Hacking Humans

• What’s inside the mystery box? Spoiler: It’s a scam!

  As Dave Bittner is at the RSA Conference this week, our hosts ⁠⁠Maria Varmazis and ⁠⁠Joe Carrigan⁠⁠, are sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. We start with some follow-up from José on episode 335, sharing how UK banking features like Faster Payments and the “Check Payee” function might have helped prevent a scam involving fake banking apps—and he even tells a wild tale of someone using a fake app to reverse-scam a bike thief. Joe covers the House’s overwhelming passage of the SHIELD Act to ban revenge porn—including deepfakes—and why critics say it could threaten encryption. He also shares a strong warning about trust and the real risks of sharing intimate images. Maria has the story of a surge in sophisticated subscription scams, where cybercriminals use fake “mystery box” websites, social media ads, and influencer impersonations to trick users into handing over credit card data and signing up for hidden recurring payments. Bitdefender researchers warn these polished scams are part of a broader evolution in social engineering, designed to bypass skepticism and evade detection. Our Catch of the Day comes from listener Rick, who received a suspicious email that appears to be from Harbor Freight—a popular U.S. retailer known for affordable tools and equipment—offering a “free gift” to the recipient… classic bait for a likely scam. Resources and links to stories: ⁠House Passes Bill to Ban Sharing of Revenge Porn, Sending It to Trump TAKE IT DOWN Act Trump’s hasty Take It Down Act has “gaping flaws” that threaten encryption Congress Passes TAKE IT DOWN Act Despite Major Flaws Mystery Box Scams Deployed to Steal Credit Card Data Have a Catch of the Day you'd like to share? Email it to us at ⁠⁠[email protected]⁠⁠.

  --------  

  46:13
• OWASP broken access control (noun) [Word Notes]

  Please enjoy this encore of Word Notes. Software users are allowed access to data or functionality contrary to the defined zero trust policy by bypassing or manipulating the installed security controls.

  --------  

  7:30
• The RMM protocol: Remote, risky, and ready to strike. [OMITB]

  Welcome in! You’ve entered, Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is ⁠Selena Larson⁠, ⁠Proofpoint⁠ intelligence analyst and host of their podcast ⁠DISCARDED⁠. Inspired by the residents of a building in New York’s exclusive upper west side, Selena is joined by ⁠N2K Networks⁠ ⁠Dave Bittner⁠ and our newest co-host, Keith Mularski, former FBI cybercrime investigator and now Chief Global Ambassador at Quintel. Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, our hosts discuss the growing trend of cybercriminals using legitimate remote monitoring and management (RMM) tools in email campaigns as a first-stage payload. They explore how these tools are being leveraged for data theft, financial fraud, and lateral movement within networks. With the decline of traditional malware delivery methods, including loaders and botnets, the shift toward RMMs marks a significant change in attack strategies. Tune in to learn more about this evolving threat landscape and how to stay ahead of these tactics.

  --------  

  41:40
• The prince, the pretender, and the PSA.

  As Maria is on vacation this week, our hosts ⁠Dave Bittner⁠ and ⁠Joe Carrigan⁠, are sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. Joe and Dave are joined by guest Rob Allen from ThreatLocker who shares a story on how a spoofed call to the help desk unraveled into a full-blown cyber siege on MGM Resorts. Joe’s story is on a new FBI warning: scammers are impersonating the Internet Crime Complaint Center (IC3), the very site where people go to report online fraud. Dave's got the story of a so-called “Nigerian prince” scammer who turned out to be a 67-year-old man from Louisiana, now facing 269 counts of wire fraud for helping funnel money to co-conspirators in Nigeria. Our catch of the day comes from a scams subreddit, and is on a message received from the Department of Homeland Security reaching out to a user to share that they are a victim of fraud. Resources and links to stories: Investigating the MGM Cyberattack – How social engineering and a help desk put the whole strip at risk. Brian Krebs LinkedIn FBI Warns of Scammers Impersonating the IC3 IC3 2024 Report 'Nigerian prince' scammer was 67-year-old from Louisiana, police say Have a Catch of the Day you'd like to share? Email it to us at ⁠[email protected]⁠.

  --------  

  28:35
• OWASP security misconfiguration (noun) [Word Notes]

  Please enjoy this encore of Word Notes. The state of a web application when it's vulnerable to attack due to an insecure configuration.  CyberWire Glossary link: ⁠https://thecyberwire.com/glossary/owasp-security-misconfiguration⁠ Audio reference link: ⁠“What Is the Elvish Word for Friend?”⁠ Quora, 2021.

  --------  

  7:03

More News podcasts

Trending News podcasts

About Hacking Humans

Hacking Humans: Podcasts in Family