Hacking Humans 7.10.25
Ep 345 | 7.10.25

Convinced, compromised, and confirmed.

Transcript

[ Music ]

Dave Bittner: Hello everyone and welcome to N2K CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines, taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey there, Joe.

 

Joe Carrigan: Hi Dave.

 

Dave Bittner: And our N2K colleague and host of the "T-Minus Space Daily" podcast, Maria Varmazis. Maria.

 

Maria Varmazis: Hi, Dave, and hi, Joe.

 

Dave Bittner: We've got some good stories to share this week, so stay with us. So we have a ton of follow-up this week, and I guess I will take the honors and start off here. A listener wrote in with a very detailed account of a story about how their husband was the victim of a sextortion scam. And they wisely told their husband to stop engaging with the scammer. And for damage control, they posted on Facebook that they'd been hacked just in case the scammers acted on their threats of humiliation, you know, try to get in front of it, let everybody know this has happened. And I'm going to read from part of our listener's letter here. They write in, "Here's where things get interesting and here's the reason I feel like I need to share my particular story. Mere seconds after I posted my warning that I'd supposedly been gotten by a social engineering attack and was doing damage control, my post was absolutely mobbed by bots offering password recovery and account recovery services, legal aid, help obtaining financial clawbacks, etc. I was floored by how many there were, how instantly they showed up, and how much pressure they applied. You have to act fast. I can help you. Please message me immediately. Reporting it won't help. I would know, you have to talk to a specialist, but do it quickly because otherwise he might not be able to help you, and on and on and on. I reported as many as I could, but it was like playing whack-a-mole. What's more, they started liking each other's comments and started commenting on other unrelated recent posts of mine, which I can only assume was meant to disguise the fact that they were not my friends and I had never interacted with any of them before, so they could potentially get at uninvolved third parties who were dealing with something similar. I barely use Facebook at all these days. Sean was not aware of how out-of-control the bot problem had become. It was a pretty sharp wake-up call and I think it may be what prompts me to finally delete my Facebook account altogether. I was just trying to cover my own rear and I absolutely don't intend to provide an attack vector for scammers. I sincerely hope that no one sees any of these comments and falls for it, because I'd feel absolutely terrible if my attempt to damage control for one scam resulted in any of my friends or relatives getting hit by another. Love the show and really appreciate all you do for awareness on these issues."

 

Maria Varmazis: Wow.

 

Dave Bittner: The first thing that came to mind for me, I'd describe this as, like, digital piranha.

 

Joe Carrigan: That's a good analogy.

 

Maria Varmazis: It's the feeding frenzy, right? Yeah.

 

Dave Bittner: Right. Right. They smell blood in the water and they just attack.

 

Joe Carrigan: Right.

 

Dave Bittner: And, you know, in mere moments the entire horse carcass can be stripped of all of its flesh.

 

Maria Varmazis: Down to the bone. The trend these days [laughter].

 

Dave Bittner: So yes, I have seen this sort of thing, not to this degree, but I've seen the bots just jump into action. And I wonder how, I mean, how does it work? How are they monitoring feeds for this sort of thing? Are there Facebook APIs where they can just manage every, or monitor everything that's coming through the public feed? I don't know.

 

Joe Carrigan: My guess is that they have some kind of app that is web scraping or something, some kind of, you know, it's like an API, but maybe they're just using the web interface instead of some API. But they're probably monitoring, once they are starting this sextortion scam, they probably start monitoring all the families' feeds for stuff like this.

 

Maria Varmazis: Yep.

 

Joe Carrigan: Because it's probably the same organization doing this. That would be my guess.

 

Maria Varmazis: And they have --

 

Joe Carrigan: And of course they have --

 

Maria Varmazis: I was going to say public posts on Facebook are a notorious cesspool. Like, I think I mentioned this some months ago, I had to re-enable my old Facebook account, which is ancient. I don't post on it, and I noticed that if any time anyone I know uses or makes a post that's public, they always get these awful spam comments, kind of no matter what. So don't make public posts on Facebook, but of course if you're trying to get found, you can't get found. But, yeah, they get swarmed kind of no matter what you post if it's public, I've noticed.

 

Dave Bittner: Yeah, so I would say, you know, lock down your Facebook account so that any of your posting only goes to your friends. And that way it's harder for people to scrape them publicly like this. And in this case, all you want to contact are your friends.

 

Joe Carrigan: Right.

 

Dave Bittner: So that would help. The one time I saw this was I was looking for some tickets for a local theater group, like a community theater group, and I knew the event was sold out. And I posted to Facebook, I said, Hey, does anybody have any extra tickets for this event tonight? And somebody I didn't know replied and said, Yeah, I have a couple tickets, be happy to sell them to you. And I was like, Oh, great, how much? He was like, $500 each. I was like, What are you talking about?

 

Maria Varmazis: I'll take it, wait.

 

Joe Carrigan: To a local theater event?

 

Dave Bittner: It was like a, you know, it was like a $10, you know, sort of little community theater fundraiser thing. So, obviously this bot was standing by looking for someone looking for tickets, and would just jump in at any time opportunistically, and lie, and say, Oh sure, I've got tickets to that, and here they are, and hope for the best. So, yeah, it's just a cesspool. Well, thanks for sharing this. This is very interesting and again, I think probably a solution or at least a mitigation to this is to lock down your Facebook account so that it is not public. Of course, the ultimate mitigation is to get off Facebook altogether, but.

 

Joe Carrigan: Yes, wouldn't that be nice?

 

Maria Varmazis: It would be nice, and then some of us get drawn back in, even when we've been off of it for five years.

 

Joe Carrigan: I think Maria and Dave, both of you have tried to stop your Facebook accounts, and both of you are still on Facebook, if I recall correctly.

 

Dave Bittner: Yeah, I took about a four-year break.

 

Maria Varmazis: Yeah.

 

Dave Bittner: Yeah.

 

Joe Carrigan: Okay, I'm going to try to experiment, because I'm recording from home today. I actually have access to my Facebook account. At the beginning of this, right now I'm going to say, Here's a public post I'm making, actually have to set the post to public. I'm thinking about buying some tickets to a baseball game, unfortunately it's sold out. And I'm just going to post this and see what happens. And by the end of the show, we'll come back to it.

 

Maria Varmazis: I love this idea! Thanks for being the guinea pig. Because I'm not doing that. No thank you.

 

Joe Carrigan: I'll delete the post before the end.

 

Dave Bittner: Speaking of not doing that, our next letter [laughter].

 

Maria Varmazis: Don't do what I did.

 

Dave Bittner: Someone writes in and says, "I listened and smiled when Maria boldly clicks on suspected links to see where they go. I myself am curious --

 

Maria Varmazis: To boldly click on links no one should be clicking. Worst Star Trek spin-off ever.

 

Dave Bittner: "One thing I do is to use www.shouldiclick.org, which tells you if it's safe to click on a link. I paste the suspected link there and let their system and browser deal with any potential drama. They'll show you a screenshot and a few details they found and a recommendation on whether you should click the link or not." Yeah, I think that's great. I love these kind of things, what do they call it, pre-detonating the webpage.

 

Joe Carrigan: Right.

 

Maria Varmazis: Yeah.

 

Dave Bittner: It's like a webpage bomb squad, you know.

 

Maria Varmazis: The old school.

 

Joe Carrigan: Like in Monsters Incorporated?

 

Dave Bittner: Yeah, exactly. Exactly.

 

Maria Varmazis: Or the link expanders back when there was a lot of those link shortener spam, actually it's still a thing. But when you didn't know where that link shortener was going to take you, you would put it in the link expander and it would tell you, This actually redirects you to this terrible website, do not go there. Or you're going to get Rick Rolled, or whatever, you know.

 

Joe Carrigan: Rick Rolled, I used to have an app that would tell me when I was about to get Rick Rolled because my son is a notorious Rick Roller.

 

Maria Varmazis: I had an extension for a while that would just warn me if that link was actually a Rick Roll.

 

Joe Carrigan: Yeah, I had it too.

 

Dave Bittner: I just got Rick Rolled a lot.

 

Maria Varmazis: Enjoy the ride.

 

Dave Bittner: So that was from Chris, who had some nice things to say as well. And Maria, you dropped a note in here.

 

Maria Varmazis: I did. For reasons that are completely unrelated to me clicking links, my own internet's been really slow since I started.

 

Dave Bittner: Oh, sure. Totally unrelated.

 

Maria Varmazis: My husband wanted to make sure I mentioned that on the show. He was like, Our internet's been really slow [laughter].

 

Dave Bittner: I see. So he's, your loved ones are publicly shaming you now.

 

Maria Varmazis: I mean, honestly I --

 

Dave Bittner: How cavalier you are.

 

Maria Varmazis: I just mouse over. I don't actually click.

 

Dave Bittner: That's what they all say.

 

Maria Varmazis: You know what? I deserve it. I deserve it. It's fine. It's fine.

 

Dave Bittner: All right, Joe, you want to take this next one?

 

Joe Carrigan: I will. This one comes from George. He says, "Hi there, about a month ago, there were several weeks covering Joe's chicken dilemma." That's, we were talking about the episodes, right? We still talk about chickens from time to time.

 

Dave Bittner: Sure.

 

Joe Carrigan: The coop is done and we're putting the run in and they'll be going outside soon. "My wife received the attached magazine "Out of the Blue" with quotes around it. She does not have any current magazine subscriptions, so this was a surprise. She tried to contact the publisher who immediately tried to upsell her more magazine subscriptions. She was then informed per the publisher that the data broker who subscribed her to the magazine was subcom.com with a phone number, and he lists the phone number here. The website does not work, and the phone number goes to an automated out-of-the-office mode, which is great. If you want to cancel a subscription, that's what you want. You want, he immediately suspected this was an attempted scam, like what the FCC reported in the past, and he has a link to that, you know, how subscriptions, how to stop subscriptions you never ordered. And then the question was, or did Joe conjure up the chicken deities for the "Hacking Humans" listeners? Because the picture he sends is the cover of Elle Magazine from May of this year, and it has a picture of Addison Rae, you know who Addison Rae is?

 

Maria Varmazis: No.

 

Dave Bittner: Well, not until this moment.

 

Joe Carrigan: Not until now. She is a social media influencer and now she's moving into singing and acting.

 

Dave Bittner: Okay.

 

Joe Carrigan: But she is holding a chicken.

 

Dave Bittner: Let me tell you, that is one good looking chicken.

 

Maria Varmazis: Okay, what kind of chicken is that, Joe?

 

Joe Carrigan: I don't know. It's a black lace. It might be a Wyandotte. I think it might be a Wyandotte. I don't know.

 

Maria Varmazis: Okay.

 

Joe Carrigan: But it is, it is, it says, "Fox in the hen house." Ha ha.

 

Dave Bittner: I got it. I got it.

 

Joe Carrigan: Thank you for all the excellent and humorous podcasts. Oh, by the way, she did wind up, George's wife did wind up getting it canceled. Remember the old adage about things that show up in the mail. If you didn't order them and they show up, they're yours to keep.

 

Dave Bittner: Right.

 

Joe Carrigan: You can keep them.

 

Dave Bittner: Right.

 

Joe Carrigan: And if you didn't sign up for a subscription to a magazine, don't pay the bill. I didn't sign up for this.

 

Dave Bittner: Right. Right.

 

Joe Carrigan: Thanks for the free magazines.

 

Dave Bittner: Yeah, yeah. All right, we've got one more bit of follow-up here. This is a listener named John wrote in and said, "When you cited a poll recently about people's use of strong unique passwords, I wonder how much the respondents could explain what 'strong' and 'unique' mean for passwords.

 

Joe Carrigan: That's a good question.

 

Maria Varmazis: Great question.

 

Dave Bittner: "Tacking a few characters onto the end of a single word is neither strong nor unique, but I would imagine a sizable percentage of the population would disagree with this opinion." Joe, I imagine you're champing at the bit to respond to this.

 

Joe Carrigan: I think John raises a very good point here. And this is an excellent point. I don't know how you would test for this in a survey though aside from asking do you use strong and unique passwords for each website, and then maybe you could ask can you define what a strong and unique password looks like. You know, passwords are passé.

 

Dave Bittner: Yeah, that's a good one.

 

Joe Carrigan: Passwords are passé. It's time to move on to passkeys and multi-factor authentication with some kind of universal 2-factor. We have to do that because the password... Humans are just not good at passwords. We should just say that. We're not good at passwords.

 

Dave Bittner: Right. Right. My response to this is that, which is what, Joe, you always talk about, which is that you should not know any of your passwords.

 

Joe Carrigan: Yeah, that's a good point. Oh, yeah. That's what I should have said, Dave, is that people should know, people should use a password manager and let that thing derive a password for you. I don't know any of my passwords that I don't need to enter on a TV [laughter]. I do know those because --

 

Maria Varmazis: Yeah, they're annoying.

 

Joe Carrigan: -- I'm not entering a 25-character random password, but all of my financial institutions, 25-character random passwords at least. Some of them are even longer than that, you know? And then there's always multi-factor authentication on the accounts I care about. And, you know, you do the risk model. You do the risk model for each and every site that you visit. You know, if you're, if you're, what happens if someone gets access to your Disney Plus account? They put up a new profile, and then you have to delete the profile and sign yourself out of all the devices and change your password.

 

Maria Varmazis: They pay your bill for you.

 

Joe Carrigan: No, that never happens [laughter].

 

Maria Varmazis: Wouldn't it be lovely?

 

Joe Carrigan: It would be, yeah.

 

Maria Varmazis: It would be nice. Yeah, so I remember I had a coworker whose idea of a strong password was using Shift. So when her finger would go from 1 all the way across the number keys at the top, she's like, Oh, I need to do a different one? Shift.

 

Joe Carrigan: Right.

 

Dave Bittner: Right.

 

Maria Varmazis: I've now changed my password.

 

Dave Bittner: Right.

 

Maria Varmazis: Yeah, so we go from 102 to 102!. Yeah, exactly.

 

Joe Carrigan: That's called keyboard walking, and that is also bad because every single one of those keyboard walks is in the password databases.

 

Maria Varmazis: Oh yeah, there's no question. That's a very, very bad idea. It's so bad that even I won't do it [laughter].

 

Joe Carrigan: Right. That's pretty bad.

 

Dave Bittner: Wow. All right, well, thanks to everybody for writing in. We do appreciate it, and of course, we'd love to hear from you. You can write us at hackinghumans@n2k.com. [ Music ] All right, let's jump into our stories here. I'm going to start things off for us. This is a story from "The Record", which is a cybersecurity news site, and they are chronicling some China-linked hackers who are using fake websites impersonating major brands to steal people's payment data. And some of the brands include Apple, PayPal, Nordstrom, Hermes, is that the right way to say it? Hermes?

 

Joe Carrigan: Her-mees?

 

Maria Varmazis: You drop the H, Hermes.

 

Dave Bittner: Hermes, okay, got it. All right, and Michael Kors. So, you know, premium brands it would seem like, at least Nordstrom and Hermes are. And they're using thousands of these websites that mimic the real retailer design. So, in some ways they're lifting the real websites, duplicating them and all of the functionality is there up to and including putting in your payment information. They have some legitimate Google Pay widgets on them to get people to pay, to put in their payment information or to gather up the funds through Google Pay.

 

Joe Carrigan: Amazing.

 

Dave Bittner: But there's no product. So you go through and you think you're going to buy what you're going to buy, and you do not get your stuff, even though when you check out, it appears as a regular checkout, it appears, you know, everything looks on the up and up, but ultimately you will wait a little while and you'll wonder to yourself, Hey, where's my iPhone or where's the thing I ordered from Nordstrom? And they never come. And all they do is they get both the money that you put in and your payment information as well. So that's basically what they're harvesting. Again, they're sourcing this back to China. They're not sure how many victims or losses have resulted from this scam. They say many fraudulent sites were taken down, but thousands remain active. And I just wonder, like, how do you fight this? Because I'm imagining they're also using very convincing URLs.

 

Joe Carrigan: Yeah, they're probably using domain squatting, the kind of, well, that's not domain, it's impersonation. It's not buying a domain and sitting on it for a while. It's, they're actually buying domains that look similar, or lookalike domains, that's the term.

 

Dave Bittner: Right, right.

 

Joe Carrigan: They're looking for lookalike, or they're using lookalike domains, so like the Nordstrom may have the, maybe the Swedish O in one of the O's.

 

Dave Bittner: Right, right, they're using, what is it, the Unicode characters that look exactly the same, but --

 

Joe Carrigan: Yep.

 

Dave Bittner: -- are not exactly the same.

 

Joe Carrigan: Are not exactly the same, that's correct.

 

Maria Varmazis: Yeah, because these are not, you know, bootleg websites, right, where people kind of know that you're maybe taking a risk to buy something that's a little iffy, but maybe it could be worth it if it's, you know, a convincing fake. Some people are willing to take that risk. This is not that situation, right? Like, people completely believe these are legit.

 

Dave Bittner: Right, right.

 

Maria Varmazis: Yeah, that's, yeah.

 

Dave Bittner: But again, so how do you fight this? Because we can't trust search engines.

 

Joe Carrigan: No, you can't.

 

Maria Varmazis: No, not anymore.

 

Dave Bittner: I mean, some, I mean, I guess with major brands, you know that, you know, Apple.com, PayPal.com, Nordstrom, so if I manually type it in, don't take a link from a place like Facebook or any of the other social media places.

 

Joe Carrigan: The real question is, the real question here for me is how are they starting this chain of events? What's the first step? Are they buying fraudulent ads on Google? We've seen that. Are they using Facebook as, like you suggested Dave, and just putting ads on Facebook that are just straight up scam ads. Are they using some kind of search engine optimization that raises their site to the first page of results? That really matters in how you face this.

 

Maria Varmazis: Maybe for certain items that people are looking for, they're not necessarily going to, you know, Nordstrom.com, but they're looking for a high value item that Nordstrom would probably maybe sell, and then that's how they lure them in. I could see that being a possibility.

 

Joe Carrigan: Yeah, absolutely. I will tell you one of the things I think would be really helpful here, and that is if a company like Apple or PayPal or Nordstrom or Hermes, one of these companies found out that, like, Facebook or Google was leading their customers to different websites, fraudulent websites, and they just slap them with a huge lawsuit. They just keep slapping them with huge lawsuits until they do something about the problem that they have, which is these fake ads. I think that's the only way you get a company to pay attention, because they don't care as long as their shareholders are happy. Well, start angering their shareholders. Start scaring their shareholders. Start doing that, you know?

 

Dave Bittner: Yeah.

 

Joe Carrigan: That's what has to happen.

 

Dave Bittner: It's like a Godzilla versus Mothra movie, right? You get the two big giants duking it out --

 

Joe Carrigan: Right.

 

Dave Bittner: -- you know, with big lawsuits.

 

Joe Carrigan: Yeah, that's what you do.

 

Dave Bittner: Yeah. All right, well, we'll have a link to the story in the show notes. This is kind of a cautionary tale, just, you know, be extra vigilant when you are going to these sites. Because some of these are big purchases. You know, you're going to buy something like a laptop or an iPhone or, you know, whatever. Even an Hermes watch would probably be very expensive.

 

Maria Varmazis: Hermes, some of their bags are extraordinarily expensive, like tens of thousands of dollars. So yeah.

 

Joe Carrigan: Does it do a different job than a regular bag?

 

Maria Varmazis: No, it's all just bragging to other people that you can afford this expensive bag. It's a whole thing. Look up the Birkin bag and go down that rabbit hole and enjoy.

 

Joe Carrigan: The Birkin bag.

 

Maria Varmazis: Yeah, the Hermes Birkin bag, yes.

 

Dave Bittner: All right.

 

Maria Varmazis: B-I-R, not, not, okay, never mind. I'll tell you offline.

 

Dave Bittner: Okay. All right, let's move on here. Joe, what do you have for us?

 

Joe Carrigan: So I have a story from Ravie Lakshmanan from "The Hacker News". And this is a story that is based on some research done out of Trellix, which is the company that I think now owns the McAfee Virus Scanner and their ePO product, their ePolicy Orchestrator, which I actually used to do integrations on long ago. But it's just interesting to see where these companies go, and that one has a really interesting history. Anyway, they're quoting Trellix researcher Srini Seethapathi, and they're talking about this phishing scam that, you know, Dave, you had a story a couple weeks ago about a phishing scam that was like a resume-based phishing scam, where they would send you to a website. This has a lot of similarities. The targets are completely different. In Dave's story, they were targeting HR people. Here, they're spear phishing CFOs from, and other financial executives at banks, energy companies, insurers, investment firms. And these, they're located across the world, around the world. So what they're doing is they're impersonating a company called Rothschild and Company. You ever heard of the Rothschilds? Rothschild.

 

Maria Varmazis: Rothschild.

 

Joe Carrigan: Yes, Rothschild. Yes, you can never get their name right. That's a big financial services firm, very big. And if you were a CFO or a financial executive, they send this to you and go, Hey, we're looking to recruit people. So it's kind of like the opposite way of, Hey, I'm looking for a job. It's, Hey, we're looking for somebody.

 

Dave Bittner: Oh.

 

Joe Carrigan: So if you open up the email that they send you, it's an infected zip file that contains a JavaScript that downloads a second file that's a Visual Basic script. I'm getting too in the weeds here, but that download happens automatically. Then immediately after that, that file opens up and downloads, does four things or two things. First, it downloads two things. I don't know how many. A lot of things. First, it downloads two Microsoft Installer files, right? One of them is for NetBird, which is a remote access tool, like a help desk access tool. And we all see, we've heard about a lot of these kind of bad guy implementations of this, but these tools have real uses.

 

Maria Varmazis: Yeah, of course.

 

Joe Carrigan: The other thing it does is it downloads OpenSSH, which is a server so they can access your computer remotely without using the interface that you're using, like your desktop. Then it creates a local admin account that's kind of hidden and it enables remote desktop protocol. That's everything that the third file does. So it's, you open the file, that downloads a second file, which then downloads a third file and does all this malicious stuff. Okay, so it is a very complicated attack, a pretty advanced attack. And Seethapathi says that, this is a quote from Srini Seethapathi, "The attack isn't your typical phishing scam, it's well-crafted, targeted, subtle, and designed to slip past technology and people. It's a multi-stage attack where the adversaries use social engineering and defense evasion techniques to create and maintain a persistent access to the victim system." Oh, there's one thing in here that I totally forgot to mention. One of the other similarities between the attack that you were talking about a couple weeks ago and this one is this one is also using a CAPTCHA service. And they say it's using the CAPTCHA service to avoid things like Cloudflare flagging it as a phishing landing page. So if you put that CAPTCHA service on the front of that, then these other tools that, you know, take a look at it, use AI to say, Hey, this is trying to look just like Microsoft's page and it's a login page. But that automatic system can't get past the CAPTCHA, so it doesn't flag it as a phishing page. But you, the human, are very good at getting by CAPTCHAs. So you do, and then you wind up at the phishing page. So a lot of similarities to this and the other attack. These things are getting really, really advanced, these phishing attacks. They're getting really advanced and really hard. Once you've clicked on that, once you click on that JavaScript, it's pretty much game over. These installs happen so quickly.

 

Maria Varmazis: In milliseconds, right?

 

Joe Carrigan: Yeah. It's, you know, all that stuff I described in that long, drawn-out explanation happens almost immediately. And then you're hosed. That person has access to the backend. If you are a CFO of a large financial institution, that's a lot of damage that somebody could do.

 

Dave Bittner: Well, the other thing that strikes me about this is the social engineering component of it, which is you're getting interest and offer from a very high-profile elite organization.

 

Joe Carrigan: Absolutely.

 

Dave Bittner: So there's a component of flattery here --

 

Joe Carrigan: Yes.

 

Dave Bittner: -- that, you know, this elite organization is interested in you and so not only are you being flattered, it could be that you're seeing dollar signs, right? But then also, I could see that someone would be hesitant to report a problem because your coworkers might say, What, are you looking around for other work?

 

Joe Carrigan: Right, that's a good point, Dave. There's two prongs to that, isn't there?

 

Dave Bittner: Yeah.

 

Joe Carrigan: You know, obviously the upfront stuff of, Hey, look, we're the Rothschilds organization, and we're Rothschild, I'm going to get hung up on that all day. I'm going to just stop.

 

Maria Varmazis: We literally never talked to you before, but suddenly we're throwing money at you. I trust this immediately. Yeah, okay, well, that's definitely how business works, right?

 

Joe Carrigan: I still get some emails.

 

Maria Varmazis: Yeah, like a cold email from somebody saying, Hey, I'm from this really famous firm and I'm giving you money?

 

Joe Carrigan: I do get cold emails from companies I've heard about. They're like, Hey, we're hiring. We just got a new contract in here. We'd like you to take a look and go apply for some things. And they send the link along, but, you know, I like my current job, so I don't look at them.

 

Maria Varmazis: Yeah. No, the thing that occurs to me when you were describing the chain of events was, I was thinking to myself, I would hope that there'd be some local control that would stop this attack in its tracks at several different points. Like being able to open a zip file, that shouldn't necessarily be able to happen depending on your level of permissions. And certainly launching something that launches a JavaScript, that hopefully one could stop depending on how locked down it is. But creating a local admin account, that shouldn't be easy to do. I mean, again, I'm thinking like, This should be locked down, but I know it's not. Obviously that's why it works, right, but there's so many points in this attack where I'm thinking, That shouldn't be allowed to happen.

 

Joe Carrigan: It's got a long kill chain, is what you're saying.

 

Maria Varmazis: It does, but clearly it's working so, you know, it's not being stopped, right. Yeah, that's, I think there would be opportunities for somebody to be able to put the brakes on this if there's some awareness there but of course the attackers are banking that there isn't, so yeah. Especially if you've got a C-level being targeted they probably don't want those lockdowns happening on their accounts.

 

Dave Bittner: Yeah, that's exactly what I was going to get to, is that I can imagine there being a tension here between the necessity to lock down a C-level person's computer because of all the goodies that they have access to, but also that person's resistance to having any roadblocks thrown up in their way when they have stuff they want to do.

 

Joe Carrigan: Right.

 

Maria Varmazis: Yep. Yeah, I remember there was a discussion at one of my previous employers about this exact thing about potentially the C-level should have the most locked down machines of anyone at the company because they were such frequent targets of this kind of thing, especially since we were a cyber security company. So it was like, Yeah, you're going to be getting attacks like this all the time, so your machine should basically just be able to read things, and that's it. That's it, read permissions only. But of course, if you're a CFO who's got a lot of things that you've got to look at, then that becomes a problem. So yeah, there's a tension there. I'm just remembering being able to create a local admin account, I'm going, that should not be easy.

 

Joe Carrigan: It shouldn't be impossible.

 

Maria Varmazis: But at the same time, if you want to install a font, then you need local admin privileges. So there you go.

 

Joe Carrigan: But if you're a CFO, why are you installing fonts?


Maria Varmazis: Because you want a pretty PowerPoint presentation.


Joe Carrigan: I don't want to send emails in wingdings.


Maria Varmazis: You would be surprised. I had a CFO who had a custom email font that he sent. That's how we actually knew whether or not he was being phished, or whether the phish was coming from him or not: the email was using a default font, and we said, No, this guy always uses a weird font, so we know it's not him.

Joe Carrigan: He always uses Comic Sans.


Maria Varmazis: It was like this bizarre sort of cursive-y, fake cursive-y script in, like, bright, bold blue. It was almost illegible, and it was very annoying. But we knew when it was, like, this email from supposedly the CFO and it was just standard Calibri or whatever going, Oh no, that's not him. It's definitely a phish.


Joe Carrigan: This is easy to read. I don't have to copy and paste this into a text editor.


Maria Varmazis: Correct. Yep.


Dave Bittner: No, that's not Bob. What happened to Bob? All right. Well, we will have a link to that story in the show notes. I'll tell you what, let's take a quick break here to hear from our show sponsor. We will be right back. [ Music ] And we are back. Maria, you're up. What do you got for us?


Maria Varmazis: Well, it occurred to me that a lot of the stories that I cover tend to have a very large US focus, and I thought it'd be interesting to look around at the rest of the world and see what's going on, especially when it comes to consumer protections. Because many times when we cover a story, you know, we're all based in the US, we go, Well, there's not much that can be done for us in the US, because we're all kind of on our own on a lot of this stuff. But it's not the case in the rest of the world when it comes to some of these scams. So let's go elsewhere for today's story. Let's go to Australia. So I've got a story from ABC News Australia, and it starts with this heartbreaking profile of a young man who was trying to buy a home in Sydney. He's 24 years old and he put $109,000 down for a home deposit. And this is every homebuyer's worst nightmare. I just went through homebuying less than a year ago. This was my nightmare. And he got a fake email from someone pretending to be his real estate lawyer, his conveyancer, which is the word that they use in Australia. And it had fake information on where to basically send his home downpayment, and fake bank details. And he sent that $109,000 before he realized it was a scam. Like, on the morning he was supposed to get his keys, which is just, oh my God. And he went to his bank saying, Listen, I've just been scammed, please help me get that money back. And even though he was super fast about it, he did not get his money back and the bank was not able to help him. So he filed a complaint with the Australian Financial Complaints Authority, which is, for our US listeners, roughly equivalent to the US CFPB's dispute resolution. That's sort of the somewhat equivalent, but not quite.
And the AFCA said that the bank had warned him, like, Hey, you've got to make sure where you're transferring this money is the correct place, so we can't have them reimburse you the money that you lost, because the bank did their job, saying, Be careful. And that was all the bank needed to do. So for this young man who lost all his money, he ended up getting his house because his family helped him fill in the blanks with the money that he lost. But he had absolutely no cash left over for, you know, actually improving this house that he bought. The long and short of this story is, Australia has been recently taking notes from the UK in rolling out, unfortunately not in time for this gentleman, but rolling out this thing called "confirmation of payee", which has been in existence in the UK since 2020. And basically confirmation of payee warns users if the account name does not match the routing number and account number. So if there's a weird mismatch there, it'll tell you before any money is sent, Hey, something's fishy here. Australia has been rolling this out over the last year at least, and it sounds like it's pretty much ready to go for prime time, but it's not exactly the same as what the UK system has been doing. And I should note for our US listeners, we have nothing like this [laughter]. We have a little bit --


Joe Carrigan: I've heard, I've heard of something like this coming, although I don't think it's ready yet. But I think this is interesting, the confirmation of payee, and I can't remember where I heard this, but there's some kind of, that uses the same data points. Who are you sending this to? I'm sending this to this title company. Well, that account is owned by Joe Carrigan. You can't send Joe Carrigan $109,000 that's intended for this title company.


Dave Bittner: Right.


Joe Carrigan: And I'm pretty sure it was a US-based thing. I mean, but --


Maria Varmazis: Yeah, so the differentiation --


Joe Carrigan: We don't have it.


Maria Varmazis: Yeah, we don't have anything national. And I think Canada is also working on something like this, but they don't have it yet either, but they're further along. So for me, as a US person, I'm thinking there is no national standard here, like a confirmation of payee standard, across all US banks. Some financial institutions have some sort of things like this in some parts of the United States. So some will say, Hey, if you're trying to do what we have, the ACH system here, the automated clearing house, is that what it stands for? They will some, yeah, ACH is our sort of version of the routing number, basically, our financial listeners are going to pillory me on this, but the ACH is what we use [laughter]. I'm not a financial person, this is probably pretty clear right now. But I'm sure some of you have encountered where they'll do like a microdeposit saying, Hey, we're going to give you one cent and two cents and just verify the amount over the next week to say that we've actually deposited to the correct place and then we'll send the final amount. I've seen that with my financial institutions. Or they'll have you log into your bank in the other, they call it instant account verification. It's a login sharing thing where they'll say, you want to add your bank to do a deposit, you have to log into your bank while in our app and then verify that you actually own this thing. So it's sort of a system to catch this. But again, it's piecemeal. As somebody thinks in the US, it's piecemeal and it depends on who you have and how advanced your bank is and that sort of thing. And there's certainly no regulation about this, so don't hold your breath on that one. Yeah, and Zelle apparently has a sort of system about this as well, and Zelle is used a lot in the States for some of this kind of thing. The thing that was interesting to me about confirmation of payee in the UK is that it basically holds the bank really responsible if somebody gets scammed.
So the bank has to reimburse the victim. On average, apparently, the UK banks reimburse almost 90% of the money of the person who gets scammed. So the banks have really stepped up and said, We're going to make sure we protect you. And if we fail to do that, we will do a lot to make sure we get you as much money back as we possibly can. In Australia's case, this is the big complaint in Australia right now, is that scam losses there are only covered 2% to 7% on average. So the banks are still doing more than that, certainly compared to the United States, in terms of trying to protect their consumers, but money may not come back to you if you are scammed. So the COP, the confirmation of payee, in Australia still puts a lot of the burden on the consumer. Although, again, coming from the States, I'm going, It's better than what we have, but I think people would like it to still be better. So the UK model to me clearly is sort of a gold standard, where they're both saying, Hey, we want to make sure that the names align with these bank accounts that you're trying to get money to or from, and that if somebody's unrecognized or seems to be doing an imposter situation, we're going to flag that instantly, and that if you happen to get scammed despite that, we're also going to make sure we get you money back. That sounds pretty fantastic. So I would love to hear from our listeners, because I know we have a lot of listeners who are financially savvy, and also in the world of finance institutions, what other similar protocols are in place around the world. Because coming from the United States, I don't think I'm going to see anything like this anytime soon, except for the piecemeal sort of thing that we have going on right now, bank by bank. But I'd be very curious what other countries are doing. And yeah, I just, I thought this was fascinating.
So I guess kudos to Australia for taking some good steps here and certainly advocates in Australia want more things to happen. But this sounds like a fantastic step to follow the UK's model on this.


Dave Bittner: I have friends who are bankers, commercial bankers, and they've talked to me about just a huge percentage of their time that's taken up dealing with scams. The clients being scammed is just relentless and it's a huge time suck, and so there's lots of motivation to get this under control. But, you know, if you made the banks liable, then boy, you could bet they'd throw technology at it.


Maria Varmazis: You bet. Yeah, when I was going through my house buying and selling process last year, it was just terrifying going through where we have the money wiring process, lots and lots of money being moved. And this was quite literally phone calls going up the banking chain. It was about as lo-fi as one might imagine and it was oddly comforting. Actually, that this was slow, it was also very frustrating because it held up a lot of the paperwork on my side. But it would be nice if we could make this easier but also stronger as opposed to, Let's hope this phone call reaches the right person, who in my case was on vacation and couldn't be reached, so it held up my closing for several days. It was very annoying.


Dave Bittner: Well, you know, because everything here in the US is based on a profit motive, I can't help thinking about, you know, I don't even know if this exists anymore, but it used to be that if you went to an airport and you're about to take a flight, there was a little kiosk where you could buy last-minute life insurance, you know what I'm talking about?


Maria Varmazis: Oh my gosh.


Joe Carrigan: Is that still a thing?


Dave Bittner: I don't know. But it used to be.


Maria Varmazis: I have never seen that. That's fascinating.


Dave Bittner: Right. There's a little kiosk and you could, I don't know, it wasn't expensive but you could buy last-minute life insurance and it was just, you know, playing off of people's fear of flying. But it was legit. If the plane crashed, which planes almost never do, there'd be an extra little something for your loved ones. And I can't help thinking, like, for major transactions like settling mortgages and things, could there be an opportunity here for a, you know, small last minute insurance policy that the money will go through and the vast majority of times the money does go through. But if you happen to be victimized, then the whatever it would be, $10, $100, who knows?


Joe Carrigan: Depending on how often this happens, you'd have to have an actuary look at this.


Maria Varmazis: It might be viable, yeah.


Joe Carrigan: But here's my thinking on this. This Louis May guy received a fake email from someone posing as his conveyancer, which is a real estate attorney in Australia. Was that a business email compromise attack? Was that coming from... I mean, how'd they know to email him? This seems like he should be saying something to the conveyancer, or getting somebody to sue the conveyancer, or saying to the conveyancer, Hey, I hope you have errors and omissions insurance, because I just got scammed out of $109,000 because someone impersonating you from your email sent me an email that said put the money over here. That's where I think the blame lies and the liability lies.

Maria Varmazis: Yeah, I mean, I remember, again, Joe, you've recently sort of gone through this process too, I think. There were all sorts of disclaimers saying if you get any kind of email from anybody that's not literally directly me, and also if you don't get a phone call about it, do not trust that email. Because a lot of this information becomes public record once it starts going through the legal system. So I have to wonder if maybe that's what it was, is something public essentially was intercepted, for lack of a better term.


Joe Carrigan: Yeah, it could be.


Maria Varmazis: Yeah, everything that I remember going through this twice last year, and it was literally like everything had to be verified in person or by phone call. Email was just not to be trusted. It was a starting point of basically, Hey, we're moving on to the next step. Do not convey anything through this. Everything, you need to call someone. Which is just wild to me that that's how it's still going, at least states-wise.


Joe Carrigan: That's fine. I think it is.


Maria Varmazis: I mean like I appreciate it. I didn't want to lose my money obviously.


Joe Carrigan: It cost you a couple extra days and I get that that's frustrating but your transaction happened.


Maria Varmazis: I didn't want to lose my money but, you know, it's also, like, it was 2024. It's like, what year is this?


Joe Carrigan: Well, I will never forget when I was standing in line at a, this was probably 20 years ago. It was, I mean, it was two houses ago because I remember the polling place and there was somebody standing in front of or behind me going, Why are we standing in line to do this? Why aren't we doing this online now? And I turned to her and said, If we did it online, I guarantee you my candidate would win every time. And I just stared at her and you don't want that.


Dave Bittner: Right, right. Especially the way you vote, Joe.


Joe Carrigan: Right, that's right.


Maria Varmazis: Early and often, right?


Joe Carrigan: Right, yeah. Well, just once, but it was some radical fringe party. Yeah.


Dave Bittner: All right, well, again, we would love to hear from you. If there's something you'd like us to consider for the show, please email us. It's hackinghumans@n2k.com. Joe, Maria, it is time to move on to our Catch of the Day. [ Soundbite of Reeling in Fishing Line ] [ Music ]

Joe Carrigan: Dave, our Catch of the Day comes from Jim, and it's a pretty good one. It looks like it's an iMessage from an iPhone --


Dave Bittner: Yeah.


Joe Carrigan: -- that Jim just got from an email address from somebody named Paula.


Dave Bittner: Okay, so yeah.


Maria Varmazis: Okay, this is from Paula. Hello, I'm Emma from the HR team at WorkRemotely, and we recognize that you have excellent potential for career advancement and would like to introduce you to a remote high-paying job opportunity. Location, flexible anywhere. Hours, 30 to 90 minutes per day. Training, comprehensive free training provided. Compensation, $200 to $3,000 per day. Paychecks are paid daily. Recruitment requirements, age 24 plus. Benefits, 401k and health insurance upon hire and 20 to 30 days paid annual leave, helping you achieve a better work-life balance. If you would like to know more, please write to me via WhatsApp or Telegram. And the Telegram address is @Linda [laughter].


Joe Carrigan: So Jim has some comments. He said, These guys really need to up their game. The claims are beyond ridiculous, but sadly some folks will fall for it, which is correct. The annual salary of over three quarters of a million dollars for only working 90 minutes a day. You can work from anywhere, there's free training, and you get 30 days off a year, paid. It's that, I mean, if you want to pay, if somebody wants to pay me three quarters of a million dollars a year, I don't need any paid vacation, Dave and Maria. I'd be happy to take just the three quarters of a million dollars a year.

Maria Varmazis: Seriously. Take that to the bank.


Joe Carrigan: If I don't, if I happen to take a couple days off and you just don't pay me for those days, that's fine. That's fine. I'd be happy, right? And then finally Jim points out that Paula is using Emma's email to ask him to contact Linda, which seems legit.


Maria Varmazis: But Emma also, Paula, Emma, Linda.


Joe Carrigan: Yeah, Paula is using, did I say that right? Paula is using, Paula is using Emma's email, yeah, Linda --


Maria Varmazis: Emma's using Paula's email to contact Linda.


Joe Carrigan: Right.


Dave Bittner: What, are we in middle school?


Joe Carrigan: Right. Yeah.


Maria Varmazis: Paula, Linda, Emma.


Joe Carrigan: I heard from Jenny that Maria likes you and that you should tell Stacey.


Maria Varmazis: Check yes or no on this box, pass the note.


Dave Bittner: Right. Right. Oh my goodness. All right. Well, that's a good one, and don't fall for it.


Joe Carrigan: No. [ Music ]


Dave Bittner: That is "Hacking Humans", brought to you by N2K's CyberWire. We would love to know what you think of this podcast. We are conducting an audience survey through the end of this summer. You'll find the link in the show notes and we do hope you will check it out. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tre Hester. Peter Kilpe is our publisher. I'm Dave Bittner.


Joe Carrigan: I'm Joe Carrigan.


Maria Varmazis: And I'm Paula Emelinda Maria Varmazis.


Dave Bittner: Thanks for listening.