Each week the CyberWire’s Hacking Humans Podcast looks behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. We talk to social engineering experts, security pros, cognitive scientists, and those practiced in the arts of deception (perhaps even a magician or two). We also hear from people targeted by social engineering attacks and learn from their experiences.
Encore: social engineering (noun)
The art of convincing a person or persons to take an action that may or may not be in their best interests. Social engineering in some form or another has been around since the beginning of time. The biblical story of Esau and Jacob might be considered one of the earliest written social engineering stories. As applied to cybersecurity, it usually involves hackers obtaining information illegitimately by deceiving or manipulating people who have legitimate access to that information. Common tactics include phishing attacks and watering hole attacks.
10/10/2023 • 4 minutes, 10 seconds
The CyberWire: The 12 Days of Malware. [Special Editions]
Merry Christmas and Happy Holidays from the CyberWire and our friends! Enjoy our rendition of the 12 Days of Malware created by Dave Bittner and performed by Dave and friends: Rachel Tobac, Jayson Street, Ron Eddings & Chris Cochran, Ray [Redacted], Dinah Davis, Camille Stewart, Rick Howard, Michelle Dennedy, Jack Rhysider, Johannes Ullrich, and Charity Wright. Ba dum bum bum. Sing along if you are game! Check out our video for the full effect!
The 12 Days of Malware lyrics
On the first day of Christmas, my malware gave to me:
A keylogger logging my keys.
On the second day of Christmas, my malware gave to me:
2 Trojan Apps...
And a keylogger logging my keys.
On the third day of Christmas, my malware gave to me:
3 Web shells...
2 Trojan Apps...
And a keylogger logging my keys.
On the fourth day of Christmas, my malware gave to me:
4 Crypto scams...
3 Web shells...
2 Trojan Apps...
And a keylogger logging my keys.
On the fifth day of Christmas, my malware gave to me:
5 Zero Days!
4 Crypto scams...
3 Web shells...
2 Trojan Apps...
And a keylogger logging my keys.
On the sixth day of Christmas, my malware gave to me:
6 Passwords spraying...
5 Zero Days!
4 Crypto scams...
3 Web shells...
2 Trojan Apps...
And a keylogger logging my keys.
On the seventh day of Christmas, my malware gave to me:
7 Scripts a scraping...
6 Passwords spraying...
5 Zero Days!
4 Crypto scams...
3 Web shells...
2 Trojan Apps...
And a keylogger logging my keys.
On the eighth day of Christmas, my malware gave to me:
8 Worms a wiping...
7 Scripts a scraping...
6 Passwords spraying...
5 Zero Days!
4 Crypto scams...
3 Web shells...
2 Trojan Apps...
And a keylogger logging my keys.
On the ninth day of Christmas, my malware gave to me:
9 Rootkits rooting...
8 Worms a wiping...
7 Scripts a scraping...
6 Passwords spraying...
5 Zero Days!
4 Crypto scams...
3 Web shells...
2 Trojan Apps...
And a keylogger logging my keys.
On the tenth day of Christmas, my malware gave to me:
10 Darknet markets...
9 Rootkits rooting...
8 Worms a wiping...
7 Scripts a scraping...
6 Passwords spraying...
5 Zero Days! (Bah-dum-dum-dum!)
4 Crypto scams...
3 Web shells...
2 Trojan Apps...
And a keylogger logging my keys.
On the eleventh day of Christmas, my malware gave to me:
11 Phishers phishing...
10 Darknet markets...
9 Rootkits rooting...
8 Worms a wiping...
7 Scripts a scraping...
6 Passwords spraying...
5 Zero Days! (Bah-dum-dum-dum!)
4 Crypto scams...
3 Web shells...
2 Trojan Apps...
And a keylogger logging my keys.
On the twelfth day of Christmas, my malware gave to me:
12 Hackers hacking...
11 Phishers phishing...
10 Darknet markets...
9 Rootkits rooting...
8 Worms a wiping...
7 Scripts a scraping...
6 Passwords spraying...
5 Zero Days!
4 Crypto scams...
3 Web shells...
2 Trojan Apps...
And a keylogger logging my keys.
12/25/2022 • 7 minutes, 28 seconds
The Malware Mash! [Bonus]
Enjoy this CyberWire classic.
They did the Mash...they did the Malware Mash...
10/28/2022 • 3 minutes, 5 seconds
The CyberWire: The 12 Days of Malware.
12/25/2021 • 7 minutes, 28 seconds
The Malware Mash!
10/29/2021 • 3 minutes, 5 seconds
Introducing 8th Layer Insights [Trailer]
Coming May 25, 2021. Get ready for a deep dive into what cybersecurity professionals often refer to as the "8th Layer" of security: HUMANS. This podcast is a multidisciplinary exploration into how the complexities of human nature affect security, risk, and life. Author, security researcher, and behavior science enthusiast Perry Carpenter taps experts for their insights and illumination. Topics include cybersecurity, psychology, behavior science, communication, leadership, and more.
5/19/2021 • 4 minutes, 34 seconds
Encore: Don't go looking for morality here. [Hacking Humans]
Dave has a story of an investment scam featuring celebrities, Joe warns of scams surrounding the Coronavirus, the Catch of the Day features Joe's son-in-law's adventure with thousands of bot infiltrations, and later in the show, Dave's extended interview with magicians and entertainers Penn and Teller at RSAC 2020 in San Francisco.
Links to stories:
Revealed: fake 'traders' allegedly prey on victims in global investment scam
Coronavirus: Scammers follow the headlines
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
12/31/2020 • 38 minutes, 51 seconds
Encore: Separating fools from money. [Hacking Humans]
Dave shares a story of airport penetration testing with a high degree of yuck-factor. Joe explores research on protecting passwords from social engineering. The catch-of-the-day comes courtesy of Graham Cluley's email spam box. Dave interviews Wired's Security Staff Writer Lily Hay Newman on her article tracking Nigerian email scammers.
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
12/24/2020 • 30 minutes, 2 seconds
Encore: Wearing a mask in the Oval Office and the art of deception.
Joe shares his Classic Cons Part 3, Dave has an Apple device scam story, The Catch of the Day is your assassination heads-up, and later in the show our interview with Jonna Mendez, retired CIA intelligence officer and former Chief of Disguise.
Link to story:
Twitter
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
11/26/2020 • 43 minutes, 33 seconds
The Malware Mash!
10/30/2020 • 3 minutes, 5 seconds
HH Extra - Happy 100 shows!
We'd like to thank you, our dear listeners, for sticking with us and our podcast through thick and thin, bad accents and even worse ones, with this - a collection of some of our favorite Catch of the Day segments. From Australia to Brazil, Italy to the Oval Office, they're all here.
Here's to another 100 episodes.
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
5/28/2020 • 9 minutes, 10 seconds
Telling The Truth In A Dishonest Way - Rebroadcast
Today's episode is a re-broadcast of an episode from August 2018.
Dave looks at Hollywood script pitch event scams. Joe describes a romance scam murder scheme. Spontaneously combusting ATM cards. Guest Jayson E. Street from SphereNY describes his security awareness engagements.
Links to stories mentioned in this week's show:
https://www.hollywoodreporter.com/news/why-are-wannabe-screenwriters-getting-scammed-1130919
https://nakedsecurity.sophos.com/2018/08/17/romance-scam-victim-allegedly-plotted-to-kill-her-mother-for-cash/
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
12/26/2019 • 31 minutes
The Malware Mash!
Happy Halloween from Joe, Dave, and everyone at the CyberWire!
10/31/2019 • 3 minutes, 51 seconds
Encore — Separating fools from money.
We're taking a break for the Independence Day holiday in the US, so enjoy this episode from the early days of our show.
Dave shares a story of airport penetration testing with a high degree of yuck-factor. Joe explores research on protecting passwords from social engineering. The catch-of-the-day comes courtesy of Graham Cluley's email spam box. Dave interviews Wired's Security Staff Writer Lily Hay Newman on her article tracking Nigerian email scammers.
Thanks to our show sponsor KnowBe4.
7/4/2019 • 30 minutes, 31 seconds
People aren't perfectly rational.
A listener writes in with the results of his phishing attempt on his wife. Joe describes research from F-Secure on the most dangerous email attachment types. Dave shares the story of scammers impersonating local hospitals to scare a response from their victims. Our catch of the day involves a LinkedIn scam impersonating a fighter pilot.
Joe interviews Elissa Redmiles, an incoming assistant professor of computer science at Princeton University. She studies behavioral modeling to understand why people behave the way they do online.
Links to stories from today's show:
https://labsblog.f-secure.com/2019/05/08/spam-trends-top-attachments-and-campaigns/
https://www.nbc15.com/content/news/Text-message-scam-impersonates-local-hospitals-509615981.html
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
5/23/2019 • 30 minutes, 27 seconds
Live at KB4CON 2019.
It's a special edition of the Hacking Humans show recorded live at the KB4CON conference in Orlando, FL. Join Joe, Dave and their special guests Stu Sjouwerman, KnowBe4's CEO, and Kevin Mitnick, world-famous hacker and KnowBe4's chief hacking officer, as they discuss malicious scams making the rounds and how to protect yourself and your organization against them.
Dave describes a late-night phone call scam, Joe explains a Social Security scheme, Stu shares a deadly catch of the day, and Kevin shares stories from his own hacking experience and takes questions from the audience.
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
5/16/2019 • 46 minutes, 11 seconds
A data-driven approach to trust.
Joe describes a church scammed out of millions of dollars. Dave shares good news about a group of scammers being apprehended and arrested. The catch of the day involves a Vietnamese investment offer that's almost too good to pass up on. Dave speaks with Dr. Richard Ford from Forcepoint about the models of trust.
Links to stories in today's show:
https://www.grahamcluley.com/hackers-steal-1-75-million-from-catholic-church-in-ohio/
https://www.justice.gov/usao-sdny/pr/nine-defendants-arrested-new-york-florida-and-texas-multimillion-dollar-wire-fraud
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
5/9/2019 • 30 minutes, 49 seconds
Twitter bots amplifying divisive messages.
Followup from listeners on Google search result scams. Dave describes the city of Ottawa sending $100K to a fraudster. Joe shares results from the FBI's Internet Crime Report. The catch of the day involves a dating site and an offer to be someone's "sugar daddy." Our guest is Andy Patel from F-Secure, describing how Twitter bots are amplifying divisive messages.
Links to stories:
https://www.cbc.ca/news/canada/ottawa/city-treasurer-sent-100k-to-fraudster-1.5088744
https://threatpost.com/fbi-bec-scam-losses-double/144038/
https://www.ic3.gov/media/annualreport/2018_IC3Report.pdf
https://labsblog.f-secure.com/2019/04/03/discovering-hidden-twitter-amplification/
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
5/2/2019 • 28 minutes, 13 seconds
Let's play, "Covered by cyber insurance — true or false?"
Dave and Joe answer a listener question about a mysterious Netflix account. Dave describes a service for Airbnb scammers. Joe explains a particularly "nasty" Instagram scam. Carole Theriault interviews cyber insurance expert Martin Overton from OMG Cyber.
Links to stories:
https://www.bleepingcomputer.com/news/security/the-nasty-list-phishing-scam-is-sweeping-through-instagram/
https://krebsonsecurity.com/2019/04/land-lordz-service-powers-airbnb-scams/
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
4/25/2019 • 34 minutes, 54 seconds
I have been practicing honesty and truthfulness my whole life.
Followup from an Australian listener. Dave shares a PayPal scam leveraging Google ads. Joe describes TechCrunch reporting on a spam service that was left out in the open. The catch of the day promises a lifetime supply of gold. Dave interviews Asaf Cidon from Barracuda Networks.
https://techcrunch.com/2019/04/02/inside-a-spam-operation/
https://www.barracuda.com/spear-phishing-report
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
4/18/2019 • 30 minutes, 58 seconds
Scammers have no ethics whatsoever.
Joe describes a study of people's perceptions when presented with a magic trick. Dave shares the story of fake boyfriend app. Our catch of the day involves the promise of millions from a bank in Africa. Dave interviews Chris Parker from WhatIsMyIPaddress.com.
Links to stories:
http://nautil.us/issue/70/variables/a-magician-explains-why-we-see-whats-not-there
https://youtu.be/vJG698U2Mvo
https://www.pedestrian.tv/tech/fake-boyfriend-app/
https://whatismyipaddress.com/
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
4/11/2019 • 30 minutes, 49 seconds
Girl Scouts empowering cyber security leaders.
Dave describes a survey of call center security methods. Joe explains a spam campaign raising the specter of a flu pandemic to scare people into enabling macros in an Office document. The catch of the day highlights a Facebook scammer promising a prize-winning windfall. Carole Theriault returns with a story about special badges Girl Scouts can earn for cyber security.
Links to stories:
https://marketing.trustid.com/acton/attachment/32513/f-0039/1/-/-/-/-/TRUSTID_2018_State_of_Call_Center_Authentication_Survey.pdf
https://www.bleepingcomputer.com/news/security/fake-cdc-emails-warning-of-flu-pandemic-push-ransomware/
http://blog.girlscouts.org/2018/07/girl-scouts-introduces-30-new-badges-to.html
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
4/4/2019 • 33 minutes, 5 seconds
Pick a persona to match the goal.
Followup on remotely previewing websites. Joe has the story of a scammer bilking Facebook and Google out of millions. Dave reviews best practices for deleting data on devices you dispose of. The catch of the day is an offer of criminal partnering with the CIA. Our guest is Jeremy N. Smith, author of the book Breaking and Entering - the extraordinary story of a hacker called Alien.
Links from today's stories:
https://urlscan.io/
https://www.theregister.co.uk/2019/03/21/facebook_google_scam/
https://blog.rapid7.com/2019/03/19/buy-one-device-get-data-free-private-information-remains-on-donated-devices/
https://www.amazon.com/dp/B0789KP775
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
3/28/2019 • 30 minutes, 22 seconds
Kids are a great target.
A listener recommends an online tool for safely previewing web sites. Dave shares research on what time of the work week is best for scams. Joe explains credential stuffing. Our guest is Frances Dewing, the CEO and co-founder of Rubica. They recently published a report on how crooks are accessing parents’ mobile devices via apps their kids load.
Links to stories mentioned in today's show:
https://screenshot.guru/
https://www.aarp.org/money/scams-fraud/info-2019/phone-scams-peak-time.html
https://www.digitalnewsasia.com/insights/how-lose-money-credential-stocking-stuffers
https://rubica.com/wp-content/uploads/2019/02/Rubica-Report-Cyber-Crime-Privacy-Risks-in-Free-Mobile-Kids-Apps.pdf
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
3/21/2019 • 35 minutes, 23 seconds
When we rush we make bad decisions.
Joe tracks the surprising number of malicious links hosted on legit websites and why it's dangerous. Dave describes an extortion scheme targeting podcasters. Our catch of the day involves a lonely Russian woman promoting a dating site. Dave interviews Gary Noesner, author of Stalling for Time: My Life as an FBI Hostage Negotiator.
Links to stories mentioned in today's show:
https://www-cdn.webroot.com/9315/5113/6179/2019_Webroot_Threat_Report_US_Online.pdf
https://rebelbasemedia.io/podcast-review-extortion/
https://www.amazon.com/Stalling-Time-Life-Hostage-Negotiator/dp/1400067251
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
3/14/2019 • 29 minutes, 4 seconds
Don't assume younger people get it.
Followup on last week's TLD discussion. Dave shares a sextortion scam with a tragic ending. Joe highlights conveyance scams that rely on certain days of the week. Our catch of the day features a wealthy Londoner hoping to pass on her fortune. Guest Dale Zabriskie from Proofpoint has results from their State of the Phish report.
Links to stories:
https://www.dailymail.co.uk/news/article-6744421/Army-veteran-PTSD-committed-suicide-targeted-prison-inmates-sextortion-scam.html
https://www.todaysconveyancer.co.uk/main-news/law-firms-wising-up-conveyancing-scams/
https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45597.pdf
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
3/7/2019 • 28 minutes, 45 seconds
Delivering yourself to a kidnapper.
Joe describes fraudsters taking advantage of top-level domain name confusion. Dave explains how a Google Nest security system shipped with an undocumented microphone. Our catch of the day involves a postcard missed package campaign. Our guest is Matt Devost from OODA LLC describing their work protecting high-net-worth individuals.
Links to today's stories:
https://rebootcamp.militarytimes.com/news/your-air-force/2019/02/13/watch-out-for-fake-dod-websites-like-this/
https://nakedsecurity.sophos.com/2019/02/21/sorry-we-didnt-mean-to-keep-that-secret-microphone-a-secret-says-google/
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
2/28/2019 • 30 minutes, 59 seconds
Stop and think before you click that link.
We've got followup from a listener on cognitive dissonance and behavioral science. Dave shares a listener story about a University Dean's List scam. Joe shares statistics from a government agency phishing test. Our catch of the day involves funds from the FBI, the IMF, and yes, Nigeria. Dave interviews Crane Hassold from Agari with phishing trends they've been tracking, plus his experiences as a former FBI agent.
Links to stories in today's show:
https://fcw.com/articles/2019/02/11/cyber-phishing-oig-fhfa.aspx
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
2/21/2019 • 28 minutes, 53 seconds
The trauma is multifactored.
On this Valentine's Day edition of Hacking Humans, Joe and Dave examine romance scams, including the sad tale of a woman bilked out of hundreds of thousands of dollars. There's a silly, non-murdering catch of the day, and Dave interviews Max Kilger from UTSA on the six motivations of bad actors.
Links to today's stories:
https://www.bbb.org/article/news-releases/17057-online-romance-scams-a-bbb-study-on-how-scammers-use-impersonation-blackmail-and-trickery-to-steal-from-unsuspecting-daters
https://www.aarp.org/money/scams-fraud/info-2015/online-dating-scam.html
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
2/14/2019 • 30 minutes, 46 seconds
Make it seem like the real answer is impossible to know.
Dave shares a bank spoofing scam with a reminder to mind those links, especially on mobile devices. Joe describes a case of someone turning the tables on a Twitter scammer. Our catch of the day involves a clumsy claim of physical harm. Dave interviews author Dave Levitan about his book Not a Scientist: How politicians mistake, misrepresent and utterly mangle science.
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
2/7/2019 • 30 minutes, 13 seconds
The excitement of tricking someone wears off quickly.
We've got followup on bank scams and ransomware. Joe describes a highly sophisticated multinational business scam. Dave shares a story about private school parents falling for a Bitcoin discount scam. Our guest is Jordan Harbinger, host of The Jordan Harbinger Show, with insights on influence and social engineering.
Links to this week's stories:
https://www.cpomagazine.com/cyber-security/cyber-fraud-by-chinese-hackers-makes-headlines-in-india/
https://www.bbc.com/news/uk-england-tyne-46920810
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
1/31/2019 • 30 minutes, 37 seconds
Opening your eyes to the reality in which we live.
Dave reviews tips on protecting yourself from ransomware. Joe describes a clever way to trick people into enabling macros. An attempt at celebrity friendship is our catch of the day. Carole Theriault returns and speaks with Dr. Jessica Barker from Cygenta about effective training techniques.
Links to stories mentioned:
https://www.csoonline.com/article/3331981/ransomware/how-to-protect-backups-from-ransomware.html
https://myonlinesecurity.co.uk/agent-tesla-reborn-via-fake-order/
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
1/24/2019 • 33 minutes, 15 seconds
Prisoners have nothing but time.
Joe shares the tale of a prisoner running a variety of romance scams from the inside. Dave outlines direct deposit scams. The catch of the day is a clever variation from (where else?) Nigeria. Our guest is Sam Small from ZeroFox.
Links to stories:
https://hubpages.com/politics/The-Games-That-Inmates-Play
https://ogletree.com/shared-content/content/blog/2018/january/diverting-employees-payroll-direct-deposits-the-latest-wave-of-phishing-scams
https://www.kansas.com/news/local/crime/article223873805.html
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
1/17/2019 • 31 minutes, 5 seconds
Trained humans are your strongest link.
Dave warns of scammers gaining access to homes by pretending to be workers from the local utility company. Joe shares a story of a sophisticated bank transfer scam in the UK. Our catch of the day outlines an attempted email scam targeting an architectural firm. Carole Theriault is back with the second part of her interview with the pen tester who goes by the name Freaky Clown.
Links to today's stories:
https://www.wxyz.com/news/michigan-energy-company-warns-of-increase-in-imposters-trying-to-enter-homes
https://inews.co.uk/inews-lifestyle/money/lost-19960-life-savings-phone-scam-natwest
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
1/10/2019 • 34 minutes, 47 seconds
At some point you're probably going to have to do some running.
Joe describes a reply-all scenario gone wrong. Dave explains the criminal use of steganography in memes as a command and control technique. Our catch-of-the-day features alluring photos texted to an unimpressed listener. Carole Theriault interviews physical pen tester Freaky Clown.
Links to stories mentioned in this week's show:
https://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-use-malicious-memes-that-communicate-with-malware/
https://www.cygenta.co.uk/
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
1/3/2019 • 32 minutes, 3 seconds
Truth emerges from the clash of ideas.
We follow up on critical feedback of last week's show. Dave describes how online extortionists have pivoted from sex to explosives. We've got an auto-responding catch of the day from one of Joe's colleagues. Our guest is Sean Brooks, Director of the Citizen Clinic and a Research Fellow at the Center for Long-Term Cybersecurity at UC Berkeley. He shares their research into online attacks on politically vulnerable organizations.
From our EV certs follow-up:
https://www.troyhunt.com/extended-validation-certificates-are-dead/
https://casecurity.org/2018/12/06/ca-security-council-casc-2019-predictions-the-good-the-bad-and-the-ugly/
Bomb threat catch of the day:
https://www.zdnet.com/article/extortion-emails-carrying-bomb-threats-cause-panic-across-the-us/
Sean Brooks interview:
Report: http://cltc.berkeley.edu/defendingpvos/
Clinic: http://cltc.berkeley.edu/citizen-clinic/
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
12/20/2018 • 31 minutes, 4 seconds
A pesky problem that doesn't go away.
Joe describes a Nigerian gang called London Blue that focuses on business email compromise. Dave shares surprising Cyber Monday phishing statistics. Guest Chris Bailey from Entrust Datacard teaches us how to detect lookalike sites online and better protect ourselves from fraud.
Links to today's stories:
https://www.agari.com/insights/whitepapers/london-blue-report/
https://www.zscaler.com/blogs/research/cyber-monday-biggest-day-cyberattacks-not-long-shot
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
12/13/2018 • 25 minutes, 3 seconds
Bringing trust to a trustless world.
Listener follow-up on a URL issue. Dave describes an elderly couple scammed out of savings. Joe wonders if it's wise to unsubscribe. Guest Andre McGregor from TLDR Capital describes his work as a former FBI agent, and his experience consulting on Mr. Robot.
Bank account transfer scam:
https://abc11.com/troubleshooter-durham-couple-loses-$8900-in-computer-virus-scam/4782799/
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
12/6/2018 • 30 minutes, 53 seconds
Be very aware of your desire to be right.
Joe explains URLs and DNS. Dave has tips to prevent holiday skimming. A bogus bank barrister is the catch of the day. Writer Ben Yagoda explains cognitive biases.
Links:
Wikipedia page on URLs -
https://en.wikipedia.org/wiki/URL
Tips to prevent skimming -
https://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-07-issue-96/
Ben Yagoda's article from the Atlantic -
https://www.theatlantic.com/magazine/archive/2018/09/cognitive-bias/565775/
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
11/29/2018 • 33 minutes, 50 seconds
CEOs can be the weakest link.
Listener feedback on the "Can you hear me?" scam. Dave shares an ongoing Elon Musk Bitcoin giveaway scam. Joe describes the malicious use of a compromised DHL email address. This week's catch of the day comes from down under. (Apologies to the fine citizens of Australia.) Carole Theriault returns with an interview with Mimecast's Matthew Gardiner.
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
11/15/2018 • 36 minutes, 6 seconds
Human sources are essential.
Joe gathers open source information online. Dave wonders if a tow truck driver got the better of him. A listener shares a possible custom app scam. Former FBI agent Dennis Franks shares his experience developing human intelligence sources.
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
11/8/2018 • 30 minutes, 8 seconds
Scams are fraud and fraud is crime.
We get listener followup on the church pastor scam. Dave explores a phony investment web site. Joe explains phishing, spear phishing and whaling. Fake federal agents are featured in our catch of the day. Carole Theriault interviews Max Bruce from Action Fraud UK.
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
11/1/2018 • 30 minutes, 58 seconds
Fear, flattery, greed and timing.
We get followup feedback on gift cards. Joe describes a banking payment scam on a Canadian university. Dave reveals some sneaky apps. A reader shares a story worth its weight in gold. Jenny Radcliffe from Human Factor Security shares her insights on social engineering.
Links to stories in this episode:
https://www.thestar.com/edmonton/2018/10/09/how-a-fraudster-got-12-million-out-of-a-canadian-university-they-just-asked-for-it.html
https://www.forbes.com/sites/johnkoetsier/2018/10/04/app-scams-cheap-utility-apps-are-stealing-260-2500-or-even-4700-each-year-per-user/#9de2b67162ac
Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
10/25/2018 • 30 minutes, 59 seconds
Waste my time and I'll waste yours back.
Dave reveals a stealthy trademark scam. Joe describes the invocation of a judge's name to lure a victim. A listener shares a business scam from India. Joe interviews "Shannon," a listener who enjoys wasting phone scammers' time.
10/18/2018 • 30 minutes, 29 seconds
Information is the life blood of social engineering.
Joe ponders how a phone number is obtained. Dave's friend avoids a Google gift card scam. Christopher Hadnagy returns with an update to his book, Social Engineering: The Science of Human Hacking.
10/11/2018 • 31 minutes, 10 seconds
Easier to trick than to hack.
Dave dodges a local theater scam. Joe shares survey results from Black Hat attendees. A listener's calendar pops up alluring invitations. Carole Theriault interviews Sophos Naked Security writer Mark Stockley about password shortcomings.
10/4/2018 • 35 minutes, 55 seconds
Kidnappers, robots and deep fakes.
Joe shares a kidnapping scam targeting foreign students. Dave describes social engineering involving robots. Our guest is Robert Anderson from the Chertoff Group, discussing deepfake technology and how it erodes trust.
Links to stories mentioned in this week's show:
https://searchsecurity.techtarget.com/news/252448458/Robot-social-engineering-works-because-people-personify-robots
9/27/2018 • 28 minutes, 2 seconds
Stringing along a scammer.
Dave warns of scammers taking advantage of Hurricane Florence, both on the phone and in person. Joe shares a scheme targeting the kindness of local churchgoers. A cosmic variation on the Nigerian email scam. Joe interviews his Johns Hopkins University colleague Chris Venghaus, who leads a tech support scammer on a wild goose chase.
Links to stories mentioned in this week's show:
https://www.13newsnow.com/video/weather/hurricanes/hurricane-florence/hurricane-scammers-target-hampton-roads/291-8250736
9/20/2018 • 29 minutes, 35 seconds
Influence versus manipulation.
Joe describes a law firm impersonating a rival to funnel business away from them. Dave has a story of pontiff impersonation. Our guest is Joe Gray from Advanced Persistent Security.
Links to stories mentioned in this week's show:
https://www.theregister.co.uk/2018/08/27/lawyers_impersonating_rivals/
https://www.ccn.com/pope-francis-latest-target-of-twitter-crypto-scam/
9/13/2018 • 30 minutes, 53 seconds
Real estate transactions in the crosshairs.
Dave gets scammed on an exit ramp. Joe describes real estate transaction scams. Is LinkedIn moonlighting in Himalayan tourism? Guest Asaf Cidon from Barracuda Networks shares social engineering trends his team is tracking.
Links to stories mentioned in this week's show:
http://www.baltimoresun.com/news/maryland/crime/bs-md-ramp-scam-20161018-story.html
https://www.cyberradio.com/2018/08/threat-actors-targeting-homebuyers-with-phishing-attacks/
9/6/2018 • 30 minutes, 35 seconds
Red teaming starts with research.
Joe describes an Office 365 phishing campaign. Dave warns of dangerous USB cables. A listener shares a fax from the UK. Joe interviews security consultant and pen tester Justin White.
Links to stories mentioned in this week's show:
https://www.helpnetsecurity.com/2018/08/15/office-365-phishing-sharepoint/
https://srlabs.de/bites/usb-peripherals-turn/
https://www.bleepingcomputer.com/news/security/usbharpoon-is-a-badusb-attack-with-a-twist/
8/30/2018 • 30 minutes, 5 seconds
Telling the truth in a dishonest way.
Dave looks at Hollywood script pitch event scams. Joe describes a romance scam murder scheme. Spontaneously combusting ATM cards. Guest Jayson E. Street from SphereNY describes his security awareness engagements.
Links to stories mentioned in this week's show:
https://www.hollywoodreporter.com/news/why-are-wannabe-screenwriters-getting-scammed-1130919
https://nakedsecurity.sophos.com/2018/08/17/romance-scam-victim-allegedly-plotted-to-kill-her-mother-for-cash/
8/23/2018 • 30 minutes, 36 seconds
Sometimes less is more.
Joe shares the story of a retiree scammed by a clever scheme. Dave describes a tech-support scam with a Russian twist. Our Catch of the Day features an adorable puppy. Guest Michael Murray from Lookout explains mobile device vulnerabilities.
Links to stories mentioned in this week's show:
https://www.scamwatch.gov.au/get-help/real-life-stories/investment-scam-how-steve-lost-200-000-to-an-investment-scam
https://www.grahamcluley.com/phone-scam-exploits-russian-hacking-fears/
8/16/2018 • 36 minutes, 5 seconds
Focus, technology, and training fight phishing.
Dave describes a phishing attempt to infiltrate U.S. election systems. Joe shares a story of government agencies receiving malicious CDs in the mail. University employees are lured by greed. And David Baggett from Inky joins us to describe phishing techniques they are seeing and offers ways to best protect yourself and your organization.
Links to stories mentioned in this week's show:
https://theintercept.com/2018/06/01/election-hacking-voting-systems-email/
https://krebsonsecurity.com/2018/07/state-govts-warned-of-malware-laden-cd-sent-via-snail-mail-from-china/
http://hci2018.bcs.org/prelim_proceedings/papers/Work-in-Progress%20Track/BHCI-2018_paper_95.pdf
8/9/2018 • 29 minutes, 15 seconds
Luring unsuspecting money mules.
Joe describes clever gift card scams. Dave follows up on last week's proposal to waste phone scammers' time. A more plausible phishing scheme comes through. Guest David Shear from Flashpoint describes methods scammers use to lure people into being money mules.
Links to stories mentioned in this week's show:
https://securelist.com/giftcard-generators/86522/
https://jollyrogertelephone.com/
8/2/2018 • 29 minutes, 51 seconds
Nothing up my sleeve.
Dave shares a story of deception right out of Hollywood. Joe proposes changing the financial incentives for scammers. A porn-shaming Catch of the Day courtesy of Johannes Ullrich. An interview with atomic physicist and close-up magician Adam West.
Links to stories mentioned in this week's show:
https://www.hollywoodreporter.com/features/hunting-con-queen-hollywood-1125932
7/26/2018 • 30 minutes, 51 seconds
Think like an attacker.
Joe describes a con law enforcement agencies use to lure crooks. Dave shares a tech support scam spreading in chat forums. A listener from Dublin has a fake email from Apple. We welcome Rachel Tobac, CEO of SocialProof Security.
7/19/2018 • 30 minutes, 5 seconds
Presidential prank, pensioner pilfered.
Dave recounts the news that US President Trump likely fell for a prank phone call. Joe outlines the sad story of a woman robbed of her retirement savings. Twitter account recovery scams. Charles Arthur, author of Cyber Wars: Hacks That Shocked the Business World, joins us for an interview.
7/12/2018 • 30 minutes, 43 seconds
Phone scams, phantom employees and sitting Ducks.
Joe warns of a harrowing phone scam technique, Dave reveals an alternate persona, a listener tries to sell a truck, and Carole Theriault from the Smashing Security Podcast interviews Sophos' Paul Ducklin.
7/5/2018 • 30 minutes, 44 seconds
Separating fools from money.
Dave shares a story of airport penetration testing with a high degree of yuck factor. Joe explores research on protecting passwords from social engineering. The Catch of the Day comes courtesy of Graham Cluley's email spam box. Dave interviews Wired's security staff writer Lily Hay Newman on her article tracking Nigerian email scammers.