Hacking Humans

436 Episodes
Cybersecurity interview with ChatGPT.
In part one of CyberWire’s Interview with the AI, Brandon Karpf interviews ChatGPT about topics related to cybersecurity. Rick Howard joins Brandon to analyze the conversation and discuss potential use cases for the cybersecurity community.
ChatGPT is a chatbot launched by OpenAI and built on top of OpenAI’s GPT-3 family of large language models.
Cyber questions answered by ChatGPT in part one of the interview.
What were the most significant cybersecurity incidents up through 2021?
What leads you to characterize these specific events as significant?
What were the specific technical vulnerabilities associated with these incidents?
Who were the cyber actors involved in each of these attacks?
Do you think it's valuable to attribute cyber attacks to specific actors?
Bala Kumar of Jumio joins to discuss how travel companies can combat the exponential rise in fraud and ensure their traveler is who they say they are. Dave and Joe share some listener follow up, with the first from Matt, who writes in with a strange Dick's Sporting Goods story about gift cards and credit cards. Our second follow up comes from listener King, who writes in regarding the QR discussion in episode 243. Dave's story follows how almost every US state has sued a telecom company accused of routing billions of illegal robocalls to millions of US residents on the do not call list. Joe's story is about a family losing $730,000 in a wire fraud scam, but with a twist ending. Our catch of the day comes from listener William, who writes in with an email laced with so much fraud, Gmail didn't even want Joe to open it to read it for this episode.
Links to stories:
48 states sue phone company that allegedly catered to needs of robocallers
Family loses $730K in wire fraud scam — and gets it all back
Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Nick Percoco from Kraken sits down to discuss the human factor of crypto scams, including going over common red flags and what to do when a third party is exerting pressure that taps into human emotions. Listener Sean writes in with some follow up to discuss the increase in AI scams and if people would be more likely to talk about falling for these scams as AI becomes better and better. An anonymous listener also reached out with some follow up regarding their experience with corporate ID theft. Joe's story follows the report on "dark patterns," and what they are. Dave's story is on people who got hired as customer service reps, but instead helped lure in the lonely and lovestruck through a network of dating and hookup sites. Our catch of the day comes from listener Gareth who shares his catch of a phishing scheme from the "NSA."
Links to stories:
Guide to Dark Patterns – Terms and examples from the CCPA and the CPA
Bringing Dark Patterns to Light
This Is Catfishing on an Industrial Scale
Our guest, Mark Kapczynski from OneRep, joins Dave to discuss what consumers should know about data privacy. Listener Jon writes in to the show with some follow-up thoughts on the tap interface. Another anonymous listener wrote in to the show discussing ethical hacking. Dave's story is on fake QR codes and how people are getting scammed out of money after receiving a fake QR code parking ticket survey. Joe's story follows an attempted attack at Dragos and what they didn't get. Our catch of the day comes from listener Richard who writes in with a fun scam he caught from the "Marine Corps."
Links to stories:
QR codes used in fake parking tickets, surveys to steal your money
Deconstructing a Cybersecurity Event
Our guest, CW Walker, Director of Security Product Strategy at SpyCloud, joins to discuss post-infection remediation and ransomware defense. Joe compliments one of his least favorite big tech companies. Joe and Dave share quite a bit of follow-up: one from listener Clayton, who writes in about “fast idiots” from a previous episode. The other is from listener Robert, who writes in about the wallet versus smartphone debate, and which is safer. Joe shares a few stories this week, all regarding ATM scams and lost or stolen credit cards, including his own son's ATM nightmare. Dave's scary story is on the latest hot topic in the cyber industry: AI, and how families are being scammed by believable voice AI made to sound like loved ones. Listener Michael shares this week's catch of the day on an IRS scam he came across in his email.
Links to stories:
Chase Bank didn't believe customers with accounts drained by ATM 'tap' feature scam
Lost or Stolen Credit, ATM, and Debit Cards
Family targeted by AI scam using loved one’s voice
Josh Yavor, CISO at Tessian, joins Dave to discuss a new report they released on cyber mistakes and why employees make them. Joe and Dave share a listener follow-up from Jon, who writes in about mental illness, a serious epidemic taking over the nation. Jon shares interesting tidbits on social media linking to mental illness and the impact it's creating. Dave's story is on hackers trying an old trick with new mechanics: impersonating well-known companies. This time, hackers are posing as QuickBooks. Joe's story describes how LinkedIn users are being targeted yet again. These fraudsters are now creating significant threats to users, according to the FBI. Finally, our catch of the day comes from listener Jennifer, who writes in and shares her story of a scammer using SMS to tell her that her Venmo account was hacked, even though she does not have one.
Links to stories:
Sending Phishing Emails from QuickBooks
FBI says fraud on LinkedIn a ‘significant threat’ to platform and consumers
This week, Carole Theriault, CW UK correspondent, sits down with Cisco Talos' Vanja Svajcer to discuss whether the security industry is ready for AI. Joe and Dave share some follow up regarding a new term, "yahoo boy," after reading it in an article. Joe's story follows a scam in which five mastermind businessmen were able to scam ordinary investors out of a billion dollars. Dave's story is on a basic iPhone feature that is helping criminals steal your entire digital life. Our catch of the day comes from William who writes in about an email he received from "Bob William" who shares that he works at a law firm and one of his clients has an insurance policy where his client did not write a will. Bob wants to share the amount of $12,820,000 with charity and then split the rest of the funds.
Links to stories:
On the hunt for the businessmen behind a billion-dollar scam
A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life
This week, our guests are Jean Lee and Geoff White from BBC and the Lazarus Heist talking about what is coming up in Season 2 of their show and how the Lazarus Group is evolving. Joe briefly discusses Generative AI before going into his stories for this week. Joe's first story comes from Lauren Jackson from WBRC who writes in with a disturbing tire scam causing businesses to lose thousands. Joe's second story is from David Sentendrey from KDFW, who shares a story about a woman who fell victim to a romance scam, losing $75,000. Dave's story follows a casino scam in Colorado, which was the largest heist in the state's history. Our catch of the day comes from listener Morten who received a confusing message regarding an inheritance payment fund.
Links to stories:
Cullman Police warn of returning scam that has local businesses out thousands of dollars
Woman who lost $75K in worldwide online romance scam warning others of the danger
Black Hawk casino heist is largest in Colorado history
Paul Dant, Illumio's Senior Director for Cybersecurity Strategy and Research, is sharing how his history as a child hacker informed his thinking today. Joe and Dave share some listener follow up from Anthony, who writes in about a scam from the app Nextdoor, regarding scammers trying to upgrade Xfinity customers using their computers rather than the usual method, which throws up red flags. Dave's story this week follows a principal from a Florida science and technology charter school who mistakenly wrote a check for $100,000 to an Elon Musk impersonator. Joe's story is on email compromise, and the increase we have seen in the last several months, including an "increase in ‘novel social engineering attacks’ across thousands of active Darktrace/Email customers from January to February 2023." Our catch of the day comes from listener JP, who writes in regarding a suspicious looking email they received from "Norton" saying they will increase the price of their service being used.
Links to stories:
School principal resigns after writing $100,000 check to Elon Musk impersonator
Tackling the Soft Underbelly of Cyber Security – Email Compromise
Keith Houston, Chief prosecutor in financial cybercrimes at Harris County District Attorney's Office in Houston, TX, shares some scams that have come through his office and advice on how to protect yourself. Dave and Joe share some follow up from listener Nevile, who writes in about a news story he came across regarding pendrive bombs, wondering what you do if you're a reporter and someone sends you a scoop on a pendrive. Joe has two stories regarding AI, and how scammers were able to use AI software to clone voices the victims would recognize and then con them out of thousands of dollars. Dave's story is on a new report stating that the most common combosquatting keyword is support. Our catch of the day comes from listener Shawn who writes in sharing an email they received from their company's HR team warning them of a suspicious package that has been circulating around the office.
Links to stories:
N.L. family warns of possible AI voice clone scam that cost them $10K
How scammers likely used artificial intelligence to con Newfoundland seniors out of $200K
The Most Common Combosquatting Keyword Is “Support”
Kathleen Smith, CMO from ClearedJobs.Net, sits down with Dave to talk about how job seekers are susceptible to employment fraud. Joe and Dave share some listener follow up from Steve, who writes in to share a scary and frustrating story as hackers were able to scam their way into his and his wife’s Verizon Wireless account. Dave's story follows giveaway scams, which are scams that impersonate celebrities and brands, most notably Elon Musk and the companies he is associated with, to try and get victims to believe they have won a large sum of cryptocurrency. Joe's story is on a scary development in the AI world, regarding family emergency scams. Scammers are now using AI to enhance the believability. Our catch of the day comes from a listener named Jim who writes in about a scam he came across in his spam folder from a "Sgt. Nolla E. Donald" who wants to give him millions of dollars to keep safe while she fights over in Iraq.
Links to stories:
Chatbots, Celebrities, and Victim Retargeting: Why Crypto Giveaway Scams Are Still So Successful
Scammers use AI to enhance their family emergency schemes
On this episode, the CyberWire's UK Correspondent Carole Theriault talks with Iain Thomson from the Register about why he has no IoT in his house and what advice he offers for those who do. Joe's story features ten social engineering techniques. Dave's story starts with an order by the FTC against Epic Games for tricking users into making in-game purchases in Fortnite using dark patterns. Our Catch of the Day comes from listener Lauren sharing a phishing attempt at her company where the scammers obviously did their homework on who to contact in the organization.
Links to stories:
Ten Social Engineering Techniques Used By Hackers
FTC Finalizes Order Requiring Fortnite maker Epic Games to Pay $245 Million for Tricking Users into Making Unwanted Charges
What are deceptive patterns?
Eric Olden, Chief Executive at Strata, sits down with Dave to discuss the changing face of identity: where we’ve been, where we are going, and the bumps along the way. Dave and Joe share some listener follow-up from Michael, who writes in about advertisements on YouTube and other social networks claiming magical results. Dave's story follows a new tool released by the National Center for Missing and Exploited Children (NCMEC) to help slow and stop the spread of sextortion of minors. Joe's story is on a LinkedIn post by Gary Warner regarding why we have so much fraud. Our catch of the day is from listener Shon, who writes in about an email they received about “Meta Resources Recruiter” informing them of an open “CISO Lead role.”
Links to stories:
Teens can proactively block their nude images from Instagram, OnlyFans
Why do we have so much fraud?
Mallory Sofastaii from Baltimore's WMAR 2 News sits down with Joe to talk about some recent stories on scams she's covered on Matter for Mallory. Dave and Joe share some listener follow up from Robert who writes in about the technical means to protect phones from robocalls. He shares some insight on how carriers up in the north are able to protect phones. Dave shares a Twitter thread from Brian Jay Jones, an author of biographies of Jim Henson, George Lucas and Dr. Seuss, who shares how he almost had his Twitter account hijacked if it weren't for 2-step verification. Joe's story is on a gentleman pleading guilty in PAC scams, raising almost 3.5 million by making false and misleading representations in the 2016 election. This week we have a string of catches of the day from different listeners sharing different SMS scams.
Links to stories:
Associate of scam PAC operator pleads guilty
Twitter thread of Brian Jay Jones
Dan Golden and Renee Dudley, reporters at ProPublica and authors of "The Ransomware Hunting Team: A Band of Misfits' Improbable Crusade to Save the World from Cybercrime," discuss their book. Dave and Joe share some follow up from listener Ignacio who writes in to share thoughts on Joe's preference for using open source options for password managers. Joe's story this week follows Coinbase, who recently had a cybersecurity breach but their cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information. Dave's story is on people trying to gain cryptocurrency back after it was hacked and stolen from them, only to wait and receive nothing in the long run. Our catch of the day comes from listener Josh, who writes in about an email he received that stated that his wallet would be suspended if he did not download a verification link.
Links to stories:
Who You Gonna Call? The Ransomware Hunting Team.
Social Engineering - A Coinbase Case Study
These Companies Say They Can Recover Stolen Crypto. That Rarely Happens.
Corie Colliton Wagner from Security.org joins to discuss the company’s research of password manager tools and their benefits, identity theft, and the market outlook for PW managers. Dave and Joe share quite a bit of follow up from listeners Mitch, Neville, and Richard. Mitch writes in to share about gift card scams, and Neville and Richard both share their thoughts on the pros and cons of having a cloud-based password manager. Dave's story is about employees around the globe and their internet habits inside the workplace. Joe's story follows a new release of data from the FTC on romance scams, including the top lies being told by scammers. Our catch of the day comes from listener Gordy, who writes in about an email he received regarding a new position scammers are trying to fill in an open job.
Links to stories:
Are Your Employees Thinking Critically About Their Online Behaviors?
New FTC Data Reveals Top Lies Told by Romance Scammers
Mathieu Gorge from VigiTrust sits down to discuss the different ways that online attackers target younger and older generations, and what the cybersecurity industry can and should do to protect them. Dave and Joe share some listener follow up from Greg who writes in regarding porch pirates possibly finding a new way to steal packages. In Joe's story this week, we learn that while ransomware was down last year, more and more people are clicking on phishing emails. Dave's story follows Ahad Shams, the co-founder of Web3 metaverse gaming engine startup Webaverse, who ended up getting $4 million of his cryptocurrency stolen. Our catch of the day comes from listener Rodney who writes in about an email he received. The scammers were trying to collect information from him after saying he was already scammed out of money, when in fact he was not.
Links to stories:
New cybersecurity data reveals persistent social engineering vulnerabilities
Scammers steal $4 million in crypto during face-to-face meeting
Keith Jarvis, Senior Security Researcher from Secureworks Counter Threat Unit (CTU), shares his thoughts on the alarming rise of infostealers and stolen credentials. Dave and Joe share some listener follow-up from Ron who writes in about a book, entitled "Firewalls Don't Stop Dragons" by Carey Parker, which he finds a helpful resource when it comes to cybersecurity. Dave's story follows password management companies and how they might not be as safe as we presume them to be, most notably the LastPass breach in the last month. Joe has two stories this week, his first on a 19-year-old TikToker who was arrested for running a GoFundMe scam while portraying on the popular social media app that she was diagnosed with 3 different types of cancer. Joe's second story is on Marines outsmarting artificially intelligent security cameras by hiding in a clever way that the AI could not recognize. Our catch of the day comes from listener Tim, who writes in about an old scam with a new twist, and how he was able to figure it out.
Links to stories:
Password Managers: A Work in Progress Despite Popularity
19-YEAR-OLD TIKTOKER ARRESTED FOR RUNNING GOFUNDME SCAM... Over Fake Cancer Diagnosis
U.S. Marines Outsmart AI Security Cameras by Hiding in a Cardboard Box
J. Bennett from Signifyd discusses the fraud ring that has launched a war on commerce against US merchants over the past few months. Joe and Dave share some listener follow up from Jon who writes in about an email he almost fell victim to. Joe shares two stories this week, the first on how scammers were seen posing as tech support at two US agencies in an attempt to hack their employees. Joe's second story is on a woman trying to steal 2.8 million from an elderly Holocaust survivor. Dave's story follows how an ad scam was able to break through over 11 million phones. Our catch of the day comes from husband and wife, Chad and Jen, who write in sharing a scam that Jen almost fell for. An email from "iTunes" confirming a payment of over $100 that she didn't authorize hit the music lover's inbox. The scammers went on to explain the rules behind the payment, making sure to include that if she did not make this purchase to notify them immediately.
Links to stories:
Scammers posed as tech support to hack employees at two US agencies last year, officials say
36-Year-Old Woman Accused of Using Romance Scam to Swindle $2.8M from Elderly Holocaust Survivor
A Sneaky Ad Scam Tore Through 11 Million Phones
Nadine Michaelides from Anima People sits down with Dave to discuss preventing insider threat using behavioral science and psych metrics. Joe and Dave share some follow up regarding a Facebook scammer who is targeting Joe, as well as a letter from listener Richard who writes in about business emails and the compromised warning signs they send about dangerous emails coming from outside the company. Dave shares a story about hackers who are setting up fake websites to promote malicious downloads through advertisements in Google search results. Joe has two stories this week: one is about the latest scam in the parking ticket realm, and the second story follows West Virginia police warning residents of a Walmart scam where the scammer sends you a "free 50 dollar Walmart gift card." The catch of the day comes from Penny who writes in about a scam that almost sucked her in through an email from "McAfee."
Links to stories:
Hackers push malware via Google search ads for VLC, 7-Zip, CCleaner
That Surprisingly Real Looking Parking Ticket May Be Fake! Don’t Fall for Latest Scam
McMechen Police issue warning about Walmart scam in area
Johns Hopkins. How an organization that had done such atrocities throughout its history is able to influence, study, or even be allowed to exist blows my mind.
or not pay attention to the fact "tag along" installs are default agreed upon.
The app lock for iOS is somehow quite different from the process used to lock apps on Android devices. The use of a password lock app in iOS and setting time limits for apps is used to lock apps on iOS.
Awesome podcast, learn new things without it being boring. Love the catch of the week!
puppy
Love this podcast! Keep 'em coming!!!