Podcasts
Only Malware in the Building
Ep 9
Only Malware in the Building 2.4.25
Ep 9 | 2.4.25

Cyber Groundhog Day and romance scams.

Show Notes
Transcript

Dave Bittner: Selena, I don't know what's going on with Rick, he has been acting super weird lately.

 

Selena Larson: Yes, ever since that day -- well the day -- you know --

 

Dave Bittner: Shh, shh, shh, here he comes, here he comes; shh.

 

Rick Howard: It happened again, guys.

 

Selena Larson: Hey, Rick, how's it going?

 

Dave Bittner: Yes, you okay, buddy?

 

Rick Howard: No, I'm not okay. Every day is the same, I wake up, grab my coffee, and it's like nothing changes; same emails, same headlines, same spammy pop-ups. It's like my life has been caught in a loop.

 

Selena Larson: Caught in a loop, or maybe you just forgot to clear your cache?

 

Rick Howard: Ah, very funny, okay? [Laughter] But this is serious. Yesterday I saw an article about a phishing scam, today same article. Even the typos are identical.

 

Dave Bittner: Okay, Rick, let's think this through. Are you suggesting that you are stuck in a time loop? >> [Fading voice] Time's a flat circle.

 

Rick Howard: Yes, it's like I'm reliving the same day over and over. Yesterday -- or was it today, I did the crossword puzzle, and guess what, I knew all the answers.

 

Selena Larson: That sounds like muscle memory?

 

Rick Howard: It's not just that, I can even predict what you'll say next, like Selena, you're about to tell me to relax.

 

Selena Larson: Well, I was going to say that?

 

Rick Howard: See? Okay.

 

Dave Bittner: Okay, okay, Rick, this is getting ridiculous. Do you know what's really going on here?

 

Rick Howard: What, some kind of time looping ransomware attack, or maybe wait, a new APT messing with my brain?

 

Dave Bittner: Rick, you retired. [ Music ] >> [Computerized voice] Congratulations, Rick. Enjoy your retirement. Please hand in your badge, company laptop, and your American Express business credit card. There is free coffee and Pop-Tarts in the lobby. Thank you.

 

Rick Howard: What?

 

Selena Larson: Yes, Rick, this isn't Cyber Groundhog Day, it's called "retirement".

 

Rick Howard: No way, retirement wouldn't feel like this.

 

Selena Larson: Sure it would, it's called "free time".

 

Dave Bittner: Lots and lots of free time.

 

Rick Howard: You mean this is it, the same day on repeat until the end of time?

 

Selena Larson: I mean, only if you make it that way.

 

Dave Bittner: Why don't you pick up a hobby? Pottery's nice, or maybe skydiving.

 

Rick Howard: Skydiving?

 

Selena Larson: Or maybe write another book.

 

Rick Howard: Okay, that's actually not a bad idea.

 

Dave Bittner: See, there we go, welcome to retirement, day two. [Laughter]

 

Selena Larson: I was going to suggest maybe write some malware, Rick, but a book is a much better idea. [Laughter]

 

Dave Bittner: Mm-hmm.

 

Rick Howard: Yes, I'd be really good at writing malware, yes, sure. [Laughter]

 

Dave Bittner: How are you coding chops looking, Rick? [Laughs]

 

Rick Howard: Yes, let me fire up ChatGPT, okay? [Laughter] [ Music ]

 

Selena Larson: Well, today given that it is February, a month of romance, I thought, you know, it might be good to talk about romance scams and the unfortunate variety that we see that can be very, very successful, very, very expensive, and unfortunately, very sad.

 

Rick Howard: Dave, let me explain this to you, this romance thing, okay, you probably don't have any experience with it, so you know --

 

Dave Bittner: Me? [Laughs]

 

Rick Howard: Yes, it's very complicated. [Laughs]

 

Dave Bittner: I was going to say how adorable it is at how young Selena is that she thinks of February as being a month of romance. [Laughter] Like how comparatively early she is in her marriage experiment where -- or experience, rather, did I -- oh paging Dr. Freud, paging Dr. Freud. [Laughter] You know, I don't know, what, it's 32 years for me, Rick. How many years of marriage for you so far?

 

Rick Howard: I am over 40.

 

Dave Bittner: This is a quiz.

 

Rick Howard: Yes, over 40

 

Dave Bittner: It is a quiz, so you've got to get it right.

 

Rick Howard: Do I have to get it exactly right? Oh.

 

Dave Bittner: Yes. Well, you'd better, yes. I mean, I don't know -- I know for me there are consequences, but I don't know how it is for you, so yes. Well, tell you what, let's just go along with that. Yes, Selena, an entire month of romance. [Laughter] [ Music ]

 

Selena Larson: Well, unfortunately the scammers don't have a specific month in which they will target people. It is open season all months of the year. And I think it is pretty insidious and definitely worth talking about pig butchering, or as Interpol recently said we should call it, something like "romance baiting". So the typical words --

 

Dave Bittner: Well, we don't like, what, "pig butchering" because it elicits such great romance ideas, is that the idea?

 

Selena Larson: Yes, so actually it's actually kind of interesting. And I'd be curious to get your guys' take on this as journalists and folks who talk to a wide variety of people from your everyday users to CISOs at various companies. But Interpol is really calling for a shift in the language because, you know, it could be dehumanizing or victim shaming using the term "pig butchering". But I've seen people who are actually working in this space and are experts in pig butchering and have done a lot of work that say, "No, that language that we're using is actually getting to the core of this. Like the idea of pig butchering is in investment scam they talk to the potential victims, they sort of, quote, unquote, "fatten them up with", you know, these ideas, and romance, and they get them to invest lots and lots of money. And they get, you know, little payouts over time that appear to be growing their investment and then of course the rug is cut out from under them and their money is stolen. And that's where the sort of the "butcher" comes in. But it's actually originated from the Chinese Sha Zhu Pan. I might be saying that incorrectly, but it was -- when that translation was a little bit like "pig butchering". So that threat originated in China and when it came over to the West they started using this term "pig butchering" So it's kind of interesting, even having a debate over the language itself, but it is very, very insidious. And there have been reports that it can be up to $75 billion lost to pig butchering. Overall from some recent reporting that came out last year from the University of Texas, Austin, we've seen reports from IC3, of course, in the scam report that was $3.6 billion lost to cryptocurrency investments, a lot of this is pig butchering. So it's obviously -- regardless of the name, it's a very, very costly threat.

 

Dave Bittner: I think the term "pig butchering" is okay as a term of art within the security community, but I think it's correct to not use it with the victim --

 

Selena Larson: Hmm.

 

Dave Bittner: -- to not come at the victim and say, "Hey, you got pig butchered." You know, like that's not helpful. You know, it reminds me of back, oh, decades ago, you know, we wouldn't call a girl ugly, you would say, "She has an unconventional beauty." [Laughter]

 

Selena Larson: A face for radio, Dave, one might say?

 

Dave Bittner: Right; right, "When I look at you --

 

Rick Howard: And so -- well that's what --

 

Dave Bittner: -- time stands still," in other words, you have a face that could stop a clock. [Laughter]

 

Selena Larson: Right.

 

Rick Howard: Well, I'm with you, Dave, I really -- especially for the security community, names are important, all right, and sometimes they kind of all kind of mush together, they all sound so similar. "Pig butchering" has the benefit of standing out and it's like, "Whoa, 'pig butchering', okay, at least I know what that is." But I agree, we shouldn't shame those victims and call them things like that. But I wasn't going to do that anyway, so I guess we're okay.

 

Selena Larson: Absolutely. Well, and I think one thing that has shown throughout 2024 and hopefully in turn that continues into this year is victims who have been impacted by the scam oftentimes people who they're close to or their families are talking about it. And they're saying, you know, "This is how the scam works." And for those of you who might not be familiar, it's actually really interesting, underpinned by organized crime, much of it originating in Southeast Asia, and essentially it is a text message, a WhatsApp message, some chat says on various social media platforms, "Hey -- " if I'm messaging you, Rick, they would say, "Hey, John, how's it going? How are you," or, "I can't bring that casserole dish to the potluck later." And they have these sort of benign conversation starters, they're trying to entice you into a conversation, and then ultimately very often they tend to be romantic flavors targeting people who often have money that they can potentially easily part with, but then it builds up over time and this relationship that you have with this person on the internet turns out to be a scammer.

 

Dave Bittner: There's a couple things there, Selena, that you could help me clarify here, right? There's kind of two pieces. First it's a long-range scam -- I mean a long-running scam. This is not going to benefit right away. It takes days, weeks, months to get the payout if they're successful. Is that correct?

 

Selena Larson: Oh, absolutely. They do take the time to really build up that relationship. And there's often times where you can get some of your money out. So they'll let you take some of your money out to sort of lend credibility to this platform that you're investing in, or this, you know, opportunity that you're investing in, so --

 

Dave Bittner: So you can get more later, yes.

 

Selena Larson: So you get more later, yes. And of course it's not a real platform that you're investing in, it's the scam, and they're showing you what you want to see and they're, you know, trying to convince you of things. And you're never able to pull out more than you've invested in the platform. So they do have, you know, that type of control over your money. [ Music ]

 

Dave Bittner: And the second thing is this is not, you know, teenagers in the basement doing this, this is warehouses of people --

 

Selena Larson: Yes.

 

Dave Bittner: -- trying to do these scams, right? And also, there -- am I right about this, there are mostly indentured servants; is that a fair way to say that?

 

Selena Larson: Oh, absolutely, yes.

 

Rick Howard: There's a human trafficking element --

 

Dave Bittner: Yes, yes; yes.

 

Rick Howard: -- to all this behind the scenes.

 

Dave Bittner: Yes.

 

Selena Larson: Yes, it's really sad. It is very much organized crime, both in the physical space and the digital space. Many times people are lured into -- essentially trafficked into doing this type of work. They're presented as, "Oh, we have this job for you in this physical location. Fly to this country or this -- " you know, "region and we'll meet up with you at the airport and take you to a compound," in which you are basically forced into working like this. And the New York Times actually did some fantastic reporting about this a few months back. And there's been some other investigations into many of these compounds in Southeast Asia that are essentially, you know -- it's like modern-day slavery or like you were saying, indentured servitude, for a lot of these things so --

 

Rick Howard: That was being nice. It's not really that at all, it's trafficking, is what Dave said. You know --

 

Dave Bittner: Yes.

 

Rick Howard: -- it's more than that.

 

Dave Bittner: You are not given the option to leave.

 

Rick Howard: No.

 

Dave Bittner: And the article I was looking at in "Wired" said that they believe over 200,000 people have been trafficked to some of these scam centers in Southeast Asia. So you think about that, and that's a community.

 

Selena Larson: Yes, absolutely. And what I think is really interesting is this entire business model -- because that's what it is, right, it's a business model. I hate -- you know, I hate applying that idea of, you know, --

 

Dave Bittner: No, that's exactly what it is, yes. Yes.

 

Selena Larson: -- "entrepreneurship" to criminals. But yes, this business model is essentially based purely on social engineering. So it doesn't take a whole lot of technical ability to lure these types of victims. Obviously you have to have the internet, you have to have a mobile device. You have to do -- you know, oftentimes it does do some research, for example, looking at people's LinkedIn, or social profiles, or, you know, various other digital footprints to see what might work, you know, what type of lure can I use on this person, or what are they kind of interested in? And you know, if you are given a script, you work off a script, these people are saying, you know, "This is a tried and true method of social engineering somebody into investing money into this big platform." So you know, it's a step-by-step script-based process. And it's interesting because it's -- it really is -- like it's a digital threat, but it's also very much a psychological threat. And I think that that -- in my opinion -- I've said this, you know, many a times but my opinion the worst types of crimes are like the romance scamming or the ones that sort of really prey on people's vulnerability as individuals and as people and emotions. You know, obviously you don't want businesses to lose lots of money, but these types of things can force people. And there have been reports where people have done self-harm as a result of a lot of this loss, so it's -- yes it's really sad.

 

Rick Howard: So it's -- going with Dave's number it's 200,000 people running these kinds of ops. And assuming they're trained, how many ops can they run at the same time, do you suppose? It's in the 20s, 50s, 100s at the same time? What do you think?

 

Selena Larson: Oh, yes, I would say hundreds because, you know, these people are going to be talking to multiple people at the same time. Yes, and it's pretty interesting, I have a colleague that regularly engaged in these types of conversations and to see, you know, the playbook, it's the same playbook over and over that they're using. And from a technical perspective, it's interesting because they are sort of using the same web design, the sort of the same like backend. So you can rate detections pretty easily for a lot of these sites if you know what you're looking for in terms of like the code on the website, the -- you know, the various web responses, some of the domains that they're using; you can track them that way as well. But from the more social and psychological perspective there are -- the TTPs, if you will, of human brain hacking are also very similar, the same language, the same conversations, the same sort of like enticement. So it's very interesting. And it's been incredibly successful, but at the same time I think more and more people are becoming aware of it so that's a positive. [ Music ]

 

Dave Bittner: I know someone who is falling victim to this sort of thing.

 

Rick Howard: Oh, no.

 

Dave Bittner: Yes. It's a neighbor of mine. And it came to my attention because this person who is a good bit younger than me said, "I ran into this person, you know, out on the streets, you know, in the neighborhood where we live, and they said, 'Hey, good news, I'm engaged'." And I thought to myself, "Oh, well, that's -- all right, congratulations, that's really great," you know, and, "Well, tell me about her." [Laughter] Right, and, "Well, she doesn't live here. She lives in Florida. And -- but, you know, I'm super excited." And you know, this is a person who is a little bit down on their luck, this is a person who has some physical disabilities that keep them from having full mobility, so they spend a lot of time online and playing videogames, and you know, all that kind of thing. And I ended up chatting with this person's mother, and she said, "Yes, this person is scamming him, like just she's just bleeding him out of money." And it's not large amounts of money. You know, we're not talking about losing someone's retirement account or anything like that, because this person doesn't have that kind of money to be stolen. But there's no talking him out of it. I've spoken to him, his mother has spoken to him. You know, there's -- the veil is so much over his eyes, and the allure of just having someone who has interest in him --

 

Rick Howard: Yes, pay attention.

 

Dave Bittner: -- is so powerful that -- and I guess you balance that with he can afford it, right? I mean, it's not putting him out on the street, it's not --

 

Rick Howard: It's like watching a ballgame, going to a baseball game or something.

 

Dave Bittner: Exactly. Exactly. And so, you know, who knows how many dozens or hundreds of folks this person has on the hook. And it seems to me like this is a low-level kind of person compared to the folks who are running this out of, you know, foreign countries. But it's heartbreaking. It is absolutely heartbreaking. Because the -- like I said, there's no convincing this person that the love is not true, and everyone else can see that it's a scam. And I don't know how you fight that. I don't know how you help someone who's in that situation. And it's so hard to see someone you care about even, you know, a friend, a neighbor, falling victim to this sort of thing.

 

Rick Howard: Yes, mostly cyber people, you know, reach for the technical solution.

 

Dave Bittner: Right.

 

Rick Howard: And there isn't one here, right, that we -- you know, there's no -- we know that --

 

Dave Bittner: Right.

 

Rick Howard: -- it's a scam. Everybody else knows it's a scam --

 

Dave Bittner: Right.

 

Rick Howard: -- but you've got to convince the brain that it's --

 

Dave Bittner: Right, this person's --

 

Rick Howard: Right.

 

Dave Bittner: -- an adult.

 

Rick Howard: Yes.

 

Dave Bittner: It's their money, they can do, you know, what they want with it. So could be a lot worse. [ Music ]

 

Selena Larson: It's a good point, too, that you mention, you know, it's lower dollar values; because pig butchering or the sort of investment romance scams are just one type of romance scam, right? I mean, there's a lot -- going back centuries confidence scammers have happened. In fact, I was just reading Agatha Christie, she has multiple books in which young men scam elderly women out of their money because, you know, they pretend that they're, you know, interested in them, or whatever. And it's kind of like a tale as old as time, and it kind of goes back to your point like there isn't really a technical solution to this. It's an awareness issue, it's a discussion issue, it's an education -- I think it's part it's an education issue. But yes, I mean, I think what makes me have some hope are you see people like celebrities coming out and talking about these types of things like, "Hey, somebody's using my likeness to pretend to be in love with you. Don't fall for it." Like one of my favorite NBA players, Jared McCain, he was going to be rookie of the year, got injured, plays for the Philadelphia 76ers, he's amazing. But he did a little PSA, an Instagram ad that says, "Hey," you know, "if you get a DM from someone pretending to be me, don't fall for it." And he did this great educational video really targeting younger people who might not necessarily be aware of these types of things and who might, you know, get really excited that a famous basketball player is going to potentially be, you know, interested in them or whatever. And so I thought that that was -- it was really cool to see because it just randomly popped up on my feed and I'm like, "Wow, this is great that we're thinking about ways of better educating people, having people in high-profile positions be like, "Hey," you know, "this isn't -- this is how these scams work," and kind of breaking it down in, you know, young people speak, you know. [Laughter] Hit the Zoomer language.

 

Dave Bittner: Hmm. Mm-hmm.

 

Rick Howard: I'm so past that milestone, and I have no idea what you're talking about. [Laughter]

 

Dave Bittner: Yes, I'm with you. [ Music ]

 

Selena Larson: Stay tuned, there's more to come after the break. [ Music ]

 

Dave Bittner: I think when it comes to some social engineering scams, we have made progress, right? And I think about things like gift card scams where they're trying to send people off to the drugstore or the grocery store to buy gift cards. And I think we've done a good job of educating the folks who work at the grocery store or wherever where someone walks up with a fist full of gift cards that they're going to intervene.

 

Rick Howard: That sounds like a Clint Eastwood movie.

 

Dave Bittner: A fist full of gift cards?

 

Selena Larson: A fist full? [Laughter]

 

Dave Bittner: Yes, it's the remake. I don't know how it's going to be -- kind of brought it up to date, but this fist full of bitcoin, right? And it's even to the point where the automated systems, you know, that -- the actual point of sale device if it notices a bunch of gift cards coming through, it will pop up a thing to the person running the register, or if you're going through self-checkout, you know, it will say, "Hold on here," you hear some questions to ask. So I think we're doing well in recognizing that this sort of thing is happening and putting some steps in place to slow people down, but I wonder if either of you have any thoughts on like what are some of the things we could put in place for this to slow people down to get in the way of a process here?

 

Rick Howard: Oh, you're talking about a cure for loneliness, Dave. You know, and like Selena said, that's been going around since the beginning of time. I don't know -- I don't have a good solution for this.

 

Selena Larson: Well, I do think that when it comes to technical solutions, a lot of it does kind of depend on platforms taking action, right, because a lot of this is technically enabled by various platforms and --

 

Rick Howard: The platforms are going in the opposite direction of moderation.

 

Dave Bittner: Right. [Laughs]

 

Rick Howard: Right, so we -- that's not going to happen, okay?

 

Dave Bittner: Pig butchering is free speech. [Laughter]

 

Rick Howard: "Pig butchering is free speech," that's a sentence I never thought I would hear, okay? [Laughter]

 

Selena Larson: Yes, I mean, I think it's an interesting puzzle when it comes to kind of putting the onus on platforms regardless. But there is some good news in this. So back in November, it was reported that Meta removed two million accounts that were related to pig butchering scams. And there was essentially a coalition that was announced, the Attack Against Scams coalition that has a lot of some of these major players, big social networks, technical vendors that are kind of trying to come up with solutions to this problem. And I think, you know, in much the same way that we have become collectively better at identifying, detecting, and preventing things like gift card fraud, for example, is a great example where you have these like checks in place. I think in large part, that awareness in some of those checks in place kind of forced an evolution to maybe leaning in a bit more to things like investment scams. And I think there was this like perfect storm, this maelstrom of like cryptocurrency exploding, Matt Damon being on the Super Bowl saying, "Invest in Bitcoin," you know, beautiful people, Beyonce --

 

Dave Bittner: Is that what that commercial was about?

 

Selena Larson: Yes.

 

Dave Bittner: I -- [laughter] -- I did -- until you said that, I did not know that.

 

Selena Larson: Yes, just like, yes, these commercials being like, "Oh, yes, crypto is for everyone." And so you have this like this perfect storm of like, "Okay, we're aware of these other scams." But you know, I have people who I trust telling me that it's okay to invest in these things, and then you have these scammers being like, "Oh, have you heard of this," and kind of like leaning in and, you know, holding onto that idea of, you know, people being interested in investment. And what's actually kind of interesting, too, is -- I don't know, Purport recently put out some research about how some of the groups that are conducting the pig butchering and romance fraud have also expanded to include job scamming. So some of these lures are a lot more related to employment. So we're in an interesting time right now where, you know, a lot of people are looking for jobs. There's, you know, especially sort of work-from-home remote jobs, a point potentially in our society that is sort of exploiting this potential vulnerability of people who are looking for jobs and saying, "Okay, like this could be something easy for me. I can click on -- - do these reviews and make some cryptocurrency," except of course, it's fake. But it's interesting because if you look at some of the wallets, there is overlap in the scam types and the payments. And you know, there is this romance fraud, but there's also this job fraud. So it's like a whole ecosystem of fraud, I think, that's really reactive to what is most convincing to a general populous at this time. [ Music ]

 

Dave Bittner: I did hear a rumor of a potential solution for this. It's the -- and you guys can tell me if you see this is happening, but the generation behind Selena, the teenagers that are in school now, there is a small but growing movement of self-selecting off those social media platforms.

 

Selena Larson: Hmm. Mm-hmm.

 

Dave Bittner: They are deciding that it has not been good for the generation in front of them and some of them, and it's a growing movement. Like I said, it's only a rumor, I can't give you any data, but that sounds very promising to me.

 

Rick Howard: Well, let's -- here's hoping. [Laughter]

 

Selena Larson: Honestly, I love that, learn from our mistakes as millennials. [Laughs]

 

Dave Bittner: Oh, yes, that's what humans do best is learn from previous --

 

Rick Howard: Yes.

 

Dave Bittner: -- generations' mistakes. You know, I did hear a story and it -- I think I might have covered this on "Hacking Humans", I can't remember; but where a gentleman who got scammed is going after the banks that set up the accounts that his money was transferred into, and he's going after them saying that they had inadequate "know your customer" procedures in place. Because obviously banking is highly regulated and there are these regulations where banks supposedly have to know who their customers are. And if they fall short on that, then what this person's looking for is liability. And I think, you know, there is another way to move the needle. If you put someone on the hook for this, then now you've got someone who has a vested interest in shutting it down, right?

 

Rick Howard: I love that idea. And the banks have been pretty good about some -- you know, and credit card companies have been good at that -- those kinds of things. And you know, the antifraud stuff they've done over the last 20 years has been phenomenal. I've always thought that the social media platforms should have something like that. You should know who all your customers are, right, then it starts getting to free speech issues and all that kind of thing. And that's -- I don't think it's ever going to happen. But I would love to know that person on the other line on Facebook is really who she says she is.

 

Dave Bittner: Right; yes.

 

Selena Larson: And I think, too, we've seen this with cybercrime. There have been -- we've talked about this on the podcast, even previously over the last year some really good collaborations across law enforcement, public/private sector, both in the US and abroad with law enforcement partners, to focus on doing these takedowns and disruptions and, you know, arresting people; certainly things like sanctions against various countries who we often see in response to things like significant APT attacks, things like that. And so I think, you know, having sort of like broad coalition of people who are focused on disrupting this problem; because I think part of the reason why it got so bad is because there is a bias in cybersecurity and technology that scams are just not as important or worth, you know, focusing on. There is -- it can -- oftentimes it can be harder to sort of track it down. But --

 

Dave Bittner: Yes; but what did you say the dollar figure was, Selena, it's --

 

Rick Howard: She said it was in the billions, or was it trillions?

 

Selena Larson: Well, I saw one study that said $75 billion lost to pig butchering. That was published last year. And then, you know, just in the last year, the FBI I see three reports said it was $3.6 billion to investment scams and that's, of course, just here in the US. So it's a significant issue. And I think, you know, when we -- there was this -- I think there's a mindset that a lot of people still have that, "Well, you shouldn't fall victim to that. You -- this is your fault because you are susceptible to this," like, "This is your fault," and as opposed to, "You are a victim of this predator and this crime that happened." And so I think that narrative is changing a lot, is shifting a lot, and I think that that can only be good for tracking, targeting, and disrupting this type of threat. [ Music ]

 

Rick Howard: And I think it might be easier, too, if -- especially when you're thinking of these warehouses of scammers, okay, I think you can find the country that's up in the network, right, where the traffic has to go through and say, "We should not be allowing that warehouse to be functioning." And I think that could be done technically. And since it's so much money, it might be worthwhile doing it. It would be -- it's different if it's just grandma, you know, but if it's -- you know, if it's 500 people scamming billions of dollars, that might be worth shutting that IP address off.

 

Selena Larson: Yes, exactly, like the enterprise, like you've got to disrupt the whole business; yes. [Laughs] Mm-hmm.

 

Dave Bittner: Yes. Well, and there has been some progress with that. There's been, you know, international political pressure from folks like Interpol who have taken down some of these places, but it's the old whack-a-mole and there's always a place in the -- somewhere in the world where somebody's willing to look the other way for some kind of grift. And I think there's also the attitude that as long as you're not scamming your countrymen, then that's probably okay.

 

Rick Howard: Yes, it's somebody else's problem.

 

Dave Bittner: So that's hard as well, yes. Well, this is a tough one. And I think education is key. I think, kind of to Selena's point, that it's really important to let all your family members know that there's no shame in this, right, that you are a person that they can go to if they find themselves falling victim to something, that you're not going to judge them, you're not going to think they're stupid, you're not going to make fun of them, so that they don't feel embarrassed, or alone, or that they have nowhere to go. That's a huge part of this as well. These people are so good at isolating their victims, right?

 

Rick Howard: They are, okay, and great at moving them down to the ultimate path of giving them lots of money, right, that's -- like Selena said, it is a campaign that works. It is hit, repeat.

 

Dave Bittner: Yes. I think it's also really frustrating because certainly local law enforcement are not equipped to deal with this, you know. Time and time again, I hear stories where somebody gets scammed out of even just a few thousand dollars, which -- that's a lot of money. You know, in the pig butchering world, that's not a lot of money, but to an individual, that's a lot of money. And they think to themselves, "What am I going to do?" And they call the local police and the local police say, "I'm sorry, there's nothing we can do for you. It's just gone." And I don't know how we get past that because -- I mean, the fact of the matter is it is gone, there is no getting it back. But I also think there's an attitude with law enforcement that because this is a nonviolent crime that it's not worth running down.

 

Rick Howard: They have to prioritize, right, because, you know, law enforcement has limited resources. If you want them --

 

Dave Bittner: Absolutely; absolutely.

 

Rick Howard: -- spending time on this or, you know, solving the eight murders that came across your desk right; and so yes.

 

Dave Bittner: But I think looping back to something Selena was talking about earlier, it is not victimless, right, the emotional and psychological burden that people take on when they fall victim to this is huge. So this idea that it's victimless, I think we need to get past that idea as well.

 

Rick Howard: And that's really hard because when that stuff comes up, our initial reaction is always, "How could you fall for that?" You know --

 

Dave Bittner: Yes.

 

Rick Howard: -- we're always judging the people. And you're right, we need to get past all that.

 

Selena Larson: Well, and I think a very effective way of communicating some of these things is using media and pop culture. So for example, there was an episode -- or the last season of "Truth Detective" there was a romance scam subplot where one of the characters was having a romantic relationships with a woman overseas via text and it was very similar, "Oh, we're getting engaged," this and that. And you know, from a viewing audience, as soon as the phone was on the screen the first time, I said, "I know what is happening here." [Laughter]

 

Dave Bittner: We all did.

 

Selena Larson: But -- yes, but --

 

Dave Bittner: The only person that didn't was the guy on the phone, right, so --

 

Selena Larson: Yes, but from like if you're viewing this as a person who might have never been exposed to this before, like I think that's a really interesting way of, you know, it's bubbling up to the mainstream, we're having these conversations. It's a plot in a book that I'm currently reading is scamming elderly victims out of their money by socially engineering them essentially. And so it's really interesting because I -- for some reason, I've recently had a lot more sort of like -- these storylines are popping up in places where it isn't the main -- like cybersecurity or technology isn't the main plot here. It's conversations, it's leaking into murder mysteries, it's leaking into, you know, television, it's, you know, people on Instagram who have huge followings being like, "I will never send you these." And so I think we have -- I hope at least we've kind of gotten past that, "We can't talk about this. This is so embarrassing. This is so humiliating." I think there's a lot of -- scams tend to do that, they tend to make you feel bad. And oftentimes the tactics are, "Don't tell anyone that you're talking to me. Don't tell your mom that we're having this conversation. Don't tell, you know, your colleagues that you have a girlfriend." Like they sort of try to isolate you. And I think human nature, we want to talk to people, we want to communicate. And I think the more that we do that, the more that we can educate people and tell people about this, and get it into parlance, you know, that isn't just like, "Cybersecurity pig butchering," but it's, you know, watching someone's dad fall victim to this horrible thing on a television show that you're watching is I think how we're going to kind of get past this; and of course, working together and solving these troubles. And I encourage everyone who works in cybersecurity and InfoSec to take a step back and when you hear something like this, try and remove your bias. Because, you know, like Rick, you said, the gut instincts is, "Well, you fell for this; like this is your fault." But I really, really encourage people to think about it from the perspective of the victim of someone who has been emotionally manipulated into doing something. And I think, you know, if we can all kind of get over these biases, we'll be a lot better equipped to help solve these problems.

 

Rick Howard: Well, for one, I'm just grateful that you brought up the last season of "True Detective" because it is excellent, okay?

 

Selena Larson: It's so good. [Laughter]

 

Dave Bittner: See, there you go, Rick, you've got plenty of time now in your retirement --

 

Rick Howard: I do; I want to go look at that now. That's a --

 

Dave Bittner: -- to check out -- and he's just binge-watching everything. You know, it is a shame, when Rick was working in tech, he was constantly pushing for innovation, and in retirement the only thing he's pushing is this news button. [Laughter] It's, "What day is it? What time is it?"

 

Rick Howard: Or repeat; yes, repeat.

 

Dave Bittner: Yes. No, no, no.

 

Selena Larson: Well, you know, Rick, people in retirement tend to be high targets of some of the scams that we're talking about today, so --

 

Rick Howard: Well, I was going to mention to you guys, I met this girl online and she, you know -- [Laughter]

 

Selena Larson: Is she sending you pictures of her food, and her uncle's business, and -- that's -- they love doing that.

 

Rick Howard: My wife's not too happy about that, but I told her it's totally legit, okay, totally.

 

Dave Bittner: Okay.

 

Rick Howard: Totally; sure.

 

Selena Larson: It's real, it's real; yes, absolutely.

 

Dave Bittner: Yes, she's just looking for some mentorship.

 

Rick Howard: That's all it is; that's right. [Laughter]

 

Dave Bittner: Absolutely. [ Music ]

 

Selena Larson: We'll be right back. [ Music ]

 

Dave Bittner: All right, friends, well this was a very interesting conversation, and -- but not an easy one, but I think it's important.

 

Rick Howard: No, no.

 

Dave Bittner: So hopefully this is the kind of show that folks can spread around and share with their friends and family, and maybe vaccinate some folks against some of these scams. It's so important. [Dog barks]

 

Selena Larson: I'm sorry, guys, the mailman came and Ben has a lot of opinions about this. And I think, you know, Dave, to your point, I hope our audience shows people -- the people that they love use this as a Valentine's gram --

 

Rick Howard: Okay.

 

Dave Bittner: If nothing --

 

Selena Larson: -- to warn them against the horrors that persist. [Laughter]

 

Dave Bittner: Oh.

 

Rick Howard: I just want Elliott, our sound engineer, to know that the dog barking wasn't mine, okay? So Elliott --

 

Dave Bittner: Yes. [Laughter] Yes. Oh, nothing more romantic, "Oh, honey, I love you. Here's a link to a podcast about scams." [Laughter] "Terrific."

 

Rick Howard: A really depressing pig butchering discussion.

 

Dave Bittner: Yes, yes. Let's --

 

Selena Larson: "This discussion of brain hacking and emotional manipulation reminded me of you." [Laughter]

 

Dave Bittner: Yes. That's great. That's good. All right, friends, thank you so much; great fun --

 

Rick Howard: Yes, and it's good to see you guys.

 

Dave Bittner: -- and we'll talk to you guys next time.

 

Selena Larson: And that's "Only Malware in the Building", brought to you by N2K Cyberwire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead in the ever-evolving world of cyerbersecurity. If you like the show, please share a rating and review in your podcast app. This episode was produced by Liz Stokes. Mixing and sound design by Tre Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher.

 

Dave Bittner: I'm Dave Bittner.

 

Rick Howard: And I'm Rick Howard.

 

Selena Larson: And I'm Selena Larson. Thanks for listening. [ Music ]

Only Malware in the Building
Podcast Info
HOST(S):
Selena Larson
Dave Bittner
Selena Larson is a Staff Threat Researcher and Lead, Intelligence Analysis and Strategy at Proofpoint on the Threat Research team. She collaborates with fellow researchers to identify and investigate advanced cybercriminal threats and develop actionable threat intelligence. Previously, she was a Cyber Threat Analyst for the industrial cybersecurity firm, Dragos, and a cybersecurity and privacy journalist.
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Schedule: Monthly
Creator: N2K