Hacking Humans

Delve into the latest in social engineering scams, including a wild tale of a fake app used to outsmart a bike thief. Discover the alarming rise of subscription scams that exploit consumers with deceptive mystery boxes and hidden fees. The hosts also discuss the SHIELD Act, aimed at banning revenge porn and the implications for encryption. Tune in for a listener's experience with a suspicious email offering a 'free gift,' serving as a classic scam alert. It’s a rollercoaster ride through the digital jungle of fraud!

Welcome in! You’ve entered, Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is ⁠Selena Larson⁠, ⁠Proofpoint⁠ intelligence analyst and host of their podcast ⁠DISCARDED⁠. Inspired by the residents of a building in New York’s exclusive upper west side, Selena is joined by ⁠N2K Networks⁠ ⁠Dave Bittner⁠ and our newest co-host, Keith Mularski, former FBI cybercrime investigator and now Chief Global Ambassador at Quintel. Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, our hosts discuss the growing trend of cybercriminals using legitimate remote monitoring and management (RMM) tools in email campaigns as a first-stage payload. They explore how these tools are being leveraged for data theft, financial fraud, and lateral movement within networks. With the decline of traditional malware delivery methods, including loaders and botnets, the shift toward RMMs marks a significant change in attack strategies. Tune in to learn more about this evolving threat landscape and how to stay ahead of these tactics.

Please enjoy this encore of Word Notes. Software users are allowed access to data or functionality contrary to the defined zero trust policy by bypassing or manipulating the installed security controls. 

As Maria is on vacation this week, our hosts ⁠Dave Bittner⁠ and ⁠Joe Carrigan⁠, are sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. Joe and Dave are joined by guest Rob Allen from ThreatLocker who shares a story on how a spoofed call to the help desk unraveled into a full-blown cyber siege on MGM Resorts. Joe’s story is on a new FBI warning: scammers are impersonating the Internet Crime Complaint Center (IC3), the very site where people go to report online fraud. Dave's got the story of a so-called “Nigerian prince” scammer who turned out to be a 67-year-old man from Louisiana, now facing 269 counts of wire fraud for helping funnel money to co-conspirators in Nigeria. Our catch of the day comes from a scams subreddit, and is on a message received from the Department of Homeland Security reaching out to a user to share that they are a victim of fraud. Resources and links to stories: Investigating the MGM Cyberattack – How social engineering and a help desk put the whole strip at risk. Brian Krebs LinkedIn FBI Warns of Scammers Impersonating the IC3 IC3 2024 Report 'Nigerian prince' scammer was 67-year-old from Louisiana, police say Have a Catch of the Day you'd like to share? Email it to us at ⁠hackinghumans@n2k.com⁠.

Please enjoy this encore of Word Notes. The state of a web application when it's vulnerable to attack due to an insecure configuration.  CyberWire Glossary link: ⁠https://thecyberwire.com/glossary/owasp-security-misconfiguration⁠ Audio reference link: ⁠“What Is the Elvish Word for Friend?”⁠ Quora, 2021.

This week, hosts dive into the nefarious world of scams, including the rise of fake banking apps that trick sellers into losing their goods. They also tackle the dangers of AI hallucinations, revealing how malicious software can hide in misleading packages. A shocking smishing campaign targeting toll payments is uncovered, with criminals impersonating services to steal sensitive information. Plus, listeners share their own experiences with suspicious messages, adding to the discussion of trust in digital communications.

Please enjoy this encore episode of Word Notes. A broad OWASP Top 10 software development category representing missing, ineffective, or unforeseen security measures.CyberWire Glossary link: https://thecyberwire.com/glossary/owasp-insecure-designAudio reference link: “Oceans Eleven Problem Constraints Assumptions.” by Steve Jones, YouTube, 4 November 2015.

This week, a heartfelt discussion unfolds as one host reflects on the emotional impact of losing a loved one. The chaos surrounding Trump’s tariff policies is linked to a surge in phishing scams, showcasing how scammers exploit confusion. The 'blessing scam' targets vulnerable elderly women, leading to financial disaster. Meanwhile, new FTC rules promise easier subscription cancellations. Plus, Montclair University warns about a deceitful free travel trailer offer, highlighting the clever tactics of cybercriminals.

Please enjoy this encore of Word Notes.A broad class of attack vectors, where an attacker supplies input to an applications command interpreter that results in unanticipated functionality. CyberWire Glossary link: https://thecyberwire.com/glossary/owasp-injectionAudio reference link: “APPSEC Cali 2018 - Taking on the King: Killing Injection Vulnerabilities” YouTube Video. YouTube, March 19, 2018.

This week, the hosts dive into the murky waters of social engineering scams and phishing schemes. They discuss a staggering $8.2 million seizure from a romance scam linked to cryptocurrency and explore the alarming 'pig butchering' scheme that has left a Maryland woman devastated. Personal anecdotes reveal troubling toll payment issues and how scammers exploit innocent targets. Plus, a humorous breakdown of a fake message from Elon Musk sheds light on celebrity scams, blending caution with entertainment.