Hacking Humans 2.13.25
Ep 325 | 2.13.25

The “t” that tricked.

Transcript

Dave Bittner: Hello, everyone; and welcome to N2K CyberWire's Hacking Humans podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hi, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis. Maria.

Maria Varmazis: How are you, gentlemen?

Dave Bittner: Doing well, thank you. We've got some good stories to share this week. Also joining us later in the show is Nati Tal, head of Guardio Labs. We're discussing the growing danger of homograph attacks. And we will be right back after this message from our show sponsor. All right. We are back. And we have some follow-up here. I'll take this one, Joe.

Joe Carrigan: Okay.

Dave Bittner: This one's from a listener named Robert who writes in and says, Greetings from the Great White North, which I assume means Canada.

Joe Carrigan: Canadia.

Maria Varmazis: Hi, Canada. Hi, friends.

Dave Bittner: Robert writes in and says, I was listening to Joe's comments about credit cards and payments at drive-thrus and restaurants. All I have to say is, when will your country catch up to the rest of the world when it comes to things financial?

Maria Varmazis: Don't hold your breath.

Dave Bittner: Robert, Robert, I am so with you here. I am so with you. He says, How long did it take your country to adopt chips in credit and debit cards after the rest of the world adopted them? Absolutely true.

Joe Carrigan: It was a long time.

Maria Varmazis: Yeah.

Dave Bittner: He says, Every drive-thru I use, the machine comes out of the window on the end of a stick. If we tapped our debit or credit card for the payment, the attendant never gets to touch my card. In restaurants, at the end of the meal, the server asks, Do you need the machine?

Joe Carrigan: The machine.

Dave Bittner: The machine is brought to you at the table. Your card is never taken away. Yeah.

Joe Carrigan: I've seen this in a number of restaurants, actually, where they have -- they have these devices on the table that you -- of course, because it's America, why miss the opportunity to sell something? But you can also get -- you know, get this thing to play games for your kid --

Dave Bittner: Yeah.

Joe Carrigan: -- for like $1 for the meal --

Dave Bittner: Yeah.

Joe Carrigan: -- or whatever. But these things also -- also are the point-of-sale system for the restaurant.

Dave Bittner: Right. Well, and more and more I see the waiters and waitresses themselves --

Joe Carrigan: -- carrying the thing with them.

Dave Bittner: Yeah. Having the little terminal.

Maria Varmazis: Yeah. I've seen that a lot more, too. Yep.

Joe Carrigan: Right.

Dave Bittner: I think that's really growing in popularity.

Joe Carrigan: Yes.

Dave Bittner: I think customers like it. I think it makes everything faster.

Joe Carrigan: It does. I don't have to wait for the waiter to come back with my credit card, which is one of the longest waits in dining out.

Dave Bittner: But I think especially as folks, when -- like, when you want individual checks for your meal, that device can just go from one person to the other.

Joe Carrigan: Right.

Dave Bittner: You know, they don't -- yeah.

Maria Varmazis: Oh, yeah. That's true.

Dave Bittner: So it's a lot easier.

Maria Varmazis: Yes. Splitting the bill is a lot easier, which I know waiters hate -- sorry, servers. They hate it.

Dave Bittner: Yeah.

Maria Varmazis: Yeah. That makes it a lot easier. Yeah. Don't the stores have to buy that? Isn't that part of the reason this has taken so long is they have to front that investment?

Joe Carrigan: Yes. Actually, I'll tell you a big driver in the delay for chip and PIN or just using a chip is -- was gas stations. Gas stations had already spent huge amounts of money on infrastructure for pay at the pump but didn't have a chip in it, so they had to replace all that infrastructure with chip technology.

Maria Varmazis: Oh, geez.

Dave Bittner: Yeah.

Joe Carrigan: That's one of the big drivers behind the delay.

Dave Bittner: Yeah.

Maria Varmazis: And that's why they decided to put those ads there that blast at us every time we're at the gas station now. It's great.

Joe Carrigan: Here's a pro tip. On the left-hand -- right-hand side, second button down is mute.

Maria Varmazis: Oh, yeah. The worn out button is the one I use.

Dave Bittner: Right, right.

Maria Varmazis: That's how you know.

Dave Bittner: Robert had some other comments about -- I guess I had spoken about carrying cash, and Robert agreed. He says, I feel better knowing I have a backup plan. And there are times when I don't want my purchase tracked by our financial overlords, and I pay in cash so --

Joe Carrigan: I get it.

Dave Bittner: Yeah. Thank you, Robert, for writing in. We agree that, as usual, being Americans, we think we have it the best when we actually have it the worst. USA, USA. How's your healthcare up there in Canada? What's it like? All right. So that is our follow-up. Why don't we go into our stories here. Joe, you have the honors this week. You want to start things off.

Joe Carrigan: I do. And, yes. The first one I have comes out of Jackson, Tennessee. And these are two stories I have that are about the same thing, and we'll put links to both these stories in the show notes. But the headline of the first story is China's Xi hails Thailand's strong action against scam centers. And what is happening here is President Xi of China and the Thai Prime Minister, her name is -- I'm just going to say her last name -- Shinawatra. And I don't think I'm butchering that too badly. But Prime Minister Shinawatra has been working at resolving the problem of these scam centers that are happening along the Thailand-Myanmar border. What's happening, we've talked about this in the past where people are tricked into coming to Thailand or Myanmar. And, when they get there, they're told, Hey. Come in here. We have this great job for you. But once they get there, they're just essentially kidnapped and put to work as slave labor, making outbound calls to their home countries to try to scam their countrymen out of -- out of, you know, money.

Dave Bittner: Right.

Maria Varmazis: Yeah.

Joe Carrigan: It's a billion-dollar industry. Well, apparently the Prime Minister of Thailand has shut down a number of these places. And China is saying this is really great because China doesn't want the Chinese people getting scammed. But, as the pair met, 61 people rescued from scam centers in Myanmar were returned to Thailand, defense secretary -- one of their defense secretaries said, the Thailand defense secretary. About 34 of these people were Chinese. The rest of these people come from Indonesia, Ethiopia, and other countries in Africa. So they're -- it doesn't matter where you come from. They're probably just going to put you back scamming people in that country. So I would imagine that the Ethiopian people who were kidnapped and abducted and put to work here were probably calling back into Ethiopia, scamming Ethiopians because, when you do that, you have somebody who speaks the language, right.

Dave Bittner: Right.

Maria Varmazis: Yeah.

Joe Carrigan: They know the culture. They get it. So the other story comes from CNN from Kocha Olarn, Kocha Olarn. And the way -- one of the ways this is going down is that Thailand is cutting power to these -- these scam sites, these locations, these -- these buildings.

Dave Bittner: Right.

Joe Carrigan: So in power grids, there's no such thing as, like, a -- you know, a totally localized power grid, especially when you have smaller countries, smaller regions and things like that. So Thailand apparently controls the electric supply to where these centers are. And, as of Wednesday afternoon, at least one of the scam compounds was still operating. But it didn't look like the other ones were still -- still working because Thailand just shut the power off.

Dave Bittner: Right. They cut off their internet, too, I believe.

Joe Carrigan: Yeah. It's interesting.

Maria Varmazis: That's one way to do it. Yeah.

Joe Carrigan: Here's something that's interesting about these, about this article is that this article says that these scam factories, many of which are run by Chinese crime syndicates, have proliferated in Myanmar, which is actually in the state of a civil war right now. So it makes sense that you go to a country that has bigger things to worry about and start setting up organized crime operations there.

Dave Bittner: Yeah.

Joe Carrigan: Then -- but, you know, what my question about that is, what's China's influence there? Is there any -- anything they can do about these -- these Chinese crime syndicates, or are these Chinese crime syndicates more global operations? Probably more global operations just run by Chinese nationals, and there may not be much that China can do about it.

Dave Bittner: Yeah. Who knows what the internal status of things is, to what degree do folks look the other way or tolerate or, you know, who knows?

Maria Varmazis: Get a kickback.

Dave Bittner: Yeah. Get a kickback.

Joe Carrigan: Yeah. Get a kickback. That's 100% a real possibility.

Maria Varmazis: Yeah.

Dave Bittner: One of the -- we covered this on the CyberWire, and one of the statistics that caught my eye was that they were saying that there's -- they believe there's upwards of 100,000 people who've been abducted to run these scams.

Joe Carrigan: That's a lot of people.

Dave Bittner: Yeah. It's a lot of people. These are -- these are villages.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: These are villages full of people. And we had a story a couple -- maybe a year ago about a Vietnamese guy who managed to get out of one of these places and -- by swimming across a river --

Dave Bittner: Yeah.

Joe Carrigan: -- and then found somebody that was -- fortunate -- he was fortunate enough to find, like, a farmer or somebody that, you know --

Maria Varmazis: I remember that story. Yeah.

Joe Carrigan: -- lived nearby that he was able to communicate with.

Maria Varmazis: Yeah.

Joe Carrigan: And was able to get out of there and lead -- lead police back to the -- back to the location. And one of the other things that shocked us, again, as Americans about this was that the entire control over all these people was maintained with one gun and like 47 bullets or something like that, right? It wasn't a lot by -- well, by American standards.

Dave Bittner: Right.

Maria Varmazis: How many bullets do you need, I mean.

Dave Bittner: All of them.

Maria Varmazis: Yeah. I mean, I don't know. Every -- when we talk about these stories, I often wonder if there's a stronger word than scam that one could use because it just doesn't --

Joe Carrigan: Slavery.

Maria Varmazis: Yeah.

Joe Carrigan: This is slavery.

Maria Varmazis: It's slavery. Yeah. Exactly that because it's just -- a scam just makes it seem like it's, oh, you know, it's a -- you know, a con man doing a thing. But, yeah. It's slavery.

Joe Carrigan: Right.

Maria Varmazis: I mean --

Joe Carrigan: No. This is -- this is slavery. This is one of the most reprehensible things one person can do to another.

Maria Varmazis: Yeah.

Dave Bittner: All right. Well, I mean, on the one hand, it's good that we're seeing some movement here; and we've got international cooperation --

Joe Carrigan: Yeah. I think that's great.

Dave Bittner: -- and recognition to try to, you know, shut these things down. But when you hear -- when you compare the numbers that we're -- we have dozens of people being repatriated --

Joe Carrigan: Right.

Dave Bittner: -- versus 100,000 people --

Joe Carrigan: 100,000 people still missing.

Maria Varmazis: Yeah. There's a lot of work left to be done. But it's good to see that there's efforts there.

Dave Bittner: All right. We will have links to that story in the show notes. Maria, what do you have for us this week?

Maria Varmazis: Well, there's some interesting stories going around in the corporate sphere that have been popping up on LinkedIn that are AI-related that I just find, like, car-crash fascinating just knowing that this is happening. So there's this story that's been going viral in the last few days, that is viral on LinkedIn, so for whatever that's worth, by a gentleman named David, who is the CTO of a company called VidLock Security Lab. So their whole thing is they're basically a cybersecurity company thinking about cybersecurity in code all the time. But, also, I looked at David's LinkedIn, and he's also a cybersecurity guy. Like, that's his background. So just keep in mind that this is a company that is very public about the fact that they're thinking about security all the time. So David was doing a technical interview with a candidate to work at his company. And like a lot of these technical interviews, we've talked about this in the past. This is a -- usually starts remote, a video conference, like a Google Meet chat. And David noticed pretty early on, I guess, in the call that the candidate he was talking to, his face and neck looked really weird. Like, the person was answering his questions, I suppose competently. But something was off. Like, his Spidey sense was going off. And, thankfully, he took a video of what was going on because this is one of those things where you really need to see the video because it really does speak for itself. But I'll do my best to convey. Essentially this -- this person he's talking to, the face looks like a normal, like, a European White -- guy's face, but there's, like, a chunk of his neck that looks like it's been taken out by the background of -- the wall behind him. So there's some weird video artifacting going on.

Joe Carrigan: Right.

Maria Varmazis: So that's a pretty good indication that something's not right here. But -- yeah. Go ahead.

Joe Carrigan: I could see this being dismissed as this guy just has a virtual background.

Maria Varmazis: Yes.

Joe Carrigan: And his head keeps popping in and out of that background.

Maria Varmazis: Yes.

Joe Carrigan: It kind of looks like that.

Maria Varmazis: It does, it does. And, like, that is definitely a real possibility, the plausible deniability of, like, you know, we've all seen these wonky virtual backgrounds. You know, I'm not always sitting on the bridge of the Starship Enterprise. I know it's hard to believe. But sometimes it betrays, you know, that I'm actually in my office.

Joe Carrigan: Is that your virtual background, Maria?

Maria Varmazis: I would like you to think that it is. Yes.

Joe Carrigan: Enterprise D?

Maria Varmazis: Of course, of course. So David wrote in this really nice and short post on LinkedIn, he's -- this happened to him just two days ago from the day of our recording. He wrote, Number one, the candidate, all of his answers were clearly from ChatGPT. He wrote, I could smell the GPT four-bullet-point style responses a mile away. And that point number two, he was clearly using software to change his appearance so not a virtual background. It was actually his face. And the way that he asked the guy to prove that he was who he appeared to be, he simply asked him, can you just wave your hand in front of your face for me. Like, just -- just move your hand, which would normally, if you're using some sort of video filter, that would disrupt the filter. And the guy repeatedly just wouldn't do it. Like, he -- looks like he's pretending to not understand the question. Or he waved the hand sort of to the side of his face but not in front of his face. And the thing that I love the most is -- well, I hate and love, really. David wrote that this was actually the second time in two months that he has encountered this exact situation while trying to hire somebody --

Dave Bittner: Wow.

Maria Varmazis: -- which is just nuts because, again, he's a cybersecurity guy hiring for a cybersecurity company. So you would think people trying to fool somebody with, you know, an AI video filter would maybe choose an easier target. But maybe people just become so emboldened, they're like, Yeah. I'm going to do it.

Joe Carrigan: Now, I heard a similar story about this about a year ago from somebody I know. They said they had an interview candidate on a Zoom meeting, and this person was -- whenever they asked a question, he was -- he would, oh, hold on. Let me think about that for a second. Hold on. And then he would just --

Maria Varmazis: Type, type, type, type, type.

Joe Carrigan: Right. He would just read the question off of -- off of the ChatGPT response. And it was obvious he was doing this.

Maria Varmazis: Yeah.

Joe Carrigan: So they -- and the funny thing was that the guy he was talking to was like, this was for an entry level position. He didn't need to answer these questions the way he did, the way ChatGPT did. He just needed to come close with an answer out of his own head and I would have hired him.

Maria Varmazis: Yeah. Well, there's the -- even before ChatGPT was a thing, there was the old version of keep your phone line open. And then your friends would sit on Google Docs and sort of type the answer in collaboratively. So if you could buy a few seconds of time, like, all your friends would -- I'm not saying I did this or knew anyone who did this.

Joe Carrigan: Right.

Maria Varmazis: But it used to be a thing. It's probably still a thing. But there -- there was one comment on David's post that had me thinking about this also. And they said that, essentially, you could have a whole group of people applying for these remote jobs using the same AI mask. And, essentially, you could all have these people pretending to be the same fake guy interchangeably. So this sort of stopped me in my tracks. Like, yes; I could see that being absolutely possible.

Dave Bittner: This reminds me in the '90s, I want to say the mid-'90s, there was a very forgettable film, sci fi/horror film --

Joe Carrigan: That's probably one of my favorites.

Dave Bittner: -- called The Puppet Masters.

Joe Carrigan: That was Kiefer Sutherland. And -- or no. Donald Sutherland.

Dave Bittner: Donald Sutherland.

Maria Varmazis: Donald Sutherland. There you go.

Dave Bittner: Yes.

Joe Carrigan: That -- it was a good movie.

Dave Bittner: Sure it was. Yeah.

Maria Varmazis: May he rest in peace.

Dave Bittner: And -- but one of the plot points was there were these aliens, and they would attach themselves to the humans. They were kind of like Stingray shaped.

Joe Carrigan: Right.

Dave Bittner: And they would attach themselves to the back of your shoulders and the back of your neck. They'd kind of -- into your spine from the back. So what I would -- this reminded me of there's a scene in the movie where there's like this general, you know, an Army general who's reporting in via video. And he's saying, you know, everything's good here. The aliens haven't, you know, they've been unsuccessful. And the people that he's talking to says, You know, General, we're going to have to ask you to turn around so that we can see your back, so we can see, you know, the back of your neck. And the signal cuts out because, of course, he's -- he's been taken, actually been taken by the aliens so.

Maria Varmazis: Yeah. Wave your hand in front of your face.

Dave Bittner: That's what this reminded me of.

Maria Varmazis: Yes. Exactly. Just wave that hand in front of the face. I'm sure you both have encountered the sort of Whack-a-Mole of identity verification measures that are going on for anything video nowadays, for financial reasons or HR. I mean, it just seems like, for these scammers, getting past the HR screen is a given now. And people are going all the way through to the interviews --

Dave Bittner: Right.

Maria Varmazis: -- if not beyond that. It's just -- it's wild. So I suppose everybody needs to have an on day, on-site day for an interviewee to just make sure that that person actually exists, right, because, yeah. Clearly it's getting too easy for people to fake it now.

Dave Bittner: Wow. This is fascinating. All right. Well, we will have a link to that story in the show notes. Before we get to our next story, let's take a quick break to hear a message from our sponsor. And we are back. Instead of a story this week, I have a special treat for all of us, actually. Joe joined me on a conversation that I had recently with Nati Tal. He is the head of Guardio Labs, which is a cybersecurity company. And they recently did some research about the growing danger of homograph attacks, which is a type of attack we've talked about here before. But they're seeing some escalations of this and some combinations with other attacks. So here's our conversation with Nati Tal. So today we are talking about some research that you all recently did, and this is kind of centering on this idea of homograph attacks. Can we start off with some high-level stuff here. Can you give us a little of the story of what brought this to your attention.

Nati Tal: Well, homograph attacks have been with us for four years already. And specifically, in the recent weeks, we've seen those attacks come back to us in a new, I don't know, a new theme or so using also the deception of homograph and different kinds of characters used in domain names to look like other domains but also abusing sponsored search results on Google all at the same time, which makes it quite powerful for the scammers, of course.

Dave Bittner: Well, for folks who aren't familiar with what a homograph attack actually is, can you describe that for us.

Nati Tal: Let's do that with an example.

Dave Bittner: Yeah.

Nati Tal: So, for example, and if you get an email or an SMS with a message from a service you usually use, like your email account or your bank or even some kind of government, let's say IRS or some kind of other division, you need to go to their site and do some important issues like, I don't know, check your bank account, do some tax reports. You're usually getting those messages in emails or SMSs; and you have a link inside of them. You click on the link, and you go to your account or to the website where you can do whatever you need to do. And, in most cases, of course, those emails and SMSs are legit; and you go to the right site. But, if you look carefully in the domain name itself, sometimes it looks like the site you're looking for. Let's say bankofamerica.com. It looks like Bank of America. But, if you look closely -- and sometimes you can't even notice with your eyes. You actually need to test this string in your computer. Some of the letters are not exactly those you are used to using. For example, the letter A can be typed in as the A in the American or US language. But it can also be a critical or some kind of other sign that looks like a but it's not exactly. And because domain names today are not only using English letters but they can use any kind of letter on all types of coding and languages and so on, those handles can sometimes use those switches moving from the regular A to something that looks like an A, register a new domain that looks almost exactly like the real one, and use this domain for scamming.

Dave Bittner: And how is this tying into using the Google Ad Services as well? Are they kind of doubling up on their techniques here?

Nati Tal: Yeah. Well, first of all, they're using the -- you know, you look at the domain; it looks legit. But if you also get this domain or link to this service by searching for it on Google, you double up on the reputation of this result. Because they are so used to just clicking on the address bar and typing in Bank of America, again, just an example, and you get the first result, which is probably Bank of America. Just click on it and move on with what you need to do with the bank. But, if you get the search result which is sponsored, meaning someone paid Google or any other company with this kind of service to get to the top of the list, and you're using a domain that looks like Bank of America, this is, like, flawless. You can fool everybody, including us with 20 years of security experience. It doesn't matter. If the first result is Bank of America and the domain is Bank of America for the human eye, it's flawless. You just click on it and get fooled all around.

Dave Bittner: Well, my cohost, Joe Carrigan, is here in the studio with me. And, Joe, this is something we talk about all the time.

Joe Carrigan: Frequently.

Dave Bittner: But it seems as though they have taken this to perfection here.

Joe Carrigan: Right. Like, if you -- well, I mean, I just did some experimental Googling around, if you will, and looked -- looked up something that eventually I'm going to need the service for. And when my Google results come back, the very first one, two, three results are for -- are sponsored, which means somebody's paid to have this put in. Then there is a businesses -- businesses section. And then, beyond that, there is what looks like regular search results. And then all the way down the bottom, again, there's another one, two, three sponsored results, which means that this page has, like, six sponsored results, which is six opportunities for a malicious actor to purchase one of these ads and put it into my search results using a domain with one of these homographs in it that -- that you really can't tell is a -- is essentially a bogus link.

Dave Bittner: So, Nati, what's to be done here? I mean, this is a case where you literally can't believe your eyes, right?

Nati Tal: Exactly. And, again, there are many ways to fool us. And it starts with domains that look alike or subdomains, you know, like a subdomain like amazon.com.fake.com, again.

Dave Bittner: Right.

Nati Tal: And those kinds of sites are so easy to create. And -- and, in some cases, they are even using link shorteners like Bitly or even abusing link shorteners of reputable services like Twitter, X; or LinkedIn. So you don't even see the actual domain. You just see a short link, which is quite common, also, for, you know, for benign services. And you click on it, and you get to a spam page. So homographics or any kinds of domain manipulations are so common, and you just can't escape those. And, again, when you search for something mostly -- and, again, it's like -- it's like a simple tip, just don't click on sponsored results because, again, the -- if there is a sponsored result, it means someone wanted it to be there. Again, not all are scammers, of course. And if you look for some kind of service, you will probably get a sponsored result which is relevant for you. But make sure you are familiar with this website and you know what to -- what you're going to get when you will click on that link. So, if you can dismiss sponsored results, just do that, first of all. And, second of all, there is no escaping from that. You really need some kind of -- of a security layer that is beyond your eyes or even sometimes your common knowledge or instinct because -- and I'm -- and I'm saying that as a -- you know, a security expert with 20 years of -- of experience. It doesn't matter. I also get fooled by those kinds of scams if they are quite good. And, unfortunately, they are just getting better and better in their work. So you need some kind of an unbiased security layer in the form of any kind of an extension for your browser that checks everything that you are browsing to on your -- an application for your phone. Everywhere you use the internet, you need some kind of extra protection.

Dave Bittner: I wonder --

Nati Tal: This is what we do here at Guardio, after all.

Dave Bittner: Yeah. Are there any browser plugins that specifically look for these alternate characters that could, you know, pop up and say, Hey, someone's using a non-English look-alike for some letters in this URL. Are you sure you want to go here? Has anyone to your knowledge created such a thing?

Nati Tal: So I'm a bit biased, but this is exactly what we are doing here at Guardio.

Dave Bittner: Well, how convenient.

Nati Tal: So, again, Guardio is exactly, again, not only looking for specific abuses of domain names but also looking at the content of the web page and how you, you and all the millions of other users, got to this page and realizing which of those pages is really legit, which is trying to scam you, SMS messages, messages, emails even, instant messages you get from unknown numbers. The scammers will just use any kind, any form of communication to reach you and sometimes even just grab on your own intent, like with Google search. You're searching for something. Let's say, you know, the latest buzzword is DeepSeek, right? Everybody's talking about it and looking for it and trying this new service. And scammers are also realizing that, okay. DeepSeek is a good keyword to grab on, on sponsored results or create domains that look like DeepSeek. And every time there is a new buzz, scammers are on it immediately.

Joe Carrigan: Right away. So --

Nati Tal: And, again, you need to check the website itself. You need to check the -- how you get to this website. And -- and, again, you need some kind of protection, unbiased protection because the more creative those scammers get, using the latest technology like AI or generative AI, the harder and harder it will be to realize you're being scammed.

Joe Carrigan: I was thinking about a browser-integrated password manager. Dave and I have talked about this before. You might not be able to tell that you're not at bankofamerica.com. But you're -- if you have one of those browser-integrated password managers, it'll know, Hey, that's not the right site because this is -- because -- it's not encumbered by the actual graphic. It's looking at the -- at the -- that -- the binary text underneath, and that doesn't match. So it won't enter the passwords for your banking site into that site.

Nati Tal: Right.

Joe Carrigan: I don't -- but I don't know if that's, like, rock solid.

Nati Tal: Yeah.

Joe Carrigan: Better than nothing.

Nati Tal: Again, it's not bulletproof.

Joe Carrigan: Yeah.

Nati Tal: And, after all, we are talking about people.

Joe Carrigan: Right.

Nati Tal: And like your -- like your actual title says, Hacking Humans, this is exactly it because most of the tactics by scammers are trying to make you scared about something that is happening and -- and hurry up and enter the website and check that everything is okay. And because they are using these kinds of tactics, you sometimes won't even notice that your password manager, for example, is not auto-completing your password on this website.

Joe Carrigan: Right. And you might just force it.

Nati Tal: Exactly. And -- and because of all those tactics and because they are using that at scale, they are attacking -- instantly, millions of people with the same scenario, even if 1% of those millions of people will get fooled, just think about how much money. And it's so sad to be scammed like that, and so many people -- and they -- all they did was just send one SMS to a million accounts. Cost them nothing, and so much money gets lost in the scam.

Dave Bittner: Nati, would you say it's fair to say that you just simply should not click through any sponsored ads or content that come up on your browser anymore?

Nati Tal: Well, of course, if you can not do that, it would be better. But, again, if we say that, so are we sure that other links are okay? So maybe we want to click on them, as well, and so on. So it's a bit -- it's a bit problematic to say don't click anything. Just don't use the internet. You will be safe.

Dave Bittner: Right, right. Never leave your house.

Joe Carrigan: Right.

Nati Tal: Yeah. Exactly. We need some kind of certainty when we are using the internet. We need some kind of someone that is looking around our back and making sure everything is okay. And also, after all, if we put ourselves on the other side for a second, the entire economy of the internet is based on advertising at the end of it. You know, it's free because we are the product. And we can just say, okay. No more advertising. No more sponsored results. We just -- we will have no internet at the end of it. So we need to live with the -- with the risks. But we need to be more aware of those. And, again, using other -- other kinds of tools and security, there's -- there are many kinds, not only browser extensions, not only applications. There are many kinds of security layers that even the common people need today, not only, you know, companies and corporates that are using those amazing products, yeah, by cybersecurity companies all around the world. The common people need those kinds of security tactics as well.

Dave Bittner: Right. Yeah. Never think that you don't have something of value that someone wants. Well, Nati, thank you so much for taking the time for us. We appreciate you joining us and sharing your expertise.

Nati Tal: Thank you, thank you. It was nice talking. And, again, awareness. This is the most important part.

Dave Bittner: All right. Interesting stuff. And thank you to Nati Tal for joining us. He and his colleagues there at Guardio are doing some interesting things. And, Joe, thank you for joining me and helping me out with that interview.

Joe Carrigan: Well, I'm happy to do it, Dave.

Dave Bittner: Yeah. All right. Well, it is time to move on to our Catch of the Day. [ SOUNDBITE OF REELING IN FISHING LINE ]

Joe Carrigan: Dave, our Catch of the Day comes from Kenneth, who sent this in. It's very typical. It's a -- an invoicing scam. But it's got some interesting aspects for Kenneth uniquely that we're going to talk about later. The subject is, Unexpected payment attempt, with an order number. From, it says -- it said it's coming from Order Verification, sent using Zoho Books.

Dave Bittner: Hmm. Okay. It goes like this. We've noticed an unexpected payment attempt on your PayPal account. A charge of $699.99 or .00789 bitcoin from an unknown IP address in Texas. To safeguard your account, we have temporarily put this transaction on hold. What you need to know: This payment does not match your usual activity, and we need your confirmation. If you did not authorize this transaction, it is critical to take immediate action. Need assistance? Our Resolution Center is available 24/7. There's an 800 number.

Joe Carrigan: That's actually, Dave, not an 800 number.

Maria Varmazis: No. No, it is not.

Joe Carrigan: Which we'll get to in a minute.

Dave Bittner: Okay. All right. And then it lists some details about the actual transaction. Says your next steps with, again, that phone number to call. It says, If you did recognize this purchase, no further action is required. The transaction will be processed as usual. And then it says, Stay secure. We will never ask you for your password, PIN, or financial details via email. Always double check unexpected messages before taking action. Important. This is an automated notification. Replies are not monitored. If anything feels off, contact us right away. Protecting you is our priority. Best regards, PayPal Security Team.

Joe Carrigan: This is not the PayPal Security Team. Protecting you is not their priority. Scamming you --

Maria Varmazis: Spoiler alert. Yes.

Dave Bittner: Okay.

Joe Carrigan: If you call these guys, they're going to do all that software stuff that they install a bunch of stuff on your computer, and you're going to -- they're going to take all your money.

Dave Bittner: Yeah.

Joe Carrigan: That's what's going to happen.

Dave Bittner: Yeah.

Joe Carrigan: Typical scam. But what's interesting is Kenneth, he wrote, I think this was interesting. I'm currently in Hawaii, and they used a Hawaii area code for the number to call.

Dave Bittner: Huh.

Joe Carrigan: Which is why -- that's the 808 number. I was like, 808. Where is that? Hawaii. And then I read the email from Kenneth. Oh. This is interesting. It leads -- he says, It leads to the bigger question, how are they learning this, or is it random? I don't think it's random. I don't think it's random. Kenneth says he actively -- actively interferes with tracking, but he knows it still occurs. There must be some tie between these attackers and data brokers, even though I use a data broker deletion service. He says he didn't look at the -- at the PDF. I think Kenneth is onto something here. I think there is something going on behind the scenes. I don't know if they're just buying data from a data broker to make their phishing attempts better, and they're using the legitimate -- they're posing as legitimate customers to buy from data brokers. Here's the question, though. The bigger question is what part of data brokering is legitimate?

Dave Bittner: There's so much data brokering.

Joe Carrigan: Right.

Dave Bittner: I mean, it's absurd how much they're -- even if you opt out of everything --

Joe Carrigan: Right.

Dave Bittner: -- they are still tracking you.

Joe Carrigan: Tracking all kinds of stuff.

Dave Bittner: Yeah.

Joe Carrigan: But it's not PII, Dave. It just uniquely identifies you and ties you to your habits.

Dave Bittner: Right.

Maria Varmazis: It's what keeps marketing departments working around the world, sadly. They love that stuff. Yeah.

Joe Carrigan: I think he's onto something. Maybe they're buying the data. Maybe somebody -- somebody has breached a data broker, and they're just exfiltrating the data. I don't think it's like a data broker being nefarious here. I don't think that's the case.

Dave Bittner: Yeah.

Joe Carrigan: I think they're just using a data broker for their -- for their intended purposes but just misusing them.

Dave Bittner: The other thing that strikes me about this, as you were saying, because I said, here's an 800 number. And you corrected me and said, it's not an 800 number.

Joe Carrigan: Right.

Dave Bittner: But, like, in 8 -- the whole existence of 800 numbers is obsolete, right?

Maria Varmazis: Oh, yeah.

Dave Bittner: I mean, there's no such thing as long distance anymore.

Joe Carrigan: Right.

Dave Bittner: So you don't need to have a toll-free number. That's a relic from land lines.

Joe Carrigan: Yes.

Dave Bittner: I would hazard to say a lot of younger kids probably don't even know how an 800 number works. Maybe they've heard of it, but they've never used one.

Joe Carrigan: Yeah.

Maria Varmazis: I think, for those of us who remember it, it sort of is the unofficial this is a business phone number, but --

Joe Carrigan: Right.

Dave Bittner: Right.

Maria Varmazis: -- I have -- I've been seeing them going away across the board anyway. I'm getting a lot of phone messages that are, you know, to a direct area code. I don't almost ever see an 800 or 866 or anything like that anymore.

Joe Carrigan: Yeah.

Dave Bittner: Yeah.

Joe Carrigan: I don't see it either.

Dave Bittner: No, I don't. I don't, either. I just did -- I'd never thought to think about it, but I guess that's just something that's fading away into the mists of time.

Joe Carrigan: Like so much of our childhood.

Dave Bittner: That's right. That's right.

Joe Carrigan: One final note here from Kenneth. Thanks for the informative and entertaining show every week. Keep Maria. I find her better than most of the interviews.

Dave Bittner: Well, there you go, Maria.

Maria Varmazis: Thanks.

Dave Bittner: You come back next week.

Maria Varmazis: All right. Since he says so. Thanks, Kenneth. I'll stick around.

Dave Bittner: Because it was really on the edge there. But Kenneth put us over the time. So you can come back. You come back this week. Why don't we make a new rule. Every week, if someone writes in and says to keep Maria, then she can come back the next week. Otherwise, eh.

Maria Varmazis: Eh.

Dave Bittner: What do you think about that?

Joe Carrigan: Otherwise, Maria will probably still be on the show next week.

Dave Bittner: Yeah. Count on it.

Joe Carrigan: Last week I was sitting here. I know -- I knew Maria was going to be -- oh, how was the space conference, Maria? I wanted to ask you about that.

Maria Varmazis: It was great. Very, very, very rewarding and exhausting. But, Dave, you know. Doing these events, it's tiring.

Joe Carrigan: Dave and I have a question. Are astronauts cooler than we are?

Maria Varmazis: Yes.

Joe Carrigan: That was my -- that was my guess last week.

Dave Bittner: Yeah, yeah.

Maria Varmazis: Yes. They're even cooler than you can possibly imagine.

Dave Bittner: Yeah. I just think, like, the advantage Maria now has at cocktail parties because she can just say, Well, you know, last week, I was chatting with an astronaut.

Maria Varmazis: Yeah, yeah. I have a running count of the number that I've met and interviewed. And it's, like, well over a dozen now. It's like, yeah. Are you kidding me! It's great.

Dave Bittner: That's very cool.

Joe Carrigan: You ever met Mike Collins?

Maria Varmazis: I have not, no. Would -- yeah. Is he still alive?

Joe Carrigan: Apollo 11.

Maria Varmazis: Yeah. Is he still alive?

Joe Carrigan: I think so. I don't know.

Dave Bittner: I thought Buzz was the last one.

Joe Carrigan: No. Buzz passed away.

Maria Varmazis: No. Buzz is very much alive.

Joe Carrigan: Oh, no. I'm sorry.

Dave Bittner: Saw Buzz on a TV commercial last week, so.

Joe Carrigan: I'm thinking of Neil Armstrong. Neil Armstrong passed away.

Dave Bittner: Yeah. Neil's gone. But Buzz is still around.

Maria Varmazis: Yeah. I was going to say Michael Collins --

Dave Bittner: As cantankerous as ever.

Joe Carrigan: Yeah.

Maria Varmazis: Yeah. He's in his 90s now. I met Charlie Duke, though.

Joe Carrigan: -- somebody in the face who said that he didn't land on the moon.

Dave Bittner: Yes, he did. Yes.

Joe Carrigan: My hero.

Dave Bittner: Yeah. My response was, if you're going to come at somebody who landed on the moon, you know, count on the fact that that person is more of a badass than you are.

Joe Carrigan: Right.

Maria Varmazis: And that is a fact.

Dave Bittner: Right.

Maria Varmazis: That is a fact.

Dave Bittner: All right. We are sidetracked here, so I'm going to get us back on track. Thank everybody for listening. That is Hacking Humans brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tré Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

Joe Carrigan: I'm Joe Carrigan.

Maria Varmazis: And I'm Maria Varmazis.

Dave Bittner: Thanks for listening.