Varmazis: I look at her --

 

Joe Carrigan: I'll have to take your word for that as well.

 

Maria Varmazis: I'm not, like, a big royal watcher, but it just struck me immediately. I'm like, She looks, her face looks almost exactly like her. Just eerie.

 

Dave Bittner: Okay. Yeah, okay. Well, I'd say, I mean, she looks, she's looking right at the camera. She appears to be someone who has confidence, right? Certain amount of style. So again, this is someone I would put my trust in. No red flags about Grace herself.

 

Maria Varmazis: No hesitation? Just definitely?

 

Dave Bittner: No hesitation. Yeah.

 

Joe Carrigan: Except I'm still wondering how she lost that finger.

 

Dave Bittner: Yeah. Well, I mean, she's a leather worker, you know?

 

Joe Carrigan: Right.

 

Dave Bittner: That tracks.

 

Joe Carrigan: Cut it off with the leather scissors.

 

Dave Bittner: Right. It's like, what's the thing about to have confidence in your shop teacher, they should have all of their fingers. So what happens is these ads pop up in your social media feed, and specifically Facebook and Instagram. And as I said, she's shutting down her workshop after 34 years, but you can own a piece of her legacy. She says, Our handcrafted leather bags are not just accessories, they're statements of style and quality. Each one tells a story, not just of leather and design, but of dedication, passion, and the journey we've been on together.

 

Joe Carrigan: You know --

 

Maria Varmazis: Together?

 

Joe Carrigan: Hold on.

 

Maria Varmazis: I just met you, Grace.

 

Joe Carrigan: You're right. This sounds to me like every artisan, I mean, it sounds like whatever AI is doing this is pulling from all the artisan crap that's already out there as its training data.

 

Dave Bittner: Yeah.

 

Joe Carrigan: You know, no, there is no story behind this bag. I, you know, there isn't a story behind the bag until I buy the bag and take the bag with me everywhere. Like, my big backpack, we talk about that all the time.

 

Maria Varmazis: Yes.

 

Joe Carrigan: Why do we talk about that? Because I've had it for 10 years, it is Joe's backpack.

 

Dave Bittner: Right.

 

Maria Varmazis: Even I know about your backpack. Right. I've learned.

 

Dave Bittner: You need a backpack sherpa is what you need, Joe.

 

Joe Carrigan: Right. So, I mean, so it sounds to me like the AI is just pulling from similar, similar, you know, sales marketing stuff.

 

Dave Bittner: I think that's exactly right. I mean, it's kind of, what was the joke? What was the J. Peterson on Seinfeld? All of the, they had similar descriptions, all the products.

 

Maria Varmazis: Oh my God, the catalogs. Yes.

 

Joe Carrigan: Right. That's the one where, that's the same place where Elaine starts getting comma-happy in one episode, right?

 

Dave Bittner: Yeah, yeah.

 

Maria Varmazis: Dang, I haven't thought about that in a while, yeah.

 

Dave Bittner: As this article points out, Grace is fake. Deep fake analysis shows that the images of her are very likely generated by AI. She actually speaks in some of the ads because there are video clips, and people are pretty convinced that that's AI generated as well. So what do you guys suppose happens if you decide to buy one of these bags that are 80% off? So just for example, bags that once listed as high as $695 now sell for $139.95.

 

Joe Carrigan: You get one of two things. Either you get nothing --

 

Dave Bittner: Yeah.

 

Joe Carrigan: Or you get, like, a $20 bag out of somewhere in Asia or Bangladesh. Or, well, Bangladesh isn't Asia but, you know, it, where these things are made and they just make some kind of bag that looks generic like it would be artisan, and then you get that and it costs the company 20 bucks and they sell it to you for a hundred and some odd dollars.

 

Dave Bittner: Yes. Maria?

 

Maria Varmazis: That sounds about right.

 

Dave Bittner: You concur? Ding ding ding!

 

Maria Varmazis: Yes, I would concur with that, yep.

 

Dave Bittner: That is exactly what happens. You do get a bag.

 

Maria Varmazis: Oh.

 

Dave Bittner: But the bag you receive is made out of plastic, not leather.

 

Joe Carrigan: Oh, it's not even that good. So it's not even like a --

 

Dave Bittner: No.

 

Maria Varmazis: It's vegan leather, right?

 

Joe Carrigan: It's not the knock-off.

 

Dave Bittner: They have a term, PU leather.

 

Maria Varmazis: PU leather!

 

Dave Bittner: And then PU stinks. Right. Which is, like, poly --

 

Joe Carrigan: It's just polyurethane.

 

Dave Bittner: Is that what PU is?

 

Joe Carrigan: Yeah, probably polyurethane.

 

Maria Varmazis: Yeah, plastic. Plastic leather.

 

Dave Bittner: Yeah, polyurethane. So it's plastic leather. You remember back in the day, Joe, we called it pleather.

 

Joe Carrigan: You're right. We had pants made out of that.

 

Dave Bittner: Right, right.

 

Joe Carrigan: They were hot. Not breathable, pleather. Yeah.

 

Maria Varmazis: Literally.

 

Dave Bittner: In your heavy metal band days, Joe, did you ever have pleather pants when you were on stage?

 

Joe Carrigan: No, I was not the pleather band kind of heavy metal guy. I was the jeans kind of heavy metal guy.

 

Dave Bittner: Got you.

 

Maria Varmazis: Got you.

 

Joe Carrigan: Yeah.

 

Dave Bittner: So there are lots of complaints about these. People say things like, If I could give zero stars, I would. Not leather. Nothing like the image or description on the website. Total trash vinyl, not leather. Smell horrible. So there's the PU.

 

Joe Carrigan: Right.

 

Dave Bittner: So, these organizations got an F rating from the Better Business Bureau because the ads are deceptive. But if you try to return this, that is very troublesome because --

 

Joe Carrigan: There's no way to do that, I'm sure.

 

Dave Bittner: There's a way to do it, but you have to send the bag back to China, which is where the bag was made. Joe, you called that. This is not an artisan craftsperson here.

 

Joe Carrigan: Right.

 

Dave Bittner: You know, like, I imagine, like, we're all imagining a little shop somewhere in the suburbs of Boston.

 

Joe Carrigan: Right. Right, like the Old Yankee Workshop. Right.

 

Maria Varmazis: The Old Yankee Workshop. The guy in his van out back working on his leather.

 

Dave Bittner: Right, exactly.

 

Joe Carrigan: That was a woodworking show, Yankee Workshop.

 

Dave Bittner: It was, yes.

 

Maria Varmazis: And it was the "New Yankee Workshop", which was always on after "This Old House".

 

Joe Carrigan: Right.

 

Dave Bittner: Exactly. But before we begin, let's take a moment to talk about shop safety.

 

Joe Carrigan: I will say this, the "New Yankee Workshop" guy never really talked about safety a lot because, you know, he didn't have power tools. It was all hand tools.

 

Maria Varmazis: Is that show, really? Anyway.

 

Dave Bittner: No, not really. "New Yankee Workshop" had lots of power tools. I don't know what you're thinking of, Joe, but it's not that show.

 

Joe Carrigan: No, no, no. What am I thinking of then? What's the guy --

 

Dave Bittner: I don't know. Okay. I don't know.

 

Maria Varmazis: He had, like, all power tools. His collection was the envy of everyone I know who does woodworking.

 

Dave Bittner: Yeah, yeah. I mean, that shop was something to be seen.

 

Maria Varmazis: Yeah.

 

Dave Bittner: Absolutely. No sawdust floating around in that.

 

Maria Varmazis: No. Yeah, sorry, I was like, I dispute that, sir.

 

Dave Bittner: So, there's other scammy things about this. If you try to initiate a return, they make it look like you're contacting PayPal, but it's not actually PayPal. It's a page on their website that looks like PayPal but isn't. The people who wrote this article tried to get in direct touch with the folks who are running this operation, and they insist that it's all on the up and up and these people really exist and blah blah blah.

 

Maria Varmazis: That's worse somehow.

 

Dave Bittner: But obviously, yeah, it's not true.

 

Joe Carrigan: Right.

 

Dave Bittner: So the bags are low-quality bags, mass produced, made out of plastic in China. And if you buy one and try to return it, it is -- you have to jump through lots of hoops, send it back to China, and you'll only get a fraction of what you paid for it. So these folks who wrote this article also reached out to Facebook and Instagram, where the ads are largely running.

 

Joe Carrigan: Oh, boy. Let me guess.

 

Maria Varmazis: Should have had a lot of luck. Sure it went real well.

 

Dave Bittner: Yeah, no luck there.

 

Maria Varmazis: I'm shocked.

 

Dave Bittner: But it is interesting that there are dozens of stores, and I'm putting scare quotes around stores, that are spun up with this whole Grace scam.

 

Joe Carrigan: Grace being the model's name.

 

Dave Bittner: Grace being the model's name, yeah. So it's multiple stores that are spun up doing this, and evidently it works. It's a scam that works. So be mindful. We will have a link to the story in the show notes. There's also a helpful video here that kind of takes you through it, if you want to see the videos that the scammers are putting up that is using the AI to try to convince you to buy this. You can take a look. So buyer beware, and that is my story this week. We will, as I say, we will have a link in the show notes. Joe, you're up next. What do you got for us?

 

Joe Carrigan: So first off, I would like to say, No, I was not thinking of the "New Yankee Workshop". I was thinking of the "Woodwright Shop" --

 

Maria Varmazis: Oh.

 

Dave Bittner: Okay.

 

Joe Carrigan: -- which is the guy I used to love to watch.

 

Maria Varmazis: Okay.

 

Joe Carrigan: He did everything with old-style hand tools. And because of that, didn't really talk a lot about safety, although I guess when he was swinging that axe between his feet. That's a, it was a great show.

 

Dave Bittner: Yeah.

 

Joe Carrigan: I loved it. I mean, it's like, it was like that and Bob Ross. I could watch either one of those things --

 

Dave Bittner: Okay.

 

Joe Carrigan: -- for a whole day.

 

Dave Bittner: Very gratifying.

 

Joe Carrigan: Yes.

 

Dave Bittner: Just watch, yeah. Yeah.

 

Joe Carrigan: So I kind of went down a rabbit hole with my story, because I wound up with the first story which is we're going to put a link to both these stories in the show notes. They're both from CBS News. This first one is from Sheena Samu at CBS, and it is talking about the sentencing of six people in a romance scam. So one of the women, or actually the one woman that was sentenced, her name is Jennifer Gosha. She is a former US Post Office employee and Iraqi veteran who was sentenced to three years of probation, plus, with the first six months being on house arrest with limited movement for her involvement in the fraud case. Now, I'm going to come back to the victims, to the victim here, because that's the rabbit hole I went down.

 

Dave Bittner: Okay.

 

Joe Carrigan: But the other two people that were sentenced were both Nigerian nationals. One pled guilty and got 10 years. The other one pled not guilty and was convicted on all accounts, all counts, rather, and got twenty years in prison.

 

Dave Bittner: Wow.

 

Joe Carrigan: The reason that Miss Gosha only got six months was because she was kind of duped into this by her ex-boyfriend who was one of the scammers. And she says she regretted "getting sucked into this dumbass scheme". Quote from her.

 

Maria Varmazis: Oh. All right.

 

Dave Bittner: Eloquent testimony.

 

Joe Carrigan: Right. It doesn't say. So, okay, yes, I will agree with that. But one of the victims connected to this scam was Laura Kowal. And then they link to another story where they talk about Kowal's disappearance. She was a retired healthcare executive from Galena, Illinois, and this group of people, Kowal got involved in a romance scam through Match.com with somebody who called themselves Frank Borg. Resistance is futile. I had to say it, Dave. I had to say it.

 

Dave Bittner: I know. If you didn't, then Maria was.

 

Maria Varmazis: I was thinking it.

 

Joe Carrigan: And what started out as a telephone romance quickly increased to more and more desperate requests for money. At first, Ms. Kowal sent money willingly. She was a widow, by the way, and later it appeared that she was being coerced, and over two years they wound up getting $2 million out of Ms. Kowal.

 

Dave Bittner: Holy smokes.

 

Joe Carrigan: So, the story that this story links to talks about her disappearance and her unfortunate eventual death. So, what happened is she wound up, they found her car near a river, and further downstream they found her body. And her daughter is very involved in this case in doing all kinds of work to try to find out what happened. But the police have classified this as a suicide. However, there's weird stuff going on. Like, her last text message to one of our friends was, "All is fine" or "Everything's okay" or something like that. Which may or may not indicate suicide, but in her car, they found the packaging for a cell phone, a burner phone, that she didn't have in her possession, which is kind of strange. But she started getting involved as a money mule after she had been scammed out of the money. And I think, I don't know, maybe her daughter suspects that at some point in time, she said, I can't do this anymore, and maybe this was not a suicide. So, it's an interesting couple of stories. We'll put links to both of them in the show notes. But the first story is the good news, that somebody has been punished for this and a couple of people are getting a good amount of time out of this, 10 years and 20 years. The judge did note that the woman who only got six months was not really all that involved in it as well and may have also been coerced into it. So, you know, the funny, what strikes me about this whole set of stories is you don't really think about what happens after the romance scam and how there's really an opportunity here for someone who's malicious to just move in and go, Well, you know what, maybe we can help you out. Maybe you can make some money back. Maybe you can start doing this for us and moving the money around. Now, these guys are all based out of I think it says West Africa, but they're probably out of Nigeria. And another one says here Ghana. Yeah, so the money eventually winds up over in Africa somewhere.
And it's, you know, we know that there are tons of groups over there. We know that the Nigerian government is actually pretty cooperative with the United States in extraditing these guys. I'm quite sure that's how these two Nigerian nationals wound up over here to get tried and sentenced. If you think you hate Nigerian scammers, try being Nigerian and in the government over there. They really don't like it.

 

Maria Varmazis: Yeah, I can imagine.

 

Joe Carrigan: It's not something, they want to help and get these guys busted as quickly as they can.

 

Dave Bittner: Right.

 

Joe Carrigan: So they're very happy in getting them extradited. But the fear and the coercion, I want to get back to that, that once you've been victimized by these guys, they continue to victimize people by coercing them and then having them become the legs here in the United States for getting the money and moving it around and sending it back to Nigeria. And there's tons of ways once you get a mule that you can do that. And if you don't care about the mule, if the mule is expendable to you, you can even have them commit crimes that will eventually get them caught, and then you just move on to another mule. So I don't know, how do you defend yourself against this? I mean, there's all the telltale signs of the romance scam in all these stories. But again, we've talked about this as well, that once, when these people are in the thrall of these scammers, it's really difficult to talk them out of it.

 

Maria Varmazis: Yeah. Yes.

 

Joe Carrigan: You know, I don't know maybe there's got to be done into this, into what the most effective way to do this is, and hopefully it doesn't just involve you losing all your money as the victim.

 

Maria Varmazis: Or being re-victimized, right.

 

Joe Carrigan: Or being re-victimized, exactly.

 

Dave Bittner: Right, right. Yeah, you think about what it must do to someone's feelings of self-esteem and self-worth and all that sort of thing to have lost that much money --

 

Joe Carrigan: Right.

 

Dave Bittner: -- and to have to face your family.

 

Joe Carrigan: Yeah.

 

Maria Varmazis: Yeah, it's an existential crisis, like how do you pay your bills? You've got to do something to fix this, right? I'm sure a lot of people are in a tailspin after this has happened and they're trying to fix it. I wonder, for people who've gone to the press with their stories about their romance scams, also, I'm hoping, has anyone clued them in to them, this being a possibility for being reached out to by the scammers as a follow-up?

 

Joe Carrigan: Yeah, I don't know about that specifically. So, like, when you come forward, I think that once you come forward, I don't know, maybe you're more inoculated than the average person against these kind of things.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: But there are follow-on scams that happen to people, but usually it's not when they've been when they've come forward and they go, You know what, I got scammed. There was a story a couple of weeks ago about a, I think it was a French woman they got scammed by the Brad Pitt scam. You know, I'm Brad Pitt and I'm in the hospital?

 

Maria Varmazis: Did we cover that? I want to say --

 

Dave Bittner: No, we didn't.

 

Maria Varmazis: No, we didn't.

 

Joe Carrigan: This French newspaper took it down because people began haranguing her and blaming her.

 

Maria Varmazis: That helps.

 

Joe Carrigan: Yeah, exactly.

 

Maria Varmazis: Well, maybe the discussion needs to be for those of us who talk about stuff like this that we need to add this into how we discuss things about romance scams. Saying, you know, even after you think the scam is done, there can be sort of this even more awful next step.

 

Joe Carrigan: There are follow-on scams.

 

Maria Varmazis: Yeah, because I don't know if people are aware that this is even a thing. One would hope that people's awareness would be higher after experiencing this scam, but as we've often covered, oftentimes it's families are involved and they're trying to help and, you know, emotions are caught up in this. So do people's families even understand that there could be a follow-on scam? I mean, gosh, it'd make a bad situation worse.

 

Dave Bittner: Yeah.

 

Maria Varmazis: But again, that instinct comes into play with wanting to fix the problem that maybe you started, and it just gets you in a deeper hole. So maybe that just needs to be part of our conversations, not just here, but more broadly.

 

Dave Bittner: Yeah.

 

Joe Carrigan: Right.

 

Dave Bittner: The only other thing I'll add is that if you feel as though you have a strong enough relationship to do so, you can set up alerts on your loved one's bank accounts.

 

Joe Carrigan: Right, if they let you.

 

Dave Bittner: If they let you, right. So, you can say, if a transaction larger than this amount occurs, let me know.

 

Joe Carrigan: Right.

 

Dave Bittner: And so that's a way to help with this sort of thing. But not everyone, you know, money is a funny thing, right? People have a tremendous amount of privacy when it comes to money, and it's just one of those things that people don't always like to share information or access to. And that's understandable.

 

Joe Carrigan: Yeah.

 

Dave Bittner: But particularly as someone gets older and, you know, if you're a family member looking to help protect their nest egg, hopefully you can make the case to say, Look, I want to do this to help protect you.

 

Joe Carrigan: Right.

 

Dave Bittner: So.

 

Joe Carrigan: Maybe there's a place for a creative banking product here, where your bank is now somehow responsible for the management of the money and if they think that you're getting scammed and they see the evidence of it, then they can just say no, we're not sending this money to these people because we think you're getting scammed.

 

Dave Bittner: Right.

 

Maria Varmazis: I'm sure that will go over well.

 

Joe Carrigan: Yeah, I mean --

 

Maria Varmazis: I understand though.

 

Dave Bittner: Yeah, I mean, that's the thing. You're an adult, it's your money.

 

Joe Carrigan: Right. You know. Yeah.

 

Dave Bittner: But, you know, do whatever you want with it.

 

Joe Carrigan: What would you call that? It wouldn't be a custodial account, but it would be some kind of protective account? I don't know, because as we age --

 

Maria Varmazis: You mean just like a pause? Just like, Hey, just, you know, we're not going to say you can't do this. But we're just going to maybe say you've got to wait 48 hours or something or.

 

Dave Bittner: Yeah, there's a cooling off period.

 

Maria Varmazis: Cooling off period. But I'm thinking also --

 

Joe Carrigan: For your family members to buy in.

 

Maria Varmazis: Yeah. Well, I mean, what about people who are going through all this and their family has no idea. A lot of times people go --

 

Joe Carrigan: Right.

 

Maria Varmazis: -- through these romance scams, they get scammed, and then it becomes shame. They don't talk about it anywhere and, you know, they don't reveal it and they go, Okay, well, I got scammed I got taken but I don't need to tell anyone. Again, are they aware that there's actually a follow-on that could be coming days, weeks later? So I think this needs to be part of the discussion.

 

Dave Bittner: Yeah. All right. Well, we will have links to both of the parts of this story in our show notes. Let's take a quick break to hear a message from our sponsor. And we are back. Maria, you are up. What do you have to share for us this week?

 

Maria Varmazis: Well, no murder mysteries. We're going to get to the heart of what really matters right now. I'm going to talk about restaurants and Restaurant Week and reservations.

 

Dave Bittner: Oh, all right.

 

Maria Varmazis: That's something completely different. So the last five or so plus years, due to me being a parent of a young kid plus the pandemic, I have not been eating out at restaurants nearly as much as I used to when I was in my 20s. But the landscape of making a reservation at a restaurant has changed so much. It was never, you know, at popular places, it was never super easy, but usually it was, like, you call or you use an online reservation system and you could usually find something. I have found, at least for me in the last year or so, going up to a restaurant that looks completely empty with a group of four-plus people and being told, Actually, we're completely booked, even though there's nobody in the restaurant.

 

Dave Bittner: Right.

 

Maria Varmazis: And if you're lucky, you get maybe a table in the back and that restaurant just never fills up. And I've been trying to figure out.

 

Joe Carrigan: They just don't want you in the restaurant.

 

Maria Varmazis: Yeah, I smell, that's actually what it is.

 

Joe Carrigan: I get that a lot, actually.

 

Maria Varmazis: Yeah, it happens to me every single time. What's going on with that?

 

Joe Carrigan: Right.

 

Maria Varmazis: And it's something I've been talking with my friends about. We've all been sort of noticing this anecdotally. And we all stumbled upon something, finding out that there's a whole sort of black market auction system for reservations that's been happening with the ease of making online reservations at popular restaurants. So, for example, there's a Tiki restaurant in the Boston area that I love that's really tiny. I mean, it's literally right up the side of a bus station in Harvard Square. It can only fit a very small amount of people every day. And getting a reservation at this place is never easy, but now it's nigh impossible. And I found that if I wanted to make a reservation through this auction system, it's like $500 just to place a bet that I could maybe get that reservation. So to say nothing of actually paying for it. And coincidentally, our friends at Datadome --

 

Joe Carrigan: Wait. I'm confused.

 

Maria Varmazis: This is a bidding system, yes.

 

Joe Carrigan: Right, and I have to bid, I have to put $500 of my own money, real American money --

 

Maria Varmazis: Yep.

 

Joe Carrigan: -- up? And if I don't get the reservation, am I out $500?

 

Maria Varmazis: No, I would imagine it's like an eBay auction, someone would outbid you and you just don't pay that money.

 

Joe Carrigan: Oh, oh, okay, so you have to make a bid and you don't actually pay the money, but in order to get the reservation, you're going to have to pay the 500 bucks.

 

Maria Varmazis: That is my understanding. I have never done this because I don't want to support this system, for the record.

 

Joe Carrigan: No, I think this is completely awful.

 

Dave Bittner: Is the restaurant in on this?

 

Maria Varmazis: No, this goes to a third-party broker. So here's, yeah, so there's a big black market for this stuff. And I know New York City's trying to ban things like this, but it's a war of attrition and all that kind of stuff. And our friends at Datadome, so security research coming out of Datadome, have actually been taking a look at this. So it's not just me going, What the heck? They took a look at this whole system in the context of New York City's Restaurant Week. And are you both familiar with Restaurant Week? Should I explain what this is? I'm not sure if people know.

 

Dave Bittner: I'm familiar, we have one here where we live, so I'm familiar with it, but go ahead and describe it for folks who might not be familiar.

 

Maria Varmazis: Sure thing, yeah. So the idea behind Restaurant Week, especially in New York, is twice a year for a week or so, now it's, like, two weeks at a time, all the major restaurants, or restaurants that want to bring new people in the door, they will offer a fixed price menu for that set period of time. And if you can get a reservation, you can eat an incredible fixed price meal at a really high-end restaurant that maybe you couldn't normally have afforded. When I was a student in New York City, this was the way a lot of us would get access to restaurants that were otherwise completely out of our price range. So the Datadome folks noticed that all of the online reservation systems that are used for doing Restaurant Week reservations in New York City were completely vulnerable to botnets, basically snatching up huge amounts of reservations at a time before a real person could, and then scalping them. Which in their research, they rightly point out, this actually hurts restaurants a lot, because if people aren't going to pay, you know, 500 bucks just to bid on a reservation, then suddenly that restaurant has a reservation that isn't actually going to get filled.

 

Dave Bittner: Right.

 

Maria Varmazis: So, yeah, so this isn't a thing, this is not a thing for us as the end user to necessarily do something about, but it's something that I'm sure the restaurants are very well aware of is a huge pain, and certainly it's great that these online reservation systems, I'm not going to name names, but they're very integrated in search result pages and they're very easy to sign up for, but unfortunately that means that the botnets also are finding them very, very easy to use. And Datadome is asking that maybe these online reservation systems put some kind of a speed bump in place to prevent mass signups, just so we don't have credential stuffing or mass account creations or scalper activity happening. But that would, again, that would put some friction in the signup service that is probably not as great for end users. So I don't know what the conclusion is here, but I'm just glad that other people are noticing that it is really hard to get a reservation pretty much anywhere nowadays, and it shouldn't be this darn hard. And maybe there's something going on on the black market that's making this worse. So, that is me, and I don't smell, gosh darn it.

 

Dave Bittner: I don't see how it's possibly sustainable. Like, you know, you described earlier the thing of walking into a restaurant that's mostly empty.

 

Maria Varmazis: Empty, yeah.

 

Dave Bittner: Yeah, but them saying that we're completely booked and so you luck into a table, but no one shows up for any of those. How, that's, for the restaurant that's not sustainable.

 

Joe Carrigan: Right. This is also where you could do it like a denial of service attack against a restaurant you don't like, right? Just go out and make all the reservations and then have nobody show up.

 

Maria Varmazis: Yeah. Yeah, I mean --

 

Dave Bittner: So competing restaurants are going after each other this way.

 

Joe Carrigan: Yeah.

 

Maria Varmazis: Yeah, I mean, I would love to hear from folks, and I'm sure high-end restaurants, they don't really care because they're always in demand, and this makes them even seem more exclusive, so the value of those reservations seems to go up. And when I was reading the commentary on the bidding website for, I don't want to name the website, because, again, I don't like this business model.

 

Joe Carrigan: Right.

 

Maria Varmazis: They're basically arguing that, you know, high-end hotels and their concierge services, this is essentially the kind of thing that they used to do. You know, you'd go to, like, the Ritz and walk up to the concierge and go, Can you get me a reservation at this hot restaurant? Here's some money, please make this happen. They're saying, Well, we're just taking that process and putting it online. But again, there's no friction. So bots are just like, Woo! Let's grab all of these. So yeah.

 

Dave Bittner: Right.

 

Joe Carrigan: So how much, here's my question, or maybe a proposed solution here. Although I don't know that this would work, I'm assuming that everyone, every bot making a reservation costs this company nothing.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: Is that right? Is that a good assumption?

 

Maria Varmazis: I would assume that, for next to nothing, pennies, yeah.

 

Joe Carrigan: So if a restaurant said, Okay, you're going to make a reservation with us, the average per person bill here is, say, $50, your reservation is going to cost you $25 per person --

 

Maria Varmazis: Yes.

 

Joe Carrigan: -- and if you, you know, you show up and you eat, we will apply that to your bill.

 

Maria Varmazis: Right, like a deposit.

 

Joe Carrigan: As part of the prepaid. Right, you make a deposit, essentially, and now, like, I got a table for four, I've got to put down 100 bucks.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: And does that make this intractable for the reservation company, the reservation auctions?

 

Maria Varmazis: I have seen that on reservations. Like, there's a restaurant that my husband and I love to go to for our anniversary, and they actually do that. But they are also one of the more high-end restaurants in our case in Boston, and so I think they can afford to do that. I imagine places that aren't as high-end, that would probably drive away a lot of their customers. So I think restaurants are in a really, really a bit of a bind here. Because if you're, you know, super in demand, you can do whatever you want.

 

Joe Carrigan: Right.

 

Dave Bittner: Yeah.

 

Maria Varmazis: But if you're trying to drum up business, putting up that kind of a barrier saying, Hey, pay some money up front before you've had the meal, that's a lot to ask.

 

Dave Bittner: Yeah, not great for goodwill.

 

Maria Varmazis: No, it doesn't feel great.

 

Joe Carrigan: The problem is, you know, the restaurant is, here the restaurant is not, they're not part of the problem, right?

 

Maria Varmazis: No.

 

Joe Carrigan: They're just another victim in this scam. Or, I don't know, maybe they're not victims if they're actually getting their reservation sold. But I mean, it's like ticket scalpers. These people are making money on this, on just being able, I don't like this at all.

 

Maria Varmazis: It should be free. It should be free to make a reservation. Like, I don't under, that's just a fundamental thing that makes me mad. It's like, you can't experience a new restaurant, you can't, you know, try new stuff if there's all these money barriers being thrown up in your face. You know, happy to pay a bill after I've had the meal, but don't ask me to put money down first if I don't know anything about you. So it's just, yeah.

 

Joe Carrigan: The other solution is do what all the big chain restaurants do and just don't take reservations.

 

Maria Varmazis: Right.

 

Joe Carrigan: Yeah, I hate that. I won't dine with them. If I call and I say I need to make a reservation, they'll be like, Oh, we don't take reservations. I say, I'm not eating there. Have a nice night.

 

Maria Varmazis: Yeah, there's all sorts of problems with that model, too. So, yeah. Or just take phone-only reservations.

 

Joe Carrigan: Yeah, phone-only reservations. I mean, that's how I make a reservation. I still call the restaurant and make a reservation.

 

Maria Varmazis: But that's automated with bots, too, now. Google will call you. Like, you can use that Google service that will call the restaurant on your behalf.

 

Joe Carrigan: Yeah, I don't want that either.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: I don't want any of this. Nobody asked for this.

 

Dave Bittner: Joe's just going to put his money into a good backyard grill.

 

Joe Carrigan: Right, I have a really good backyard grill. It's a Weber, it's nice. Yeah, it cooks really good. I'm not allowed to use it because I burn everything up. But my wife and son use it, and they do a really good job. I don't get to cook beef anymore. I only get to cook seafood and other things.

 

Dave Bittner: All right, we will have a link to the story in our show notes. Joe, Maria, it is time to move on to our Catch of the Day. [ Soundbite of reeling in fishline ] [ Music ]

 

Joe Carrigan: Dave, our Catch of the Day comes from the subreddit scams over on Reddit. I haven't seen this one yet, Dave.

 

Dave Bittner: Well, this is a fun one.

 

Joe Carrigan: Okay. I tell you what --

 

Maria Varmazis: Can I just tell you something? The OP is very clearly Greek. I'm looking at it.

 

Dave Bittner: Oh, is that right?

 

Maria Varmazis: Yeah.

 

Dave Bittner: Okay.

 

Maria Varmazis: There's a thing at the top that says, translate into Greek, in Greek, in the post.

 

Dave Bittner: Oh, see, I wouldn't have known that.

 

Maria Varmazis: Yeah, that's really funny. It doesn't have any relevance to the actual story, but it's just, that's making me laugh looking at that.

 

Joe Carrigan: Is that what the Greek letter is?

 

Maria Varmazis: The Google Translate thing that says translate into Greek and then in the user's name it says, Amena, which means me. So, you can --

 

Dave Bittner: Alright, well I'll tell you what, Maria, why don't you and I team up on this and I will start off, so I will be the person reaching out to you and you'll be the respondent.

 

Maria Varmazis: I'll be Amena. Sounds good. I'll do that.

 

Dave Bittner: Yes, you'll be that.

 

Maria Varmazis: I'll be that.

 

Dave Bittner: It starts off and it says, it says, Hello, I came across your campaign ad on GoGetFunding.com about needing donations for your cause, which I'm very touched by. However, I've not donated yet, but I will soon make it on your GoGetFunding campaign page once I'm done with what I'm doing. May the good Lord be with you through this hard time.

 

Maria Varmazis: Good morning. Thank you so much for your prayers and for your willing to help. It happened that I just read your email after arranging the final appointment for my baby's examination. However, we are still lacking the funds needed to travel to the clinic for the test. And just before reading your message, I texted my husband. Let's pray we'll find a way to make it happen. I am so grateful to God for answering my prayers and to you for appearing in our lives with your help. God bless you.

 

Dave Bittner: Hello, I would like to inform you that I just donated 2,000 euros to your campaign to help your cause and I hope it helps in every way possible. Furthermore, I got an email from them which I will attach a screenshot of the copy to this email, as they said the funds would not be reflected or released to your account yet. As was stated in the email, there is an error at your end and you should reach out to them at gogetfunding@programmer.net to get it resolved as soon as possible.

 

Joe Carrigan: Wait a minute. Is this two scammers working against each other?

 

Maria Varmazis: No. No, no, no.

 

Joe Carrigan: This person is actually does have a GoGetFunding.

 

Dave Bittner: Yeah. Yeah.

 

Joe Carrigan: I've got to wait for it.

 

Maria Varmazis: Yes. Yep.

 

Dave Bittner: Okay. All right. And so the attached email says, This is to inform you that Pastor Tao Zhen donated 2,000 euros to your account. Still, the donation has been placed on hold in our escrow payment system and will not be reflected on the campaign page or released into your PayPal account until the error that prompted us to withhold the donation has been resolved. Reply directly to this email to learn more about the error. We'll then walk you through every step to fix your account and release the donation to your PayPal account. We're very sorry for the inconvenience. Thanks, the GoGetFunding Team.

 

Maria Varmazis: And then they say, Hello what's wrong with my account?

 

Dave Bittner: Thanks for using GoGetFunding. This is to inform you that the donation of 2,000 euros has been made by Pastor Tao Zhen, but placed on hold by us until you have completed the biometric signature security settings. The biometric signature security settings is a procedure introduced to protect each of our platform users and also ensure the smooth flow of making and receiving donations without any issues or delay. Your account will not be activated to receive the donation that has been made to you until the biometric signature security setting has been completed by you, as it is only after then that the hold on the donation would be lifted and fully deposited into your account. Kindly reply to this email so we can walk you through the steps for completing the biometric signature security settings. Thanks, the GoGetFunding Team.

 

Maria Varmazis: Yes, please proceed. What should I do?

 

Dave Bittner: Thanks for getting back to us. To complete the biometric signature security settings, you can activate your account to receive the donation. You are required to go to the nearest store to get an Apple iTunes gift card --

 

Maria Varmazis: Oh my Lord.

 

Dave Bittner: -- of 50 euros.

 

Joe Carrigan: Did I wait for it or what? I was trying to figure out where this was going. I mean, this just takes a hard left turn to the gift card right there.

 

Maria Varmazis: Yeah, I was like, okay, okay, whaaaaat?

 

Joe Carrigan: Across three lanes of traffic.

 

Dave Bittner: Exactly. Once you've gotten the gift card, take a picture of the gift card to reveal the code on it. The card redeem code serves as an essential tool in facilitating the biometric signature security settings. Also, you are required to append your signature on a piece of paper and send a picture of it to us. You can also get the gift card online on our website, which would be delivered to your email to save you the hassles of going to the store. Once we've received the necessary information, the biometric signature security setting will be processed and completed to activate your account and receive the donation within 10 to 15 minutes along with 50 euros for the biometric signature security setting. Once the biometric setting is completed, the 2,050 euros will be released, deposited, and reflected in your PayPal account. This is the 2,000 euros and 50 euros used for the Apple iTunes gift card purchase.

 

Joe Carrigan: I see.

 

Dave Bittner: Thanks, the GoGetFunding Team.

 

Joe Carrigan: See, the fact that they're going to give you that money back makes it seem more trustworthy, Dave.

 

Dave Bittner: Yeah. Right. Yeah. And then the gift card's just kind of a middle thing, right? Just a verification.

 

Joe Carrigan: Right, right. A verification thing.

 

Dave Bittner: But, like, the two, I mean, I've made the exact same noise that both of you did when I was reading through this. When it took the hard turn into a gift card scam, I did not see that coming. That was --

 

Maria Varmazis: No.

 

Dave Bittner: -- that just came out of nowhere.

 

Maria Varmazis: So it's just sort of Pastor Tao Zhen just put a different hat on and just, I'm guessing? Because --

 

Joe Carrigan: Yeah, it's all the same guy.

 

Maria Varmazis: Oh yeah, definitely.

 

Joe Carrigan: Right.

 

Dave Bittner: Yeah. Yeah. So taking advantage of someone in need, stringing them along by saying you're going to help them, it seems like in this case it is a medical need for a child.

 

Joe Carrigan: Right.

 

Dave Bittner: So how despicable is that?

 

Joe Carrigan: Yes.

 

Dave Bittner: And then ultimately just being a lousy 50 euro gift card scam.

 

Joe Carrigan: Right. Awful. Awful.

 

Dave Bittner: Alright, well we will have a link to that in our show notes and of course we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com. [ Music ] And that is "Hacking Humans" brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tre Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Joe Carrigan: I'm Joe Carrigan.

 

Maria Varmazis: And I'm Maria Varmazis.

 

Dave Bittner: Thanks for listening. [ Music ]