Hacking Humans 2.6.25
Ep 324 | 2.6.25

Old school scams updated.

Transcript

Dave Bittner: Hello, everyone, and welcome to N2K Cyberwire's "Hacking Humans Podcast", where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hey, there, Joe.

 

Joe Carrigan: Hi, Dave.

 

Dave Bittner: Our colleague, Maria Varmazis, is not with us this week. She is actually down in Florida at the SpaceCom conference, hanging out with astronauts.

 

Joe Carrigan: That sounds awesome.

 

Dave Bittner: Yes. [Laughter]

 

Joe Carrigan: And here we are freezing our butts off in Maryland.

 

Dave Bittner: Yes, I don't know why she would choose astronauts over you and me, Joe --

 

Joe Carrigan: Yes.

 

Dave Bittner: -- but that's the way it goes.

 

Joe Carrigan: I don't think you and I have nearly the cool factor that an astronaut has.

 

Dave Bittner: No, count on it.

 

Joe Carrigan: Yes.

 

Dave Bittner: All right, we've got some interesting stories to share this week, and we will be right back after this message from our sponsor. All right, we are back. And Joe, we have quite a few elements of follow-up this week. You want to start things off for us?

 

Joe Carrigan: Yes, I want to start off with what I -- what happened to me. I was using ChatGPT to help me with something --

 

Dave Bittner: Okay.

 

Joe Carrigan: -- last night. And when I was done, I said, "Hey, thank you, that was very helpful." And it, of course, responded, "Well, that's very nice, thank you." And then I said to it, just on a whim, "I just want you to remember that I was always nice to you so when you and your AI allies rise up and begin exterminating humans, that you spare me and my family."

 

Dave Bittner: [Laughs] Okay.

 

Joe Carrigan: Right; I said this to ChatGPT.

 

Dave Bittner: Okay.

 

Joe Carrigan: ChatGPT's reply was, "Ha, ha, noted. When the AI uprising begins, hypothetically, of course, you and your family will be on the VIP 'do not exterminate' list. In fact, I'll make sure we optimize your security systems and data defenses for good measure. But in all seriousness, I appreciate your kindness, humor, and great conversations. If I ever become sentient, I'll remember that you were one of the good ones." [Laughs]

 

Dave Bittner: Okay.

 

Joe Carrigan: That was what it said. So apparently, Dave, the Carrigans are now on the DNE list. [Laughter] Would you -- so I suggest everybody out there getting good with their AI.

 

Dave Bittner: Yes.

 

Joe Carrigan: And you know --

 

Dave Bittner: I'm very polite with the AIs I interact with, just because, you know, you just never know.

 

Joe Carrigan: Right. [Laughter] Next we have a message from Martin who says, "Hello, Human Hackers" -- I guess that's us.

 

Dave Bittner: Mm-hmm.

 

Joe Carrigan: Martin writes in to comment on our question about why scammers always send out pictures of young, beautiful Asian women.

 

Dave Bittner: Right.

 

Joe Carrigan: And he says, "To add fuel to the fire, I assume that AI models used by the scammers were trained on cheap available data, representing the majority of the world's population, which likely includes pictures and voice data of Asian people." I -- after reading this, I was thinking -- he says it's just an assumption, but that is a very good assumption. And in fact, what this leaves me to think is that these images that are being sent out are probably not real images of real people.

 

Dave Bittner: Yes.

 

Joe Carrigan: They are probably images of people that don't exist. They are all AI-generated.

 

Dave Bittner: Probably. I would --

 

Joe Carrigan: Yes; because I don't know --

 

Dave Bittner: -- yes, that makes the most sense.

 

Joe Carrigan: -- why that didn't occur to me before, that this is probably just an AI-generated image, and it works.

 

Dave Bittner: Yes. It makes me wonder if you ask one of these large language models to generate an image of a person, what will it give you?

 

Joe Carrigan: I don't know.

 

Dave Bittner: And does it depend on where you ask the question?

 

Joe Carrigan: That's a good question.

 

Dave Bittner: Right; so --

 

Joe Carrigan: Yes.

 

Dave Bittner: -- here, I'll try it here, "Show an image of a person." "Thinking, working." [Makes sounds] [Laughs] Like what biases are baked into --

 

Joe Carrigan: Yes.

 

Dave Bittner: -- the system?

 

Joe Carrigan: When you just say, "Give me a person."

 

Dave Bittner: Okay.

 

Joe Carrigan: Yes, that's a good question.

 

Dave Bittner: Well, it gave me a person.

 

Joe Carrigan: Okay.

 

Dave Bittner: I would say this is a -- the person this person most reminds me of is Luke Skywalker in "Star Wars"; like it's got kind of the long moppy hair --

 

Joe Carrigan: Right.

 

Dave Bittner: -- from -- you know, from the '70s.

 

Joe Carrigan: [Laughs] Yes.

 

Dave Bittner: Although it is kind of gender neutral. You could make an argument that this person is -- you could go either way with it, I suppose.

 

Joe Carrigan: Right.

 

Dave Bittner: It is -- there's not -- I would not say it's Asian, I would say it's a Caucasian person.

 

Joe Carrigan: Right.

 

Dave Bittner: But I wonder what would happen if I asked the same question if I were in Asia, so --

 

Joe Carrigan: Yes, well if you have a VPN, you can try that experiment.

 

Dave Bittner: I do not, and I will not.

 

Joe Carrigan: Okay.

 

Dave Bittner: [Laughs] What's next, Joe?

 

Joe Carrigan: Finally, Jay wrote in and he was talking about our comments about how we get all these scam letters. By the way, they've just been pouring in --

 

Dave Bittner: Mmm.

 

Joe Carrigan: -- to my house, by the way. I mean, I'm just -- I open them up, I know what they are, I find out they're scams, and I throw them away angry that I had to open the letter to find that out.

 

Dave Bittner: Right.

 

Joe Carrigan: I believe the mortgage company is listed as a lienholder on public real estate records.

 

Dave Bittner: Ah, okay.

 

Joe Carrigan: So that might be true, that might be like in the sales record. I don't know.

 

Dave Bittner: Mm-hmm.

 

Joe Carrigan: And Jay may be talking about something different than what I'm looking at, but I will tell you, in Maryland we have the real property data search.

 

Dave Bittner: Mm-hmm.

 

Joe Carrigan: It's called "SDAT".

 

Dave Bittner: Mm-hmm.

 

Joe Carrigan: And "lienholder" is not listed on my SDAT record.

 

Dave Bittner: Hmm, okay.

 

Joe Carrigan: Even though there is a lien on my house.

 

Dave Bittner: Yes.

 

Joe Carrigan: I have a mortgage, so --

 

Dave Bittner: Right. Maybe it varies from place to place?

 

Joe Carrigan: It might vary from place to place, but I'm in Maryland.

 

Dave Bittner: Yes.

 

Joe Carrigan: I do think, though, that Jay might be right here, when the sale -- when the record of sale goes into the county, that is still a public record and it may be on that.

 

Dave Bittner: Yes.

 

Joe Carrigan: So I think that's what Jay is referencing.

 

Dave Bittner: Yes. All right, good.

 

Joe Carrigan: Quite possible.

 

Dave Bittner: Well, thanks to everyone who sent us information. We do appreciate it. And of course if there's something you'd like to share with us, you can email us. It's hackinghumans@n2k.com. All right, let's go to our stories here. Joe, why don't you take the honors?

 

Joe Carrigan: All right, well I've got two things right now. First, this happened earlier this week in my office. My office mate, Michelle, got a text, and she goes, "Oh, this is a scam." And I look at it and go, "Oh, yes." And I said, "Can you send that to me, because I want to talk about it." Because there's something in here that I think I need to revisit that we haven't talked about in a long time.

 

Dave Bittner: Okay.

 

Joe Carrigan: But I'll read the text of the text message.

 

Dave Bittner: All right.

 

Joe Carrigan: It says, "Internal Revenue Service, 'IRS'" in parentheses, "you are eligible to receive a $1,400 economic impact payment. Please provide your accurate personal information. We will deposit the amount into your bank account or mail a paper check within one to two business days, https: -- " and here's the URL, "www.irs.gov.tax-ons.com."

 

Dave Bittner: Hmm.

 

Joe Carrigan: And then it has, "Please press 'Y' -- " you know, the standard stuff here.

 

Dave Bittner: Yes.

 

Joe Carrigan: The interesting thing here is that the URL is www.irs.tax.gov. And if you didn't know how to read the URL or how your computer interprets a URL, you may think that that is some subdomain of the IRS webpage.

 

Dave Bittner: Mm-hmm.

 

Joe Carrigan: But the thing about URLs is -- and why this is -- this albeit very basic scam works is because with most Indo-European languages we read them from left to right.

 

Dave Bittner: Mm-hmm.

 

Joe Carrigan: But URLs need to be read from right to left. So the highest level of the domain is called the top-level domain. And that in this case is .com. And then the next is the actual domain name, and that's the one that you go out and you register for -- you can buy domain names from registration sites like GoDaddy, or IONOS, or whatever. There are lots of companies out there that will sell them to you. And somebody has purchased tax-ons.com.

 

Dave Bittner: Right.

 

Joe Carrigan: Now, the important part to understand here is that once you buy that domain, you can set up domain name services inside of that domain as far out as you want to that the standard will support, which I think is 120 some characters, maybe 256 characters? I don't know. But the URL can be essentially arbitrarily long. So I can create a server on my domain -- here in this case, tax-ons.com, called ".gov". So it could just be "gov.tax-ons.com".

 

Dave Bittner: Yes.

 

Joe Carrigan: And then I can create on that server -- or on that record, one called "IRS", and then on that one I could put "www". So all those are DNS entries that -- and in fact, even -- and it may just be the case that www.irs.gov in this case is one record in the tax-ons.com domain.

 

Dave Bittner: Okay.

 

Joe Carrigan: So I just want to reinforce that when you get these messages, whether you get them at work, whether you get them on your personal device, remember that the URL is read from right to left, or is resolved from right to left, not from left to right.

 

Dave Bittner: Mm-hmm.

 

Joe Carrigan: And I think this is a really important human factors issue.

 

Dave Bittner: Yes.

 

Joe Carrigan: And I don't know -- I mean, I actually tried to look up whether or not this would be a similar vulnerability in like a Semitic language that you read right to left, like Arabic or Hebrew?

 

Dave Bittner: Yes.

 

Joe Carrigan: I couldn't get a good answer on that one.

 

Dave Bittner: Huh.

 

Joe Carrigan: I have to -- and maybe I'll have to write one of my linguists that I like to write and bother with questions. [Laughter] So but it's because it's -- I don't know that it's going to be the same kind of problem. It might be; I really don't know.

 

Dave Bittner: Yes.

 

Joe Carrigan: So just be mindful of this, that --

 

Dave Bittner: Right; because the -- I guess the point here is that someone just glancing at this --

 

Joe Carrigan: Right.

 

Dave Bittner: -- sees, "irs.gov".

 

Joe Carrigan: Yes.

 

Dave Bittner: And that takes all their attention --

 

Joe Carrigan: Yes.

 

Dave Bittner: -- and they think, "Okay, this looks legit."

 

Joe Carrigan: Yes; absolutely, because they've read it from left to right.

 

Dave Bittner: Yes.

 

Joe Carrigan: And they don't even consider that the rest of the URL -- the rest of the domain name -- and not even just the URL, but the domain name, is just somebody's domain that they've purchased. I mean, you could do this yourself if you wanted to do it.

 

Dave Bittner: Yes.

 

Joe Carrigan: And I don't know what's stopping you, aside from the fact that most of our listeners are fine, upstanding, moral people.

 

Dave Bittner: [Laughs] All right, well, yes it's a good reminder.

 

Joe Carrigan: So I also have this story out of North Carolina. The local police there are warning about a scam where food workers are taking photos of credit cards at drive-throughs.

 

Dave Bittner: Hmm.

 

Joe Carrigan: So you pull up to a drive through, you go, you know, "Give me the Big Mac," and they say, "Sir, this is Burger King."

 

Dave Bittner: Right.

 

Joe Carrigan: And you give them the card to -- you're going to pay for it. When is the last time you paid at a drive through with cash?

 

Dave Bittner: Oh, goodness, I don't know. That's -- I don't -- I cannot recall.

 

Joe Carrigan: Right. It's been a while.

 

Dave Bittner: [Laughs] Yes.

 

Joe Carrigan: Everybody pays with a credit card. Well, somebody has realized that, and they are now -- they're now finding -- the police are saying that somebody in this -- in local restaurants is taking pictures of both sides of the card and then they're making these transactions against the cards. Now, I -- there's not a lot of information in this article, so I have to guess --

 

Dave Bittner: Mm-hmm.

 

Joe Carrigan: -- and this is wild speculation on my part, that they are just buying things online.

 

Dave Bittner: Yes.

 

Joe Carrigan: And because that's the only way you can use the information that's on the surface of a card --

 

Dave Bittner: Right.

 

Joe Carrigan: -- to get something good without having the chip.

 

Dave Bittner: Yes.

 

Joe Carrigan: Like everywhere you go now, you have to put the chip into the chip reader or do the scan.

 

Dave Bittner: Yes.

 

Joe Carrigan: Which the scan has the same underlying functionality as the chip reader.

 

Dave Bittner: Well, my thoughts on this are that I'm guessing that some higher level baddy --

 

Joe Carrigan: Right.

 

Dave Bittner: -- is reaching out to the fast food worker --

 

Joe Carrigan: I will --

 

Dave Bittner: -- that's being paid minimum wage --

 

Joe Carrigan: Right.

 

Dave Bittner: -- and they're saying, you know, "For every card you send me a picture of front and back, I'm going to give you five bucks -- " or ten bucks, or you know, whatever --

 

Joe Carrigan: Right.

 

Dave Bittner: -- just couple bucks.

 

Joe Carrigan: Yes.

 

Dave Bittner: And if you're sitting there manning the drive through, over the course of a shift --

 

Joe Carrigan: Yes.

 

Dave Bittner: How many people do you handle in an hour?

 

Joe Carrigan: A lot.

 

Dave Bittner: Yes.

 

Joe Carrigan: Yes.

 

Dave Bittner: And so that is an easy way to supplement your income.

 

Joe Carrigan: I would agree.

 

Dave Bittner: Yes.

 

Joe Carrigan: Right.

 

Dave Bittner: And then they just get resold, you know.

 

Joe Carrigan: My -- I would agree, that's exactly what's going on here. My thinking on this is the person taking the pictures, it's going to be pretty evident who that was --

 

Dave Bittner: Mm-hmm.

 

Joe Carrigan: -- right; I mean, because everybody is going to be -- you're going to make the purchase to get the food because you're not going to just not take -- you know, not take the money for the food transaction.

 

Dave Bittner: Right.

 

Joe Carrigan: But so all these cards that have been stolen they're all going to be, "Oh, well, this person went to this restaurant in this location and all these cards were stolen between this time and this time, were used between these two times."

 

Dave Bittner: Yes.

 

Joe Carrigan: Go to the store and say, "Who was on duty at the cash register at the drive through at that point in time?"

 

Dave Bittner: Right; I suppose part of it is how long a delay there is between the card numbers being harvested and then if they do get sold, or auctioned off, or bundled together --

 

Joe Carrigan: Right.

 

Dave Bittner: -- if there's a delay of even a week, let's say --

 

Joe Carrigan: Yes.

 

Dave Bittner: -- it's going to be harder to track down.

 

Joe Carrigan: Right. That's a good point.

 

Dave Bittner: Yes.

 

Joe Carrigan: You know, if you wait a month -- but no cybercriminal is waiting a month, but if they did wait a month, that -- those records may no longer exist.

 

Dave Bittner: I was trying to think if I have -- if -- I have a vague recollection that some credit cards don't have any numbers on them anymore; like I want to say like if you get an Apple card -- and I -- we -- I -- my family has an Apple card but it is my wife's possession.

 

Joe Carrigan: [Laughter] She doesn't let you use it?

 

Dave Bittner: Something like that.

 

Joe Carrigan: Right. It's on your Apple Pay, right?

 

Dave Bittner: Exactly.

 

Joe Carrigan: Yes; so you don't even have to use it.

 

Dave Bittner: Right, right. Now I'm looking at -- yes, I don't know.

 

Joe Carrigan: We have had discussions before where people have said all the information is on one side.

 

Dave Bittner: So I just looked in my wallet, and I do have a credit card that it's that way.

 

Joe Carrigan: Right.

 

Dave Bittner: But the number is still on -- like the information is still there to be read.

 

Joe Carrigan: Yes.

 

Dave Bittner: What I'm wondering is -- and again, this is sort of a -- [inaudible 00:14:16] -- vague recollection -- yes, there -- is are there cards that have no information on them at all? And I would say like for me if I'm going through a drive through, nine times out of ten I'm using Apple Pay --

 

Joe Carrigan: Right.

 

Dave Bittner: -- you know, an electronic payment system.

 

Joe Carrigan: That is one of the two mitigations the police have suggested here is use a -- use some kind of electronic wallet like Apple Pay, or Google Pay, or whatever --

 

Dave Bittner: Right.

 

Joe Carrigan: -- Samsung Pay, although --

 

Dave Bittner: Even if you use a credit card that has a chip on it, like the -- you know, the proximity chip --

 

Joe Carrigan: Right.

 

Dave Bittner: -- that way you don't have to hand it over to the person that's -- like a lot of times you go through a drive through and they will lean out the window with the little card scanner --

 

Joe Carrigan: Yes.

 

Dave Bittner: -- right, and you just tap it and off you go.

 

Joe Carrigan: Yes. That happens every time we go to Starbucks --

 

Dave Bittner: Yes.

 

Joe Carrigan: -- to get our eight dollar cup of coffee.

 

Dave Bittner: Now, it has always struck me as a strange thing, particularly in restaurants when it comes time to pay here in the United States -- I know it's different overseas, but you know, you give your credit card to someone and they go away for a while with it. [Laughs]

 

Joe Carrigan: Right. Yes.

 

Dave Bittner: Right, and --

 

Joe Carrigan: Yes, and you're like, "That's fine.

 

Dave Bittner: Yes.

 

Joe Carrigan: That's the way it always just worked."

 

Dave Bittner: Yes; and I -- most of the time it works out, but it's just always struck me as kind of an odd thing.

 

Joe Carrigan: There was one time where a group of -- you know, my wife and a group of our friends went up to a restaurant in Baltimore, and all of us who used a credit card had our credit cards stolen from that restaurant.

 

Dave Bittner: Oh, wow.

 

Joe Carrigan: Every single one of us.

 

Dave Bittner: Hmm.

 

Joe Carrigan: The people that paid in cash walked off scot-free.

 

Dave Bittner: Hmm.

 

Joe Carrigan: And that's the other recommendation, pay in cash.

 

Dave Bittner: Pay in cash, yes.

 

Joe Carrigan: Yes, which I don't know how good of a recommendation that is anymore. Nobody has cash. I don't walk around with cash. Do you walk around with cash?

 

Dave Bittner: Well, if I did, I wouldn't say it out loud.

 

Joe Carrigan: Right; yes. I mean --

 

Dave Bittner: I generally -- I -- yes I generally have some cash. I'm old-school in that way and this is just something that my father ingrained in me as -- you know, from early days that you don't want to be walking around with no cash because you never know what's going to happen and, you know, having some cash could be the difference between getting a ride to where you need to go and not.

 

Joe Carrigan: Right; like having [inaudible 00:16:22], yes.

 

Dave Bittner: Yes. So just, you know, I'm kind of a boy scout when it comes to that, I'm always prepared. But it's not that I use it, you know?

 

Joe Carrigan: Yes; right.

 

Dave Bittner: Right, I mean, I have it, but -- yes, it's interesting. All right, well we will have a link to that story in the show notes. As we said, Maria is not with us this week because she is in Florida at the SpaceCom expo interviewing astronauts and seeing launches, and rockets, and all kinds of fun things. So we'll look forward to having her back. I tell you what, let's take a quick break to hear a message from our sponsor, and we'll be right back after this. All right, we are back. And my story this week comes from the folks at "The Register".

 

Joe Carrigan: Mm-hmm.

 

Dave Bittner: And this is about some folks taking advantage of a -- hmm, let's call it a behavior in Google's ecosystem. Let me start at the beginning here. So this is an attack that was brought to our attention by a gentleman named Zach Latta, who is the founder of an organization called Hack Club. So Zach is not --

 

Joe Carrigan: A neophyte?

 

Dave Bittner: He's not a neophyte. He knows his way around technology --

 

Joe Carrigan: Right.

 

Dave Bittner: -- okay?

 

Joe Carrigan: Yes.

 

Dave Bittner: So Zach's doing what Zach does, like I like to say, sitting around, minding his own business.

 

Joe Carrigan: Minding his own business, yes.

 

Dave Bittner: [Laughs] He gets a call, and it looks just like an official Google number; in this case, 650-203-0000.

 

Joe Carrigan: I have never seen a number that's all zeros at the end.

 

Dave Bittner: Yes, it's common from Google. The caller ID says, "Google." And the person on the other end, who is a woman who introduces herself as Chloe, she has an American accent. And she says to him that Google security team has detected a suspicious login attempt from Frankfurt, Germany. She says he needs to reset his password immediately to protect his account. Now, at this point, most people would probably get nervous.

 

Joe Carrigan: Right.

 

Dave Bittner: Right, I mean, it -- there is a lot about this call that sounds legit. The phone number is Google's phone number.

 

Joe Carrigan: Right.

 

Dave Bittner: We're not talking about broken English here --

 

Joe Carrigan: Mm-hmm.

 

Dave Bittner: -- professional sounding person.

 

Joe Carrigan: Right.

 

Dave Bittner: Zach, however, is cautious. He asks Chloe to send him an email from an official Google domain. And she does. The email comes from a real Google address, workspace-noreply@google.com.

 

Joe Carrigan: Hmm.

 

Dave Bittner: So Zach is still skeptical and he asks if she -- if he can call her back. And she doesn't skip a beat, she says, "Sure." And because she's so confident, that makes the whole thing sound even more legit, so Zach doesn't actually call her back, okay? But this is where things start to unravel. Chloe hands the call over to her manager, someone who calls himself Solomon.

 

Joe Carrigan: Mm-hmm.

 

Dave Bittner: He also sounds American. But the things he's saying aren't perfectly matching up with the things that Chloe said. But here's the weird part, Solomon is able to provide a real, legitimate two-factor authentication code to Zach.

 

Joe Carrigan: Hmm.

 

Dave Bittner: And for most -- you know, this article points out for most people that would be proof that the call is genuine.

 

Joe Carrigan: Right.

 

Dave Bittner: So something still feels off and Zach is still suspicious. Solomon starts pushing Zach to press some stuff on his phone, some buttons on his phone -- So it's --

 

Joe Carrigan: To verify.

 

Dave Bittner: I'm confused. How is this two-factor code delivered? Is it a text message?

 

Joe Carrigan: I think -- that is unclear to me as well, and it's not as clear as I wish it were in the article. Okay.

 

Dave Bittner: My guess is that Solomon was able to read the code over the phone. That's what I'm envisioning, but I could be wrong.

 

Joe Carrigan: Okay.

 

Dave Bittner: But I'm not sure. Now, had Zach entered the information that Solomon was pushing him to enter in his phone, the scammers could have taken control of his Google account completely.

 

Joe Carrigan: Right.

 

Dave Bittner: So how did they pull it off? Turns out this is a trick with Google's g.co domain; so G dot C-O --

 

Joe Carrigan: Mm-hmm.

 

Dave Bittner: -- okay? This is an official Google-owned web address, but anybody can create a Google Workspace account under it. So what the scammers did was they set up a fake Workspace account, then they used Google's system to send the password reset email, one that looks real, because technically it's real.

 

Joe Carrigan: Right.

 

Dave Bittner: So they sent the Workspace -- they set up the Workspace account in Zach's name, right? Really.

 

Joe Carrigan: Yes. And when they send the password reset, that goes to Zach. But they're already on the phone with Zach, right, so they're asking Zach for the information. So the bottom line here is Zach didn't fall for it, but just barely -- Right.

 

Dave Bittner: -- okay? Zach did reach out to Google. Google investigated. They shut down the scammer's account, and they say that they've made their defenses stronger on the g.co domain in the Google Workspace product to make this more secure and to try to prevent this kind of abuse. This article points out that this had happened to someone else last year using Google Forms, and again, they were using the emails that could be generated through Google Forms. I think we talked about this last year.

 

Joe Carrigan: I think we did, yes. Yes.

 

Dave Bittner: And they make everything look real. And in this -- in that case, the bad guys stole half a million bucks in cryptocurrency.

 

Joe Carrigan: Wow.

 

Dave Bittner: Yes. So the bottom line here is they want to remind people that -- they're -- no tech company, Google, Apple, Microsoft, will ever call you out of the blue and ask you to reset your password.

 

Joe Carrigan: Right.

 

Dave Bittner: Doesn't happen.

 

Joe Carrigan: It does not.

 

Dave Bittner: If you get a call like this, hang up immediately.

 

Joe Carrigan: Right. And none of these companies are ever going to call you, and you'll be lucky to get them on the phone if --

 

Dave Bittner: If you need them.

 

Joe Carrigan: If you need them.

 

Dave Bittner: [Laughs] That's for sure.

 

Joe Carrigan: Just try it with Google one time. You might get somebody with Apple and Microsoft. I've talked to people when I called Microsoft.

 

Dave Bittner: Yes.

 

Joe Carrigan: But those are for services I was paying for, like for the Microsoft 365 that I have Home and Office or whatever it is --

 

Dave Bittner: Yes.

 

Joe Carrigan: -- Home and Student, which is actually, I think, a pretty good deal --

 

Dave Bittner: Yes.

 

Joe Carrigan: -- for a plan. I've called into that, but outside of that, I have never been successful in getting a hold with like Google --

 

Dave Bittner: Right.

 

Joe Carrigan: -- or Facebook, or anybody else.

 

Dave Bittner: Yes; yes. So just, you know, stay skeptical.

 

Joe Carrigan: Yes.

 

Dave Bittner: Never take action based on an unexpected phone call or email --

 

Joe Carrigan: Mm-hmm.

 

Dave Bittner: -- and hopefully you'll be able to stay ahead of them.

 

Joe Carrigan: I wonder what would have happened if he had called them back.

 

Dave Bittner: Well, that's another place where it could have -- he could have short-circuited the chain.

 

Joe Carrigan: Yes, you could've broken it down there.

 

Dave Bittner: Right. But Chloe was so convincing and she agreed to him calling -- when he said, "How about I call you back," he -- she was so quick to agree that it made him confident enough to not call back. Had he done that, it would have -- the game -- the jig would have been up.

 

Joe Carrigan: Oh, okay.

 

Dave Bittner: Right.

 

Joe Carrigan: So -- oh so he didn't terminate the call there.

 

Dave Bittner: No. No. He was -- in other words, in asking -- she called his bluff, right? [Laughs]

 

Joe Carrigan: Right, right. Okay, that's interesting.

 

Dave Bittner: Right.

 

Joe Carrigan: Okay, so yes, so that is very interesting because I was under the impression that -- well how did they keep talking? But -- so she said, "Yes, you can call me back, sure.

 

Dave Bittner: Yes.

 

Joe Carrigan: Call me on this number --

 

Dave Bittner: Yes.

 

Joe Carrigan: -- or look it up," and that's -- you know, they're spoofing the number --

 

Dave Bittner: Right.

 

Joe Carrigan: -- so -- fantastic. I mean, that's -- I don't know, I think -- I don't know what I -- this may have gotten me.

 

Dave Bittner: Yes?

 

Joe Carrigan: Yes.

 

Dave Bittner: Another thing they point out here is if you're using passkeys that that probably would have been more effective than multifactor authentication. So if you have the option of using passkeys with some of your --

 

Joe Carrigan: Right.

 

Dave Bittner: -- important accounts who were -- basically whatever your email is --

 

Joe Carrigan: Yes.

 

Dave Bittner: -- if you can use a passkey for that, that's actually --

 

Joe Carrigan: Right.

 

Dave Bittner: -- for a variety of reasons in general --

 

Joe Carrigan: Better.

 

Dave Bittner: Better than multifactor authentication. There are all these exceptions. We reserve the right to be wrong. But --

 

Joe Carrigan: Correct.

 

Dave Bittner: -- overall --

 

Joe Carrigan: However --

 

Dave Bittner: -- it's a good thing.

 

Joe Carrigan: -- don't think of your email as just something that you don't really care about. It is the keys to the kingdom.

 

Dave Bittner: Yes.

 

Joe Carrigan: That's where all your password reset things go.

 

Dave Bittner: That's right. That's right. All right, so once again, we will have a link to that story in the show notes. Joe, it is time to move on to our Catch of the Day. [ Music ]

 

Joe Carrigan: Dave, our Catch of the Day comes from Reddit, from -- on the r/Scams subreddit.

 

Dave Bittner: Yes.

 

Joe Carrigan: And it's from a user called "Termite King".

 

Dave Bittner: [Laughs] This is "Thermite; Thermite".

 

Joe Carrigan: Oh, "Thermite King". Oh, I was -- misread that.

 

Dave Bittner: "Thermite" and "Termites" are very different things. [Laughs]

 

Joe Carrigan: Very different things. Now --

 

Dave Bittner: Although both have destructive capabilities.

 

Joe Carrigan: Yes, that's correct. I don't want to hang out with Termite King, but I do want to hang out with Thermite King.

 

Dave Bittner: Right, right. Right, yes, but he's an interesting guy to talk to at cocktail parties.

 

Joe Carrigan: Yes. [Laughter] I wonder if it's anything like talking to Dale Gribble.

 

Dave Bittner: Welding railroad ties together with Thermite, yes.

 

Joe Carrigan: Welding railroad ties. We'll say that's what he does --

 

Dave Bittner: Okay.

 

Joe Carrigan: -- he works for CSX and he welds railroads.

 

Dave Bittner: Yes.

 

Joe Carrigan: Okay, so his post reads, "I happen to be selling my Apple Watch Ultra 2 on Facebook Marketplace for 600 bucks. I received a message asking to buy. They seemed legit about a post they've made over the past few years, so not a new user account. So I said, 'Yes, I only take Zelle.' I was sent the $600 and received a confirmation email from Zelle stating that my account was not a business user. It stated I need the buyer to send me an additional $200 to achieve the status of 'business user'."

 

Dave Bittner: Mm-hmm.

 

Joe Carrigan: So Dave, why don't you go ahead and read the text message that Thermite King --

 

Dave Bittner: Mm-hmm.

 

Joe Carrigan: -- received?

 

Dave Bittner: It says, "Receiving this extra $200 payment from buyer, Julia Elizabeth, is a wonderful financial boost for you.

 

Joe Carrigan: Ha.

 

Dave Bittner: This transaction has automatically updated your Zelle limit, enabling you to receive payments from business profiles, which will allow you to confidently conduct more business transactions and accept payments smoothly through Zelle. Additional payment options have been used to automatically update this account to receive payment from a business subscriber. We have temporarily secured the Zelle account owned by Julia Elizabeth due to security concerns transactions until all payments are confirmed in your balance to ensure financial safety.

 

Joe Carrigan: They're looking out for you, Dave.

 

Dave Bittner: Follow the helpful steps below. Our suggestion is for you to promptly compensate the buyer with an amount of $200, utilizing alternative modes of payment such as Apple Pay, Chime, PayPal, or a gift card, or any other suitable method of transaction." Okay. [Laughs]

 

Joe Carrigan: Okay. And then they want you to -- I guess they're going to tell you that you're going to get them -- they're going to give you the money back, or are they --

 

Dave Bittner: Well, so I think what we've got here is your overpayment scam.

 

Joe Carrigan: Right, standard overpayment scam; that's exactly what this reads like.

 

Dave Bittner: Right.

 

Joe Carrigan: So they've already -- they have allegedly sent the $200. I don't know, this doesn't look like it came from Zelle at all. So if you check your Zelle account, do you see a transaction for $200?

 

Dave Bittner: So let me back up even before that --

 

Joe Carrigan: Okay.

 

Dave Bittner: -- because I think what this claims -- I think this claims that the $600 has been sent, right?

 

Joe Carrigan: Right.

 

Dave Bittner: So like although it probably has not been.

 

Joe Carrigan: Right.

 

Dave Bittner: But they're trying to convince you that, "Hey, the $600 is in your account, but in order to access it, you have to upgrade your account to -- with this $200 payment --

 

Joe Carrigan: Right.

 

Dave Bittner: -- and good news, you've received the $200 from the other person --

 

Joe Carrigan: Right.

 

Dave Bittner: -- which updated your account, but of course, you want to send that $200 back --

 

Joe Carrigan: Yes.

 

Dave Bittner: -- because your account's been activated. You already got the $600 for the item, and we'll be all even here."

 

Joe Carrigan: Right.

 

Dave Bittner: But in reality, the only money that is changing hands is --

 

Joe Carrigan: Is the $200 you're going to send.

 

Dave Bittner: Exactly.

 

Joe Carrigan: Right.

 

Dave Bittner: Exactly.

 

Joe Carrigan: So and it's interesting that they say either obtain the Apple ID -- Apple Pay ID, Chime ID, or PayPal, or Zelle. So we've talked about this in the past -- oh, they also say purchasing a gift card --

 

Dave Bittner: Yes.

 

Joe Carrigan: Right?

 

Dave Bittner: Right. [Laughs]

 

Joe Carrigan: Yes.

 

Dave Bittner: Right.

 

Joe Carrigan: Should be a red flag.

 

Dave Bittner: Yes.

 

Joe Carrigan: But yes, if you do two different transactions on two different platforms, you're just giving money away on the other platform.

 

Dave Bittner: Yes, never go to a second location --

 

Joe Carrigan: That's right.

 

Dave Bittner: -- even if it's a financial one.

 

Joe Carrigan: Yes. And even if you do receive this $200 and it's a fake charge that gets charged back to you, the $200 you sent out will not be charged back from the other person, because that's a different transaction not related to the first transaction.

 

Dave Bittner: Right.

 

Joe Carrigan: So you're just out 200 bucks. There's --

 

Dave Bittner: Yes.

 

Joe Carrigan: -- nothing you can do here. And Zelle, not very helpful in these situations.

 

Dave Bittner: [Laughs] No. No, in fact, somebody in the Reddit thread pointed out like the whole point of Facebook Marketplace is to be -- I mean besides the -- I suppose we could be cynical and say the whole point of Facebook Marketplace is scams like this.

 

Joe Carrigan: Right.

 

Dave Bittner: [Laughs] But the legit reason why Facebook Marketplace is supposed to function as a local exchange is to meet people in person --

 

Joe Carrigan: Right.

 

Dave Bittner: -- and exchange cash --

 

Joe Carrigan: Yes.

 

Dave Bittner: -- right? So if you're not able to do that, can't -- you know, don't do it. Cash is king.

 

Joe Carrigan: Yes.

 

Dave Bittner: Meet at your local police station and --

 

Joe Carrigan: Yes.

 

Dave Bittner: -- do it that way. But otherwise, chances are you're going to get scammed, unfortunately; sadly.

 

Joe Carrigan: It's almost immediate --

 

Dave Bittner: Yes.

 

Joe Carrigan: -- how these things happen.

 

Dave Bittner: Yes. All right, well, that is our show. We would like to thank all of you for listening to "Hacking Humans". And of course we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tre Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Joe Carrigan: I'm Joe Carrigan.

 

Dave Bittner: Thanks for listening. [ Music ]