Hacking Humans 3.26.20
Ep 91 | 3.26.20

Paging Dr. Dochterman.


Dave Bittner: [00:00:00] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast. This is the show where, each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: [00:00:19]  Hi, Dave. 

Dave Bittner: [00:00:20]  Got some good stories to share this week. And later in the show, Joe speaks with Scott Knauss. He's a security consultant who was targeted by some scammers. 

Dave Bittner: [00:00:28]  But first, a word from our sponsors at KnowBe4. So who's got the advantage in cybersecurity - the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us, and we'll have some insights from our sponsor KnowBe4 that puts it all into perspective. 

Dave Bittner: [00:00:59]  And we are back. Joe, before we jump into this week's stories, we got a kind note from a listener. 

Joe Carrigan: [00:01:06]  OK. 

Dave Bittner: [00:01:06]  They wrote in, actually left a review of our show. They said they love the show, which, of course, we appreciate. 

Joe Carrigan: [00:01:12]  I hope it was a five-star review, Dave. 

Dave Bittner: [00:01:13]  I'm sure it was. 

Joe Carrigan: [00:01:14]  OK. 

Dave Bittner: [00:01:15]  But also, they wanted to remind us, educate us, make the point that - turns out, there is no such word as mischievious (ph). It's mischievous. 

Joe Carrigan: [00:01:26]  Mischievous. Yep. 

Dave Bittner: [00:01:27]  One of us - probably me... 

Joe Carrigan: [00:01:28]  And maybe me because I have said mischievious. 

Dave Bittner: [00:01:31]  I would guess that my default is to say mischievious, and now I will not. 

Joe Carrigan: [00:01:35]  Right. 

Dave Bittner: [00:01:37]  (Laughter). 

Joe Carrigan: [00:01:37]  Me neither because it is mischievous. 

Dave Bittner: [00:01:39]  It is mischievous. Believe me. We searched. 

Joe Carrigan: [00:01:42]  Right. 

Dave Bittner: [00:01:42]  And it's mischievous. 

Joe Carrigan: [00:01:43]  Because I - when Dave told me this, I said, wait. I think it is mischievious, right? 

Dave Bittner: [00:01:46]  Yeah. 

Joe Carrigan: [00:01:46]  That's an acceptable pronunciation. 

Dave Bittner: [00:01:47]  Yeah. 

Joe Carrigan: [00:01:48]  It is not. 

Dave Bittner: [00:01:48]  No, it's not. 

Joe Carrigan: [00:01:49]  It's mischievous. 

Dave Bittner: [00:01:49]  (Laughter) It is not. Are there any other mispronunciations that, dare I say, you hate? 

Joe Carrigan: [00:01:55]  Well, I do hate misappropriation of words. Like, for example, the word literally... 

Dave Bittner: [00:02:00]  Yeah. 

Joe Carrigan: [00:02:00]  ...Means that you are actually doing something... 

Dave Bittner: [00:02:03]  Right. 

Joe Carrigan: [00:02:03]  ...Not that you're figuratively doing something. I contend that Merriam-Webster is contributing to the degeneration of the English language by defining it as a figurative term. 

Dave Bittner: [00:02:13]  I see. Yeah. That is... 

Joe Carrigan: [00:02:15]  That is one - that is a hill I'm willing to die on. 

Dave Bittner: [00:02:17]  OK. That is literally annoying. 

Joe Carrigan: [00:02:20]  It is literally annoying. 

Dave Bittner: [00:02:20]  Mine is - one that gets my goat is Calvary versus cavalry. 

Joe Carrigan: [00:02:25]  Cavalry is the horses, and Calvary is a hill to die on. 

Dave Bittner: [00:02:28]  That is correct. There you go. See; that's a nice callback there. So yeah, it bugs me when people say, call in the Calvary. 

Joe Carrigan: [00:02:35]  Yes. 

Dave Bittner: [00:02:36]  Like... 

Joe Carrigan: [00:02:36]  Yes. 

Dave Bittner: [00:02:37]  No. It's cavalry. 

Joe Carrigan: [00:02:38]  That's a malaproprism. 

Dave Bittner: [00:02:40]  Yes. So anyway - all right. Well, thanks to our kind listener for sending in that note and setting us straight. 

Joe Carrigan: [00:02:46]  Yep, and teaching us because you're never done learning, Dave. You're never really done learning until you're dead. 

Dave Bittner: [00:02:50]  Right, exactly - despite your attempts to die on hills, so... 

Joe Carrigan: [00:02:55]  Right. 

Dave Bittner: [00:02:55]  All right. Well, I'm going to kick things off for us this week. There's a joke that's going around that right now in the time of coronavirus, every podcast is a coronavirus podcast. 

Joe Carrigan: [00:03:04]  Yep. 

Dave Bittner: [00:03:04]  And to this we are no exception. So I'm going to do our part and talk about some of the coronavirus scams that have been making the rounds. This is actually an article from Forbes written by Thomas Brewster. The title is "Coronavirus Scam Alert: Beware Fake Fox News Articles Promising a CBD Oil Cure." So there's a bunch of layers to this. This article starts off with an image, a screen grab from a fake ad, and the headline of the ad says - and it's got the Fox News logo on it. 

Joe Carrigan: [00:03:33]  Yes, it does. 

Dave Bittner: [00:03:34]  It says, while the world is waiting for a vaccine, one mom has found a solution to fight back against the coronavirus outbreak. 

Joe Carrigan: [00:03:41]  Of course she has. 

Dave Bittner: [00:03:42]  It just reminds me of the movie trailer guy. One mom has found the solution to fight back against... 

Joe Carrigan: [00:03:48]  (Laughter). 

Dave Bittner: [00:03:50]  So, OK. 

Joe Carrigan: [00:03:51]  You know, what's amazing about the screen grab that's on here, Dave... 

Dave Bittner: [00:03:54]  What's that? 

Joe Carrigan: [00:03:54]  ...Is that it has, like, a Chrome alert that says, this site wants to send you push messages, push notifications. 

Dave Bittner: [00:04:00]  Oh, no. Could you imagine the layer of hell you would be in if you agreed to that? 

Joe Carrigan: [00:04:04]  (Laughter) Right. 

Dave Bittner: [00:04:04]  Oh, man. 

Joe Carrigan: [00:04:05]  Which circle is that? 

Dave Bittner: [00:04:06]  Right. Yeah. I don't know - one of the inner ones, I suppose. 

Joe Carrigan: [00:04:09]  Yeah. 

Dave Bittner: [00:04:10]  So a lot to unpack here - of course, CBD oil, which is a legitimate medicinal item... 

Joe Carrigan: [00:04:17]  Yeah. 

Dave Bittner: [00:04:17]  ...Legal here in Maryland now. Well, actually, we have marijuana legal... 

Joe Carrigan: [00:04:20]  Yeah, for medicinal use. 

Dave Bittner: [00:04:21]  ...For medicinal use. But part of what's happening right now is because CBD is new and still a little bit mysterious. 

Joe Carrigan: [00:04:28]  Right. 

Dave Bittner: [00:04:29]  So there's a little bit of an educational gap, I think, as to what CBD can and cannot do for you. So the scammers are taking advantage of that gap there, and they're sending out all sorts of messages saying that CBD will cure what ails you... 

Joe Carrigan: [00:04:43]  Right. 

Dave Bittner: [00:04:44]  ...Even if that happens to be COVID-19. 

Joe Carrigan: [00:04:46]  It's a modern-day snake oil. 

Dave Bittner: [00:04:48]  Exactly. Exactly. And this article has a number of examples of text messages that were sent out. 

Joe Carrigan: [00:04:54]  Really? 

Dave Bittner: [00:04:54]  I'll read a couple of them here. One of them says, Paul, scientists just confirmed positive results on testing this coronavirus protection. Claim a free sample for your family. Here's another one. It says, coronavirus alert - this face mask provides an extra layer of safety. Here's another one that says, hi, Kimberly. No one will be safe from the coronavirus anymore. This is the only survival guide you require to overcome the crisis. 

Joe Carrigan: [00:05:17]  Now, this one is interesting, Dave. 

Dave Bittner: [00:05:19]  Yeah. 

Joe Carrigan: [00:05:19]  First off, it's interesting that they've got names for people. They're buying some dataset. 

Dave Bittner: [00:05:23]  Right. 

Joe Carrigan: [00:05:23]  Right. 

Dave Bittner: [00:05:24]  Yeah. 

Joe Carrigan: [00:05:24]  But this one is a very small message that tries to do the typical scare and then - we have the solution. 

Dave Bittner: [00:05:32]  Yeah. 

Joe Carrigan: [00:05:32]  Did you notice that? 

Dave Bittner: [00:05:33]  Yeah. Yeah. 

Joe Carrigan: [00:05:34]  It says, nobody's going to escape, but hey; here's a survival guide. And it does it in, like, maybe 15, 20 words - very small space. 

Dave Bittner: [00:05:40]  Yeah. 

Joe Carrigan: [00:05:41]  Interesting. 

Dave Bittner: [00:05:41]  The one after that - it says, Louise, are you and your family prepared for the coronavirus? This mask can be your lifeline - so similar kind of thing. 

Joe Carrigan: [00:05:50]  Yep. 

Dave Bittner: [00:05:50]  Short and sweet. You know, these all have links, which, of course, take you to, I'm sure, places that are up to no good. 

Joe Carrigan: [00:05:56]  Yes. They're willing to take your money and offer you nothing in return. 

Dave Bittner: [00:05:59]  Yeah. Another thing this article points out is that other things that are being offered are payday loans, which are high-interest loans, basically predatory loans. 

Joe Carrigan: [00:06:08]  Yeah, they're a terrible idea. 

Dave Bittner: [00:06:09]  Yeah, well, they're preying on the weak and the desperate and... 

Joe Carrigan: [00:06:12]  Yeah. 

Dave Bittner: [00:06:12]  ...All those bad things. 

Joe Carrigan: [00:06:13]  Absolutely. 

Dave Bittner: [00:06:14]  Another point this article makes is that AdaptiveMobile, which is a mobile data provider - they've been tracking spam messages that scammers are sending out. And in the past week, 1% of all SMS scam was related to coronavirus. In just a week, that rose to 6.5%. 

Joe Carrigan: [00:06:31]  OK. 

Dave Bittner: [00:06:31]  And I would hazard to guess that it's only going to head in one direction. 

Joe Carrigan: [00:06:34]  Absolutely. Until this pandemic thing is over, it's going to just go up. It's going - I'll bet the curve matches the actual curve of infection. 

Dave Bittner: [00:06:42]  Oh, wouldn't that be interesting? 

Joe Carrigan: [00:06:43]  Yeah. 

Dave Bittner: [00:06:44]  Yeah, yeah. (Laughter) In that case, is correlation actually causation? 

Joe Carrigan: [00:06:49]  Yeah. I mean, you could study why, but I bet - yeah. I mean, they're preying on people's fears. 

Dave Bittner: [00:06:54]  Yeah, yeah. Absolutely. And the mobile carriers are doing their best to try to block these things, but, of course, it's a game of whack-a-mole. 

Joe Carrigan: [00:07:00]  It is. 

Dave Bittner: [00:07:01]  So they do make a point here that something that I was not aware of - that you can forward text messages to your carrier. Evidently, if you forward it to 7726, that's the number that carriers use to gather up these sort of spammy things. 

Joe Carrigan: [00:07:14]  Really? 

Dave Bittner: [00:07:15]  I did not know that. 

Joe Carrigan: [00:07:15]  I did not know that either. 

Dave Bittner: [00:07:16]  Yeah. So there you go. 

Joe Carrigan: [00:07:17]  How about that? 

Dave Bittner: [00:07:18]  And the advice from the mobile carriers is stay safe. Wash your hands. Don't click on strange links. 

Joe Carrigan: [00:07:24]  Yes. 

Dave Bittner: [00:07:24]  Words to live by. 

Joe Carrigan: [00:07:25]  Yeah, all good hygiene practices. 

Dave Bittner: [00:07:27]  Yeah. All right, well, that is this week's coronavirus scam update. Joe, what do you have for us this week? 

Joe Carrigan: [00:07:33]  Dave, my story is 100% coronavirus-free. 

Dave Bittner: [00:07:37]  (Laughter) It's a breath of fresh air. 

Joe Carrigan: [00:07:38]  Yes, it is. 

Dave Bittner: [00:07:38]  OK. 

Joe Carrigan: [00:07:39]  So everybody can get real close to this story. It's not really a story, actually. 

Dave Bittner: [00:07:43]  Yeah. 

Joe Carrigan: [00:07:43]  I've decided that about once a month, until I run out of these scams to talk about, I'm going to talk about old-time scams... 

Dave Bittner: [00:07:50]  OK. 

Joe Carrigan: [00:07:51]  ...And the ways they used to work. And I've picked out three of them today that are classic scams... 

Dave Bittner: [00:07:55]  OK. 

Joe Carrigan: [00:07:56]  ...That may still run today. But they all feed on some kind of human nature factor. 

Dave Bittner: [00:08:03]  OK. 

Joe Carrigan: [00:08:03]  Right? So the first one I'm going to talk about is the fake stolen car scam. 

Dave Bittner: [00:08:06]  All right. 

Joe Carrigan: [00:08:07]  Here's how this works. The victim answers an ad in the paper for a car that's for sale. And the person says, I'm trying to sell it, but I will give you a really steep discount if you pay in cash, right? So maybe it's a really nice car. It's a relatively new car. It's got low mileage on it, and they're willing to sell it to you for five grand... 

Dave Bittner: [00:08:27]  Yeah. 

Joe Carrigan: [00:08:27]  ...But you have to bring cash. That's the only way. They've got to get out of town quickly. 

Dave Bittner: [00:08:31]  OK. 

Joe Carrigan: [00:08:32]  And they say, come to my house, and we'll do the deal. You can drive the car - whatever. You show up at the house. There's the guy with the car. 

Dave Bittner: [00:08:39]  Yeah. 

Joe Carrigan: [00:08:39]  You can drive the car. Everything looks great. Then you go into the house to settle up, and that's when the cops show up, right? 

Dave Bittner: [00:08:46]  Really? 

Joe Carrigan: [00:08:47]  They make a show out of arresting the guy that's selling you the car, and they haul him outside. And then they say to you, what are you doing here? You're buying stolen goods. You know this car is stolen. Nobody sells this car for $5,000, right? Where's the money? We need that for evidence, right? And then the cops take the money from the victim. 

Dave Bittner: [00:09:04]  Yeah. 

Joe Carrigan: [00:09:04]  And then they say, you stay here, and we're going to go ask him some more questions because maybe we're not going to arrest you, right? You're terrified, so you go - you sit still. The cops go out to the car. Everybody gets in the car, and they drive away, right? 

Dave Bittner: [00:09:17]  OK. 

Joe Carrigan: [00:09:17]  The cops weren't real. The house isn't even their house. It's a vacant house, or maybe it's a, you know, it's a house that somebody is on vacation, and you're out five grand. 

Dave Bittner: [00:09:27]  Wow. 

Joe Carrigan: [00:09:28]  Right. So here's one of the things about this. Now, we've talked about the interview we had with Penn Jillette a couple months ago... 

Dave Bittner: [00:09:33]  Yeah. 

Joe Carrigan: [00:09:34]  ...Or about a month ago, I guess. Once you're inside the house and these fake cops come in, the jig is up. They're going to get your money, right? And if you're in the situation where that happens, just give the money to the cops. You might even say, yeah, I know this is a scam, but I'm not going to fight you. Here's the money. Because there are three or four of them and one of you. 

Dave Bittner: [00:09:51]  Right, right. 

Joe Carrigan: [00:09:52]  Right? And they are going to get that money. 

Dave Bittner: [00:09:54]  Yeah. Boy, there's a lot of things here. 

Joe Carrigan: [00:09:56]  Yeah. 

Dave Bittner: [00:09:57]  I would say, first of all, I would not go to a transaction like this alone. 

Joe Carrigan: [00:10:03]  Right. 

Dave Bittner: [00:10:04]  So that's good. 

Joe Carrigan: [00:10:05]  Yeah. 

Dave Bittner: [00:10:06]  I would never go in the house, I don't think. 

Joe Carrigan: [00:10:08]  I would never agree to pay for a car in cash. I would not be comfortable carrying around enough cash to buy a car. 

Dave Bittner: [00:10:15]  Yeah. 

Joe Carrigan: [00:10:15]  I would get a cashier's check... 

Dave Bittner: [00:10:17]  OK. 

Joe Carrigan: [00:10:17]  ...Which is almost as good as cash, right? And it still gives me the capability of stopping payment on it if something goes horribly wrong. 

Dave Bittner: [00:10:24]  Right, right. You know, another thing that this reminds me of is that, for example, I know here in Maryland, the state troopers have special places that you can go to do exchanges like this. 

Joe Carrigan: [00:10:38]  Yes, they do. 

Dave Bittner: [00:10:39]  And they're basically, like, in the parking lot of the state trooper barracks. 

Joe Carrigan: [00:10:43]  Right, absolutely. 

Dave Bittner: [00:10:44]  And there - you know, there's cameras and there's state troopers coming and going and that sort of thing. So, you know, you can say, hey, we're going to - I'm happy to do this, but... 

Joe Carrigan: [00:10:52]  We're going to do this at this location. 

Dave Bittner: [00:10:54]  Yeah. We're going to meet on neutral ground in the parking lot of the state troopers. 

Joe Carrigan: [00:10:57]  Right. 

Dave Bittner: [00:10:58]  And if they don't show up - I would hazard to say that the fake cops aren't going to show up in the parking lot of the state troopers. 

Joe Carrigan: [00:11:03]  That's a much more risky proposition, isn't it? 

Dave Bittner: [00:11:05]  (Laughter) Right. Which again, something that Penn Jillette said, which was there's a high amount of risk with some of these scams. You know, disguising yourself as a police officer carries a certain amount of risk all its own. 

Joe Carrigan: [00:11:17]  Right. 

Dave Bittner: [00:11:18]  Yeah. What else do you have? 

Joe Carrigan: [00:11:19]  The next one is the around-the-corner scam, they call it. This one's also kind of risky for the people that are carrying it out, that are doing it because the first thing they have to do is put a sign over top of a doorbell that says, doorbell's not working. Call this number. 

Dave Bittner: [00:11:32]  Right. 

Joe Carrigan: [00:11:33]  And then when the delivery truck shows up - and they have to know the delivery is coming as well - the delivery guy sees the number, calls the number. And the person on the other end says, oh, yes, the door is broken - the mechanism. We've got someone coming out to fix it later today, but I'll send somebody out, or bring it around the corner, they say. 

Dave Bittner: [00:11:49]  OK. 

Joe Carrigan: [00:11:49]  Right? And then the delivery person is just trying to do their job. 

Dave Bittner: [00:11:53]  Yeah. 

Joe Carrigan: [00:11:54]  So they take the package around the corner or they wait there for someone to come out and meet it, and they say, hey, thanks. And they walk off not knowing that the package has just been stolen. 

Dave Bittner: [00:12:03]  I see. 

Joe Carrigan: [00:12:03]  It's kind of like a more advanced way of porch pirating, right? You're there for a very limited time. If you know there's a camera there, then you can have the delivery guy walk off camera and hand it to you off-camera, so you're not seen. That way, you don't have to be on camera. So it's a good scam. There's not really much you can do to protect yourself against this... 

Dave Bittner: [00:12:20]  Yeah, I... 

Joe Carrigan: [00:12:21]  ...Except insure your packages. 

Dave Bittner: [00:12:22]  Yeah. I would imagine in this case also that they target either vacant homes or places where people are on vacation - that sort of thing. 

Joe Carrigan: [00:12:29]  Yeah. Actually, this is targeted more towards businesses... 

Dave Bittner: [00:12:32]  Oh, really? Oh, I see. 

Joe Carrigan: [00:12:33]  ...And things of that nature. Yeah. There's the apocryphal stories of doing this with a night deposit box, right? 

Dave Bittner: [00:12:38]  Oh. 

Joe Carrigan: [00:12:38]  So imagine I sit there in a fake security guard outfit, and I put a sign on the night deposit box that says the night deposit box is jammed. 

Dave Bittner: [00:12:47]  Oh, right. 

Joe Carrigan: [00:12:48]  Please give your deposit to the security guard sitting to the left. 

Dave Bittner: [00:12:51]  (Laughter). 

Joe Carrigan: [00:12:52]  I'm just sitting there in a chair, collecting night deposit bags all night long. 

Dave Bittner: [00:12:54]  Right (laughter). 

Joe Carrigan: [00:12:55]  The problem with that is it requires me to sit in plain view, right? And I don't know that this happens frequently. I can imagine that it has happened, that people have tried it. But I don't think that goes off without a hitch. I think the cops would see that and go, that's not right. 

Dave Bittner: [00:13:08]  Yeah, yeah. 

Joe Carrigan: [00:13:09]  And somebody's going to jail. 

Dave Bittner: [00:13:11]  Well, and I think also, in these days where everything like that is under video surveillance... 

Joe Carrigan: [00:13:16]  Right. 

Dave Bittner: [00:13:16]  ...Those are harder to pull off than they were in the past. 

Joe Carrigan: [00:13:18]  They are. 

Dave Bittner: [00:13:18]  Yeah. 

Joe Carrigan: [00:13:19]  And the last one I have here today is called the melon drop, OK? And here's how this works. I get some cheap, fragile thing, right? 

Dave Bittner: [00:13:28]  OK. 

Joe Carrigan: [00:13:28]  And I put it into a box, and I wrap it up nicely. And then I go into a crowded place, and I look for somebody looking at their phone. And then I bump into them, drop the cheap fragile thing and make sure that it breaks when it hits the ground... 

Dave Bittner: [00:13:40]  Oh. 

Joe Carrigan: [00:13:40]  ...Right? And then I say to them, what are you doing? You just broke my priceless Ming vase or whatever, right? - or whatever it is. 

Dave Bittner: [00:13:47]  (Laughter) Right, right, right. 

Joe Carrigan: [00:13:47]  I got to look and see if it's still OK. I know it's not OK. Maybe it was broken before I put it in there, but there's just shards of glass or shards of ceramic in there. I make up some sob story about, this was my grandmother's device. Or I just purchased this for $100, right? And I may even have a receipt that says, look, Dave. 

Dave Bittner: [00:14:02]  Yeah. 

Joe Carrigan: [00:14:03]  You bumped into me. You owe me $100 now. 

Dave Bittner: [00:14:05]  OK. 

Joe Carrigan: [00:14:06]  People want to do the right thing. So they might offer to pay for this or offer some kind of recompense for this... 

Dave Bittner: [00:14:12]  Yeah. 

Joe Carrigan: [00:14:12]  ...Right? But the truth of the matter is this is a scam. Nobody is walking around with priceless artifacts and then not paying attention to it. If they are, that's kind of the fault of both parties, I would say. The guy carrying the box is at least as much at fault as the guy looking at his cellphone. The defense against this scam is that it has to happen in a fairly open place. You're not being lured somewhere. You're being targeted out in the open, so you can at least just walk away from this without any further interaction. You can go just, I'm done. Goodbye. 

Dave Bittner: [00:14:42]  Yeah. Good luck to you. 

Joe Carrigan: [00:14:43]  And walk away. Good luck to you. 

Dave Bittner: [00:14:43]  Good day, sir. 

Joe Carrigan: [00:14:44]  Yep. 

Dave Bittner: [00:14:46]  (Laughter) All right. Well - so some interesting, interesting ones. And you certainly can see how some of those might evolve for modern use. I imagine some of those are still in play around the world. 

Joe Carrigan: [00:14:56]  Oh, I would imagine they are. Absolutely. 

Dave Bittner: [00:14:56]  Yeah, yeah. All right. Well, it is time to move on to our Catch of the Day. 


Dave Bittner: [00:15:04]  Our Catch of the Day comes via Reddit. This is a phishing email that someone received and shared with one of the groups that collects these sorts of things. It goes like this. 

Dave Bittner: [00:15:15]  (Reading) I'm Dr. Racquel Dochterman. My specializations are foot and ankle, athletic injuries, shoulder and elbow, trauma and fractures, sports medicine and arthroscopic surgery - also interested in procedures of replacing the shoulders and knees. I am the team physician for Northwestern University in Kirkland - also serve as team physician for the U.S. Women's U-20 national soccer team and other professional sports, including golf, tennis and hockey. I'm also involved with local high school and club sports teams. In addition, I am a consultant for Cirque du Soleil. I am also so much dedicated in helping each and every of my patients to gain maximum and potential physicality through cutting-edge surgical and nonsurgical treatment of musco-skeletal (ph) conditions and individualization of patient education. I learn so much from patients just by listening and learning about their lives. So being a good listener is the most important part of my relationship with my patients. This message was sent to your email because you have an opportunity from the University Office for Students With Disabilities to work with me and other to help and assist students with disabilities frustrated with ignorance and lack of services - but as my interim personal assistant. I really do care so much about social services, children, environment, social action, arts and culture, education, disaster and humanitarian relief and lots more. 

Dave Bittner: [00:16:33]  (Reading) I can assure you this employment is very simple. All you need to do are purchase some items which are needed, mailing of letters and making payments at Walmart. And this employment won't take much of your time and at least two hours daily, three times a week for $450. I am unable to meet up with you for an interview due to the fact that I am away, currently helping the disabled students in Belgium. For all the purchases and tasks to get done on my behalf while I am still away, you will be paid in advance. Some of my personal letters and mails will be forwarded to your residence or nearby post office for you to pick up at your convenience. Upon my arrival, we will discuss the possibility of making this a long-term relationship - that if you really do impress me with your services while I am away. My arrival is scheduled for the end of January 2019. Here's how to apply for the internship. Please send me your information as stated below - full name, contact address, cell phone number, alternate personal email address - different from school email - attached resume - it's OK if you do not have a resume to attach. Best regards, Dr. Racquel Dochterman, clinical counselor, disabled student programs and services. 

Joe Carrigan: [00:17:41]  I like how her name is Dr. Dochterman. 

Dave Bittner: [00:17:43]  Yeah. It's... 

Joe Carrigan: [00:17:44]  (Laughter). 

Dave Bittner: [00:17:46]  Just the level of creativity there is - yeah, Dr. Dochterman. 

Joe Carrigan: [00:17:51]  (Laughter) That's my favorite part. 

Dave Bittner: [00:17:55]  Yeah. I swear I'm not making this up. This is absolutely true. My father's proctologist is named Doctor Butt (ph). 

Joe Carrigan: [00:18:03]  Well - kind of a self-fulfilling prophecy, right? 

Dave Bittner: [00:18:05]  Yeah. I mean, you're in med school. You're thinking, what - which specialty should I pursue? 

Joe Carrigan: [00:18:10]  And someone next you goes, you should be a proctologist, Butt, ha ha ha. 

Dave Bittner: [00:18:14]  Yeah, exactly. 

Joe Carrigan: [00:18:14]  And the guy goes, wait a minute. That might be a good career. 

Dave Bittner: [00:18:18]  (Laughter) Right, exactly. Well, all right. Well, let's unpack this here. Pretty straightforward, what's going on here. 

Joe Carrigan: [00:18:22]  Yes. This looks like a money-muling scam to me, Dave. It looks like they're going to try to get you to either cash some bad checks or do some stuff or maybe just steal your identity with the information that you give here. Don't ever reply to anything like this. 

Dave Bittner: [00:18:33]  Yeah. I could imagine also that they'll start out by paying you in advance for some things and then they gain your trust and then they ask you to start paying for some things. And sooner or later, it escalates. You're paying for more and more things. And then at some point, they stop reimbursing you. And... 

Joe Carrigan: [00:18:49]  I would bet that it doesn't even go that far. I'll bet that you never get a dime from them and that you're just out money. 

Dave Bittner: [00:18:54]  Yeah. 

Joe Carrigan: [00:18:55]  That would be my guess. 

Dave Bittner: [00:18:56]  Yeah, could be. All right. Well, that's a good one. That is our Catch of the Day this week. Coming up next, we've got Joe's interview with Scott Knauss. He's a security consultant who was targeted by some scammers. 

Dave Bittner: [00:19:07]  But first, another word from our sponsors, KnowBe4. Now, let's return to our sponsor's question about the attacker's advantage. Why did the experts think this is so? It's not like a military operation where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost and the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a 10.5% failure rate. That sounds pretty good. Who wouldn't want to bat nearly 900? But this isn't baseball. If your technical defenses fail in 1 out of 10 tries, you're out of luck and out of business. The last line of defense is your human firewall. Test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest. 

Dave Bittner: [00:20:14]  And we are back. Joe, you had the pleasure of speaking with Scott Knauss recently. 

Joe Carrigan: [00:20:20]  I did. 

Dave Bittner: [00:20:20]  He's a security consultant who found himself targeted by some scammers. It's an interesting tale that he shares. Here's Joe's conversation with Scott Knauss. 

Joe Carrigan: [00:20:29]  My guest today is Scott Knauss. He holds a CISSP and other security certifications. He is the head of Immauss Technology Solutions. And recently, he was targeted by a work-from-home scam. Scott, tell us how this got started. 

Scott Knauss: [00:20:45]  I've been getting a lot of the robocalls and whatnot to my phone recently, just like almost everybody else has, I guess. But my provider has done a fairly good job of filtering those out, and I'm pretty good at just ignoring them. But I started getting SMS messages lately. And I got one that they called me by name, which caught me off guard. And it just started as, you know, a conversational SMS message. And it started with something like, how's your day today? And I'm like, well, that depends. Who is this? And it proceeded from there and, you know, hey, we saw your resume. We'd like to offer you a job. OK. Let's play along, I thought, and see where this goes. To shorten it a little bit here, basically what they were trying to do initially - their first goal was to get me off of SMS messages and get me on to Telegram. 

Joe Carrigan: [00:21:33]  We see that frequently where they move you from one platform to another one. That happens a lot, particularly with dating apps. So was that a clue that this may be a scam? 

Scott Knauss: [00:21:41]  That was one of them. As soon as they start, well, initially started talking about downloading something from the App Store and I'm like, oh, gosh, what is this app going to be? And then they said it was Telegram. I'm like, OK, well, I've already got Telegram. That could be fun. And, you know, the only thing I could think of is that maybe they consider it a little more secure communication then an SMS or maybe just because they can put telegram on a laptop and type faster, which is what I did to aid in my communications with them as well. I put Telegram on my laptop. It also helped me to copy and paste all of the text out of their conversation as well. 

Joe Carrigan: [00:22:13]  Right, because you've done a fairly good job of documenting this. And we'll put some links in the show notes to your documents. What happened once you moved to Telegram? 

Scott Knauss: [00:22:19]  So they told me that, you know, I'd have to go through this interview process. And they would decide whether or not they could hire me or not. They told me that they were working with Scentre Group, which I researched a little bit. They actually are a large real estate conglomerate out of Australia and New Zealand. They're a legitimate company. So I'm like, OK, that could be interesting. Let's see where this goes. But what they're wanting us to do is they're telling me that, well, we're going to be opening up these new offices in your area. 

Joe Carrigan: [00:22:49]  Did they just say in your area or do they give you a specific space? 

Scott Knauss: [00:22:53]  Right. And in fact, that was one of the things they said in SMS. And initially, I kind of burned the SMS message because when they said in your area, I said, well, where exactly do you think I am? 

Joe Carrigan: [00:23:04]  Right. 

Scott Knauss: [00:23:05]  And they said Atlanta, Ga. And I'm like, no, wrong, guess again (laughter). And after that, I didn't hear anything else from them. So they kind of caught on that I knew that it was a scam. Because I already knew that they were jumping to Telegram and my phone number associated with Telegram is a different number than the SMS messages were coming in on, I knew I could jump to it without them recognizing me as the same person. So I just waited a couple of hours before I brought up Telegram and just said someone told me that I should contact you. 

Joe Carrigan: [00:23:30]  Hmm. 

Scott Knauss: [00:23:31]  Right. So I had fun with them, I think. When they asked me for a name, I wasn't going to give them my personal name, so I gave them Stephen C.A. Matthews (ph). And, of course, the initials to that are... 

Joe Carrigan: [00:23:43]  Scam. 

Scott Knauss: [00:23:44]  ...Scam. Yeah (laughter). They didn't pick it up. I kind of thought they might, but no, no, no. They go through this whole interview process, and one of the things that caught me off guard was that their English was quite good. So I figure, you know, either they're native English speakers or they're just using something - I mean, there are so many tools available now to check your spelling - right? - and check your... 

Joe Carrigan: [00:24:05]  And translate. 

Scott Knauss: [00:24:06]  ...Language as well, right? I mean, I do business with clients in two or three different languages. So whenever I'm writing something in another language, I always run it through something because English is my native language, but I don't speak German fluently or Italian fluently, so I run it through a couple of tools to make sure I'm not making grammatical errors. So they're probably doing the same thing, you think? 

Joe Carrigan: [00:24:26]  I think it's entirely possible that you're using the same tools. 

Scott Knauss: [00:24:29]  Right. So they run me through this whole interview, and I'm sure the whole thing was copy and paste anyway. But they asked me all these questions, and I gave them some wonderful answers. Do you have any current jobs? Oh, well, yes, I have three jobs now, and I have owned my own business. But that didn't faze them. They said, oh, that's great. You're one of the best candidates we've interviewed so far. 

Joe Carrigan: [00:24:49]  They probably also pasted that. 

Scott Knauss: [00:24:51]  Yes, I'm sure. I'm sure. It's all part of the script, right (laughter)? 

Joe Carrigan: [00:24:54]  Right. 

Scott Knauss: [00:24:55]  So, you know, I get through the arduous interview process. And we've talked with our managers, and they're happy to offer you this job. And I'm like, OK, great. What's next? Well, we're going to send you a check. We need your address. I'm like, OK, you want my address. No (laughter). 

Joe Carrigan: [00:25:12]  Right. 

Scott Knauss: [00:25:13]  Right. Back up just a tick here. I'm actually in Italy at the moment. So, you know, all this stuff about your area and my address and sending things back and forth - I know they're full of it, right? 

Joe Carrigan: [00:25:24]  Right. 

Scott Knauss: [00:25:24]  So there's no way that they can be legitimate here. So they ask me for an address, and I just make up something. I use bits and pieces of some addresses from my past, and it ends up being in Virginia Beach, not - thinking they're not really going to send anything. But they said, OK, we'll be in touch with you tomorrow with tracking information for the check that we're going to send you. I'm like, yeah, right. So low and behold, the next day, 8 o'clock in the morning, they contacted me and said, hey, here's the tracking number for your FedEx package that we sent to you. And I said, whoops (laughter). They actually sent something. I pulled up the tracking number in FedEx and, sure enough, they were sending me something. But FedEx said, hey, this address isn't valid. Yeah, no kidding (laughter). 

Joe Carrigan: [00:26:06]  Right. 'Cause you made it up, right? 

Scott Knauss: [00:26:08]  Exactly. So, you know, I kind of backtracked with them a little bit. And I was like, oh, I'm sorry. I got the zip code one digit off. I did a little bit of, you know, Google Maps research there and tweaked the address so that it would actually be valid to see what I could get out of them. They're like, oh, well, you need to talk to FedEx and get FedEx to deliver it to you. Maybe you can go over and pick it up. I'm like, that'd be a long drive. I didn't call FedEx. I just told them, yeah, FedEx won't deal with me because I'm not the sender. And they said ugh (ph), and FedEx probably sent it back to them, right? And the whole time I'm thinking, they paid for that (laughter). 

Joe Carrigan: [00:26:41]  Right. 

Scott Knauss: [00:26:43]  So they said, oh, it's OK. Here's what we'll do. We're going to scan a copy of the check and send it to you. I'm like, what am I going to do with that? You can print it and use your bank's app on your phone to deposit the check. I played dumb. You can do that? Really? I didn't know that. I learned something today. Thank you. And they dutifully emailed me a copy of a check the next day. 

Joe Carrigan: [00:27:12]  And to be clear, this is a legitimate service that a lot of banking apps offer, photo-deposited checks. 

Scott Knauss: [00:27:17]  Oh, yes. I receive checks from clients and deposit them by my phone two or three times a month. So, yeah, I know that this is something that can be done. I do it regularly. I'm dubious on whether or not you could scan it, print it and then take a picture of it again as many times as my bank's application has said, yeah, no, the resolution is not good enough. Do that again. I let it sit for a little while and that was what I eventually told them was that, you know, I've printed it at two to three different locations, at my neighbor's printer and I can't get the bank app to accept it because the resolution is not good enough was what I eventually told them. 

Scott Knauss: [00:27:49]  But in the meantime, I take a look at this check that they've scanned me, and it's got a company name on it. Well, it's not Scentre Group, which is the first thing that jumps out at me. So my first thought is, OK, they're just making up checks and checking accounts. This is kind of squirrelly. So I did a little research and, sure enough, not only is the name of the company on the account accurate and exists, but it's got an address on the check that matches up with this company. So I poke around. I do some reverse image searches on the site to make sure they're not faking the site, said, OK, you know what? I'm going to give these guys a call. So the next morning, I called this company. They're down in Georgia. It was a farming group. The first person I talked to, I just told her straight up. She was - you know, a secretary I think answered the phone. 

Scott Knauss: [00:28:34]  And I just said, look, this is me. I'm an independent security researcher, and I've found something rather strange that might be to do with your bank account, and I'd like to help you guys out and make sure that this isn't really you. And she says, let me have you talk with - and she named the guy. And I said, OK. So he picks up the phone, and I says - I tell him the whole story. And I said, now, look, I'll send you some information. I don't want you to think I'm trying to scam you. This is who I am. And he says, OK, well, just - can you send me a copy of the check and I'll have our finance department look at it? Here's my email address. So I emailed it to him. And about 15 minutes after I emailed it to him, he emails me back and said, thank you. Our finance department researched this and it turns out our bank account had been hacked. You know, at that moment, I swelled. I was like, I did something good today (laughter). 

Joe Carrigan: [00:29:26]  Right. 

Scott Knauss: [00:29:28]  We're fighting back against these guys. And every now and then, just a little bit at a time, we have to take every win that we can get, right? 

Joe Carrigan: [00:29:34]  It's a small victory, but it's still a victory. 

Scott Knauss: [00:29:36]  Exactly. Exactly. So actually, you know, I thought of it as it as a dual victory. One, you know, I helped these guys out. And hopefully, they're going to recover from that without too much trouble. You know, as they recover from that, it takes one account away from these guys. So, you know, I saw that as a dual victory. From there, I told them I was going on travel and going to Northern Virginia for the weekend and asked them if they could send it to my sister's house. So I gave them a different address, which happened to be a valid address for my - I have a mailbox at a UPS Store in northern Virginia. And so I gave him that address. 

Scott Knauss: [00:30:09]  And I called The UPS Store in advance, and I said, look - I'm having this thing sent to you. It's a scam. I know it's a scam. But I'd like to get access to it as quick as possible. Can you guys open it for me and take a picture of it and send it to me? And they said, yeah, no problem, man. That's great. As long as you send us something from your verified email address and we know who you are, we'll do it for you. Awesome. Well, somehow I gave them the correct address, and they bungled it. I couldn't believe it. 

Joe Carrigan: [00:30:33]  (Laughter). 

Scott Knauss: [00:30:34]  The - I gave the guys at The UPS Store the FedEx tracking number, and they said, oh, yeah, yeah, we got that one, but it doesn't have your address on it. I'm like, really? It doesn't have my box number on it? And they're like, no, it only has this on it, the address of the building. I'm like, good grief. All right, well, it's the one that's for me. Can you guys open it? Well, it doesn't have your name on it. I'm like, well, no, I wasn't going to give them my real name. 

Joe Carrigan: [00:30:57]  Right. 


Scott Knauss: [00:30:58]  And they're like, well, it doesn't have your box number on it. It doesn't have your address on it. I'm sorry, but we have to send it back. We can't open it for you. I'm like, ah, oh well, because I was really hoping to get another bank account to try to get out of them. I had to take a loss on that one. And at that point, you know, I told them that I had - that I wasn't able to get the check, that they had sent it to somewhere, that it was just to the building, and there's a lot of people in this building. They said, well, ask around; maybe somebody has it. Someone has it. I'm like, (laughter) yeah. 

Joe Carrigan: [00:31:26]  Right. 

Scott Knauss: [00:31:27]  At that point, they got kind of upset with me, or they pretended to be upset, right? They didn't want to send me another check. I'm like, well, can you send another one? (Laughter). No. No, they won't send another check. So I let them sit, stew for a little while, and I just kind of ignored them, I think, for a day. And I came back, and I said, look - you know, guys, I really need this job. Is there some way that we can move ahead with this? What else can I do? Because I really wanted to get to the endgame to find out what their final trick was. And they said, well, maybe. Let me check. 

Scott Knauss: [00:31:54]  And they come back a few minutes later and said, can you come up with the money on your own for the initial startup? I'm like, sure (laughter). So I said, how much, right? And they said $500. I'm like, yeah, yeah, I can do that. And they said, all right, here's what you need to do? Is there a CVS or a Walmart or - and they named a whole bunch of different places - nearby? I'm like, well, sure, there is. Which one? And I said CVS, I think. And they said, all right, well, go to the CVS and call us when you get there. Now, there was a lot more time in here because I drug it out with them for a while just to play with them and partly because I was - I think I was driving at the time, and I didn't feel like messing with them. 

Scott Knauss: [00:32:30]  So I told them that I was doing something else and - which I did several times, which was also the convenience of having it on Telegram - right? - which is so - just, you know, so nice of them to make it easier to mess with them by using messages instead of a phone, right? 

Joe Carrigan: [00:32:43]  Right. 

Scott Knauss: [00:32:45]  Eventually, I told them I was at CVS and asked them, what do I do now? And they said, so you need to go in and buy eBay gift cards. 

Joe Carrigan: [00:32:54]  EBay gift cards (laughter). 

Scott Knauss: [00:32:55]  EBay gift cards. And I'm like, really? All of this effort for a gift card scam? 


Scott Knauss: [00:33:02]  So at this point, I'm like, OK, well, that's their endgame. I know what the deal is now. And they - you know, they sent me a picture of a gift card. And I said, all right, I bought them. What now? And they said, OK, you need to scratch off the back and take pictures of it with your phone and send it to us. I'm like, uh-oh. They're like - they said, what? Well, my kids dropped my phone last week and broke my camera (laughter). So I drug them on for another two or three days before I finally stopped messing with them. And I haven't answered them. I haven't sent anything back to them in two or three days. 

Scott Knauss: [00:33:33]  The last thing I told them was that, you know, I was at the CVS, and I could go home and take the pictures with my iPad and transfer it to my phone and then send it to them on Telegram. And they said, OK, well, when are you going to do this? And I said, well, you know, about an hour or two, maybe. So the next day, when I hadn't sent them anything, they're like, what happened? We waited for you till 8:30 last night. I'm sure you did. And I said... 

Joe Carrigan: [00:33:54]  I hope you actually did wait for me till 8:30 last night. 


Scott Knauss: [00:33:57]  Yeah, exactly. At that point, I said - I didn't answer them. I didn't answer them at all. I waited until, I think, 1 or 2 o'clock in the afternoon their time, and I sent them a message that said, sorry, went out drinking after dinner last night and just now getting up, not feeling so well - bye. And I didn't say anything until... 

Joe Carrigan: [00:34:17]  But that's the end of the conversation, right? 

Scott Knauss: [00:34:19]  ...The next day (laughter). No, no, until the next day. 

Joe Carrigan: [00:34:21]  Oh, the next day, OK. 

Scott Knauss: [00:34:21]  Yeah. Yeah, the next day I sent them something else. And I just said, yeah, I think that the fish that I ate at dinner the other night was bad; I'm going to the hospital now. And that was where I left it. I haven't said anything else to them. I'm thinking, you know, maybe here in a week or two, I'll come back to them and see if I can drag them through something else, just to see, right? But... 

Joe Carrigan: [00:34:37]  (Laughter) That would be awesome. 

Scott Knauss: [00:34:38]  Right. Right. But in the interim, hopefully I won't be able to because after I stopped talking to them, I started reporting everything, right? So they sent me some emails. I pulled all of the reply emails out. They were all Gmail addresses, sent those off to Google. I sent a note to - or an abuse thing with Telegram to their account as well. So hopefully Telegram will be on the ball and shut that down. As of right now, they were last seen four minutes ago. So Telegram hasn't shut anything down. There was a server that I managed to isolate of theirs. At one point, I told them, hey, is this your website? So I registered Scentre Group - with an E at the end - dot com. 

Joe Carrigan: [00:35:20]  So you used a scam trick against them? 

Scott Knauss: [00:35:22]  Yes, I did. 


Scott Knauss: [00:35:25]  And at one point during the conversation, I was like, hey, is this your website? And I wasn't - I was upset because I didn't type it out fast enough. They pasted the correct website in before I could type in my scam link. And I was like, what do I do now? Oh, nuts. What do I do now? I thought about it for a second, and I said, oh, hey, I found this link - is this you guys, too? And I pasted them my link. And three seconds later, ding, I get the hit from the canary token. 


Scott Knauss: [00:35:58]  And unfortunately, there - it was a proxy. They were using a... 

Joe Carrigan: [00:36:00]  Oh, they're using... 

Scott Knauss: [00:36:00]  Yeah. 

Joe Carrigan: [00:36:00]  ...A VPN? 

Scott Knauss: [00:36:02]  Yeah, it was a Gom VPN proxy server running in a vulture.com site. So I hit up the Gom VPN guys and said, hey, I got these scammer guys running through one of your VPNs. Is there anything you can tell me about them? And all they said was, yeah, there's no logs at all on this VPN. Sorry, we can't do anything. 

Joe Carrigan: [00:36:18]  Right. Yeah, that's very common. 

Scott Knauss: [00:36:20]  Yeah, which is what I expected. But had to ask, right? It looks like they're relaying through another account that I've managed to dig out from the email headers. And I contacted them, as well, but I haven't heard anything back from them. So I'll keep pinging folks, try to shut some of this stuff down if we can. But I feel like I've done a good thing, maybe. 

Joe Carrigan: [00:36:37]  I would agree, Scott. It sounds like you've done a good thing. At least, if nothing else, you let one company know that their bank account had been compromised. I think that's an accomplishment. It sounds like this is a fake check scam, where they're looking to steal money from a company they've compromised the banking credentials for and then run it through you as a money mule and get the value back as gift cards, which they then sell. And that's how they make their money. 

Scott Knauss: [00:37:01]  Right. Now, the one other interesting thing that I came across, though, was that, you know, they actually gave me the wrong tracking number one time, too. So I ended up with three tracking numbers from these guys. The first one that they sent me, the one that they sent to the wrong address, was shipped from Mountain View, Calif. I was like, oh, that's interesting. All right. But the second one was shipped from Purchase, N.Y. So do they have people in both of these different locations? Or have they tricked someone into sending these things off for them? 

Joe Carrigan: [00:37:27]  That's a good question. 

Scott Knauss: [00:37:28]  Yeah. 

Joe Carrigan: [00:37:28]  I don't know the answer. 

Scott Knauss: [00:37:29]  I don't know how to figure that out. Yeah - because I thought, you know, maybe they've got some other side scam. It's just in reshipping stuff for them. 

Joe Carrigan: [00:37:35]  Yeah, I'm sure something like that is happening. These guys are usually large operations that have many different tentacles and different organizations. They are set up like corporations. So, I mean, there are even ransomware people that have help desk. When you go to buy your data back, they have a number you can call to get assistance to decrypt your data. 

Scott Knauss: [00:37:54]  That's scary. 

Joe Carrigan: [00:37:55]  All right, Scott. That is a great story. I want to thank you very much for joining us today. 

Scott Knauss: [00:38:00]  Yes, thank you, Joe. Appreciate being here. 

Dave Bittner: [00:38:02]  All right. What an interesting series of events there. 

Joe Carrigan: [00:38:05]  Yeah. That is a long tale. Scott has written up a couple things. One is an article on his web page, and another one is actually a Google Doc that goes through everything that happened. 

Dave Bittner: [00:38:14]  Yeah. 

Joe Carrigan: [00:38:14]  We'll put links in the show notes for that. 

Dave Bittner: [00:38:16]  OK. 

Joe Carrigan: [00:38:16]  It starts off with an SMS message that knows his name, which we talked about earlier with the - with your story with the scams knowing the name of the person associated with the phone number. And then they very quickly move it to Telegram, which is a common technique that we see a lot. 

Dave Bittner: [00:38:32]  Yeah. 

Joe Carrigan: [00:38:32]  So pull back the curtain. On the back end of this, somewhere, there's a company that's been compromised. This farming company in Georgia... 

Dave Bittner: [00:38:40]  Yeah. 

Joe Carrigan: [00:38:40]  ...Had their bank compromised. And they've lost their routing number and their account number. And these people are able to forge checks. 

Dave Bittner: [00:38:46]  Right. Right. 

Joe Carrigan: [00:38:46]  There are tons of applications out there that will let you print checks. 

Dave Bittner: [00:38:50]  Sure. 

Joe Carrigan: [00:38:50]  And they're legitimate applications, right? 

Dave Bittner: [00:38:53]  Yeah. 

Joe Carrigan: [00:38:53]  Like, I don't know exactly how that works. I don't work in accounting. I should ask my wife this. She knows how this works. 

Dave Bittner: [00:38:58]  (Laughter). 

Joe Carrigan: [00:38:58]  So it's easy to easy to carry this out and relatively inexpensive to do this. Once you compromise it - compromise the bank account credentials, then this is one of the ways they're going to capitalize on that - with the money mule scam. Once they found that the check wasn't going to work, they asked Scott to front some money and just buy some gift cards. They just degenerated down to the base level of scamming... 

Dave Bittner: [00:39:20]  Yeah. 

Joe Carrigan: [00:39:20]  ...Here where they say, we need gift - we need gift cards, and we'll take care of it. And they go with eBay gift cards... 

Dave Bittner: [00:39:25]  Yeah. 

Joe Carrigan: [00:39:25]  ...Which don't make any sense to me. 

Dave Bittner: [00:39:26]  No? 

Joe Carrigan: [00:39:27]  You think you have someone on the line who is setting up a business, right? And you think this person is maybe smarter than this. I think that seems like an amateur move. Well, just get us some eBay gift cards, then, you know? 

Dave Bittner: [00:39:39]  Yeah. Maybe they're just cutting their losses. 

Joe Carrigan: [00:39:41]  Yeah. 

Dave Bittner: [00:39:41]  You know, they've come this far with this person. They feel they've got one on the hook, so... 

Joe Carrigan: [00:39:46]  Right. 

Dave Bittner: [00:39:46]  ...We might as well see what we can do. 

Joe Carrigan: [00:39:48]  It's funny that at the end of this scam, they still try to lay a guilt trip on Scott. 

Dave Bittner: [00:39:51]  (Laughter). 

Joe Carrigan: [00:39:52]  You know, we waited here until 8:30 for you. 

Dave Bittner: [00:39:54]  Yeah. 

Joe Carrigan: [00:39:54]  They didn't. I don't think they did, but I hope they did. 

Dave Bittner: [00:39:57]  Well, good for Scott for being able to contact that company and... 

Joe Carrigan: [00:40:00]  Yeah. 

Dave Bittner: [00:40:00]  ...Tip them off that their... 

Joe Carrigan: [00:40:01]  Right. 

Dave Bittner: [00:40:02]  ...Bank account had been compromised. And it was also interesting to me that you sort of have that dilemma when you're trying to report this to someone to convince them that you're not a scammer. 

Joe Carrigan: [00:40:12]  Correct. I've actually run into this myself. I have to do vulnerability disclosure from time to time. And I had a vulnerability I needed to disclose to a small company. I won't talk about who the company is. But I reached out to the person via telephone a number of times and told him to expect an email from me, and he never responded. And I sent him an email, and it came from a JHU email address. And I sent him all the documentation. And as soon as I send the email, I got the phone call back. One of the things I said in the email is, if you want to verify that I am who I say I am, just Google my name followed by the letters JHU. And I'll come up, and you can see my phone number. You can see my email address on a jhu.edu website. 

Dave Bittner: [00:40:53]  Right. Right. 

Joe Carrigan: [00:40:54]  And then I got a phone call back... 

Dave Bittner: [00:40:55]  Oh, OK. 

Joe Carrigan: [00:40:56]  ...Right? 

Dave Bittner: [00:40:56]  Interesting. 

Joe Carrigan: [00:40:57]  And the first thing this guy said was, I didn't respond your phone calls because I thought they were a scam. 

Dave Bittner: [00:41:01]  Yeah. 

Joe Carrigan: [00:41:01]  I said, you know what? That's legitimate. I don't fault you for that. 

Dave Bittner: [00:41:04]  (Laughter) Right. 

Joe Carrigan: [00:41:04]  But these are the vulnerabilities our students found. And you can do with them as you please. 

Dave Bittner: [00:41:10]  Yeah. 

Joe Carrigan: [00:41:10]  But you're right. It is a delicate act. And the way you handle it is just be the faucet of information and don't ask for any information back. 

Dave Bittner: [00:41:17]  Yeah. All right. Well, interesting interview. Thanks to Scott Knauss for joining us. And we want to thank all of you for listening. That is our show. 

Dave Bittner: [00:41:27]  Of course, we want to thank our sponsors that KnowBe4. They are the social engineering experts and the pioneers of new-school Security Awareness Training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest. Think of KnowBe4 for your security training. 

Dave Bittner: [00:41:43]  Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: [00:41:50]  The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:42:04]  And I'm Joe Carrigan. 

Dave Bittner: [00:42:05]  Thanks for listening.