
Liar, liar, AI on fire.
[ Music ]
Maria Varmazis: Hello everyone and welcome to N2K CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Maria Varmazis, Host of "T-Minus Space Daily" here on N2K. And joining me is Joe Carrigan. Hi, Joe.
Joe Carrigan: Hi, Maria.
Maria Varmazis: Hello, hello. And listeners, Dave is off this week on a very well-earned vacation, so it is just me and Joe today. And we have some interesting stories to share this week with you. But first, let's get into some updates and then later some follow up. Joe, why don't we go to you first for your update?
Joe Carrigan: Listeners may have heard me a couple times. I brought Fred into the studio, my dog, Fred. Fred passed away on Tuesday at home --
Maria Varmazis: I'm sorry.
Joe Carrigan: -- peacefully and painlessly. So, he is, he is gone. So, if any listeners are wondering how my dog is doing, he's gone.
Maria Varmazis: I'm so sorry, Joe. All of us, like, my heart goes out to you, seriously. As a pet owner. And, I'm just very sorry for your loss. So, my heart's with you.
Joe Carrigan: I'm always shocked how, you know, how much I feel when one of these, one of these animals goes. It's --
Maria Varmazis: Yeah.
Joe Carrigan: And, you know, Fred was, we adopted him late, so it's not like I raised him from a puppy, but still, he was a good dog. He was a good boy.
Maria Varmazis: Sorry, Joe. And I'm sure our listeners are with you, too. Many, many listeners have been right there with you, so our heart goes out to you, Joe, you and your family, and Josie, your other dog.
Joe Carrigan: Yes.
Maria Varmazis: Very sorry for your loss.
Joe Carrigan: Yep.
Maria Varmazis: I have no good way to segue from that, Joe, so I'm just going to --
Joe Carrigan: Just go ahead and --
Maria Varmazis: -- awkwardly just do it.
Joe Carrigan: There is no segue from that.
Maria Varmazis: There's no segue from that.
Joe Carrigan: Joe's dog died. My chickens are doing good. They're outside now. I got them moved outside.
Maria Varmazis: The other question that I'm sure people are going, How are the chickens?
Joe Carrigan: They're outside. They're in the coop and they're doing well and they're loving it.
Maria Varmazis: I'm so glad. Silver lining, if one can be in such a situation. So, I'm glad your chickens are doing well. So, please keep us updated on how they're all doing.
Joe Carrigan: I will. I've got to build a bigger run.
Maria Varmazis: Oh, that sounds like a good project to have.
Joe Carrigan: It is, yeah.
Maria Varmazis: Yeah. We're going to need a bigger run. Anyway, so without further ado, why don't we get into some listener follow-up, and this was a really interesting listener follow-up from, let me make sure I get his name correctly, from listener Michael. And he sent this earlier today, actually. And he wrote, "This is either a very clever new scam or a very poor way for Signal to communicate with users. I know that WhatsApp has its own channel from corporate, but I've never seen one from Signal. If it was from corporate, I don't think it would tell me to review carefully. Cheers to you, thanks for what you do." This could have been a "Catch of the Day", but honestly, we've been talking so much about WhatsApp lately, I felt like this was more of a follow-up, so.
Joe Carrigan: Right.
Maria Varmazis: I'm putting it at the front of the show for reasons --
Joe Carrigan: Sure.
Maria Varmazis: -- that are completely arbitrary. So, the message that Michael sent from, and it's a screenshot from Signal that he sent, the contact name says "Signal Support". And the user says, sorry, the message says, "Dear user, this is Signal Security Support Chatbot. We have noticed suspicious activity on your device, which could have led to a data leak. We have also detected attempts to gain access to your private data in Signal. To prevent this, you have to pass verification procedure, entering the verification code to Signal Security Support Chatbot. Don't tell anyone the code, not even Signal employees." Okay, so.
Joe Carrigan: Yeah.
Maria Varmazis: Yeah, that makes me go, this is very, and thankfully Michael knows this too, is very obviously a scam.
Joe Carrigan: I think it is, yeah.
Maria Varmazis: Yeah, I can't imagine --
Joe Carrigan: I'm opening my Signal app right now to see if I have anything similar.
Maria Varmazis: Yeah, I cannot imagine in any universe Signal, which is the super secure, as long as you don't invite the press to your chat groups --
Joe Carrigan: [Laughter] Right.
Maria Varmazis: -- super secure encrypted chat messaging app, I cannot imagine they would ever have anything like this. And my suspicions were proven correct when I actually went to the official Signal FAQ just to check, because I'm sure they've tried to address something like this. So this is what Signal wrote, "Signal support will never reach out to you first. We will only respond if contacted. Contact with Signal or any Signal representative will only come from an @signal.org email address, not from within the app. If anyone contacts you within Signal claiming to be a chatbot, security, support, or representative from Signal, it is a scam. Immediately select 'Report' and choose 'Report and Block'." So that is Signal's official line there, and Signal is, again, as secure as you can make it, if you don't do anything silly, so don't do anything --
Joe Carrigan: Right.
Maria Varmazis: -- silly.
Joe Carrigan: It's a really good app. I have it. Yeah, I would love for this to be my only means of communication, but there's no way I'm getting my 80-year-old aunts to go into Signal and install this.
Maria Varmazis: It is tough. I have a lot of friends who are on it, some family as well. I was an early adopter of Signal when it was a little harder to use. They've made it a lot easier to use now, and it's still very, very secure. So again, you can't do anything silly like, again, inviting people into your chats that don't belong or, you know, getting or falling for scams if you can avoid it. But I'm very glad that listener Michael knows that this was not trustworthy. And again, Signal says you will never be contacted this way within the app. So.
Joe Carrigan: Right.
Maria Varmazis: Listener beware. Joe, you are up first today for our stories. Why don't you go ahead?
Joe Carrigan: I've got three stories today, but they're all related, closely related.
Maria Varmazis: Wait, you've got --
Joe Carrigan: They're all very --
Maria Varmazis: Okay.
Joe Carrigan: It's essentially one big story. But --
Maria Varmazis: A megastory, if you will. Okay.
Joe Carrigan: I first got the tip-off from a listener, and a guy I actually know personally in real life. His name is David. David, and I will not give his last name because I don't know if he would like me to do that.
Maria Varmazis: Bittner?
Joe Carrigan: No, it's not David Bittner. No, it's not.
Maria Varmazis: [Laughter] Okay.
Joe Carrigan: It's a different David.
Maria Varmazis: Davide Bittnair. Okay. No. Okay.
Joe Carrigan: So, the story that he sent me is the last story I'm going to talk about. But the first story I want to talk about is from the New York Times. And it says, "South Korea Targets Cambodia's Scam Industry After Kidnappings, Torture, and Even One Death". So this is talking about the South Korean government. They are dealing with some outrage, outrage in South Korea after 330 people have been reported missing in Cambodia this year, including one 22-year-old university student who was later found dead.
Maria Varmazis: Oh, my God. Okay, sorry.
Joe Carrigan: Others have been, yeah.
Maria Varmazis: Wow.
Joe Carrigan: Others have been tortured and confined by those running a scam. And we've been talking about this for a long time. But now, now South Korea is getting involved, the South Korean government is getting involved. They would like to repatriate about 60 people who have been detained by Cambodian authorities so they can get these people back into their, back into their home country of South Korea. And this article talks about all the, what they're used for. Of course, because they're South Koreans, what they're doing, what these Cambodian scam centers are doing is they are calling back into South Korea and forcing these people to scam their countrymen out of money, which is how this works. It says here they stole at least $10 billion, these Cambodian scam centers, from the United States in the last year. The Treasury Department said that. And the South Korean nationals were defrauded of about $148 million in 2023.
Maria Varmazis: Wow.
Joe Carrigan: So that's the first story.
Maria Varmazis: Yeah.
Joe Carrigan: The second story I have, which is suspiciously related, I mean, not suspiciously, they're all related, is from CBS News, and this story is actually, like, a little bit of good news. The federal government, the US government, has seen $15 billion with a B.
Maria Varmazis: With a B! With a B! Yes, Carl Sagan, with a B.
Joe Carrigan: In Bitcoin, after busting an alleged, one of these global crypto scams.
Maria Varmazis: Wow.
Joe Carrigan: So who they have prosecuted, who they're prosecuting is this guy named Chen Zhi, who is the founder and chairman of Prince Holdings Groups. And they say, the US is alleging that this guy is the head of a vast criminal network in Cambodia built on forced labor. And they are responsible for extracting billions from the United States in terms of, in scams.
Maria Varmazis: Okay, quick question.
Joe Carrigan: Yes.
Maria Varmazis: Was this money in crypto?
Joe Carrigan: It was. They got the money out in crypto. So --
Maria Varmazis: Why am I not surprised?
Joe Carrigan: Cool, because that's the fastest way to get money from point A to point B.
Maria Varmazis: That's right.
Joe Carrigan: Is if I can convince you to go drain, like, my story last week had a woman pumping $20,000 into a Bitcoin ATM.
Maria Varmazis: Yeah.
Joe Carrigan: And I did listen to the episode and at one point in time, I'm embarrassed, but I did say ATM machine.
Maria Varmazis: You know, I noticed that you did that, and I didn't want to say anything.
Joe Carrigan: You let it slide? No. Call me on the carpet every time I do something like that.
Maria Varmazis: Okay.
Joe Carrigan: It irritates me. I was like --
Maria Varmazis: How about PIN number, naan bread, Chai tea, any of those? No?
Joe Carrigan: Yeah, anything. Anything from a --
Maria Varmazis: Bao bun.
Joe Carrigan: I don't know what that one is.
Maria Varmazis: Oh, a bao is a bun, but a lot of people say bao bun, which is --
Joe Carrigan: Oh, oh, oh, oh, oh, oh.
Maria Varmazis: Bao.
Joe Carrigan: Did you put Chai tea in there already?
Maria Varmazis: I did put Chai tea. I also put naan bread, N-A-N, N-A-A-N bread. Yeah. Anyway.
Joe Carrigan: Yes.
Maria Varmazis: Those are a lot of my -- irritated.
Joe Carrigan: I did know that Chai is actually Hindi for tea. So when you say Chai tea, you're saying tea tea.
Maria Varmazis: Tea tea, yep.
Joe Carrigan: It's also, Sahara is actually, I don't know which --
Maria Varmazis: Desert desert.
Joe Carrigan: Yeah, it's, it might be Arabic for desert. I don't know, but it's, in some language it means desert. So when you say "Sahara Desert", you mean desert desert.
Maria Varmazis: Yeah.
Joe Carrigan: Right.
Maria Varmazis: Yes. Anyway.
Joe Carrigan: Anyway, there we go. Linguistics Joe. So, there's some quotes in this article that I found interesting. Prince Holding Group's website lists it as one of the largest conglomerates in Cambodia with businesses focused on, ready, real estate development, banking, finance, and consumer services.
Maria Varmazis: Okay, okay. That is, if you look through that with a very dark sense of humor lens, real estate development being these forced labor camps, banking being asset transfers of ill-gained money --
Joe Carrigan: Right.
Maria Varmazis: -- finance, same, consumer services being scamming people?
Joe Carrigan: Right.
Maria Varmazis: I mean, my God, it's so dark.
Joe Carrigan: Yeah, actually --
Maria Varmazis: I'm laughing because it's just, like, that is extraordinarily cynical. You almost have to tip your hat to it.
Joe Carrigan: Yes, but --
Maria Varmazis: Not that I have a hat.
Joe Carrigan: -- I don't know that that's where they're cynical. What they're, I don't think they did this with cynicism. I think this is where, this is how they launder money through real estate development, banking, and finance and consumer services. There is an independent research group that is called Cyber Scam Monitor. They've documented more than 200 online scamming centers and casinos in Cambodia alone by Prince Holdings. Or actually, it doesn't say by Prince Holdings, but if these are, if these guys have casinos, that's like a license to launder money right there.
Maria Varmazis: Yeah.
Joe Carrigan: Especially if you don't have any know-your-customer requirements in a different country. I mean, you could just say somebody came in, put a billion dollars down, lost it all, bet it all on black and they lost. And we kept it. And that's how we got this money. And the government goes, Okay.
Maria Varmazis: Done.
Joe Carrigan: Right.
Maria Varmazis: What are, what are know-your-customer requirements for casinos? Is that, I don't know what that means.
Joe Carrigan: So when, I don't go to casinos on a regular basis --
Maria Varmazis: I don't go to them at all, so this is totally unknown to me.
Joe Carrigan: I haven't been to one, this was, I'll give you an idea of the last time I went into a casino. I went to Kansas City and I went to Isle of Capri, which is a riverboat casino. Which is where, they were allowed to have riverboat casinos. So the way they --
Maria Varmazis: The Isle of Capri Kansas City Casino. Okay, yep, alright.
Joe Carrigan: Yeah. And, you know, my wife and I each went in there. We each took I think 50 bucks in and that was the plan, to walk in and walk out. But we had to sign up.
Maria Varmazis: Smart. Smart.
Joe Carrigan: They had to have a driver's license from us.
Maria Varmazis: Oh, okay.
Joe Carrigan: And we had to create an account with them.
Maria Varmazis: Really?
Joe Carrigan: Yeah. Now, they misnamed my account. They called me Joe Carrington. So I'm like, Ooh, this is an opportunity for me to launder some money.
Maria Varmazis: Alias, yeah, there you go.
Joe Carrigan: But I lost all 50 bucks and that was the end of that.
Maria Varmazis: It just, as someone who has never gambled at all, especially not in a casino, I have the movie James Bond mentality of what casinos are like, where you just walk, again, you just walk in, you do the thing and you leave.
Joe Carrigan: Right.
Maria Varmazis: So I didn't realize that they're not like that. So okay, interesting.
Joe Carrigan: Yeah, so, I mean, there was, to tell you how long ago this was, we were there for a wedding, and the married couple's son has just graduated from high school recently. I think he's going to college now. So I have, that's how long it's been since I've been, since I've done any gambling at any casino. Now I've been, there was a casino that opened here, Maryland Live, and I went into that casino and they had, the minimum at that time for blackjack was $15 a table. I'm like, I'm not doing this. Goodbye. And I left, and that was it. And then I went over to Bass Pro Shop and bought something for Christmas. That was why I was there. But.
Maria Varmazis: That's a very detailed recollection. I just, I just have to hand it to you. All right. Anyway.
Joe Carrigan: So how, the question is, how did Prince Holdings get away with this --
Maria Varmazis: Yes.
Joe Carrigan: "Mark Taylor, who formerly worked on human trafficking issues in Cambodia for the non-profit Winrock International, said that Chen was embedded in the Cambodian elites and well protected by the government, showing a larger role that Cambodia has played as a safe center for these online scamming centers to prosper." So, that's a quote from the article. So these, this government, Cambodia is in league with these people. And my last story is from the BBC, and this is the one that David sent me. He sent it to me in a blog post, but I found the original source here, and the story is about China. Now, remember we were talking about China going into Cambodia and to Myanmar and trying to get these --
Maria Varmazis: Yeah, was that last week's or maybe the week before?
Joe Carrigan: It was a couple of weeks ago.
Maria Varmazis: Recently, recently, yep.
Joe Carrigan: China has sentenced 11 members of mafia families to death over this.
Maria Varmazis: They do not play. Wow.
Joe Carrigan: China, yeah, China does not mess around.
Maria Varmazis: China don't play.
Joe Carrigan: That's right. The Chinese court has sentenced 11 members of a notorious crime family that ran scam centers in Myanmar, according to the Chinese state media. So, this is the Ming family. Dozens of members were found guilty, and there are varying degrees of punishment here. Some of these guys are going to get executed, like, right away, forthwith. Some of them have a two-year reprieve in which they can appeal their case, and then some of them got life in prison. I mean, China has really, these, they handed, they handed down the sentences to 39 people in this case. So, China's doing something about this, the United States is doing something about this, South Korea is doing something about this. I don't think this problem is going away anytime soon, but, you know, the world is now watching this.
Maria Varmazis: Yeah, it's a global problem.
Joe Carrigan: Right.
Maria Varmazis: It's not, I know when I talk to people who live outside of the United States especially, there is still a mentality with some folks that I know, that this is largely a problem for the Anglosphere or, like, the wealthy Anglosphere.
Joe Carrigan: Right.
Maria Varmazis: And it's just not.
Joe Carrigan: It's not.
Maria Varmazis: Especially with AI. It's really, it is a truly global problem. So, something like this does require a large international response. So, it seems encouraging to me, but I'm with you. I despair a little bit. I just don't know how this, things are going to get much better. It seems just so much easier. Every time we're on this show, it just seems like there's just more tools in the toolkit for the criminals to do their terrible --
Joe Carrigan: Bad guys.
Maria Varmazis: -- stuff. And it's like, Oh, my goodness. Oh, I'm a, I'm just full of rainbows and sunshine today [laughter]. Life is great. It's wonderful.
Joe Carrigan: Yes.
Maria Varmazis: Well, you know, I will say this. It is nice, question mark, knowing that there's some justice is being done in some way, although death penalty. Geez.
Joe Carrigan: Yeah, I'm not a big fan of the death penalty.
Maria Varmazis: Same. Same here. I'm not a fan of that.
Joe Carrigan: Right.
Maria Varmazis: But...
Joe Carrigan: But China going to China.
Maria Varmazis: I feel like as an American, I am in no place to throw stones. So --
Joe Carrigan: Right, that's true.
Maria Varmazis: Let's leave that one there. All right. Why don't we take a quick break and hear a few words from our sponsors? [ Music ] Okay, and we are back. Joe, I just realized I kind of cut you off before we went to an ad break. Were you good, or?
Joe Carrigan: No, I was done. That was it.
Maria Varmazis: Okay.
Joe Carrigan: Yep.
Maria Varmazis: Okay. All right. So, I'm next because Dave's not here. So, speaking of a barrel of rainbows --
Joe Carrigan: We've never made that joke.
Maria Varmazis: Which one?
Joe Carrigan: Dave's not here, man. Are you familiar with that bit?
Maria Varmazis: What is that from?
Joe Carrigan: Oh, no. Well, listeners, we're going, I'm going to educate Maria right after we record this podcast.
Maria Varmazis: Okay, you can tell me now. Now I'm going to be like, that's going to bother me.
Joe Carrigan: It's from a very old Cheech and Chong bit.
Maria Varmazis: Oh, I would not know Cheech and Chong bits.
Joe Carrigan: Oh, okay.
Maria Varmazis: Cheech and Chong, I know who they are.
Joe Carrigan: Right.
Maria Varmazis: I know what they are all about, but I don't have a knowledge of their...
Joe Carrigan: We used to, back in the '80s and late '70s, we used to listen to their records and laugh and laugh and laugh.
Maria Varmazis: Tell me about the old days, Joe [laughter].
Joe Carrigan: We went to the record store and we'd buy a Cheech and Chong record, and we'd get all the drug humor and, oh, some stuff was just frankly racist.
Maria Varmazis: No, no, definitely not.
Joe Carrigan: Yep.
Maria Varmazis: Not back then, never. Alright, no, Dave's not here, and I unknowingly wandered into a reference that I didn't know existed, so that's great, I learned something today, thank you, Joe.
Joe Carrigan: Yep.
Maria Varmazis: So my story, it comes from our friends at Malwarebytes, and they have a report about how AI-driven scams are preying on Gen Z's digital lives. Now, this is something I have talked a lot about on this show, and it's not, the premise of Gen Z being specifically at risk to some of these scams I don't think is going to blow anyone's hair back in terms of news, but I thought it was interesting that there's some numbers to this report. So that is why I wanted to highlight this. Because again, for me, a lot of what I enjoy about this job is learning things that challenge my own perception of scams. And I think before I started on this show, if you had asked me, What generation is most susceptible to some of these scams? I never would have guessed Gen Z. Never. And I just keep learning more and more that that's not correct. So.
Joe Carrigan: We, yeah, we had some early research, Dave and I, before you joined the show.
Maria Varmazis: The pre-Maria years, yes.
Joe Carrigan: Yeah, the pre-Maria years, that the people who are more likely to get scammed were the younger people, but the people who are more likely to lose money, lots of money, were older people.
Maria Varmazis: Yes.
Joe Carrigan: That makes sense, because younger people don't have a lot of money to lose.
Maria Varmazis: And less life experience in general, yes.
Joe Carrigan: Right. And older people have more life experience, are more embittered by, you know, having been scammed before when they were younger, they can see a scam. But, you know, as time goes on, when you amass wealth and somebody calls you and scares you, and then you lose a lot of money. So yeah, there's two sides of this. Young people are more likely to get scammed, but they're more likely to also not suffer, you know, are less likely to suffer grave losses. Old people are less likely to be scammed, but when they are scammed, it's devastating.
Maria Varmazis: Right, grave financial losses.
Joe Carrigan: Correct.
Maria Varmazis: Specifically, but there are other kinds of losses. And to me, I always sound like such a doomer when it comes to AI. AI is making this a lot worse so quickly.
Joe Carrigan: Right.
Maria Varmazis: And I'm a little cynical about this report, not to throw any shade at Malwarebytes, but it was sort of like talking about how AI is making this problem so much worse, especially for Gen Zers, and at the end, they're selling an AI-powered tool to try and help fight this, and I'm going, Oh my God. Anyway.
Joe Carrigan: Yeah, I mean, we will look at the research portion of this.
Maria Varmazis: Yeah, let's look at the research portion of it. So, what they found was 69% of victims and 64% of targets of extortion scams are either Gen Z or Millennial, versus 52% of victims and 40% of targets of the other types of scams. So, you don't have to keep track of all those numbers. It's just, it's almost 70% of victims are Gen Z or Millennial, and 64% of targets. So that just shows you where the targeting is going. Even to your point, they don't have as much money. Clearly, the scammers are seeing those folks as target rich, and it seems to be hitting. Sixty-five percent of the victims and 60% of the targets are male. Forty-five percent of victims and 41% of targets are parents. Fifty-three percent of victims are not white. And 52% of victims and 46% of targets agree with the phrase, I'm more likely to click a link on my phone than on my laptop, which I will say this as a millennial who is very much in the certain tasks require a big computer. I can't do them on the, on the phone. I feel a little vindicated on that one.
Joe Carrigan: Right.
Maria Varmazis: But, I mean, a lot of people, all they have is, the whole idea of even having a computer at this point is almost antiquated for a lot of people. So I get for if the phone is your only way to interface with the Internet, then, yeah, you're going to get hit through that.
Joe Carrigan: Yeah, I got some shade thrown my way when I told the, you know, a class full of people, I'm in a class right now, a data science class, a machine learning class, fascinating class, great instructor. I am the oldest guy in that class, including the instructor.
Maria Varmazis: Fun. Including the instructor?
Joe Carrigan: Oh yeah, he's a young guy and he, you know, he's smart and awesome. But yeah, I'm the oldest guy, and I'm like, I sit here, hold on, I've got to plug my camera into my desktop tower, and he's like, What? I'm like, Yes, of course, that's what I have, and I love this thing, I'm never going to stop using it.
Maria Varmazis: Are you the guy who used to bring the CRT to Starbucks and do your work?
Joe Carrigan: No.
Maria Varmazis: Legends.
Joe Carrigan: Right?
Maria Varmazis: Anyway, yeah, no, some, I do feel a little vindicated that some things do require a big computer versus small computer, but again, for many people, their phone is it, so yeah, that's the way you're going to get hit. To your point about older victims losing more money, the damage for younger victims is different. So, what Malwarebytes highlights here, and I really appreciate this, is that the damage is largely emotional and deeply personal. So especially with AI in the mix, the threats that folks are getting are personalized, and of course they're high pressure because that is the way, to make extortion victims feel especially vulnerable. And mobile, the victims of all mobile scams suffer serious emotional, financial, and functional fallout. Extortion victims experience what they call an outsized impact, where 9 out of 10 extortion victims reported emotional harm because of the scam they experienced, 35% experienced blackmail or harassment, 21% experienced damage to their reputation, and 19% faced consequences at work or at school.
Joe Carrigan: Well, what does that mean?
Maria Varmazis: You know, I don't entirely know.
Joe Carrigan: I mean, is it just social consequences? Or, I mean, because that, and I'm not belittling that.
Maria Varmazis: No, it's a very good question. Let me just double check the original source here, because that is a very good question.
Joe Carrigan: Okay.
Maria Varmazis: So one respondent is Gen Z and they wrote, "I didn't lose anything. I was just scared because they wanted to inform all my friends, family, and employers how perverted I was because I supposedly watched porn." Now again, is that threat legit? Questionable, but it's plausible.
Joe Carrigan: Right.
Maria Varmazis: It's absolutely plausible that it is.
Joe Carrigan: But the way a lot of these sextortion scams work, it could be a legit threat. These guys will try to wreck people's lives.
Maria Varmazis: Yeah.
Joe Carrigan: They will try to carry through on their threats because that makes the next victim that they have more ready to pay up, more willing to pay up.
Maria Varmazis: I mean, I will go ahead and say it, I wish people didn't feel shame about watching porn and we could just take that part away, but it's not something I do but at the same time like, you know, I don't, I, it breaks my heart that so many people have their lives ruined over just an allegation.
Joe Carrigan: Yeah, this is not, probably not, I don't know if this is a sextortion thing, then what happens is these guys actively send images to these, particularly to these young men.
Maria Varmazis: Yeah.
Joe Carrigan: And then they wind up, they wind up, you know, because when, you know, when I, you know, when a man is in his youth, you know --
Maria Varmazis: [Laughter] Joe, you don't need to explain it.
Joe Carrigan: Right, okay.
Maria Varmazis: I think everybody here knows.
Joe Carrigan: Right, so I can totally empathize with how you got suckered into this.
Maria Varmazis: Yeah, and of course, again, AI videos being generated, it can be a fake video, but if it looks --
Joe Carrigan: A hundred percent.
Maria Varmazis: -- real enough, it can still be extremely embarrassing.
Joe Carrigan: Absolutely.
Maria Varmazis: And it's horrifying, and, like, a lot of people, famous people, non-famous people, lots of people are experiencing this, and it's just absolutely horrific. So yeah, I can absolutely see why this would be really just damaging, and in the long term, not like a temporary, oh, it's slightly embarrassing. Like, this could really haunt somebody.
Joe Carrigan: Yeah, absolutely.
Maria Varmazis: Especially a young person who might have, like, a really out sense, outsized sense of shame over something like this.
Joe Carrigan: Right.
Maria Varmazis: It just, yeah, I could absolutely see that, so.
Joe Carrigan: Or if you're part of a religious community.
Maria Varmazis: Yes.
Joe Carrigan: You know?
Maria Varmazis: Where these things, like, my opinion is one thing, other people's opinion is very different on this sort of stuff.
Joe Carrigan: Right.
Maria Varmazis: So yes, you could be ostracized.
Joe Carrigan: Correct.
Maria Varmazis: And certainly if you work for a very, an employer who has certain feelings about certain things, like I'm trying to be very circumspect here.
Joe Carrigan: Yep.
Maria Varmazis: But yeah, I could absolutely see some horrible things happening, so, it's awful. It's awful, it's awful, it's awful.
Joe Carrigan: It is.
Maria Varmazis: Anyway, so Malwarebytes has a very interesting little mnemonic that they are, I thought it was nice that I wanted to surface, about a scam response framework that people can try and use. They call it Simply Stop, where S stands for slow down, as in don't let urgency or pressure push you into action. That's great.
Joe Carrigan: Absolutely.
Maria Varmazis: T is test them. If you answered the phone and are feeling panicked about the situation, likely involving a family member or friend, like, you know, a deepfake pretending to be someone that you know, that kind of thing.
Joe Carrigan: Right.
Maria Varmazis: Ask a question only the real person would know, something that can't be found online. I highly recommend using the old '80s trick of have a family password that you don't put anywhere. Back when they used to let any old person pick up a kid from school, this was a thing that I remember as an '80s kid, they would say, Make sure you have a family password.
Joe Carrigan: I can't believe that we actually had to be trained, Don't get in the car with somebody who says they know your mom.
Maria Varmazis: Because the school would be like, You want this kid? Go take him. Yeah, I remember that my family had a password, and only people who were trusted would know that password. So, if that stranger coming to pick you up from school is like, Oh, I'm a friend of your mom's, I'm here to pick you up. And they didn't know that password, then don't get in the car.
Joe Carrigan: Right.
Maria Varmazis: It sounds nuts saying that now, because it's just like, now schools are like a maximum security prison practically.
Joe Carrigan: Right.
Maria Varmazis: It's just like back then they were like, Yeah, just take the kid. But yeah, a family password is a great idea. Make sure it's something that can't be found online. Or my favorite is if you speak a second language, while the AI might be able to figure it out. Like, there are some, sometimes there's tells in how you speak that language.
Joe Carrigan: Yep.
Maria Varmazis: Like, if somebody's second language, like their Spanish is suspiciously perfect and at home you speak Spanglish, that kind of thing, I don't know. I always thought that was an interesting way to go about it. O is opt out. If it feels off, hang up or end the conversation. You can always say that the connection dropped if you need a cover story. And P is prove it. Confirm that the person is who they say they are by reaching out yourself through a trusted number, website, or method that you've used before. So yeah, these deepfake phone calls, videos, that kind of stuff, trivial to make, trivial to deploy. I hate saying that. So, you have to have some sort of offline way to authenticate the person that you're speaking to is legit. Yeah, so yeah, let's bring back the '80s style family passwords.
Joe Carrigan: I agree. I agree. I've already had to have the conversation because we do this podcast.
Maria Varmazis: Yes.
Joe Carrigan: You know, tons of my voice is out there.
Maria Varmazis: Yep.
Joe Carrigan: So I have gone to all of my family and I've said, Listen, if you ever get a call from me and it sounds like it's me asking you for money, it's not me asking you for money. Hang up the phone.
Maria Varmazis: That's right.
Joe Carrigan: I will not call you and ask you for money.
Maria Varmazis: I have done very similar with a lot of my family and friends. It's for the exact same reason. And it's not like, we're not, like, big celebrities or anything.
Joe Carrigan: Right.
Maria Varmazis: If you have ever been, you don't need to be. If you've ever been on a webinar, you know, with 20 people attending, guess what?
Joe Carrigan: Right.
Maria Varmazis: Your information is on the internet.
Joe Carrigan: There's enough information to spoof your voice.
Maria Varmazis: That's right.
Joe Carrigan: And we hear stories about this happening all the time. And the places these people are getting the voice samples, they can go to Facebook and --
Maria Varmazis: grab a video of you there.
Joe Carrigan: Just a grab a that you make.
Maria Varmazis: Yeah.
Joe Carrigan: And then they can spoof your voice.
Maria Varmazis: Yeah, not only that, but many, and something I didn't surface in what I was reporting here about the Malwarebytes scam, but I might, not scam, about the Malwarebytes report, something that I guess I will mention now. Many of the scams are also being perpetrated in communities where there's a high level of parasocial trust, like Discord and Twitch, where again, people are streaming or they're, if you're playing a massively multiplayer online role-playing game, MMORPG, and you just have the mic running while you're gaming with other people, that's a great way to get somebody's voice.
Joe Carrigan: Absolutely, you're providing samples to the world.
Maria Varmazis: Yeah, it's not even necessarily public, it's within your community, but if somebody has infiltrated your community, and let's be real, some of these Discord communities have, like, a million plus people.
Joe Carrigan: Yeah, just assume, this is a zero trust thing, assume the breach.
Maria Varmazis: Yep.
Joe Carrigan: Assume that your information is out there.
Maria Varmazis: Yeah, so I really like the acronym, the STOP acronym that Malwarebytes has here. It again is Slow Down, Test Them, Opt Out, and Prove It. Those are STOP. And just, kudos, I really like that. And thank you Malwarebytes for yet again busting my preconceptions about who's really at risk. I appreciate that, so yeah. Okay, let's move on now, Joe, to "Catch of the Day". [ Soundbite of reeling in fishing line ] So let's jump into our "Catch of the Day" now. This is a really interesting "Catch of the Day" that came from a listener, DarkProphet6, and what I'm going to do is I'm going to read the email, and Joe, you're going to give context into what's being said here, because this is a fascinating, a little more technical than our usual "Catch of the Day", but I thought it was really neat, so I wanted to surface this. So, our listener went to a website that is about a military ID card called a CAC, I guess a CAC?
Joe Carrigan: A CAC, yep.
Maria Varmazis: A CAC, okay. And there's a malicious URL, I'm not going to say what it is, because we don't want people going there. "And someone pretending to be Cloudflare brought up a page asking me to verify that I'm not a robot, but slightly different. I knew it was a fake," great, good job.
Joe Carrigan: Right.
Maria Varmazis: "But drilled down to see what they were trying to do. First, they wanted me to copy a string and paste it into terminal."
Joe Carrigan: Okay, so let's start with the beginning here. CAC, and this is another one of those things like CAC card. Don't say CAC card because CAC stands for Common Access Card. It is a US government ID. When I was very, I've known people that have this, and what it is, it's essentially a certificate-based authentication that's protected with a PIN. So people who are in the government or government-adjacent have CACs. When you want to access one of these facilities, frequently websites, you can put the CAC into a CAC reader, enter a PIN, and it will send a challenge response to the CAC, which validates that you do in fact have the CAC in your possession.
Maria Varmazis: Okay, so extremely important piece of identification that only very specific people would have.
Joe Carrigan: Correct. So it's interesting that DarkProphet6 got targeted by this. And I'm wondering, it sounds like he does have a CAC, which means that now I have an underlying concern here. An underlying concern of, like, how do they know he has a CAC? And that's now, that would be my question that I would take away from this. But, so, but then the next part is he goes and someone's impersonating Cloudflare on this website.
Maria Varmazis: Right. The thing that, Cloudflare being the service that basically is a -- what's the acronym for that? They basically, their service tries to prevent sites from getting DDoSed, to put it in a simple way. So sometimes when you go to a website that's suddenly very popular, you will get a Cloudflare sort of front page that says, We need to verify that you're human by completing a CAPTCHA --
Joe Carrigan: Right.
Maria Varmazis: -- and then it'll let you go, as opposed to, you know, letting a flood of bots go crash a website. That's usually how it's done.
Joe Carrigan: And normally, for me, it's just this, click this box.
Maria Varmazis: Yeah.
Joe Carrigan: And I click the box, and it lets me in. But sometimes it'll say, Hey, look at these pictures and tell me which one of them --
Maria Varmazis: Yeah, it's a CAPTCHA.
Joe Carrigan: Right, the CAPTCHA. Find the bikes or the bus or the crosswalks or the bridges or the steps. Those.
Maria Varmazis: Yes. So, this is obviously not a Cloudflare, but they want him to copy a string and paste it into terminal. I would never do this. Never ever.
Joe Carrigan: No, it sounds like he's on a Mac or maybe a Linux machine, but no, don't ever do this.
Maria Varmazis: Never paste anything into terminal for any reason that some random website is telling you to do. Please never do that.
Joe Carrigan: Right. Cloudflare will never ask you to paste something into the terminal.
Maria Varmazis: Yeah. Yeah. And our listener kindly provided some screenshots of what they were seeing. And I just want to read what the fake Cloudflare thing says, because some of it sounds familiar and some of it is the needle scratch. "Unusual web traffic detected. Our security system has identified irregular web activity originating from your IP address. Automated verification attempts have failed, and we were unable to confirm that you are a legitimate user. To proceed, please follow these steps for your operating system. Step one, press command" whatever that doohickey is on the Mac.
Joe Carrigan: It's the Apple. It's just the command key.
Maria Varmazis: "Press command plus space to open Spotlight. Step two, type 'terminal' and press return. Step three, click the copy button below to copy the command. And the displayed copy is, I am not a robot Cloudflare verification ID and a whole bunch of numbers. And then step four, paste command plus V the command into terminal and press return." So, my goodness.
Joe Carrigan: Yes.
Maria Varmazis: Okay, so continuing the email, "It looked like they wanted me to copy an innocuous-looking string. But when I click the 'Copy' button and pasted it into TextEdit instead," thank you, thank you.
Joe Carrigan: Right.
Maria Varmazis: "I then got a long Base64 string that would be decoded and then passed into Bash for execution." Please translate that, Joe.
Joe Carrigan: Okay, so I'm looking at this right here. This is a Bash. It's essentially a Bash script with what's called pipes. So, it echoes this Base64 string to Base64 decode, which then echoes that output to cURL, which is essentially a text-based command line web browser or web resource fetcher that will then create a connection looking for a PHP page. But then it goes piping that to a nohup, which is an operating system term for no hang up Bash. So in other words, it's opening a shell somewhere.
Maria Varmazis: Okay.
Joe Carrigan: This is probably a reverse shell, is what this is.
Maria Varmazis: What does that mean, a reverse shell?
Joe Carrigan: So in other words, this is a common hacking technique, or a lot of malware will do this when you install it. It opens a reverse shell, which means it calls out to some page or to some server out there, and it will open a shell on your computer that gives a remote user access to your terminal, access to your computer.
Maria Varmazis: There you go. Yep. So, it sort of opens a persistent connection to your specific machine.
Joe Carrigan: Correct.
Maria Varmazis: Yeah.
Joe Carrigan: And because of the way firewall rules work, usually these just go right through. A reverse shell connection is essentially your computer asking for a connection to a remote server. So the firewall says, Oh, this is the user inside wanting to connect to something outside. Let's go ahead and let that happen. It's not like the nefarious, Hey, somebody outside is trying to get access here. No, it's the user inside trying to get out. Unfortunately, this is malicious software. This would be malicious software.
Maria Varmazis: Yeah. So the call is coming from inside the house quite literally.
Joe Carrigan: Right.
Maria Varmazis: And you unknowingly, if you were to do this, thankfully our listener didn't, you would be leaving your front door and back door wide open. It's just like, Come on in, anytime.
Joe Carrigan: Right.
Maria Varmazis: So he, sorry, I shouldn't assume. Our listener said, "I copied only the decode part and pasted that into terminal to see what it decoded into, got a website, as you said, that would be passed to Bash for execution and then run in the background, kind of like a persistent remote shell, but I wasn't about to run it to find out." Well done. And our listener said, "I did go to VirusTotal to see what they thought about the URL and some thought it was malicious."
Joe Carrigan: Oh, hold on just a minute. I was wrong about this. This is just essentially the code. This is not a return that he sent. This is actually a carriage return line feed. It's just a cURL command that opens up the connection, and that would run when you run the command that echoes the Base64 string to the decode, and then echoes it and runs it. So, it's really just a really simple command that would give someone access to your computer.
Maria Varmazis: Yeah, yep. And our listener said that on VirusTotal many, but not all, of security software providers, to put it mildly, do flag this website as malicious, but many of them don't, which was interesting.
Joe Carrigan: A lot of them might not do it, but 11 of them found it to be malicious.
Maria Varmazis: That's true.
Joe Carrigan: That would be enough for me to go, Yes, we're not doing this.
Maria Varmazis: This is true. This is true. And they said, "When I did go back to the original website, the malicious URL, it came up clean. Probably thought that if I came back to the site that I was wise to them, so they went away." That's very interesting, that it remembered that you were there and they're like, I'm not going to give you that same challenge again, because you probably either figured out that we're a scam or already did the thing we asked you to do, so you're good.
Joe Carrigan: Yep.
Maria Varmazis: That's amazing. Wow. Joe, have you ever seen anything like this where it's asking you to put something into terminal?
Joe Carrigan: Never. No, this is the first time I'm seeing this, and this is pretty bold and brazen.
Maria Varmazis: Yeah, it is. I thought this was really fascinating. So, many thanks to DarkProphet6, our listener, for sending this in, because I, my jaw dropped when I saw this. And I just thought it was very interesting also that the URL is specifically targeting people who would have this very important sense of ID. And I would really hope, if you have a CAC, you would never, ever run some random website's command into terminal.
Joe Carrigan: Right.
Maria Varmazis: Please. Please.
Joe Carrigan: Please don't do that. Okay, so let's take a quick ad break before we close out. [ Music ]
Maria Varmazis: All right, and that is "Hacking Humans", brought to you by N2K CyberWire. We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly-changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K helps space and cybersecurity professionals grow, learn, and stay informed. As the nexus for discovery and connection, we bring you the people, the technology, and the ideas, shaping the future of secure innovation. Learn how at N2K.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tre Hester. Peter Kilpe is our publisher. And I'm Maria Varmazis.
Joe Carrigan: I'm Joe Carrigan.
Maria Varmazis: Thanks for listening. [ Music ]



