Hacking Humans

N2K Networks
Jul 13, 2023 • 51min

Encore: The rise in fraudulent online content.

Guest Jane Lee, Trust and Safety Architect from Sift, joins Dave to discuss the rise of fraudulent online content and fake crypto platforms. Dave and Joe share some listener follow-up regarding the debate over "mum" versus "mom" and who speaks which pronunciation more. Dave has two stories this week: the first follows a Twitter thread by a man who shared his story about selling a desk on Facebook and the dangers that come with that. His second story is about how hackers are using a clever new phishing technique to create email threads with multiple responses to trick potential victims into thinking bogus messages are legitimate. Joe shares the story of hackers' new way to get information by positioning themselves in the middle of your browser, between the server and your computer. Our catch of the day has a little bit of everything from Peter, who writes in about an email he received pulling out all the stops to get him to give over his information. Links to stories: Twitter thread; https://www.cyberscoop.com/phishing-scheme-targeting-mideast-researchers/; Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t! Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.

Jul 11, 2023 • 4min

Encore: NMAP (noun) [Word Notes]

A network mapping tool that pings IP addresses looking for a response and can discover host names, open communications ports, operating system names and versions. Written and maintained by Gordon Lyon, a.k.a. Fyodor, it is a free and open source software application used by both system admins and hackers alike and has been a staple in the security community for well over two decades. CyberWire Glossary link: https://thecyberwire.com/glossary/nmap

Jul 6, 2023 • 40min

Indicators to insider threats.

Our UK correspondent Carole Theriault is talking with London insurance market CISO Thom Langford about insider threats. Joe and Dave share some listener follow-up from Waldo, who writes in to share a video explaining how bad guys are able to hack users. Joe shares a report from Verizon, one of the industry's leading phone companies, about social engineering. Dave's story follows a gentleman who was able to steal one million dollars from at least 700 DoorDash drivers, and now police are warning against this sophisticated phishing scam. Our catch of the day comes from listener Ami, who writes in to share her victory in catching a scammer after receiving a weird voicemail from a so-called police officer. Links to stories: 2023 Data Breach Investigations Report; A Stamford man allegedly stole $1M from 700 DoorDash drivers. Police say his victims are hard to ID. Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.

Jul 4, 2023 • 8min

Encore: Diamond Model (noun) [Word Notes]

A cyber threat intelligence analysis model that defines relationship pairs between four core components in the shape of a diamond of adversary playbook activity across the intrusion kill chain: the adversary, their capability, the infrastructure used or attacked, and the victim. CyberWire Glossary link: https://thecyberwire.com/glossary/diamond-model Audio reference link: “Diamond Presentation v2 0: Diamond Model for Intrusion Analysis – Applied to Star Wars’ Battles,” Andy Pendergrast and Wade Baker, ThreatConnect, YouTube, 4 February 2020.

Jun 29, 2023 • 49min

Beware ChatGPT curious: Fleece-ware chatbot apps.

Guest Sean Gallagher, Principal Researcher with Sophos Xops team, joins us to discuss "'FleeceGPT' mobile apps target AI-curious to rake in cash." Joe shares some listener feedback from Jon about the "No Stupid Questions" podcast. Dave's story is from Reddit about a free piano scam. Joe's got a story on a woman pleading with her bank to stop a fake wire transfer, but they were too busy. Our Catch of the Day comes from Rob about a fake student loan help ticket. Links to stories: “FleeceGPT” mobile apps target AI-curious to rake in cash; Just ran into the most sophisticated "free piano" scam I've ever seen; Wells Fargo bankers tell East Bay customer they're too busy to stop wire scam. Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.

Jun 27, 2023 • 7min

CISA (noun) [Word Notes]

A US Department of Homeland Security agency tasked with supporting cyber and physical security for US critical infrastructure. CyberWire Glossary link: https://thecyberwire.com/glossary/cybersecurity-and-infrastructure-security-agency Audio reference link: CISA, 2021. CISA Director Jen Easterly’s Keynote at Black Hat USA 2021 [Video]. YouTube. URL https://www.youtube.com/watch?v=q7bu-L-m4K4.

Jun 27, 2023 • 8min

spam (noun) [Word Notes]

Unsolicited, unwanted, and sometimes malicious electronic messages indiscriminately transmitted to a large number of people. CyberWire Glossary link: https://thecyberwire.com/glossary/spam Audio reference link: zumpzump, 2007. Monty Python - Spam [Video]. YouTube. URL https://www.youtube.com/watch?v=anwy2MPT5RE.

Jun 22, 2023 • 52min

Risky chat applications.

Toby Pischl, Head of Information & Email Security at Broadcom, sits down with Dave to discuss how Slack and Microsoft Teams phishing is an open door into businesses. Joe and Dave share some follow-up regarding a case of a woman claiming to have cancer to receive over $37,000 from donors on GoFundMe. Joe has the terrible story out of Michigan where a high schooler committed suicide after a sextortion scam. Dave has a story on job seekers around the country and how likely they are to fall for a job scam. Our catch of the day comes from listener Albert, who writes in regarding the German phishing emails he keeps receiving. Links to stories: Madison Russo pleads guilty to theft in cancer scheme; High school football player Jordan DeMay driven to suicide after Nigerian sextortion scam, anguished family reveals; Michigan family sounds alarm on son's 'sextortion' suicide after arrests of 3 Nigerian men; Three Nigerian Men Awaiting Extradition For Committing Sexual Extortion; 1 in 3 Recent Job Seekers Have Been Tricked Into Applying for a Fake Job Scam. Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.

Jun 20, 2023 • 7min

CISA (noun) [Word Notes]

A US Department of Homeland Security agency tasked with supporting cyber and physical security for US critical infrastructure. CyberWire Glossary link: https://thecyberwire.com/glossary/cybersecurity-and-infrastructure-security-agency Audio reference link: CISA, 2021. CISA Director Jen Easterly’s Keynote at Black Hat USA 2021 [Video]. YouTube. URL https://www.youtube.com/watch?v=q7bu-L-m4K4.

Jun 15, 2023 • 53min

Replier attacks: the latest tool in a hacker's arsenal.

This week, Jeremy Fuchs from Avanan joins Dave to discuss how hackers are using replier attacks. Replier attacks are attacks in which hackers change the reply-to address to send emails from what appears to be a reputable company, when in reality it's a spoofed account. Joe and Dave share some follow-up from listener Wayne, who writes in with some comments on episode 245, and listener Michael, who writes about his first ChatGPT experience. Dave's story follows an alarming new trend in which sextortionists are making AI nudes from people's social media images. Joe's story uncovers the social engineering trick hackers use from their personal scammer's handbook. Our catch of the day comes from listener Tim, who shares a message from a "dear friend." Links to stories: Sextortionists are making AI nudes from your social media images; Offbeat Social Engineering Tricks in a Scammer’s Handbook. Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
