Hacking Humans

N2K Networks

  • 35 minutes 49 seconds
    Granny’s got a new trick.

    On Hacking Humans, Dave Bittner, Joe Carrigan, and Maria Varmazis (also host of N2K's daily space podcast, T-Minus), are once again sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines to help our audience become aware of what is out there. This week, Joe shares a note from listener Michael before getting into stories, and Michael writes in to share that there are VIN cloning scams. Joe brings back the Iota discussion from last week. Joe's up first for stories and focuses on fraud. Dave informs us of the new human-like AI granny who is wasting scammers' time. Finally, Maria brings us the story of how BforeAI researchers analyzed over 6000 newly registered retail domains, revealing a surge in scam activity targeting shoppers with phishing websites, fake apps, and fraudulent offers, particularly during the holiday season, exploiting brand names, seasonal trends, and emerging technologies like AI and cryptocurrency. Our catch of the day comes from listener Kenneth who writes in about a fraudulent email claiming to be from Emirates Group, inviting a company to register as a vendor or contractor for upcoming projects in 2024/2025. The email emphasizes the company's experience in various sectors and urges a prompt response to initiate the registration process. It is signed by a supposed "Contractors Coordinator," Mr. Steve Ibrahim Ghandi, and includes fake contact details for the Emirates Group.


    Resources and links to stories:


    You can hear more from the T-Minus space daily show here.


    Have a Catch of the Day you'd like to share? Email it to us at [email protected].

    21 November 2024, 6:00 am
  • 7 minutes 26 seconds
    personally identifiable information (PII) (noun) [Word Notes]

    A term of legal art that defines the types of data and circumstances that permits a third party to directly or indirectly identify an individual with collected data. 

    19 November 2024, 8:00 am
  • 42 minutes 44 seconds
    Final approach to scammer advent.

    On Hacking Humans, Dave Bittner, Joe Carrigan, and Maria Varmazis (also host of N2K's daily space podcast, T-Minus), are once again sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines to help our audience become aware of what is out there. This week, the team shares follow-up about FEMA and Hurricane Helene relief. Dave's story is about romance scams involving an impersonator of a WWE star scamming a grandfather out of their retirement savings. Maria shares a story about a valid-looking document impersonating DocuSign's API (application programming interface). Joe's got a few stories including one about a CVE (Common Vulnerabilities Enumeration) relating to an Okta bug and one from the Better Business Bureau with a new twist on online shopping scams where you get a "card declined" message. Our Catch of the Day comes from listener William about an email from the "United Nations."



    14 November 2024, 6:00 am
  • 8 minutes 25 seconds
    secure access service edge (SASE) (noun) [Word Notes]

    Enjoy this encore episode.

    A security architecture that incorporates the cloud shared responsibility model, a vendor provided security stack, an SD-WAN abstraction layer, and network peering with one or more of the big content providers and their associated fiber networks.

    12 November 2024, 8:00 am
  • 48 minutes 13 seconds
    Happy hour hacking.

    Maria Varmazis, host of N2K's daily space show T-Minus, joins Dave and Joe to share the story of the five types of social engineers Deanne Lewis encountered while tending bar, revealing how each barroom personality reflects a common cybersecurity threat. Our hosts share some follow-up from a friend of the show, JJ, who reports a rise in tech support scams targeting non-tech-savvy users by locking their screens and persuading them to call scammers, often leading to credit card fraud and unauthorized remote access through tools like AnyDesk or TeamViewer. Joe has two stories this week: one covering JPMorgan Chase's lawsuits against individuals who exploited an ATM glitch to withdraw fake deposits, a scam popularized on TikTok; and the second on four suspects in Maryland charged with conning an elderly woman out of nearly $40,000 in a "pigeon drop" scam, where victims are promised a cut of "found" money in exchange for collateral. Dave's story is on a viral AI-generated hoax spreading on Facebook, where fake posts about neighbors egging cars over Halloween decorations are stirring moral panic and sowing distrust, especially among older users. Finally, our catch of the day comes from some text threads about a scammer trying to get clever while buying a used car.


    7 November 2024, 6:00 am
  • 40 minutes 10 seconds
    Whispers in the wires: A closer look at the new age of intrusion. [OMITB]

    Welcome in! You’ve entered Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is Selena Larson, Proofpoint intelligence analyst and host of their podcast DISCARDED. Inspired by the residents of a building in New York’s exclusive Upper West Side, Selena is joined by N2K Networks' Dave Bittner and Rick Howard to uncover the stories behind notable cyberattacks.

    Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, we talk about how threat actors are shifting tactics across the landscape, focusing more on advanced social engineering and refined initial access strategies than on sophisticated malware.

    We’ll dive into Proofpoint's latest blog detailing a transport sector breach that, while involving relatively standard malware, showcases this growing trend of nuanced techniques and toolsets.

    5 November 2024, 8:00 am
  • 6 minutes 26 seconds
    red teaming (noun) [Word Notes]

    Enjoy this encore episode.

    The practice of emulating known adversary behavior against an organization's actual defensive posture.

    5 November 2024, 8:00 am
  • 3 minutes 51 seconds
    The Malware Mash

    Happy Halloween from the team at N2K Networks!


    We hope you share in our Halloween tradition of listening to the Malware Mash. You can check out our video here.


    Lyrics


    I was coding in the lab late one night

    when my eyes beheld an eerie sight 

    for my malware threat score began to rise 

    and suddenly to my surprise...


    It did the Mash 

    It did the Malware Mash 

    The Malware Mash 

    It was a botnet smash 

    It did the Mash 

    It caught on 'cause of Flash 

    The Malware Mash 

    It did the Malware Mash


    From the Stuxnet worm squirming toward the near east 

    to the dark web souqs where the script kiddies feast 

    the APTs left their humble abodes 

    to get installed from rootkit payloads. 


    They did the Mash 

    They did the Malware Mash 

    The Malware Mash 

    It was an adware smash 

    They did the Mash 

    It caught on 'cause of Flash 

    The Malware Mash 

    They did the Malware Mash


    The botnets were having fun 

    The DDoS had just begun 

    The viruses hit the darknet, 

    with ransomware yet to come. 

    The keys were logging, phishing emails abound, 

    Snowden on chains, backed by his Russian hounds. 

    The Shadow Brokers were about to arrive 

    with their vocal group, "The NotPetya Five."


    They did the Mash 

    They played the Malware Mash

    The Malware Mash 

    It was a botnet smash 

    They did the Mash 

    It caught on 'cause of Flash 

    The Malware Mash 

    They played the Malware Mash


    Somewhere in Moscow Vlad's voice did ring 

    Seems he was troubled by just one thing. 

    He opened a shell then shook his fist 

    and said, "Whatever happened to my Turla Trojan twist." 


    It's now the Mash 

    It's now the Malware Mash 

    The Malware Mash 

    And it's a botnet smash 

    It's now the Mash 

    It caught on 'cause of Flash 

    The Malware Mash 

    It's now the Malware Mash


    Now everything's cool, Vlad's a part of the band 

    And the Malware Mash is the hit of the land. 

    For you, defenders, this mash was meant to 

    when you get to my door, tell them Creeper sent you.


    Then you can Mash 

    Then you can Malware Mash 

    The Malware Mash 

    And be a botnet smash 

    It is the Mash 

    Don't you dare download Flash 

    The Malware Mash 

    Just do the Malware Mash

    31 October 2024, 6:40 pm
  • 50 minutes 24 seconds
    How political donations can be deceiving.

    Maria Varmazis, host of N2K's daily space show T-Minus, joins Dave and Joe to share the story of a relentless wave of political donation texts that go well beyond simple annoyance, revealing an unsettling impact on vulnerable populations. CNN's investigation exposes how these texts, with their urgent and personal tone, have led seniors, including those with dementia, to make thousands of donations—sometimes unknowingly amassing hundreds of thousands of dollars for campaigns. Joe's story highlights a dash cam video capturing a car colliding with another vehicle while backing up on a busy highway. The footage raises questions about driver awareness and road safety in high-traffic situations. Dave's story shares the alarming potential of OpenAI's real-time voice API, which allows scammers to create AI agents capable of executing phone scams for as little as $0.75. Researchers from the University of Illinois Urbana-Champaign revealed that these agents can autonomously conduct scams, raising serious concerns about the misuse of voice-enabled AI technology despite previous safety precautions. And finally, our catch of the day shares how the Library of Congress is cracking down on copyright infringement.


    31 October 2024, 5:00 am
  • 7 minutes 27 seconds
    next generation firewall (noun) [Word Notes]

    Please enjoy this encore episode of Word Notes.

    A layer seven security orchestration platform deployed at the boundary between internal workloads slash data storage and untrusted sources that blocks incoming and outgoing network traffic with rules that tie applications to the authenticated user and provides most of the traditional security stack functions in one device or software application.

    29 October 2024, 7:00 am
  • 35 minutes 35 seconds
    Spiritual healers or master con artists?

    Maria Varmazis, host of N2K's daily space show T-Minus, joins Dave and Joe to share the story of how ESET Research revealed that Telekopye, a scam toolkit used by cybercriminals, has expanded its operations from online marketplaces to accommodation booking platforms like Booking.com and Airbnb. Joe’s story is on the elaborate "blessing scam" targeting older Chinese women, where scammers pose as spiritual healers to swindle victims out of their valuables by convincing them their loved ones are in danger—a criminal act spanning across the UK, US, Australia, and Canada, leaving families desperate to catch the perpetrators. Dave follows the story of a new rule passed by the US Federal Trade Commission (FTC) to make subscription cancellations easier with a simple "click to cancel" process. Our catch of the day comes from Reddit where a user was contacted via text message claiming that they were mixed up in a romance scam.


    24 October 2024, 5:00 am