Hacking Humans

Keith Jarvis, Senior Security Researcher from Secureworks Counter Threat Unit (CTU), shares his thoughts on the alarming rise of infostealers and stolen credentials. Dave and Joe share some listener follow-up from Ron who writes in about a book, entitled "Firewalls Don't Stop Dragons" by Carey Parker, which he finds as a helpful resource when it comes to cybersecurity. Dave's story follows password management companies and how they might not be as safe as what we presume them to be, most notably the LastPass breach in the last month. Joe has two stories this week, his first on a 19 year old TikToker who was arrested for running a GoFundMe scam while portraying on the popular social media app that she was diagnosed with 3 different types of cancer. Joe's second story is on Marines outsmarting artificially intelligent security cameras by hiding in a clever way that the AI could not recognize. Our catch of the day comes from listener Tim, who writes in about an old scam with a new twist, and how he was able to figure it out.Links to stories: Password Managers: A Work in Progress Despite Popularity 19-YEAR-OLD TIKTOKER ARRESTED FOR RUNNING GOFUNDME SCAM... Over Fake Cancer Diagnosis U.S. Marines Outsmart AI Security Cameras by Hiding in a Cardboard Box Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.

A branch of the US Department of Commerce whose stated mission is to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”CyberWire Glossary link: https://thecyberwire.com/glossary/national-institute-of-standards-and-technologyAudio reference link: Center, M.I., 2022. 2022 Meridian Summit: Cultivating Trust in Technology with NIST Director Laurie Locascio [WWW Document]. YouTube. URL https://www.youtube.com/watch?v=o43Y9Tk8ZVA (accessed 1.26.23).

J. Bennett from Signifyd discusses the fraud ring that has launched a war on commerce against US merchants over the past few months. Joe and Dave share some listener follow up from Jon who writes in about an email he almost fell victim to. Joe shares two stories this week, the first on how scammers were seen posing as tech support at two US agencies in an attempt to hack their employees. Joe's second story is on a woman trying to steal 2.8 million for an elderly Holocaust survivor. Dave's story follows how an ad scam was able to break through over 11 million phones. Our catch of the day comes from husband and wife, Chad and Jen, who write in sharing a scam that Jen almost fell for. An email from "iTunes" confirming a payment of over $100 hit the music lover's inbox that she didn't authorize. The scammers went on to explain the rules behind the payment, making sure to include that if she did not make this purchase to notify them immediately.Links to stories: Scammers posed as tech support to hack employees at two US agencies last year, officials say 36-Year-Old Woman Accused of Using Romance Scam to Swindle $2.8M from Elderly Holocaust Survivor A Sneaky Ad Scam Tore Through 11 Million Phones Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.

A team responsible for responding to and managing cybersecurity incidents involving computer systems and networks in order to minimize the damage and to restore normal operations as quickly as possible.CyberWire Glossary link: https://thecyberwire.com/glossary/cirtAudio reference link: Avery, B., 2017. 24 TV May 05 Season4 [WWW Document]. YouTube. URL https://www.youtube.com/watch?v=Gq_2xPuqI-E&list=PLGHedLavrFoGsea1ZCHBm9-nK5FdM3_Kd&index=10.

Cybersecurity interview with ChatGPT.In part one of CyberWire’s Interview with the AI, Brandon Karpf interviews ChatGPT about topics related to cybersecurity. Rick Howard joins Brandon to analyze the conversation and discuss potential use cases for the cybersecurity community.ChatGPT is a chatbot launched by OpenAI and built on top of OpenAI’s GPT-3 family of large language models.Cyber questions answered by ChatGPT in part one of the interview. What were the most significant cybersecurity incidents up through 2021? What leads you to characterize these specific events as significant? What were the specific technical vulnerabilities associated with these incidents? Who were the cyber actors involved in each of these attacks? Do you think it's valuable to attribute cyber attacks to specific actors?

Nadine Michaelides from Anima People sits down with Dave to discuss preventing insider threat using behavioral science and psych metrics. Joe and Dave share some follow up regarding a Facebook scammer who is targeting Joe, as well as a letter from listener Richard who write in about business emails and the compromised warning signs they send about dangerous emails coming from outside the company. Dave shares a story about hackers who are setting up fake websites to promote malicious downloads through advertisements in Google search results. Joe's has two stories this week, one is about the latest scam in the parking ticket realm, and the second story follows West Virginia police warning residents of a Walmart scam where the scammer send you a "free 50 dollar Walmart gift card." The catch of the day comes from Penny who writes in about a scam that almost sucked her in through an email from "McAfee."Links to stories: Hackers push malware via Google search ads for VLC, 7-Zip, CCleaner That Surprisingly Real Looking Parking Ticket May Be Fake! Don’t Fall for Latest Scam McMechen Police issue warning about Walmart scam in area Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.

A software program installed unintentionally by a user that typically performs tasks not asked for by the installer. CyberWire Glossary link: https://thecyberwire.com/glossary/potentially-unwanted-programAudio reference link: Butler, S., 2022. Potentially Unwanted Programs (PUPS) EXPLAINED [Video]. YouTube. URL https://www.youtube.com/watch?v=5L429Iahbww (accessed 1.6.23).

Rohit Dhamankar from Fortra’s Alert Logic joins Dave to discuss the decline in ransomware attacks and lessons learned from the front lines. Dave and Joe share some listener follow up from Keith regarding Dave's story from last episode and how he recognizes the scams being mentioned and offers his opinions on the matter. Joe shares two stories this week, one about his ironclad gift he gave to his wife, with his second story following the buzz surrounding OpenAI, creators of ChatGPT, their new interface for their Large Language Model (LLM) and how it works. Dave's story also follows ChatGPT in a different direction. His story is on the latest popular app and its rise to fame in the app store, now charging users almost 8 dollars to use the AI technology. Our catch of the day comes from listener and friend of the show Joel who writes in about how he was contacted at his place of business by a "DEA agent" who claims Joel was committing malpractice, and if he wanted these charges to go away he would need to pay $2500.Links to stories: OPWNAI: AI THAT CAN SAVE THE DAY OR HACK IT AWAY Sketchy ChatGPT App Soars Up App Store Charts, Charges $7.99 Weekly Subscription [Update: Removed] Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.

Malware that disables a system in exchange for a ransom, usually by encrypting the system's data until the user pays for the decryption key.CyberWire Glossary link: https://thecyberwire.com/glossary/ransomwareAudio reference link: https://watch.amazon.com/detail?gti=amzn1.dv.gti.d6a9f744-47b0-ac70-aa56-b31fd0f58482&territory=US&ref_=share_ios_season&r=web

Chip Gibbons, CISO at Thrive, sits down with Dave to talk about how to defend against social engineering attacks in banking. Dave starts us off this week with a story about Amazon opening up its selling market to Pakistani residents, and what consequences that led to for the organization’s business. Joe's story follows a scam targeting soldiers in the Army. The Army warns against unknown individuals purporting to be noncommissioned officers that are calling said soldiers and asking them for money to fix a "pay problem" and, if questioned, threatening them with a punishment. Our catch of the day comes from listener Manie who writes in about a scam found when trying to download a HDRI (High Dynamic Range Image). The scam involves a fake ad asking for people’s cell phone numbers as soon as they click on a button that reads "download here". Manie shares how after she clicked the ad, she realized the mistake and immediately researched more before proceeding further.Links to stories: Amazon finally authorized Pakistani sellers. A wave of scammers followed Army Warns of Scam Targeting New Soldiers Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.