Hacking Humans 9.26.24
Ep 308 | 9.26.24

The devil IS in the details.

Transcript

Dave Bittner: Hello everyone, and welcome to N2K CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: And our N2K colleague and host of the "T-Minus Space Daily Podcast," Maria Varmazis. Maria, welcome.

Maria Varmazis: Hello, hello.

Dave Bittner: I should say -- I should say, "Welcome back."

Maria Varmazis: Well, thank you.

Dave Bittner: That's right.

Maria Varmazis: I'm surrounded by boxes and I'm very glad to be back.

Dave Bittner: Oh, that's right. So, we didn't reveal this last week, but Maria was actually moving last week--

Maria Varmazis: Yes, I have moved houses.

Dave Bittner: -with all of the -- all of the joy that goes with that, that we all look forward to.

Maria Varmazis: Yes, I'm exhausted.

Joe Carrigan: Yes, I'll bet.

Dave Bittner: All right.

Maria Varmazis: I'm exhausted and everything hurts.

Dave Bittner: But you've got more space in which to be exhausted, so it's--

Maria Varmazis: Yes.

Dave Bittner: -good.

Maria Varmazis: If you hear an echo behind me, it's because it's the boxes.

Dave Bittner: That's right, right. All right, well we've got some stories to share this week. We will be right back after this message from our show's sponsor. All right, before we get going here, we have a couple bits of follow-up. Joe, what do we got?

Joe Carrigan: First, Steven from the UK wrote in. He said, "Hi Dave, Joe, Maria. I greatly enjoy the podcast, informative and enjoyable, a perfect combination." I'll agree with that. "This may not be exactly on point with the theme of the podcast, but I thought I'd share this with you just in case. I live in the UK and recently I received a new debit card from my bank. I was surprised and dismayed to see that a new card had all of the personal -- personal information, rather, on the same side of the card. Just the branding on the front of the card," right? He sent along a picture of it. He blacked out all the credit card numbers so I couldn't go and charge some things to him, which is--

Dave Bittner: Right.

Joe Carrigan: -pretty smart. Pretty smart, Steven.

Maria Varmazis: That you would try it.

Joe Carrigan: He said, "Anyone shoulder surfing closely watching a transaction or snapping the card with a phone camera would be able to use this card for any customer not present transactions. There is potentially enough information on this card to create a false identity. Reasonable address lookup could be attempted with anyone with an unusual surname." So, I want to talk about this a little bit because I have -- oh, he says, and this is the best part. He called his bank, and they said, "We'll take your comments into account."

Maria Varmazis: Circular file.

Joe Carrigan: Right, yes.

Maria Varmazis: Yes.

Joe Carrigan: He said -- his question is, "Am I being too paranoid?" So, I looked through my wallet and I have a credit card that's like this. My Capital One credit card, everything's on one side. The only thing that's on the front, it says, "Capital One" and it has like all these little fancy lines on it, you know?

Dave Bittner: Yes.

Joe Carrigan: And then there's a chip interface, and that's it. You flip it over and you'll see all of the information, including that CVV2 code--

Dave Bittner: Right.

Joe Carrigan: -right? Right next to the credit card number. And he's right. If somebody did take a picture of that, that would be all they needed.

Dave Bittner: And your name is on that side, also?

Joe Carrigan: Name is on that side as well. Yes, everything's on that side. The only thing on the other side is branding. And I looked at all my other cards, and they're all embossed or printed with the credit card number on the front, and the CVV's on the back. Credit card and expiration date on the front. Number and expiration on the front. So, I don't know. I don't think this is a big problem. I mean, if somebody's going to get physical access to your card, they're going to look at both sides anyway.

Dave Bittner: Yes.

Joe Carrigan: But, I mean I guess it does kind of open you up to a, you know, a quick -- quick glance. You know, somebody taking the information very quickly when just looking at one side of the card.

Dave Bittner: I suppose, yes.

Joe Carrigan: Yes.

Maria Varmazis: Yes.

Dave Bittner: I mean, if someone -- let's say someone was taking -- because they'd have to take a picture -- either they'd have to take a picture, or they have a really good short-term memory.

Joe Carrigan: Right.

Dave Bittner: Right, because there's a good amount of information on any credit card.

Joe Carrigan: Yes.

Dave Bittner: But--

Maria Varmazis: Yes, I'm thinking -- American Express has the same model too with the code on the front, if I'm remembering correctly. At least mine does.

Dave Bittner: Yes.

Maria Varmazis: Yes.

Dave Bittner: Yes. Yes.

Maria Varmazis: I imagine these credit card companies feel confident enough in their fraud detection internally that--

Dave Bittner: Yes.

Maria Varmazis: -they probably go, "If we see somebody doing something funny, we'll just cancel your number and give you a new one."

Dave Bittner: Yes.

Joe Carrigan: Well--

Maria Varmazis: I imagine that's probably their thinking, to put words in their mouth.

Dave Bittner: Yes.

Joe Carrigan: Probably.

Dave Bittner: Yes, you can bet they tested it. I mean if it were a big issue, it probably wouldn't be, I would imagine. I wonder how many people actually do transactions with their credit cards these days.

Joe Carrigan: I -- every time I buy gas.

Dave Bittner: Yes, okay.

Joe Carrigan: It goes into the little chip reader and says -- here's something that happened to me one time, recently. It happened to me very recently. I put it in the chip reader, and it says, "What's your -- what's your zip code?"

Dave Bittner: Yes?

Joe Carrigan: I'm like, "Wait a minute. You have the chip reader. You're not supposed to ask me the zip code." Zip code's a verification process from days when you didn't have a chip reader.

Dave Bittner: Okay?

Joe Carrigan: And I don't -- I entered my old zip code, and it still approved the transaction--

Dave Bittner: Huh?

Joe Carrigan: -even though I since updated my zip code. So, I don't think it even uses that. I think it's just bad design.

Dave Bittner: Or to scare away crooks who don't know what the zip code is.

Joe Carrigan: Probably. Maybe. That's a good point.

Dave Bittner: Yes.

Joe Carrigan: Good point.

Dave Bittner: I don't know. Interesting. Yes, I looked at a couple of my credit cards and mine are all mixed. Like, you know, some information on the front, some on the back. If you had asked me, I would have thought that one of them had it all on the back, but it turns out that the name is on the front and all the other information is on the back. The other thing I would think is that if someone were trying to photograph your card, they're from a distance or trying to shoulder surf with you, I would also think it's probably decent odds that just in your handling of the card, you're going to expose both sides of the card--

Joe Carrigan: Yes.

Dave Bittner: -to view. Right, right? So, I don't know. Interesting.

Joe Carrigan: I don't know. I wouldn't worry about it, Steven. I think it's something that you don't lose sleep over.

Dave Bittner: Yes, so I would say, "Steven, yes. You are being too paranoid."

Maria Varmazis: Quit worrying so much.

Dave Bittner: Right.

Joe Carrigan: But, yes, it is a good observation.

Dave Bittner: Yes, absolutely. All right--

Maria Varmazis: It's good to think about these things.

Dave Bittner: -we got another note from a friend of the show, J.J., who has some experience in law enforcement and wrote in and said, I cannot count the number of times I see folks getting scammed with fake checks. In 1987, the U.S. Congress passed a law called the Expedited Funds Availability Act. The law became effective in 1988. This legislation requires banks to make certain amounts of funds available to account holders after a check has been deposited. We touched on this.

Joe Carrigan: Yes, we did.

Dave Bittner: He goes on and says, "Scammers are well aware of the huge difference between availability of funds and a check actually formally clearing. This is why they prod victims to deposit their bogus checks right away to the point where they often try to push victims into doing a mobile deposit. They will even have printed on the back of their fake checks, 'For Mobile Deposit Only.' Often they will have the victim screen shot a copy of their successful deposit because this is essentially a countdown timer for them."

Joe Carrigan: I see.

Maria Varmazis: Oh, okay.

Dave Bittner: Yes. He goes on and says, "If the victim wises up and does not deposit the check or does not part with any money back to the scammer after depositing the check, the scammers will often become threatening. They will threaten the victim with notifying the FBI that the victim has stolen money from them. This has actually worked on some victims. Scammers will also outright threaten the victim with, 'We know where you live. Don't make us come to your door.' Needless to say, this fear also nails some victims."

Joe Carrigan: You know, I imagine--

Maria Varmazis: Yes.

Joe Carrigan: -that that might backfire here in America. You know? If you just--

Dave Bittner: Because of all the guns?

Joe Carrigan: Right. They're going to be like, "Oh, you know where I live? Come on down, buddy."

Dave Bittner: Well, maybe. I don't know. I guess it depends on where you live.

Joe Carrigan: Right.

Dave Bittner: That's--. So, J.J. goes on and says, "In short, I wish they would teach us this stuff in schools. There's a huge difference between available funds after check is deposited, and a check actually clearing. Words are important. Often bank tellers will use the term 'available,' but the victim thinks that means cleared."

Joe Carrigan: Right.

Dave Bittner: And then the take home is, he says, "The simplest way to not get caught up in this scenario is whether it's for a job or for a business order or for payment for something you are selling, never accept a check from a stranger."

Joe Carrigan: Right.

Dave Bittner: And he wrote that in all caps.

Maria Varmazis: Yes, yes.

Dave Bittner: You know, I mean that's good. That's great advice. I can't remember the last time I wrote a check, first of all, and accept -- or accepted a check. It just seems like checks have fallen out of favor--

Joe Carrigan: Not with me, Dave.

Dave Bittner: -for a lot of uses. I know.

Maria Varmazis: I just wrote a check over the weekend.

Dave Bittner: Right.

Maria Varmazis: I don't know. I mean, I still have to do the stuff by checks now and then, but I -- yes, not accepting--

Dave Bittner: Well, people aren't writing checks at the store anymore, I think.

Maria Varmazis: Yes, that's true.

Joe Carrigan: No, I don't do that.

Dave Bittner: Everybody's using their debit cards and--

Maria Varmazis: No, no. Grocery stores don't want you doing that.

Dave Bittner: -right. And you know, at the gas station.

Joe Carrigan: No.

Dave Bittner: I think most people, when given the opportunity to make an electronic payment, that is their choice because it is so much faster and more convenient, and instantaneous, too. I don't know. I just can't -- yes, I mean maybe it's me. I'll have to ask my wife, because she does a lot of our bill paying, right? But I don't think we write many checks any -- in fact, I wouldn't even know where in my house to go for a checkbook.

Maria Varmazis: Your wife might know, though. I'm also the keeper of the checkbook.

Dave Bittner: Yes.

Maria Varmazis: I had to write a check over the weekend for kittens that I adopted to give to the shelter--

Dave Bittner: Oh.

Maria Varmazis: -to sort of like -- as the transaction.

Joe Carrigan: You had to write a check to give someone else a cat?

Maria Varmazis: No, no, no. I received two kittens from a shelter.

Joe Carrigan: Oh, okay. All right.

Maria Varmazis: So, I was paying for their microchipping and their vaccinations and all that stuff.

Joe Carrigan: Okay, got it. Yes.

Maria Varmazis: And they're a 501c. The nonprofit code--

Joe Carrigan: Right.

Maria Varmazis: -the 501 thing. And they don't take things like Venmo or whatnot because they don't want anything eating into what little money they have. So, I was like, "I'm writing you a check. But if anything goes wrong, like, here's my phone number." Like, we've already spoken. I felt uncomfortable giving them a check being like, I -- they don't know me from you know, anyone else. So, how do they know that I'm not just like, stealing from them. Thankfully, the check cleared. I'm good.

Joe Carrigan: Right, phew.

Maria Varmazis: I felt bad giving them a check, but it was what they wanted. So, I was like, "Okay. If this is what -- you know, I'm no scammer."

Joe Carrigan: One of the things I hate about when you try to use a check is when -- and I don't do this anymore, but they used to say, "Put your phone number on that and then put your social security number on top of the check as well."

Maria Varmazis: Oh, my gosh. And your driver's license.

Joe Carrigan: "I'm not putting my social security number on a check. You either accept it -- I'll give you a phone number so you can contact me if something goes wrong, but you don't need my social security number if something goes wrong with this check. What are you going to do with that?" And I actually one time had checks printed up that just had my name at the top of them. They didn't have an address. I loved paying bills with those. That was awesome.

Dave Bittner: Why?

Joe Carrigan: Because, it's like, "Here's a check. Go deposit it. Don't bother me."

Dave Bittner: Okay.

Joe Carrigan: You know, it's -- you know.

Dave Bittner: Do either of you remember there were some stores, like department stores where if you wanted to write a check, they would take your picture?

Joe Carrigan: No.

Maria Varmazis: I think that's before my time.

Dave Bittner: Yes. I remember it was a very--

Maria Varmazis: I remember credit cards going [credit card machine sound], but that's about it.

Dave Bittner: Yes, I did the -- the kerchunker [phonetic], but no. When I was a very small boy, I remember up the street from us, there were like -- I want to say it was like a Kmart, and they had a line where if you were going to write a check, you would wait in this line, and they would basically, you know, like a line up picture of you.

Joe Carrigan: Mug shot.

Dave Bittner: Yes, exactly.

Maria Varmazis: Wow.

Dave Bittner: That's how it was. And I don't know.

Maria Varmazis: Maybe we need to return to tradition. Maybe that's what we need to do is go back to that.

Dave Bittner: I mean, you're having your picture taken in every store you go in today, so--

Joe Carrigan: Right, yes.

Maria Varmazis: True.

Dave Bittner: -there's that.

Maria Varmazis: So, we never left. Oh, fair enough.

Dave Bittner: All right, well let's move onto our stories here. I am going to start things off for us. This is actually a story from the folks at Forbes. This is about a new warning about some email password stealing attacks that's particularly targeting iPhone users. This story came from the folks at the U.K.'s National Fraud and Cyber Reporting Center. That organization is called Action Fraud.

Joe Carrigan: Yes.

Dave Bittner: And that's sort of their version of the -- the FBI has ours here which is the-- [In unison] IC3. Yes. So that's their version of that. But they've issued a warning for iPhone users. They've received over 1800 reports in the past just couple of weeks about a password stealing phishing campaign. What happens is you get an email and it'll either come through Apple Mail, Gmail, Outlook, the usual kinds of places. It appears to be coming from Apple itself. And it's warning you that your iCloud storage is about to be exceeded, that you're about to run out of room on your iCloud storage. And for iPhone users, iCloud is where most people store their photos and so you can pay for different amounts of storage, and it comes with a certain amount, which is not nearly enough for anyone.

Joe Carrigan: Okay, so this is actually something that--

Maria Varmazis: And these warnings are ubiquitous. Yes.

Joe Carrigan: -something that you get, right? You can actually exceed your storage amount from Apple.

Dave Bittner: Yes, oh yes. In fact, I would say -- well, I'd say it's likely with -- the default amount of storage you get with the device is enough to get you started. It's like those startup ink cartridges they give you with the printer.

Joe Carrigan: Right.

Dave Bittner: You know, like--

Maria Varmazis: About a tiny sliver, yes.

Dave Bittner: Right.

Joe Carrigan: It's just to use the printer for free.

Dave Bittner: Right, it's a few drops of ink in there, but really--

Joe Carrigan: Right.

Dave Bittner: -you're -- yes. So, it's the storage version of that. And then from there, you can up the amount of storage you want, and it's a reasonable -- it's a couple bucks a month or something like that for what is a useable amount of storage directly from Apple. And that's iCloud. So, you get this email, and it appears to be Apple saying that your iCloud storage is almost full. In fact, it has a little graph that shows your storage is almost full. And then it asks you to log into your iCloud account. And of course, we know what happens then.

Joe Carrigan: Right.

Dave Bittner: You're not actually on an Apple website. So, then they get your Apple ID. They try to get your payment card information, other personal financial information. Well, another little detail here is they -- in some of these, they offer up a loyalty program, which is if you sign up right now, we'll give you an additional 50 gigabytes of space for free on iCloud. So, act now. Don't delay. We'll give you even more.

Joe Carrigan: So, they're like -- what's that called? It's not a loss leader, but it's like a -- some kind of promotional thing.

Maria Varmazis: Yes, upsell or not -- is that even an upsell?

Dave Bittner: It's like a call to action, I guess maybe. Yes.

Joe Carrigan: Yes, they're trying to incentivize you to go ahead and click on the malicious link now.

Dave Bittner: Right. Right. Don't wait. We're going to give you something for free.

Joe Carrigan: Right.

Dave Bittner: Which in a way, they do.

Joe Carrigan: Right, yes. We'll give you a colossal headache.

Maria Varmazis: And it's fake all the way down.

Dave Bittner: That's right. That's right. So, the folks at Action Fraud recommend that just be vigilant about this. You can check your storage on your device. You can open the -- in your settings, you can see how much space you have. And if you -- if there is an issue, then you can update your storage on the device. There's no need to go to any websites or anything like that to manage that sort of thing. Chances are you aren't out of space.

Joe Carrigan: Right.

Dave Bittner: In fact, if you get close to being out of space, and I've run into this -- I actually ran into this recently with my father. He was starting to get alerts thrown at him from his -- he has an iPhone. And it warns you on the device to -- and it doesn't cut you off either. It says, "Hey, you're getting close here. You want to do something about this?"

Joe Carrigan: Right.

Dave Bittner: Which is when I get a phone call. Right, that says, "Son, come over. The phone is making -- something I don't understand what it is." So, you know, a couple bucks a month, we upgraded and it's all the storage he'll ever need for evermore.

Joe Carrigan: Right.

Dave Bittner: So. So, just be mindful of this. I guess -- the main thing here is that this is an active campaign is Action Fraud is saying. They're -- 1800 reports in just a couple of weeks means that folks are hammering away at this. So, spread the word. If you get something in your email that says that your Apple iCloud storage is about to run out, odds are, it ain't real.

Joe Carrigan: Right.

Dave Bittner: That is a -- that is a fraud.

Joe Carrigan: My favorite part of this is the little graph that they put on there that says, "Look, you're almost out of space."

Dave Bittner: Right.

Joe Carrigan: It's just a picture they draw, right?

Dave Bittner: Yes.

Joe Carrigan: You know--

Dave Bittner: Yes.

Joe Carrigan: -I just imagine, if you had to do this by hand--

Maria Varmazis: It doesn't even look like the Apple one.

Joe Carrigan: -right.

Maria Varmazis: Yes.

Joe Carrigan: If you had to do this by hand, how would you convince somebody that you're , but you draw a little picture of a little bar graph and--

Dave Bittner: Right.

Joe Carrigan: -point at it.

Maria Varmazis: Well, Apple does have those bar graphs, but it doesn't look like the Apple bar graph. That's the thing. Like, they--

Dave Bittner: Yes.

Maria Varmazis: -you're used to seeing the -- you know, this is how much your apps are taking up. This is how much your photos or your videos, but this is just like a single color. So, it doesn't look like the real deal.

Dave Bittner: Yes.

Maria Varmazis: But it might fool somebody.

Dave Bittner: I think that's an interesting point, too, Maria, because when you think about as a company, how design conscious Apple is.

Joe Carrigan: Right.

Maria Varmazis: Yes.

Dave Bittner: They're meticulous about everything they send out. So, it's a real tell when you see something that doesn't match that -- their look and feel, which this does not. So.

Maria Varmazis: Janky is the way I would describe that email. Very janky. It's not Apple.

Dave Bittner: Right.

Maria Varmazis: Yes.

Dave Bittner: Yes. All right, well we will have a link to that story in the Show Notes. Again, that's from the folks over at Forbes. Maria, you're up next. What do you have for us this week?

Maria Varmazis: I have a story that comes to us from Security Researcher Jerome Segura at Malwarebytes, who wrote up an interesting threat, a scam that is taking advantage of public wish lists on ecommerce websites. In this case, it happens to walmart.com but it's similar to like what Amazon has and pretty much -- name a retailer.

Dave Bittner: Right.

Maria Varmazis: So, for folks who don't know what I'm talking about, a wish list, this is a thing that a customer can create on a retailer website. It just requires that the customer create a free account. You don't have to buy anything to do this. But the list that the customer makes then becomes fully public. So, no account is necessary to view the list. So, a lot of people use these for like Christmas wish lists, or Birthday wish lists, or registries.

Dave Bittner: Right.

Maria Varmazis: So, the scammers -- some scammers figured out that, "Hey, if these are publicly viewable and legitimately posted on a retailer's website, maybe there's something we can do about that? We can use that." So, this is the way this process goes as it often happens with nowadays. If somebody were to Google the phrase "Walmart online number -- Walmart phone number." In this case, a malicious Google Ad comes up and it says, "The top sponsor result is Walmart Online Number, Call Now." It's not very elegant grammatically but that's what it is. And the URL shows, according to Google, walmart.com. So, you see an https, walmart.com. So, that ad is showing you this is a legitimate walmart.com website. If you're doing just a quick glance as probably you are going to be doing, especially in mobile, that completely passes the sniff test. This is a legit Walmart website. If -- and then Jerome points this out. If you had the wherewithal to check who was actually posting that ad on Google, so this would require clicking that really tiny gray link on the "Who Is This Ad?" thing, you would see the sponsored ad was actually verified by Google. So, it says it's legit.

Joe Carrigan: Yes, that's Google.

Maria Varmazis: But the advertise -- yes, they are so helpful, but the advertiser specifically is some random name from some person in Argentina or Vietnam. And a quick FYI for anyone who doesn't know it, Walmart is still very quite famously headquartered in Bentonville, Arkansas USA. Not Vietnam or Argentina. So, and what he -- what Jerome also points out that I love here -- I love -- I hate it really, but this ad also potentially evades Google's ad rules for fraud because it actually does go to Walmart's legitimate website, even though what it does on the website is fraudulent. So, it's like, "Oh, my gosh." So, when you click the spammy ad, you go to walmart.com. You go to a walmart.com customer created wish list. And it says at the top the list name. Instead of you know, Maria's Christmas Wish List, it says, "Walmart Customer Service 1-555--," some fraudulent phone number. And so, it's the headline. So, if you're scrolling on mobile, and you just see that as the top thing, you might go, "Well, that's my number. I'm just going to click that." And away you go.

Dave Bittner: Wow.

Maria Varmazis: And as you might suspect that phone number is not Walmart's Customer Service number. It is the scammer's phone number and that is how they get you.

Joe Carrigan: And they're actually going to Walmart's site because these scammers have set up a Wish List--

Maria Varmazis: Yes.

Joe Carrigan: -that has the first item is the phone number.

Maria Varmazis: Yes. The whole list, the whole way down is just Walmart Customer Service, over and over, with the default image of the Walmart Wish List. It's like a bottle of soap and headphones and a blender or something, with this fake Walmart Customer Service number just listed over and over and over. So, their wish is for you to call the spammy number. So again, just think about it. If you are calling Customer Service, you are probably in a rush. You are probably not really looking -- you're going to be not maybe thinking too deeply about that first phone number that you see that pops up. And especially if you're on mobile, you're going to see -- your phone will tell you, "This is a legit Walmart website," because it is. So, unless you were to look at the full URL, this is actually Wish List, which would be revealed further in. All of this would in a rush, pass the sniff test, which is just amazing to me that they figured this out.

Dave Bittner: Wow.

Maria Varmazis: It's very clever, but like frustratingly so. So, yes, you're just not going to overthink it in many cases and you're just going to click that first item, that spammy phone number, and then the familiar script that we've talked about many times here, that plays out. So, this is where the escalation starts, and this will sound very familiar to our audience. They're going to ask you for your name and email address to verify. You know, you've called Customer Service. Who are you? And then they're going to check your account. And they go, "Oh, it seems you've made a large purchase recently." And then of course, you're going to say, "No, that didn't happen." And then things continue to escalate. There's, "Oh, maybe this is fraud? Oh, this is major fraud. Oh, there's drugs trafficking happening on this account, actually. Oh, it ends up there's a warrant for your arrest, and also the FTC is coming after you." It just goes up and up, so you're going to get passed from Customer Service rep, to a bank, to the FTC, and probably the FBI after that. It just escalates from there. And so, you're just thinking, "I was just calling about this blender I'm having an issue with," and suddenly, you're under threat of arrest.

Dave Bittner: Wow.

Maria Varmazis: It's wonderful. Yes, so of course, all would be well, you can put things right with this messy business with Walmart as long as you take out as much money as possible from your bank and put it into a Bitcoin wallet. And don't worry, they'll stay on the line with you very helpfully, to guide you--

Joe Carrigan: Right.

Maria Varmazis: -through this process. It's wonderful Walmart Customer Service. So, I have to hand it to the scammers. This is very, very clever. I mean, it's evilly clever, but it is--

Joe Carrigan: Yes.

Maria Varmazis: -very clever.

Dave Bittner: Yes.

Maria Varmazis: I couldn't replicate this one, so I'm hoping that this is an issue that Walmart has remediated, but I got to give it to the scammers that this is a very interesting work around and using a legit URL to do something very, very bad.

Joe Carrigan: I think it's going to take a company like Walmart threatening to sue the pants off of Google to get their attention on these malicious ads, because that's what this is.

Maria Varmazis: I hope so.

Joe Carrigan: This is a malicious ad.

Maria Varmazis: Yes, it really is. I mean, that's where it starts. And again, it technically passes their policy, but I--

Joe Carrigan: Right.

Maria Varmazis: -would imagine if it gets flagged, they would go, "Oh, actually its intent is poor." But I mean, my goodness, that again, it's like, "Well, it's technically walmart.com, so it's legit," is just -- oh, my gosh.

Dave Bittner: Yes. It's a low bar.

Joe Carrigan: Yes.

Maria Varmazis: Wow.

Joe Carrigan: Right.

Dave Bittner: Right. Yes, I think my -- well, I think I speak for all of us when I say that our frustration continues with the quality of Google's filtering when it comes to these ads, that it is absurd the degree to which these malicious ads end up at the top of your Google searches--

Joe Carrigan: Right.

Dave Bittner: -over and over again.

Maria Varmazis: How far we have fallen. Yes. I think if you had told me even 15, 10 years ago that this was happening so much on Google, I wouldn't have believed you.

Joe Carrigan: Right.

Maria Varmazis: It's just I can't believe it's just so common now.

Dave Bittner: Right.

Joe Carrigan: It is to the point now for me that any of the Google products that are out there, Google Search, YouTube, anything, they are so heavily advertising laden that they're almost unusable to me. Often when I go, and I go to Google out of habit, and I type in a search, and I get like four ads before I even get to a legit result. And I just go, "You know what? I'm not even looking at this. Bing." And I go to Bing and I do it, and it presents a better user interface or user experience. So, I still get a couple of ads or an ad, but I don't get the deluge of ads that I get with Google--

Dave Bittner: Yes.

Joe Carrigan: -which is--

Maria Varmazis: Yes.

Joe Carrigan: -you go to YouTube and it's just -- it's even worse. I mean, it's so many ads. You know, you're watching a video -- you'll say, "Okay, I've got to watch like five seconds of this ad," and Start, Click, and you'll watch the video for like two minutes, and another ad will come on.

Maria Varmazis: Yes, yes.

Joe Carrigan: It's -- no. This is becoming unusable.

Dave Bittner: Well, I pay for YouTube Premium. I don't see the ads.

Maria Varmazis: Oh, yes. I thought about it, but then the household discussion became, "How do we put an ad blocker at the router level?" because I'm getting really ticked off.

Joe Carrigan: Yes.

Maria Varmazis: So, that's going to be the next home project, as we move in, because I'm really done with it.

Joe Carrigan: Yes.

Maria Varmazis: Trying to show my daughter like a quick video of cats, and suddenly there's an ad for like you know, home insurance. It's like, "Come on, really?" Like, get this out of my face.

Dave Bittner: No, they -- they -- no, they did get me, and I think I've shared the story here before. The reason they got me was that I was in the midst of what I would describe as a home repair emergency where I had a plumbing problem--

Maria Varmazis: Oh.

Dave Bittner: -there was water pouring out of something. And I look -- I went to look up on YouTube how to fix this thing, found a video that would show me how to fix it, but first--

Maria Varmazis: Oh, no.

Dave Bittner: -right?

Maria Varmazis: So, they extorted you.

Dave Bittner: Yes.

Maria Varmazis: This really was (laughing).

Dave Bittner: Right, exactly.

Maria Varmazis: We're going to destroy your home unless you pay for YouTube Premium.

Dave Bittner: Right. It's a shame if your house had a bunch of water damage. For only 19 bucks a month, you can get instant access to these videos. And so--

Maria Varmazis: Gets you all the knowledge of humanity. All right, well.

Dave Bittner: Right. I have to say, if you can afford it, it is a wonderful lifestyle upgrade if you are a regular user of YouTube, which I am. My understanding also is that YouTube creators actually get a better payout when someone who is a YouTube Premium subscriber watches their video than from someone who isn't who just watches the ads. So, yes.

Maria Varmazis: Yes. But we are not on YouTube at "Hacking Humans" yet. Yet.

Joe Carrigan: No, and I don't know that we ever will be, with how we just bashed Google on here.

Dave Bittner: Oh, they don't care. They don't care. They just want to run ads on whatever you want to put up there.

Joe Carrigan: Right.

Dave Bittner: All right, well that is an interesting one and again, we will have a link to that story in the Show Notes. Before we get to our next story, we're going to take a quick break to hear a message from our sponsor. All right, we are back and Joe, you are last but not least today. What do you got for us?

Joe Carrigan: I have a story from Interpol, Dave, that kind of ties in with our discussion last week.

Dave Bittner: Okay?

Joe Carrigan: Last week, we were talking about how money got moved around so quickly in the banking system that you -- it was often gone before you could do anything about it. But this story from Interpol talks about a company in Singapore who on July 15th of this year, received an email from a supplier requesting that a pending payment be sent to a new bank account in East Timor.

Dave Bittner: Okay.

Joe Carrigan: All right, red flag. Right? So, the email however did -- came from a fraudulent account, which had a very similar domain spelled slightly different than the supplier's official email address. Interpol calls this a business email compromise attack, but it is not a business email compromise attack. It's an impersonation attack. A very good one, but it's still just impersonation. They didn't breach anybody's email to get in here. They just spun up another email address that looked similar and sent an email from it. Although it is interesting to know, or I would like to know how did they know that these two companies had a relationship and they were expecting a large payment here, because when we get to the payment part, it's pretty big. Unaware, and we're going to get there now actually, unaware, the firm, the Singapore firm transfers a $42.3 million to the fake supplier on July 19th, which is, you know, just a couple of days after they got the request for the change in account information. So, four days later, they transfer $42.3 million. So, even though this is just an impersonation attack, it's a really, really effective one.

Dave Bittner: Right.

Joe Carrigan: These guys got $43 million. Now, four days later, the genuine supplier calls up and goes, "Hey, where's the money?" Right?

Dave Bittner: "Why -- why have you not paid our invoice?"

Joe Carrigan: "Why have you not paid our bill? Normally, you wire us the money." And of course, the Singapore firm goes, "Well, you sent us this email that said we should change your banking details." And the company goes, "Well, that's not our email. You've been scammed." So, now the Singapore company goes, "Oh, no." So, they call the police. The Singapore Police Force, the SPF. They swiftly requested assistance from authorities in East Timor through Interpol's Global Rapid Intervention of Payments, or IGRIP.

Dave Bittner: IGRIP, okay.

Joe Carrigan: IGRIP.

Maria Varmazis: Okay.

Joe Carrigan: Which is a mechanism they say. So--

Dave Bittner: IGRIP sounds like a glove you could buy from Apple so that your iPhone doesn't slip out of your hand.

Joe Carrigan: Yes, it does sound like that, doesn't it?

Dave Bittner: Yes.

Joe Carrigan: And that also sounds like--

Maria Varmazis: Trademark that one. They're going to take it from you, Dave.

Dave Bittner: Yes.

Joe Carrigan: So, IGRIP uses a global police organizations for Interpol. There are 196 countries police networked together to really speed up requests for assistance in financial crimes. So, this phone call between these two businesses happens on July 23rd. And that's when the Singapore Police Force goes ahead and starts activating things immediately. On July 25th, the SPF's Anti Scam Center received confirmation that $39 million was detected and withheld from the fake supplier's account in East Timor. So, they'd already captured more than 90% of the money, four days later, which I think is impressive. You know, this is a wire transfer, so it -- I'm amazed it was not just gone, but additionally, in addition to that, over the next two days, East Timor authorities arrested seven people in relationship to the scam through follow-up investigations and recovered another $2 million. So, they got all but like $1.3 million back out of 43--

Dave Bittner: Wow.

Joe Carrigan: -$42.3 million. Now, last week Maria, you weren't here, but Dave and I were discussing, "Why does this happen? Why can't we do something about this?" And it looks like Interpol has done something about it.

Maria Varmazis: Nicely done, Interpol.

Joe Carrigan: So, I think it's a -- you know, this is great, I think.

Dave Bittner: Yes, we were talking about specifically the clawing back of funds that why -- like what's the difference between the different -- the methods that money gets sent around the world and why is it easy to claw back some -- in some cases when there's been scams and others when there hasn't. And--

Maria Varmazis: That's a great question.

Dave Bittner: Yes, we did get a couple of notes from listeners with -- pointing us in different directions. Unsurprisingly, there are a number of interesting Wikipedia articles about the different methods that bank funds are transferred around the world. And there's a big difference between domestic transfers. So, for example, you know, bank to bank here in the U.S. is one thing, but then once it goes overseas, that's a different thing, and--

Maria Varmazis: Yes. Yes.

Dave Bittner: -the ability for banks to claw things back and there are many situations where for good historical reasons, once the book is settled, once the transaction is settled, that's it. It's done.

Maria Varmazis: Yes, yes.

Dave Bittner: So, make sure it's good before you send it. But so, I appreciate everyone who sent stuff in for us to help us learn about that. I'll tell you another interesting source I came across when I was following some of the breadcrumbs that our listeners sent in was the Federal Reserve. The Federal Reserve has a very robust website that has lots of information about banking and about scams and some--

Maria Varmazis: Wow.

Dave Bittner: -of the programs they put in place, and they have all kinds of systems for categorizing scams and trying to track down scams and figure out who's responsible for what, and they have a really good blog on the Federal Reserve's website that's from experts talking about a lot of this different stuff. So, if this is something you're interested in, I was very surprised to find out that the Federal Reserve actually is a robust source of information. So.

Maria Varmazis: The Fed is a good read. (laughing)

Dave Bittner: I was thinking, only in cases of insomnia would I go to the Federal Reserve's website, but no, it turns out--

Maria Varmazis: I don't know.

Dave Bittner: -if you are a mighty--

Maria Varmazis: I will have to check that out. I just -- last week, I wired a significant amount of money to buy the house I am currently sitting in.

Dave Bittner: Right.

Maria Varmazis: And that was a -- I mean, that is not the first time in my life I've had to do that, but it was a bit of an ordeal unexpectedly. And I don't want to get into it too much just yet--

Dave Bittner: Yes.

Maria Varmazis: -but it definitely made me wonder about why were certain things in place versus other times I've done this. And I think I will actually have to check out the Fed's blog now that you've recommended it, because they might tell me the answer.

Dave Bittner: Yes.

Maria Varmazis: So, who'd have thunk?

Dave Bittner: Yes, surprisingly interesting. All right, that's an interesting story, Joe, and we will have a link to that in the Show Notes. Joe, Maria, it is time to move on to our "Catch of the Day." [ SOUNDBITE OF REELING IN FISHING LINE ] So, this week's "Catch of the Day" comes from Reddit, and this is actually on the /scambait subreddit. This is where people post occasions of them leading scammers along. And this was one that was unique that I had not seen before. A lot of times, you'll see these pop up and it's ground that we have covered many times here. But this was a new one. Maria, I'm going to ask you to play the part of the celebrity here, and I can't think of -- I can think of no other celebrity that you are more suited to play than this one. When I look at you, I'm sure every morning in the -- you get up and you go to the -- look in the mirror and you say to yourself, "Is that Maria or is that Dolly Parton?"

Maria Varmazis: And my husband says every day the same thing, the moment he wakes up. Yes, seriously. All right, I'll do my best Dolly by way of Massachusetts for you. I'll try to do Dolly proud. I actually really admire her, but I can't do that.

Dave Bittner: Yes.

Maria Varmazis: All right. Hello, my friend. What are you doing?

Dave Bittner: Is it really you?

Maria Varmazis: Yes, it's me, Dolly Parton, sitting on a chair in a late night show and also squatting strangely. I want you to know, I don't have full access to this backup account. I have a media team..I just check once in a while...it's your lucky day. I know there are lots of fake accounts in my name, and pictures trying to hurt others, my fans, and it's really devastating. My management is working it directly with Mark Zuckerberg.

Joe Carrigan: Sure.

Dave Bittner: Dolly, my girl.

Maria Varmazis: Not a single period in that sentence.

Dave Bittner: Dolly, my girl. Facebook's been putting us all through hell. I hear you. Do you have any new secret music coming out? I won't tell anyone, ha ha.

Maria Varmazis: Yes, but I can't share it with you until you are in my VIP. I must say that I have enormous respect for you, considering the manner in which I have made contact with you. I am very glad you are a fan of mine, because where I am today is the support of my fans.

Dave Bittner: What song of yours is your favorite?

Maria Varmazis: "9 dash 5." I know that's not how the song is. "Jolene," "Island in the Stream."

Dave Bittner: My favorite song by you is "Hit Me Baby One More Time."

Joe Carrigan: All right, hold on. First off, I'm going to say, the scammer did his homework. Okay? He knows that "9 to 5" and "Jolene" are both Dolly Parton songs and "Island in the Stream" was her and Willie Nelson?

Dave Bittner: Kenny Rogers.

Joe Carrigan: Kenny Rogers.

Dave Bittner: Yes.

Joe Carrigan: I knew it was another country singer.

Dave Bittner: Yes.

Maria Varmazis: The millennial in me loves the "Hit Me Baby." Oh, good. I like that. And I also have some little questions to ask you, as a special true music fan of mine.

Dave Bittner: Mostly a fan of your looks.

Maria Varmazis: Thanks for changing that, too. Oh, okay. How old are you and where are you located? How are your family and work?

Dave Bittner: I'm 35. Am I too old for you, Dolly?

Maria Varmazis: No, that'll be okay. Please, I don't want you to share anything I say with anyone, because you know I have to protect my dignity and personality, okay?

Dave Bittner: I don't ever share things people say to me in messages. Geez, Dolly.

Maria Varmazis: Can I see your picture to know who I am talking to? Random woman pictures with hands as claws. Okay, look great. Oh, wait, that's you. That's you. I got confused who was sending the pictures.

Dave Bittner: I think -- I think yes, I'm sending the pictures and it's -- so, it's a woman who I suppose is showing maybe that she has no wedding ring or something, I don't know.

Joe Carrigan: Yes.

Dave Bittner: It's a strange picture. I was surprised that it was a picture of a woman, honestly. But--

Maria Varmazis: Why not?

Dave Bittner: -yes.

Maria Varmazis: Okay, look great. How would you feel if you had the chance to meet me?

Dave Bittner: I'd just have to try to kiss you. LOL.

Maria Varmazis: Love, heart emoji, heart emoji. Are you a member of my VIP fan?

Dave Bittner: Yes, I'm the President.

Maria Varmazis: I don't think so. I do know all the presidents. If you possess my True Fan ID card, you will be granted free access to all my shows. Additionally, you will receive complimentary items like my autograph and seasonal gifts.

Dave Bittner: Is the fall seasonal gift pumpkin spice themed? Please say yes?

Maria Varmazis: Yes. Also, you will receive your birthday package, and your name will be added to my official list of fans.

Dave Bittner: Oh, my God. What kind of pumpkin spice gift am I getting?

Maria Varmazis: CD, but only after you buy the card. It costs money, but you can pay for any level.

Joe Carrigan: His pumpkin spice CD.

Maria Varmazis: Three VIP memberships levels. Most expensive lev is $800. We have a ruby and a diamond. The ruby is just $400 and the diamond is just $500. You can get the any one of your choice.

Dave Bittner: I want one of each.

Maria Varmazis: Okay, good. That is even better for you. That'll cost you 15 -- oh, no, let me do math. That'll cost you $1,500.

Dave Bittner: That will be no problem at all because I'm very successful.

Maria Varmazis: When because I don't have much time here. Can you make the payment now?

Dave Bittner: Holy crap. Are you dying?

Maria Varmazis: Yes. I use Cash App and Zelle. How about you?

Dave Bittner: I have bank accounts worldwide, because like I said, I'm very successful. You forgot to be polite and ask what I do? But that's okay.

Maria Varmazis: Okay, good, I love that. Are you a singer too, or what? Can you use BTC?

Dave Bittner: I work--

Maria Varmazis: Bitcoin, right?

Joe Carrigan: Yes.

Dave Bittner: -I work for the worldwide, underground mafia tracking and prosecuting cyber criminals.

Maria Varmazis: I'm going to exit the chat now.

Dave Bittner: All right, that's enough of that. Wow, well done, Maria. Well done.

Maria Varmazis: Oh, thanks. Yes, do you use Cash App or Zelle?

Dave Bittner: I really, really felt like I -- I had Dolly Parton on the other end of the line here. It was just--

Joe Carrigan: Yes, I think this person really felt like she had Dolly Parton on the other end of the line, too.

Dave Bittner: Just really convincing.

Joe Carrigan: I've got to say, I -- still hats off to whoever this is for at least pulling up three actual Dolly Parton songs. They missed the fact that "Hit Me Baby One More Time," is a Britney Spears song.

Maria Varmazis: If you Google "Dolly Parton songs," the three top songs that come up on Google are, "9 to 5," "Jolene," and "Islands in the Stream."

Joe Carrigan: Okay, all right.

Maria Varmazis: So, they Googled it.

Dave Bittner: Right. That's funny. All right. So, that is a good one. And of course, we would love to hear from you. If there's something you'd like us to consider for the "Catch of the Day," you can email us. It's hackinghumans@n2k.com. [ Music ] And that is "Hacking Humans" brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cyber security. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your business investment: your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our Executive Producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tre Hester. Our Executive Editor is Brandon Karpf. Peter Kilpe is our Publisher. I'm Dave Bittner.

Joe Carrigan: I'm Joe Carrigan.

Maria Varmazis: And I'm Dolly Parton. I'm Maria Varmazis.

Dave Bittner: Thanks for listening. [ Music ]