Hacking Humans 1.15.26
Ep 369 | 1.15.26

When a scammer meets the Force.

Transcript

Dave Bittner: Hello everyone, and welcome to N2K CyberWire's "Hacking Humans" podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hey, Joe!

Joe Carrigan: Hi, Dave!

 

Dave Bittner: Maria Varmazis is off this week, but she will be back next week. She had some business to attend to, so she says hello and she misses everyone after the winter break, but we will enjoy having her back next week. We have some good stories to share this week, and later in the show, Joe and I welcome Rishika Desai. She's from a company called Bfore.ai. We're discussing a recent blog post that they had. This is about social media ad account rentals, which is a growing area of brand impersonation. Alright, before we dig into any of that, let's dig into our followup. Joe, what have you got for us?

 

Joe Carrigan: We got a chicken update, Dave.

 

Dave Bittner: [laughs] Oh thank goodness.

 

Joe Carrigan: I'm sure everybody was, like, over the Christmas break, or New Year's break, you're like how are Joe's chickens?

 

Dave Bittner: I'm sure. Yes.

 

Joe Carrigan: The chickens are doing well. I said before we left on the break, I said I'm going to be working on a new chicken run.

 

Dave Bittner: Yes.

 

Joe Carrigan: I got most of that done, but then on Saturday of this week, right before we're recording this, I broke something in my ankle. So --

 

Dave Bittner: Let me ask, were you mountain climbing; were you sky diving?

 

Joe Carrigan: Excellent question, Dave.

 

Dave Bittner: Were you scuba diving, were you --

 

Joe Carrigan: No. I was doing something much more mundane.

 

Dave Bittner: Yes.

 

Joe Carrigan: I stood up, Dave. That's -- [laughs].

 

Dave Bittner: Okay. Wow [laughs].

 

Joe Carrigan: It's a stress fracture on an old injury is what it is. And I was moving the walls -- I built this thing -- you know, I conceived of this thing as a big box and then built walls. And I had moved one of the walls out. I had built a nice Dutch door, Dave. I'm really proud of the Dutch door.

 

Dave Bittner: Okay. Fair enough.

 

Joe Carrigan: So I moved the Dutch door out with my son's help. And then I picked up one of the regular walls that doesn't have anything on it, just a featureless wall, because that was light enough for me to carry. Carried it in. And I was putting in either some supports or actually beginning to nail wire to it, because these chickens, Dave, it took one of my chickens about five minutes to find her way to the top of the run.

 

Dave Bittner: Oh.

 

Joe Carrigan: And be standing -- this thing is six feet tall, six feet three inches tall. And it is -- she hopped up on a little thing inside and quickly hopped up -- I had to put a ramshackle, makeshift roof on it. I'm planning on building a roof.

 

Dave Bittner: Okay.

 

Joe Carrigan: But that's on hold right now because I can't walk around the house very much. I'm walking with a cane; I've got a boot on my foot.

 

Dave Bittner: Yes. Your ankle is currently not load-bearing.

 

Joe Carrigan: No, it is not. I mean, actually the ankle is fine. It's actually this extra piece of bone that's not even supposed to be there that's fractured. The only thing it does is hurt. That's all it does.

 

Dave Bittner: That's the only purpose it serves?

 

Joe Carrigan: Is cause pain.

 

Dave Bittner: Okay. But they're not threatening to go in and take it out. You've just got to sit this one out?

 

Joe Carrigan: I've just got to sit this one out, right? I did talk to my friend who's an orthopedic PA, and I said can I just cut this open with an Exacto knife and get the Dremel tool in there? And he goes, you're joking, but that's pretty much what we do when we do surgery on this.

 

Dave Bittner: Wow. Alright. Well, we wish you a speedy recovery.

 

Joe Carrigan: Yes. I hope this is not long-lived.

 

Dave Bittner: No. No. That's fun. Because you know, injuries take longer to heal the older we get, right?

 

Joe Carrigan: Yes. And I got this thing, like I said, standing up. This is the most old-man injury I've ever incurred.

 

Dave Bittner: Right.

 

Joe Carrigan: You know? The original injury that this is an exacerbation from was much more cool.

 

Dave Bittner: Yes?

 

Joe Carrigan: Yes.

 

Dave Bittner: From ages ago?

 

Joe Carrigan: From ages ago, yes. Back in college.

 

Dave Bittner: Oh, okay.

 

Joe Carrigan: Yes.

 

Dave Bittner: Well, that's good.

 

Joe Carrigan: Yes.

 

Dave Bittner: Alright, you can tell me that story offline.

 

Joe Carrigan: I'll tell you that story offline.

 

Dave Bittner: Alright, well, speaking of stories -- see what I did there? Let's jump into our stories, and I'm going to lead things off for us here. This actually is a story from the folks over at Reuters. It's an interesting one of those cool, interactive scrolling web pages, and it's all about how cybercriminals plot to rob a target in a week or less. And basically what's happened here -- well, let me set the table -- set the tale for you. Set the -- set the -- whatever. Set the -- what am I setting? I'm setting something.

 

Joe Carrigan: You're setting the story.

 

Dave Bittner: There you go, setting the story.

 

Joe Carrigan: The scene. You're setting the scene.

 

Dave Bittner: Ah! That's what I'm looking for, Joe! Scene. Whew! Boy. I'll take words that are just out of reach for 500.

 

Joe Carrigan: Currently some of my brain is in my ankle.

 

Dave Bittner: That's right. So I think we've all had this thing where your phone buzzes, and you get a message from a number that you don't recognize. And smart folks, like you ignore it. I look at it. Probably -- Maria would just click on it.

 

Joe Carrigan: Right.

 

Dave Bittner: Because she's not here, so we can blame it on her.

 

Joe Carrigan: Maybe Mabel Johnson will answer it [inaudible 00:05:17].

 

Dave Bittner: There you go. And it says something nondescript like, Hi, my name is Sam. Nice to meet you. And for some people out there, this is a chance encounter. Maybe the first step of some comfort or some romance. And according to this report from Reuters, after some police raids in the Philippines, they uncovered some things that explain how these moments come to be. They found detailed handbooks.

 

Joe Carrigan: Really?

 

Dave Bittner: Step-by-step guides for how to groom strangers, build intimacy, and ultimately get their money. So these were manuals that were written in Chinese and English. And basically they're instruction books for social engineering, for emotionally manipulating people. They spell out how to invent a believable persona, what sort of job to claim, what sort of hobbies you should know about. Even things like zodiac signs. [ Joe Carrigan laughing ] There are a couple of things in here that are noteworthy in how blunt they are. One of the Chinese manuals said -- I'm quoting here -- a woman's IQ is zero when in love.

 

Joe Carrigan: [laughs] I know a number of guys that applies to as well. Myself included.

 

Dave Bittner: [laughs] It says -- another item promises that once emotions are in place, money will follow naturally. Of course they're talking about, you know, pig butchering.

 

Joe Carrigan: Right.

 

Dave Bittner: For going after people to get their money. It talks about how the scammers adapt to their targets. Middle-aged women are described as lonely and overburdened. Career-focused professionals should be met with admiration and confidence. Conservative personalities should be offered excitement and escape. So basically they go through this process of feeling you out. It's kind of like a choose-your-own-adventure book.

 

Joe Carrigan: Really?

 

Dave Bittner: Well you know, if you run into someone with these personality aspects for, you know, like I just said, someone who's conservative, then you're going to go down a certain path.

 

Joe Carrigan: When you say "conservative," you don't mean politically conservative, right? You mean like, they don't say a lot.

 

Dave Bittner: Yes, yes.

 

Joe Carrigan: Or they don't want to take risks?

 

Dave Bittner: They're not someone out seeking adventure.

 

Joe Carrigan: Right.

 

Dave Bittner: So that's -- you want to offer them the thing that they don't get in their normal day-to-day life.

 

Joe Carrigan: And pretend you're going to offer it to them risk-free.

 

Dave Bittner: Exactly.

 

Joe Carrigan: Yes.

 

Dave Bittner: Exactly. Paying them lots of compliments and things like that. Other things that are in this handbook, they say daily messages are mandatory. Small requests are a good way to build rapport. Remind people to eat on time. Call me tonight. Trust me. Follow my lead. They say that speed matters. One of the handbooks outlined a seven-day arc. On Day 1, you make contact. On Day 2, you introduce investing. On Day 5, you establish romance. And by Day 7, you present a fake investment platform.

 

Joe Carrigan: Seven days to the fake investment platform.

 

Dave Bittner: Yes. Seven days. Which you know, compared to some scales, that's a long game, right? I mean, that's --

 

Joe Carrigan: Yes. Compared to like, the panicked calling with the threats and -- you know, like hey this is the IRS and you owe us money. Those are very short-term. But seven days is pretty short time horizon. We've seen some of these scammers work these things for months.

 

Dave Bittner: Yes, that's true. That's true. And these folks are playing a long game.

 

Joe Carrigan: Yes.

 

Dave Bittner: This article talked to some victims. There's a woman named Beth who met someone who claimed to be named Richard on the Tinder platform after a divorce. And within weeks, they were engaged. Within a few more weeks, she'd sent him tens of thousands of dollars.

 

Joe Carrigan: Oh, man.

 

Dave Bittner: And eventually, lucky for her, her financial advisor intervened.

 

Joe Carrigan: Excellent. Good work on that guy.

 

Dave Bittner: Yes. Made sure that --

 

Joe Carrigan: Or girl. I don't know [inaudible 00:09:28].

 

Dave Bittner: Guy or gal, yes. Made sure that, you know -- I guess, set her straight.

 

Joe Carrigan: Right.

 

Dave Bittner: What was going on here. So the story touches on things that we've talked about a lot here. Things like shame, things like isolation.

 

Joe Carrigan: Right.

 

Dave Bittner: Questions that never get answered. Just sort of leaving people hanging.

 

Joe Carrigan: You know what, the questions that never get answered, I wonder if there's, like, some kind of psychological component where the victim is actually -- just fills in the blank themselves. Like with a lot of these scams, particularly we saw this when -- years ago, I was doing the old-timey scams.

 

Dave Bittner: Right.

 

Joe Carrigan: Right? Which essentially are the same scams that are being run today.

 

Dave Bittner: Yes.

 

Joe Carrigan: They were just run in person. Where the goal was to let the victim fill in the blanks, and come up with their own ideas. And I'm wondering if that's why they leave some of these questions unanswered. Not because they couldn't answer them, but because getting the victim to answer them is better.

 

Dave Bittner: Yes.

 

Joe Carrigan: From their perspective. Psychologically worse for the victim, but better for their success rate.

 

Dave Bittner: I think that's certainly plausible. One thing -- an additional thing that I thought was perhaps it's just a way to keep them on the hook, to keep them kind of emotionally agitated [inaudible 00:10:53] leave them wanting more.

 

Joe Carrigan: What do we call that? The information gap?

 

Dave Bittner: Yes.

 

Joe Carrigan: Yes, they want the information so they're going to stick around to get it.

 

Dave Bittner: Right. You know, it's like when you get a message from your boss that says, Can we talk?

 

Joe Carrigan: Yes.

 

Dave Bittner: Right?

 

Joe Carrigan: Augh. I have nightmares about that, Dave.

 

Dave Bittner: It's the worst information gap there is, right?

 

Joe Carrigan: Yes. Yes. I think now in my career, if my boss asked -- sends me an email and she says "can we talk," I have got to -- I would respond to that like, that's an unacceptable information gap to leave in a message.

 

Dave Bittner: [laughs] Well, it reminds me also of, like, when our kids were in school, and the school nurse would call and say, everything's okay.

 

Joe Carrigan: Everything's -- right. Right. And they do that because they know that the information gap is devastating.

 

Dave Bittner: Yes.

 

Joe Carrigan: So they say everything -- that's the first sentence out of their mouth if everything's okay.

 

Dave Bittner: Right. So the scammers, you know, they want to leave you guessing.

 

Joe Carrigan: Right.

 

Dave Bittner: Say oh, next time we speak, I have something I need to share with you. And now you're on pins and needles wondering what it's going to be.

 

Joe Carrigan: I got to tell a story about this.

 

Dave Bittner: Okay.

 

Joe Carrigan: When I was in my brief but failed sales career, I worked with this guy -- let's call him Larry.

 

Dave Bittner: Okay [laughs].

 

Joe Carrigan: That was actually his name, but I'm not going to tell you what his last name was.

 

Dave Bittner: Okay.

 

Joe Carrigan: But he was kind of this smarmy sales guy. And one of the things he said was, when you call and leave a message for somebody, say hey, I got great news. Give me a call back, right? And then when they call back, ask what the great news is. They'll call you right back, because you told them you have great news. And I tried this on my sister.

 

Dave Bittner: [laughs] Okay.

 

Joe Carrigan: I said hey, great news! Give me a call back. And she calls back, and she goes hey, what's the great news? And I'm like, I don't have any news. I just wanted to see if that would work, to get you to call back. One of the sales guys I work with said -- and she's, like, alright, I'm going to hang up now.

 

Dave Bittner: Right. Thanks, Joe. Yes.

 

Joe Carrigan: So very frustrating. But my question to Larry was, so what's the great news? What do I tell them? He goes oh, just tell them you got $3 off on a product, and you give them a $3 discount.

 

Dave Bittner: Yes.

 

Joe Carrigan: And tell them, isn't that great? That's just like the worst way to go about it.

 

Dave Bittner: Yes. Yes, yes [laughs].

 

Joe Carrigan: Intellectually dishonest sales. Maybe that's why I failed at that. Just because I couldn't bring myself to be that way.

 

Dave Bittner: Yes. No, I understand. I understand. And then sadly, a lot of those things work.

 

Joe Carrigan: They do work.

 

Dave Bittner: [laughs] So these manuals, they end with a final instruction to the scammer. They say never focus on just one target. And if one connection burns down, move on.

 

Joe Carrigan: Right.

 

Dave Bittner: Keep messaging.

 

Joe Carrigan: Don't worry about it.

 

Dave Bittner: Keep phishing. Yes. Keep multiple balls in the air.

 

Joe Carrigan: This again sounds like a sales thing.

 

Dave Bittner: Yes. That's true.

 

Joe Carrigan: This is exactly what they tell you in sales.

 

Dave Bittner: Yes.

 

Joe Carrigan: It is -- I mean, what you're looking at here, Dave, is the front-end of a business, and the inside salespeople.

 

Dave Bittner: Right.

 

Joe Carrigan: There are no outside salespeople in this business, because everybody's doing everything over the internet, over the phone.

 

Dave Bittner: Yes.

 

Joe Carrigan: But it is, this is lead generation and business development.

 

Dave Bittner: Yes. So this is one of those articles, like I said at the outset, it's one of those interesting visual presentations where it's very graphically rich. So we're going to have a link to this in the show notes, and I would recommend, this is one you could send around to your friends and family and coworkers, because it's not just informational, it's educational. So I think you could land with a lot of people, the play element of it might make some of these things sink in a little better, make it a little easier to consume.

 

Joe Carrigan: Yes!

 

Dave Bittner: So we'll include that link in the show notes, and we hope you do check it out. Alright. That's what I've got. Joe, what do you got for us this week?

 

Joe Carrigan: Dave, this week I want to talk about the CrowdStrike 2025 Global Threat Report.

 

Dave Bittner: Okay.

 

Joe Carrigan: Which came out. My office -- actually, my former office mate Michelle, we've now since moved. So we'll put a link to the report in the show notes. You have to enter some information. She came into my office today and said, have you seen this report yet? And I was like, I have not. And there are some interesting facts we're going to get to in this. But first thing I want to say is, CrowdStrike, that is a cool cover for a report.

 

Dave Bittner: [laughs] Okay yes. I see. Yes. I agree.

 

Joe Carrigan: It's got, like, a cyberpunk guy with a mohawk, cyberpunk guy with a black hat. You know, it's really -- and it doesn't look like a typical cybersecurity image on the front of it, but I think it is AI-generated.

 

Dave Bittner: Well, this is kind of CrowdStrike's thing, too. If you -- in trade shows, they have these big mannequin models of threat actors and that sort of thing. They throw a good party also, by the way.

 

Joe Carrigan: Do they?

 

Dave Bittner: Well you know, cybersecurity companies have a lot of money. So yes, they throw very nice events. But yes. [inaudible 00:15:55] They did invest in striking graphic design for this particular product.

 

Joe Carrigan: Yes. So some -- the first quote here that I want to talk about comes very early in the report. The number of new named adversaries tracked by the elite CrowdStrike Counter Adversary Operations team continues to expand, and established adversaries are consistently adding new targets, more sophisticated techniques to their invasion, intrusion, and exfiltration arsenal. So nothing's getting better essentially is what this is saying. Now there is a good bit of -- it says [inaudible 00:16:34] sales, salesmanship going on in this report as well, so.

 

Dave Bittner: Yes.

 

Joe Carrigan: Keep that in mind. This is a marketing tool for them. But the data in here is legit. And since we're talking data, let's talk about some terrifying statistics that are in this thing.

 

Dave Bittner: Oh, goody.

 

Joe Carrigan: Yes. Breakout time. What do you think is the average time for someone to move out of the first machine that's been compromised on a network? Average time?

 

Dave Bittner: So what you're saying is they get access to the initial machine that they break into.

 

Joe Carrigan: Right.

 

Dave Bittner: And then they start moving around --

 

Joe Carrigan: Correct.

 

Dave Bittner: -- on your --

 

Joe Carrigan: On your network.

 

Dave Bittner: Network.

 

Joe Carrigan: Pick a time.

 

Dave Bittner: A few hours, I guess? Something like that?

 

Joe Carrigan: Forty-eight minutes.

 

Dave Bittner: Wow.

 

Joe Carrigan: That's the average time. The fastest observed breakout time was 51 seconds. That's got to be an automated attack.

 

Dave Bittner: Yes.

 

Joe Carrigan: There's got to be automation involved in that. This is the lowest that CrowdStrike has ever seen for this metric.

 

Dave Bittner: Okay.

 

Joe Carrigan: Voice phishing attacks, and then they put in parentheses "vishing," which I like. They're not really saying this is voice phishing. And I hate that term, "phishing."

 

Dave Bittner: I know you do.

 

Joe Carrigan: These are scam calls. They are up 442% between the first half of 2024 and the second half of 2024. So the data in this report is from 2024.

 

Dave Bittner: Okay.

 

Joe Carrigan: Even though it's a 2025 report. And I'm not sure when in 2025 it came out. But it might be a little older. But this is an interesting thing. The next interesting statistic is attacks related to initial access are up, accounting for 52% of vulnerabilities that CrowdStrike observed. And access broker advertisements increased 50% year over year. So the first kinetic -- you know, there's a whole kill chain for these attacks. And getting access is, like, the first thing you really need to do in order to do something.

 

Dave Bittner: Right.

 

Joe Carrigan: And there actually is things you can do before you do that. Like there's reconnaissance, and then there's, like, maybe some phishing or a phone call or something. But once you get access, a lot of times -- in fact, there are people out there whose business model is I'm just going to get access and sell it to the highest bidder.

 

Dave Bittner: Right. Yes. Like you say, these access brokers are the ones who -- they sell you the keys to get in.

 

Joe Carrigan: To get in. And the advertising for that has increased over 50% from the years.

 

Dave Bittner: So business presumably is booming.

 

Joe Carrigan: Right. Yes. Getting the access is -- they're doing well. And I don't know if this is advertisement for hey, we'll get you in; or hey, I've got in, here's the credentials.

 

Dave Bittner: Yes.

 

Joe Carrigan: The valid account abuse accounted for 35% of cloud incidents. So this is still a problem, and one of the big factors in this is people putting cloud access tokens in code that gets checked in somewhere. Or gets put on a website or something.

 

Dave Bittner: Right.

 

Joe Carrigan: You got to take precautions to make sure that's not out there. Here is the most interesting statistic, and the one that actually Michelle highlighted to me when she brought it in. Seventy-nine percent of detections in 2024 were malware-free detections. That means these were just social engineering attacks. They just called in and talked to somebody, and said hey, we got -- you know, here's some BS story. Let me get access to your system. They would then use that, you know, do something. I'm going to outline a story of how it works with a specific group here in a minute.

 

Dave Bittner: Okay.

 

Joe Carrigan: But if you go back to 2019, that was only the case 40% of the time. In other words, almost 2/3 of the time, there was malware involved. Now, almost 80% of the time, no malware.

 

Dave Bittner: Yes.

 

Joe Carrigan: You're just getting the access, and we're socially engineering our way in to this system, this company, and we're exploiting the existing system and living off the land. There's no malware.

 

Dave Bittner: Yes. And I wonder how much that points to the -- back to the malware detection is getting better and better.

 

Joe Carrigan: Yes.

 

Dave Bittner: So they can't rely on that to the degree that they used to be able to, and they have to just use social engineering.

 

Joe Carrigan: It may be a factor.

 

Dave Bittner: Yes.

 

Joe Carrigan: It may be also that these guys are scaling up and they're just going with the easier attacks.

 

Dave Bittner: Right.

 

Joe Carrigan: Right? The other thing is that, like you said, malware in these situations is not going to be like, bespoke malware. It's going to be some kind of commodity malware. And that's going to show up almost instantaneously in a -- with a scanner. So as soon as you copy a file to a disk that's malware, if it has a fingerprint that is recognizable by the antivirus on the machine, it's going to get quarantined. I think your point is 100% valid. That this stuff doesn't really work anymore. But you know what? PowerShell is not malware, right?

 

Dave Bittner: Right.

 

Joe Carrigan: The Bash shell in a Linux system is not malware, or on a Mac. It's not malware. It's normal software. And I can run commands in that that do very malicious things.

 

Dave Bittner: Right. So the point being there are preexisting, preinstalled bits of software on everyone's computer --

 

Joe Carrigan: Right.

 

Dave Bittner: -- that are capable of good and bad [laughs].

 

Joe Carrigan: Yes.

 

Dave Bittner: So that tends to be what we're seeing here, and the term for that is "living off the land."

 

Joe Carrigan: Yes.

 

Dave Bittner: Yes.

 

Joe Carrigan: Yes.

 

Dave Bittner: Interesting. What else here, Joe?

 

Joe Carrigan: There's a case study in here about this threat actor they call Curly Spider. And this report goes into how they name these different threat actors. Normally, like, if it's from China they call it something panda.

 

Dave Bittner: Right. Right.

 

Joe Carrigan: It's interesting that there's no threat actors from the United States listed.

 

Dave Bittner: Yes. We've talked about that over on CyberWire. Like, you know it should be, like, Patriotic Eagle.

 

Joe Carrigan: Right [laughs]. Curly Eagle.

 

Dave Bittner: Yes. Canada would be Apologetic Beaver.

 

Joe Carrigan: Apologetic Beaver, right [laughs]. Beavers.

 

Dave Bittner: Yes.

 

Joe Carrigan: I did find that Colombia has the ocelot.

 

Dave Bittner: Oh, okay.

 

Joe Carrigan: So if it's out of Colombia -- the country, not this town that we live in.

 

Dave Bittner: Yes.

 

Joe Carrigan: Or actually used to live in. I have moved out of Columbia. But the ocelot, every time I hear "ocelot," I think of two things. I think of Archer, Babou, and then I think of Salvador Dalí who had an ocelot named Babou, which is a reference to the joke.

 

Dave Bittner: Oh. See, I think of Phineas and Ferb, because Dr. Doofenshmirtz was raised by ocelots.

 

Joe Carrigan: Right [laughs].

 

Dave Bittner: Whenever I think of Dr. Doofenshmirtz, the thing that immediately flashes to my mind is, "baking soda volcano." Well, anyway.

 

Joe Carrigan: Dr. Doofenshmirtz is my icon on Disney+, by the way.

 

Dave Bittner: Alright. So what happened with Curly Spider?

 

Joe Carrigan: Curly Spider -- "spider" is what they call their e-crime unit. So in other words, they're not nation-state associated. They're just out there.

 

Dave Bittner: Okay.

 

Joe Carrigan: They emerged as one of the fastest and most adaptive e-crime adversaries out there, and they say that what happens is, the way this organization works is, the user receives a huge amount of spam [inaudible 00:24:01] charities, and newsletters, and financial offers, and all this other stuff. And as soon as they get that, they get a telephone call from someone pretending to be from IT. And they're saying hey, we see you're getting a lot of spam. This is caused by malware or maybe outdated spam filters. The user is then instructed to install an RMM tool. I guess that's some kind of remote management. Like Microsoft Quick Assist or TeamViewer. And if it's not already present, the adversary will use this tool to establish control. And once they're in, that's the game.

 

Dave Bittner: Right. Right.

 

Joe Carrigan: So they will install backdoors and a lot of -- like I said, these things -- you don't need to install malicious software as a backdoor. You can just open up a reverse shell with a command prompt.

 

Dave Bittner: Yes.

 

Joe Carrigan: So as soon as you can have access to the machine, you can be in.

 

Dave Bittner: Yes.

 

Joe Carrigan: These guys operate very quickly too.

 

Dave Bittner: Yes. Alright, well we will have a link to the CrowdStrike 2025 Global Threat Report. We'll include that in our show notes. And of course we would love to hear from you, if there's something you'd like us to consider for the show, please email us. It's hackinghumans@N2K.com. We're going to take a quick break here. We'll be right back after this message from our sponsor. [ Music ] Alright, Joe. We are back. And joining us here today is Rishika Desai. She is from a company called Bfore.ai. And we're talking about a blog post that they recently posted about some of their research. It's titled "Want to Scam Someone's Customers? Rent Their Social Media Ad Accounts." So tell us the story here. How did this originally come to the attention of you and your colleagues?

 

Rishika Desai: So while we were on one of our initial levels of investigation, we identified that there were certain websites which had a page title, or page description, which said rent a Facebook account or rent a Facebook ad account, or black hat Facebook advertising account. So such were the keywords that we observed on certain websites. Now it wouldn't be as interesting to us unless we also saw that there were so many different Telegram accounts associated with them. And then they had a significant number of subscribers to their channel. When we went in-depth [inaudible 00:26:41] we realized that they're actually selling an ad account which does not even belong to an agency. So for me a different case altogether if it was a legitimate agency. But they were using some unethical practices to host certain ad accounts which different businesses can rent out to run their ads. And that's how we carried out our investigation.

 

Dave Bittner: Well, take us through how this works. I mean, this is about taking advantage of existing ad accounts.

 

Rishika Desai: Yes.

 

Dave Bittner: Walk us through the fraud here.

 

Rishika Desai: Alright. So let me start from the basics or give you a perspective from a business, right? There are certain legal businesses that operate in certain zones that are considered non-compliant with the ad agencies. Now if you're running a business [inaudible 00:27:33] legally sanctioned to have some campaigns running, some sort of marketing running, in a way that we get our [inaudible 00:27:40] revenue. We get different views or customers reaching out to social media pages or websites, right? So as a legal business, if you're operating in the zone where it does not fit compliant ad agencies, they might tend to ban the business or the account that you're working on, right? To give you a basic example, let's say I work in crypto, right? Or some drugs that have very unsolicitated [phonetic] claims like they will help in losing weight in 10 days or something like that, right? So such false narratives are often caught by platforms which are helping you promote [inaudible 00:28:20]. Now in such cases, with the fear of having your account banned, what these agencies do is that they reach out to a service, which is again operating in this unethical zone, where they have two ways of generating the account. Either they compromise an existing account where fake [inaudible 00:28:39] details are used of different customers, and those people are not even aware that their account is used in this entire fiasco. The second thing is they manually create such accounts by generating fake identities with the help of AI. So there was this one website that we saw, which also has an embedded service on generating fake documents such as driving license [inaudible 00:29:06] details for random customers. And then they use it to make an ad account, which is then further used for renting to other businesses. And that is where the entire black hat or like gray [inaudible 00:29:20] comes into the picture.

 

Joe Carrigan: So they use, like, a completely synthetic identity?

 

Rishika Desai: Yes.

 

Joe Carrigan: For the creating of these accounts, these ad accounts.

 

Rishika Desai: Yes.

 

Joe Carrigan: I'm assuming that they're using the Social Security number, maybe an EIN number or something like that here in the US to get around, or to at least on the surface of it, to comply with tax regulation?

 

Rishika Desai: Yes. That is correct. That is correct. Now if you see like I mentioned, there are two ways to it. One is like you mentioned, creating a synthetic account. Second one, if you have come across certain data breaches that happen on the cybercrime forums, you must have realized that they also push out certain PII, which we call personally identifiable data. Now in that case, if somebody wants to have a valid number, let's say a valid driving license number for tax purposes, the numbers could be taken from such breaches, where people have uploaded their sensitive documents, and use that to synthetically generate an artificial ID, with the face matching that of the perpetrator.

 

Dave Bittner: Now are these services only being used by criminals or are there some gray areas here as well?

 

Rishika Desai: Certainly there are gray areas. Definitely. Like I tell you, certain kinds of business, for example if you have a crypto-related website. Or let's say where you're introducing new tokens regularly. Now because such is the industry of crypto where putting anything out there as a social media campaign could be considered as manipulation if it's not done correctly, right? So certain businesses would be with the fear of getting their account permanently banned on those ad marketplaces [inaudible 00:31:18]. That is also [inaudible 00:31:22].

 

Dave Bittner: Now once a rented ad account goes active, what sort of campaigns do you all typically see being launched here?

 

Rishika Desai: There is one interesting example that was just covered in the blog. So let me give you an example of that, like, an item from India, and recently the government had banned crypto and gambling websites [inaudible 00:31:45]. So assuming that happened during the start of September 2025, by the time it was 25th September, we saw short ads running for, like, one hour only on the Meta platform, Meta ads library, where they were promoting again crypto and gambling websites. Right? So the goal is to basically gather as much audience as possible to a particular website, and what better than social media, right? So this was one example which we observed was recent and was not there for a long period of time, but it had the potential to reach a significant number of people there on social media.

 

Dave Bittner: What's the importance of the speed here? You mentioned that some -- that these ads typically aren't up for very long. Are they trying to stay ahead of being shut down?

 

Rishika Desai: Yes. Yes, that is true. Because some time or later, they realize that these accounts, even though they are running crypto ads, are still non-compliant with the platform policies, right? But given the platform [inaudible 00:32:48] social media has, which any social media has, even a one-hour ad could reach millions of people in no time. Now that is the scale of the campaign that you take into consideration as an alternative to setting up a domain and then waiting for it to reach the right people. Let's say through SMS spamming or let's say through email phishing. Right? So this is one way, like, within minutes, your ad could reach so many potential people, and in a way, social media kind of plays on the algorithm, right? So there is [inaudible 00:33:25] that all the people who are looking for crypto-related something will get that ad at the exact moment. And because the right kind of audience is being attracted to that campaign, this is where the potential of launching a campaign and it reaching the right people, and the malicious abuse of it in the future, is highly possible.

 

Joe Carrigan: I have a question about these accounts that have been taken over. Have you seen any impact on the account owners? These are presumably people who have legitimate business requirements, and somebody is using their account because it's been compromised. I imagine that if they start running -- if the bad guys start renting out that account to post scam ads, that account gets bad, then that can have a really bad impact on the legitimate operations of a legitimate business.

 

Rishika Desai: Oh yes. Yes. It does have. Now the thing is, what I have learned during this investigation is that the ad platform quietly favors those accounts which kind of have been compliant for a long time. They have a regular history of doing timely payments, or let's say their ads are getting [inaudible 00:34:37], right? Now given that all of this is compliant, and suddenly one day they receive a warning that your account is under review and we might potentially ban it. Or sometimes they will impose a hard ban on the account, where nothing is considered, not even an appeal; it is just banned outright. So in that case, they don't just ban the account, they ban the entire entity that is associated with that account, which involves your name, your domains, your bank accounts, or even your business number, right? So all of these identification measures are taken into consideration, and the next time you try to set it up, they're going to flag it outright, saying that okay, we have identified a potential malicious campaign once, and they're not going to let you create an account using the same entities. So it definitely does significant damage to a legitimate business owner running an ad on his individual account.

 

Dave Bittner: How does it play out, the people who have the accounts, who have the ad accounts, that they don't notice it right away?

 

Rishika Desai: There is a possibility, but normally the credentials that are provided to you are provided by the agency, so it's them who make sure that the account that you're getting, the access and everything, is sorted in a way that detecting activity would be [inaudible 00:36:00], or maybe the user would be permanently locked out or the personal information changed. All the factors are possible.

 

Dave Bittner: And these are scammy ads? I mean, what happens when a victim clicks on one of the ads that pops up in their social media feed?

 

Rishika Desai: Like every time an ad is run on social media, you might be seeing the small horizontal bar below every ad that says Click Now, Book Now, Inquire Today, right? So they are redirected to one of the malicious domains set up or [inaudible 00:36:33] the threat actor or cybercriminal wants a user to go, right? From there, the domain phishing element comes into the picture where they could probably be asked to enter credentials or prompted for downloading of malware. So the entire motive of launching that ad campaign on the phishing domain would be successful after that.

 

Dave Bittner: So what are your recommendations, then? How should people best protect themselves against this sort of thing?

 

Rishika Desai: Well, in one of our investigations, we saw, for example, that ad which ran for one hour, right? In that case, we observed that the account that was promoting this particular ad was [inaudible 00:37:20]. It had, like, zero followers. It had no other credible activity to be associated with. So it's very simple. If you're seeing any activity from an account, from a social media account, instead of clicking, I think we should pause for a minute and see if it's really the account on which we wish to engage, right? Now the thing is, many a time, there could also be a possibility, if we talk about Twitter or Instagram -- X or Instagram, any account that is promoting something will have a blue tick, right? So it's a verified account, but even then, because of this hack, we often see that tricking the users into visiting a malicious website. So in that case again, we should just stop and review whether this user is really the person I could trust for, let's say, a crypto website redirection, or a fake healthcare advisor-related redirection, right? The whole game for any user who is not aware that what they are clicking on is potentially a malicious campaign is just to wait and watch: do I really want to be associated with it?

 

Dave Bittner: Yes, maybe if you're scrolling through one of these social media platforms and you find something that's interesting, assume that the ad is malicious, and if it's something you're interested in, just go look it up yourself.

 

Rishika Desai: Exactly. Why don't you click on the [inaudible 00:38:54]? Simply take the name of the product or something that you're interested in, and just go and Google it [inaudible 00:39:01] land on a real website rather than clicking on that ad and being redirected, or having multiple redirections where you don't even know where you're going to land.

 

Dave Bittner: Alright. Well, thanks so much for joining us, and for sharing this information. Again, we will have a link to this blog post in our show notes. We do appreciate you taking the time. Thanks so much, Rishika.

 

Rishika Desai: Thank you so much, Dave. [ Music ]

 

Dave Bittner: Alright. Good stuff. Well Joe, it is time for our "Catch of the Day." [ SOUNDBITE OF REELING IN FISHING LINE ] [ Music ]

 

Joe Carrigan: Dave, our "Catch of the Day" comes from the scam bait subreddit on Reddit. This looks like -- well, I don't like how this opens, Dave. I got a feeling I'm going to be playing the guy in blue since it opens with "Are you still alive, old man?"

 

Dave Bittner: You are correct, Joe. You are correct. I will say at the outset that this is one of my favorite "Catch of the Days" ever.

 

Joe Carrigan: Okay.

 

Dave Bittner: And as we make our way through, I think it will be crystal clear why it is. So --

 

Joe Carrigan: I think I already see it.

 

Dave Bittner: So I will start here. So -- are you still alive, old man?

 

Joe Carrigan: Who is this?

 

Dave Bittner: This is Valentina. Didn't you save my number?

 

Joe Carrigan: I did not.

 

Dave Bittner: We exchanged numbers at the charity party last month. Don't you remember?

 

Joe Carrigan: At the Sausage Convention?

 

Dave Bittner: Wait, isn't this Scott's number?

 

Joe Carrigan: No, this is Han.

 

Dave Bittner: Oh my gosh, I'm so embarrassed. I actually called a stranger an "old man."

 

Joe Carrigan: It's okay dear, happens all the time. I'm getting older. How are you?

 

Dave Bittner: Han, thank you for your understanding and politeness. Nice to meet you. I'm 37. If you don't mind, may I know your age?

 

Joe Carrigan: Sixty-nine, but aging like a fine wine.

 

Dave Bittner: Yes. I like to communicate with older people which can always help me learn new knowledge. I come from Singapore and live in Los Angeles. Where are you from?

 

Joe Carrigan: I'm originally from Corellia, but now I'm all over the country.

 

Dave Bittner: [laughs] the person has posted a picture of Han Solo from Star Wars in the cantina.

 

Joe Carrigan: In the cantina, right before he shoots Greedo.

 

Dave Bittner: Right [laughs]. And then continues and says --

 

Joe Carrigan: This is back before the Kessel run, when I still had my looks.

 

Dave Bittner: You look very mature, a bit like an actor in an old movie. If only she knew.

 

Joe Carrigan: [laughs] Right.

 

Dave Bittner: [laughs] This is me. I own a jewelry company, and I'm also a jewelry designer. What do you do?

 

Joe Carrigan: And it's a picture of a very attractive Asian woman.

 

Dave Bittner: Yes.

 

Joe Carrigan: And we've noted this before, that this is --

 

Dave Bittner: Almost universal.

 

Joe Carrigan: Almost universal, right.

 

Dave Bittner: Yes. Yes.

 

Joe Carrigan: This is what happens. Okay. Let me get back to this. Oh wow. I'm retired now, sweetheart.

 

Dave Bittner: LOL. Sixty-nine is indeed the retirement age. What did you do before you retired?

 

Joe Carrigan: Actually I was a chauffeur for a royal family, if you can believe that. Long time ago; far, far away.

 

Dave Bittner: I don't quite understand what that is.

 

Joe Carrigan: It's okay. I was basically a pilot.

 

Dave Bittner: In my eyes, this is a very cool career. I'm glad to meet an excellent friend. Are you traveling alone or with your wife now?

 

Joe Carrigan: My wife passed away unfortunately, after our son had an incident with his uncle. Things became difficult.

 

Dave Bittner: Sorry. So do you usually have any hobbies, like traveling, fitness, yoga, reading, music, golf? And do some charity work in my spare time.

 

Joe Carrigan: Mainly I spent time with my friend Chewy. Sometimes I feel like I'm the only person who can understand him [imitates Chewbacca].

 

Dave Bittner: It's always interesting to travel with good friends. To be honest, in the seven years I came to the US, I only had one bestie. She was also my assistant and the rest were business partners. I only talk to them about work.

 

Joe Carrigan: I'll have to come take you for a spin in the Falcon sometime. The Falcon -- like a Ford Falcon, right? Not the Millennium Falcon. This is pretty good. Anyway, always looking for new friends. And then he sends another picture of a much older Harrison Ford.

 

Dave Bittner: Yes. Still, this is the current version of Han Solo, right?

 

Joe Carrigan: Yes.

 

Dave Bittner: The sequels' version.

 

Joe Carrigan: Looking ruggedly handsome.

 

Dave Bittner: There you go.

 

Joe Carrigan: If you could live with being around this for a few hours. My son had these pictures done for me before he changed.

 

Dave Bittner: LOL Looking forward to it. You look like a gentleman. Your son's photography skills are commendable. Do you use WhatsApp or Telegram? This is my work phone where we can communicate better.

 

Joe Carrigan: Never heard of them.

 

Dave Bittner: If you think it's okay, you can download a Telegram in the App Store. It only takes 2 to 5 minutes to complete the download.

 

Joe Carrigan: Hold on a moment, my son just stopped by. Such a pleasure to see him.

 

Dave Bittner: Okay. Then you download it quietly. I don't want others to know that we know each other. Let me know when you finish downloading. I will share my Telegram business card with you later. After you finish downloading, you can click on my business card to send me a message there directly.

 

Joe Carrigan: And then another picture of Valentina and I'm assuming this is the business card.

 

Dave Bittner: Yes.

 

Joe Carrigan: But [laughs] Han is saying wait, he seems angry. I wonder where this is going [laughs].

 

Dave Bittner: Okay. You can take care of him first, and keep time with your family.

 

Joe Carrigan: I think you should call the police. He has murder in his eyes [laughs]. Ben, no! Then there's a picture of Han Solo --

 

Dave Bittner: -- being bisected with a light saber [laughs].

 

Joe Carrigan: Yes. A red light saber from Kylo Ren I'm assuming. Right? Is that the -- I'm not really a big fan of the newer movies. So -- I know, Dave. Such a philistine.

 

Dave Bittner: Yes. Oh.

 

Joe Carrigan: Does your mother like dogs too or just you?

 

Dave Bittner: What? My mother likes dogs, and I also like dogs. I have a Pomeranian and a French bulldog.

 

Joe Carrigan: Awesome. They're the best. Could you by chance go to your local store and pick me up an Apple gift card? I'll pay you back. Valentina, I just need four gift cards for $1,000 each. Then send me the code. Oh, we can't say this on the air, Dave.

 

Dave Bittner: F-U.

 

Joe Carrigan: Right. I know. It's the "I know" picture right before Han gets frozen in carbonite.

 

Dave Bittner: Right. When Princess Leia says "I love you," and Han says, "I know."

 

Joe Carrigan: May the Force be with you, dumbass [laughs]. Star Wars is great. You should watch them sometime.

 

Dave Bittner: There you go. So see why I love this one, Joe?

 

Joe Carrigan: I do! Not only is it funny, but it's chock-full of references to your favorite movie series.

 

Dave Bittner: There you go. Yes. This is the scam bait that I wish I had come up with myself.

 

Joe Carrigan: Yes.

 

Dave Bittner: It's delightful. And interesting that they came across someone -- I suppose interesting but also on reflection not surprising that perhaps they came across someone who has no idea who Han Solo or Harrison Ford is.

 

Joe Carrigan: Dave, I hate to break this to you, but I work with quite a few young people who have never seen a Star Wars movie.

 

Dave Bittner: Oh. Okay.

 

Joe Carrigan: And I don't know what to tell them.

 

Dave Bittner: [laughs] Yes. Well, you know. I mean, it's their lives to live, right?

 

Joe Carrigan: Yes.

 

Dave Bittner: Alright. Well, we will have a link to that series of posts over on Reddit, so do check that out. And again, if there's something you'd like us to consider for our "Catch of the Day," please email us. It's hackinghumans@N2K.com. [ Music ] And that is "Hacking Humans," brought to you by N2K Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes, or send an email to hackinghumans@N2K.com. This episode is produced by Liz Stokes. Our executive producer is Jenifer Eiben, remixed by Eliot Pelzman and Tré Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Joe Carrigan: And I'm Joe Carrigan.

 

Dave Bittner: Thanks for listening. [ Music ]