

Hacking Humans
N2K Networks
Deception, influence, and social engineering in the world of cyber crime.

Sep 7, 2023 • 47min
Passkeys: consumer-friendly password killers?
Guest Chris Sherwood, owner of Crosstalk Solutions, joins Dave to talk about passkeys. Joe shares some listener follow-up about "revert" and side-loading applications on Android phones. Joe's story came from a listener named Kyle who sent this as a Catch of the Day (COTD) about a phishing scam email conversation about event sponsorship. Dave discusses something he saw on Mastodon from user Bjorn about some fraudulent bank charges and stopping a scam in process. Our COTD is from listener Alec about a potential dating scam offering over Instagram.
Links to follow-up and stories:
Follow-up on side-loading applications (Note, we do not recommend you install any of these applications.)
Mastodon thread about social engineering involving fraudulent banking charges.
Chris Sherwood's passkey explainer video on YouTube
Passkeys directory website
Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.

Sep 5, 2023 • 8min
single sign-on (SSO) (noun) [Word Notes]
A session and user authentication Zero Trust tactic that allows a user to access multiple applications with one set of login credentials.
CyberWire Glossary link: https://thecyberwire.com/glossary/single-sign-on
Audio reference link: English, J., 2020. What is Single Sign-On (SSO)? SSO Benefits and Risks [Video]. YouTube. URL https://www.youtube.com/watch?v=YvHmP2WyBVY

Aug 31, 2023 • 55min
Exercise caution: online shopping edition.
Oren Koren, CPO and Co-Founder of Veriti, discusses the need for caution in online shopping. Topics include a sneaky Amazon ad leading to a Microsoft support scam, a shed builder falling for a vanity scam, and analyzing a phishing email impersonating eBay. The speakers emphasize the importance of online shopping safety and share tips to minimize risks.

Aug 29, 2023 • 4min
Encore: cross-site scripting (noun) [Word Notes]
From the intrusion kill chain model, a malicious code delivery technique that allows hackers to send code of their choosing to their victim’s browser. XSS takes advantage of the fact that roughly 90% of web developers use the JavaScript scripting language to create dynamic content on their websites. Through various methods, hackers store their own malicious JavaScript code on unprotected websites. When the victim browses the site, the web server delivers that malicious code to the victim’s computer and the victim’s browser runs the code.

Aug 24, 2023 • 50min
Hunting the hackers.
The podcast covers various interesting topics like Hawaii fire scams, a banking glitch in Ireland, mobile beta-testing scams, and tracking down scammers on Twitter. They also discuss the emotional toll of romance scams, the manipulations in Google Maps, and frustrations with law enforcement's response to cybercrime. One of the hosts shares a personal experience with a hotel reservation scam and emphasizes the importance of healthy paranoia in their line of work. Overall, they provide insights into different scam tactics and the efforts to catch and report scammers for justice.

Aug 22, 2023 • 4min
Encore: credential stealing (verb) [Word Notes]
From the intrusion kill chain model, the first part of an exploitation technique where the hacker tricks their victims into revealing their login credentials. In the second part of the technique, hackers legitimately log into the targeted system and gain access to the underlying network with the same permissions as the victim. Hackers use this method 80% of the time compared to other ways to gain access to a system, like developing zero-day exploits for known software packages. The most common way hackers steal credentials is with some version of a phishing attack.

Aug 17, 2023 • 54min
AI versus AI.
They discuss generative AI and authentication, a device that records phone calls, the FBI warning against scammers posing as NFT devs, and test their scammer catching skills. They analyze various scam scenarios and discuss using AI against AI for online safety. The podcast also explores the impact of AI on online authentication, unproductive conversations on social media, and the use of AI algorithms to differentiate groups based on skin pigmentation.

Aug 15, 2023 • 9min
two-factor authentication (noun) [Word Notes]
An authentication process that requires two different factors before granting access.
CyberWire Glossary link: https://thecyberwire.com/glossary/two-factor-authentication

Aug 10, 2023 • 58min
AI: A battle between heroes and villains.
Dave Baggett from INKY joins Dave to dive into the latest phishing trends and discuss a broader view of how AI is being used by both the good guys and the bad guys. Joe's story this week dives into the APT with an entirely too cool name, Midnight Blizzard, that has been conducting targeted social engineering towards the popular Microsoft Teams. Dave's story this week follows a Facebook Market user who dodged one scam, just to fall right back into another one. Our catch of the day comes from listener Mauricio who writes in and shares a funny voicemail regarding a "potential W-2 refund."
Links to stories:
Midnight Blizzard conducts targeted social engineering over Microsoft Teams
Seller dodges Facebook Marketplace scam only to fall into another trap

Aug 8, 2023 • 4min
Encore: phishing (verb) [Word Notes]
From the intrusion kill chain model, the delivery of a “lure” to a potential victim by pretending to be some trustworthy person or organization in order to trick the victim into revealing sensitive information. According to KnowBe4, the word “phishing” first appeared in a Usenet newsgroup called AOHell in 1996 and some of the very first phishing attacks used AOL Instant Messenger to deliver fake messages purportedly from AOL employees in the early 2000s. The word is part of l33tspeak that started in the early days of the internet (1980s) as a shorthand to let readers know the author was part of the hacker community. In this case, the letters “ph” replace the letter “f” in the word fishing, as in “I fish, with an ‘f,’ for bass in the lake.” In hacking, “I Phish, with a ‘ph,’ for login credentials from key employees at my target’s organization.”