Hacking Humans

This week we are joined by N2K CyberWire's very own Catherine Murphy, and she is sharing her family's experiences with Lurie Children's Hospital's recent cybersecurity incident. Dave shares a story on the dangers of Googling airline customer service numbers when an issue occurs. Joe shares another story on scary scams that are costing people millions of dollars, now getting the FBI involved. Our catch of the day was found from the Washington University in St. Louis from their Scam of the Month posting, which shares another tale of a scam, this time trying to recruit for an open vacancy as a research assistant for undergraduates. The scammers pose as a Professor of Computer Science and Engineering to try and get students to sign up for this fake job posting. Please take a moment to fill out an audience survey! Let us know how we are doing! Links to the stories: I’m begging you not to Google for airline customer service numbers Elaborate scam involves gold bars and couriers; cost a Maryland woman $2 million Scammers Use Couriers to Retrieve Cash and Precious Metals from Victims of Tech Support and Government Impersonation Scams Scam of the Month: RESEARCH ASSISTANT VACANCY FOR UNDERGRADUATE Ransomware gang claims to have made $3.4 million after attacking children’s hospital Have a Catch of the Day you'd like to share? Email it to us at [email protected].

In this case Identity is the set of credentials, usually electronic that vouch for who you are and theft is to steal. The theft of a person's identity for purposes of fraud.

This week we are joined by Maria Varmazis, host of the N2K daily space show, T-Minus. She discusses how AI is being used as a possible solution to one of the oldest scams in the book in Japan. Dave and Joe share some listener follow up, one from listener Alan and one from Clinton, who both write in about a recent episode and they share their thoughts on the story of Charlotte Cowles being scammed out of $50,000. Dave shares a story about calendar meeting links, from Calendly, a popular application for scheduling appointments and meetings, being used to spread mac malware. Joe shares write ins from several listeners, some writing in to share experiences with scams they have come across, others writing to warn others on scams they have seen used in the real world. Our catch of the day comes from Zach with an oddity, getting scammed by mail! Please take a moment to fill out an audience survey! Let us know how we are doing! Links to the stories: Japan’s new ATMs automatically play anti-fraud videos to people talking on mobile phones【Video】 Fraudsters in Japan use foreigners' bank accounts in cash grab 【警察庁】ATMで携帯電話…AIで検知し警告表示 特殊詐欺の被害増受け Calendar Meeting Links Used to Spread Mac Malware IDcare You can hear more from the T-Minus space daily show here. Have a Catch of the Day you'd like to share? Email it to us at [email protected].

A probability simulation technique used to understand the impact of risk and uncertainty in complex problems.

Mike Kosak, Principal Intelligence Analyst at LastPass, is discussing passkeys, threat actors, and Volt Typhoon. Joe shares a new free certification you could get if you are looking to get into the field. Joe also shares a terrifying story about how everyone can be conned, and it's not as obvious as it may seem sometimes. Dave's story is warning Costco members of a new phishing scam that attempts to steal their credit card information. Our catch of the day comes from listener Pryce who shares an email they received regarding a charge they are getting from "NortonLifeLock." Links to the stories: FREE Entry-level Cybersecurity Training + Certification Exam Put your smugness away. You are not too clever to be conned. New Costco Membership Scam Targets Members' Credit Card Information Have a Catch of the Day you'd like to share? Email it to us at [email protected].

A software, hardware or hybrid encryption layer between two devices on the network that makes the traffic between the sites opaque to the other devices on the same network.

This week we are joined by Maria Varmazis, host of the N2K daily space show, T-Minus. She brings us a scary story from a woman who never thought she'd ever be scammed. Dave and Joe shares some follow up before getting into their stories, they share a story from a listener who sent in a LinkedIn link about scammers targeting Walmart. They also share a question from listener Cynthia, who asks about bank scam covered before, and how to respond to these scams. Dave shares a story from an anonymous source this week, who writes in about the dangers of crypto scams. Joe has two stories for us this week, the first one being from a friend of his that works for a company that specializes in military contracts. This company was hiring an employee and received three emails that all were very similar to one another, sharing that this is a red flag and wanted to write in to share the dangers of this scam. The second story is a very similar story to the one covered on Andy Cohen a few episode ago, and shares how a Jefferson county couple were scammed out of hundreds of thousands of dollars. Our catch of the day comes from listener Thomas who shares a story on AI voices sounding like famous people and his experience. Links to the stories: The Day I Put $50,000 in a Shoe Box and Handed It to a Stranger I never thought I was the kind of person to fall for a scam. Phishing scam dupes Jefferson County couple out of $137K Phishing bank scam dupes Golden couple out of $137K SCAM HELL Walmart ‘gift card scammers’ caught spending $15k on jewelry, big-screen TVs and lobster tails at Sam’s Club You can hear more from the T-Minus space daily show here. Have a Catch of the Day you'd like to share? Email it to us at [email protected].

From the intrusion kill-chain model, the delivery of a “lure” via a text message to a potential victim by pretending to be some trustworthy person or organization in order to trick the victim into revealing sensitive information. Smishing is a portmanteau word made of two other words, the acronym “SMS” and the cyber coinage “Phishing“. It’s a text-message-centric variation of the email-based phishing scams that have been around since the 1990s. The term “Smishing” arose in the late 2000s.

Aaron Walton, Threat Intel Analyst from Expel is discussing some things to look out for in 2024. Joe and Dave share some listener follow up from Mateusz, who shares some positive news with us. Dave's story is about a romance scammer coming clean after failing to woo CBS News reporter, Erica Johnson. Joe's story is on the latest decision from the FCC, and how they voted to ban scam robocalls that use AI-generated voices. Our catch of the day comes from listener Chuck, just in time for tax season, he warns against a phishing scam he received about his taxes. Links to the stories: Romance scammer reveals how he tricks women after failing to fool Go Public reporter FCC votes to ban scam robocalls that use AI-generated voices Have a Catch of the Day you'd like to share? Email it to us at [email protected].

A network switch configuration setting that forwards a copy of each incoming and outgoing packet to a third switch port. Also known as SPAN or Switched Port Analyzer, RAP or Roving Analysis Port, and TAP or Test Access Point. When network managers and security investigators want to capture packets for analysis, they need some sort of generic TAP or Test Access Point. You can buy specialized equipment for this operation but most modern switches have this capability built in.

This week, we are joined by host of N2K's T-Minus Space Daily podcast, Maria Varmazis, she sits down with Joe and Dave to discuss sextorion materials that were found on popular social media apps such as, TikTok, Instagram, Snapchat and YouTube. Joe and Dave share quite a bit of follow up, Joe starts with an anonymous listener writing in sharing their story on gift card scams. Dave shares another anonymous listeners comments, sharing about what they think of Andy Cohen going public on how he got scammed. Finally, Joe and Dave hear from a listener by the name of "The Computrix," who says they need to defend Walmart. Dave share's his story about the most common phishing email themes of 2023. Joe's got the story of ransomware not being paid the same way as it used to be by companies, and share the two different angles on that. Our catch of the day comes from listener William, who writes in with a phishing scam that caught his eye. Links to the stories: Sextortion training materials found on TikTok, Instagram, Snapchat and YouTube, according to new report Most Common Phishing Email Themes of 2023 Companies aren’t paying ransoms like they used to New Ransomware Reporting Requirements Kick in as Victims Increasingly Avoid Paying FBI: Scammers Are Sending Couriers to Collect Cash From Victims You can hear more from the T-Minus space daily show here. Have a Catch of the Day you'd like to share? Email it to us at [email protected].

A reflection or amplification distributed denial-of-service attack in which hackers query Internet network time protocol servers, NTP servers for short, for the correct time, but spoof the destination address of their target victims.

Jaeson Schultz, Technical Leader from Cisco Talos, is discussing "Spammers abuse Google Forms’ quiz to deliver scams." Dave's story discusses the disturbing new trick up a scammers sleeve to get you to fall for their schemes. Joe has two stories this week, the first a warning to those who pick up scammers phone calls and what that can lead to after gaining access to your voice. Joe's second story follows a band of organized thieves and how they have been targeting high-end homes across Metro Detroit. Our catch of the day comes from listener Van, who writes in to share a fun catch from a scammer who left a voicemail. Links to the stories: Spammers abuse Google Forms’ quiz to deliver scams Scammers are stealing people's faces for live video calls All it takes is one sentence for AI to clone your voice Expert says alleged recording of racist, antisemitic rant by Pikesville High principal could be fake Videos: Organized crews smash glass, use jammers to break into high-end Metro Detroit homes Have a Catch of the Day you'd like to share? Email it to us at [email protected].

From the intrusion kill-chain model, the delivery of a “lure” via a text message to a potential victim by pretending to be some trustworthy person or organization in order to trick the victim into revealing sensitive information. Smishing is a portmanteau word made of two other words, the acronym “SMS” and the cyber coinage “Phishing“. It’s a text-message-centric variation of the email-based phishing scams that have been around since the 1990s. The term “Smishing” arose in the late 2000s.

Abhilash Garimella from Bolster joins to discuss a USPS phishing campaign abusing freemium dynamic DNS and SaaS providers. Dave and Joe share some follow up, one was from listener Mike who wrote in to tell us about a breach at Resend, another was regarding a previous episode on grief and the internet, and finally Joe and Dave discuss a listeners response to a previous episode regarding an SMS scam a listener wrote in about. Dave shares a story on Walmarts relaxed security methods and how scammers may be exploiting them. Joe shares a couple articles relating to the ever growing pop star Taylor Swift and how criminals are using her face to scam. Our catch of the day comes from Joe this week, and he shares an interesting looking email he received from "Apple." Links to the stories: Facebook users targeted with “I’ll miss him so much” scam Incident report for January 10, 2024 How Walmart’s Financial Services Became a Fraud Magnet Taylor Swift, Selena Gomez deepfakes used in Le Creuset giveaway scam No, That’s Not Taylor Swift Peddling Le Creuset Cookware Have a Catch of the Day you'd like to share? Email it to us at [email protected].

A network switch configuration setting that forwards a copy of each incoming and outgoing packet to a third switch port. Also known as SPAN or Switched Port Analyzer, RAP or Roving Analysis Port, and TAP or Test Access Point. When network managers and security investigators want to capture packets for analysis, they need some sort of generic TAP or Test Access Point. You can buy specialized equipment for this operation but most modern switches have this capability built in.

This week we are joined by the host of T-Minus, N2Ks very own Maria Varmazis brings her own story and discusses with Dave and Joe. We start off with Joe, and he brings in the story of Andy Cohen and how he fell victim to a credit card scam and shares what he had learned through the experience. Maria shares Arctic Wolf Labs' story and how they have investigated several cases of Royal and Akira ransomware victims being targeted in follow-on extortion attacks dating back to October of 2023. Lastly, Dave shares his story warning YouTube users about videos promoting cracked software that is distributing Lumma Stealer. Our catch of the day comes from listener Jon, he shares and email that had made it through his spam filter. You can hear more from the T-Minus space daily show here. Links to the stories: Exclusive: Andy Cohen fell victim to a credit card scam. Here's what he learned Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware Beware! YouTube Videos Promoting Cracked Software Distribute Lumma Stealer Have a Catch of the Day you'd like to share? Email it to us at [email protected].

NDR tools provide anomaly detection and potential attack prevention by collecting telemetry across the entire intrusion kill chain on transactions across the network, between servers, hosts, and cloud-workloads, and running machine learning algorithms against this compiled and very large data set. NDR is an extension of the EDR, or endpoint detection and response idea that emerged in 2013.

Frank Riccardi sits down to discuss how cybercriminals exploit people’s fondness for reused passwords to launch credential stuffing attacks. Dave and Joe share a bit of follow up, one from a listener named Steve who shares some push back from the 23andMe story from last week, and the other from a listener named Michael who shares a story of unpaid toll scams. Joe shares the story of a Utah exchange student and how he fell victim to a cybersecurity kidnapping, and now authorities are trying to figure out how it happened. Dave shares a scam about tragic fake posts that lead to a "win now" website, that has been flooding his Facebook feed. Our catch of the day comes from Jon who writes in to share a suspicious email that made it through the spam filter in Google. Links to the stories: After Utah exchange student cyber kidnapping, we're looking at how the scam works Have a Catch of the Day you'd like to share? Email it to us at [email protected].

Technology, software and hardware deployed without explicit organizational approval. In the early days of the computer era from the 1980s through the 2000s security and information system practitioners considered shadow IT as completely negative. Those unauthorized systems were nothing more than a hindrance that created more technical debt in organizations that were already swimming in it with the known and authorized systems.

Alethe Denis from Bishop Fox is talking with Dave and Joe with her take on the 23AndMe breach. Dave and Joe share some follow up from listener Michael, who writes in to share thoughts on our catch of the day from last episode, regarding the voice mail from Spectrum. Dave shares a story on email security, and how human factors have a heavy influence on it, especially with people's vulnerability to phishing and social engineering. Joe has two stories this week, his first story is a good wrap on the holiday's and gift card scams. Joe's second story is a jump on tax season quickly approaching, and how the IRS is helping taxpayers by providing penalty relief. Our catch of the day is a good example of what not to do when phishing/scamming people, luckily the receiver was smarter than the sender. Links to the stories: How Human Elements Impact Email Security "Vanilla Gift" card issuer faces lawsuit over card-draining scam risk IRS helps taxpayers by providing penalty relief on nearly 5 million 2020 and 2021 tax returns; restart of collection notices in 2024 marks end of pandemic-related pause News Insights: 23AndMe with Alethe Denis, Security Expert - Red Team Have a Catch of the Day you'd like to share? Email it to us at [email protected].

Matt Lewis from the NCC Group joins to discuss how cybercriminals can decode your personality through AI conversations to launch targeted attacks at you. Dave and Joe share some follow up from listener Sydney, who writes in to share her thoughts on an FCC proceeding and how it could be of greater relevance to IoT security than SBOMs and HBOMs. Dave also shares a story from a listener from last Christmas, sending a warning to holiday shoppers. Dave has two stories this week, he shares one regarding an announcement on holiday scams coming out. His other story follows Zelle finally caving in to provide some relief to scam victims. Joe's story follows new crypto-theft attacks and warns people against the new tactics. Links to the stories: 2023 Holiday Shopping Scams Zelle finally caves after years of refusing to refund scam victims Microsoft: BlueNoroff hackers plan new crypto-theft attacks Have a Catch of the Day you'd like to share? Email it to us at [email protected].

Thanks for joining us again for another episode of a fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch some holiday classics, describe the on-screen action for you, and then they deconstruct what they saw. Grab your Christmas cookies and join us for some fantastic scams and frauds. Links to this episode's clips if you'd like to watch along: How The Grinch Stole Christmas (2000) How The Grinch Stole Christmas (Cartoon) The Greening of the Grinch (magazine)

Adam Bateman, Co-Founder & CEO at Push Security, is sharing some of the latest phishing trends his team has been observing. Dave and Joe share some listener follow up from Michael, who writes in with a new idea, calling it "eDeception." With the holiday season practically here, Joe shares a story about gift card scams, reminding everyone to be safe this holiday season. Dave's story follows a new iPhone update regarding stolen device protection in an upcoming version of iOS. Our catch of the day comes from listener Van who sent in an audio catch about Spectrum users. Links to the stories: Amid holiday shopping, thieves utilize new scam eliminating gift card balances iOS 17.3, Now in Beta, Includes New ‘Stolen Device Protection’ Feature Have a Catch of the Day you'd like to share? Email it to us at [email protected].

The resilience discipline of controlled stress test experimentation in continuous integration/continuous delivery environments, CI/CD environments, to uncover systemic weaknesses. CyberWire Glossary link: https://thecyberwire.com/glossary/chaos-engineering Audio reference link: Farnam Street, 2009. Richard Feynman Teaches you the Scientific Method [Website]. Farnam Street. URL https://fs.blog/mental-model-scientific-method/

Seth Blank, CTO of Valimail, joins to discuss the implications on email security on behalf of DMARC. Joe and Dave share some follow up regarding Meta, who is the parent company to Facebook and Instagram, and how they are now in a lawsuit over steering predators to children in New Mexico. Joe shares how he was almost hacked, as scammers used Peacock to lure him in. Dave's story continues with popular streaming apps being impersonated, this time with Disney+ falling victim. Joe's story follows the U.S. Attorney’s Office, the FBI, and State and Local Law Enforcement Officials sharing another "Don't click December" PSA. Our catch of the day comes from listener Mauricio, who writes in sharing a phishing email, from "PayPal," saying he has an invoice of almost $600. Links to the stories: Facebook and Instagram Steer Predators to Children, New Mexico Attorney General Alleges in Lawsuit Threat actors impersonate Disney+ with considerable guile U.S. Attorney’s Office, the FBI, and State and Local Law Enforcement Officials Release Second “Don’t Click December” PSA Have a Catch of the Day you'd like to share? Email it to us at [email protected].

From the intrusion kill chain model, a program that provides command and control services for an attack campaign. While the first ever deployed RAT is unknown, one early example is Back Orifice made famous by the notorious hacktivist group called “The Cult of the Dead Cow,” or cDc, Back Orifice was written by the hacker, Sir Dystic AKA Josh Bookbinder and released to the public at DEFCON in 1998.

Mike Price from ZeroFox sits down to discuss what 2023 phishing trends mean for the broader industry as we quickly approach 2024. Dave and Joe share a serious write in from listener Michelle who shares her pleads for her aunt, who she believes is being catfished. Listener Marc also writes in with an email that claims to be from "Walmart," that he is quite suspicious of. Joe's story follows Meta, and how they have designed products to target and harm kids. Dave's story is on bad bots and the dangers they pose with fake businesses that are maximizing their illicit earnings. Our catch of the day comes from listener Konstantin, who shares and email received from scammers claiming to be "McAfee," trying to get payment of almost $600. Links to the stories: Meta Designed Products to Capitalize on Teen Vulnerabilities, States Allege Breaking (Bad) Bots: Bot Abuse Analysis and Other Fraud Benchmarks Have a Catch of the Day you'd like to share? Email it to us at [email protected].

A mathematical method by which one party (the prover) can prove to another party (the verifier) that something is true, without revealing any information apart from the fact that this specific statement is true. CyberWire Glossary link: https://thecyberwire.com/glossary/zero-knowledge-proof Audio reference link: Staff, 2022. Zero Knowledge Proofs [Video]. YouTube. URL https://www.youtube.com/watch?v=5qzNe1hk0oY

Chip Gibbons, CISO at Thrive, sits down with Dave to talk about how to defend against social engineering attacks in banking. Dave starts us off this week with a story about Amazon opening up its selling market to Pakistani residents, and what consequences that led to for the organization’s business. Joe's story follows a scam targeting soldiers in the Army. The Army warns against unknown individuals purporting to be noncommissioned officers that are calling said soldiers and asking them for money to fix a "pay problem" and, if questioned, threatening them with a punishment. Our catch of the day comes from listener Manie who writes in about a scam found when trying to download a HDRI (High Dynamic Range Image). The scam involves a fake ad asking for people’s cell phone numbers as soon as they click on a button that reads "download here". Manie shares how after she clicked the ad, she realized the mistake and immediately researched more before proceeding further. Links to stories: Amazon finally authorized Pakistani sellers. A wave of scammers followed Army Warns of Scam Targeting New Soldiers Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A social engineering scam where fraudsters spoof an email message from a trusted company officer that directs a staff member to transfer funds to an account controlled by the criminal.

Thanks for joining us again for another episode of fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds. Links to this episode's clips if you'd like to watch along: Dave's clip from the movie: Chicago P.D. Rick's clip from the movie: The Imitation Game

A U.S. law designed to improve the portability and accountability of health insurance coverage. CyberWire Glossary link: https://thecyberwire.com/glossary/hipaa Audio reference link: Dr. Dana Brems, 2021. Doctor reacts to “HIPAA violations” [Video]. YouTube. URL https://www.youtube.com/shorts/Ksk00s8a_IU

John Wilson, Senior Fellow, Threat Research at Fortra, joins to discuss email impersonation attacks which found that nearly 99% of these threats can be classified as business email compromise. Dave and Joe share some listener follow up from Terry, who writes in with some comments on episode 262 regarding cybersecurity jargon used. Joe's story comes from a listener this week, this individual writes in sharing the horror story he had to deal with when him and his wife ended up on a target list for scammers. Dave's story follows Elon Musk and Joanna Gaines, co-host of the HGTV show "Fixer Upper," and how they are selling a scam device that claims to lower your electricity bills. Our catch of the day comes from listener William, who writes in sharing an email he received from the"Tampa International Airport Police Department Florida," saying they want to release his fund with the service of DHL Courier Company. Links to the stories: Worst fake "power saver" plug yet Better Business Bureau Elon Musk Energy Saving Device: The Scam You Need to Know About Have a Catch of the Day you'd like to share? Email it to us at [email protected].

A physical security access control device consisting of an enclosed hallway with interlocking doors on each end where both doors can’t be open at the same time. A person presents credentials to the entry doorway. If authorized, the entry door opens and the person walks into the mantrap. The man trap exit door will not open until the entry door closes. The person presents credentials to the exit door. If authorized, the exit door will open. If not, the person is captured in the man trap until security arrives to handle the situation. Physical security leadership installs man traps to separate unrestricted areas from restricted areas, to prevent tailgating by uncleared personnel, and to impede access by unauthorized persons.

This week we are joined by Harry Maugans from Privacy Bee who sits down to discuss how our digital breadcrumbs, old and new, are coming back to haunt us. Joe and Dave discuss some follow up from listener Phil, who writes in with a question about the safety of IoT and consumer devices. Dave's story follows the ever so popular YouTube, and its implemented measures to prevent users with ad blockers from watching videos. Joe shares a personal story from a friend regarding a scam he had fallen for, where the scammer got personal information and threatened him, asking for $500. Our catch of the day comes from listener John who found a hilarious text conversation on reddit that he just had to share. Links to the stories: YouTube's ‘War’ on Adblockers Shows How Google Controls the Internet Have a Catch of the Day you'd like to share? Email it to us at [email protected].

A qualitative public framework for rating the severity of security vulnerabilities in software. CyberWire Glossary link: https://thecyberwire.com/glossary/common-vulnerability-scoring-system Audio reference link: Peter Silva, 2020. What is Common Vulnerability Scoring System (CVSS) [Video]. YouTube. URL https://www.youtube.com/watch?v=rR63F_lfKf0

James Dyer and Jack Chapman of Egress join to discuss "Cybercriminals don’t take holidays: How bad actors use this two-step phishing campaign to weaponize out-of-office replies." Dave and Joe share some listener follow up from Ron, who has a suggestion about registration specific email accounts. Joe has two stories this week, one where he shares some good news on a scammer who received some justice after taking part in a $66K romance scam. His second story is on social media and how it is a breeding ground for scammers. Dave's story this week follows how Google-hosted malvertising leads to a fake keepass site that looks genuine. Our catch of the day comes from our very own editorial staff who share an interesting email they received from the infamous National Security Department. Links to the stories: N.J. man sentenced to prison for taking part in $66K romance scam Social media: a golden goose for scammers Google-hosted malvertising leads to fake Keepass site that looks genuine Have a Catch of the Day you'd like to share? Email it to us at [email protected].

A word, phrase, or sentence formed from another by rearranging its letters. For example, cracking a columnar transposition cipher by hand involves looking for anagrams.

Thanks for joining us again for a very special and scary episode brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering, scams, and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some frightfully fantastic scams and frauds. Links to this episode's clips if you'd like to watch along: Dave's clip from the movie: Halloween III Rick's clip from the movie: Get Out

Mallory Sofastaii, a consumer investigative reporter from WMAR TV, is joining Dave and Joe to discuss some recent scams she's seen in her reporting. Dave and Joe share some listener follow up from Kenneth who writes in with a suggestion on creating separate email addresses. Dave's story this week follows fake browser scams and how one has gotten a face lift, and what it looks like now. Joe's story is on a new term WIRED is calling "obituary pirates," people who create YouTube videos themselves casually reciting information about loved ones deaths. Our catch of the day comes from Joe this week, he shares an email he received from one of his old email addresses. Links to the stories: Widow loses life savings in romance scam that started on a gaming app Tech support scams escalating: Victims’ computers locked, accounts emptied The Fake Browser Update Scam Gets a Makeover The Bizarre Cottage Industry of YouTube Obituary Pirates Have a Catch of the Day you'd like to share? Email it to us at [email protected].

A class of software-security-weakness-issues where independent researchers discover a software flaw before the owners of the code discover it. Zero-day, or 0-day in hacker slang, refers to the moment the race starts, on day zero, between network defenders who are trying to fix the flaw before hackers leverage it to cause damage. It is a race because on day zero, there is no known fix to the issue.

Joe Oregon, Chief of Cybersecurity at CISA, sits down to discuss the tabletop exercise that CISA, the NFL, and local partners conducted in preparation for Super Bowl LVIII. Joe and Dave share some listener follow up from Rory who wirtes in to talk tin foil hats. Joe's story shares the interesting finds after conducting a cybersecurity survey at ISI. Dave's story follows the 77 year old woman, Marjorie Bloom, who ended up losing over $600,000, her whole lifes savings by falling for a common tech scam. Our catch of the day comes from listener Damien who writes in with an email from the "federal reserve bank of USA" to inform him that he has received a car with $16.7million attached to it and he needs to claim it. Links to the stories: How this 77-year-old widow lost $661,000 in a common tech scam: ‘I realized I had been defrauded of everything’ CISA, NFL, and Local Partners Conduct Cybersecurity Exercise in Preparation for Super Bowl LVIII Have a Catch of the Day you'd like to share? Email it to us at [email protected].

A unified security incident detection and response platform that connects to multiple tools in the security stack via APIs, collects telemetry from each, and attempts to correlate that telemetry into a coherent threat picture. CyberWire Glossary link: https://thecyberwire.com/glossary/extended-detection-and-response Audio reference link: Film Major. 2022. Enemy of the State (1998) Faraday Cage HD Tony Scott; Will Smith, Gene Hackman Jon Voight [Video]. YouTube. URL https://www.youtube.com/watch?v=n3gy4otg-24

Brett Johnson, Chief Criminal Officer at Arkose Labs, sits down with Dave to discuss his history & ways to make fraud efforts less lucrative for bad actors. Dave and Joe share some listener follow up from Graham about one way that helps him stay safe against fake URLs. Dave's story is about bomb email attacks, in which someones email is spammed with hundreds to thousands of emails in hopes of hiding important information contained in one of the thousands of emails, perhaps from a financial institute. Joe's story is on how the FBI is warning the public to beware of tech support scammers and how they are targeting financial accounts using remote desktop software. Our catch of the day comes from listener Norman, who shares a story about how his Steam account got hijacked and how a hacker impersonating a Steam employee was trying to help him. Links to stories: New Registration Bomb Email Attack Distracts Victims of Financial Fraud FBI Warns Public to Beware of Tech Support Scammers Targeting Financial Accounts Using Remote Desktop Software Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

The art of convincing a person or persons to take an action that may or may not be in their best interests. Social engineering in some form or the other has been around since the beginning of time. The biblical story of Esau and Jacob might be considered one of the earliest written social engineering stories. As applied to cybersecurity, it usually involves hackers obtaining information illegitimately by deceiving or manipulating people who have legitimate access to that information. Common tactics involve phishing attacks and watering hole attacks.

Dov Lerner, a Security Research Lead from Cybersixgill, sits down with Dave to discuss how inflation hasn't affected the Dark Web, including how the cratering of cryptocurrency may have affected things. Joe and Dave share some follow up from listener Pelle, who writes in about their grandmother who was scammed over the phone for her PIN, among other information, allowing the scammers to get away with much more than money. This week, Joe's story comes from a listener named Kyle, who shared an article about protecting against AiTM (adversary-in-the-middle) phishing techniques that bypass multi-factor authentication. Dave's story is about a new video being released that shares the most common WhatsApp scams and how to avoid them. Our catch of the day comes from listener Vlad, who shares his story regarding an email he received stating he is owed 1 million dollars, and how he's not falling for the scammer’s latest attempt. Links to stories: Protect against AiTM/ MFA phishing attacks using Microsoft technology How to avoid the most common WhatsApp Scams 2022 WhatsApp Scams in 2022: What to Look out for Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A cyber information-sharing U.S. Government organization designed to foster the public-private partnership. CyberWire Glossary link: https://thecyberwire.com/glossary/joint-cyber-defense-collaborative Audio reference link: Jen Easterly. 2021. CISA Director Addresses the National Technology Security Coalition [Video]. YouTube. URL https://www.youtube.com/watch?v=ucb1FQXqsao

This week our guest is, Sam Crowther, Kasada CEO, he's sharing his team's findings on "Stolen Auto Accounts: The $2 Price Tag on Your Car’s Identity." Joe and Dave share some listener follow up from Steve who writes in sharing an email he thought to be a scam, but turned out it was real. Listener Derek writes in with a question regarding AI and phishing emails. Joe's story comes from Proofpoint as they share their 2023 State of the Phish report. Dave's story follows an email that was sent out saying that the receiver has had a sexually explicit video leaked to an adults-only website, and to remove the video in question from the site, the receiver can send $200. Our catch of the day comes from listener Tony who writes in to share an email he and his school received claiming that the person who sent the email found pornographic material on the schools website. Links to follow-up and stories: 2023 State of the Phish Yikes! My sex video has been uploaded to YouPorn, apparently Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

The process of evaluating the security of a system or network by simulating an attack on it. Sometimes called "ethical hacking" or white hat hacking. The phrase started to appear in U.S. military circles in the mid 1960s as time sharing computers became more necessary for daily operations. Computer security experts from Rand Corporation began describing computer compromises as “penetrations.” By the early 1970s, government leaders formed tiger teams of penetration testers to probe for weaknesses in various government systems.