Hacking Humans

James Dyer and Jack Chapman of Egress join to discuss "Cybercriminals don’t take holidays: How bad actors use this two-step phishing campaign to weaponize out-of-office replies." Dave and Joe share some listener follow up from Ron, who has a suggestion about registration specific email accounts. Joe has two stories this week, one where he shares some good news on a scammer who received some justice after taking part in a $66K romance scam. His second story is on social media and how it is a breeding ground for scammers. Dave's story this week follows how Google-hosted malvertising leads to a fake keepass site that looks genuine. Our catch of the day comes from our very own editorial staff who share an interesting email they received from the infamous National Security Department. Links to the stories: N.J. man sentenced to prison for taking part in $66K romance scam Social media: a golden goose for scammers Google-hosted malvertising leads to fake Keepass site that looks genuine Have a Catch of the Day you'd like to share? Email it to us at [email protected].

A word, phrase, or sentence formed from another by rearranging its letters. For example, cracking a columnar transposition cipher by hand involves looking for anagrams.

Thanks for joining us again for a very special and scary episode brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering, scams, and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some frightfully fantastic scams and frauds. Links to this episode's clips if you'd like to watch along: Dave's clip from the movie: Halloween III Rick's clip from the movie: Get Out

Mallory Sofastaii, a consumer investigative reporter from WMAR TV, is joining Dave and Joe to discuss some recent scams she's seen in her reporting. Dave and Joe share some listener follow up from Kenneth who writes in with a suggestion on creating separate email addresses. Dave's story this week follows fake browser scams and how one has gotten a face lift, and what it looks like now. Joe's story is on a new term WIRED is calling "obituary pirates," people who create YouTube videos themselves casually reciting information about loved ones deaths. Our catch of the day comes from Joe this week, he shares an email he received from one of his old email addresses. Links to the stories: Widow loses life savings in romance scam that started on a gaming app Tech support scams escalating: Victims’ computers locked, accounts emptied The Fake Browser Update Scam Gets a Makeover The Bizarre Cottage Industry of YouTube Obituary Pirates Have a Catch of the Day you'd like to share? Email it to us at [email protected].

A class of software-security-weakness-issues where independent researchers discover a software flaw before the owners of the code discover it. Zero-day, or 0-day in hacker slang, refers to the moment the race starts, on day zero, between network defenders who are trying to fix the flaw before hackers leverage it to cause damage. It is a race because on day zero, there is no known fix to the issue.

Joe Oregon, Chief of Cybersecurity at CISA, sits down to discuss the tabletop exercise that CISA, the NFL, and local partners conducted in preparation for Super Bowl LVIII. Joe and Dave share some listener follow up from Rory who wirtes in to talk tin foil hats. Joe's story shares the interesting finds after conducting a cybersecurity survey at ISI. Dave's story follows the 77 year old woman, Marjorie Bloom, who ended up losing over $600,000, her whole lifes savings by falling for a common tech scam. Our catch of the day comes from listener Damien who writes in with an email from the "federal reserve bank of USA" to inform him that he has received a car with $16.7million attached to it and he needs to claim it. Links to the stories: How this 77-year-old widow lost $661,000 in a common tech scam: ‘I realized I had been defrauded of everything’ CISA, NFL, and Local Partners Conduct Cybersecurity Exercise in Preparation for Super Bowl LVIII Have a Catch of the Day you'd like to share? Email it to us at [email protected].

A unified security incident detection and response platform that connects to multiple tools in the security stack via APIs, collects telemetry from each, and attempts to correlate that telemetry into a coherent threat picture. CyberWire Glossary link: https://thecyberwire.com/glossary/extended-detection-and-response Audio reference link: Film Major. 2022. Enemy of the State (1998) Faraday Cage HD Tony Scott; Will Smith, Gene Hackman Jon Voight [Video]. YouTube. URL https://www.youtube.com/watch?v=n3gy4otg-24

Brett Johnson, Chief Criminal Officer at Arkose Labs, sits down with Dave to discuss his history & ways to make fraud efforts less lucrative for bad actors. Dave and Joe share some listener follow up from Graham about one way that helps him stay safe against fake URLs. Dave's story is about bomb email attacks, in which someones email is spammed with hundreds to thousands of emails in hopes of hiding important information contained in one of the thousands of emails, perhaps from a financial institute. Joe's story is on how the FBI is warning the public to beware of tech support scammers and how they are targeting financial accounts using remote desktop software. Our catch of the day comes from listener Norman, who shares a story about how his Steam account got hijacked and how a hacker impersonating a Steam employee was trying to help him. Links to stories: New Registration Bomb Email Attack Distracts Victims of Financial Fraud FBI Warns Public to Beware of Tech Support Scammers Targeting Financial Accounts Using Remote Desktop Software Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

The art of convincing a person or persons to take an action that may or may not be in their best interests. Social engineering in some form or the other has been around since the beginning of time. The biblical story of Esau and Jacob might be considered one of the earliest written social engineering stories. As applied to cybersecurity, it usually involves hackers obtaining information illegitimately by deceiving or manipulating people who have legitimate access to that information. Common tactics involve phishing attacks and watering hole attacks.

Dov Lerner, a Security Research Lead from Cybersixgill, sits down with Dave to discuss how inflation hasn't affected the Dark Web, including how the cratering of cryptocurrency may have affected things. Joe and Dave share some follow up from listener Pelle, who writes in about their grandmother who was scammed over the phone for her PIN, among other information, allowing the scammers to get away with much more than money. This week, Joe's story comes from a listener named Kyle, who shared an article about protecting against AiTM (adversary-in-the-middle) phishing techniques that bypass multi-factor authentication. Dave's story is about a new video being released that shares the most common WhatsApp scams and how to avoid them. Our catch of the day comes from listener Vlad, who shares his story regarding an email he received stating he is owed 1 million dollars, and how he's not falling for the scammer’s latest attempt. Links to stories: Protect against AiTM/ MFA phishing attacks using Microsoft technology How to avoid the most common WhatsApp Scams 2022 WhatsApp Scams in 2022: What to Look out for Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A cyber information-sharing U.S. Government organization designed to foster the public-private partnership. CyberWire Glossary link: https://thecyberwire.com/glossary/joint-cyber-defense-collaborative Audio reference link: Jen Easterly. 2021. CISA Director Addresses the National Technology Security Coalition [Video]. YouTube. URL https://www.youtube.com/watch?v=ucb1FQXqsao

This week our guest is, Sam Crowther, Kasada CEO, he's sharing his team's findings on "Stolen Auto Accounts: The $2 Price Tag on Your Car’s Identity." Joe and Dave share some listener follow up from Steve who writes in sharing an email he thought to be a scam, but turned out it was real. Listener Derek writes in with a question regarding AI and phishing emails. Joe's story comes from Proofpoint as they share their 2023 State of the Phish report. Dave's story follows an email that was sent out saying that the receiver has had a sexually explicit video leaked to an adults-only website, and to remove the video in question from the site, the receiver can send $200. Our catch of the day comes from listener Tony who writes in to share an email he and his school received claiming that the person who sent the email found pornographic material on the schools website. Links to follow-up and stories: 2023 State of the Phish Yikes! My sex video has been uploaded to YouPorn, apparently Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

The process of evaluating the security of a system or network by simulating an attack on it. Sometimes called "ethical hacking" or white hat hacking. The phrase started to appear in U.S. military circles in the mid 1960s as time sharing computers became more necessary for daily operations. Computer security experts from Rand Corporation began describing computer compromises as “penetrations.” By the early 1970s, government leaders formed tiger teams of penetration testers to probe for weaknesses in various government systems.

Thanks for joining us again for another episode of fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds. Links to this episode's clips if you'd like to watch along: Dave's clip from the movie: Matchstick Men Rick's clip from the movie: Mr. Robot

This week our guest is, John Hammond from Huntress and he sits down to talk about spoofing and evasion techniques used by hackers. Dave and Joe share a bit of follow up, including a question form listener John who writes in asking about a passkey discussion in the last episode. Joe has a story from Reddit this week, where someone posted about a dispute they are having with their wedding caterer, where the company is saying the couple still owes them over $5,000 after the wedding has happened for umbrellas, the person posting wants to know what they should do about this argument. Dave's story is from Retool, where they are warning customers after an employee of theirs fell victim to a phishing scheme through SMS. Our catch of the day comes from the University of Alabama department of engineering, where the receiver of a suspicious looking email is being "sued" after owing $300 and not paying it back. Links to follow-up and stories: Accelerating the Availability of Simpler, Stronger Passwordless Sign-Ins When MFA isn't actually MFA Wedding caterer charging us $5,000 post-wedding for their accountant’s error Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

Tools that automate the identification and remediation of cloud misconfigurations. CyberWire Glossary link: https://thecyberwire.com/glossary/cloud-security-posture-management Audio reference link: Josh Whedon. 2005. Serenity [Movie]. IMDb. URL https://www.imdb.com/title/tt0379786/

Andrew Hendel, CEO at Marshmallo, joins to share tips to safeguard your feelings and identity in the online dating world. Dave and Joe share some listener follow up from Gareth, who writes in to discuss strange emails he has been receiving. Dave's story follows a woman who was spared jail time after being manipulated by hackers into money laundering. Joe's story is from listener Doug who wrote in to the show to talk about the site he is in charge of and discusses a website he uses called "Buy me a coffee," where his viewers can buy him a coffee, and how he has been experiencing some weird instances with the payment methods of that website. Our catch of the day comes from listener Brandyon who shares an interesting way he was offered to make $600 a week. Links to follow-up and stories: Woman 'manipulated' by hackers into money laundering Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

An electro-mechanical device used to break Enigma-enciphered messages about enemy military operations during the Second World War. The first bombe–named Victory and designed by Alan Turning and Gordon Welchman– started code-breaking at Bletchley Park on 14 March 1940, a year after WWII began. By the end of the war, five years later, almost 2000, mostly women, sailors and airmen operated 211 bombe machines in the effort. The allies essentially knew what the German forces were going to do before the German commanders in the field knew. Historians speculate that the effort at Bletchley Park shortened the war by years and estimate the number of lives saved to be between 14 and 21 million.

Guest Chris Sherwood, owner of Crosstalk Solutions, joins Dave to talk about passkeys. Joe shares some listener follow-up about "revert" and side-loading applications on Android phones. Joe's story came from a listener named Kyle who sent this as a Catch of the Day (COTD) about a phishing scam email conversation about event sponsorship. Dave discusses something he saw on Mastodon from user Bjorn about some fraudulent bank charges and stopping a scam in process. Our COTD is from listener Alec about a potential dating scam offering over Instagram. Links to follow-up and stories: Follow-up on side-loading applications (Note, we do not recommend you install any of these applications.) Mastodon thread about social engineering involving fraudulent banking charges. Chris Sherwood's passkey explainer video on YouTube Passkeys directory website Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A session and user authentication Zero Trust tactic that allows a user to access multiple applications with one set of login credentials. CyberWire Glossary link: https://thecyberwire.com/glossary/single-sign-on Audio reference link: English, J., 2020. What is Single Sign-On (SSO)? SSO Benefits and Risks [Video]. YouTube. URL https://www.youtube.com/watch?v=YvHmP2WyBVY

Oren Koren, CPO and Co-Founder of Veriti, is discussing the need for vigilance and caution when navigating the online shopping landscape. Dave and Joe share quite a bit of listener follow up, one listener writes in for some clarification on the "AI versus AI" episode regarding Google giving their source code so they can do business in China, when in fact it was 2 other companies. Listener Miguel brings our next bit of follow up, he writes in to discuss financial crimes and shares a story based on a story shared on the show. Our last piece of follow up is from listener Will, who shares a way to expand your website links the best way that works for him. Dave's got the story on an Amazon ad in Google search that looks so real, it's been scamming people redirecting visitors to a Microsoft Defender tech support scam that locks up their browser, the one that Dave had to help his father with a couple weeks back. Joe's story follows a Cambridge shed builder who thought he was getting an award, when in fact all he got was a scam. Our catch of the day comes from the European union agency for cybersecurity that received a suspicious looking email from Ebay. Links to stories: Sneaky Amazon Google ad leads to Microsoft support scam Cambridge shed builder thought he was getting an award, but it was a vanity scam Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

From the intrusion kill chain model, a malicious code delivery technique that allows hackers to send code of their choosing to their victim’s browser. XSS takes advantage of the fact that roughly 90% of web developers use the JavaScript scripting language to create dynamic content on their websites. Through various methods, hackers store their own malicious javascript code on unprotected websites. When the victim browses the site, the web server delivers that malicious code to the victim’s computer and the victim’s browser runs the code.

Selena Larson and Tim Utzig discussing research titled "Twitter Scammers Stole $1,000 From My Friend—So I Hunted Them Down." Joe and Dave share a bit of follow up this week, they discuss Hawaii fire scams, and listener Steve writes in regarding some comments about the recent scammer quiz Joe and Dave took, lastly listener John writes in and shares his thoughts on a discussion a couple weeks ago regarding Google Maps. Joe has two stories this week, one is regarding how Joe was close to being scammed by a fake website, the second story is from listener George who wrote in this week sharing about the Bank of Ireland and the latest banking scam causing a technical issue tricking people into thinking they had money, when they really didn't. Dave's story is from the FBI, on a new scam where people are being tricked through mobile beta-testing applications. Our catch of the day comes from listener Richard, who writes in with "a new tip on Crypto." Links to stories: Bank of Ireland glitch let customers withdraw money they didn’t have Cyber Criminals Targeting Victims through Mobile Beta-Testing Applications Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

From the intrusion kill chain model, the first part of an exploitation technique where the hacker tricks their victims into revealing their login credentials. In the second part of the technique, hackers legitimately log into the targeted system and gain access to the underlying network with the same permissions as the victim. Hackers use this method 80% of the time compared to other ways to gain access to a system like developing zero day exploits for known software packages. The most common way hackers steal credentials is with some version of a phishing attack.

Blair Cohen from AuthenticID joins Dave to discuss how generative AI and authentication go hand in hand. Joe and Dave share some follow up from listener Robert who discusses an ad for a device that uses ChatGPT to record phone calls on your device. Dave helps his dad out with his computer and shares the tale. Dave also shares a story this week on the FBI warning against scammers who are posing as NFT devs to try and steal your crypto. Joe and Dave test their scammer catching skills while taking a test to see if they are smarter than the average scammer. Our catch of the day comes from listener Steve who writes in to share a receipt he received that looked quite suspicious. Links to stories: FBI warns of scammers posing as NFT devs to steal your crypto Are you smarter than a scammer? Play this game. Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

An authentication process that requires two different factors before granting access. CyberWire Glossary link: https://thecyberwire.com/glossary/two-factor-authentication

Dave Baggett from INKY joins Dave to dive into the latest phishing trends and discuss a broader view of how AI is being used by both the good guys and the bad guys. Joe's story this week dives into the APT with an entirely too cool name, Midnight Blizzard, that has been conducting targeted social engineering towards the popular Microsoft Teams. Dave's story this week follows a Facebook Market user who dodged one scam, just to fall right back into another one. Our catch of the day comes from listener Mauricio who writes in an shares a funny voicemail regarding a "potential W-2 refund." Links to stories: Midnight Blizzard conducts targeted social engineering over Microsoft Teams Seller dodges Facebook Marketplace scam only to fall into another trap Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

From the intrusion kill chain model, the delivery of a “lure” to a potential victim by pretending to be some trustworthy person or organization in order to trick the victim into revealing sensitive information. According to Knowbe4, the word “phishing” first appeared in a Usenet newsgroup called AOHell in 1996 and some of the very first phishing attacks used AOL Instant Messenger to deliver fake messages purportedly from AOL employees in the early 2000s. The word is part of l33tspeak that started in the early days of the internet (1980s) as a shorthand to let readers know the author was part of the hacker community. In this case, the letters “ph” replace the letter “f” in the word fishing, as in “I fish, with an ‘f,’ for bass in the lake.” In hacking, “I Phish, with a ‘ph,’ for login credentials from key employees at my target’s organization.

Thanks for joining us again for another episode of fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds. Links to this episode's clips if you'd like to watch along: Dave's clip from the movie: HEARTBREAKERS Rick's clip from the movie: Star Trek: The Wrath of Khan Dave's Second clip: Russian Restaurant Dave's Third clip: Funny scene 3

Raj Ananthanpillai from Trua joins Dave to discuss privacy concerns and what you shouldn't share with ChatGPT. Dave and Joe share some listener follow up from Clayton who shares some comments on a previous episode where Dave discusses bomb threats to retail stores for ransom. Dave's story follows Google rapidly trying to correct bogus airline phone numbers that were discovered this week. Joe's story is on an Android app called "Spyhide" which is a phone surveillance app, that has been collecting private phone data from tens of thousands of Android devices around the world. Our catch of the day is from listener Isak who writes in to share a comedic spam email he received. Links to stories: Called a bogus airline customer support number? Google is hustling to fix that Spyhide stalkerware is spying on tens of thousands of phones Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A cloud based sensitive information management system that allows users access across multiple devices. CyberWire Glossary link: https://thecyberwire.com/glossary/icloud-keychain Audio reference link: Ellen’s Tips For iOS, 2022. How To Master iCloud Keychain to Keep Your Passwords Safe and Secure [Video]. YouTube. https://www.youtube.com/watch?v=Tl3E29iUvgE

Perry Carpenter joins Dave to discuss his book "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer." Joe and Dave share some listener follow up on messing with scammers, and how dangerous that actually can be. Joe's story follows hackers trying to steal your secrets using infected USB drives. Dave's story is on a tech executive and how they fell victim to a dating site scam, where the perpetrator was able to gain $450,000 from someone who just thought they found their soulmate. Our catch of the day this week comes from listener Ryan, who writes in sharing a renew license scam from New Zealand, with a carefully crafted email, made to look like the real thing. Links to stories: Tech Executive Falls Victim to $450K Scam on Dating Site: The Cruel 'Pig-Butchering' Scheme Going Around The Spies Who Loved You: Infected USB Drives to Steal Secrets Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A subset of the internet where communications between two parties or client-server transactions are obscured from search engines and surveillance systems by layers of encryption. The U.S. Navy designed the original Darknet by developing The Onion Router network, or TOR, back in the 1990s. Roger Dingledine and Nick Mathewson deployed the first alpha implementation in 2002 with some initial funding by the Electronic Frontier Foundation (EFF.) The TOR Project became a non-profit in 2006 and is funded by the U.S, Sweden, different NGOs, and individual sponsors.

Mallory Sofastaii, consumer investigative reporter from WMAR TV, is discussing animal rescue organizations on Facebook pages being taken over by hackers. Listener George writes in to share how his bank is not doing enough to protect against fraud going on. Dave's story follows scammers using new tricks, across the nation, to receive bitcoin and gift cards after threatening stores with bomb scares. Joe has the story on Chinese hackers that have targeted the Commerce Secretary Gina Raimondo and other State and Commerce Department officials. Our catch of the day comes from listener Steve who shares a fishy looking email stating that he is going to be the beneficiary to "Thirty Nine Nine million, eight hundred thousand dollars." Links to stories: Scammers Target Stores With Bomb Threats, Seeking Bitcoin and Gift Cards Chinese Hackers Targeted Commerce Secretary and Other U.S. Officials Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

1. A wireless access point installed by employees in an office or data center environment as a convenience to connectivity without the consent or the knowledge of the network manager. 2. A wireless access point, sometimes called an Evil Twin, installed by a cyber adversary in or near an office or data center environment designed to bypass security controls, gain access, and/or surveil the network traffic of the victim’s network. Both kinds, the employee installed and the adversary installed rogue access points, increase the attack surface of the organization. The employee installed device, because of its electronic footprint range, might make it easier for hackers and mischief makers outside of the organization’s network to bypass the corporate security controls and gain access without permission. The adversary installed device is designed specifically to bypass the security controls of the target network.

Guest Jane Lee, Trust and Safety Architect from Sift joins Dave to discuss the rise of fraudulent online content and fake crypto platforms. Dave and Joe share some listener follow up regarding the debate over "mum" versus "mom" and who speaks which pronunciation more. Dave has two stories this week, one story follows a Twitter thread about a man who shared his story about selling a desk on Facebook and the dangers that come with that. His second story is about how hackers are using a clever new phishing technique to create email threads with multiple responses to trick potential victims into thinking bogus messages are legitimate. Joe shares the story of hackers new way to get information positioning themselves in the middle of your browser between the server and your computer. Our catch of the day has a little bit of everything from Peter who writes in about an email he received pulling out all the stops to get him to give over his information. Links to stories: Twitter thread https://www.cyberscoop.com/phishing-scheme-targeting-mideast-researchers/ Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t! Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A network mapping tool that pings IP addresses looking for a response and can discover host names, open communications ports, operating system names and versions. Written and maintained by Gordon Lyon, a.k.a. Fyodor, it is a free and open source software application used by both system admins and hackers alike and has been a staple in the security community for well over two decades. CyberWire Glossary link: https://thecyberwire.com/glossary/nmap

Our UK correspondent Carole Theriault is talking with London insurance market CISO Thom Langford about insider threats. Joe and Dave share some listener follow up from Waldo who writes in to share a video explaining how bad guys are able to hack users. Joe shares a report from Verizon, one of the industries leading phone companies, about social engineering. Dave's story follows a gentleman who was able to steal one million dollars from at least 700 DoorDash drivers, and now police are warning against this sophisticated phishing scam. Our catch of the day comes from listener Ami who writes in to share her victory in catching a scammer after receiving a weird voicemail from a so called police officer. Links to stories: 2023 Data Breach Investigations Report A Stamford man allegedly stole $1M from 700 DoorDash drivers. Police say his victims are hard to ID. Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A cyber threat intelligence analysis model that defines relationship pairs between four core components in the shape of a diamond of adversary playbook activity across the intrusion kill chain: the adversary, their capability, the infrastructure used or attacked, and the victim. CyberWire Glossary link: https://thecyberwire.com/glossary/diamond-model Audio reference link: “Diamond Presentation v2 0: Diamond Model for Intrusion Analysis – Applied to Star Wars’ Battles,” Andy Pendergrast and Wade Baker, ThreatConnect, YouTube, 4 February 2020.

Guest Sean Gallagher, Principal Researcher with Sophos Xops team, joins us to discuss "'FleeceGPT' mobile apps target AI-curious to rake in cash. Joe shares some listener feedback from Jon about "No Stupid Questions" podcast. Dave's story is from Reddit about a free piano scam. Joe's got a story on a woman pleading with her bank to stop a fake wire transfer, but they were too busy. Our Catch of the Day comes from Rob about a fake student loan help ticket. Links to stories: “FleeceGPT” mobile apps target AI-curious to rake in cash Just ran into the most sophisticated "free piano" scam I've ever seen Wells Fargo bankers tell East Bay customer they're too busy to stop wire scam Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A US Department of Homeland Security agency tasked with supporting cyber and physical security for US critical infrastructure. CyberWire Glossary link: https://thecyberwire.com/glossary/cybersecurity-and-infrastructure-security-agency Audio reference link: CISA, 2021. CISA Director Jen Easterly’s Keynote at Black Hat USA 2021 [Video]. YouTube. URL https://www.youtube.com/watch?v=q7bu-L-m4K4.

Unsolicited, unwanted, and sometimes malicious electronic messages indiscriminately transmitted to a large number of people. CyberWire Glossary link: https://thecyberwire.com/glossary/spam Audio reference link: zumpzump, 2007. Monty Python - Spam [Video]. YouTube. URL https://www.youtube.com/watch?v=anwy2MPT5RE.

Toby Pischl, Head of Information & Email Security at Broadcom, sits down with Dave to discuss how Slack and Microsoft Teams phishing is an open door into businesses. Joe and Dave share some follow up regarding a case of a woman claiming to have cancer to receive over $37,000 from donors on GoFundMe. Joe has the terrible story out of Michigan where a high schooler committed suicide after a sextortion scam. Dave has a story on job seekers around the country and how likely they are to fall for a job scam. Our catch of the day comes from listener Albert, who writes in regarding the German phishing emails he keeps receiving. Links to stories: Madison Russo pleads guilty to theft in cancer scheme High school football player Jordan DeMay driven to suicide after Nigerian sextortion scam, anguished family reveals Michigan family sounds alarm on son's 'sextortion' suicide after arrests of 3 Nigerian men Three Nigerian Men Awaiting Extradition For Committing Sexual Extortion 1 in 3 Recent Job Seekers Have Been Tricked Into Applying for a Fake Job Scam Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A US Department of Homeland Security agency tasked with supporting cyber and physical security for US critical infrastructure. CyberWire Glossary link: https://thecyberwire.com/glossary/cybersecurity-and-infrastructure-security-agency Audio reference link: CISA, 2021. CISA Director Jen Easterly’s Keynote at Black Hat USA 2021 [Video]. YouTube. URL https://www.youtube.com/watch?v=q7bu-L-m4K4.

This week, Jeremy Fuchs from Avanan joins Dave to discuss how hackers are using replier attacks. Replier attacks are attacks in which hackers change the reply-to address to send emails from what appears to be a reputable company, when in reality it's a spoofed account. Joe and Dave share some follow up from listeners Wayne who writes in with some comments on episode 245, and listener Michael, who writes about his first ChatGPT experience. Dave's story follows the alarming new trend happening, where sextortionists are making AI nudes from people's social media images. Joe's story uncovers the social engineering trick hackers use from their personal scammers handbook. Our catch of the day comes from listener Tim, who shares a message from a "dear friend." Links to stories: Sextortionists are making AI nudes from your social media images Offbeat Social Engineering Tricks in a Scammer’s Handbook Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

The act of searching through an organization's trash for discarded sensitive material. CyberWire Glossary link: https://thecyberwire.com/glossary/dumpster-diving Audio reference link: “Better Call Saul jimmy digs in the Sandpiper trash scene,” uploaded by Robert Bowersock, 18 September 2022.

Thanks for joining us again for another episode of fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds. Links to this episode's clips if you'd like to watch along: Dave's clip from the movie: Ocean's 8 Rick's clip from the movie: Avengers Endgame

This week, our CyberWire UK Correspondent Carole Theriault is talking with Paul Ducklin from Sophos about where ChatGPT could be going in the future. Joe and Dave share quite a bit of follow up from listeners, discussing several people writing in about dating apps and the men who use them, along with a question from listener Bryan who asks about an email scheme an intern working for his company received. Joe's story hones in on AI, discussing in particular how artificial intelligence is changing the social engineering game forever. Dave has the story on how hackers hide malicious links within pictures to redirect users to phishing sites. Our catch of the day comes from listener Cyrus, who shares an email they received about benefits with a hilarious twist. Links to stories: How AI Is Changing Social Engineering Forever The Picture in Picture Attack Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

The manipulation of search engine optimization, SEO, to promote malicious sites in search engine results. CyberWire Glossary link: https://thecyberwire.com/glossary/search-engine-optimization-poisoning Audio reference link: Brown, B.E., 2021. The Ending Of The Waldo Moment Explained [Video]. YouTube. URL https://www.youtube.com/watch?v=HsWja44-EMg.

Bala Kumar of Jumio joins to discuss how travel companies can combat the exponential rise in fraud and ensure their traveler is who they say they are. Dave and Joe share some listener follow up, with the first from Matt, who writes in with a strange Dick's Sporting Goods story about gift cards and credit cards. Our second follow up comes from listener King, who writes in regarding the QR discussion in episode 243. Dave's story follows how almost every US state has sued a telecom company after being accused of routing billions of illegal robocalls to millions of US residents on the do not call list. Joe's story is about a family losing $730,000 in a wire fraud scam, but with a twist ending. Our catch of the day comes from listener William, who writes in with an email laced with so much fraud, Gmail didn't even want Joe to open it to read it for this episode. Links to stories: 48 states sue phone company that allegedly catered to needs of robocallers Family loses $730K in wire fraud scam — and gets it all back Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.