Hacking Humans 3.21.24
Ep 282 | 3.21.24

Job seeker beware: Spotting sneaky scammers on job boards.

Transcript

Dave Bittner: Hello, everyone. And welcome to N2K Cyberwire's "Hacking Humans" podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week and we are joined once again by our N2K colleague and host of the "T-Minus" daily space podcast, Maria Varmazis. Maria.

Maria Varmazis: Hey. Good to see everybody again.

Dave Bittner: Good to have you back. Welcome back. And we will be right back after this message from our show sponsor. All right, Joe. Before we dig into our stories here we've got a little bit of follow up. What do we got?

Joe Carrigan: Yeah. We do. Alex hit me up on LinkedIn and sent me a video link on YouTube of scam baiter kitboga. You know who kitboga is?

Dave Bittner: It sounds familiar to me.

Joe Carrigan: He's the guy that does the old lady voices and sits there in sunglasses and wastes scammers' time. He actually has a relationship with Kraken, the cryptocurrency exchange.

Dave Bittner: Okay.

Joe Carrigan: Because Kraken. A lot of these scams go on through cryptocurrency. Kraken has a vested interest in it. They're actually working with kitboga to get these scammers. I don't know what they're -- what they're trying to do. But this is a video of him wasting the time of scammers who are running a pig butchering scam. And he's acting like he is a victim of a pig butchering scam or he sent some cryptocurrency to some third party exchange and says, "You've got to call this number to get the currency." And he just wastes their time. And it's fantastic. And so check out this YouTube link. It's about a half an hour which is kind of short for one of his videos.

Dave Bittner: Okay.

Joe Carrigan: His videos can run like two hours where he's just wasting time with these guys. The second piece we have is from Chloe, and she wrote a letter in about a situation that she has. And I'm going to summarize the letter.

Dave Bittner: Okay.

Joe Carrigan: Chloe has gotten two voicemail messages of they're both from different women with different phone numbers, but similar phone numbers, and they have southern accents. They sound like they come from the southern part of the United States. And they're leaving voicemail messages claiming that they're from a background investigation service looking for a person, and they give the name of the person, who is trying to get access to a nuclear power plant.

Dave Bittner: [Laughs] that seems oddly specific to me.

Maria Varmazis: A normal thing to happen to an average person. Yes.

Joe Carrigan: It is, and I'll explain why in a minute actually.

Maria Varmazis: Oh. Okay.

Joe Carrigan: This didn't -- this doesn't stand out to me as all that abnormal. But Chloe said --

Maria Varmazis: How often do you get asked for access to a nuclear power plant?

Joe Carrigan: It's not -- it's not -- I'll get to it. Let's just go to the -- through the story here, the backstory. The thing is that Chloe doesn't know anybody by this name. And that's why it kind of tipped her off that it might be a scam. So she went through the whole rigmarole of, you know, getting on Google maps and looking around. There is a company that matches the description that's been there since 2013 on Google maps. And there is a real company that has a phone number that has the same area code, but it's slightly different from the -- or it's actually different from the two telephone numbers that called her. And her question is she's a little bit -- well, she's wondering if she's being a little bit paranoid. Does she call them back or not? Okay. So here's why this might be legit is because the Department of Energy who is responsible for regulating a bunch of stuff here in the United States including our nuclear power plants has their own clearance system that is different from the Department of Defense's clearance system. So when you go to work for a Department of Energy contractor or for a contractor for a nuclear power plant you have to undergo a background investigation through the Department of Energy which it all makes sense that this -- I mean this adds up. This is very much like when someone goes to apply for a clearance at the Department of Defense and they have to provide references and then somebody has to call them.

Dave Bittner: Right.

Joe Carrigan: The part that doesn't make sense is that Chloe's getting calls for someone she doesn't know. Now they don't ask for the name of the person they're trying to call which again makes Chloe think this is kind of a scam. This might be the front of a scam. I don't know. My thinking is -- is maybe you call them back and you just say, "I don't know this person. Have a nice day." And that's it. And if they try to carry the conversation on, end it. Or the other thing is just don't call them back.

Dave Bittner: Right.

Joe Carrigan: Because they haven't provided you enough information. Don't return the phone call. And you don't know this person. So yeah.

Maria Varmazis: Yeah. Wouldn't you know if someone you knew well enough was trying to get that kind of job? If you -- if you know someone well enough that they would be calling you, yeah so that's not quite adding up to me.

Joe Carrigan: I know people who have gone through this for the Department of Defense. Coe Jarrigan had to do this once. So what happens is when I was doing this I would -- I called people and said, "I'm putting you down as a reference for clearance. So expect a visit."

Maria Varmazis: Yeah. It's not usually some random person. It's someone who knows you quite well.

Joe Carrigan: Right. You don't send the -- send one of these investigations out to talk to some stranger.

Maria Varmazis: Or your neighbor. It's got to be like a family member or someone who like just -- yeah.

Joe Carrigan: They came and talked to my neighbors. So I --

Dave Bittner: I have a neighbor who regular -- or not -- well, who has more than once gone through this with the DOD and he's put me down as a reference. And he gives me the heads up that these people are going to be calling. And, sure enough, they do. And, you know, we spend 10 or 15 minutes on the phone and that's it.

Joe Carrigan: Yeah. It's called a periodic re-investigation with the Department of Defense.

Maria Varmazis: Oh. That's because you actually talk to your neighbors. That's why. I live in New England. We don't do that. So that's the difference here. All right.

Dave Bittner: Fair enough. Huh. All right. So bottom line here I think your advice is good. There's no real reason -- there's certainly no obligation to engage with these people.

Joe Carrigan: Right. Absolutely.

Dave Bittner: And if she ignores them, they'll probably just go away.

Joe Carrigan: Right. And if this is legit, they have given -- somebody has given somebody the wrong phone number. If it's not legit, it's a scam. Either way don't return the phone calls is my advice.

Dave Bittner: Yeah. All right. Okay. Well, let's move on to our stories here. Joe, you want to start things off for us?

Joe Carrigan: Sure. My story comes from the BBC and Virma Simonette. That's a tough name to say. Virma Simonette and Kelly Ng are the authors. And apparently two weeks ago police in the Philippines raided a scam center that was about 100 kilometers north of Manila which is the capital of the Philippines. And they freed over 650 people who were there being used as scammers in forced labor.

Dave Bittner: Right.

Joe Carrigan: That includes 383 Filipinos, 202 Chinese, and 73 people from other nations or nationals from other nations. So these people what happens is these people come in. In fact there was a story about how they found this out. There was in January a Vietnamese man in his 30s arrived in the Philippines after being offered a position that he was told was a chef's job. So he gets there and the guy soon realizes that he has fallen prey to this human trafficking scam and he's going to have to run romance scams and cryptocurrency scams.

Dave Bittner: Right.

Joe Carrigan: So on February 28 the man escapes from the facility by climbing a wall. He crosses a river. I don't know how big of a river it is.

Dave Bittner: Was it alligator infested?

Joe Carrigan: I don't know.

Maria Varmazis: Is it a moat? Okay.

Dave Bittner: In my mind it is.

Maria Varmazis: Drawbridge.

Joe Carrigan: He finds a farm where he -- where the farmer's kind enough to take him in and the farmer's the one that notified police about this.

Dave Bittner: Does the farmer have any daughters? Because in my mind he does.

Joe Carrigan: Right.

Maria Varmazis: This is the beginning of an epic tale.

Joe Carrigan: Those old jokes. I'm also now thinking about those jokes. So.

Dave Bittner: Took you just -- sent you off the rails, didn't I, Joe?

Joe Carrigan: It does.

Dave Bittner: All right.

Joe Carrigan: But what's happening here is they are going after young tech savvy victims who are lured with these other jobs for, you know -- job offers that aren't real. And when they get there they are put into jobs that involve money laundering, crypto fraud, romance scams, and pig butchering which is a combination of crypto fraud and romance scams.

Dave Bittner: Right.

Joe Carrigan: So these people are not volunteers.

Dave Bittner: No. They're there under threat of violence.

Joe Carrigan: Right. There's a guy named Winston Casio who is the spokesman for the presidential commission against organized crime. He said that those running the scam, these scam centers, trapped good looking men and women to lure their victims. So they're not just looking for anybody. You have to be pretty attractive to -- to be making the contact with these romance scams. And he added that there were several others who had tried to escape but were caught. We don't know what happened to them.

Dave Bittner: Yeah.

Joe Carrigan: Police --

Maria Varmazis: Scary.

Joe Carrigan: It is.

Maria Varmazis: Really scary. Jeez.

Joe Carrigan: Police also seized 3 shotguns, one 9 millimeter pistol, two 34 -- or 38 caliber pistols, and 42 rounds of ammunition from this area. Now I'm going to tell you guys as an American that's a really small amount of guns and ammo.

Dave Bittner: For the rest of the world it's an arsenal.

Joe Carrigan: Right.

Maria Varmazis: That's the most American thing you could possibly say.

Joe Carrigan: Yeah.

Maria Varmazis: That's baby stuff.

Joe Carrigan: 42 rounds of ammunition.

Maria Varmazis: Let me know when you get started.

Joe Carrigan: Yeah. I have more than that for one gun. So, you know, in May of last year the Philippine authorities took out a scam center that had 1,000 people in it. If you think about this, we're making light of this situation, but it really only takes one gun to scare everybody in that place.

Dave Bittner: Yeah.

Joe Carrigan: Right? You know you've just got to wave that around every now and then and, you know, people who are there, "I don't want to be the guy that gets shot and I'm just going to keep making these phone calls and sending out these messages."

Dave Bittner: Right.

Joe Carrigan: But the UN reported last August that they estimate that hundreds of thousands of people from around the world have been trafficked into southeast Asia for running these scams.

Maria Varmazis: Wow. Jeez.

Joe Carrigan: Many said they traveled to these countries such as Cambodia and Myanmar in response to job ads and promises of many perks. I'm sure none of those perks included a guy walking around with a gun. And once they're trapped they are threatened if they refuse they -- to participate in these scams. Escapees and survivors have alleged torture and inhuman treatment which does not surprise me. And to say the governments are upset about this is an understatement. China has actually offered rewards for these people who are running these scams in Myanmar and these centers were run by Chinese mafia families apparently and many of those people that Myanmar has arrested have been sent back to China in recent months. So I wonder what happened to those guys.

Dave Bittner: I don't know. I've seen some coverage of if -- I'm not sure if this -- if it was this exact incident, but I have seen some coverage where evidently the Chinese government was coordinating with the Filipino government to get -- basically get their people back.

Joe Carrigan: Right because in this scam center alone there were 202 Chinese citizens.

Dave Bittner: Yeah.

Joe Carrigan: And China went after them. Went to try to get them back. Actually not in this case. In this case it was one Vietnamese person that escaped and had to get out and let the -- and somebody who saw him and knew him, the farmer guy, let the authorities know. So I'm happy that that happened because, you know, otherwise who knows? Maybe the scam never would have been uncovered or the scam center because it's not just one scam. There are thousands of scams being run out of here. And there's victims on both ends of the scam.

Maria Varmazis: Yeah.

Dave Bittner: Well, and how many of these scam centers exist all over the world?

Joe Carrigan: Oh. I'm sure there's many more than this one. I'm sure there's more in the Philippines.

Dave Bittner: Yeah. It will be interesting I think to see if we see a crack down on these things because you can't run an operation that's this big without somebody noticing what's going on.

Joe Carrigan: Yeah. I don't know. You know, there are -- there are operations, human traffic operations, human trafficking operations, that operate everywhere in the world. And for some reason they seem to escape notice. And they're moving massive amounts of people. I don't -- I don't get how this isn't something we just -- somebody just walks into and goes, "What's going on here?"

Dave Bittner: Right. And they get a gun waved in their face and they say, "Turn around. Leave. You didn't see anything." And they say, "All right. Have a good day."

Joe Carrigan: Right.

Dave Bittner: And away they go. Yeah.

Maria Varmazis: It's just -- it's just wild to think that there -- it's happening in aid of scamming people though. In my head when I think of a scammer in some far off country doing stuff it's someone who's opportunistic and, you know, trying to, you know, make a living in some way in a way that I don't like. But --

Joe Carrigan: Like a side hustle almost.

Maria Varmazis: Yeah. Or like, you know, trying to take advantage of gullible westerners or something. But not a person who's trafficked. I mean --

Joe Carrigan: Right. One of the things that's talked about in this article is they use the Chinese nationals to go after other Chinese nationals because they speak the language. Right? And they speak with the right accents. And it lowers the level of suspicion.

Dave Bittner: Yeah. It's fascinating. I don't know, you know, what's to be done about this other than, like I said, you know, because we're talking about cross border types of things I suppose you can get pressure and put pressure on the nations who are allowing this sort of thing. But at the same time, you know, you look at how hard it is for us to get ransomware operators out of Russia. We've got to wait for them to go on vacation somewhere.

Joe Carrigan: Yeah. That's -- yeah. They're never going to be extradited. Also Myanmar is going through a bit of political turmoil right now. I don't even know if there is a political leader there that -- I mean it's there's been a coup, I think. I was reading something about it today and I can't remember exactly everything what goes on in there, but it's not -- it's not a good -- a stable political situation, to say the least.

Dave Bittner: Right.

Maria Varmazis: So people are taking advantage, as often happens in these situations.

Joe Carrigan: Absolutely.

Maria Varmazis: Yeah. Wow.

Dave Bittner: All right. We will have a link to that story in the show notes. Maria, what do you have for us this week?

Maria Varmazis: Oh. Nothing like that story.

Joe Carrigan: We like to open with the dark ones, I guess.

Maria Varmazis: Wow. Yeah. I guess. Mine is I guess more timely because I saw it happening on my LinkedIn feed the other day. So it's about tech recruiting scams that are going on right now. They seem to be happening apace. We've got a lot of people who are out of work right now, a lot of people who are looking for jobs. And I saw a post from Dice which is the tech recruiting -- one of the major tech recruiting boards. Basically saying they've also been seeing and having -- they're seeing reports and getting reports from their users of a huge uptick in people posing as fake job recruiters. And ultimately these fake job recruiters are going on job boards and marketplaces like Dice, like LinkedIn, and many others and ultimately they lead their victims into a phishing scam. So that is the end goal. So Dice was putting out this posting. You've got to look for red flags in these fake job postings. And a lot of the red flags are common phishing scams we're all very familiar with like bad spelling and grammar, requesting your PII like right away, you know give your social security number, that kind of thing. Those are kind of dead giveaways. But I was sort of thinking I guess I was in a dark space thinking about this. I know a lot of people who have been out of work for a long time and I know I've been in that situation. You get really tired and you also start feeling a little desperate. And I know these scammers are taking advantage of that. Especially if you're really super tired of the job hunt after a certain point. Some of the red flags that Dice was saying I think I could see me falling for, and I guess I'm telling a scammer to come after me right now, but [laughs].

Joe Bittner: But you're gainfully employed, Maria. So --

Maria Varmazis: I am gainfully employed, but I'm just saying I could just I could see -- imagine myself in previous situations falling for some of this stuff. For example like Dice was saying to be aware of unrealistic urgency, things like, "Hey, there's a limited position available." Or, "We need your resume as soon as possible." Or even getting communication through an unusual channel like text messaging instead of a phone call. And I've definitely gotten text outreach on jobs. I've also definitely gotten legitimate messages from recruiters saying, "Hey, we're looking to fill this role right away. We need to talk to you in the next 48 hours because like, you know, we've got a couple other candidates and you're -- you know, we want to get you in the queue." Whether or not that's true, I don't care, but that's often what the recruiters will say.

Joe Carrigan: Yeah. It's the high-pressure sales trick.

Maria Varmazis: It is. It is. Admittedly because recruiters, you know, they make their money off of getting you a job. So they want to -- they want to make money as soon as they can too. So Dice was saying -- and, you know, good on them for saying this. Job seekers need to be wary of their offers, especially if you have put on LinkedIn like a lot of people have that green open for work banner under your name. That's telling people publicly, "Hey, I'm looking for work." It's great for letting your network know. I've seen a lot of people have some success using that. But scammers are unfortunately also keeping an eye out for stuff like that and people that they can prey on. So yeah. I was -- they had a really interesting post about job seekers, about how they can protect themselves, what they needed to keep an eye out for. We'll link for it for folks. And their advice is good advice to make sure that you can verify the claim of the job coming at you. If something seems off, go to the company directly and say, "Hey, is this a legitimate job posting or is this recruiter actually working for you?" If they can't verify it, then you know you've averted a crisis on your own side. One thing that I often like to do is move that conversation off of text to an actual phone call. If they don't want to do that, then you know there's another red flag for you.

Joe Carrigan: Yeah. Absolutely.

Maria Varmazis: Yeah. But I had seen someone I know actually had gotten a cold outreach for he's on the job hunt right now and it was he'd gotten cold outreach from a company that supposedly was called Therapy Notes. And the fake recruiter was using an email that was therapynotesjobs.com or another one was therapynotescareers.com. And again if you've been looking for jobs for a while you might go, "That looks pretty legit."

Joe Carrigan: Right.

Maria Varmazis: Yeah. So there -- I believe this fake recruiter using those emails was sending out a questionnaire saying, "I need a response from you within 24 hours to move ahead on this job." So again there's that fake urgency. And thankfully my friend because he's worked at a cybersecurity company in the past he knew to actually verify whether this posting was real, whether that recruiter was working for this company. And thankfully he averted a crisis. But it's just amazing how these scammers are trying to take advantage of people in really vulnerable situations using some incredible tricks and wearing out people who are already very tired. So.

Dave Bittner: Yeah. A couple things come to mind here. I wonder first of all if I were a scammer would an effective technique be to look for a real job offer, look for a company who is looking to recruit someone, use that real job offering as the basis for my scam so that way let's say, Maria, I reach out to you and I said, "Listen. You know, I see that your skills perfectly align with this job. I'd love to talk to you about it." That way if you were to call the company and say, "Is this job real?" The company would say, "Absolutely."

Joe Carrigan: Yeah. I thought -- I think I saw something about this today on some place. And it may have been while I was looking for my story today, but --

Maria Varmazis: I wouldn't be surprised. It was a pretty recent posting from Dice because there is so much of this going on right now. So I really would not be surprised if you came across it as well.

Joe Carrigan: No. I was talking about exactly what Dave was describing, that they have -- they have a legitimate posting, but they're not real recruiters. I think maybe I saw it on LinkedIn. Maybe it was somebody's page on LinkedIn.

Maria Varmazis: Yeah. So it's not enough to just verify the job. You have to also verify that the recruiter is real. Yeah. Because in the case of this Therapy Notes job one that I was mentioning the scammer was using a legitimate employee's name also. So part of the reason I saw this is I saw the legitimate employee posting something saying, "Hey, there's somebody pretending to be me. I am not posting this job out there." And there were a whole bunch of comments saying, "Oh yeah. I got contacted by that guy too." So yeah. Yeah.

Dave Bittner: Well, so my other question is what is an appropriate amount of information to share with a job recruiter? What's the limit?

Maria Varmazis: Certainly not your -- yeah. Go ahead, Joe.

Joe Carrigan: Well, I was going to say if they're a third party recruiter, your resume and that's it. And that should have your contact information on it. A third party recruiter will not need your -- you know your PII. And you shouldn't need any PII until you have a job offer which you'll have to vet and make sure it's right because a lot of times the way these scams work is they very quickly become -- you know they very quickly send you a job offer. And then they say, "Okay. Well, let me get all your PII." So I mean that's all entirely possible as well, but an in house recruiter also probably shouldn't be asking you for PII before you have a job offer.

Maria Varmazis: That's right.

Joe Carrigan: So definitely anybody asking you that, for that information, before a job offer or before even an interview, that's a red flag for me.

Maria Varmazis: Yeah. And I was just thinking the old advice might have been, you know, you're going to meet with somebody in person at some point so you know that's sort of your -- your moment. But if it's a fully remote job certain things like an interview can be faked. I've heard of -- I've heard stories of fake interviews. People can string you along all the way through to a pretty legitimate job offer. So I actually don't know what the advice is for saying, "Make sure that remote only job you're applying for is a real one." Aside from maybe trust your gut and just really do your research that this is a real offer and a real company.

Dave Bittner: Yeah. I wonder if it would make -- I mean if you could -- could you reach out to HR at the company specifically and say, you know, "This is the job I'm applying for. This is who I'm talking to." You know, would that help? But it would help, but it still seems to me like it's probably imperfect.

Maria Varmazis: Yeah, especially if you know these companies often are small and HR is also sales, is also engineering. It's also the CEO.

Dave Bittner: Exactly. It's a start up. Yeah.

Maria Varmazis: Yeah. I really feel sympathy for a lot of people who are looking for jobs right now. I -- they're -- I can't think of like a perfect way to say -- yeah. I don't know. Joe, I'm curious if you have advice on this.

Joe Carrigan: Yeah. I don't know. This is like I said don't give out any PII until you have a job offer. Make sure that this thing is -- you know, do everything you can within your power to vet the job. You know, if it is a remote company that has an office site somewhere, maybe you insist upon going there to meet people. You send, you know -- if it's a remote job that's local to you, you can travel to it. If it's not, they should buy you a plane ticket and have you come over there. You know scammers aren't going to lay out 700 bucks for a round trip plane ticket for you.

Dave Bittner: Right.

Joe Carrigan: So.

Dave Bittner: I'm curious, you know, if any of our listeners are actually recruiters. I'd love to know how you all as a profession are dealing with this issue.

Joe Carrigan: Yeah.

Dave Bittner: How are you putting people at ease to let them, you know -- how do you verify you are who you say you are? It's an interesting question.

Maria Varmazis: Yeah. I'd love to know that answer too. That's I imagine recruiters really hate that this is happening. It's making your job a lot worse. So yeah.

Joe Carrigan: It doesn't make their job any easier.

Dave Bittner: This has -- this has given me a very vague recollection. And it is incomplete in the -- I will grant my memory is not what it used to be, but I have a very vague recollection of like when I was -- the first round of serious job hunting I ever did like right out of college I want to say that my resume had my social security number on it. Does that seem like a thing to you, Joe? Do you have any recollection of that? I mean I'm, you know -- I went to a big state school and our student ID was our social security number.

Maria Varmazis: -- used to do that too. Yeah. Yep. Yep. It's crazy now.

Joe Carrigan: But I don't know. No. I never put it on my resume. I think it's actually engraved on the inside of one of my class rings somewhere that I don't wear.

Dave Bittner: Really?

Joe Carrigan: Yeah because it was a recommendation. Put your student ID on the inside of the ring so they can get it back to you. And I'm like, "Okay." Well, that's also my social security number so now I have to melt that down.

Dave Bittner: Hit that part with a soldering iron.

Joe Carrigan: Right. Wow. Okay.

Dave Bittner: Yeah. Boy it was a different time.

Joe Carrigan: I don't even wear that ring, you know, and I've never worn that ring.

Dave Bittner: Sure seemed like a good idea at the time, though, didn't it?

Maria Varmazis: Well, if you lose that ring now, you have two problems. So --

Joe Carrigan: Exactly.

Maria Varmazis: Yeah.

Dave Bittner: There you go. All right. Well, before we get to my story we're going to take a quick break to hear a message from our sponsor. [ Music ] All right. We are back. I'm going to round out our stories this week. I actually have I think you could put this in the good news category.

Joe Carrigan: Good.

Maria Varmazis: Great. That'd be great.

Dave Bittner: So the FCC, the Federal Communications Commission, has approved a voluntary cybersecurity labeling program for wireless IoT products.

Joe Carrigan: Nice.

Dave Bittner: Yeah. So they're calling it the U.S. Cyber Trust Mark and companies who put this on their devices will have certified, verified, that they are in compliance with the NIST cybersecurity standards. It's stuff like strong passwords, data protection, and the ability to do a software update on their device. And so they're looking to enhance security for stuff like baby monitors and home security cameras and fitness trackers. You know, anything that's wireless. And people are comparing this to you know some of the initiatives from the I guess the earlier days of computing, the -- like the Energy Star sticker. That sort of thing where totally voluntary, but I think certainly for some consumers if they were shopping around that might influence them to choose one option over another if this has been certified if it's going to, you know -- for Energy Star it's going to save me some money. It's going to, you know, help the baby polar bears and all that kind of stuff.

Joe Carrigan: I'm more concerned about my network than I am the baby polar bears. So I am going to be looking for --

Maria Varmazis: Why not both?

Joe Carrigan: Why not both? You're right. 100%. But you know this is -- this is -- this is great. Great news. And I agree with you, Dave. If you're, you know -- and like the Energy Star thing there's going to be a certain subset of people that this appeals to. Right? Like Energy Star appeals to me because I like a lower power bill.

Dave Bittner: Right.

Joe Carrigan: But cybersecurity markings appeal to me because, you know, we live and breathe this stuff. So yeah. I'm going to be looking for this.

Dave Bittner: Yeah. They're saying that a bunch of the major retailers are on board with Amazon, Best Buy, companies like Samsung. And they're hoping that this becomes a global standard, not just here in the U.S. I have to say when I read this story I had a little skepticism about stuff coming from Amazon because of how fast and loose Amazon plays with, well, everything.

Maria Varmazis: I had the exact same thought. Exact same thought. Yep.

Joe Carrigan: I thought that about Samsung too.

Dave Bittner: I can't imagine Amazon doing a whole lot of policing on this of, you know, every device having this slapped on. But who knows? It's possible that, you know, the FCC maybe they'll team up with their buddies at the FTC and have some scrutiny here over the misuse of the U.S. Cyber Trust Mark. We can only hope. Right?

Maria Varmazis: I would hope there would be a list that the FCC publishes sort of like they do with other things. Maybe it's not the FCC. FTC does. You know, somebody does. Or you can look it up. You can look up the product and see is it actually certified. So you don't have to trust a random label on a box. You can actually go and verify yourself.

Joe Carrigan: I wonder if this means we can now have private conversations in front of our Samsung TVs.

Dave Bittner: Right. Or in front of your baby monitor.

Joe Carrigan: Right.

Maria Varmazis: No. This is so needed, especially with a baby monitor conversation. I've had that chat with a lot of different parents and they're like, "Which one do you use?" I'm like, "Just not anything internet enabled." But that's very hard for a lot of people. So helping people with decision making is very needed. So I think that's it's a great move. It's a great move.

Joe Carrigan: I did an interview one time for a local TV station about one of the baby monitor hacks. It wasn't a hack. This family just got an IP camera and didn't change the default password. Somebody found it on Shodan or something and logged into it and started yelling at their baby while the baby was sleeping because it had two-way communication.

Maria Varmazis: Yeah. Yeah.

Joe Carrigan: You know, I was talking to the newscaster. I said, "Well, if you think this is bad, wait until your refrigerator is online." And he goes [laughs] and man that has turned out to be just terrible as well. Hasn't it?

Maria Varmazis: Yeah.

Joe Carrigan: One of the things I say about this being the easiest part of this job is just look at something and go, "That's not going to end well." And 9 times out of 10 you're right.

Maria Varmazis: It's great for the cynics. Yes. That's true.

Joe Carrigan: You can look like Nostradamus.

Dave Bittner: When I was a teenager I stumbled across the fact that I had an AM radio that I guess could tune slightly out of bounds of the AM band and I could hear one of my neighbors' cordless telephones through it.

Joe Carrigan: Really?

Dave Bittner: Yep. Yep.

Joe Carrigan: AM or FM?

Dave Bittner: AM. AM. Yep.

Maria Varmazis: Anything juicy or no?

Joe Carrigan: You were a teenager.

Dave Bittner: Yeah. So we're talking back in the '80s. So this is first generation cordless phones. You know, no encryption. No -- this is in the clear RF. Not digital. Just blasting out a signal for all to hear. And I just I was scrolling around on the radio one day and I heard what sounded like a phone conversation and I went, "What is this?" And then I took -- didn't take me too long to go, "Oh. I know who this is."

Joe Carrigan: [Laughs] awesome.

Maria Varmazis: Oh my gosh.

Joe Carrigan: Imagine if you and I had had software to find radios when we were kids.

Dave Bittner: Oh my gosh. There are so many things that I am thankful did not exist when I was a teenager because I don't know that I would have been able to resist.

Joe Carrigan: Right. Absolutely.

Maria Varmazis: What, Dave?

Dave Bittner: Well, I mean just there's so much to the hacking. Look. I did my fair share of phone phreaking back in the day. I am amazed that no one from the phone company came knocking on my parents' door and said, you know, "Listen. Why is your phone dialing sequential numbers between the hours of 3 and 5 AM every day?"

Joe Carrigan: Yeah. They never did that.

Dave Bittner: No. Yeah. I mean it was an innocent time and I think with some of the tools that are out there today I probably would have gotten in a lot more trouble. I'm just glad we didn't have like cell phone cameras.

Joe Carrigan: Yeah. Oh yeah. Or social media.

Dave Bittner: Evidence. I mean just so much evidence of all of our -- I don't know.

Joe Carrigan: That's what I say whenever somebody -- whenever something interesting is happening and somebody pulls out a cell phone. I go, "Remember that's evidence."

Dave Bittner: Yeah. That's good. That's good. All right. Well, those are our stories for this week. Of course we would love to hear from you if there's something you'd like us to include on the show. You can email us. It's hackinghumans@n2k.com. Joe, Maria, it is time to move on to our catch of the day. [ Soundbite of reeling in fishing line ] [ Music ]

Joe Carrigan: Our catch of the day comes from Mark who sent a story in. So do you want to -- do you want to -- do you want to read this one?

Dave Bittner: Sure.

Joe Carrigan: There you go.

Dave Bittner: It says, "Hi Dave, Joe, and Maria." See Maria you're getting mail.

Maria Varmazis: Oh my god. Hi.

Joe Carrigan: This was actually -- the listener put this in their salutation.

Maria Varmazis: Well, Hi Mark. Thanks for including me.

Dave Bittner: It says, "Recently my girlfriend was part of a fairly elaborate scam in the employment recruiting field. She's been unemployed and applying endlessly, but recently a recruiting manager for a legitimate company contacted her to connect for an employment opportunity."

Joe Carrigan: Dave, I just remembered where I heard what I was going to talk about.

Maria Varmazis: Was it this? Oh.

Dave Bittner: Your mind is like a steel vice, Joe.

Joe Carrigan: It's not. Not anymore it isn't, Dave. It's --

Dave Bittner: Continuing. "She let me know and I did as much research on this company and this person before she continued communicating with them. The company is legitimate and is hiring for the position this recruitment manager was discussing. The hiring and human resource managers she spoke with are actual people at the legitimate company, but the people she communicated with were simply posing as these legitimate people. Unfortunately she ended up supplying them with a W-2 and photos of her driver's license along with other PII except banking information. This lasted about a week with interviews being done over Zoom chat and various phone calls made. The big red flag came when we received three checks in the mail for office supplies and the hiring bonus. The total of these checks was $12,000 and she was at that point instructed to deposit these checks and send money via Zelle to the verified vendor for the company to purchase her work from home equipment. At this point I started going through the communication logs and, clear as day, noticed it was a scam. Unfortunately during this process I never saw any of the communication myself until the very end. I had only received the names of the company and people to look up. At this point I was absolutely torn apart. I failed to protect her and they were able to add another victim to their list. After a few days of police reports, changing login credentials, and implementing MFA, not just 2FA, we finally feel somewhat protected, but at what cost? I share this story in hopes that it may warn others who are unemployed or simply looking for new employment opportunities. In most cases these scammers know this group of people is more vulnerable because they need work. As the old saying goes, if it sounds too good to be true, run."

Joe Carrigan: Right.

Maria Varmazis: Wow. Yeah. Yep.

Joe Carrigan: Yeah. And that must -- I don't know why I didn't remember this was the catch of the day. Kind of embarrassing. But anyway it sounds like Mark's girlfriend got off pretty easy, that she didn't -- didn't lose any money. Am I reading that right, do you think?

Dave Bittner: I'm not sure. I don't know.

Joe Carrigan: Okay.

Maria Varmazis: Yeah. I don't think she's --

Dave Bittner: Mark says torn apart and failed to protect her, but he does not say specifically whether or not there was money lost.

Joe Carrigan: Yeah. Yeah. I mean there was PII lost and that's going to have long ramifications. So my advice, Mark, go out and go to ChexSystems, C-H-E-X Systems. Lock down your girlfriend's information there. And then maybe put a credit freeze with the three credit bureaus. And you can just Google how to do that and it comes up pretty quickly. Credit freezes and ChexSystems freezes are free. They can't charge you for it. You can unfreeze them whenever you want to go out and open up an account on your own. And they don't charge you for that. So yeah. That's probably your best offense at this point because they got a lot of information. A W-2 has a lot of personally identifiable information on it. It's got your name, your address, your -- probably has your birth date, social security number. I don't remember. Does a W-2 have your birthday on it? It might.

Maria Varmazis: Yeah. It's got everything. Yeah. Yeah.

Joe Carrigan: It's you know it's a terrible form for the IRS to mandate, but they do. I guess they need to establish your identity as well to properly tax you.

Dave Bittner: Right.

Joe Carrigan: But yeah. I mean that's -- that's really the best option right now.

Dave Bittner: You know what else Mark could do? As a gift Mark could buy his girlfriend a subscription to a credit monitoring company.

Maria Varmazis: So romantic.

Joe Carrigan: Right?

Maria Varmazis: Can you imagine? Put a red bow on it. Nothing a lady wants more than that.

Dave Bittner: Right. Exactly. Just let me show you how much I love you.

Maria Varmazis: And make sure you put it in a Tiffany box because that's a pro tip from me. Like one of those blue Tiffany boxes. She'll love that.

Joe Carrigan: The one that the people usually put rings in or --

Maria Varmazis: Indeed.

Dave Bittner: Oh yeah. That will go over real well.

Maria Varmazis: It will go over so well.

Joe Carrigan: Oh, Mark, what is this? I got you identity theft protection. Oh, you shouldn't have.

Dave Bittner: If everything goes well, nothing will happen. And you can thank me.

Joe Carrigan: Right. That's the motto of cybersecurity professionals everywhere. If everything goes well, nothing will happen.

Dave Bittner: Right. Yeah. We spent all this money and nothing happened. Can we increase my budget next year? All right. Well, thank you, Mark, for sending that in. That is an interesting story for sure. We do appreciate it. [ Music ] That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. Maria, how can folks find out more about the "T-Minus" podcast?

Maria Varmazis: Well, you can join me every day and download "T-Minus Space Daily" on your favorite podcast provider or go to space.n2k.com to find out more.

Dave Bittner: All right. A quick reminder that N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our executive producer is Jennifer Eiben. This show is mixed by Tre Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: I'm Joe Carrigan.

Maria Varmazis: And I'm Maria Varmazis.

Dave Bittner: Thanks for listening. [ Music ]