
The band is finally back together.
[ Music ]
Dave Bittner: Hello, everyone, and welcome to N2K Cyberwire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey there, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: And our N2K colleague and host of the "T-Minus Space Daily" podcast, Maria Varmazis. Maria.
Maria Varmazis: Hi, Dave, and hi, Joe.
Dave Bittner: We've got some great stories to share this week, but before we get to that, we have got a lot of follow-up. Actually, before we get to that, I feel like today we finally got the band back together.
Joe Carrigan: Right. Yeah, I mean --
Maria Varmazis: I know. Here we are.
Joe Carrigan: It's been a while since --
Dave Bittner: Yes.
Joe Carrigan: -- we've all been here.
Dave Bittner: Right. Maria was out, and then I was out, and Joe has been the stalwart regular.
Joe Carrigan: Yes, for once.
Dave Bittner: The glue holding --
Maria Varmazis: Thanks for holding it all together, Joe.
Dave Bittner: That's right.
Maria Varmazis: We owe you.
Dave Bittner: That's right. Yes. So, we've got lots of follow-up this week. Let's -- why don't we -- I'll tell you what, why don't each -- there's three things here, so why don't each of us take one. Joe, you want to take this first one?
Joe Carrigan: Sure, I'll take the first one. It says, "Hi, Dave, Joe, and Maria. I love your show. You are part of my weekend routine. I listen to "Hacking Humans" while I clean my fish tanks."
Dave Bittner: Oh, I used to have fish tanks.
Joe Carrigan: Me too.
Dave Bittner: Yes.
Joe Carrigan: I had a fish that lived like 15 years.
Dave Bittner: Wow.
Joe Carrigan: One African cichlid.
Dave Bittner: Okay. Yes, I had some Oscars for a while. They were -- they were friendly.
Joe Carrigan: There we go, right down the rabbit hole.
Maria Varmazis: I was going to say chickens? Fish? Okay. I guess we're doing this.
Dave Bittner: Oh, we'll get to chickens. Trust me.
Joe Carrigan: "This is a follow-up from your story on May 1st with the IC3 impersonations." I think that was a story I did.
Maria Varmazis: I think so, yes.
Joe Carrigan: "In that story, you noted that the IC3 stated that they would never contact someone by phone, e-mail, public forum, etcetera. And Joe wondered aloud how they would contact someone if -- if they needed to. I've actually had that happen and I have the answer. While the IC3 will not contact you directly, they will pass the information to the local FBI field office and an agent there will do the communication. As a CIO at a school, I once received an e-mail from just such an FBI agent. I initially thought it was a scam, like all other e-mails from the FBI." Go figure. That would be my first reaction too, "Oh, the FBI doesn't want to talk to me." "However, it was professional and well-written and seemed legitimate. I am in Central New Jersey and the agent said that it was -- that he was from the Newark Field Office. I searched for that office and called the main number, which did match the number that -- that I was given in the e-mail," which is what you should do, right? Look it up in a trusted source. That's a -- that's a good idea. "And asked for the agent, and it turned out that the e-mail was real. He wouldn't give me any details, but he wanted to let us know about a vulnerability potentially applicable to us that the FBI had discovered during an investigation. The whole thing was very intriguing and very helpful." Okay, this seems to me like they are aware of somebody doing something and they're watching some network traffic where they're seeing this whatever organization he's a CIO of, of whatever this school is, they're getting hit with something.
Dave Bittner: Right.
Joe Carrigan: So, he's letting them know that that's -- that's what's going on. But he can't give any details, probably because it's an ongoing investigation. "Anyway, I just wanted to pass along that information. That's actually how they make the contact. I learned not every e-mail claiming to be from the FBI is necessarily fake." I guess that's true.
Dave Bittner: Yes.
Joe Carrigan: "Thank you and keep up the good work," and that's from John.
Dave Bittner: All right, terrific. Well, thanks, John, for sending that in. Our next bit of follow-up will be read by Maria. Go for it.
Maria Varmazis: Okay. "Hey, Dave, Joe, and Maria, I have a question about class action lawsuits. How can we verify these are legit when they appear in our mailbox or inbox? I hate to pass up free money due to corporate misconduct," also same, "but my skeptical mind has a tough time filling out these legal forms and sending them off to some random place. How can I verify that I'm not sending my info to some scammer? The company being sued will not have the info posted on their website. When I look at the website they provide or search for it, I'm often taken to some specialized URL like Walmartclassactionlawsuit.officesofBittnerCarriganandVarmazis.com." Kudos to that, "which is exactly the sort of URL I'd create if I was going to start up a class action lawsuit scam. If you've already covered this, please direct me to the episode. From, Scott." I have -- I have the exact same question, actually. I get these in the mail all the time and I've been sort of hunting on these a lot of the times because I -- they give me the ick, but it is free money and I kind of want it.
Dave Bittner: Yes.
Maria Varmazis: So, what -- yeah, I don't know what the advice is here aside from -- yes?
Dave Bittner: Well, it's free money. It's never very much free money.
Joe Carrigan: Right. It's like five bucks, right?
Dave Bittner: Right. Right.
Maria Varmazis: Three cents.
Dave Bittner: Well, yes, but I understand what Scott's getting at here. So, I did a little digging, and there are some places online where you can -- you can check out the legitimacy of the class action lawsuits themselves, and I'll have a link to a couple of these. There's classaction.org, which is kind of a clearinghouse database of all the class action lawsuits. And then there's the National Association of Attorneys General.org.
Joe Carrigan: NAAG.org.
Dave Bittner: It's NAAG.org.
Maria Varmazis: NAAG?
Dave Bittner: Yes, how about that?
Maria Varmazis: Attorneys General, yes.
Dave Bittner: They need a --
Joe Carrigan: Two ways, yes.
Dave Bittner: -- they need a better marketing person.
Maria Varmazis: NAAG.
Dave Bittner: But they have a database of multi-state settlements, so, which I think the bigger class action suits are often that. But so, I mean, well, that's a starting point. I -- I think the point is a good one, that the URLs for these things are often very wacky and so I think the skepticism is well warranted.
Maria Varmazis: Yes. I sometimes -- sometimes I only get these by e-mail. Like they -- they don't arrive -- and when they arrive in the mail, I'm maybe slightly more inclined to think this might be legitimate, but maybe.
Dave Bittner: Right.
Maria Varmazis: But a lot of times, I just get an e-mail and I'm going, "Yes, I don't know."
Joe Carrigan: Right.
Dave Bittner: Yes, that's true. I mean, I -- I guess I would look around for coverage of that particular class action suit because I do see quite often in press releases and -- and so on, the links will be included there. And so, maybe that's a more, at least, if nothing more, it's a place to double-check the link --
Joe Carrigan: Right.
Dave Bittner: -- just to see if you're onto something. But --
Maria Varmazis: Fair enough. Yes.
Dave Bittner: -- yes. I mean, the skepticism is warranted, but on the other hand, that's how they get you because you're not going to go after your $10 because it might be a scam. And so, it's not worth going after the $10 and then the lawyers just get the $10.
Maria Varmazis: Oh, so we can't let the lawyers win is what we're hearing. Okay, got it.
Dave Bittner: No, I mean, not if we -- not if there's an alternative.
Joe Carrigan: Yes.
Maria Varmazis: True.
Dave Bittner: Everybody hates lawyers until you need one.
Joe Carrigan: Right.
Dave Bittner: Right?
Maria Varmazis: Fair. Fair enough.
Joe Carrigan: I actually don't hate lawyers anymore. We have had need for lawyers recently, and I've really come to respect a lot of these people.
Dave Bittner: Yes. Yes, absolutely.
Maria Varmazis: Real estate. Really, really like having lawyers for a lot of that. Yes.
Joe Carrigan: Yes.
Dave Bittner: No, no, absolutely. All right. Well, thank you, Scott, for sending that in. I will field our final bit of feedback this week. This is from Kenneth, who writes in and says, "Hi Maria, Joe and Dave. Is there an order in which I should greet you? Should I have included the chickens in the greeting?" Kenneth continues and says, "I was thinking all about the 'Your privacy is important, but not important enough for us to do basic cybersecurity hygiene instead of paying executives more' letters that I and family members have received, especially from healthcare companies. We froze all credit reports back at the Equifax breach, we've -- the free credit monitoring from various breaches." There's a lot more here, I'm going to condense kind of what Kenneth is getting at. Kenneth basically wants to know two things, two questions. "What is the market for private healthcare info for most citizens? In other words, who buys it and what do they do with it?" That's an excellent question. I actually looked it up and medical information is much more valuable than other information.
Joe Carrigan: It is.
Dave Bittner: So, for example, and these numbers are all -- always take it with a --
Joe Carrigan: They're notional, to say the best -- to say the least.
Dave Bittner: There you go. There you go. That's a great way to put it.
Maria Varmazis: That's a [inaudible 00:08:35] way of putting it.
Dave Bittner: Social security numbers sell for around $15. Credit card details sell for as little as $3, but medical information starts at around $60. And the reasoning for that is medical information has a long shelf-life. Your medical history does not change, where your credit card number can be canceled.
Maria Varmazis: That's a good point.
Dave Bittner: You know? Your --
Maria Varmazis: Oh man.
Dave Bittner: -- your credit can be locked down. Your -- your social security number is only worth so much. But for things like identity theft, also the -- the research I did pointed to medical fraud, and also, extortion are ways that folks can come at you with your medical information. They could impersonate being you or get fake medical services, but also, let's say you've had some condition that you don't want anyone else to know about, they can come at you for that. So, that makes the medical information a lot more valuable. Ken, the second question is, "What if any personal behavior should we change on receipt of one of these letters? In other words, other than meeting breach disclosure laws, what is the use of such a letter?" Well, I think Ken --
Maria Varmazis: Great question.
Dave Bittner: -- is exactly on the nose here.
Joe Carrigan: Right.
Dave Bittner: There is no other use for this letter other than breach disclosure.
Joe Carrigan: Right.
Maria Varmazis: What do I do with this letter?
Joe Carrigan: Well, you can use that letter and sign up for your next year's free identity monitoring services, which we all get now all the time for free.
Dave Bittner: Yes.
Maria Varmazis: Yes.
Dave Bittner: And you can put it in your file for the inevitable class action lawsuit that's coming.
Maria Varmazis: There you go.
Dave Bittner: Coming the following year. I mean, I think it's -- I think it's mostly a heads-up kind of thing. To me, those letters provide you a data point for if you suddenly saw targeted attempts at identity theft. In other words, let's say there was a breach at, you know, XYZ Clinic where you have a lot of medical information and suddenly you started getting information that said, "Hey, we really need you to log into your account at XYZ Clinic," or, you know, something related to that that seems more like more of a coincidence. Just be mindful of that. Do you guys have any other insights on either of these questions?
Joe Carrigan: I will tell you this, your doctor's office does not need your Social Security number. Don't give it to them because when they get breached, that'll be part of the breach. Your insurance company, you probably can't get away from doing that, but your doctor's office doesn't need it.
Dave Bittner: Maria, anything?
Maria Varmazis: My only reflection is honestly, it just all feels very inadequate. The question of what do I do with this information always comes up for me as well. And we touched on this a bit last week. There -- there isn't much and that just doesn't feel great. And there should be something else that we could do and there isn't. And there's -- there's no point that I'm trying to get to aside from, I don't like that.
Dave Bittner: No. I mean, I guess the big picture, write your -- your congresspeople, ask for more robust privacy laws and penalties for these sorts of things. Other than that, move to Europe.
Joe Carrigan: Yes.
Maria Varmazis: Yes, yes.
Dave Bittner: Enjoy the warm embrace of GDPR. All right. Thank you, Kenneth, for writing in. And of course, we would love to hear from you. If there's something you'd like us to share on the show, you can e-mail us. It's HackingHumans@n2k.com. [ Music ] All right, let's get to our stories here. Joe, you want to kick things off for us?
Joe Carrigan: Yes, I'm going to talk about two things. Last week, Dave, you missed it, but I talked about some influencer fakery that happens online with -- with weights. And when I talked about that in my office, my office mate, Michelle, who is a listener to the show, she enjoys the show.
Maria Varmazis: Hi, Michelle.
Joe Carrigan: She said, "You know what else they have? They have fake private jet sets."
Maria Varmazis: Oh, I've seen -- yes, I've seen these. Yes.
Joe Carrigan: You can -- whenever you see an influencer sitting on a private jet, they're not sitting on a private jet. They're on some set, maybe in LA, that's where they seem to be centered. But you can actually Google where around me there are some. You know, "Are there any of these around me?" There are. There are plenty of these. You have to go -- Maria, there's one in Boston. I found one in -- in Boston. So, you can take a picture for as little as $45 an hour, with a one-hour minimum. You can go into a -- into a set that looks just like a Learjet. There's even fake jets outside the window. So, or you can have it so that they have clouds outside of the window, so it looks like you're flying. You know, it's like those backdrops you roll down.
Maria Varmazis: I feel like recording an episode of "Hacking Humans" from there.
Joe Carrigan: Right.
Maria Varmazis: Next time, I'll record from there.
Dave Bittner: I saw one incident of this where someone made it appear as though they were on a jet plane going somewhere, and basically they had -- they had imitated the look of the jet window by using a toilet seat. Right? Because it's the same shape.
Joe Carrigan: Right.
Dave Bittner: And it's white plastic.
Joe Carrigan: Yes.
Dave Bittner: And so, by just showing the edge of it, you know, the curve of the edge of a toilet seat. And then beyond the toilet seat was a picture of the sky. It, you know, and they're kind of holding a drink up like, "Oh, here I am in first class on my way somewhere fancy."
Joe Carrigan: Right.
Dave Bittner: Yes. So.
Joe Carrigan: But they're just sitting next to a toilet seat.
Dave Bittner: Yes, exactly in their basement.
Joe Carrigan: Which I would say, the least fancy thing you can do.
Dave Bittner: Yes, that's true. That's true.
Maria Varmazis: Forced perspective is [inaudible 00:14:09].
Dave Bittner: Let's class up the joint. Bring me my toilet seat.
Joe Carrigan: Right.
Dave Bittner: Yes.
Joe Carrigan: So, I was -- I was amazed to see that. And again, that was something that didn't occur to me that -- that these people do. They just take fake pictures. And since seeing that, I've seen a picture of somebody, I think it was on Instagram or something. I was -- I don't know why I was there, but I was there. And -- and there's a picture of -- of a lovely young woman sitting on a -- on a plane. And I'm like, "It's probably fake. It's probably fake." And you can even get a picture of yourself walking into a plane on the -- at these sets. Some of them are actually like fuselages.
Dave Bittner: Okay.
Joe Carrigan: So, I mean, it's amazing. Don't believe anything you see from these influencers. They're -- they're up to no good.
Dave Bittner: All right.
Joe Carrigan: So, that's the first thing.
Dave Bittner: Yes.
Joe Carrigan: It's just more of my bemoaning the influencer mindset. The other one is I want to talk about -- this actually comes from a news organization, and I can't remember which one it is, KENS Five, K-E-N-S Five. And it's written by Jimmy Baker. The scammers followed the news cycle. And when they follow the news cycle, have you guys been getting any news? Like I watch the news in the morning when I get up and I'm drinking my coffee. The latest thing that I've seen multiple times is that the Real ID requirements are coming into -- into play now.
Dave Bittner: Yes.
Joe Carrigan: So, what this is, is you have to have an identification that meets Real ID requirements, which is a federal requirement, to be able to board a plane now.
Dave Bittner: Yes.
Joe Carrigan: And our IDs here in Maryland have actually been compliant for a while.
Dave Bittner: Okay, I was going to ask you. I have no idea if my ID meets Real ID requirements, so that's a relief.
Joe Carrigan: Right. Well, I'm going to tell you.
Maria Varmazis: I feel like for our non-US listeners, we should probably explain what this is because in a lot of countries they have a national ID --
Joe Carrigan: Right.
Maria Varmazis: -- but we don't have a standardized national ID in the US and every state's driver's license is different.
Joe Carrigan: It's different, correct.
Dave Bittner: Yes.
Maria Varmazis: So, this is sort of an attempt to streamline that with this -- with the standard called Real ID. But it's been a mess and they've delayed it many, many, many years because there's a lot of states just can't get there.
Dave Bittner: Oh, yes.
Joe Carrigan: Yes, I think they're done delaying it.
Maria Varmazis: Yes, I think --
Dave Bittner: Well, yes.
Maria Varmazis: -- but it's been like decade -- over a decade of delay or something.
Dave Bittner: We'll see.
Joe Carrigan: Right.
Maria Varmazis: Yes. Yes.
Joe Carrigan: We'll see.
Dave Bittner: We'll see how compliance goes. Yes.
Joe Carrigan: So, there is -- there is a form of national ID in the United States, it's a passport, and that's about it. But every country has a passport, and you don't need a passport. You know, nobody -- if you are pulled over by a police officer here, they will never ask you for a passport.
Maria Varmazis: Yes, but there's no like -- there's no thing that every single American citizen has that you can reliably say that everyone's got one, whereas a lot of countries, there is a national ID that everybody gets.
Joe Carrigan: Yes, right. And for -- for the -- the Real ID, it's not -- it's more of a standard. Like, your -- your state driver's license or ID card must have the following features, like a hologram, it's got to have two pictures of the person, and it's got to be -- have some anti-counterfeiting things. Well, the scammers know. The scammers know that this is a news story that's making the rounds. So, guess what they're doing? Capitalizing on it.
Maria Varmazis: Of course.
Dave Bittner: Okay.
Joe Carrigan: How -- how odd.
Maria Varmazis: This liturgical calendar now adds the Real ID in there?
Joe Carrigan: Right? Well, I would say this is not something that would go on the liturgical calendar because this is like a once in a -- once in a lifetime kind of event, right? This is not something happens cyclically, not every year. But it is a news event that they're -- that they're actually going to -- they're going to follow. And it starts with some kind of phishing e-mail where scammers use fake emails, text messages, or even contacting you on social media, which I would be shocked to see the Maryland Motor Vehicle Administration try to reach out to me on social media. And they say, "Hey, we are trying to catch up with you. You need to get your ID -- make it become a -- a real ID." and then they're going to send me to some web page that actually is -- looks legitimate, but of course is fake and then it's just the regular scamming from there on out. This is really we're just talking about the hook here.
Dave Bittner: Yes.
Joe Carrigan: There are ways you can check to see if your -- if your ID is Real ID compliant. So, Dave, there's actually a tool if you look -- if you follow any of the links that anybody links to. Our -- our amazing Maryland government has changed this webpage, so you can't -- none of those older links work anymore. You actually have to go to the Maryland Motor Vehicle Administration's webpage and search for Real ID. And you can enter your driver's license number and it will tell you if you have a Real ID. And I do. I do have a Real ID.
Dave Bittner: ID? All right. Well, that's good.
Joe Carrigan: All right. Good and ready to go. I don't know about Massachusetts, Maria. I'm sorry, I didn't check.
Maria Varmazis: Yes. No, I -- I was going to say our -- our state IDs, our driver's licenses were not Real ID compatible. So, in the last X number of years, I can't really remember, there's been this huge push, at least where I live, to get people to go back to the RMV, bring a whole bunch of documentation with you so you can get a new license that is now Real ID compliant. And there are so many stories of people showing up with their documentation and they find out that it's not the real thing or -- or it's not the right stuff and they have to wait hours and have to keep going back. It's partially part of the reason why I think this thing has been delayed, and especially if you're in a state where your driver's license is like a piece of paper that's been laminated.
Dave Bittner: Right.
Maria Varmazis: Trying to get from that to like a card is a whole thing. Yes?
Joe Carrigan: I'm trying to understand this. Are you saying that your motor vehicle administration is not an -- the epitome of government efficiency? That it's not -- it's not a -- it's not a pleasant place to spend that afternoon?
Maria Varmazis: No. And -- and the lines are extra-long now because everyone's trying to rush and get these things done.
Joe Carrigan: They're clamoring to get their real ID.
Maria Varmazis: But in -- in fairness, I want to actually be fair to the people. I don't think I've ever said this in my life. How people are also not really understanding what's required of them, so they're showing up with the wrong stuff or not enough stuff. I mean, I -- when I had to get mine done, I want to say five years ago, I -- I follow the rules. I got it done pretty efficiently, but there are a lot of people around me who just showed up with their license and said, "Give me a Real ID," and they -- they just didn't read anything. They didn't understand. So, you know, there's -- you know, there's plenty of blame to go around, but it's -- it's been a mess.
Joe Carrigan: So, now that I have my Real ID, do I need another like social security card and tax return and something that says, "Yes, he lives there," or -- or do I have the Real ID and that's sufficient? Can I get a new license with that? That's a good question.
Dave Bittner: You need a Realer ID.
Joe Carrigan: A Realer ID.
Dave Bittner: Really Real ID.
Maria Varmazis: And then there's the Realest, the Pokémon evolution of your driver's license, yes.
Joe Carrigan: So again, here we are. Remember, scammers watch the news. If you see something pop up like this, and just because you saw the news, that that actually should be a reason to give you pause and go, "Well, wait a minute. Let me think about this for a second. I need to -- I need to actually go to the state organization that does this and look up how -- whether or not I have a Real ID." There are no fines to pay. If you don't have a Real, there's no financial penalty for not having a Real ID. So --
Maria Varmazis: But you won't be able to board a plane, though.
Dave Bittner: Right. That's what I'm waiting for is when --
Maria Varmazis: Yes.
Dave Bittner: -- when it comes into effect, how strict are they going to be? And because, you know, as soon as people start getting turned away from airplanes, all hell's going to break loose.
Joe Carrigan: Right.
Maria Varmazis: Yes. Yes.
Dave Bittner: Because people are already wound up enough at the airport of trying to get through security and all that good stuff that --
Joe Carrigan: This seems like looked at an airport and said, "How can I make that worse?"
Dave Bittner: Right.
Maria Varmazis: Yes.
Dave Bittner: Exactly.
Maria Varmazis: A family of eight on their way to Disney for that long-awaited vacation only to be turned away because they had the wrong ID. I can hear the headlines now. It's just coming. You just know it.
Joe Carrigan: It's going to be a mess.
Maria Varmazis: Yes.
Dave Bittner: Yes. I have a story, but we're running long --
Joe Carrigan: Okay.
Dave Bittner: -- so I'm not going to share it.
Joe Carrigan: I also had something I was going to say, but I'll shut up, too.
Dave Bittner: All right. All right. Tell you what, let's move on to Maria's story. What do you got for us this week, Maria?
Maria Varmazis: All right. I'll try to move through mine pretty quickly. May 8th is apparently Scam Survivor Day, which I just wanted to highlight first, because I did not know that. I've been getting emails from the US National Cybersecurity Alliance about this. They have a really interesting push about fighting fraud shame, which is a really great phrase. And a great term that I think our -- our listeners would be really interested in maybe incorporating into their world. And they have a blog post that we'll link to that I -- I thought was very useful about helping people with fraud shame. So, people who've been victims of fraud. We talk about this a lot on the show, how to mitigate -- like not making them feel ashamed because again, it's not their fault what's happened. So, there's -- there are a couple really nice tips in there, but there's one that I just wanted to read because I just thought the -- the verbiage was great. "If you are the victim of cybercrime, report it. It doesn't matter if you feel ashamed about it, you are a victim and you deserve help. Losing money and data is not the price of admission for the Internet."
Joe Carrigan: Right.
Maria Varmazis: I just -- I thought that was such a great frame.
Joe Carrigan: That's a great way to put it.
Maria Varmazis: Yes, just going to tattoo that on my forehead. It's not the price of admission for the Internet. If this happens to you, it's not your fault. And -- and definitely report it. So yes, just thought that was awesome. So, we'll definitely link that blog post for people. So, a story for us to discuss. This one came from actually Joe Wilkins at Futurism, but also via Joe Carrigan at "Hacking Humans" who said this to me. So, thanks, both Joes. And this was a highlight of the book that came out last month called "Careless People" by Sarah Wynn-Williams. Have you all heard about this book? It's been in a few news cycles because it -- she's a former Facebooker.
Dave Bittner: Oh, yes, yes. This is the -- this is the -- the woman who worked at Facebook, right?
Maria Varmazis: Yes.
Dave Bittner: So, sort of an expose?
Maria Varmazis: Yes, yet another one of those, "I worked there when I didn't realize it was as evil as it was, and I saw some nasty stuff behind the scenes, and I'm going to tell you everything now that I'm very clear of the shrapnel." So, that's --
Dave Bittner: Okay, right, right.
Maria Varmazis: -- I'm a little cynical about these kinds of books because it's like, "Oh, really?" But she was at Facebook from 2011 to 2017. At some point in her career there, she was their public policy director, and this book, like many of these tell-alls about Facebook, has a lot of confirmation of what has either been known or suspected for some time. And by the way, I just re-upped my Facebook account that has been dormant for five years. So, the timing on this was just horrible because I'm going, "Oh, I'm back again. God."
Joe Carrigan: You reopened it?
Maria Varmazis: I had to because of my kids' school stuff. There's literally no other way for me to find out what the heck's going on. Like, and you can't even get past that -- that wall now that says you have to have an account. So, I'm just like, "Okay, I can't even read it anymore." So, I had to re-up my old account and they -- they drew me back in. So, as for the -- the revelations from Wynn-Williams, some of these go beyond even what I had suspected. And as you both know, I'm pretty cynical about this stuff. So, things like tracking user locations, likes and interests. That's child's play. We knew that. Monitoring mood based on interactions, posts and comments. Words used, par for the course. I think we all would assume. Looking for specific words, especially ones that indicate the person writing it is in significant emotional distress. Serving up ads to take advantage of that distress, exploiting human vulnerability, you know, hacking a human.
Joe Carrigan: Oh, my God.
Maria Varmazis: Yes, they do that too. The one that was really new to me that is getting some headlines is, according to Wynn-Williams, Facebook was also tracking when adolescent girl users, why are they on Facebook? Different question, but adolescent girl users deleted their own selfies and then served beauty ads to them, at that same moment. So just, I had to sort of let that one marinate a second. So, I'm just imagining they've uploaded a selfie and they've noticed that they've got like a double chin or lacking that certain glow that they're looking for. Here you go, please buy this very expensive face cream. It's just beyond icky. And again, we've -- we've covered allegations of stuff like this for many years. None of this is going to necessarily shock people of its kind, but I think the specificity is always just -- just makes me stop and go, "What the heck?" Some of these allegations were surfaced back in 2017 in a news report by The Australian, and then when that came out, Facebook actually released a counter-report saying, "We dispute those allegations, and they were misleading," and Wynn-Williams says when that came out, all the people who were fired as a result of that 2017 report were let go for basically doing exactly what they were employed to do, so they were the fall guys. And meanwhile, the company was still working on making the micro, micro-targeting that they had said that they were going to distance themselves from. They were going to make it available to the advertisers themselves and not just Facebook. So allegedly, according to the book, standard disclaimers here, but I just, yes, oh is right. Joe, when you sent me this, I was like, "I don't want to talk about this," but I -- I think we should.
Joe Carrigan: Yes, but I think you kind of have to.
Maria Varmazis: You kind of have to, but bleh. Yes.
Dave Bittner: I -- I wonder if, and this is not an original idea, but that, you know, if we put social media in the same category that we put pornography, you know, Playboy magazine, that one that -- you know, you got to be 18 to use it. You can't --
Joe Carrigan: Right.
Dave Bittner: -- you can't -- kids should -- shouldn't be using this stuff because it's demonstrably dangerous.
Joe Carrigan: Yes.
Dave Bittner: And all these bad things come out of it, and the companies are demonstrably despicable when it comes to targeting the children.
Joe Carrigan: Yes, they are.
Dave Bittner: So, let's keep them off of it.
Maria Varmazis: Don't trust them as far as you can throw them. I mean, just -- just keep them -- keep it really arm's length. Yes.
Dave Bittner: Yuck.
Maria Varmazis: It's just a -- thanks, Joe.
Joe Carrigan: Sorry, Maria.
Dave Bittner: This is your fault, Joe.
Joe Carrigan: It probably is.
Maria Varmazis: Yes, when I responded to you, I was like, "Gross. Ugh, but yes, I'll cover it."
Dave Bittner: Not too gross for me to use for my story this week.
Joe Carrigan: It's great content, Joe, thanks.
Dave Bittner: Right, right. All right, we will have a link to that in the Show Notes. I'll tell you what, before we get to our next story, let's take a quick break to hear a message from our show sponsor. [ Music ] And we are back. My story this week comes from the folks over at Cybersecurity News. And this is about fake social security statements. So, this is research from the folks over at Malwarebytes, a cybersecurity company. They have found a campaign that is targeting Americans via emails that seem to come from the Social Security Administration. And the messages tell people that their Social Security statement is ready to download.
Joe Carrigan: Which -- which by the way, I got one of these the other day and I thought to myself, "I got to take a look at that," because like every two years, if you have a Social Security Administration account, you get this e-mail.
Dave Bittner: Yes.
Joe Carrigan: This happens for real. Now, my plan is not to click on any links in the -- in the e-mail, but rather go to ssa.gov and log in with my account. I'm going to check my e-mail to see if I have it right now. Go ahead, Dave. I'm sorry. I didn't mean to interrupt.
Dave Bittner: Well, so the file -- so they're -- they're asking you to open a file. And of course, the file is not a statement. The emails look legit. They have all the appropriate Social Security Administration branding, the formatting, everything. But -- but under the hood, there is -- there are executable files. And these executable files install an app called ScreenConnect, which is a legit remote access tool.
Joe Carrigan: Oh, no.
Dave Bittner: But once installed, it gives attackers the keys to the kingdom, full control over your machine. This is linked to a group that the researchers have dubbed Molotari, which is named after the sketchy domains they use, like @molitari.icu and gomolitari.cyou. I don't know what the cyou domain is. I don't know where that leads to. Yes. And they're after the usual things, personal data, financial information, all that stuff. They are compromising WordPress sites to distribute the emails, which makes them look like they come from trusted sources, and they embed the e-mail text as images to try to get past e-mail filters. So, once the ScreenConnect software is up, they've got your machine. They're remotely controlling your machine, so they can run scripts, they can steal files, they can install more malware. And ScreenConnect is a real tool, so it can slip past your antivirus because there are situations where it's legit. So, the notion here is don't trust an e-mail just because it's got a federal logo. Do what Joe does, which is if you get one of these emails, go to Social Security Administration's website and just log in from there. Don't click on any links in any emails.
Joe Carrigan: Yes. You can also go to socialsecurity.gov. And actually, this e-mail actually looks legit. So --
Dave Bittner: The one you got?
Joe Carrigan: The one I got, yes. Looks like it's actual -- actually from the Social Security Administration. So, this is what bugs me about this. I mean -- I mean, I don't blame the Social Security Administration for this. I mean, these hackers just -- or these -- these hackers, they're phishers. They're not even hackers. These guys are just -- they're just capitalizing on other things. This might be part of the liturgical calendar.
Dave Bittner: Right, I don't know.
Maria Varmazis: I think that it might also be taking advantage of some fear in the news cycles about things that might be going on with Social Security and access to it being diminished or getting messed up because of stuff going on. So, I know there's -- there's been a lot of that in my family circles discussion about make sure you have backups of those statements in case data goes away. So, I -- I think they might be capitalizing on that, maybe.
Dave Bittner: Yes, a little extra anxiety there makes you curious. I was thinking too, like, you know, Joe and I are a little closer to this becoming a real thing, a real need and concern than you are, Maria. You know, we're a little closer to those years where keeping an eye on where you stand in terms of your social security, just for financial planning --
Joe Carrigan: Right, you need to know.
Dave Bittner: -- is a necessary thing, yes. Yes. What, you know, ten years from now or 15 or in Joe's case, next month.
Joe Carrigan: Right. More like 20, 3, I don't know. At what time do they just start sending me checks because they have to?
Dave Bittner: Right, right. Listen, sir. You can no longer put this off. You have to take this government money.
Joe Carrigan: Right, right.
Dave Bittner: Whether you like or not.
Maria Varmazis: And they do force you at a certain point.
Joe Carrigan: They do, and I think it's 72 years old now.
Dave Bittner: Oh, is that right?
Joe Carrigan: Yes.
Dave Bittner: I didn't know that.
Joe Carrigan: Yes, it's -- at a certain age, they make you get on Medicare and they make you take Social Security benefits. And they also make you withdraw from your -- your tax deferred retirement accounts, like your IRA or your 401K.
Dave Bittner: Okay, interesting.
Joe Carrigan: All that happens.
Dave Bittner: All right.
Joe Carrigan: And I think it happens around 72.
Dave Bittner: Okay. Well, very good.
Maria Varmazis: Tell us when you find out, Joe.
Dave Bittner: That's right.
Joe Carrigan: I'll let you know in at least another --
Dave Bittner: We'll -- so, we'll look forward to that on our next episode.
Joe Carrigan: No. I'm not that old, come on. I know my hair has all gone gray. I've still got a couple good decades in me, Dave.
Dave Bittner: Oh, Grandpa Joe. Grandpa -- only one of us on this show is a grandparent.
Joe Carrigan: Yes.
Dave Bittner: All right, let's move on.
Joe Carrigan: And I love my grandchildren. They're all beautiful.
Dave Bittner: Before Joe starts throwing things. All right, Joe, Maria, it is time to move on to our Catch of the Day. [ Music ]
Joe Carrigan: Dave, our catch of the day comes from a listener named Richard, and it is an e-mail that comes from the Chevrolet Motor Truck Company.
Dave Bittner: Richard -- in Richard's e-mail, Richard said like, "I've got pure gold for you guys." And Richard -- Richard was not overselling it.
Maria Varmazis: No.
Dave Bittner: Here it goes, it says, "Form Chevrolet Motor Truck Company. I'm Lena of Chevrolet Motor Truck and I am writing to inform you about your Chevrolet Motor Truck winning that brought by the United Embassy, which has been on our office for so long due to the pandemic virus, we could not deliver the Chevrolet truck in your funds worth on $30 billion USD. Now it has settled down slowly. The government of USA in the White House of Michigan, the Chevrolet Motor Truck have been mandated to be delivered to your address as soon as possible. Thanks, God bless you."
Maria Varmazis: And also, with you.
Joe Carrigan: Yes, that's right.
Maria Varmazis: Not a single piece of punctuation to be found.
Joe Carrigan: Right, yes.
Dave Bittner: No. It's one big run-along, run, run-on sentence.
Joe Carrigan: Can you fit $30 billion in a Chevrolet motor truck?
Dave Bittner: Ooh, that's a good question.
Joe Carrigan: I'd like to know, $30 billion. Your funds of 30 billion -- who's going believe, I'm -- I'm getting angry about this, but somebody is going to believe it. Thirty billion dollars, do you have any idea how much money that is?
Dave Bittner: It's a lot.
Joe Carrigan: It's a lot of money.
Maria Varmazis: I -- I would like to know. If somebody wants to give me some so I could find out, I would be very happy.
Dave Bittner: Right, if you want to take -- take the bullet and figure out if $30 billion will fit in the back of a Chevrolet truck. The thing is, if somebody gives you $30 billion, they can keep the truck because you can go and buy a truck for a small percentage of $30 billion. You, in fact, you could buy every Chevrolet truck coming on July.
Maria Varmazis: Possibly the entire company.
Dave Bittner: Right, right, right.
Maria Varmazis: Oh my, God.
Joe Carrigan: Let's see, $30 million in -- in $1 bills would weigh 66,000 pounds, so $30 billion in $100 bills would weigh 660,000 pounds --
Dave Bittner: Okay.
Joe Carrigan: -- in $100 bills.
Dave Bittner: That would exceed the carrying capacity of your average Chevrolet truck.
Joe Carrigan: Yes, you'd need a dump truck full of money is what you need. I don't even know if you can carry that much in a dump truck.
Dave Bittner: No, you'd need like a freight train.
Joe Carrigan: Yes, I mean, that's a lot of weight.
Dave Bittner: Yes, absolutely.
Maria Varmazis: Just need larger denominations.
Dave Bittner: This is very silly.
Maria Varmazis: Yes.
Joe Carrigan: Yes, well, I mean, $100 is the largest one they have, isn't it?
Dave Bittner: Yes, I think that's it. Yes, I don't think there are any regularly minted bills that are bigger than 100 anymore. There's the one Montgomery Burns had.
Joe Carrigan: Right. That's right. The $1 trillion bill.
Dave Bittner: Yes.
Joe Carrigan: Well, that's very nice. Can I see it?
Dave Bittner: Yes, yes. Again, this is very silly, but delightfully so. I -- I don't, I -- I -- I really am trying to reverse engineer how this came to be, this -- this word salad. Like, what was this run through that somebody -- that this was generated somewhere. It must have been through automation.
Maria Varmazis: Speech to text?
Dave Bittner: Obviously. Yes, not -- well, that's a good guess. I mean --
Maria Varmazis: Voice to text kind of thing, yes. Maybe voice to text in another language and then translated?
Joe Carrigan: Maybe.
Dave Bittner: Yes.
Maria Varmazis: But how do they misspell pandemic as pendamic. That's the only misspelled world -- word, and it's a very interesting typo.
Dave Bittner: Right.
Maria Varmazis: When I've gotten spam like this, it often is just the text with literally nothing else. So, there's no phone number, no e-mail, no attachment. Maybe Gmail, in my case, stripped it all out. But I love it when I get this and it's literally just this text, and I'm like, "Okay, thanks for a random message that I can do nothing with if I was going to fall for it. I'm not sure what I'm supposed to do." This did have an e-mail address to -- to follow up with, but I -- yes. I mean, talk about pre-filtering somebody who's ready to be hooked. I mean, that's the sad reality of this that there probably are. You must receive this $30 billion. It's been mandated.
Dave Bittner: Right, right. All right, well, Richard, you tell no lies. This was pure gold.
Joe Carrigan: It was great, thank you.
Dave Bittner: Thank you for sending it in. That's -- I think that's the most fun one we've had in a while. And of course, we would love to hear from you. If there's something you'd like us to include for our catch of the day, you can e-mail us. It's hackinghumans@n2k.com. [ Music ] And that is our show brought to you by N2K Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an e-mail to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Tre Hester. Peter Kilpe's our publisher. I'm Dave Bittner.
Joe Carrigan: I'm Joe Carrigan.
Maria Varmazis: And I'm Maria Varmazis.
Dave Bittner: Thanks for listening. [ Music ]