Hacking Humans 5.1.25
Ep 336 | 5.1.25

The prince, the pretender, and the PSA.

Transcript

Dave Bittner: Hello, everyone. And welcome to N2K CyberWire's "Hacking Humans" podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hi, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: And we have a very special guest today, Rob Allen from ThreatLocker. Hello, Rob.

Rob Allen: Hello.

Dave Bittner: Glad to have you with us here today. Maria is on vacation this week. We've got some good stories to share this week, and why don't we jump right in here, Joe? You want to start things off for us?

Joe Carrigan: Yes. I'll start things off. The -- my story actually comes because Maria, our absent cohost, was on LinkedIn and liked a post from Brian Krebs. Actually she said she found it insightful.

Dave Bittner: Okay.

Joe Carrigan: So it is a post that Brian Krebs put up about the public service announcement that the FBI's Internet Crime Complaint Center, that's the IC3, put up on their web page. And they are saying, "Watch out for people impersonating us."

Dave Bittner: Okay.

Joe Carrigan: Right? This is great news, isn't it? I mean this is how, you know -- my comment on this LinkedIn post, "Is nothing sacred to these scammers?" And then a couple space bars down, "No. Nothing is sacred to these people." So complaints report that initial contacts happened in a number of ways. Some people receive a phone call. Some get an email. Others are approached on social media. And almost all the complaints indicate the scammers claimed they had recovered the victim's lost funds. And said, "Hey. We're here to help. Let us get these lost funds back." Of course this is exactly the same MO as a follow-on scam. You know, when you get scammed out of some money somebody else contacts you and says, "Hey. We heard that you lost money. We're going to help you get it back. Send us a little bit of cash to start the investigation and we will begin the process." And again that's just another scam.

Dave Bittner: Yeah.

Joe Carrigan: So this is looking like it's trying to victimize people who have lost money already. At least it does to me.

Dave Bittner: Yeah.

Joe Carrigan: The IC3 says -- has some tips to protect yourself. And they say, "We will never directly communicate with the individual via phone, email, social media, phone apps, or public forums. If further information is needed, individuals will be contacted by FBI employees from the local field offices or other law enforcement officers." So I don't know what that means. Do they just show up and identify themselves? Because if they're not going to call you, notify you in any way --

Dave Bittner: G-men show up at your door.

Joe Carrigan: Right. Yeah. Government toughs. Who knows? Scammers will change aliases and tactics. However the scheme generally remains the same so they say never share information with people you have met online or only over the phone. The IC3 will not ask for payment to recover lost funds. This is true. The FBI does not need your money to get your money back. If they've recovered your funds or the funds of a group of people that they're going to distribute, they do that as part of their -- there are no fees associated with that for victims.

Dave Bittner: Right. Right. Yeah. Absolutely.

Joe Carrigan: And finally they say -- and this is what Brian Krebs kind of thought was the funniest thing was they say if you are contacted by these contact the Internet Crime Complaint Center and file a report.

Rob Allen: The real one.

Joe Carrigan: The real one. Right.

Rob Allen: Not the fake one.

Joe Carrigan: Not the fake one. That doesn't do you any good.

Dave Bittner: Right. How would you know? I mean -- I mean this is where we are today. Right? I mean, Rob, I'm curious of your take on this because it's we've talked about it here. If you Google Internet Crime Complaint Center there's a decent chance something's going to pop up that's not actually them. Right?

Rob Allen: Yeah. Well, I mean fundamentally it comes back to trust no one and nobody. And nothing. And obviously Google search results can be somewhat troublesome too because it's not that difficult for somebody to pay for a, you know --

Joe Carrigan: Malicious ad.

Rob Allen: Exactly. Exactly. A redirect to somewhere you don't want to be going to. So I mean as I said it fundamentally comes back to be very careful. And look. There's obviously I think there's a genuinely a sad part of this which is they're trying to rescam people who've already been scammed. And that is it's unfortunate and quite sad. I mean it's to be honest it's not unlike organizations that pay to, you know, when there's a -- or when they get hit by a ransomware attack. I mean one of the things that you do by paying when you're hit is effectively you're advertising yourselves as somebody who will pay. So in reality you're probably increasing the probability that you're going to get hit again because they're going to go, you know, "Those guys pay so let's hit them again." But yeah. There -- it's kind of funny, but it's also kind of sad in that they are retargeting people who've already probably lost money to scammers.

Dave Bittner: Yeah.

Joe Carrigan: Yep. Speaking of the IC3, they have released their annual report for 2024 and they have noted an increase of 33% in losses from 2023. So they are now totaling -- these are just reported losses to the IC3. $16.6 billion.

Dave Bittner: Wow.

Joe Carrigan: This -- we'll put a link to the report in the show notes. I mean there's a lot of cool statistics in here. But I think we have a lot to cover today so --

Dave Bittner: I have read the report and actually last week on the CyberWire I spoke with Cynthia Kaiser who's from the FBI cyber division. And we talked about the report and so if you're interested in some of the coverage there and what they're thinking, the things that they feel are worth highlighting, go check that out over on the CyberWire. Again it's my interview with Cynthia Kaiser. Really interesting stuff.

Joe Carrigan: I will say this. The average loss, the average loss, was $19,000. That is a steep average loss.

Dave Bittner: Yeah. Yeah. That would make a difference in my life.

Joe Carrigan: Right. I will -- and you can temper that with the fact that if you're reporting a small loss -- or if there is a small loss you're probably not reporting it. Right? People -- you know, there's a self selection bias here in the size of the loss. But still $19,000 was the average loss.

Dave Bittner: Wow. That's a lot.

Joe Carrigan: Yep.

Dave Bittner: All right. Well, we will have a link to the report and the story from Brian Krebs for the PSA in our show notes. So do check that out. We'll be right back after this message from our show sponsor. Let's move on here to Rob's story. Rob, what do you have for us this week?

Rob Allen: Just going to talk a little bit without getting into too much detail about the cyber attack, the MGM cyber attack, that took place not too long ago. Look. We tend not to get, as I said, too detailed about specific attacks and specific incidents, but I do think the really interesting part about this was the social engineering aspect that effectively it was a phone call. Somebody I mean they basically researched their targets through social networks, found somebody who was obviously in the support department, and then effectively called somebody else pretending to be that person. So obviously it turned into a $100 million cyber event, but it basically started with simple social engineering.

Dave Bittner: Well, let's dig into some of the details here. I mean I'm the person who got victimized. Presumably I'm working at MGM and someone decided that I was going to be their target.

Rob Allen: Pretty much. Yeah. So basically they then called -- well, apparently they called I don't know if it's the MGM themselves or one of their vendors pretending or pertaining to be that person. Basically again as I said details are somewhat scarce and they don't tend to release them and I think a lot of this reporting is actually from the gang themselves. I think it was Scattered Spider was the name of the particular gang that perpetrated the attack. But they were the ones who pretty much said that, "We did this through social engineering." But they basically the general consensus is that they managed to get into the organization's Okta system and reset MFA on certain accounts and basically just snowballed from there.

Dave Bittner: Yeah. I mean once you're in I guess that's kind of the ballgame.

Rob Allen: Especially when it's a support person or a support engineer because they tend to have access to a lot of other things.

Dave Bittner: Right. How do we suppose folks can protect themselves against this? If someone calls and says, "Hey, I'm from tech support. I'm here to help." What sort of things can be in place?

Rob Allen: It's a really good question. I mean again it comes back to the trust no one effectively. So somebody calls you saying they're from support, ring them back. You know, ring support back. I mean obviously if you -- and again it's even more difficult these days with the likes of AI and how easy it is to, you know, generate people's voices. I mean that's the really scary part. You might think that the person on the other phone is a person that you know because their voice sounds like them, but it may not actually be them. But I suppose most organizations will have, you know, a certain modus operandi or a way that their support department operates. I mean put it like this. Like our support guys here generally speaking don't ring me. You know, maybe get a Teams message, that kind of stuff, but I mean it just basically just keep an eye out for anything out of the ordinary. I mean we -- one of the exercises we do from time to time is we actually I subscribe to an AI voice generating service and created a what I call -- So our CEO is Danny Jenkins. So I created an AI Danny. Now as it happens all I used it was to say that Rob was right about everything and he's really good at golf. But I mean I think I could have equally used that to, you know, ring one or -- or to contact one of our infrastructure guys and get them to do something that they very much shouldn't have done. And again who's to know? So basically take everything with a healthy dose of skepticism and suspicion and, you know, if in doubt, hang up and call back.

Dave Bittner: Yeah. Any thoughts on this one, Joe?

Joe Carrigan: Yeah. I agree 100%. Hang up and call back. That is the best way. And if you say, "I'm going to call you right back, what's your extension?" The person on the other end should be able to answer that question without any issue.

Dave Bittner: Yeah. I would add to that that don't let them tell you the phone number to call back. Right? Don't let that -- oh listen. I'm on my mobile device. I'm in the car. So call me here. Right? Like that's --

Joe Carrigan: Okay. Well, no. We can't do this right now. I'll wait until you get back to the office.

Dave Bittner: Yeah. Yeah.

Rob Allen: The other thing actually just to mention in this particular case is that this gang apparently had a lot of either -- well, basically native English speakers. So if you're expecting the scammer on the other end of the phone to be, you know, have a weird accent or sound like Boris from, you know, Moscow, it's not going to happen realistically. They've probably got native English speakers on the payroll that they're using to perpetrate these scams. So it's another thing to just be aware of. Just because somebody speaks beautiful fluent English or U.S. English or whatever the case may be, wherever you happen to be, that doesn't mean that they are the good guys.

Dave Bittner: Yeah. I saw another story. I think we may have talked about this where there is a system that will do real time basically accent neutralization for you.

Joe Carrigan: Yes.

Dave Bittner: So if you have any sort of regional accent you speak into this system and what comes out the other side is whatever you want it to be, but like in the case of here in the U.S. it would be sort of a neutral Midwestern accent.

Rob Allen: You mean I can take the Mississippi out of my accent?

Joe Carrigan: Yes.

Rob Allen: Now that would be really cool.

Dave Bittner: Not that we have anyone in mind, Rob.

Joe Carrigan: Yeah. You mean the mississiliffi.

Rob Allen: I'm taking the hint. I'm taking the hint. I'll have it prepared for next time we talk.

Dave Bittner: No. I think probably most people on our side of the pond would probably prefer to have your accent, Rob, actually. Probably work pretty well, you know, if you're a single man at a bar. All right. Well, we will have a link to Rob's story in the show notes. And of course we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com. Let's take a quick break. We'll be right back after this message from our show sponsor. All right. And we are back. My story this week is kind of I guess it's good news in that law enforcement has arrested a scammer who was part of a Nigerian prince scam. Now what caught my eye about this is that the person they arrested is a 67 year old man from Louisiana.

Joe Carrigan: And I'm looking at his picture right now. I'm going to bet he is not Nigerian.

Dave Bittner: No. Not at all. You would not look at this man and say, "Nigerian prince." He is -- looks like a 67 year old man from Louisiana, and not very happy that he got -- that he's having his mugshot taken.

Joe Carrigan: I love people who smile when they're getting their mugshots taken.

Dave Bittner: Right.

Joe Carrigan: That's one of my favorite things about life.

Dave Bittner: So this gentleman is facing 269 counts of wire fraud and 1 count of money laundering and apparently he was partnering with actual folks from Nigeria.

Joe Carrigan: I see.

Dave Bittner: Who were part of this.

Rob Allen: Were they princes? That's the question.

Dave Bittner: I'm going to go out on a limb here and say probably not.

Joe Carrigan: Okay. Okay.

Dave Bittner: Although --

Rob Allen: Then he is probably a scammer.

Dave Bittner: Although I don't know what the threshold is for being considered a prince in Nigeria so maybe it's not a terribly high bar. I don't know.

Rob Allen: I'm guessing it's being the son of a king.

Dave Bittner: Yeah. Yeah. Exactly.

Rob Allen: Now again obviously I don't know a lot about royalties or that kind of thing, royaltiness.

Joe Carrigan: Royals.

Rob Allen: Royals. Yes. I'm pretty sure a prince is the son of a king. So.

Dave Bittner: Yeah. Well, who knows?

Rob Allen: That's probably the bar.

Dave Bittner: Could be the son of the, you know -- the king of auto sales at Nigeria's used cars.

Rob Allen: That could be a prince.

Dave Bittner: Right. Technically a prince. It's on my business card. But they claim that they had taken hundreds of thousands of dollars from folks. The scam was typical Nigerian prince scam. They claimed that the recipient was the beneficiary of a will and that they were going to inherit at least a million dollars. And then they're asked to send personal information which is then used to con them out of their money. And so this gentleman was wiring money back to co-conspirators in Nigeria. So I guess he was the local guy.

Joe Carrigan: Yeah.

Dave Bittner: You know, like they somehow reached out to him and I'm speculating here, but probably said, "Hey, we need somebody stateside to make this look more legit and we'll cut you in a piece of the action."

Joe Carrigan: Probably has to do with international money moving and if you're going to wire money to an international account maybe that's subject to more scrutiny than just wiring it to another American bank.

Dave Bittner: Yeah.

Joe Carrigan: And, you know, we had a story a couple weeks ago about a woman who was doing something similar laundering money. I can't remember where it was, but she was receiving money directly into her own bank account and then sending it overseas through cryptocurrency.

Dave Bittner: Oh yeah. I remember that story.

Joe Carrigan: And, you know, I'm -- if you're going to launder money for international crime cartels --

Dave Bittner: Yes.

Rob Allen: That's a big if.

Joe Carrigan: Probably a bad idea to use your own real bank account or, you know, have them -- hey, they're international crime syndicates. Have them set up an account that isn't yours that you have access to.

Dave Bittner: Joe's crypto corner here.

Joe Carrigan: Right. Yeah.

Rob Allen: I mean that's like incredibly good advice.

Joe Carrigan: Yeah.

Rob Allen: I'll be sure to keep it in mind in the future.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Rob Allen: The next time I'm perpetrating a crypto scam.

Joe Carrigan: Right. It's like money laundering 101. I mean it's --

Dave Bittner: Yeah. Well.

Rob Allen: It's money laundering 101.

Dave Bittner: Crooks are stupid. That's why they're crooks. The local police chief warned people to never give out personal information on the phone or via email or to wire money to anyone they don't know.

Joe Carrigan: Right.

Dave Bittner: So yeah.

Rob Allen: And added 99% of the time it's probably a scam.

Joe Carrigan: Yeah.

Dave Bittner: In this case it is. I guess the sad part is I mean I have a limited amount of sympathy for this man who was part of this criminal enterprise, but the sad part is his co-conspirators over in Nigeria will likely just move on with their business and find another, you know --

Joe Carrigan: Another patsy.

Dave Bittner: Yeah. Another sad sack to take over where he dropped off. And I -- you know what? I'd be willing to bet he wasn't the first and he won't be the last.

Joe Carrigan: Yeah. And that's the thing. These guys don't care about what's his name, Michael Neu. Is that how you say it, N-E-U? They don't care about him.

Dave Bittner: No.

Joe Carrigan: You know, he might have gotten some monetary gain from it, but he's expendable as far as they're concerned.

Dave Bittner: Right. He was convenient.

Joe Carrigan: Yep. So when I say if you're going to launder money for an international crime syndicate, just understand you're just as expendable as the victim is. You know, it's you're going to be exploited like this and when law enforcement comes they're coming for you because law enforcement can get to you here in the United States pretty easily.

Dave Bittner: Yeah. Well, and I think it's a good reminder too, you know, we often talk about warning your friends and family and particularly your elderly friends. This gentleman was no spring chicken.

Joe Carrigan: Yep.

Dave Bittner: And so perhaps this was an offer too good to be true, but you know warn them as well that if somebody comes along and says, "Hey, I got a really easy business deal for you to be a part of," don't.

Rob Allen: And that was, Dave, that was exactly what I was going to say. Like the answer you gave a minute ago about if you're going to launder money for an international crime syndicate and then a really good reason of the reasons why not I would sum that up as just don't.

Dave Bittner: Right.

Rob Allen: End of discussion. End of argument.

Dave Bittner: Full stop. Period. Do not continue. I think that is the wise course.

Rob Allen: Yes. Yeah. No. Don't.

Dave Bittner: Just don't, you know. We should have t-shirts made up that just say don't.

Rob Allen: Don't. Right.

Dave Bittner: All right. Well, that is my story. We'll have a link to that in the show notes. Joe, Rob, it is time to move on to our Catch of the Day. [ Soundbite of reeling in fishing line ] [ Music ]

Joe Carrigan: Dave, our catch of the day comes from the scam subreddit, and it is -- oh. It looks like it's a law enforcement impersonation scam.

Dave Bittner: Yes. So it comes up first of all there is an image of a badge.

Joe Carrigan: Dun dun dun dun.

Dave Bittner: From --

Joe Carrigan: The "Dragnet" theme plays in my head whenever --

Dave Bittner: Yeah. From -- this is allegedly from the Department of Homeland Security. And it says "Very respectfully, special agent, Homeland Security investigations, New York. Human exploitation and trafficking team. Good afternoon. If you're receiving this message we believe you may be a victim of a financial scam. If you are not, please disregard and respond to this email accordingly. If you want to contact us via phone feel free to give me a call at the phone number listed below. We respectfully advise you to change any and all passwords to any social media, financial, email, or other accounts and applications anyone may have had access to. As a reminder, no government official will ask you for any personally identifiable information or money. If someone claiming to be a government official asks you for money to recover funds this is likely a scam. We will only contact you from this official email address or the phone number provided below. Government officials will not contact you via Telegram, WhatsApp, or any other messaging application. If you believe you have been a victim of a financial scam, please respond to this email confirming."

Rob Allen: Could I just point something out?

Dave Bittner: Please.

Joe Carrigan: Yeah.

Rob Allen: Government officials will not contact you via Telegram or Signal unless you're a journalist.

Dave Bittner: I was going to say, "Rob, we've had some evidence to the contrary of that recently." But I think you're right. I think you're right. They will not. How do we rate this one, Joe?

Joe Carrigan: Well, it's got that picture. It's got a badge on it so hey let me show you my badge.

Dave Bittner: Yeah.

Joe Carrigan: How do I rate it? I mean it's got -- I don't know. I guess first off there's some awkward English in here like, "If you are not -- " First it says, "You may be a victim of a financial crime. If you are not, please disregard and respond to this message accordingly."

Dave Bittner: Yeah.

Joe Carrigan: What does that mean?

Dave Bittner: Yeah.

Joe Carrigan: Am I supposed to disregard or respond?

Dave Bittner: Right.

Rob Allen: Accordingly.

Joe Carrigan: Accordingly. Right.

Dave Bittner: And if you're telling me that I've been a scam, why are you giving me the option to not have been scammed?

Joe Carrigan: Right.

Dave Bittner: Just awkward.

Joe Carrigan: Yeah. I mean it's this is more follow-on scams. We have a lot of follow-on scam stuff today.

Dave Bittner: Yeah.

Joe Carrigan: It's more of a follow-on scam trying to look for people who have already been victimized because they're probably easier to victimize again. And this is probably going to be something where they get some information, although it does say no government official will ever ask you for any personal information or money which is weird. Why are they saying that when you know they're going to ask for money?

Dave Bittner: Yeah. Eventually. This is probably just to put you at ease for the initial contact.

Joe Carrigan: Right.

Dave Bittner: And then once you get in touch with them they will immediately try to switch you to Telegram, WhatsApp, or any messaging app. Signal. Exactly. Well, it's --

Rob Allen: Only if you're a journalist.

Joe Carrigan: Right.

Dave Bittner: That's right. That's right.

Rob Allen: Or wife.

Dave Bittner: Yeah. That's an interesting aspect, Joe. I mean it closes by saying if you believe you've been a victim of a financial scam please respond to this email confirming. It's a way to get previous victims.

Joe Carrigan: Right.

Dave Bittner: It's filtering. Right? It's filtering people who are -- who have been victims and therefore are sadly probably more likely to be a victim.

Joe Carrigan: Absolutely.

Dave Bittner: Yeah. So don't fall for the badge. Don't respond to something like this. Overwhelming odds are this is a scam and they're just trying to string you along and get some money out of you. Sad. Sad. Sad. All right. We will have a link to that in the show notes as well and again if there's something you'd like us to consider for the Catch of the Day please email us. It's hackinghumans@n2k.com. That is our show. We want to thank all of you for listening. And special thanks to Rob Allen from ThreatLocker for joining us this week. Rob, it was great fun to have you with us.

Joe Carrigan: Thank you, Rob.

Rob Allen: Pleasure, guys. Thank you very much.

Dave Bittner: We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tre Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

Joe Carrigan: I'm Joe Carrigan.

Dave Bittner: Thanks for listening. [ Music ]