Hacking Humans

By N2K Networks

Category: Technology

Subscribers: 978
Reviews: 1
Episodes: 436

Chris Libera
 Sep 11, 2020
Very well made and informative.

Description

Deception, influence, and social engineering in the world of cyber crime.

Episode Date
Are you who you say you are?
2949
Bala Kumar of Jumio joins to discuss how travel companies can combat the exponential rise in fraud and ensure their traveler is who they say they are. Dave and Joe share some listener follow up, with the first from Matt, who writes in with a strange Dick's Sporting Goods story about gift cards and credit cards. Our second follow up comes from listener King, who writes in regarding the QR discussion in episode 243. Dave's story follows how almost every US state has sued a telecom company after being accused of routing billions of illegal robocalls to millions of US residents on the do not call list. Joe's story is about a family losing $730,000 in a wire fraud scam, but with a twist ending. Our catch of the day comes from listener William, who writes in with an email laced with so much fraud, Gmail didn't even want Joe to open it to read it for this episode. Links to stories: 48 states sue phone company that allegedly catered to needs of robocallers Family loses $730K in wire fraud scam — and gets it all back Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jun 01, 2023
passkey (noun) [Word Notes]
448
A passwordless authentication protocol based on the FIDO2 standard. CyberWire Glossary link: https://thecyberwire.com/glossary/passkey Audio reference link: Summers, J., 2023. Google Passkeys Have Arrived (here’s how to use them) [All Things Secured Channel]. YouTube. URL https://www.youtube.com/watch?v=oFO7JgUx-bU.
May 30, 2023
catfish (noun) [Word Notes]
423
The practice of crafting a fake online persona for malicious purposes. CyberWire Glossary link: https://thecyberwire.com/glossary/catfish Audio reference link: netbunny, 2013. Catfish - The Movie - Ending Scene [Movie Scene]. YouTube. URL https://www.youtube.com/watch?v=qR_NIN6zy0U
May 30, 2023
Bringing in the human side of scamming.
3988
Nick Percoco from Kraken sits down to discuss the human factor of crypto scams, including going over common red flags and what to do when a third party is exerting pressure that taps into human emotions. Listener Sean writes in with some follow up to discuss the increase in AI scams and whether people would be more likely to talk about falling for these scams as AI becomes better and better. An anonymous listener also reached out with some follow up regarding their experience with corporate ID theft. Joe's story follows the report on "dark patterns," and what they are. Dave's story is on people who got hired as customer service reps, but instead helped lure in the lonely and lovestruck through a network of dating and hookup sites. Our catch of the day comes from listener Gareth who shares his catch of a phishing scheme from the "NSA." Links to stories: Guide to Dark Patterns – Terms and examples from the CCPA and the CPA Bringing Dark Patterns to Light This Is Catfishing on an Industrial Scale Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 25, 2023
QR code phishing (noun) [Word Notes]
479
A type of phishing attack that uses QR codes as the lure. CyberWire Glossary link: https://thecyberwire.com/glossary/qr-code-phishing Audio reference link: KNR, 2018. Batman The Dark Knight Joker bomb blast by phone calls scene [Video]. YouTube. URL https://www.youtube.com/watch?v=qB_fXfzB4z0.
May 23, 2023
Who says the perfect heist doesn't exist? [Hacking Humans Goes to the Movies]
1346
Thanks for joining us again for another episode of the fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds. Links to this episode's clips if you'd like to watch along: Dave's clip from the movie Out of Sight Rick's clip from the movie The Thomas Crown Affair
May 21, 2023
Data privacy in a consumers world.
3871
Our guest, Mark Kapczynski from OneRep, joins Dave to discuss what consumers should know about data privacy. Listener Jon writes in to the show with some follow-up with some thoughts on tap interface. Another anonymous listener wrote into the show discussing ethical hacking. Dave's story is on fake QR codes and how people are getting scammed out of money after receiving a fake QR code parking ticket survey. Joe's story follows an attempted attack at Dragos and what they didn't get. Our catch of the day comes from listener Richard who writes in with a fun scam he caught from the "Marine Corps." Links to stories: QR codes used in fake parking tickets, surveys to steal your money Deconstructing a Cybersecurity Event Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 18, 2023
attribution (noun) [Word Notes]
564
Definition one: The recognition of a set of repeatable attack patterns across the intrusion kill chain. Definition two: Determining the responsibility for offensive cyber operations. CyberWire Glossary link: https://thecyberwire.com/glossary/attribution Audio reference link: Nunnikhoven, M., 2018. Cybersecurity Basics #9 - Attack Attribution [Video]. YouTube. URL www.youtube.com/watch?v=rlyMz5jN_Vs
May 16, 2023
Remedies for infectious computers.
3439
Our guest, CW Walker, Director of Security Product Strategy at SpyCloud, joins to discuss post-infection remediation and ransomware defense. Joe compliments one of his least favorite big tech companies. Joe and Dave share quite a bit of follow-up; one from listener Clayton who writes in about “fast idiots” from a previous episode. The other is from listener Robert, who writes in about the wallet versus smart phone debate, and which is safer. Joe shares a few stories this week, all regarding ATM scams and lost or stolen credit cards, including his own son's ATM nightmare. Dave's scary story is on the latest hot topic in the cyber industry: AI, and how families are being scammed by believable AI voices made to sound like loved ones. Listener Michael shares this week's catch of the day on an IRS scam he came across in his email. Links to stories: Chase Bank didn't believe customers with accounts drained by ATM 'tap' feature scam Lost or Stolen Credit, ATM, and Debit Cards Family targeted by AI scam using loved one’s voice Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 11, 2023
spear phishing (noun) [Word Notes]
430
A type of cyber attack where an attacker sends a targeted and personalized email or other form of communication to a specific individual or a small group of individuals with the intention of tricking them into divulging sensitive information, such as a password, or convincing them to click a malicious link that will enable the attacker to take control of the victim's machine. CyberWire Glossary link: https://thecyberwire.com/glossary/spearphishing Audio reference link: Richardson, T., 2014. What is the difference between phishing and spear-phishing? [Video]. YouTube. URL www.youtube.com/watch?v=Wpx5IMduWX4.
May 09, 2023
Encore: Human errors and why they're made.
3015
Josh Yavor, CISO at Tessian, joins Dave to discuss a new report they released on cyber mistakes and why employees make them. Joe and Dave share a listener follow-up from Jon, who writes in about mental illness, a serious epidemic taking over the nation. Jon shares interesting tidbits on social media linking to mental illness and the impact it's creating. Dave's story is on hackers trying an old trick with new mechanics: impersonating well known companies. This time, hackers are posing as Quickbooks. Joe's story describes how LinkedIn users are being targeted yet again. These fraudsters are now creating significant threats to users, according to the FBI. Finally, our catch of the day comes from listener Jennifer, who writes in and shares her story of a scammer using SMS to tell her that her Venmo account was hacked, even though she does not have one. Links to stories: Sending Phishing Emails from QuickBooks FBI says fraud on LinkedIn a ‘significant threat’ to platform and consumers Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter
May 04, 2023
resiliency (noun) [Word Notes]
426
The ability to continuously deliver the intended outcome despite adverse cyber events. CyberWire Glossary link: https://thecyberwire.com/glossary/resiliency Audio reference link: Cameron, J., 1984. The Terminator [Movie]. IMDb. URL www.imdb.com/title/tt0088247/. Clip Nation, 2012. The Arnold Schwarzenegger “I’ll Be Back” Supercut [Video]. YouTube. URL www.youtube.com/watch?v=-YEG9DgRHhA. Coops, C., 2013. Terminator 2 Theme [Video]. YouTube. URL www.youtube.com/watch?v=pVZ2NShfCE8.
May 02, 2023
Is the industry ready for AI?
2541
This week, Carole Theriault, CW UK correspondent, sits down with Cisco Talos' Vanja Svacjer to discuss whether the security industry is ready for AI. Joe and Dave share some follow up regarding a new term, "yahoo boy," after reading it in an article. Joe's story is about a scam in which five mastermind businessmen were able to scam ordinary investors out of a billion dollars. Dave's story is on a basic iPhone feature that is helping criminals steal your entire digital life. Our catch of the day comes from William who writes in about an email he received from "Bob William," who shares that he works at a law firm and that one of his clients has an insurance policy but did not write a will. Bob wants to share the amount of $12,820,000 with charity and then split the rest of the funds. Links to stories: On the hunt for the businessmen behind a billion-dollar scam A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 27, 2023
Security Operations Center (SOC) (noun) [Word Notes]
477
A centralized facility or team responsible for monitoring, detecting, analyzing, and responding to cybersecurity incidents within an organization. CyberWire Glossary link: https://thecyberwire.com/glossary/security-operations-center Audio reference link: AT&T Tech Channel, 2012. A tour of AT&T’s Network Operations Center (1979) [Video]. YouTube. URL www.youtube.com/watch?v=cigc3hvMyWw.
Apr 25, 2023
Lazarus Group: Breaking down the evolution.
2945
This week, our guests are Jean Lee and Geoff White from BBC and the Lazarus Heist, talking about what is coming up in Season 2 of their show and how the Lazarus Group is evolving. Joe briefly discusses Generative AI before going into his stories for this week. Joe's first story comes from Lauren Jackson from WBRC, who writes in with a disturbing tire scam causing businesses to lose thousands. Joe's second story is from David Sentendrey from KDFW, who shares a story about a woman who fell victim to a romance scam, losing $75,000. Dave's story follows a casino scam in Colorado, which was the largest heist in the state's history. Our catch of the day comes from listener Morten who received a confusing message regarding an inheritance payment fund. Links to stories: Cullman Police warn of returning scam that has local businesses out thousands of dollars Woman who lost $75K in worldwide online romance scam warning others of the danger Black Hawk casino heist is largest in Colorado history Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 20, 2023
Hunt forward operations (noun) [Word Notes]
361
Defensive cyber operations carried out by U.S. Cyber Command's Cyber National Mission Force, CNMF at the request of allied nations. CyberWire Glossary link: https://thecyberwire.com/glossary/hunt-forward-operation Audio reference link: Paul Nakasone, G., 2022. Vanderbilt Summit Keynote [Video]. YouTube. URL www.youtube.com/watch?v=Axg4s9l9wi0.
Apr 18, 2023
Inside the history of a child hacker.
2785
Paul Dant, Illumio's Senior Director for Cybersecurity Strategy and Research, is sharing how his history as a child hacker informed his thinking today. Joe and Dave share some listener follow up from Anthony, who writes in about a scam from the app Nextdoor, regarding scammers trying to upgrade Xfinity customers using their computers rather than the usual method, which throws up red flags. Dave's story this week follows a principal from a Florida science and technology charter school who mistakenly wrote a check for $100,000 to an Elon Musk impersonator. Joe's story is on email compromise, and the increase we have seen in the last several months, including an "increase in ‘novel social engineering attacks’ across thousands of active Darktrace/Email customers from January to February 2023." Our catch of the day comes from listener JP, who writes in regarding a suspicious looking email they received from "Norton" saying they will increase the price of their service being used. Links to stories: School principal resigns after writing $100,000 check to Elon Musk impersonator Tackling the Soft Underbelly of Cyber Security – Email Compromise Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 13, 2023
Cyber gravity (noun) [Word Notes]
494
The invisible force that governs the movement of data across networks. Audio reference link: “Things to Come 1936 - HG Wells.” YouTube, YouTube, 28 Sept. 2011, https://www.youtube.com/watch?v=atwfWEKz00U. 
Apr 11, 2023
As a scammer, sometimes you need to fake it till you make it. [Hacking Humans Goes to the Movies]
1795
Thanks for joining us again for another episode of the fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds. Links to this episode's clips if you'd like to watch along: Dave's clip from the movie The Princess Bride Rick's clip from the movie Now You See Me 2
Apr 09, 2023
Protecting against financial cybercrimes.
2753
Keith Houston, Chief Prosecutor in financial cybercrimes at the Harris County District Attorney's Office in Houston, TX, shares some scams that have come through his office and advice on how to protect yourself. Dave and Joe share some follow up from listener Nevile, who writes in about a news story he came across regarding pendrive bombs, wondering what you do if you're a reporter and someone sends you a scoop on a pendrive. Joe has two stories regarding AI, and how scammers were able to use AI software to clone voices the victims would recognize and then con them out of thousands of dollars. Dave's story is on a new report stating that the most common combosquatting keyword is "support." Our catch of the day comes from listener Shawn, who writes in sharing an email they received from their company's HR team warning them of a suspicious package that has been circulating around the office. Links to stories: N.L. family warns of possible AI voice clone scam that cost them $10K How scammers likely used artificial intelligence to con Newfoundland seniors out of $200K The Most Common Combosquatting Keyword Is “Support” Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter
Apr 06, 2023
Artificial Intelligence (AI) (noun) [Word Notes]
486
The ability of computers to execute tasks typically associated with human intelligence, including natural language processing, problem solving, and pattern recognition. CyberWire Glossary link: https://thecyberwire.com/glossary/ai Audio reference link: Staff, 2016. Alan Turing - The Imitation Game - Can Machines Think? [YouTube Video]. Learn Understand Create. URL www.youtube.com/watch?v=Vs7Lo5MKIws.
Apr 04, 2023
Seeking employment fraud?
3551
Kathleen Smith, CMO of ClearedJobs.Net, sits down with Dave to talk about how job seekers are susceptible to employment fraud. Joe and Dave share some listener follow up from Steve, who writes in to share a scary and frustrating story in which hackers were able to scam their way into his and his wife’s Verizon Wireless account. Dave's story follows giveaway scams, which are scams that impersonate celebrities and brands, most notably Elon Musk and the companies he is associated with, to try to get victims to believe they have won a large sum of cryptocurrency. Joe's story is on a scary development in the AI world, regarding family emergency scams. Scammers are now using AI to enhance the believability. Our catch of the day comes from a listener named Jim who writes in about a scam he came across in his spam folder from a "Sgt. Nolla E. Donald" who wants to give him millions of dollars to keep safe while she fights over in Iraq. Links to stories: Chatbots, Celebrities, and Victim Retargeting: Why Crypto Giveaway Scams Are Still So Successful Scammers use AI to enhance their family emergency schemes Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter
Mar 30, 2023
Certification (noun) [Word Notes]
397
A credential demonstrating an individual's knowledge in the field of cybersecurity, usually obtained by passing an exam or series of exams.  CyberWire Glossary link: https://thecyberwire.com/glossary/certification Audio reference link: Bombal, D., 2022. Are certifications important in Cybersecurity? [Video]. YouTube. URL www.youtube.com/watch?v=Zdgf_Wr82rs.
Mar 28, 2023
Fingerprinting fights off fraud? [Hacking Humans Goes to the Movies]
1434
Thanks for joining us again for another episode of the fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds. Links to this episode's clips if you'd like to watch along: Dave's clip from the show I Dream of Jeannie Rick's clip from the movie Ant-Man
Mar 26, 2023
Do you have curtains on your house?
2980
On this episode, the CyberWire's UK Correspondent Carole Theriault talks with Iain Thomson from the Register about why he has no IoT in his house and what advice he offers for those who do. Joe's story features ten social engineering techniques. Dave's story starts with an order by the FTC against Epic Games for tricking users into making in-game purchases in Fortnite using dark patterns. Our Catch of the Day comes from listener Lauren, sharing a phishing attempt at her company where the scammers obviously did their homework on who to contact in the organization. Links to stories: Ten Social Engineering Techniques Used By Hackers FTC Finalizes Order Requiring Fortnite maker Epic Games to Pay $245 Million for Tricking Users into Making Unwanted Charges What are deceptive patterns? Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter
Mar 23, 2023
Network slicing (noun) [Word Notes]
380
A technique used to create virtual networks within a shared physical network infrastructure. CyberWire Glossary link: https://thecyberwire.com/glossary/network-slicing Audio reference link: Whitehead, D.N., 2021. 5G Smart Networks Part 1: Network Slicing [Video]. YouTube. URL www.youtube.com/watch?v=dCt3rYODZ7g.
Mar 21, 2023
Changing the face of identity.
3236
Eric Olden, Chief Executive at Strata, sits down with Dave to discuss the changing face of identity: where we’ve been, where we're going, and the bumps along the way. Dave and Joe share some listener follow-up from Michael, who writes in about advertisements on YouTube and other social networks claiming magical results. Dave's story follows a new tool released by the National Center for Missing and Exploited Children (NCMEC) to help slow and stop the spread of sextortion of minors. Joe's story is on a LinkedIn post by Gary Warner regarding why we have so much fraud. Our catch of the day is from listener Shon, who writes in about an email they received from a “Meta Resources Recruiter” informing them of an open “CISO Lead role.” Links to stories: Teens can proactively block their nude images from Instagram, OnlyFans Why do we have so much fraud? Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter
Mar 16, 2023
Device trust (noun) [Word Notes]
404
The process of verifying that a device is known, secure, and uncompromised before allowing it to connect to a network or access resources. CyberWire Glossary link: https://thecyberwire.com/glossary/device-trust Audio reference link: “Favorite Scene of Alan Rickman from Die Hard.” YouTube, YouTube, 14 Jan. 2016, https://www.youtube.com/watch?v=mklnXM3LIXo. 
Mar 14, 2023
Encore: Scams in the media.
3134
Mallory Sofastaii from Baltimore's WMAR 2 News sits down with Joe to talk about some recent stories on scams she's covered on Matter for Mallory. Dave and Joe share some listener follow up from Robert, who writes in about the technical means to protect phones from robocalls. He shares some insight on how carriers up in the north are able to protect phones. Dave shares a Twitter thread from Brian Jay Jones, an author of biographies of Jim Henson, George Lucas and Dr. Seuss, who describes how he would almost have had his Twitter account hijacked if it weren't for 2-step verification. Joe's story is on a gentleman pleading guilty in PAC scams, raising almost 3.5 million by making false and misleading representations in the 2016 election. This week we have a string of catches of the day from different listeners sharing different SMS scams. Links to stories: Associate of scam PAC operator pleads guilty Twitter thread of Brian Jay Jones Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter
Mar 09, 2023
ZTNA (noun) [Word Notes]
437
A technology set designed to support the cybersecurity first principle strategy of zero trust, which limits device, people, and software component access to only designated authorized resources and nothing more. CyberWire Glossary link: https://thecyberwire.com/glossary/zero-trust-network-access Audio reference link: “Zero Trust Explained by John Kindervag.” YouTube, YouTube, 2 Oct. 2022, https://www.youtube.com/watch?v=-LZe4Vn-eEo.
Mar 07, 2023
Saving the world from cybercrime.
3360
Dan Golden and Renee Dudley, reporters at ProPublica and authors of "The Ransomware Hunting Team: A Band of Misfits' Improbable Crusade to Save the World from Cybercrime," discuss their book. Dave and Joe share some follow up from listener Ignacio, who writes in to share thoughts on Joe's preference for using open source options for password managers. Joe's story this week follows Coinbase, which recently had a cybersecurity breach, but whose cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information. Dave's story is on people trying to get cryptocurrency back after it was hacked and stolen from them, only to wait and receive nothing in the long run. Our catch of the day comes from listener Josh, who writes in about an email he received stating that his wallet would be suspended if he did not download a verification link. Links to stories: Who You Gonna Call? The Ransomware Hunting Team. Social Engineering - A Coinbase Case Study These Companies Say They Can Recover Stolen Crypto. That Rarely Happens. Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Mar 02, 2023
GDPR (noun) [Word Notes]
417
A data privacy legal framework that applies to all countries in the European Union, regulating the transmission, storage, and use of personal data associated with residents of the EU.  CyberWire Glossary link: https://thecyberwire.com/glossary/general-data-protection-regulation Audio reference link: “Mr. Robot Predicts JPM Coin!” YouTube, YouTube, 14 Feb. 2019, https://www.youtube.com/watch?v=1ee-cHbCI0s. 
Feb 28, 2023
Password managers and their benefits.
3003
Corie Colliton Wagner from Security.org joins to discuss the company’s research of password manager tools and their benefits, identity theft, and the market outlook for PW managers. Dave and Joe share quite a bit of follow up from listeners Mitch, Neville, and Richard. Mitch writes in to share about gift card scams, and Neville and Richard both share their thoughts on the pros and cons of having a cloud-based password manager. Dave's story is about employees around the globe and their internet habits inside the workplace. Joe's story follows a new release of data from the FTC on romance scams, including the top lies being told by scammers. Our catch of the day comes from listener Gordy, who writes in about an email he received regarding a new position scammers are trying to fill in an open job. Links to stories: Are Your Employees Thinking Critically About Their Online Behaviors? New FTC Data Reveals Top Lies Told by Romance Scammers Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 23, 2023
ChatGPT (noun) [Word Notes]
517
A conversational language model developed by the company OpenAI.  CyberWire Glossary link: https://thecyberwire.com/glossary/chatgpt Audio reference link: jeongphill. “Movie - Her, First Meet OS1 (Operation System One, Os One, OS1).” YouTube, YouTube, 29 June 2014, https://www.youtube.com/watch?v=GV01B5kVsC0. 
Feb 21, 2023
Scamming through generations.
3013
Mathieu Gorge from VigiTrust sits down to discuss the different ways that online attackers target younger and older generations, and what the cybersecurity industry can and should do to protect them. Dave and Joe share some listener follow up from Greg who writes in regarding porch pirates possibly finding a new way to steal packages. In Joe's story this week, we learn that while ransomware was down last year, more and more people are clicking on phishing emails. Dave's story follows Ahad Shams, the co-founder of Web3 metaverse gaming engine startup Webaverse, who ended up getting $4 million of his cryptocurrency stolen. Our catch of the day comes from listener Rodney who writes in about an email he received. The scammers were trying to collect information from him after saying he was already scammed out of money, when in fact he was not. Links to stories: New cybersecurity data reveals persistent social engineering vulnerabilities Scammers steal $4 million in crypto during face-to-face meeting Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 16, 2023
Man-in-the-Middle (noun) [Word Notes]
351
A cyber attack technique where adversaries intercept communications between two parties in order to collect useful information or to sabotage or corrupt the communication in some manner. CyberWire Glossary link: https://thecyberwire.com/glossary/man-in-the-middle-attack
Feb 14, 2023
Appearances count in the scam business. [Hacking Humans Goes to the Movies]
1333
Welcome to Season 3 of Hacking Humans Goes to the Movies. Thanks for joining us again for another episode of the fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds. Links to this episode's clips if you'd like to watch along: Dave's clip from the movie Paper Moon Rick's clip from the movie Catch Me If You Can
Feb 12, 2023
A boom of infostealers and stolen credentials.
2907
Keith Jarvis, Senior Security Researcher from Secureworks Counter Threat Unit (CTU), shares his thoughts on the alarming rise of infostealers and stolen credentials. Dave and Joe share some listener follow-up from Ron, who writes in about a book entitled "Firewalls Don't Stop Dragons" by Carey Parker, which he finds to be a helpful resource when it comes to cybersecurity. Dave's story follows password management companies and how they might not be as safe as we presume them to be, most notably the LastPass breach in the last month. Joe has two stories this week, his first on a 19-year-old TikToker who was arrested for running a GoFundMe scam while portraying on the popular social media app that she was diagnosed with 3 different types of cancer. Joe's second story is on Marines outsmarting artificially intelligent security cameras by hiding in a clever way that the AI could not recognize. Our catch of the day comes from listener Tim, who writes in about an old scam with a new twist, and how he was able to figure it out. Links to stories: Password Managers: A Work in Progress Despite Popularity 19-YEAR-OLD TIKTOKER ARRESTED FOR RUNNING GOFUNDME SCAM... Over Fake Cancer Diagnosis U.S. Marines Outsmart AI Security Cameras by Hiding in a Cardboard Box Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 09, 2023
NIST (Noun) [Word Notes]
366
A branch of the US Department of Commerce whose stated mission is to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” CyberWire Glossary link: https://thecyberwire.com/glossary/national-institute-of-standards-and-technology Audio reference link: Center, M.I., 2022. 2022 Meridian Summit: Cultivating Trust in Technology with NIST Director Laurie Locascio [WWW Document]. YouTube. URL https://www.youtube.com/watch?v=o43Y9Tk8ZVA (accessed 1.26.23).
Feb 07, 2023
A war on commerce.
3058
J. Bennett from Signifyd discusses the fraud ring that has launched a war on commerce against US merchants over the past few months. Joe and Dave share some listener follow up from Jon, who writes in about an email he almost fell victim to. Joe shares two stories this week, the first on how scammers were seen posing as tech support at two US agencies in an attempt to hack their employees. Joe's second story is on a woman who tried to steal 2.8 million from an elderly Holocaust survivor. Dave's story follows how an ad scam was able to tear through over 11 million phones. Our catch of the day comes from husband and wife Chad and Jen, who write in sharing a scam that Jen almost fell for. An email from "iTunes" confirming a payment of over $100 that she didn't authorize hit the music lover's inbox. The scammers went on to explain the rules behind the payment, making sure to include that if she did not make this purchase she should notify them immediately. Links to stories: Scammers posed as tech support to hack employees at two US agencies last year, officials say 36-Year-Old Woman Accused of Using Romance Scam to Swindle $2.8M from Elderly Holocaust Survivor A Sneaky Ad Scam Tore Through 11 Million Phones Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 02, 2023
CIRT (noun) [Word Notes]
396
A team responsible for responding to and managing cybersecurity incidents involving computer systems and networks in order to minimize the damage and to restore normal operations as quickly as possible. CyberWire Glossary link: https://thecyberwire.com/glossary/cirt Audio reference link: Avery, B., 2017. 24 TV May 05 Season4 [WWW Document]. YouTube. URL https://www.youtube.com/watch?v=Gq_2xPuqI-E&list=PLGHedLavrFoGsea1ZCHBm9-nK5FdM3_Kd&index=10.
Jan 31, 2023
Interview with the AI, part one. [Special Editions]
1647
Cybersecurity interview with ChatGPT. In part one of CyberWire’s Interview with the AI, Brandon Karpf interviews ChatGPT about topics related to cybersecurity. Rick Howard joins Brandon to analyze the conversation and discuss potential use cases for the cybersecurity community. ChatGPT is a chatbot launched by OpenAI and built on top of OpenAI’s GPT-3 family of large language models. Cyber questions answered by ChatGPT in part one of the interview: What were the most significant cybersecurity incidents up through 2021? What leads you to characterize these specific events as significant? What were the specific technical vulnerabilities associated with these incidents? Who were the cyber actors involved in each of these attacks? Do you think it's valuable to attribute cyber attacks to specific actors?
Jan 29, 2023
Outsmarting the scammers.
3349
Nadine Michaelides from Anima People sits down with Dave to discuss preventing insider threat using behavioral science and psychometrics. Joe and Dave share some follow-up regarding a Facebook scammer who is targeting Joe, as well as a letter from listener Richard, who writes in about business emails and the warning signs they carry about dangerous emails coming from outside the company. Dave shares a story about hackers who are setting up fake websites to promote malicious downloads through advertisements in Google search results. Joe has two stories this week: one is about the latest scam in the parking ticket realm, and the second follows West Virginia police warning residents of a Walmart scam where the scammer sends you a "free 50 dollar Walmart gift card." The catch of the day comes from Penny, who writes in about a scam that almost sucked her in through an email from "McAfee." Links to stories: Hackers push malware via Google search ads for VLC, 7-Zip, CCleaner That Surprisingly Real Looking Parking Ticket May Be Fake! Don’t Fall for Latest Scam McMechen Police issue warning about Walmart scam in area Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 26, 2023
PUP (noun) [Word Notes]
325
A software program installed unintentionally by a user that typically performs tasks not asked for by the installer.  CyberWire Glossary link: https://thecyberwire.com/glossary/potentially-unwanted-program Audio reference link: Butler, S., 2022. Potentially Unwanted Programs (PUPS) EXPLAINED [Video]. YouTube. URL https://www.youtube.com/watch?v=5L429Iahbww (accessed 1.6.23).
Jan 24, 2023
The front lines of ransomware attacks.
3022
Rohit Dhamankar from Fortra’s Alert Logic joins Dave to discuss the decline in ransomware attacks and lessons learned from the front lines. Dave and Joe share some listener follow-up from Keith regarding Dave's story from last episode; he recognizes the scams being mentioned and offers his opinions on the matter. Joe shares two stories this week, one about the ironclad gift he gave his wife, with his second story following the buzz surrounding OpenAI, creators of ChatGPT, their new interface for their Large Language Model (LLM), and how it works. Dave's story also follows ChatGPT, in a different direction. His story is on the latest popular app and its rise to fame in the app store, now charging users almost 8 dollars to use the AI technology. Our catch of the day comes from listener and friend of the show Joel, who writes in about how he was contacted at his place of business by a "DEA agent" who claimed Joel was committing malpractice, and that if he wanted these charges to go away he would need to pay $2500. Links to stories: OPWNAI: AI THAT CAN SAVE THE DAY OR HACK IT AWAY Sketchy ChatGPT App Soars Up App Store Charts, Charges $7.99 Weekly Subscription [Update: Removed] Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 19, 2023
Ransomware (noun) [Word Notes]
466
Malware that disables a system in exchange for a ransom, usually by encrypting the system's data until the user pays for the decryption key. CyberWire Glossary link: https://thecyberwire.com/glossary/ransomware Audio reference link: https://watch.amazon.com/detail?gti=amzn1.dv.gti.d6a9f744-47b0-ac70-aa56-b31fd0f58482&territory=US&ref_=share_ios_season&r=web
Jan 17, 2023
The age old battle between social engineering and banking.
3214
Chip Gibbons, CISO at Thrive, sits down with Dave to talk about how to defend against social engineering attacks in banking. Dave starts us off this week with a story about Amazon opening up its selling market to Pakistani residents, and what consequences that led to for the organization’s business. Joe's story follows a scam targeting soldiers in the Army. The Army warns against unknown individuals purporting to be noncommissioned officers who are calling said soldiers and asking them for money to fix a "pay problem" and, if questioned, threatening them with punishment. Our catch of the day comes from listener Manie, who writes in about a scam found when trying to download an HDRI (High Dynamic Range Image). The scam involves a fake ad asking for people’s cell phone numbers as soon as they click on a button that reads "download here". Manie shares how, after she clicked the ad, she realized the mistake and immediately researched more before proceeding further. Links to stories: Amazon finally authorized Pakistani sellers. A wave of scammers followed Army Warns of Scam Targeting New Soldiers Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 12, 2023
Service Set Identifier (SSID) (noun) [Word Notes]
342
The name of a wireless access point. CyberWire Glossary link. Audio reference link: SSID Management - CompTIA Security+ SY0-401: 1.5, Professor Messer, uploaded August 3rd, 2014.
Jan 10, 2023
Leveraging credentials online and off isn't going away.
3202
Guest Eric Levine, Co-founder and CEO at Berbix, joins Dave to discuss identity fraud. Dave and Joe share comments from listener Chris on a series of SMS messages he got from "Wells Fargo." Joe's story previews what is coming for social engineering attacks in 2023 and how to prepare to improve your safety online, while Dave's story is about sextortion scammers in rural India and how they are blackmailing victims. Our catch of the day comes from listener George who's been receiving a lot of scam messages via WhatsApp and how he played along with one of them. Links to stories: Social Engineering Attacks: Preparing for What’s Coming in 2023 The sextortion scammers of rural India Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 05, 2023
Advanced Encryption Standard (AES) (noun) [Word Notes]
517
A U.S. Government specification for data encryption using a symmetric key algorithm. CyberWire Glossary link: https://thecyberwire.com/glossary/advanced-encryption-standard Audio reference link: papadoc73. “Claude Debussy: Clair De Lune.” YouTube, YouTube, 6 Oct. 2008.
Jan 03, 2023
Sisters, grifters, and shifters. [Hacking Humans Goes to the Movies]
2068
Thanks for joining us again for another episode of a fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds. On this episode, Dave and Rick are joined by guest contributor Amanda Fennell. You can find Amanda on Twitter at @Chi_from_afar. Links to this episode's clips if you'd like to watch along: Dave's clip from the movie Zombieland Rick's clip from the movie Traveller Amanda's clip from the movie The Girl with the Dragon Tattoo
Dec 29, 2022
The CyberWire: The 12 Days of Malware. [Special Editions]
448
Merry Christmas and Happy Holidays from the CyberWire and our friends! Enjoy our rendition of the 12 Days of Malware created by Dave Bittner and performed by Dave and friends: Rachel Tobac, Jayson Street, Ron Eddings & Chris Cochran, Ray [Redacted], Dinah Davis, Camille Stewart, Rick Howard, Michelle Dennedy, Jack Rhysider, Johannes Ullrich, and Charity Wright. Ba dum bum bum. Sing along if you are game! Check out our video for the full effect! The 12 Days of Malware lyrics On the first day of Christmas, my malware gave to me: A keylogger logging my keys. On the second day of Christmas, my malware gave to me: 2 Trojan Apps... And a keylogger logging my keys. On the third day of Christmas, my malware gave to me: 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fourth day of Christmas, my malware gave to me: 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fifth day of Christmas, my malware gave to me: 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the sixth day of Christmas, my malware gave to me: 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the seventh day of Christmas, my malware gave to me: 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eighth day of Christmas, my malware gave to me: 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the ninth day of Christmas, my malware gave to me: 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the tenth day of Christmas, my malware gave to me: 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eleventh day of Christmas, my malware gave to me: 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the twelfth day of Christmas, my malware gave to me: 12 Hackers hacking... 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys.
Dec 25, 2022
How to avoid Instagram scams.
3140
This week, Carole Theriault sits down to interview Dr. Jessica Barker from Cygenta to discuss the latest Instagram scams and how to avoid them. Dave and Joe share some follow-up on Apple, why they are being sued, and how you can protect yourself, as well as a new USPS scam affecting Connecticut. Dave's story follows a message board on smartphones being stolen and what happens after the thieves obtain the stolen phone. Joe's story is on a complex scam where the scammers choose ambitious individuals to turn into the scammers. Our catch of the day comes from listener Jay, who writes in, sharing a LinkedIn post from Dave Harland about him messing with a scammer trying to bamboozle him. Links to stories: USPS text scam hits Connecticut residents What happens to your smartphone when it gets stolen? Dreamers say father and son lured them to scam artist LinkedIn scammer thread Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 22, 2022
Data Loss Protection (DLP) (noun) [Word Notes]
426
A set of tools designed to safeguard data while in use, in motion, and at rest. CyberWire Glossary link: https://thecyberwire.com/glossary/data-loss-prevention Audio reference link: HistoryHeard. “Data Loss Prevention - CompTIA Security+ SY0-501 - 2.1,” Professor Messer, uploaded 20 November 2017
Dec 20, 2022
Sometimes it's scripted and others, it's a target of opportunity. [Hacking Humans Goes to the Movies]
1706
Thanks for joining us again for another episode of a fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds. On this episode, Dave and Rick are joined once again by Tracy Maleeff, security researcher at the Krebs Stamos Group. You may also know Tracy on Twitter as infosecsherpa. Links to this episode's clips if you'd like to watch along: Rick's clip from the movie Criminal Tracy's clip from the movie The Talented Mr. Ripley
Dec 18, 2022
Disinformation and verification.
3165
Kaspars Ruklis, the Program Manager for Media Literacy from IREX, sits down with Dave to talk about the Very Verified media literacy program. Dave and Joe share some listener follow-up on some of the business' common language; this week, listener Vicki asks about the term "EULA" and what it stands for. Joe's story follows a scam that is particularly alarming around the holidays, about fake barcodes on gift cards. A former police officer found this scam as she was trying to check out with a gift card and the cashier pulled off a fake barcode. Dave's story is all about scammers who are getting scammed. The story follows cybercriminals who are using hacking forums to buy software exploits and stolen login details, and how they keep falling for cons and getting ripped off for thousands of dollars. Our catch of the day comes from listener Connor, who shares an email that is so suspicious, Gmail put a warning on it. It's a very interesting email explaining that the receiver has been hacked and the scammer requires $1200 in bitcoin to not take advantage of the receiver's accounts. Links to stories: HOW TO AVOID GIFT CARD SCAMS THIS HOLIDAY SEASON Scammers Are Scamming Other Scammers Out of Millions of Dollars Very Verified program Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 15, 2022
Domain Naming System (DNS) (noun) [Word Notes]
571
A system that translates text-based URLs to their underlying numerical IP addresses. CyberWire Glossary link: https://thecyberwire.com/glossary/domain-name-system-dns Audio reference link: HistoryHeard. “History Heard: Paul Mockapetris.” YouTube, YouTube, 5 Apr. 2009.
Dec 13, 2022
Keeping the scams in the family. [Hacking Humans Goes to the Movies]
1176
Thanks for joining us again for another episode of a fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds. Links to this episode's clips if you'd like to watch along: Dave's clip from the television show Better Call Saul. Rick's clip from the movie The Lady Eve.
Dec 11, 2022
Do not get your news on social media.
2888
Guest Giulia Porter, Vice President of RoboKiller, discusses their mid-year report on phone scams. Following that phone scam line, Dave has a story about the international takedown of online crimeware that spoofed caller ID with a service called iSpoof. Dave notes there are some helpful tips for scams related to caller ID included in the article. Joe talks about news on social media (note: Joe's stance is: DO NOT get your news on social media). He talks about several pieces he found on leadstories.com while doing research for an article about news on social media. Joe shares some examples from the website. Our Catch of the Day comes from listener Povilas, with a funny phish about a green product. Links to stories: Voice-scamming site “iSpoof” seized, 100s arrested in massive crackdown Leadstories.com Blue Feed Fact Check: White House Did NOT Pick 'Satan Worshipper' to 'Oversee American Health' Fact Check: COVID-19 Nasal Test Swabs Do NOT Contain DARPA Hydrogel That Causes Recipients To Be Remotely Controlled Red Feed Fact Check: Donald Trump Does NOT Get A Tax Break For His Golf Course Because Ivana Trump Is Buried There Fact Check: Ben Shapiro The Commentator Did NOT Receive PPP Loan -- That Was A Different Guy Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 08, 2022
Pretexting (noun) [Word Notes]
367
A social engineering technique in which a threat actor poses as a trusted person or entity in order to trick the victim into disclosing information or performing an action that benefits the attacker. CyberWire Glossary link: https://thecyberwire.com/glossary/pretexting Audio reference link: “Batch Pin Hurt Charlize Theron Skin | the Italian Job (2003) Movie Scene.” YouTube, YouTube, 22 Nov. 2016. 
Dec 06, 2022
A vishing competition and a Black Badge holder.
3319
This week, Carole Theriault is interviewing DEFCON Black Badge holder Chris Kirsch from RunZero on the recent DEFCON 30 vishing competition. Dave and Joe share some listener follow-up from 3 different listeners, who share stories on disposable email addresses, as well as a little insight on a Best Buy scam mentioned in a previous episode. Joe's story is on gaming companies and whether or not they have to step in to stem the growth of cheats, hacks, and other types of fraud to keep customers coming back. Dave's stories come from his father; he has two, one involving a gift card scam and an email compromise of a family member’s account, the other involving a fake invoice for tech support services. Our catch of the day comes from listener Felipe, who writes in asking Joe and Dave to make sense of the email he received saying that his refund was recalled, from someone claiming to be the "Secretary for International Finance of United States Treasury Department." Links to stories: For Gaming Companies, Cybersecurity Has Become a Major Value Proposition Scam call center video Jim Browning scammers video Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 01, 2022
Web Application Firewall (noun) [Word Notes]
539
A layer seven firewall designed to block threats at the application layer of the Open Systems Interconnection model, the OSI model. CyberWire Glossary link: https://thecyberwire.com/glossary/web-application-firewall Audio reference link: “VCF East 9.1 - Ches' Computer Security Adventures - Bill Cheswick.” YouTube, 29 Dec. 2015, https://youtu.be/trR1cuBtcPs.
Nov 29, 2022
Counterfeit coupons and paybacks. [Hacking Humans Goes to the Movies]
1409
Thanks for joining us again for another episode of a fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds. Links to this episode's clips if you'd like to watch along: Dave's clip from the movie Queenpins. Rick's clip from the movie Confidence.
Nov 24, 2022
COBIT (noun) [Word Notes]
426
An IT governance framework developed by ISACA.  CyberWire Glossary link: https://thecyberwire.com/glossary/cobit Audio reference link: isacappc. “How Do You Explain Cobit to Your Dad – or Your CEO?” YouTube, YouTube, 24 Aug. 2016, https://www.youtube.com/watch?v=EYATVkddIyw. 
Nov 22, 2022
Ways to make fraud less lucrative.
3102
Brett Johnson, Chief Criminal Officer at Arkose Labs, sits down with Dave to discuss his history and ways to make fraud efforts less lucrative for bad actors. Dave and Joe share some listener follow-up from Graham about one way that helps him stay safe against fake URLs. Dave's story is about bomb email attacks, in which someone's email is spammed with hundreds to thousands of emails in hopes of hiding important information contained in one of them, perhaps from a financial institution. Joe's story is on how the FBI is warning the public to beware of tech support scammers and how they are targeting financial accounts using remote desktop software. Our catch of the day comes from listener Norman, who shares a story about how his Steam account got hijacked and how a hacker impersonating a Steam employee was "trying to help" him. Links to stories: New Registration Bomb Email Attack Distracts Victims of Financial Fraud FBI Warns Public to Beware of Tech Support Scammers Targeting Financial Accounts Using Remote Desktop Software Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Nov 17, 2022
Security Service Edge (SSE) (noun) [Word Notes]
497
A security architecture that incorporates the cloud shared responsibility model, a vendor provided security stack, and network peering with one or more of the big content providers and their associated fiber networks.  CyberWire Glossary link: https://thecyberwire.com/glossary/security-service-edge Audio reference link: Netskope (2022). What is Security Service Edge (SSE). YouTube. Available at: https://www.youtube.com/watch?v=Z9H84nvgBqw [Accessed 21 Oct. 2022].
Nov 15, 2022
New laws and the effect on small businesses.
3015
Kurtis Minder, CEO of GroupSense, joins Dave to discuss how new ransomware laws leave small businesses behind. Dave and Joe share some follow-up on Elon Musk after his big purchase and the changes that now follow. Joe's story follows Kalamazoo County residents and a new scam that is popping up, where they are being targeted by scammers through Facebook Messenger video calls. Dave shares a story that hits home for him about an email that his father received from "Best Buy" claiming that he will be charged $500 for Geek Squad services. Our catch of the day comes from an anonymous listener who writes in to share an email they received from a Mrs. Phong Dung, who wants to send 1 million to the person who received the email. The receiver knows this email is a fake and writes in to the show to ask Joe and Dave if these emails ever actually work on anyone. Links to stories: Kalamazoo County residents targeted in Facebook messenger video call scam Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Nov 10, 2022
Domain spoofing (noun) [Word Notes]
475
A social engineering tactic in which hackers build a malicious domain to mimic a legitimate one. CyberWire Glossary link: https://thecyberwire.com/glossary/domain-spoofing Audio reference link: “Mission Impossible Fallout - Hospital Scene.” YouTube, YouTube, 8 Oct. 2018.
Nov 08, 2022
What's Your Problem trailer.
124
We’re sharing a preview of a podcast we enjoy called “What’s Your Problem?”  Every week on What’s Your Problem, entrepreneurs talk about the future they’re trying to build and the problems they have to solve to get there. How do you build cars that can actually drive themselves? How do you use technology to bring down the cost of airfares? And how do you teach a computer to understand sports?  Hosted by former Planet Money host Jacob Goldstein, What’s Your Problem? helps listeners understand the problems really smart people are trying to solve right now.  Listen to What’s Your Problem? at https://podcasts.pushkin.fm/wyphumans
Nov 03, 2022
Protecting your identity.
3094
Jameeka Green Aaron, CISO, Customer Identity at Okta, sits down with Dave to speak about their State of Secure Identity report. Dave and Joe share some listener follow-up from Richard, who writes in to share his thoughts on the discussion of the phishing kit targeting WordPress sites in a previous episode, and also about last episode’s discussion on how companies were turning on employees who are overworked with two remote jobs, sharing how Equifax was one of these companies. Dave's story follows typosquatting, which is when a scammer registers a website that is very similar to the real one but has a typo in it (ex: amozon, homdepot, gougle), and how a large typosquatting campaign is delivering tech support scams. Joe's story follows a South Bay man who had the misfortune of accepting hundreds of open house offers, but the houses weren't for sale. Our catch of the day comes from listener Chris, who writes in that he's never gotten a phishing email on his work email or personal email, but that he received his first phish from "PayPal," which at first glance seemed to be a notification rather than a message telling him there is fraudulent activity happening in his account. Links to stories: Large typosquatting campaign delivers tech support scams A South Bay man accepted hundreds of offers from open houses. But the homes weren’t for sale Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Nov 03, 2022
Secure Web Gateway (noun) [Word Notes]
562
A layer seven firewall that sits in line at the boundary between the internet and an organization's network perimeter that allows security policy enforcement and can perform certain prevention and detection tasks. CyberWire Glossary link: https://thecyberwire.com/glossary/secure-web-gateway Audio reference link: Vintage Computer Federation (2015). VCF East 9.1 - Ches’ Computer Security Adventures - Bill Cheswick. YouTube. Available at: https://www.youtube.com/watch?v=trR1cuBtcPs.
Nov 01, 2022
The Malware Mash! [Bonus]
185
Enjoy this CyberWire classic. They did the Mash... they did the Malware Mash...
Oct 28, 2022
Setting tech limits with a new tool.
2597
Kim Allman from NortonLifeLock and Carrie Neill from the National PTA sit down with Dave to discuss the Smart Talk 2.0 tool. Joe and Dave share some follow-up on an exciting new position Joe has accepted as the Director of Cyber Science at a company called Harbor Labs. This week, Joe's story comes from listener Beau, who writes in about an ATM scam he fell victim to, sharing how the scammers were spamming his phone with texts, emails, and calls before he figured out what was going on. Dave's story follows the growing new trend of overemployment, or having two remote jobs at once and working at both. One company's CEO calls it a form of theft and deception. Our catch of the day comes from listener Rodney, who writes in sharing about his son's girlfriend, who is looking for work and received an email pointing her in the direction of a new prospect. Sadly, Rodney had to share the news that the email seemed to be a scam. Links to stories: Tech CEO calls overemployment trend a 'new form of theft and deception' after firing 2 engineers secretly working multiple full-time jobs at once Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Oct 27, 2022
Indicators of Compromise (noun) [Word Notes]
419
Digital evidence that a system or network has been breached. CyberWire Glossary link: https://thecyberwire.com/glossary/indicator-of-compromise Audio reference link: “Suicide or Murder? | The Blind Banker | Sherlock,” uploaded by Sherlock, 18 October 2015
Oct 25, 2022
The difference between shallow fakes vs. deep fakes.
2550
Martin Rehak, CEO & Founder of Resistant AI, sits down with Dave to discuss why organizations should be worried about shallow fakes vs. deep fakes. Listener Joe writes in with some follow-up on Joe's statement about not using legacy OSes, and how it is unfortunately not an option for many. Both Joe and Dave share two stories this week. Dave's first story follows how the Maryland Attorney General, Brian Frosh, is warning residents about purchasing flood-damaged cars. Dave's second story is about how a Japanese woman was fooled by an astronaut imposter who wooed her into buying a "return ticket to earth." Joe's first story is about a potential scam brewing in Springfield: people are collecting money on the side of the street for a teenager's funeral, and police are warning residents, stating they have heard of this scam in neighboring cities. Joe's second story follows a horrifying new scam after a woman fell victim to a phone scam where the scammer claimed to have the victim's daughter and said they would kill her if she did not do what they asked. Our catch of the day comes from listener Richard, who writes in sharing his experience with an email that may or may not be a phish. Links to stories: Consumer Alert: Attorney General Frosh Warns Consumers about Purchasing Flood-Damaged Cars An Imposter Claiming to Be an Astronaut Wooed a Japanese Woman Into Paying for a 'Return Ticket to Earth' Springfield police warns drivers of “potential” funeral scam Greenfield Police warns about "terrifying" kidnapping scam Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Oct 20, 2022
Intrusion Detection System (noun) [Word Notes]
467
A system that monitors for malicious or unwanted activity, and either raises alerts when such activity is detected or blocks the traffic from passing to the target. CyberWire Glossary link: https://thecyberwire.com/glossary/intrusion-detection-system Audio reference link: “Network Intrusion Detection and Prevention - CompTIA Security+ SY0-501 - 2.1,” Professor Messer, uploaded 16 November, 2017
Oct 18, 2022
The long con and the flim flam. [Hacking Humans Goes to the Movies]
1214
Thanks for joining us again for another episode of a fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds. Links to this episode's clips if you'd like to watch along: Rick's clip from Hustle: S1 Ep1 The Con is On Dave's clip from Cheers: S6 Harry the Hat
Oct 16, 2022
Falling for a phishing kit scam.
2575
Larry Cashdollar from Akamai sits down with Dave to discuss their research, "The Kit That Wants It All: Scam Mimics PayPal’s Known Security Measures." Joe shares an incredible story about impersonation: a man recounts his first-hand experience with impostors impersonating him to get a job; luckily, a good samaritan shared this information before the damage could be done. Dave's story follows raids happening in Cambodia in connection with alleged cyberscam compounds. We have two catches of the day this week. One is from listener Eric, who sends in a romance scam email asking for love from one desperate scammer. The next one comes from Uberfacts on Twitter and is an Instagram DM from someone pretending to be Queen Elizabeth II. Links to stories: Someone is pretending to be me. Authorities Raid Alleged Cyberscam Compounds in Cambodia Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Oct 13, 2022
MFA prompt bombing (noun) [Word Notes]
407
Hackers bypass multifactor authentication schemes by sending a blizzard of spam login attempts until the account's owner accepts the MFA prompt out of desperation to make the spamming stop. CyberWire Glossary link: https://thecyberwire.com/glossary/mfa-prompt-bombing Audio reference link: movieclips. “Sneakers (2/9) Movie Clip - Defeating the Keypad (1992) HD.” YouTube, YouTube, 29 May 2011, https://www.youtube.com/watch?v=oG5vsPJ5Tos.
Oct 11, 2022
What is cyber quantum computing?
2656
Pete Ford from QuSecure sits down with Dave to discuss what exactly cyber quantum computing is, what it means for the country, and how other countries are using quantum. Dave and Joe share follow up on two stories. The first, reported by Bleeping Computer, discusses the arrest of the teen who hacked Uber and Rockstar Games. The second is listener follow up from last episode about medical documents being shared and how easy it would be to falsify your identity to obtain children's documents; Dustin, a Registered Health Information Management Technician, shares his thoughts on the matter. Dave's story follows the FCC’s new plan to require phone companies to block spam texts from bogus numbers. Joe has the story on how two Abbotsford residents lost approximately forty-six thousand dollars in a bank scam. Our catch of the day comes from listener Joseph, who shares a strange email he received from a scammer claiming to be PayPal, which could have seemed real if it weren't for a few mistakes Joseph found peculiar. Links to stories: FCC advances plan to require blocking of spam texts from bogus numbers Two Abbotsford residents lose $46K in bank scam UK Police arrests teen believed to be behind Uber, Rockstar hacks Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Oct 06, 2022
Apple Lockdown Mode (noun) [Word Notes]
389
An optional security mode for macOS and iOS that reduces the attack surface of the operating system by disabling certain commonly attacked features. Audio reference link: “How NSO Group’s Pegasus Spyware Was Found on Jamal Khashoggi’s Fiancée’s Phone,” FRONTLINE, YouTube, 18 July 2021.
Oct 04, 2022
A cryptoqueen on the run and the cons she got away with.
2319
This week Carole Theriault sits down to interview author Jamie Bartlett on his book, "The Missing Cryptoqueen - The Billion Dollar Cryptocurrency Con and the Woman Who Got Away with It." Dave and Joe share some follow up from listener Dustin, who describes an interesting experience involving his child's medical documents and how easy it was to obtain them, making scams even easier. Joe's story follows a young teen hacker and how they allegedly managed to hack Uber and Rockstar Games. Dave has the story on Queen Elizabeth II and how giving condolences could lead you right into a scam. Our catch of the day comes from us here at the CyberWire. We received an email from one Vladomir Petrova, a citizen of Ukraine, which gets more suspicious the longer the email goes on. Links to stories: Social Engineering: How A Teen Hacker Allegedly Managed To Breach Both Uber And Rockstar Games PHISHING ALERT: GIVING YOUR CONDOLENCES FOR QUEEN ELIZABETH II CAN LEAVE YOUR DATA IN THE HANDS OF CYBERCRIMINALS Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Sep 29, 2022
Simulated Phishing (noun) [Word Notes]
485
A security awareness training technique in which authorized but fake phishing emails are sent to employees in order to measure and improve their resistance to real phishing attacks. CyberWire Glossary link: https://thecyberwire.com/glossary/simulated-phishing Audio reference link: “Blackhat (2014) - Hacking the NSA Scene (4/10) | Movieclips.” YouTube, YouTube, 19 Apr. 2017.
Sep 27, 2022
The rise in fraudulent online content.
3032
Guest Jane Lee, Trust and Safety Architect from Sift, joins Dave to discuss the rise of fraudulent online content and fake crypto platforms. Dave and Joe share some listener follow up regarding the debate over "mum" versus "mom" and who uses which pronunciation more. Dave has two stories this week. The first follows a Twitter thread from a man who shared his story about selling a desk on Facebook and the dangers that come with that. His second story is about how hackers are using a clever new phishing technique, creating email threads with multiple responses to trick potential victims into thinking bogus messages are legitimate. Joe shares the story of hackers' new way to get information by positioning themselves in the middle of your browser, between the server and your computer. Our catch of the day has a little bit of everything from Peter, who writes in about an email he received pulling out all the stops to get him to hand over his information. Links to stories: Twitter thread https://www.cyberscoop.com/phishing-scheme-targeting-mideast-researchers/ Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t! Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Sep 22, 2022
Sideloading (noun) [Word Notes]
419
The process of installing applications on a device without the use of official software distribution channels. CyberWire Glossary link: https://thecyberwire.com/glossary/sideloading
Sep 20, 2022
It pays to do your research. [Hacking Humans Goes to the Movies]
1888
Thanks for joining us again for another episode of this fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series where they view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this episode, Dave and Joe are joined by guest Tracy Maleeff from Krebs Stamos Group – you may know her on Twitter as @Infosecsherpa. Dave, Joe and Tracy watch and discuss Tracy's and Joe's clips on this episode. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab your bowl of popcorn and join us for some Hollywood scams and frauds. Links to this episode's clips if you'd like to watch along: Tracy's clips from "Working Girl" Elevator scene Tess and Jack gatecrash a wedding scene Joe's clip from "Oceans 8"
Sep 18, 2022
Is inflation affecting the Dark Web?
3126
Dov Lerner, a Security Research Lead from Cybersixgill, sits down with Dave to discuss how inflation hasn't affected the Dark Web, including how the cratering of cryptocurrency may have affected things. Joe and Dave share some follow up from listener Pelle, who writes in about their grandmother who was scammed over the phone for her PIN, among other information, allowing the scammers to get away with much more than money. This week, Joe's story comes from a listener named Kyle, who shared an article about protecting against AiTM (adversary-in-the-middle) phishing techniques that bypass multi-factor authentication. Dave's story is about a new video being released that shares the most common WhatsApp scams and how to avoid them. Our catch of the day comes from listener Vlad, who shares his story regarding an email he received stating he is owed 1 million dollars, and how he's not falling for the scammer’s latest attempt. Links to stories: Protect against AiTM/ MFA phishing attacks using Microsoft technology How to avoid the most common WhatsApp Scams 2022 WhatsApp Scams in 2022: What to Look out for Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Sep 15, 2022
Microsegmentation (noun) [Word Notes]
379
A zero trust security technique that isolates application workloads from each other, allowing each one to be protected individually. CyberWire Glossary link: https://thecyberwire.com/glossary/microsegmentation Audio reference link: “Micro-Segmentation Masterpieces,” PJ Kirner, Illumio CTO and Co-Founder, Tech Field Day, YouTube, 13 December 2020.
Sep 13, 2022
A travel surge and a host of different scams.
2456
Greg Otto from Intel 471 joins Dave to discuss the findings of their work on "Cybercriminals preying on a travel surge with a host of different scams." Dave and Joe share some interesting listener follow up from Kevin, who writes in about the deepfakes episode and shares his comments on how scary the topic can be, especially with politicians. Dave shares a story about Charles Egunjobi, an auditor with the D.C. government, and how he took part in an online love scam costing elderly U.S. citizens $1.9 million. Joe touches on two stories: one on how a woman down in Texas is able to scam men out of some expensive items with a romance scam, and the other a warning to Pennsylvania residents about a quick-moving scam artist moving from state to state. Our catch of the day comes from Jon in California, who writes in about an email scam concerning a local job sent to him and how he needs to apply right away. Links to stories: D.C. government auditor involved in romance scheme, prosecutors say Texas woman cons men out of Rolex watches and fancy cars through ‘romance scam’ Pennsylvania State Troopers warn of ‘quick moving’ city-to-city scam artists Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Sep 08, 2022
Homograph phishing (noun) [Word Notes]
368
The use of similar-looking characters in a phishing URL to spoof a legitimate site. CyberWire Glossary link: Audio reference link: “Mission Impossible III 2006 Masking 01,” uploaded by DISGUISE MASK, 28 July 2018.
Sep 06, 2022
Is there a growing number of public and private partnerships forming?
2311
This week Carole Theriault interviews Chuck Everette from Deep Instinct on public and private partnerships. Dave and Joe share some listener follow up from Rodney, who writes in about flexible spending cards and the chips inside them, as well as technology that helps keep the scammers away. Joe's story follows the trend of fake invoicing, specifically through PayPal, and the newest string of scammers getting people to call in about a pending charge. Dave shares a story where people are being sent fake Microsoft products in the hope of stealing information after they plug these products into their computers. Our catch of the day comes from listener William, who writes in about getting an increasing number of emails from fake accounts saying they have charged his card and there is a pending transaction. William shares how the scammers are trying to get him to call in to dispute the charges. Links to stories: PayPal Phishing Scam Uses Invoices Sent Via PayPal Criminals posting counterfeit Microsoft products to get access to victims' computers Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Sep 01, 2022
Policy Orchestration (noun) [Word Notes]
383
The deployment of rules to the security stack across all data islands, cloud, SaaS applications, data centers, and mobile devices designed to manifest an organization's cybersecurity first principle strategies of zero trust, intrusion kill chain prevention, resilience, and risk forecasting. CyberWire Glossary link: https://thecyberwire.com/glossary/policy-orchestration Audio reference link: “The Value of Using Security Policy Orchestration and Automation,” by David Monahan, uploaded by EMAResearch, 3 April, 2018
Aug 30, 2022
Encore: Sometimes, deepfake victims don't want to be convinced it is fake.
2648
Guest Etay Maor of Cato Networks joins Dave Bittner to discuss the impact that deepfakes will have on our society. We share some fun feedback on the Lightning Rod story edit. Dave's story talks about how some of the most successful and lucrative online scams employ a “low-and-slow” approach. Joe's story is about two Arkansas farmers who scammed investors out of money for wind turbines but used it for houses, cars and Disney World. Our Catch of the Day is from an unnamed listener with a supposed iPhone invoice. Links to stories: Gift Card Gang Extracts Cash From 100k Inboxes Daily Arkansas wind farmers claimed their technology was more efficient than turbines — then spent investors’ money on houses, cars and at Disney World Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Aug 25, 2022
Anti-cheat software (noun) [Word Notes]
490
Software designed to prevent cheating in video games. CyberWire Glossary link: https://thecyberwire.com/glossary/anti-cheat-software Audio reference link: “The BIG Problem with Anti-Cheat,” by Techquickie, YouTube, 5 June 2020
Aug 23, 2022
Scams in the media.
3091
Mallory Sofastaii from Baltimore's WMAR 2 News sits down with Joe to talk about some recent stories on scams she's covered on Matter for Mallory. Dave and Joe share some listener follow up from Robert, who writes in about the technical means to protect phones from robocalls and shares some insight on how carriers up in the north are able to protect phones. Dave shares a Twitter thread from Brian Jay Jones, an author of biographies of Jim Henson, George Lucas and Dr. Seuss, who describes how he would almost have had his Twitter account hijacked if it weren't for 2-step verification. Joe's story is on a gentleman pleading guilty in PAC scams, raising almost 3.5 million by making false and misleading representations in the 2016 election. This week we have a string of Catch of the Day submissions from different listeners sharing different SMS scams. Links to stories: Associate of scam PAC operator pleads guilty Twitter thread of Brian Jay Jones Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Aug 18, 2022
Pseudoransomware (noun) [Word Notes]
447
Malware, in the guise of ransomware, that destroys data rather than encrypting it. CyberWire Glossary link: https://thecyberwire.com/glossary/pseudoransomware Audio reference link: “Some Men Just Want to Watch the World Burn | the Dark Knight,” by YouTube, 2 November 2019.
Aug 16, 2022
Staying away from Medicare scams.
2556
Ari Parker, Lead Advisor from Chapter, discusses "Tips for Avoiding Medicare Scams." Joe and Dave share some follow up from several listeners, who write in about various scams they have encountered. Joe's story is on Facebook Messenger and how more and more victims are falling for scams and cons through the popular social media app. Dave's story shares disturbing information regarding LinkedIn scams, explaining how North Koreans are stealing resumes off the job site in a new crypto job search scam. Our catch of the day comes from listener Jon, who writes in about receiving $10,500,000.00 and how he needs to claim this offer before the end of 2021. Sadly, he missed the deadline and wanted to share. Links to stories: Understand and Avoid Medicare Scams Facebook Messenger scam snags 10 million victims, more conned every day North Koreans Steal LinkedIn Resumes in Crypto Job Search Scam Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Aug 11, 2022
Trusted Platform Module (TPM) (noun) [Word Notes]
398
A browser configuration control that prevents accessing resources within a private network. CyberWire Glossary link: Audio reference link: “TPM (Trusted Platform Module) - Computerphile,” Computerphile, 23 July 2021
Aug 09, 2022
Making the world a safer online place.
2955
Raj Sarkar, CMO from 1Password, and Julien Benichou, Senior Director of Partnership, Strategy, and Execution from Gen.G, join Dave to discuss making the online world a safer place and talk about helping reduce the risk of gamers being the target of hackers. Joe and Dave share some follow up from listener Ryan, who writes in about the catch of the day from last week's episode and what struck him most about the scam. Dave's story is on how the government was able to seize millions in stolen cryptocurrency. Joe's story is on a scam involving diamonds and how one scammer was caught and sentenced to 12 years in prison. Our catch of the day comes from listener Jeremy, who writes in about a suspicious email he received from one of his mother's friends. She wrote him asking if he could buy her gift cards and she would pay him back. He shares how he dealt with the scammer and informed his mom that one of her friends' email accounts may have been compromised. Links to stories: How governments seize millions in stolen cryptocurrency Jeweler who sold Trump-Maples ring sentenced to 12 years in multimillion-dollar ‘Yellow Rose’ diamond scam Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Aug 04, 2022
Private Network Access (PNA) (noun) [Word Notes]
336
A browser configuration control that prevents accessing resources within a private network. CyberWire Glossary link: Audio reference link: “Chrome Limits Access to Private Networks,” by Daniel Lowrie, ITProTV, YouTube, 19 January 2022.
Aug 02, 2022
A return to office means a return to email scams.
2872
Romain Basset, Director of Customer Service at Vade, joins Dave to discuss the threat of initial contact spearphishing emails now that many employees are returning to the office. Dave and Joe share some listener follow up from listener Will, who writes in about a troubling debate over whether it should be "Joe and Dave" or "Dave and Joe." Will shares a website about ablaut reduplication and his thoughts on the matter. Joe shares some good news following a story of a homeless man being robbed of $400,000 after a GoFundMe scam. Joe's story is on a woman who loses almost $150,000 over the phone to someone claiming to be a DEA agent. Dave's story is on a woman who gets scam calls up to 20 times a day. She was diagnosed with cancer in 2021 and can't afford to miss any calls from doctors or nurses trying to schedule appointments. Our catch of the day comes from listener Alex, who writes in sharing how his Apple ID was hacked and locked, although the scammers got one crucial detail wrong: his email. Links to stories: Lincoln woman loses $149,000 in DEA phone scam GoFundMe scam: Kate McClure sentenced to 1 year in federal prison The nonstop scam economy is costing us more than just money Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jul 28, 2022
Extortion scams and the LGBTQ+ community.
2896
This week, Carole Theriault sits down to talk with Paul Ducklin from Sophos on extortion scams targeting LGBTQ+ communities. Joe and Dave share multiple pieces of listener follow up, the first from Matt and Kevin, who write in to share a Wikipedia link regarding N.B. (Nota Bene, or note well) and an ad from 1801. The second is a write-in from someone who is referred to as "P," who shares more information on the Facebook link shortener discussion. Finally, Joe and Dave get a great piece of listener feedback from listener and friend of the show Jonathan, who writes in about resist fingerprinting and how Firefox doesn't block fingerprinting. Dave's story is on trafficking victims being forced to scam people. Joe's story is on a credit union being targeted for phone scams. Our catch of the day comes from listener Ian, who shares how his son was trying to get college housing accommodations and went through Facebook, only to find out that not everyone is as trustworthy as they seem. Links to stories: From Industrial-Scale Scam Centers, Trafficking Victims Are Being Forced to Steal Billions Don’t fall for a scam targeting Ent Credit Union customers Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jul 21, 2022
Web 3.0 (noun)
420
The potential next evolution of the World Wide Web that decentralizes interaction between users and content away from the big Silicon Valley social media platforms like Twitter, Facebook, and YouTube, and towards peer-to-peer interaction using blockchain as the underlying technology. CyberWire Glossary link: https://thecyberwire.com/glossary/web-30 Audio reference link: “What Elon Musk Just Said about Metaverse, Web3 and Neuralink,” By Clayton Morris, Crypto News Daily, YouTube. 2 December 2021.
Jul 19, 2022
Behavioral science in the world of InfoSec.
2887
Kelly Shortridge, a Senior Principal from Fastly, joins Dave to discuss her talk at RSAC on why behavioral science and behavioral economics matter for InfoSec. Joe's story shares an old scam with a new twist: packages being delivered to you that you never ordered. Dave's story is on how a large-scale phishing campaign compromised one million Facebook credentials. Our catch of the day comes from listener Will, who was contacted by someone claiming to be the "Head IMF/EUROPEAN UNION coordinator," who claimed to want to give Will one million dollars in compensation. Links to stories: Package scam delivers unordered items, victims billed hundreds of dollars One Million Facebook Credentials Compromised in Four Months by Ongoing Phishing Campaign Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jul 14, 2022
Identity access management (IAM) (noun) [Word Notes]
715
A set of solutions for ensuring that the right users can only access the appropriate resources. CyberWire Glossary link: https://thecyberwire.com/glossary/identity-and-access-management Audio reference link: “The Wrath of Khan (1982) ‘Kirk’s Response,’” by Russell, YouTube, 16 May 2017.
Jul 12, 2022
Human errors and why they're made.
3015
Josh Yavor, CISO at Tessian, joins Dave to discuss a new report they released on cyber mistakes and why employees make them. Joe and Dave share a listener follow-up from Jon, who writes in about mental illness, a serious epidemic taking over the nation. Jon shares interesting tidbits on social media's link to mental illness and the impact it's creating. Dave's story is on hackers trying an old trick with new mechanics: impersonating well-known companies. This time, hackers are posing as QuickBooks. Joe's story describes how LinkedIn users are being targeted yet again. These fraudsters are now creating significant threats to users, according to the FBI. Finally, our catch of the day comes from listener Jennifer, who writes in and shares her story of a scammer using SMS to tell her that her Venmo account was hacked, even though she does not have one. Links to stories: Sending Phishing Emails from QuickBooks FBI says fraud on LinkedIn a ‘significant threat’ to platform and consumers Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jul 07, 2022
Abstraction layer (noun) [Word Notes]
336
A process of hiding the complexity of a system by providing an interface that eases its manipulation. CyberWire Glossary link: https://thecyberwire.com/glossary/abstraction-layer Audio reference link: “What Is Abstraction in Computer Science,” by CodeExpanse, YouTube, 29 October 2018.
Jul 05, 2022
The top 10 brand names most likely used in a phishing scheme.
2649
Omer Dembinsky, a Data Research Manager from Check Point Research, joins Dave to discuss their Brand Phishing Report for Q1 2022 and how DHL, Maersk, and AliExpress all made the top 10 list. Joe and Dave have some listener follow up from the 200th episode discussing how many redirects are too many. Joe has two stories this week: the first on how Instagram (Meta Platforms) was hit with multiple lawsuits from the Beasley Allen Law Firm over exploiting young people for money, and the second about social media addiction and how companies are making their platforms deliberately addictive. Dave's story is on the internet fingerprint you leave behind, and how easy it is for websites to know everything about you and your computer settings. Our catch of the day comes from listener Pablo, who shares how a scammer contacted him by text trying to collect money for coronavirus insurance. Links to stories: Meta, Instagram hit with 8 lawsuits for ‘exploiting young people for profit’ Social media apps are 'deliberately' addictive to users The Fingerprint You Leave Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jun 30, 2022
Identity Fabric (noun) [Word Notes]
405
A set of services for managing identity and access management (IAM) across all of an organization's data islands. CyberWire Glossary link: https://thecyberwire.com/glossary/identity-fabric Audio reference link: “Leadership Compass Identity Fabrics - Analyst Chat 126,” by KuppingerCole, YouTube, 30 May 2022.
Jun 28, 2022
North Korea and a global cyber war.
2293
Carole Theriault interviews author and journalist Geoff White on his upcoming book, "The Lazarus Heist: From Hollywood to High Finance: Inside North Korea's Global Cyber War." Joe and Dave share some listener follow up from listener John regarding a T-Mobile breach and how he was notified through a third-party monitoring service and not T-Mobile. Joe's story shares how hackers are also keeping an eye on the upcoming holidays and describes how a Father's Day beer contest from Heineken was a scam. Dave's story is on police warning against a rise in voice phishing, as they have made 2,000 arrests since the crackdown on social engineering and business email scams started. Our catch of the day comes all the way from the Netherlands: listener Joram shares a scam he discovered in his spam folder. The sender notified him that she is frail and will be dying soon, and that her millions of dollars will be lost since she has no next of kin. The sender goes on to tell him that he is receiving this money purely out of the goodness of her heart. Links to stories: Heineken says Father's Day beer contest is a scam 2,000 arrests in crackdown on social engineering and business email scams Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jun 23, 2022
Intrusion Kill Chain (noun) [Word Notes]
466
A cybersecurity first principle strategy focused on disrupting known adversary activity at one of several phases of an attack sequence. CyberWire Glossary link: https://thecyberwire.com/glossary/intrusion-kill-chain Audio reference link: "Cybersecurity Days: A Network Defender's Future," by Rick Howard, Integrated Cyber Conference, Integrated Adaptive Cyber Defense (IACD), YouTube, 26 October 2018.
Jun 21, 2022
The great resignation and data exposure challenges.
3113
Abhik Mitra, Head of Portfolio Strategy at Code42, shares the findings of Code42's 2022 Data Exposure Report (DER). Joe breaks down a story about a couple in Westlake, where the woman was called about a supposed warrant out for her arrest and told that she needed to provide thousands of dollars for the police not to come and arrest her. The story describes how her fast-thinking husband was able to figure out the scam and get in touch with the real authorities. Dave's story delves into Facebook and a phishing scam that ended in a threat actor stealing 1M credentials in 4 months. Our catch of the day comes from listener William, who received an email about a new laptop that he supposedly bought through PayPal. He shares why he knew it was a scheme right away, and hopes to make this information known so others know what to look out for. Links to stories: Westlake doctor and lawyer avoid telephone scam; police warn residents to be alert Phishing tactics: how a threat actor stole 1M credentials in 4 months Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jun 16, 2022
Identity Orchestration (noun) [Word Notes]
376
A subset of security orchestration, the management of identities across an organization's set of digital islands. CyberWire Glossary link: https://thecyberwire.com/glossary/identity-orchestration
Jun 14, 2022
What to look out for with scan-and-exploit cyber attacks.
2841
Andrew Morris, founder and CEO of GreyNoise Intelligence, joins Dave to discuss the explosive increase in opportunistic scan-and-exploit cyber attacks, and what security analysts can do to combat it. Joe and Dave share some follow up from listener Mark, whose son got scammed out of 150 million dollars in a game he plays. Dave's story is on ChromeLoader, a pervasive and persistent browser hijacker that modifies your settings and redirects you to more advertisement websites. Joe has two stories: one on a family of con artists found to be scamming gas station patrons, who attacked an individual after being confronted, and the second on fake Facebook ads and how shoppers are being scammed. Our catch of the day comes from listener Jon, who was contacted via email and asked to pay customs fees of $750 for packages in his name. Links to stories: ChromeLoader: a pushy malvertiser Michigan State Police Looking For Con Artists in Emmet County Gas Station Scam Shoppers scammed by fake ads on Facebook Marketplace Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jun 09, 2022
Diamond Model (noun) [Word Notes]
467
A cyber threat intelligence analysis model that defines relationship pairs between four core components in the shape of a diamond of adversary playbook activity across the intrusion kill chain: the adversary, their capability, the infrastructure used or attacked, and the victim. CyberWire Glossary link: https://thecyberwire.com/glossary/diamond-model Audio reference link: “Diamond Presentation v2 0: Diamond Model for Intrusion Analysis – Applied to Star Wars’ Battles,” Andy Pendergrast and Wade Baker, ThreatConnect, YouTube, 4 February 2020.
Jun 07, 2022
Is ransomware getting too fast?
2930
Ryan Kovar, distinguished security strategist at Splunk and leader of SURGe, discusses the speed of ransomware, as well as the first-of-its-kind research the SURGe team is releasing on how quickly the top ransomware families can encrypt 100,000 files. Joe and Dave share some listener follow up from listener Josh. Joe's story follows the baby formula shortage and warns about the dangers of sellers scamming people through online purchases of formula. Dave's story is on how IT staff can identify the three most dangerous types of internal users and what businesses need to look out for. Our catch of the day comes from listener Josh, who shares how a friend of his possibly got hacked and how the scammers claimed the check was real. Links to stories: Kansas City-area experts warn of online baby formula scams The three most dangerous types of internal users to be aware of Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jun 02, 2022
MITRE ATT&CK (noun) [Word Notes]
463
A knowledge base of adversary tactics, techniques, and procedures established and maintained by the MITRE Corporation.  CyberWire Glossary link: https://thecyberwire.com/glossary/mitre-attck Audio reference link: “Attack Frameworks - SY0-601 CompTIA Security+ : 4.2,” Professor Messer, YouTube, 29 April 2021.
May 31, 2022
Combating social engineering.
2864
Ann Johnson, Security Executive at Microsoft and host of the Afternoon Cyber Tea podcast, joins Dave to discuss social engineering, ways to help prevent it, and the different types of social engineering she has seen in her experience. Dave and Joe share some listener follow up about macros in Office documents. Joe has two stories this week: one on how Seth Green lost over 300K in NFTs, and the other on a new scam using chatbots on phishing emails. Dave's story is on how a California man was arrested for siphoning money. Our catch of the day comes from listener Sadik, who shares a suspicious looking email telling him that his Norton service is about to expire. Links to stories: Amazing mind reader reveals his 'gift' Seth Green Loses $200K Bored Ape Yacht Club NFT in Phishing Scam Phishing Scam Nets $23.5 Million From DoD, California Man Arrested Siphoning Money From Contractor Phishing websites now use chatbots to steal your credentials Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 26, 2022
DevOps (noun) [Word Notes]
450
The set of people, process, technology, and cultural norms that integrates software development and IT operations into a system-of-systems. CyberWire Glossary link: Audio reference link: "10+ Deploys Per Day: Dev and Ops Cooperation at Flickr," by John Allspaw and Paul Hammond, Velocity 09, 25 July 2009.
May 24, 2022
Voice authentication taking hold.
2882
Mark Horne, Chief Marketing Officer at Pindrop, joins Dave to discuss voice authentication. Dave and Joe have some follow up about business phishing (BEC) from listeners Nick and Michael. Joe's story is about a romance scam where criminals pretend to be celebrities, and Dave's story is about the increase in phishing downloads due to cyber criminals using SEO to promote their lures. We've got two catches of the day for you: one from listener Peter on free Dyson vacuums and one from Joe with a plea from Vladimir Putin asking for money. Links to stories: ‘Keanu Reeves … I know it’s not you’: Fraudsters pretend to be celebrities in scam attempts Malware Mayhem: Netskope Research Finds Sharp Increase in Phishing Downloads, as Cybercriminals Leverage SEO to Lure Victims Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 19, 2022
MITRE ATT&CK (noun) [Word Notes]
463
A knowledge base of adversary tactics, techniques, and procedures established and maintained by the MITRE Corporation.  CyberWire Glossary link: https://thecyberwire.com/glossary/mitre-attck Audio reference link: “Attack Frameworks - SY0-601 CompTIA Security+ : 4.2,” Professor Messer, YouTube, 29 April 2021.
May 17, 2022
Business phishing: Who's biting the bait?
2864
Matthew Connor, Founder of Conscious Security, discusses a study he conducted while working with F-Secure, which targeted 82,402 individuals with one of four phishing emails; he goes into the findings of the study and the insight it has brought. Joe's story is on the popular app Zelle and how users are losing thousands of dollars to scams, and Dave's story is on three big tech giants announcing plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance. Our catch of the day comes from listener Areus, on text messages exchanged between two strangers and where the conversation leads. Links to stories: Criminals Are Scamming Zelle Users. Here's How to Keep Your Money Safe Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 12, 2022
Waterfall Software Development Method (noun) [Word Notes]
385
A software development model that relies on a series of sequential steps that flow into each other, like a series of waterfalls.  CyberWire Glossary link: https://thecyberwire.com/glossary/waterfall-software-development Audio reference link: “Creating Video Games - Agile Software Development,” by Sara Verrilli, MIT OpenCourseWare, YouTube, 10 December 2015
May 10, 2022
Encore: The attackers keep coming every single day.
2709
Guest Andrew Rubin, CEO and co-founder of Illumio, joins Dave to discuss Zero Trust. Dave and Joe share some follow-up from several listeners, including one with a variation on the prison pen pals we discussed some time ago and some advice on the Google Authenticator issue Dave mentioned last week. Dave's story is about non-delivery scams, Joe's got a story on Imperial Kitten doing some catphishing, and our Catch of the Day comes from listener Timothy about a sextortion campaign. Links to stories: 5 reasons non-delivery scams work I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 05, 2022
Agile Software Development Method (noun) [Word Notes]
465
A software development philosophy that emphasizes incremental delivery, team collaboration, continual planning, and continual learning. CyberWire Glossary link: https://thecyberwire.com/glossary/agile-software-development Audio reference link: "Velocity 09: John Allspaw and Paul Hammond, '10+ Deploys Per Day: Dev and Ops Cooperation at Flickr'," John Allspaw and Paul Hammond, 2009 Velocity Conference, YouTube, 25 June 2009.
May 03, 2022
The dark side of business email attacks.
2728
John Wilson, Senior Fellow, Threat Research at Agari by HelpSystems, discusses business email compromise attacks. Joe shares three stories on different types of scams: the first is a mystery shopper scam, where the scammer tries to get you to buy gift cards at a grocery store; the second is on scammers posing as DTE Energy representatives seeking bill payments; and the final one is about someone showing up at a victim's door and demanding money to collect "money owed" for a family member. Dave's story is on criminals who are using Apple Pay to scam their way into spending sprees. Our catch of the day comes from listener Jon, who shares how two men claimed to be owed money after Jon's death, when in fact Jon was very much alive. Links to stories: Mystery shopper scam: How it works and how to avoid it Phone scam alert: Metro Detroiters receiving phony DTE Energy calls Police: Man scammed elderly person out of $10K Criminals Abuse Apple Pay in Spending Sprees Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 28, 2022
Pegasus (noun) [Word Notes]
525
The flagship product of the controversial Israeli spyware vendor, the NSO Group, used for remotely hacking mobile devices, most notably iPhones, via zero-click exploits. CyberWire Glossary link: https://thecyberwire.com/glossary/pegasus Audio reference link: “Cybersecurity beyond the Headlines: A Conversation with Journalist Nicole Perlroth,” Kristen Eichensehr and Nicole Perlroth, University of Virginia School of Law, YouTube, 14 February 2022.
Apr 26, 2022
Cons through and through. [Hacking Humans Goes to the Movies]
1249
Thanks for joining us for the latest episode of our fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series where they view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this episode, Dave and Joe are joined by Perry Carpenter, host of the 8th Layer Insights podcast and chief evangelist at KnowBe4. Dave, Joe and Perry watch and discuss Dave's and Perry's clips. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab your bowl of popcorn and join us for some Hollywood scams and frauds. A heads-up for our listeners: there is a bit of spicy language in today’s clips, so use your discretion if you are tuning in with your kids. Links to this episode's clips if you'd like to watch along: Dave's scene from "Focus" Perry's clip from "Ferris Bueller's Day Off"
Apr 24, 2022
On the front lines of fraud protection.
2624
Pete Barker, director of Fraud and Identity at SpyCloud, offers critical insights on the alarming evolution of fraud and how consumers and enterprises can protect themselves. Joe and Dave share some follow up from listener Micah on a catch of the day from last week. Joe's story is on a woman who was scammed out of $15,000 and shares her experience of how the hackers were able to gather so much info and money from her. Dave's story is on an Android malware scheme that allows cybercriminals to intercept customer calls to their banks. Our catch of the day comes from listener John, who shares a scam from people claiming to be Amazon, saying that the user's secret phrase has been incapacitated. Links to stories: 76-year-old Fargo woman loses $15,000 in computer scam Android banking malware intercepts calls to customer support Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 21, 2022
Domain-based Message Authentication Reporting Conformance (DMARC) (noun) [Word Notes]
507
An open source email authentication protocol designed to prevent email spoofing in phishing, business email compromise (BEC), and other email-based attacks.
Apr 19, 2022
Magic, illusion, and scams, oh my.
3061
Brian Brushwood, a former magician, joins Perry Carpenter, host of 8th Layer Insights, to talk about his new podcast, The World's Greatest Con, and how magic led him to discussing cons and scams on a podcast. Dave shares a personal story on login frustration. Joe's story is on a Cash App breach being confirmed after an employee was able to access US customer data, and Dave's story is on inauthentic LinkedIn profiles and how fake accounts are requesting to connect. Our catch of the day comes from listener Richard, who shares a scam he got sent through the mail to exploit his political views. Links to stories: Block confirms Cash App breach after former employee accessed US customer data That smiling LinkedIn profile face might be a computer-generated fake Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 14, 2022
Shields Up (noun) [Word Notes]
466
A condition announced by the US Cybersecurity and Infrastructure Security Agency (CISA) to draw attention to a temporary period of high alert, associated with expectation of a connected wave of cyberattacks prompted by either a widespread vulnerability or an unusually active and capable threat actor.
Apr 12, 2022
Online threats turned real world danger.
2786
Laura Hoffner from Concentric joins Dave to discuss online dangers and how easily they can turn into real world dangers; Laura explains how users of the popular social media platform TikTok are being stalked and shares one story in particular. Joe and Dave share some listener follow up. Joe's story is centered around cryptocurrency scams and how they are on the rise, and Dave's story is on the malware BABYSHARK, the internal process of investigation, and lessons learned. Our catch of the day comes to us from listener Andre, who shares a scam from a "Commanding Officer of U.S. Central Command" who needs Andre to keep his money safe. Links to stories: Targeted APT Activity: BABYSHARK Is Out for Blood BBB Study: Cryptocurrency is ripe for fraud and financial loss Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 07, 2022
Software Assurance Maturity Model (SAMM) (noun) [Word Notes]
343
A prescriptive open source software security maturity model designed to guide strategies tailored to an organization’s specific risks.
Apr 05, 2022
Robocall scams and the psychology surrounding them.
2555
Alex Quilici, Robocall Scam Expert at YouMail, discusses how unwanted robocalls are becoming more targeted and the psychology behind some of the worst calls. Joe and Dave share some listener follow up. Joe's story comes from listener Derek, who shares how his aunt avoided a scam which wasn't very obvious at first, and Dave's story is about the FBI releasing its annual Internet Crime Complaint Center Internet Crime Report for 2021. Our catch of the day comes from listener John, who shares how he got an interesting new Instagram follower. Links to stories: FBI Releases the Internet Crime Complaint Center 2021 Internet Crime Report Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Mar 31, 2022
Universal 2nd Factor (U2F) [Word Notes]
437
An open standard for hardware authentication tokens that use the universal serial bus, or USB, near-field communication, or NFC, or Bluetooth to communicate one factor in a two-factor authentication exchange.
Mar 29, 2022
Cons: the short one and the first one. [Hacking Humans Goes to the Movies]
1084
Thanks for joining us for the latest episode of our fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series where they view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this episode, Dave, Joe and Rick are watching Joe's and Rick's scene picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab a bowl of popcorn and join us for some Hollywood scams and frauds. Links to this episode's clips if you'd like to watch along: Joe's clip from "House of Games" (the Western Union scene) Rick's clip from "The Brothers Bloom"
Mar 27, 2022
What's behind Buy Now, Pay Later scams?
3022
Jim Ducharme, COO of Outseer, joins Dave to discuss Buy Now, Pay Later scams. Joe and Dave share some listener follow up. Joe has an interesting story about an Unchained Capital partner and how they were hit with a social engineering attack, and Dave's story is on the FIDO Alliance. Our catch of the day comes from listener Matt, who shares how he "won" 20.5 million and why he wasn't falling for it. Links to stories: A Big Bet to Kill the Password for Good Unchained Capital partner hit with social engineering attack Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Mar 24, 2022
adversary group naming (noun) [Word Notes]
617
A cyber threat intelligence best practice of assigning arbitrary labels to collections of hacker activity across the intrusion kill chain.
Mar 22, 2022
Data privacy: is it black and white when it comes to your kids?
2417
UK Correspondent Carole Theriault returns, talking with guest David Ruiz from Malwarebytes about parents spying on their kids. Joe and Dave share some listener follow up, Joe shares a story about the top 5 strangest social engineering tactics, Dave's got a story from one of our listeners, Ricky, about best gift card sales practices at retail chains, and our Catch of the Day comes from listener Michael with a well-crafted email full of red flags when you read into it. Links to stories: Rounding up the Past Year's Strangest Social Engineering Tactics Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Mar 17, 2022
BSIMM (noun) [Word Notes]
369
A descriptive model that provides a baseline of observed software security initiatives and activities from a collection of volunteer software development shops. 
Mar 15, 2022
Technology's effects on students during the pandemic.
2417
Guest Justin Reilly, the CEO of Impero, stops by to talk with Dave Bittner about the mental health of kids in the digital age. Dave's got a story about large-scale phishing campaigns targeting Indian electric vehicle consumers and businesses, Joe's story is from Vade sharing the top 20 most impersonated brands in phishing, and our Catch of the Day comes from Bob, a friend and former coworker of Joe's, who received a smishing attempt via text from a "friend" and expertly turned the tables on the scammer. Links to stories: Unearthing the Million Dollar Scams Targeting the Indian Electric Vehicle Industry Vade Releases 2021 Phishers’ Favorites Report Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Mar 10, 2022
OWASP vulnerable and outdated components (noun) [Word Notes]
484
Software libraries, frameworks, packages, and other components, and their dependencies (third-party code that each component uses) that have inherent security weaknesses, either through newly discovered vulnerabilities or because newer versions have superseded the deployed version. 
Mar 08, 2022
Phishing seems to be cyclical and thematic.
2889
Guest Jeff Nathan, the Director of Threat Research at Norton Labs, joins Dave to discuss their most recent Consumer Cyber Safety Pulse Report. Joe and Dave share some follow up from listeners Daniel and Neville, who helped the guys with a phrase from a recent Catch of the Day. Joe shares a story about getting around MFA using remote access software, Dave's story is about a jobfishing scam from a fake design firm, and our Catch of the Day is from listener Randy about an unsubscribe email he received. Links to stories: Devious phishing method bypasses MFA using remote access software Jobfished: the con that tricked dozens into working for a fake design agency Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Mar 03, 2022
OWASP software and data integrity failures (noun) [Word Notes]
507
Code and data repositories that don't protect against unauthorized changes.
Mar 01, 2022
A blurring of lines between nation states and criminals.
2715
Guest Joshua Neil, the Chief Data Scientist for SecurOnix, joins Dave to talk about evasive techniques and identifying nation-state kill chains. Joe shares an update on his identity theft experience. The guys share some follow up from listener Benji, who describes scammers changing the display name on Gmail accounts to pose as the rabbi at the synagogue where he works and emailing congregants asking for gift cards. Dave's story is about Apple's AirTags and how they led to the discovery of a German intelligence agency, Joe's got a story about the City of Baltimore falling victim to a phishing scam, and our Catch of the Day is from listener G about a compressed file attachment he received but did not open. Links to stories: Apple's AirTag uncovers a secret German intelligence agency Inspector General: Baltimore victimized in 376,213 phishing scam last year Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 24, 2022
OWASP server-side request forgery (noun) [Word Notes]
458
An attack technique that leverages an unprotected web server as a proxy for attackers to send commands through to other computers. 
Feb 22, 2022
Hustling the hustlers. [Hacking Humans Goes to the Movies]
1275
Thanks for joining us for the latest episode of our fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series where they view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this episode, Dave, Joe and Rick are watching Joe's and Dave's scene picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab a bowl of popcorn and join us for some Hollywood scams and frauds. Links to this episode's clips if you'd like to watch along: Joe's scene from "The Hustle" Dave's clip from "True Lies"
Feb 20, 2022
Vulnerabilities will be found.
2873
Guest Deral Heiland from Rapid7 talks with our UK Correspondent Carole Theriault about the state of IoT. Joe shares a personal story about bank checks and a debit card received at his home that were in his name but not from his bank, Dave's got a story from an email he received from the PR department at TikTok about romance scams, and our Catch of the Day is from listener John about a friend who was harassed on Facebook to click a link and how John addressed it. Links to stories: #BeCyberSmart: Tips to protect your heart and wallet Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 17, 2022
OWASP security logging and monitoring failures (noun) [Word Notes]
364
The absence of telemetry that could help network defenders detect and respond to hostile attempts to compromise a system. 
Feb 15, 2022
If you wish for peace, prepare for cyberwar.
2995
Guest Nick Shevelyov, Chief Security Officer for Silicon Valley Bank, joins Dave to share some personal history around security and discuss his book "Cyber War… and Peace." Dave and Joe have some follow up from an anonymous listener about a mobile device management issue at their work. Dave has a story where a woman was scammed out of thousands after someone contacted her to "help" with a problem with her bank, Joe's got a few stories about Facebook and ad scams, and our Catch of the Day is from listener Jonathan with a Geek Squad subscription scam. Links to stories: They Were ‘Calling to Help.’ Then They Stole Thousands Facebook blames Apple after a historically bad quarter, saying iPhone privacy changes will cost it $10 billion Scam ads: why an Australian billionaire is launching legal action against Facebook Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 10, 2022
OWASP identification and authentication failures (noun) [Word Notes]
358
Ineffectual confirmation of a user's identity or authentication in session management.
Feb 08, 2022
How to talk your way in anywhere. [Hacking Humans Goes to the Movies]
1329
Thanks for joining us for the latest episode of our fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series where they view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this episode, Dave, Joe and Rick are watching Dave's and Rick's scene picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab a bowl of popcorn and join us for some Hollywood scams and frauds. Links to this episode's clips if you'd like to watch along: Dave's clip from the television show "Key & Peele" Rick's pick from "Sneakers"
Feb 06, 2022
The ransomware game has evolved.
3134
Guest Allan Liska from Recorded Future joins Dave to discuss the evolution of ransomware and his new book "Ransomware: Understand. Prevent. Recover." Joe shares a question from listener Joan about an email her father received from the "MasterCard Fraud Department" asking for a photo/video and the last four digits of his Social Security Number. Joe has a story about scams to watch out for during tax time in the US, Dave's story is about ransomware operators trying to recruit company insiders, and our Catch of the Day is from listener Michael, who had some acquaintances fall for a scam. Links to stories: Latest IRS Scams: How to Spot Them and Fight Back The Rising Insider Threat: Hackers Have Approached 65% of Executives or Their Employees To Assist in Ransomware Attacks Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 03, 2022
OWASP broken access control (noun) [Word Notes]
450
Software users are allowed access to data or functionality contrary to the defined zero trust policy by bypassing or manipulating the installed security controls. 
Feb 01, 2022
Useful ransomware protection for you.
2695
Guest Roger Grimes, Data Driven Defense Evangelist at KnowBe4, joins Dave to discuss his new book "Ransomware Protection Playbook," Dave has a story about a Meta (Facebook) group with a cryptocurrency scam that promises "a new way to wealth," Joe's story has tales of account takeover attacks of high-profile gamers, and our Catch of the Day is from listener Jesse about a text they received from "Facebook" about a $600,000 windfall. Links to stories: We Infiltrated a Crypto Scam Network That’s Hosted by Meta EA Confirms Account Takeover Attacks Compromising High-Profile Gamers via Phishing and Social Engineering Attacks Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 27, 2022
OWASP security misconfiguration (noun) [Word Notes]
423
The state of a web application when it's vulnerable to attack due to an insecure configuration. 
Jan 25, 2022
The perfect environment for ATOs (account takeovers) to breed.
2781
Guest Jane Lee, Trust and Safety Architect at Sift, joins Dave to talk about the Digital Trust and Safety Index, Joe and Dave share some follow up from a listener, Ben, with a suggestion as an alternative to prevent clicking on those bonus phishing scams, Joe's story is about fake ticket scams for the Kansas City Chiefs NFL playoff game against the Pittsburgh Steelers, Dave's got a story about scams on Apple's App Store, and our Catch of the Day is from an anonymous listener about an email they received from their "IT department" requesting credentials (including password) when getting a new laptop. (Note: This is our first COTD that is not a scam, rather a bad policy.) Links to stories: Kansas City police warn Chiefs fans about ticket scams APPLE’S $64 BILLION-A-YEAR APP STORE ISN’T CATCHING THE MOST EGREGIOUS SCAMS Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 20, 2022
OWASP insecure design (noun)
499
A broad OWASP Top 10 software development category representing missing, ineffective, or unforeseen security measures.
Jan 18, 2022
The only locks you should pick are your own.
2692
Guest Tom Tovar, CEO and Co-Creator of AppDome, joins Dave and Joe to discuss the results of a recent consumer survey, Dave's story is based on a tweet where the user's child's middle school had some unintended consequences of a phishing scam training, Joe has two stories: one on QR code scammers on parking kiosks, and one about a book publishing phishing scam, and our Catch of the Day is a message that purports to come from the USPS sent in by listener William about a missed package delivery. Links to stories: Tweet about phishing simulation gone wrong. QR code scammers hitting on-street parking in Texas cities -- including Houston, officials say; This is what you need to know FBI Arrests Suspect in Unpublished Book Manuscript Phishing Scam Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 13, 2022
Log4j vulnerability (noun) [Word Notes]
556
An open source Java-based software tool available from the Apache Software Foundation designed to log security and performance information. 
Jan 11, 2022
Changing the game on ransomware.
2961
Guest Adam Flatley, Director of Threat Intelligence at Redacted, talks with Dave about "the only way to truly disrupt the ransomware problem is to target the actors themselves," Joe shares some statistics that will help you stay up-to-date on recent cybersecurity trends, Dave's story is about criminal indictments in a case of a Maryland company buying lead paint victims’ settlements for a fraction of their value, and our Catch of the Day comes from listener Brady about a slick mail campaign they received from "Amazon." Links to stories: 22 cybersecurity statistics to know for 2022 Criminal indictments filed against Maryland company that targeted Baltimore lead paint victims’ settlements Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 06, 2022
OWASP injection (noun) [Word Notes]
392
A broad class of attack vectors where an attacker supplies input to an application's command interpreter that results in unanticipated functionality.
Jan 04, 2022
Identity "protection" and a pigeon drop. [Hacking Humans Goes to the Movies]
1283
Thanks for joining us for Episode 5 of our fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series where they view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this episode, Dave, Joe and Rick are watching Joe's and Dave's scene picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab your popcorn and join us for a trip to the movies. Links to this episode's clips if you'd like to watch along: Joe's clip from "Identity Thief" Rick's pick from "The Flim-Flam Man"
Dec 30, 2021
Encore: zero trust (noun) [Word Notes]
512
A security philosophy that assumes adversaries have already penetrated the digital environment and tries to reduce the potential impact by limiting access by people, devices, and software to only the resources essential to perform their function and nothing more. 
Dec 28, 2021
The CyberWire: The 12 Days of Malware.
448
Merry Christmas and Happy Holidays from the CyberWire and our friends! Enjoy our rendition of the 12 Days of Malware created by Dave Bittner and performed by Dave and friends: Rachel Tobac, Jayson Street, Ron Eddings & Chris Cochran, Ray [Redacted], Dinah Davis, Camille Stewart, Rick Howard, Michelle Dennedy, Jack Rhysider, Johannes Ullrich, and Charity Wright. Ba dum bum bum. Sing along if you are game! Check out our video for the full effect! The 12 Days of Malware lyrics On the first day of Christmas, my malware gave to me: A keylogger logging my keys. On the second day of Christmas, my malware gave to me: 2 Trojan Apps... And a keylogger logging my keys. On the third day of Christmas, my malware gave to me: 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fourth day of Christmas, my malware gave to me: 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fifth day of Christmas, my malware gave to me: 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the sixth day of Christmas, my malware gave to me: 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the seventh day of Christmas, my malware gave to me: 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eighth day of Christmas, my malware gave to me: 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the ninth day of Christmas, my malware gave to me: 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the tenth day of Christmas, my malware gave to me: 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eleventh day of Christmas, my malware gave to me: 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the twelfth day of Christmas, my malware gave to me: 12 Hackers hacking... 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys.
Dec 25, 2021
Hustling the hustler and three-card Monte. [Hacking Humans Goes to the Movies]
1214
Thanks for joining us for Episode 4 of our fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series where they view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this episode, Dave, Joe and Rick are watching Joe's and Rick's scene picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab your popcorn and join us for a trip to the movies. Links to this episode's clips if you'd like to watch along: Joe's clip from "The Fresh Prince Of Bel-Air: Pool Hall Hustle" scene Rick's pick from "Lock, Stock and Two Smoking Barrels"
Dec 24, 2021
Even if a cause moves you, do your due diligence.
1828
Guest Amaya Hadnagy, Media Support for the Social-Engineer, LLC, joins Dave to share information about charity scams, Dave shares a personal story about some safety triggers he recently put into place to help protect his elderly parents' financial accounts from scams, Joe's story comes from a listener Alice about someone scamming female Indian news anchors about jobs in Harvard University's journalism department, and our Catch of the Day comes from an imposter of Navy Federal Credit Union via listener Chris. Links to stories: The Harvard Job Offer No One at Harvard Ever Heard Of Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 23, 2021
Conmen come in many flavors, all motivated by greed. [Hacking Humans Goes to the Movies]
1334
Thanks for joining us for our fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series where they view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this episode, Dave, Joe and Rick are watching Dave's and Rick's scene picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab your popcorn and head to the movies with us. Links to this episode's clips if you'd like to watch along: Dave's clip from "Dirty Rotten Scoundrels" Rick's pick from "The Sting"
Dec 22, 2021
OWASP cryptographic failures (noun) [Word Notes]
395
Code that fails to protect sensitive information. 
Dec 21, 2021
The 3 M's: Minimize, monitor and manage.
2752
Guest Adam Levin, security expert and podcast host of "What the Hack with Adam Levin," joins Dave to share advice and discuss some experiences shared on his podcast, Dave and Joe have some listener follow up from David with clarification on 2FA, Joe's story is about a job scam for positions at a video game company, Dave's got a story about how tools like Google and smartphones affect our memories and how we judge our own abilities, our Catch of the Day is from a listener named Chris with a fake email from Amazon about a TV his father "purchased," and how Chris had to intervene. Links to stories: They thought they got their dream job at Riot Games — but it was a scam Indeed's Guidelines for Safe Job Search The internet is tricking our brains Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 16, 2021
account takeover prevention (noun) [Word Notes]
383
The prevention of the first part of an intrusion kill chain model exploitation technique, where the hacker steals valid login credentials from a targeted victim. 
Dec 14, 2021
Scams abound this time of year.
2635
Guest Dave Senci of Mastercard's NuData Security talks about the security issues with remote access and coaching frauds, Dave's got a story about receiving a "Best Buy gift card" and USB mailing, Joe's story is from the Better Business Bureau about their "12 Scams of Christmas," and our Catch of the Day is from our listener Henry who received an email that appeals to one's faith. Links to stories: PSA: If You Get a 'Best Buy Gift Card' on a USB Drive in the Mail, Don't Plug It Into Your PC The Naughty List: BBB's 12 Scams of Christmas Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 09, 2021
threat hunting (noun) [Word Notes]
421
The process of proactively searching through networks to detect and isolate security threats, rather than relying on security solutions or services to detect those threats. 
Dec 07, 2021
Do you really want that device to be a connected device?
2844
Guest Jay Radcliffe from Thermo Fisher Scientific shares his advice and security concerns with smart devices since the holiday gifting season is around the corner, Joe and Dave have some listener follow up about 2FA, Joe's got a story about the Robinhood breach, Dave's story is about numerous LinkedIn requests from HR specialists with GAN images (Generated Adversarial Network), and our Catch of the Day is from listener Michael who was just trying to sell his car and then he got a text message. Links to stories: Data Breach of Robinhood Trading Platform Blamed on Social Engineering, Similar to 2020 Twitter Breach LinkedIn Fakes: A Wolf in Business Casual Clothing Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 02, 2021
vulnerability management (noun) [Word Notes]
496
The continuous practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities within this.
Nov 30, 2021
Misdirection and layering with a con in the middle. [Hacking Humans Goes to the Movies]
1065
Thanks for joining us for our fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series where they view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this episode, Dave, Joe and Rick are watching Joe's and Rick's scene picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab your popcorn and join us for a trip to the movies. Links to this episode's clips if you'd like to watch along: Joe's clip from "The Simpsons: Father and Son Grifting" episode Rick's pick from "Paper Moon"
Nov 25, 2021
software bill of materials (SBOM) (noun) [Word Notes]
419
A formal record containing the details and supply chain relationships of various components used in building software. 
Nov 23, 2021
A good amount of skepticism helps protect you online.
3048
Guest Blake Hall, CEO and founder of a company called ID.me, discusses protecting your identity online, Dave and Joe have some follow up from listener Rafa on 2FA he uses, Dave has a story about bots that take advantage of 2FA to break into your payment accounts, Joe's story is about scams carried out through QR codes, and our COTD comes from listener Wyatt about an award-winning email from Warren Buffett. Links to stories: The Booming Underground Market for Bots That Steal Your 2FA Codes Fake “Sugar Daddies” are cheating on Instagram Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Nov 18, 2021
zero trust (noun) [Word Notes]
542
A security philosophy that assumes adversaries have already penetrated the digital environment and tries to reduce the potential impact by limiting access by people, devices, and software to only the resources essential to perform their function and nothing more. 
Nov 16, 2021
Let's go to the movies. [Hacking Humans Goes to the Movies]
1511
Welcome to a fun new project by the team who brings you Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series. They view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this first episode, Dave, Joe and Rick are watching Dave's and Joe's picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab your popcorn and join us for a trip to the movies. Links to movie clips if you'd like to watch along: Dave's pick from "The Grifters" Joe's clip from "Matchstick Men"
Nov 11, 2021
OT security (noun) [Word Notes]
493
Hardware and software designed to detect and prevent cyber adversary campaigns that target industrial operations. 
Nov 09, 2021
Cybersecurity awareness should be a year-round activity.
2018
Guest Dr. Jessica Barker from Cygenta talks with UK correspondent Carole Theriault about how every month should be cyber awareness month, Joe has a story about password spraying (kind of like a credential stuffing attack), Dave's story is about scams carried out through QR codes, and our COTD comes from listener Wyatt about an award-winning email from Warren Buffett. Links to stories: Microsoft warns over uptick in password spraying attacks Scammers are emailing waves of unsolicited QR codes, aiming to steal Microsoft users' passwords Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Nov 04, 2021
cybersecurity skills gap (noun) [Word Notes]
463
The difference between organizational employee job requirements and the available skillsets in the potential employee pool.
Nov 02, 2021
The Malware Mash!
185
Oct 29, 2021
Good grammar is essential for business email compromise.
2502
Guest Brandon Hoffman from Intel 471 is back sharing some research on business email compromise, Dave's got a story on buying collectable sneakers and how bots make that really hard to do, Joe has two stories with different spins on romance scams: one notes they are the most prevalent scams targeting older adults; and the second is about a group of Nigerian men preying on women through money scams, and our Catch of the Day comes from reddit user steev p (Steve P) about a benefit scam from an impersonated Facebook friend. Links to stories: Bots have made it nearly impossible to buy hyped up shoes. What if they could be stopped? FTC warns of increase in romance scams, especially targeting older adults Nigerian romance scam suspects targeted 100 women - FBI Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Oct 28, 2021
digital transformation (noun) [Word Notes]
425
The use of technology to radically improve the performance or reach of the business. 
Oct 26, 2021
Joekens, Bittnercoins, and the serious impacts of spam analysis.
2234
UK Correspondent Carole Theriault returns with an interview with Paul, a spam analyst, Dave and Joe have some follow-up, Joe revisits NFTs with rug pull scams, Dave's story is about phishers using a symbol in place of the Verizon logo, and our Catch of the Day comes from listener Rafael in Spain about a Steam account takeover scam attempt his son experienced on Discord. Links to stories: Phishers Get Clever, Use Math Symbols for Verizon Logo Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Oct 21, 2021
bulletproof hosting (noun) [Word Notes]
392
Cloud services intended for cyber criminals and other bad actors designed to obstruct law enforcement and other kinds of government investigations, and to provide some protection against competitors.
Oct 19, 2021
Physical pen testing: You've got to be able to think on your feet.
2830
Guest Marina Ciavatta, CEO at Hekate, talks with Dave about some of her social engineering and pen testing experiences, Dave's got a story about getting your family to use a password manager, Joe's story is about NFTs (non-fungible tokens) and scams that have arisen around them, and our Catch of the Day is from listener William and it turns out Dave is in trouble with the IRS again on this one. Links to stories: How to Get Your Family to Actually Use a Password Manager THE NFT SCAMMERS ARE HERE Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Oct 14, 2021
endpoint security (noun) [Word Notes]
511
The practice of securing a device that connects to a network in order to facilitate communication with other devices on the same or different networks. 
Oct 12, 2021
Measuring security awareness proactively.
3011
Guest Zach Schuler of NINJIO joins Dave to discuss measuring the effectiveness of awareness training, Joe's got a story about a school nurse who was scammed with a "Bank of America" Zelle transaction, Dave's story is about a phone scam a therapist received from a local "Sheriff's office," and our Catch of the Day is from Hacking Humans Senior producer Jennifer Eiben about some pricey potatoes and chocolate chip cookies she "ordered." Links to stories: School nurse falls victim to scam targeting Bank of America and Zelle customers 'He held me hostage with no gun but with his words': The phone scam gaslighting therapists Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Oct 07, 2021
Executive Order on Improving the Nation's Cybersecurity (noun) [Word Notes]
494
President Biden's May 2021 formal compliance mandate for federal civilian executive branch agencies, or FCEBs, to include specific short-term and long-term deadlines designed to enhance the federal government's digital defense posture. 
Oct 05, 2021
Capture the Flag, Black Badges and social engineering tricks.
2421
Guest Chris Kirsch, DefCon 25 Social Engineering Capture The Flag winner and Co-Founder and Chief Executive Officer at Rumble, talks with our UK Correspondent Carole Theriault about his experience at the event, Dave's story is about scammers bypassing social engineering and going directly to pitch employees to install ransomware, Joe's got a story about travel scams he came across while planning a recent trip, and our Catch of the Day comes from Reddit about some text messages which cause emotions to flare. Links to stories: Nigerian Threat Actors Skip Social Engineering, Make Direct Pitches to Employees To Install Ransomware on Company Networks 15 Common Travel Scams (And How To Avoid Them) Catch of the Day links: Guess I made the scammer angry? He blocked me before I could really mess with him, unfortunately Did I win? Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Sep 30, 2021
lateral movement (noun) [Word Notes]
483
Phase of a typical cyber adversary group's attack sequence, after the initial compromise and usually after the group has established a command and control channel, where the group moves through the victim's network by compromising as many systems as it can, looking for the data it has come to steal or to destroy.
Sep 28, 2021
They won't ask for sensitive information over the phone.
2342
Guest Alex Hinchliffe, Threat Intelligence Analyst from Unit 42 at Palo Alto Networks, joins Dave to talk about some of his team's ransomware research, Joe's story is about a new jury duty scam that is out there (hint: they will not call you on the phone), Dave's got a story about Microsoft rolling out passwordless login options, and our Catch of the Day comes from a listener named Lucio who shared several social engineering ploys with us. Links to stories: Brand New Jury Duty Scam You Can Now Ditch the Password on Your Microsoft Account Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Sep 23, 2021
common vulnerabilities and exposures (CVE) (noun) [Word Notes]
433
A public list sponsored by the US government and designed to uniquely identify, without the need to manually cross-reference, all the known software vulnerabilities in the world. 
Sep 21, 2021
Sometimes, deepfake victims don't want to be convinced it is fake.
2648
Guest Etay Maor of Cato Networks joins Dave Bittner to discuss the impact that deepfakes will have on our society, we share some fun feedback on the Lightning Rod story edit, Dave's story talks about how some of the most successful and lucrative online scams employ a “low-and-slow” approach, Joe's story is about two Arkansas farmers who scammed investors out of money for wind turbines, but used it for houses, cars and Disney World, and our Catch of the Day is from an unnamed listener with a supposed iPhone invoice. Links to stories: Gift Card Gang Extracts Cash From 100k Inboxes Daily Arkansas wind farmers claimed their technology was more efficient than turbines — then spent investors’ money on houses, cars and at Disney World Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Sep 16, 2021
dead-box forensics (noun) [Word Notes]
376
A forensic technique where practitioners capture an entire image of a system and analyze the contents offline.
Sep 14, 2021
Collaboration platforms are a gateway for ransomware attacks.
2009
Guest Gil Friedrich from Avanan joins Dave to discuss how collaboration platforms, like Microsoft Teams, Slack and others, opened up a new gateway to ransomware attacks, Joe's story comes from listener Matt, who shared it as a COTD candidate: a phishing scam, Dave's got a story about China and Russia trying to turn your employees into spies, and our Catch of the Day comes from a listener named Iain with a timely story "from" Afghanistan. Links to stories: Guarding Against the Chinese Domain Name Email Scam The FBI’s warning to Silicon Valley: China and Russia are trying to turn your employees into spies Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter. Note: Microsoft is a sponsor of the CyberWire, however, we cover them as we would any other company.
Sep 09, 2021
cybersecurity maturity model certification (CMMC) (noun) [Word Notes]
417
A supply chain cybersecurity accreditation standard designed for the protection of controlled unclassified information that the U.S. Department of Defense, or DoD, will require for all contract bids by October 2025. 
Sep 07, 2021
Don't blindly test your colleagues.
2403
Guest Javvad Malik from KnowBe4 shares his thoughts on bad security training with the CyberWire's UK correspondent Carole Theriault, Dave's story is about deepfake technology being used for business cases, Joe gives a synopsis of Proofpoint's most recent State of the Phish report, and our very first Catch of the Day about Discord comes from a listener named Henning. Links to stories: Deepfakes Are Now Making Business Pitches Proofpoint's 2021 State of the Phish Report Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Sep 02, 2021
incident response (noun) [Word Notes]
470
A collection of people, process, and technology that provides an organization the ability to detect and respond to cyber attacks.
Aug 31, 2021
Companies don't want their customers to be victims of fraud.
2368
Guest Brandon Hoffman from Intel 471 joins Dave to talk about how cybercriminals are going after large retail and hospitality companies, Joe shares some advice for college students to avoid scams and ID theft, Dave got an edit to the tale of the lightning rod, and our Catch of the Day comes from listener Shannon who received a beneficiary scam email. Links to stories: BBB Scam Alert: 6 Scams for College Students to Avoid BBB Tip: 9 Tips for college students to avoid ID theft Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Aug 26, 2021
script kiddies (noun) [Word Notes]
338
Cybercriminals who lack the expertise to write their own programs and instead use existing scripts, code, or tools authored by other, more skilled hackers. 
Aug 24, 2021
Effective cybersecurity training has to be meaningful to employees.
2192
Guest Jann Yogman, entertainment industry veteran and writer of Mimecast Awareness Training, joins Dave to share his thoughts on the ransomware epidemic and the cybersecurity awareness training problem, Joe's got a story about scams targeting families eligible for the IRS' child tax credit, Dave's story is about scams and fraud experienced by US military veterans, personnel, and their families, and our Catch of the Day comes from listener Sawyer Dicky on Reddit who insists he's not the right guy. Links to stories: IRS warns of child tax credit scams US military personnel lost over $822 million to scams since 2017 Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Aug 19, 2021
sandbox (noun) [Word Notes]
385
An isolated and controlled set of resources that mimics real world environments and is used to safely execute suspicious code without infecting or causing damage to the host machine, operating system, or network.
Aug 17, 2021
The attackers keep coming every single day.
2709
Guest Andrew Rubin, CEO and co-founder of Illumio, joins Dave to discuss Zero Trust, Dave and Joe share some follow-up from several listeners including one with a variation on prison pen pals we discussed some time ago and some advice on Dave's Google Authenticator issue he mentioned last week, Dave's story is about non-delivery scams, Joe's got a story on Imperial Kitten doing some catphishing, and our Catch of the Day comes from listener Timothy about a sextortion campaign. Links to stories: 5 reasons non-delivery scams work I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Aug 12, 2021
security orchestration, automation, and response (SOAR) (noun) [Word Notes]
386
A stack of security software solutions and tools that allow organizations to orchestrate disparate internal and external tools which feed pre-built automation playbooks that respond to events or alert analysts if an event meets a certain threshold.
Aug 10, 2021
Acceleration of our digital lives and impacts on cybercrime.
2632
Guest Darren Shou, Chief Technology Officer of NortonLifeLock, shares insight on some of the scams he and his colleagues have been tracking, Joe and Dave share some follow up from listener Robert about free learning resources, Joe's story comes from listener Sedric who is new to real estate investing and was looking for a hard money loan, rather than a story, Dave continues the conversation on passwords and multi-factor authentication with comments from listener Coinsigliere, and our Catch of the Day, well "catches" of the day since we have two, include one from Pryce on a smishing scam and the second from Ronald with a subscription email scam. Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Aug 05, 2021
personally identifiable information (PII) (noun) [Word Notes]
446
A term of legal art that defines the types of data and circumstances that permit a third party to directly or indirectly identify an individual with collected data. 
Aug 03, 2021
What are our devices doing to our compassion?
2802
Guest Dr. Charles Chaffin, author of the book "Numb: How the Information Age Dulls Our Senses and How We Can Get them Back," joins Dave this week, we have some listener follow up from John with a tip on ATM security, Dave's got a two-fer this week including a useful site called www.shouldiclick.org and a Twitter report on multi-factor authentication (thanks to Rachel Tobac for calling our attention to it), Joe's story is from Microsoft on trends in tech support scams, and our Catch of the Day is from a listener on Twitter called @DoNoEvilMan about a payout from the Federal Reserve via the FBI. Links to stories: Should I click or not? Twitter Account Security report Tech support scams adapt and persist in 2021, per new Microsoft research Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jul 29, 2021
secure access service edge (SASE) (noun) [Word Notes]
505
A security architecture that incorporates the cloud shared responsibility model, a vendor provided security stack, an SD-WAN abstraction layer, and network peering with one or more of the big content providers and their associated fiber networks.
Jul 27, 2021
It's ok to be trusting, just be careful.
2532
Guest Gil Friedrich from Avanan joins Dave to talk about how bad actors are infiltrating organizations using collaboration apps, we have two pieces of listener follow up from Michael and Tobias, Joe has a story about fake information, Dave's story is about message spam on LinkedIn, and our Catch of the Day is from a listener named Lucio with a questionable Reddit communication. Links to stories: Propaganda as a Social Engineering Tool Annoying LinkedIn Networkers Actually Russian Hackers Spreading Zero-Days, Google Says Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jul 22, 2021
red teaming (noun) [Word Notes]
386
The practice of emulating known adversary behavior against an organization's actual defensive posture.
Jul 20, 2021
Threat actors changing ransomware tactics.
2441
Guest Kurtis Minder from GroupSense joins Dave to discuss divergent ransomware trends, the guys have a listener reminder about it being CompTIA, Joe, Dave has a story about a coupon scam in the Houston area, Joe's story is about a real estate rental scam and a scammer who likes to talk about his work, and our Catch of the Day is from a listener named Craig with an email about an unprofessional colleague and a questionable attachment. Links to stories: A ‘dark-side coupon group’ scammed stores out of millions, police say. ‘They were just going through the ink.’ Housing scams abundant in Jackson. This scammer is proud of it Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jul 15, 2021
next generation firewall (noun) [Word Notes]
447
A layer seven security orchestration platform deployed at the boundary between internal workloads/data storage and untrusted sources that blocks incoming and outgoing network traffic with rules that tie applications to the authenticated user and provides most of the traditional security stack functions in one device or software application. 
Jul 13, 2021
Introducing 8th Layer Insights: Deceptionology 101: Introduction to the Dark Arts
3687
Have you ever noticed how fundamental deception is to the human condition? Deception and forms of social engineering have been with us since the beginning of recorded history. And yet, it seems like we are just as vulnerable to it as ever. But now the stakes are higher because technology allows social engineers to deceive at scale. This episode explores the psychology of deception, provides a foundation for understanding social engineering, offers a few mental models for exploration and exploitation, and discusses how we can prepare our mental defenses.

Guests:
Rachel Tobac (LinkedIn), CEO of SocialProof Security
Chris Hadnagy (LinkedIn); CEO of Social Engineer, LLC; Founder of Innocent Lives Foundation; Founder of Social-Engineer.org
Lisa Forte (LinkedIn); Partner at Red Goat Cyber Security; Co-Founder Cyber Volunteers 19
George Finney (LinkedIn); Chief Security Officer at Southern Methodist University; Founder of Well Aware Security

Notes & Resources:
CSO Online article on Social Engineering
OODA Loop
Understanding Framing Effects
More examples of Framing Effects
Harvard Business Review article on the Principles of Persuasion
A blog series I did on Deception (Part 1), (Part 2).
PsychologyToday article on Social Engineering

Recommended Books (Amazon affiliate links):
The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick
Ghost in the Wires: My Adventures as the World's Most Wanted Hacker by Kevin Mitnick
Human Hacking: Win Friends, Influence People, and Leave Them Better Off for Having Met You by Chris Hadnagy
Influence, New and Expanded: The Psychology of Persuasion by Robert Cialdini
Pre-Suasion: A Revolutionary Way to Influence and Persuade by Robert Cialdini
Practical Social Engineering: A Primer for the Ethical Hacker by Joe Gray
Social Engineering: The Science of Human Hacking by Chris Hadnagy
Thinking, Fast and Slow by Daniel Kahneman
Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors by Perry Carpenter
Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future by George Finney

Music and Sound Effects by Blue Dot Sessions & Storyblocks. Artwork by Chris Machowski.
Jul 11, 2021
Collaboration, data portability, and employee mobility fuel insider risk.
2472
Guest Joe Payne of Code 42 joins Dave to discuss insider risks, Joe has a story about Frank Abagnale who's conned everyone one way or another, Dave's story is about a real estate scam conning a single mother out of her life savings, and our Catch of the Day is from listener Michael with an "Extremely Urgent Attention Required" email. Links to stories: Confessions of a Famous Fraudster: How and Why Social Engineering Scams Work Real estate scam robs Florida mom of $63K in life savings Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jul 08, 2021
fast flux (noun) [Word Notes]
433
A network designed to obfuscate the location of a cyber adversary's command and control server by manipulating the domain name system, or DNS, in a way that rotates the associated IP address among large numbers of compromised hosts in a botnet.
Jul 06, 2021
An inside view on North Korean cybercrime.
2135
The CyberWire's UK correspondent Carole Theriault returns to share an interview with Geoff White, reporter from the BBC and co-host of the Lazarus Heist podcast, Joe has some listener follow-up from Mike looking for advice on certifications for getting into cybersecurity, Dave's story is from Brian Krebs about catching an ATM shimmer gang, Joe's got a piece from MalwareBytes Labs about phishing for Bitcoin recovery codes, and our Catch of the Day is from listener Rohit with a pretty genuine-looking snail mail scam. Links to stories: How Cyber Sleuths Cracked an ATM Shimmer Gang Bitcoin scammers phish for wallet recovery codes on Twitter Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jul 01, 2021
encryption (noun) [Word Notes]
407
The process of converting plain text into an unrecognizable form or secret code to hide its true meaning.
Jun 29, 2021
Bad password hygiene jeopardizes streaming services.
2414
Guest Matthew Gracey-McMinn joins us from Netacea to speak with Dave about security issues with streaming services, Joe shares some follow-up from listener Jason about a bracelet sale mentioned a few episodes ago, Joe's story is from UMBC about AI-generated fake news reports, Dave's got a story about a replacement scam for a hardware wallet used for storing cryptocurrency, and our Catch of the Day comes from a listener called R about a vishing scam for DirectTV. Links to stories: Study shows AI-generated fake reports fool experts Criminals are mailing altered Ledger devices to steal cryptocurrency Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jun 24, 2021
keylogger (noun) [Word Notes]
330
Software or hardware that records the computer keys pressed by a user. 
Jun 22, 2021
Answering a job ad from a ransomware gang.
2242
Guest Mantas Sasnauskas from CyberNews joins Dave to talk about how he and his colleagues applied for a job with a ransomware gang, Joe and Dave reply to a listener named Christopher about certifications, Dave's story is about credential stuffing against payroll companies netting $800,000, Joe shares a story about lewd phishing lures sent to people's email accounts, and our Catch of the Day is from a listener named Stof who says he “received this call just now, never heard one this convincing, nearly got me too!" Links to stories: How to hack into 5500 accounts… just using “credential stuffing” Lewd Phishing Lures Aimed at Business Explode Million-dollar deposits and friends in high places: how we applied for a job with a ransomware gang Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jun 17, 2021
non-fungible tokens (NFT) (noun) [Word Notes]
334
Digital assets that are cryptographically protected on a blockchain and contain unique identification codes and metadata that makes them one of a kind.
Jun 15, 2021
Pandemic taxes: later due dates afford more time for scams.
2369
Guest Robert Capps of NuData Security joins Dave to discuss what businesses can do to bolster their protection against tax fraud, Joe and Dave have some follow-up from 2 episodes ago when they discussed a BazarLoader scam: Wired has a recent article with a twist about a totally fake streaming site called BravoMovies, Joe shares a story from a listener Jason about a friend of his who was targeted by a scammer on Facebook Marketplace, Dave's story is about scammers demanding ransom from families who report missing persons on social media, and our Catch of the Day is from Reddit on a Tron cryptocurrency scam. Links to stories: The Bizarro Streaming Site That Hackers Built From Scratch  Scammers Target Families Who Post Missing Persons on Social Media COTD post on Reddit: Crypto scammer doesn't understand compound interest and gives me a rate that would give me all of the crypto after 9 hours. Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jun 10, 2021
multi-factor authentication (noun) [Word Notes]
361
The use of two or more verification methods to gain access to an account.
Jun 08, 2021
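The multi-factor authentication definition above is deliberately generic; the factor most listeners carry is a time-based one-time code from an authenticator app. The following is an added example (not from the podcast or the CyberWire glossary) implementing HOTP (RFC 4226) and TOTP (RFC 6238) with only the Python standard library, plus a verification routine that tolerates clock drift and refuses replays. The secret is the RFC 6238 Appendix B test secret, so the printed values can be checked against the published vectors.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a verification routine."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """Counter-based one-time password: HMAC, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, t0: int = 0,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """Time-based variant: the counter is the number of `step`-second
    intervals elapsed since `t0` at Unix time `at`."""
    return hotp(secret, (at - t0) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Check a submitted code against the current time step and `window`
    neighbours on each side (to tolerate clock drift and a slow user).

    Returns the counter that matched so the caller can store it, or None.
    Refusing any counter <= last_counter prevents replay of a code that has
    already been accepted.  The comparison is constant-time on purpose.
    """
    current = at // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), SHA-1.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0 :", hotp(RFC_SECRET, 0))                 # 755224
    print("TOTP at t=59   :", totp(RFC_SECRET, 59, digits=8))      # 94287082
    print("TOTP now       :", totp(RFC_SECRET, int(time.time())))
```

Two points the definition does not spell out: the server must remember the last counter it accepted, or a code phished in real time can be replayed within the same 30-second window; and the acceptance window should stay small, since every extra step doubles the guesses an attacker gets per attempt.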
The fight in the dog.
2343
Guests Jan Kallberg and Col Stephen Hamilton of Army Cyber Institute at West Point join Dave to talk about cognitive force protection, Joe and Dave have some follow-up from a listener named Obada about Apple only allowing 2FA through SMS, Dave shares a story about Google's plan to require MFA for all users, Joe's story is about a couple who had their Fidelity retirement account defrauded to the tune of $40,000, and our Catch of the Day is from a listener named Doal about becoming named the beneficiary of a similarly-named deceased person. Links to stories: Google to make multi-factor authentication its default mode ‘Sleeping Giant:' Thieves Target Retirement Accounts How to protect troops from an assault in the cognitive domain Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jun 03, 2021
machine learning (noun) [Word Notes]
376
A programming technique in which the developer does not specify each step of the algorithm in code but instead trains the algorithm to learn from experience, that is, from data.
Jun 01, 2021
Hacking people vs. hacking technologies to get into companies.
2363
Guest Tim Sadler from Tessian on how oversharing on social media and in OOO messages can open the door for hackers, Joe shares a story about vishing emails from "Amazon" that had spam confidence levels of 1, Dave's story is about an elaborate BazarLoader campaign counting on a lot of human interaction, and our Catch of the Day is from a listener named Scott about a phishing fax, that's right, we said fax. Links to stories: Hello, Is It Me You’re Phishing For: Amazon Vishing Attacks BazarCall Method: Call Centers Help Spread BazarLoader Malware Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 27, 2021
intelligence (noun) [Word Notes]
356
The process of turning raw information into intelligence products that leaders use to make decisions with.
May 25, 2021
Whaling attacks are more targeted than phishing or spearphishing.
2039
Guest Kev Breen from Immersive Labs joins Dave to talk about how to address whaling attacks, Dave shares a discussion he had with a colleague about password managers and elderly parents and Joe weighs in, Dave's story is about a smishing Trojan impersonating a Chrome app, Joe has a story about URL redirection making more effective phishing attacks, and our Catch of the Day is from a listener named Vaughn about a snail mail fraud scheme that references a website. Links to stories: Beware of this smishing trojan impersonating the Chrome app Exploiting common URL redirection methods to create effective phishing attacks Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 20, 2021
Introducing 8th Layer Insights [Trailer]
274
Coming May 25, 2021. Get ready for a deep dive into what cybersecurity professionals often refer to as the "8th Layer" of security: HUMANS. This podcast is a multidisciplinary exploration into how the complexities of human nature affect security, risk, and life. Author, security researcher, and behavior science enthusiast Perry Carpenter taps experts for their insights and illumination. Topics include cybersecurity, psychology, behavior science, communication, leadership, and more.
May 19, 2021
SaaS (noun) [Word Notes]
364
A cloud-based software distribution method where app infrastructure, performance, and security are maintained by a service provider and accessible to users, typically via subscription, from any device connected to the internet.
May 18, 2021
How to best fight fake news.
2363
Guest Helen Lee Bouygues of the Reboot Foundation joins Dave to talk about social media’s effect within the misinformation ecosystem and how users can best fight fake news, Dave and Joe share some follow-up from listener Jonathan on two-factor authentication, Joe's story is about an employee in Scotland sued for making payments based on phishing emails, Dave has a story about fake order confirmation phishing messages prompting us to call rather than click, our Catch of the Day comes from a listener named Wyatt who received a phishing email from some fellow jackpot winners. Links to stories: Why You Should Use a Physical Key to Sign Into Your Accounts Publishing company defrauded of over £193,000 fail to appeal decision that ex-employee was not liable for damages Company sues worker who fell for email scam BazarBackdoor phishing campaign eschews links and files to avoid raising red flags Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 13, 2021
decryption (noun) [Word Notes]
448
A process of converting encrypted data into something that a human or computer can understand.
May 11, 2021
Digital identities are at the core of recent breaches.
2358
Our UK correspondent Carole Theriault returns to share her interview with Julie Smith from the Security Alliance and Kelvin Coleman from National Cyber Security Alliance about Identity Management Day, Dave's story is about how Pixar uses colors to hack our moods and minds to see colors we've never seen before, Joe has a story about ways malicious actors can break into accounts with multi-factor authentication enabled, our Catch of the Day comes from a listener named Brett who works in a PC repair shop and "HackerDont'comebacker" software. Links to stories: How Pixar Uses Hyper-Colors to Hack Your Brain How Social Engineering Tactics Can Crack Multi-factor Authentication Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 06, 2021
brute-force attack (noun) [Word Notes]
392
A cryptographic attack that relies on systematically trying every possible character combination (or every candidate in a word list) for a targeted password or key until the correct one is discovered.
May 04, 2021
Anyone can be a target of romance scams.
2164
Guest Stacey Nash, Head of Fraud and Central Operations at USAA, joins Dave to discuss romance or sweetheart scams, Joe and Dave share some listener follow-up, Joe's got a story about emails sent to British awards organizers asking them to transfer prize money to a PayPal account, Dave's story is about a Rolling Stones tribute band targeted in a bogus check racket, and our Catch of the Day comes from a listener named Konstantin about a fake tax refund. Links to stories: $40,000 Swindle Puts Spotlight on Literary Prize Scams Scammers can’t get no satisfaction Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 29, 2021
denial-of-service attack (noun) [Word Notes]
397
A cyber attack designed to impair or eliminate access to online services or data.
Apr 27, 2021
Make systems to mitigate the mistakes.
2548
Guest Margaret Cunningham from Forcepoint talks with Dave about cognitive biases that lead to reasoning errors in cybersecurity, Joe shares some follow-up from a listener named Alex about the Alexa phone call Joe mentioned a few episodes back, Dave shares a note from listener Brandon about finding similar DNS names (check out https://dnstwister.report/), Dave's story is about dark patterns to get you to do something on a website, Joe shares a story about phishing emails and defenses against them, and our Catch of the Day comes from a listener named Big Mike about an old time radio podcast he heard recently with great examples of social engineering. Links to stories: Dark patterns, the tricks websites use to make you say yes, explained Why do phishing attacks work? Blame the humans, not the technology Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 22, 2021
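Listener Brandon's note about finding similar DNS names is worth a worked illustration. The following is an added example (not from the podcast, and not the code behind dnstwister) that generates look-alike domains with the same families of transformation such tools use: character omission, transposition, repetition, hyphenation, homoglyph substitution and vowel swaps. The homoglyph table is a small illustrative one, and the function assumes it is given a registrable domain such as example.com rather than a hostname with subdomains.

```python
"""Generate look-alike domains the way dnstwist-style tools do."""

# Characters easily confused with each other (assumption: a small illustrative
# map; real tools carry much larger tables, including Unicode confusables).
HOMOGLYPHS = {
    "o": ["0"], "0": ["o"], "l": ["1", "i"], "i": ["l", "1"], "1": ["l"],
    "e": ["3"], "a": ["4"], "s": ["5"], "rn": ["m"], "m": ["rn"],
    "vv": ["w"], "w": ["vv"],
}


def _omission(label):
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def _transposition(label):
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def _repetition(label):
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def _hyphenation(label):
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}


def _homoglyph(label):
    out = set()
    for seq, subs in HOMOGLYPHS.items():
        start = label.find(seq)
        while start != -1:            # substitute one occurrence at a time
            for sub in subs:
                out.add(label[:start] + sub + label[start + len(seq):])
            start = label.find(seq, start + 1)
    return out


def _vowel_swap(label):
    vowels = "aeiou"
    return {label[:i] + v + label[i + 1:]
            for i, ch in enumerate(label) if ch in vowels
            for v in vowels if v != ch}


GENERATORS = {
    "omission": _omission, "transposition": _transposition,
    "repetition": _repetition, "hyphenation": _hyphenation,
    "homoglyph": _homoglyph, "vowel-swap": _vowel_swap,
}


def twist(domain: str) -> dict:
    """Return {candidate_domain: technique} for a registrable domain.

    Assumption: `domain` is `<label>.<suffix>` with no subdomain, so the
    first label is the one being twisted (example.com, not www.example.com).
    A candidate reachable by several techniques is credited to the first.
    """
    label, suffix = domain.lower().split(".", 1)
    out = {}
    for technique, gen in GENERATORS.items():
        for cand in gen(label):
            full = f"{cand}.{suffix}"
            if cand and cand != label and full not in out:
                out[full] = technique
    return out


if __name__ == "__main__":
    for name, how in sorted(twist("example.com").items()):
        print(f"{how:14} {name}")
```

The output list is the input to the next step, which this example does not do because it needs the network: resolve each candidate and check WHOIS, and alert on any that are registered, resolve, or serve mail, since those are the ones a phisher can already use against your staff.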
cold boot attack (noun) [Word Notes]
419
A type of side channel attack in which an attacker with physical access to a computer reboots or power-cycles it and dumps the contents of its Random Access Memory (RAM), relying on the fact that RAM contents fade slowly rather than instantly after power loss, in order to steal sensitive data such as encryption keys.
Apr 20, 2021
Being aware can go a long way to prevent attacks.
2132
Guest Herb Stapleton, the FBI’s cyber division sector chief, joins Dave to talk about the FBI's Internet Crime Complaint Center (IC3) annual report and its findings, Joe's story is about an ongoing IRS impersonation scam targeting educational organizations, Dave shares a story from the BBC about people using their pets names as passwords (tell us that hasn't crossed your mind or your keyboard before), and our Catch of the Day comes from the Land Down Under via Gareth and Kingsley. COTD note: Just to be clear their jurisdiction is a single party consent jurisdiction. Links to stories: IRS warns university students and staff of impersonation email scam Pets' names used as passwords by millions, study finds Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 15, 2021
cloud computing (noun) [Word Notes]
376
On-demand pay-as-you-go Internet delivered compute, storage, infrastructure, and security services that are partially managed by the cloud provider and partially managed by the customer.
Apr 13, 2021
Finding targets of opportunity.
2410
Guest Peter Warmka, founder of the Counterintelligence Institute, joins Dave to talk about how insider targets are chosen and assessed, Joe shares a weird phone call he received, Dave's story is from a Twitter user named Jake on flower shop scams, Joe has a story about student loan forgiveness scams, and our Catch of the Day comes from a listener named Andrew about a pricey software subscription renewal scam. Links to stories: Twitter thread with flower shop scams from Australia 3 Ways to Spot Student Loan Scams Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 08, 2021
APT (noun) [Word Notes]
412
An acronym for Advanced Persistent Threat to describe hacker groups or campaigns normally, but not always, associated with nation state cyber espionage and continuous low-level cyber conflict operations.
Apr 06, 2021
The pandemic is slowing, time to travel?
2090
Guest Fleming Shi of Barracuda joins Dave to talk about travel-related phishing attacks now that vaccines are more readily available, Dave and Joe share listener advice about preventative email blocking, Joe shares a story about romance scams by someone who includes fake W2s and other documents in the process, Dave's got a story about a phone scammer posing as McDonald's CEO, and our Catch of the Day is from a listener named Tarik with an email about his reported death. Tarik awards this email the Unlikely Phishing Hook of the Year Award presented by the Institute of Questionable Intentions. Links to stories: Irvine man accused of $1 million romance scam Phone scammer pretending to be McDonald's CEO nearly cons Pennsylvania restaurant out of thousands: report Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 01, 2021
backdoor (noun) [Word Notes]
354
An undocumented or publicly unknown method to access a computer system undetected or to break a cipher used to encode messages.
Mar 30, 2021
Technology is not designed for older users.
2237
Guest Ming Yang of Orchard joins Dave to talk about ways to help your parents with technology (aka providing tech support for our parents). Dave shares the FBI's advisory warning of an expected increase in the use of deepfakes for social engineering attacks, Joe's got a story about phantom debts, and our Catch of the Day is from a listener named Anthony about an email from federalcrimeofinvestigation@gmail.com. Hmmm...seems legit. Links to stories: Malicious Actors Almost Certainly Will Leverage Synthetic Content for Cyber and Foreign Influence Operations Beware Scammers Trying to Collect Phantom Debts Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Mar 25, 2021
watering hole attack (noun) [Word Notes]
330
From the intrusion kill chain model, a technique where the hacker compromises sites commonly visited by members of a targeted community in order to deliver a malicious payload to the intended victim.
Mar 23, 2021
Ideally, look for someone open to deception.
2365
Guest professional magician Brandon Williams talks with Joe about the art of deception, we have some follow-up on a watering hole attack we discussed a few episodes back, Joe's story is about the Attorney General of Vermont's top scams of 2020 report (no surprise #1 was SSN phishing), Dave's got a story about the level of sophistication of cybercriminals (hint: not all are that sophisticated), and our Catch of the Day is from a listener named Jo about a well-written request for donation. Links to stories: Top 10 scams of 2020 released by attorney general Not all cybercriminals are sophisticated Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Mar 18, 2021
network telescope (noun) [Word Notes]
318
Network observation systems designed to monitor globally reachable but unused Internet address space (a so-called darknet), where no legitimate traffic should arrive, in order to study a wide range of interesting Internet phenomena such as scanning, worm propagation and backscatter from spoofed denial-of-service attacks.
Mar 16, 2021
Insider threats and security concerns for APIs.
2302
Guest Inon Shkedy, security researcher at Traceable and API project leader at OWASP Foundation, talks with Dave about the risks various types of insider threats pose to APIs, we have some follow-up from a listener closing on their home, Dave's story is about a new wave of scams saying they are from the Social Security Administration, Joe's got Deepfakes of Tom Cruise (thanks to Rachel Tobac for this one), and our Catch of the Day is from a listener named John's son and a job interview scam he experienced. Links to stories: US government warns of Social Security scams using fake federal IDs Here’s How Worried You Should Be About Those Tom Cruise Deepfakes Deepfake videos of Tom Cruise show the technology's threat to society is very real Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Mar 11, 2021
SOC Triad (noun) [Word Notes]
321
A best practice for framing cyber intelligence critical information requirements that recommends collecting and consolidating data from three specific sources: endpoint, network and log.
Mar 09, 2021
Fraud activity within secure messaging apps in plain sight.
2495
Guest Brittany Allen of Sift joins Dave to talk about a new fraud ring on Telegram where bad actors leverage the app to steal from on-demand food delivery services, Joe's story involves two of the five parts of URLs in phishing attacks, Dave's got a story about a malvertising group called "ScamClub," and our Catch of the Day is from a listener named John about a letter he received in the mail from "TD Trust Bank" about an inheritance opportunity. Links to stories: New Phishing Attack Identified: Malformed URL Prefixes “ScamClub” gang outed for exploiting iPhone browser bug to spew ads Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Mar 04, 2021
supply chain attacks (noun) [Word Notes]
328
Also known as a third-party attack or a value-chain attack, an attack in which adversary groups gain access to a targeted victim's network by first infiltrating a business partner's network that has access to the victim's systems or data.
Mar 02, 2021
How likely are online users to reveal private information?
1994
Guest Professor Lior Fink from Ben Gurion University shares insights from their study on "How We Can Be Manipulated Into Sharing Private Information Online," Dave's story is some good news about a Nigerian man sentenced for phishing the US heavy equipment company Caterpillar, Joe has a story with bad news about a sextortion email scam with a fake Zoom zero day component, and our Catch of the Day is a compelling phishing email a listener named Michael recently received. Links to stories: Nigerian man sentenced 10 years for $11 million phishing scam Watch out for sextortion email scams Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 25, 2021
taint analysis (noun) [Word Notes]
260
The process of software engineers checking the flow of user input in application code to determine if unanticipated input can affect program execution in malicious ways.
Feb 23, 2021
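The taint analysis definition above can be made concrete with a toy analyzer. The following is an added example (not from the podcast or the CyberWire glossary) that walks Python source with the standard-library `ast` module, marks values derived from user input as tainted, clears the mark when the value passes through a sanitizer, and reports every dangerous call fed by tainted data. The source lists, sanitizer list and the sample program it is run over are constructed for the example; it is intra-procedural and ignores conditions in branches, which a real engine would not.

```python
"""Toy intra-procedural taint analysis for Python source, built on `ast`."""
import ast

SOURCES = {"input", "sys.argv", "os.environ", "os.getenv"}   # untrusted input
SANITIZERS = {"shlex.quote", "int"}                           # neutralise taint
SINKS = {"os.system", "os.popen", "eval", "exec"}             # always dangerous
SHELL_SINKS = {"subprocess.run", "subprocess.call",           # only with shell=True
               "subprocess.Popen", "subprocess.check_output"}


def qualname(node):
    """Dotted name of a Name/Attribute chain, e.g. 'os.system'; '' otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualname(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def is_tainted(node, tainted):
    """Does this expression carry data derived from a source?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Attribute):
        return qualname(node) in SOURCES or is_tainted(node.value, tainted)
    if isinstance(node, ast.Call):
        name = qualname(node.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
        return (any(is_tainted(a, tainted) for a in node.args)
                or any(is_tainted(k.value, tainted) for k in node.keywords))
    # BinOp, f-strings, subscripts, lists, ...: tainted if any child is
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(node))


def is_sink(call):
    name = qualname(call.func)
    if name in SINKS:
        return True
    if name in SHELL_SINKS:
        return any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                   and k.value.value is True for k in call.keywords)
    return False


def _check_sinks(node, tainted, findings):
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call) and is_sink(sub):
            if any(is_tainted(a, tainted) for a in sub.args):
                findings.append((sub.lineno, qualname(sub.func)))


def _analyze(stmts, tainted, findings):
    for stmt in stmts:
        if hasattr(stmt, "body"):               # if/for/while/with/def/try ...
            for field in ("test", "iter"):
                if getattr(stmt, field, None) is not None:
                    _check_sinks(getattr(stmt, field), tainted, findings)
            for field in ("body", "orelse", "finalbody"):
                _analyze(getattr(stmt, field, None) or [], tainted, findings)
            continue
        _check_sinks(stmt, tainted, findings)
        if isinstance(stmt, ast.Assign):        # propagate or clear taint
            flows = is_tainted(stmt.value, tainted)
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    (tainted.add if flows else tainted.discard)(target.id)


def find_taint_flows(source: str):
    """Return [(line, sink)] for every sink call fed by tainted data."""
    findings = []
    _analyze(ast.parse(source).body, set(), findings)
    return findings


# Constructed sample program: lines 4, 8 and 9 should be reported.
SAMPLE = """\
import os, shlex, subprocess, sys
user = input("host: ")
safe = shlex.quote(user)
os.system("ping -c1 " + user)
os.system("ping -c1 " + safe)
subprocess.run(["ping", "-c1", user])
cmd = f"dig {user}"
subprocess.run(cmd, shell=True)
eval(sys.argv[1])
"""

if __name__ == "__main__":
    for line, sink in find_taint_flows(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}()")
```

Line 5 of the sample is not reported because the value went through shlex.quote, and line 6 is not reported because the argv-list form of subprocess.run never invokes a shell; those two distinctions, sanitizers and sink preconditions, are where most of the engineering in a real taint engine goes.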
Including your passwords in your final arrangements.
2472
Guest Sara Teare who is known as 1Password's Minister of Magic talks with Dave about things that people don't consider like custody of the digital keys to your stuff online, Dave and Joe share some listener feedback from Jonathan about replacing outdated equipment (aka an old phone), Joe's story is about ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations, Dave's story has a holiday theme: emails pretending to confirm orders from lingerie and flower shops that are actually spreading malware, and our Catch of the Day is from a listener named Kristian and it's a "legitimate deal" from Colonel Gaddafi's daughter. Links to stories: New campaign targeting security researchers Pre-Valentine’s Day Malware Attack Mimics Flower, Lingerie Stores Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 18, 2021
ATM skimming (noun) [Word Notes]
297
The process of stealing ATM customer credentials by physically and covertly installing one or more devices onto a public ATM.
Feb 16, 2021
In the disinformation and misinformation crosshairs.
2246
Carole Theriault returns with a discussion on disinformation with guest Tim Harford, BBC host, podcaster and author, Dave's got a story about Covid vaccine phishing campaigns, Joe's story talks about data breaches that have increased 50% year over year since 2018, and our Catch of the Day is from a listener named John, whose wife saw it on Facebook and translated it from Lithuanian. Links to stories: Count Yourself in For a Vaccine Phish Deep Analysis of More than 60,000 Breach Reports Over Three Years Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 11, 2021
APT side hustle (noun) [Word Notes]
329
A nation-state hacking group’s practice of funding its own activities through cybercrime or cyber mercenary work.
Feb 09, 2021
Understanding human behavior is a key to security.
2371
Guest Nico Popp of Forcepoint joins Dave to discuss why understanding human behavior is a major key to security, Dave & Joe discuss some listener follow-up about a Craigslist posting, Joe's story is about a scam website that is promising refunds to consumers all over the world, Dave shares a story about scam calls coming from call centers in India, and our Catch of the Day is from a listener about an email from former first lady Melania Trump. Links to stories: FTC warns of scam website that promises refund for victims of online scams Scam “US Trading Commission” website is not the FTC Who's Making All Those Scam Calls? Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 04, 2021
endpoint (noun) [Word Notes]
365
A device connected to a network that accepts communications from other endpoints like laptops, mobile devices, IoT equipment, routers, switches, and any tool on the security stack.
Feb 02, 2021
Covid has shifted the way we deal with money and increased fraud.
2472
Guest Eric Solis of MOVO Cash talks with Dave about the increase in fraud attacks on consumers and businesses in the absence of a body of regulations for digital payments, Dave's story is about his recent pillow purchase prompting him to do online reviews for an extra bonus, Joe shares some details from Verizon's Cyber-Espionage report, and our Catch of the Day is a letter from a listener named Jim who had a bad eBay transaction. Links to stories: Amazon is trying to crack down on fraudulent reviews. They’re thriving in Facebook groups. Breach of Trust: How Cyber-Espionage Thrives On Human Nature Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 28, 2021
unified extensible firmware interface (UEFI) (noun) [Word Notes]
356
An extension of the traditional Basic Input/Output System or BIOS that, during the boot process, facilitates the communication between the computer’s firmware and the computer’s operating system.
Jan 26, 2021
Targeted phishing campaigns and lottery scams abound.
2053
Guest Arjun Sambamoorthy of Armorblox talks with Dave about five targeted phishing campaigns that weaponize various Google services during their attack flow, Joe's story is about the MegaMillions jackpot that is approaching epic proportions and attracting the attention of scammers, Dave's story comes from a listener over on the Grumpy Old Geeks podcast about a Venmo incident, and our Catch of the Day comes from Joe's son who received an email from the FBI. Links to stories: Advisory: Beware of Scams as Jackpot Grows Lottery Scams: Some scammers falsely use Mega Millions name Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 21, 2021
Daemon (noun) [Word Notes]
289
An operating system program running in the background designed to perform a specific task when certain conditions or events occur.
Jan 19, 2021
As B2C interactions shift online, call centers become new fraud vector.
2368
Guest Umesh Sachdev of Uniphore talks with Dave about how call centers are becoming the new fraud vector, Dave's story involves an email that has a Trump scandal .jar file attached that's really a RAT, Joe has a story about hackers spoofing a victim's phone number making emergency calls where the police respond to the victim's home with force, he also talks about credential stuffing for swatting a video doorbell, and our Catch of the Day comes from a listener Christian who received an email with a lazy trunk box scam. Links to stories: Hackers Using Fake Trump's Scandal Video to Spread QNode Malware FBI Warn Hackers are Using Hijacked Home Security Devices for ‘Swatting’ Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 14, 2021
greyware (noun) [Word Notes]
318
Also known as spyware and adware, it is a software category where developers design the application neither to cause explicit harm nor to accomplish some conventional legitimate purpose, but when run, usually annoys the user and often performs actions that the developer did not disclose, and that the user regards as undesirable.
Jan 12, 2021
Combating growing online financial fraud.
2180
Dave switches gears and shares a story from the National Law Review with a social engineering spin to it about a theft exclusion in a title company's errors and omissions policy, Joe shares a story about Facebook taking action against hacking groups, the Catch of the Day comes from Joe himself with a connection request he received on LinkedIn, and later in the show, Dave's conversation with Carey O’Connor Kolaja from AU10TIX on fraud in the financial services and payment industry, and how organizations are using emerging technical solutions to help combat it. Links to stories: Engineering Coverage for Social Engineering Schemes in Light of New Jersey Federal Court Opinion Finding No Errors and Omissions Coverage for Email Scam Taking Action Against Hackers in Bangladesh and Vietnam Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 07, 2021
Unix (noun) [Word Notes]
315
A family of multitasking, multi-user computer operating systems that derive from the original Unix system built by Ken Thompson and Dennis Ritchie at Bell Labs in the late 1960s and early 1970s.
Jan 05, 2021
fuzzing (noun) [Word Notes]
315
An automatic software bug and vulnerability discovery technique that feeds invalid, unexpected and/or random data (the "fuzz") into a program and then monitors the program's reaction to it, treating crashes, hangs and other unexpected behavior as leads to investigate.
Jan 05, 2021
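The fuzzing definition above is easiest to appreciate by watching a fuzzer find bugs that a hand-written test would miss. The following is an added example (not from the podcast or the CyberWire glossary): a constructed record parser with two deliberate defects, no bounds check on its length field and body processing ahead of trailer validation, and a small mutation fuzzer that derives inputs from one valid seed, runs the parser, and keeps the first input that produced each kind of crash. The parser's own ValueError for a bad checksum is its documented rejection, so the fuzzer does not count it as a crash; the random seed is fixed so the run is reproducible.

```python
"""A small mutation fuzzer and the buggy parser it is pointed at."""
import random


def parse_record(data: bytes) -> dict:
    """Parse a record laid out as: type(1) length(1) payload(length) checksum(1).

    Constructed target with two deliberate defects a fuzzer should surface:
      * no check that `data` is long enough for the fields it reads, and
      * the body is processed before the trailer is validated.
    """
    rtype = data[0]                          # IndexError on empty input
    length = data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]              # IndexError when `length` exceeds the data
    avg = sum(payload) // length if rtype == 2 else None   # ZeroDivisionError when length == 0
    if (sum(payload) & 0xFF) != checksum:
        raise ValueError("bad checksum")     # the only *expected* rejection
    return {"type": rtype, "payload": bytes(payload), "avg": avg}


# --- mutators: each takes a bytearray and a Random, returns the mutated bytearray ---
BOUNDARY = (0x00, 0x01, 0x7F, 0x80, 0xFF)   # values that sit on signed/unsigned edges


def flip_bit(data, rng):
    if data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    return data


def set_boundary(data, rng):
    if data:
        data[rng.randrange(len(data))] = rng.choice(BOUNDARY)
    return data


def delete_byte(data, rng):
    if data:
        del data[rng.randrange(len(data))]
    return data


def insert_byte(data, rng):
    data.insert(rng.randint(0, len(data)), rng.randrange(256))
    return data


MUTATORS = (flip_bit, set_boundary, delete_byte, insert_byte)


def fuzz(seed: bytes, iterations: int = 3000, rng_seed: int = 1) -> dict:
    """Mutate `seed` repeatedly, run the parser, and keep the first input that
    triggered each distinct crash type.  ValueError is the parser's documented
    rejection and is therefore not counted as a crash."""
    rng = random.Random(rng_seed)            # fixed seed -> reproducible run
    crashes = {}
    for _ in range(iterations):
        data = bytearray(seed)
        for _ in range(rng.randint(1, 3)):   # stack a few mutations
            data = rng.choice(MUTATORS)(data, rng)
        try:
            parse_record(bytes(data))
        except ValueError:
            continue
        except Exception as exc:             # anything else is a bug in the parser
            crashes.setdefault(type(exc).__name__, bytes(data))
    return crashes


# Valid seed: type 2, payload "abc", checksum = (97 + 98 + 99) & 0xFF = 0x26
SEED = b"\x02\x03abc\x26"

if __name__ == "__main__":
    for name, case in fuzz(SEED).items():
        print(f"{name:18} {case.hex()}")
```

Each saved input is a minimal reproducer: feeding it back to parse_record raises the same exception, which is the artifact you hand to the developer. Production fuzzers add what this one lacks, above all coverage feedback so that inputs reaching new code are kept as further seeds, which is how they get past the two-byte conditions a blind mutator only hits by luck.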
Encore: Don't go looking for morality here. [Hacking Humans]
2331
Dave has a story of an investment scam featuring celebrities, Joe warns of scams surrounding the Coronavirus, the Catch of the Day features Joe's son-in-law's adventure with thousands of bot infiltrations, and later in the show, Dave's extended interview with magicians and entertainers Penn and Teller at RSAC 2020 in San Francisco. Links to stories: Revealed: fake 'traders' allegedly prey on victims in global investment scam Coronavirus: Scammers follow the headlines Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 31, 2020
deep packet inspection (DPI) (noun) [Word Notes]
334
A network monitoring and filtering technique that examines both the header information and the payload of every packet traversing a network access point.
Dec 29, 2020
Encore: Separating fools from money. [Hacking Humans]
1802
Dave shares a story of airport penetration testing with high degree of yuck-factor. Joe explores research on protecting passwords from social engineering. The catch-of-the-day comes courtesy of Graham Cluley's email spam box. Dave interviews Wired's Security Staff Writer Lily Hay Newman on her article tracking Nigerian email scammers.  Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 24, 2020
tactics, techniques and procedures (TTPs) (noun) [Word Notes]
403
A set of behaviors that precisely describes a cyber adversary attack campaign.
Dec 22, 2020
rootkit (noun) [Word Notes]
417
A clandestine set of applications designed to give hackers access and control over a target device.
Dec 22, 2020
Phishing lures that may be in your inbox soon, and how to deal "left of bang."
2224
Joe talks about phishing lures with holiday packages, current events, and things he expects to see in your inbox soon, Dave shares a blog post on how to troll a Nigerian prince, the Catch of the Day comes from a listener named Christian who received an email from an ill churchgoer that tests US knowledge of geography, and later in the show, Carole Theriault returns with a conversation with Rebecca McKeown, an independent Chartered Psychologist with experience researching and evaluating learning and development across the Ministry of Defence. She is studying the psychology of cyber response. Links to stories: How to Troll a Nigerian Prince Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 17, 2020
identity theft (noun) [Word Notes]
240
Here, identity is the set of credentials, usually electronic, that vouch for who you are, and theft is to steal: the theft of a person's identity for purposes of fraud.
Dec 15, 2020
The landscape has shifted for holiday shopping to online.
1987
Joe provides some listener feedback on allowing site notifications, Dave shares good news in his story about taking down money mules, Joe's got not as good news about a phishing campaign targeting the COVID-19 vaccine cold chain, The Catch of the Day comes from a listener named Virginia who received a phishing email impersonating a bank, and later in the show, Dave's conversation with Neal Dennis from Cyware on the cybersecurity concerns and pitfalls customers need to look out for and why ecommerce has become a goldmine for hackers. Links to stories: U.S. Law Enforcement Takes Action Against Approximately 2,300 Money Mules In Global Crackdown On Money Laundering IBM Uncovers Global Phishing Campaign Targeting the COVID-19 Vaccine Cold Chain Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 10, 2020
cyber threat intelligence (CTI) (noun) [Word Notes]
362
Information used by leadership to make decisions regarding the cybersecurity posture of their organization.
Dec 08, 2020
Virtual Private Network (VPN) (noun) [Word Notes]
385
A software, hardware or hybrid encryption layer between two devices on the network that makes the traffic between the sites opaque to the other devices on the same network.
Dec 08, 2020
Going behind the scenes and preventing social engineering in financial institutions.
2339
Joe has a story about fake websites with advanced profiling tools and malicious software by OceanLotus, Dave's story is about sites that ask if it's ok to send you notifications, The Catch of the Day comes from a listener named William who received a phishing email from the boss, and later in the show, Dave's conversation with Mike Slaugh from USAA on his predictions for 2021 and best practices for organizations to protect themselves and consumers, including creating better means of identity verification. Links to stories: OceanLotus: Extending Cyber Espionage Operations Through Fake Websites Be Very Sparing in Allowing Site Notifications Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 03, 2020
Network Time Protocol (NTP) attack (noun) [Word Notes]
397
A reflection or amplification distributed denial-of-service attack in which hackers query Internet network time protocol servers, NTP servers for short, for the correct time, but spoof the destination address of their target victims.
Dec 01, 2020
smishing (SMS phishing) (noun) [Word Notes]
277
From the intrusion kill-chain model, the delivery of a “lure” via a text message to a potential victim by pretending to be some trustworthy person or organization in order to trick the victim into revealing sensitive information. Smishing is a portmanteau word made of two other words, the acronym “SMS” and the cyber coinage “phishing.” It’s a text-message-centric variation of the email-based phishing scams that have been around since the 1990s. The term “smishing” arose in the late 2000s.
Dec 01, 2020
Encore: Wearing a mask in the Oval Office and the art of deception.
2613
Joe shares his Classic Cons Part 3, Dave has an Apple device scam story, The Catch of the Day is your assassination heads-up, and later in the show our interview with Jonna Mendez, retired CIA intelligence officer and former Chief of Disguise. Link to story: Twitter Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Nov 26, 2020
port mirroring (noun) [Word Notes]
277
A network switch configuration setting that forwards a copy of each incoming and outgoing packet to a third switch port. Also known as SPAN or Switched Port Analyzer, RAP or Roving Analysis Port, and TAP or Test Access Point. When network managers and security investigators want to capture packets for analysis, they need some sort of generic TAP or Test Access Point. You can buy specialized equipment for this operation but most modern switches have this capability built in. 
Nov 24, 2020
The public's expectations are changing.
2443
Dave has a story about the security risks of your outbound email, Joe's story is about a fake company, Ecapitalloans, using fake BBB affiliation, The Catch of the Day comes from a listener named Max with a new work phone with curious activity from previous number owner, and later in the show, Dave's conversation with Bill Coletti, crisis communications and reputation management expert at Kith, and author of the book Critical Moments: A New Mindset for Reputation Management.  Links to stories: The 2020 Outbound Email Data Breach Report Finds growing email volumes and stressed employees are causing rising breach risk BBB Warning: Ecapitalloans steals personal information and money from loan applicants Ecapitalloans.co Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Nov 19, 2020
shadow IT (noun) [Word Notes]
294
Technology, software and hardware deployed without explicit organizational approval. In the early days of the computer era, from the 1980s through the 2000s, security and information system practitioners considered shadow IT as completely negative. Those unauthorized systems were nothing more than a hindrance that created more technical debt in organizations that were already swimming in it with the known and authorized systems.
Nov 17, 2020
Network Detection and Response (NDR) (noun) [Word Notes]
379
NDR tools provide anomaly detection and potential attack prevention by collecting telemetry across the entire intrusion kill chain on transactions across the network, between servers, hosts, and cloud workloads, and running machine learning algorithms against this compiled and very large data set. NDR is an extension of the EDR, or endpoint detection and response, idea that emerged in 2013.
Nov 17, 2020
Ransomware: Statistically, it's likely to happen to anybody.
2180
Joe has a story about how Emotet is being used in phishing emails through thread hijacking, Dave's story is a two-fer: one is about bad guys using image manipulation and the other has Elon Musk giving away Bitcoin again taking advantage of the US election, The Catch of the Day is from a listener named John about an email-based vishing attack, and later in the show, we welcome back Kurtis Minder of GroupSense on the burgeoning ransomware negotiation industry.  Links to stories: Spike in Emotet activity could mean big payday for ransomware gangs Sneaky Office 365 phishing inverts images to evade detection Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Nov 12, 2020
remote access Trojan or RAT (noun) [Word Notes]
282
From the intrusion kill chain model, a program that provides command and control services for an attack campaign. While the first ever deployed RAT is unknown, one early example is Back Orifice, made famous by the notorious hacktivist group called “The Cult of the Dead Cow,” or cDc. Back Orifice was written by the hacker Sir Dystic, a.k.a. Josh Bookbinder, and released to the public at DEFCON in 1998.
Nov 10, 2020
Too good to be true.
2176
Dave has a story about a fake Facebook copyright violation scam trying to trick you out of your 2FA code to get into your account, Joe's story is about the largest elder fraud scam in US history, The Catch of the Day is about a scam using a Google verification code and includes Hacking Humans in the response, and later in the show, Mallory Sofastaii from WMAR Baltimore returns with her reporting on a fake website luring victims through social media ads. Links to stories and Catch of the Day: Facebook “copyright violation” tries to get past 2FA – don’t fall for it! Feds Bust Massive Magazine-Subscription Scam Targeting Older Consumers Feds in Minnesota charge 60 in $335M magazine fraud that defrauded seniors nationwide Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Nov 05, 2020
business email compromise or BEC (noun) [Word Notes]
227
A social engineering scam where fraudsters spoof an email message from a trusted company officer that directs a staff member to transfer funds to an account controlled by the criminal. 
Nov 03, 2020
David Sanger on the HBO documentary based off his book, "The Perfect Weapon". [Special Edition]
1800
On this Special Edition, our extended conversation with author and New York Times national security correspondent David E. Sanger. The Perfect Weapon explores the rise of cyber conflict as the primary way nations now compete with and sabotage one another.
Nov 01, 2020
The Malware Mash!
185
Oct 30, 2020
New consequences, extortion and cyber insurance.
2423
Joe has a story about a woman who called a fake customer service number and got scammed, Dave's story talks about how phishing kits are not that hard to find, just check YouTube, The Catch of the Day is an opportunity for a listener to remove their name from the BLACKLIST, and later in the show, Dave's conversation with John Pescatore from SANS on Thinking Through the Unthinkable: Should You Pay Off a Ransomware Demand. Links to stories and Catch of the Day: Local Doctor Scammed After Calling Fake Customer Service Number Phishing kits as far as the eye can see Sawyer Dickey: "Your name is in the US.BLACKLIST which makes it impossible for you to send money" Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Oct 29, 2020
anagram (noun) [Word Notes]
214
A word, phrase, or sentence formed from another by rearranging its letters. For example, cracking a columnar transposition cipher by hand involves looking for anagrams.
Oct 27, 2020
What is true and important versus what is the spin.
2137
Dave's story is about some cybercriminal gangs that have stolen $22 million from users of the Electrum wallet app, Joe's story talks about how a business email compromise scam cost a US company $15 million, The Catch of the Day is a gift card scam that includes references to the movie National Treasure, and later in the show, Dave's conversation with Bill Harrod, Federal CTO of MobileIron, on election disinformation campaigns. Links to stories and Catch of the Day: Bitcoin wallet update trick has netted criminals more than $22 million The anatomy of a $15 million cyber heist on a US company Uno reverses, 50000 credits worth of nitrous oxide, Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Oct 22, 2020
rogue access point (noun) [Word Notes]
247
1. A wireless access point installed by employees in an office or data center environment as a convenience to connectivity, without the consent or the knowledge of the network manager. 2. A wireless access point, sometimes called an Evil Twin, installed by a cyber adversary in or near an office or data center environment, designed to bypass security controls, gain access, and/or surveil the network traffic of the victim’s network. Both kinds, the employee-installed and the adversary-installed rogue access points, increase the attack surface of the organization. The employee-installed device, because of its electronic footprint range, might make it easier for hackers and mischief makers outside of the organization’s network to bypass the corporate security controls and gain access without permission. The adversary-installed device is designed specifically to bypass the security controls of the target network.
Oct 20, 2020
Use a Dance Dance Revolution floor lock for your data centers.
2168
Starting with some listener follow-up on password managers, Joe's story has an angel investor bilking people out of due diligence fees, Dave's story comes from Graham Cluley on a malware campaign talking about details on Donald Trump's COVID-19 status, The Catch of the Day is an animal vaccine phishing scam, and later in the show, we’ve got a special treat for you: David Spark from the The CISO/Security Vendor Relationship Series podcast joins us to play the Best Worst Idea game.  Links to stories: Promising Infusions of Cash, Fake Investor John Bernard Walked Away With $30M Hackers disguise malware attack as new details on Donald Trump’s COVID-19 illness Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Oct 15, 2020
darknet (noun) [Word Notes]
287
A subset of the internet where communications between two parties or client-server transactions are obscured from search engines and surveillance systems by layers of encryption. The U.S. Navy designed the original Darknet by developing The Onion Router network, or TOR, back in the 1990s. Roger Dingledine and Nick Mathewson deployed the first alpha implementation in 2002 with some initial funding by the Electronic Frontier Foundation (EFF). The TOR Project became a non-profit in 2006 and is funded by the U.S., Sweden, different NGOs, and individual sponsors.
Oct 13, 2020
Don't click any button...even the 'No' button.
2526
Dave's story is about how some adware took a turn for the worse (and how his dad has fallen for adware in the past), Joe's story talks about how someone is trying to phish AT&T employees and others, The Catch of the Day is an OfferUp scam involving an RTX 3080 (you gamers know what that is), and later in the show, Dave's conversation with Caleb Barlow from Cynergistek reacting to the recent story of the tragic death of a woman due to hospital ransomware. Links to stories: Linkury adware caught distributing full-blown malware Phishing Page Targets AT&T’s Employee Multi-Factor Authentication Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Oct 08, 2020
phishing (verb) [Word Notes]
257
From the intrusion kill chain model, the delivery of a “lure” to a potential victim by pretending to be some trustworthy person or organization in order to trick the victim into revealing sensitive information. According to Knowbe4, the word “phishing” first appeared in a Usenet newsgroup called AOHell in 1996 and some of the very first phishing attacks used AOL Instant Messenger to deliver fake messages purportedly from AOL employees in the early 2000s. The word is part of l33tspeak that started in the early days of the internet (1980s) as a shorthand to let readers know the author was part of the hacker community. In this case, the letters “ph” replace the letter “f” in the word fishing, as in “I fish, with an ‘f,’ for bass in the lake.” In hacking, “I phish, with a ‘ph,’ for login credentials from key employees at my target’s organization.”
Oct 06, 2020
Cookies make for some tasty phishing lure.
2163
In addition to his regular story Dave shares a situation where his mom almost took the bait, Dave's story is about an SMS phishing (smishing) Apple scam in UK (ps, there's never a free iPhone & Joe is still not an Apple fan), Joe's story talks about why you don't trust anything political on a social network, The Catch of the Day is from a Reddit user invited to join the Illuminati game, and later in the show, Dave's conversation with Alex Mosher from MobileIron on MobileIron's Phishing with Cookies Campaign. Links to stories and Catch of the Day: SMS phishing scam pretends to be Apple “chatbot” – don’t fall for it! Chinese propaganda network on Facebook used AI-generated faces Catch of the Day on Reddit Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Oct 01, 2020
credential stealing (verb) [Word Notes]
229
From the intrusion kill chain model, the first part of an exploitation technique where the hacker tricks their victims into revealing their login credentials. In the second part of the technique, hackers legitimately log into the targeted system and gain access to the underlying network with the same permissions as the victim. Hackers use this method 80% of the time compared to other ways to gain access to a system like developing zero day exploits for known software packages. The most common way hackers steal credentials is with some version of a phishing attack.
Sep 29, 2020
It's human nature.
2021
Dave and Joe have some follow-up from a listener on OG accounts, Joe's story talks about a new phishing campaign inspired by Twitter from earlier this summer, Dave shares a story about using security awareness training as phishing lures, The Catch of the Day is a SunTrust phishing scam, and later in the show, Dave's conversation with Tim Sadler from Tessian on the Psychology of Human Error report. Links to stories and Catch of the Day: New Twitter phishing scam inspired from Twitter’s latest security response This security awareness training email is actually a phishing scam Catch of the Day on Twitter Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Sep 24, 2020
The Bombe (noun) [Word Notes]
255
An electro-mechanical device used to break Enigma-enciphered messages about enemy military operations during the Second World War. The first bombe, named Victory and designed by Alan Turing and Gordon Welchman, started code-breaking at Bletchley Park on 14 March 1940, a year after WWII began. By the end of the war, five years later, almost 2,000 people, mostly women, sailors and airmen, operated 211 bombe machines in the effort. The allies essentially knew what the German forces were going to do before the German commanders in the field knew. Historians speculate that the effort at Bletchley Park shortened the war by years and estimate the number of lives saved to be between 14 and 21 million.
Sep 22, 2020
Your information is already on the Dark Web.
2160
Dave and Joe have some follow-up on mobile banking apps, Dave talks about the website bitcoinabuse.com, Joe's story is a piece Brian Krebs did on old Gmail addresses and people using them, either errantly or maliciously, to create accounts, The Catch of the Day is about a Netflix-themed campaign that's currently running, and later in the show, Dave's conversation with Shai Cohen from TransUnion on identity fraud at the center of many digital COVID-19 scams. Links to stories: Bitcoin Abuse Database The Joys of Owning an ‘OG’ Email Account Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Sep 17, 2020
cross-site scripting (noun) [Word Notes]
226
From the intrusion kill chain model, a malicious code delivery technique that allows hackers to send code of their choosing to their victim’s browser. XSS takes advantage of the fact that roughly 90% of web developers use the JavaScript scripting language to create dynamic content on their websites. Through various methods, hackers store their own malicious JavaScript code on unprotected websites. When the victim browses the site, the web server delivers that malicious code to the victim’s computer and the victim’s browser runs the code.
Sep 15, 2020
The story is what gets people in.
2059
Joe shares a story on the ability to make a scam work through storytelling skills, Dave's story is about a guy duping a convenience store clerk into letting him take over her shift and later robbing the place, The Catch of the Day is about an email from a fake landlord, and later in the show, Dave's conversation with Mallory Sofastaii, a reporter and anchor at WMAR2, on her story Impostor uses Maryland man's identity to steal unemployment insurance benefits. Links to stories and Catch of the Day: The Age-Old Secrets of Modern Scams Twitter: @findmyscammer Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Sep 10, 2020
penetration test (noun) [Word Notes]
248
The process of evaluating the security of a system or network by simulating an attack on it. Sometimes called "ethical hacking" or white hat hacking. The phrase started to appear in U.S. military circles in the mid 1960s as time sharing computers became more necessary for daily operations. Computer security experts from Rand Corporation began describing computer compromises as “penetrations.” By the early 1970s, government leaders formed tiger teams of penetration testers to probe for weaknesses in various government systems.
Sep 08, 2020
It's evolving rapidly and getting more furious by the minute.
2227
Dave & Joe have a tip as some follow-up on cloning social media accounts, Dave's story is about turning the tables on hackers in the UK, Joe talks about Kaspersky's spam and phishing report, The Catch of the Day is from a listener, Bob, who received an email from Eddy looking for the love of a woman (but Bob is not a woman), and later in the show, Dave's conversation with Max Heinemeyer from Darktrace on threats that he and his team have tracked throughout the onset and spread of COVID. Links to stories: Boomer outsmarts hackers: “Kiss your cash goodbye” Spam and phishing in Q2 2020 Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Sep 03, 2020
social engineering (noun) [Word Notes]
250
The art of convincing a person or persons to take an action that may or may not be in their best interests. Social engineering in some form or the other has been around since the beginning of time. The biblical story of Esau and Jacob might be considered one of the earliest written social engineering stories. As applied to cybersecurity, it usually involves hackers obtaining information illegitimately by deceiving or manipulating people who have legitimate access to that information. Common tactics involve phishing attacks and watering hole attacks.
Sep 01, 2020
Take a deep breath.
2177
Joe's story is about the effectiveness of social media account cloning, Dave talks about toll fraud, The Catch of the Day is a Bitcoin scam with some scam baiting on the side, and later in the show, Dave's conversation with Ben Rothke from Tapad on his Medium piece: A conversation with an iTunes card scammer. Links to stories: Attack of the Instagram clones A Game of Phones: Fighting Phone Phreaks in the 21st Century Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Aug 27, 2020
man trap (noun) [Word Notes]
282
A physical security access control device consisting of an enclosed hallway with interlocking doors on each end, where both doors can’t be open at the same time. A person presents credentials to the entry doorway. If authorized, the entry door opens and the person walks into the man trap. The man trap exit door will not open until the entry door closes. The person presents credentials to the exit door. If authorized, the exit door will open. If not, the person is captured in the man trap until security arrives to handle the situation. Physical security leadership installs man traps to separate unrestricted areas from restricted areas, to prevent tailgating by uncleared personnel, and to impede access by unauthorized persons.
Aug 25, 2020
Many times it is less sophisticated than we think.
2422
Dave's story is about robocalls to a telephony honeypot, Joe talks about postcards impersonating HIPAA communications (you have one? please let Joe know), The Catch of the Day is an email that our editor, Tom, received from the FBI about his COVID-19 death, and later in the show, Dave's conversation with Rachel Tobac from SocialProof with her insights on the Twitter hack. Links to stories: A simple telephony honeypot received 1.5 million robocalls across 11 months Fraudulent HIPAA Communications: An Alert from the Office for Civil Rights Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Aug 20, 2020
Zero-day (adjective) [Word Notes]
237
A class of software security weaknesses where independent researchers discover a software flaw before the owners of the code discover it. Zero-day, or 0-day in hacker slang, refers to the moment the race starts, on day zero, between network defenders who are trying to fix the flaw and hackers who are trying to leverage it to cause damage. It is a race because on day zero, there is no known fix to the issue.
Aug 18, 2020
Flying under the radar.
1776
Dave's story is about a forgotten scam, Joe talks about the recent Twitter hack, The Catch of the Day is a pretty standard phishing email for you to be on the lookout for, and later in the show, Dave's conversation with Carolyn Crandall from Attivo Networks on why human-controlled ransomware, Ransomware 2.0, is so threatening to today’s remote businesses. Links to stories: Question Quiz - The Forgotten Scam The Teenager Allegedly Behind the Twitter Hack and How He Did It Catch of the Day: Fake email notice for business owners on Bluehost. Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Aug 13, 2020
NMAP (noun) [Word Notes]
233
A network mapping tool that pings IP addresses looking for a response and can discover host names, open communications ports, operating system names and versions. Written and maintained by Gordon Lyon, a.k.a. Fyodor, it is a free and open source software application used by both system admins and hackers alike and has been a staple in the security community for well over two decades.
Aug 11, 2020
Ignore the actor, focus on the behavior.
2022
Dave shares a horrific cyberstalking story from the local area, Joe's story is about a phishing campaign impersonating voicemail alerts, The Catch of the Day is an HR front for a check floating scam, and later in the show, Dave's conversation with Johnathan Hunt of GitLab on his perspective on dealing with bad actors: ignore them. Links to stories: Anne Arundel man sentenced for ‘cyberstalking’ ex-girlfriend by hacking her accounts and getting her arrested New Voicemail-Themed Phishing Attacks Use Evasion Techniques and Steal Credentials Catch of the Day: I was just super bored. But now I have something to do. Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Aug 06, 2020
Be the custodian of your own digital identity.
2035
Dave talks about a deepfake recording impersonating a CEO, Joe's story is about a new phishing campaign, The Catch of the Day is a very persistent cash app scammer, and later in the show, Dave's conversation with Bruce Esposito from One Identity on digital identities and what they could mean for privacy. Links to stories: Listen to This Deepfake Audio Impersonating a CEO in Brazen Fraud Attempt New phishing campaign abuses a trio of enterprise cloud services Catch of the Day: Monica played dumb with a cash app scammer for 3 days.  Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jul 30, 2020
Never think of security as a destination.
2168
Dave talks about gift card scams associated with YouTube live streams, Joe's story is about a scam impersonating Canadian hospital staff, The Catch of the Day is a phish impersonating a small game developer going after podcasters, and later in the show, Dave's conversation with Richard Torres from Syntax on phishing attacks increasing 350% during COVID-19. Links to stories: PSN / XBOX / STEAM CODES GIVEAWAY | V BUCKS GIVEAWAY Scam impersonating hospital staff, phishing for personal information: VCH Catch of the Day: Cellar Door Games impersonation Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jul 23, 2020
A little dose of skepticism.
2066
We have some listener follow-up sharing dnstwister.report site, Dave has a story of consent phishing, Joe talks about calendar invite phishing, The Catch of the Day is a lazy money multiplying scam, and later in the show, Dave's conversation with Don MacLennan from Barracuda Networks on brand impersonation. Links to stories: Microsoft warns of Office 365 phishing via malicious OAuth apps Abnormal Attack Stories: Calendar Invite Phishing Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jul 16, 2020
Send me money so I know you are real.
2274
We have some follow-up, and this time, Joe was not right, Dave's story is about a poison-selling scam, Joe's is about an impersonation site, The Catch of the Day claims to be notice of a United Nations payment, and later in the show, Dave's conversation with Satnam Narang from Tenable on the increase of giveaway scams on Venmo, PayPal and Cash App due to the opportunity provided by the economic fallout of COVID-19. Links to stories: How to Passcode-Lock Any App on Your Phone Privnotes.com Is Phishing Bitcoin from Users of Private Messaging Service Privnote.com Catch of the Day: 7 Spam Email Examples that Will Make You LOL Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jul 09, 2020
Because they deserve the money!
2164
Dave's story shows Macs are not immune, Joe talks about a dark place in his soul (aka survey scams), some listener follow-up saying Joe was right!, The Catch of the Day is an advance-fee scam from the US government, and later in the show, Dave's conversation with Aviv Grafi from Votiro on a multistage attack using a zero day exploit to deliver a trojan relating to COVID-19 Stay at Home orders. Links to stories: New Shlayer Mac malware spreads via poisoned search engine results Anatomy of a survey scam – how innocent questions can rip you off Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jul 02, 2020
Close in your pajamas.
2178
Joe shares a different spin on ransom attacks, Dave has a story on phone number reuse, The Catch of the Day is a notice from British Gas (accent included), and later in the show, Dave's conversation with Stan Holland from Atlantic Bay Mortgage on their experience adapting to COVID-19. Links to stories: Extortionists threaten to destroy sites in fake ransom attacks How I Accidentally Hijacked Someone's WhatsApp Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jun 25, 2020
It can happen to anybody.
2642
Dave shares a story of an attempt on his father's Verizon account, Joe has the story of an Amazon gift card phishing attempt, The Catch of the Day is a funny phishing email, and later in the show, Joe checks in with Kurtis Minder from GroupSense. They dig a little deeper into some of the topics Kurtis discussed in his previous appearance on our show.  Link to story: Multifactor Authentication Hacking is Getting Real Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jun 18, 2020
Taking a selfie with your ID.
2260
Joe talks about HROs (High Reliability Organizations), Dave has a scam on Upwork gigs, The Catch of the Day talks about giving a scammer the runaround, and later in the show our interview with Sanjay Gupta from Mitek on how cybercriminals are capitalizing on the recently deceased and creating synthetic identities. Links to stories: The Unaddressed Gap in Cybersecurity: Human Performance People who turned to Upwork to find freelance gigs say they've lost thousands of dollars to scams Catch of the Day: Person Tests Scammer’s Patience By Pretending To Be Not The Sharpest Tool In The Shed Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jun 11, 2020
Seniors and millennials more alike than people think.
2107
Dave has a ransomware story from inside a virtual machine, Joe talks about phishing with Google Firebase storage URLs, some listener follow-up, The Catch of the Day comes from Joe's daughter and "Apple", and later in the show our interview with Paige Schaffer from Generali Global Assistance on the digital habits of seniors and millennials and the latest scams. Links to stories: The ransomware that attacks you from inside a virtual machine Phishing in a Bucket: Utilizing Google Firebase Storage Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jun 04, 2020
HH Extra - Happy 100 shows!
550
We'd like to thank you, our dear listeners, for sticking with us and our podcast through thick and thin, bad accents and even worse ones, with this - a collection of some of our favorite Catch of the Day segments. From Australia to Brazil, Italy to the Oval Office, they're all here.  Here's to another 100 episodes. Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 28, 2020
Wearing a mask in the Oval Office.
2510
Joe shares his Classic Cons Part 3, Dave has an Apple device scam story, The Catch of the Day is your assassination heads-up, and later in the show our interview with Jonna Mendez, retired CIA intelligence officer and former Chief of Disguise. Link to story: Twitter Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 28, 2020
How scammers fill the gap.
2127
Dave has a story on a possible Disney-styled phishing email, Joe has the skinny on a circular pyramid scheme, some listener follow-up, The Catch of the Day is a YouTube verification badge for you, and later in the show our interview with Neill Feather from SiteLock. He joins us to explain how scammers fill the gap when popular retail items are sold out. Link to story: New phishing/scam email attempt Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 21, 2020
Every day you're a firefighter.
2174
Dave and Joe have a follow up for a listener, Joe has two stories on different levels of effort of phishing schemes, The Catch of the Day is looking for a sugar baby, and later in the show our interview with Marcus Carey, enterprise architect at ReliaQuest. He’s the author of the book Tribe of Hackers, and he wonders if we are living in a cybersecurity groundhog day. Links to stories: Anatomy of a Well-Crafted UPS, FedEX, and DHL Phishing Email During COVID-19 Phishers target investment brokers, aim for Office, SharePoint login credentials Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 14, 2020
Exploiting our distractions.
2150
Dave has the story of PR firms selling lies online, Joe has the story of a sophisticated Business Email Compromise attack, The Catch of the Day advises you to update your account information IMMEDIATELY, and later in the show our interview with Dave Baggett, CEO and Founder of INKY. This will be a discussion of fake stimulus payment phishing scam recently found by INKY. Links to stories: Disinformation For Hire: How A New Breed Of PR Firms Is Selling Lies Online IR Case: The Florentine Banker Group Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
May 07, 2020
Passwords are the easiest things to steal.
2571
Joe takes a look at a massive sextortion spam scheme, Dave has some advice for all of us, the Catch of the Day comes from down under, and later in the show our conversation with Andrew Shikiar, Executive Director and Chief Marketing Officer at FIDO Alliance on why phishing and passwords remain such a huge security problem and options for doing away with passwords. Links to stories: Following the money in a massive “sextortion” spam scheme When in Doubt: Hang Up, Look Up, & Call Back The Catch of the Day Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 30, 2020
Wallet inspector.
2059
Dave warns of fake QR code websites stealing Bitcoin, Joe has the return of classic cons, the Catch of the Day forgets one crucial element, and later in the show, our interview with Kurtis Minder. He’s with a company called Groupsense and they’ve been commemorating the 20th anniversary of the Dark Web. Links to stories: Network of fake QR code generators will steal your Bitcoin Paris Gold Ring Scam The Simpsons - Wallet Inspector Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 23, 2020
They're getting smart, but we're getting smarter.
1574
Joe has the story of a cold-calling conman, Dave has a story of vindication for seniors who lost money in phone scams, the Catch of the Day has Joe doing his research, and later in the show my conversation with Dustin Warren from SpyCloud. His team has been monitoring criminal forums during the COVID-19 pandemic, and he’s here to share what they’ve been seeing. Links to stories: Coronavirus conman barges in on 83-year-old woman Western Union Paying $153M In Compensation To Seniors Who Lost Money In Phone Scams Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 16, 2020
Even famous people get scammed.
2081
Dave has the story of a Walking Dead actress raising money for a scammer, Joe has an article warning of government websites giving bad security advice, the Catch of the Day tries to put the fear of God in its victim, and later in the show Carole Theriault returns with an interview with a couple of researchers from a firm called Lookout, who analyzed a phishing scam with over four thousand victims. Links to stories: Lehigh Valley cancer scammer ensnares ‘Walking Dead’ actress US Government Sites Give Bad Security Advice It’s Way Too Easy to Get a .gov Domain Name The Catch of the Day: https://twitter.com/thedave2006/status/1223736469568851969 Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 09, 2020
Shedding light on the human element.
1907
Joe has the story of a very exposing scam, Dave has the scoop on a rare BadUSB attack, The Catch of the Day is a 'lame scammer who needs to get a life' and later in the show our conversation with Tom Miller from ClearForce on continuous discovery in the workplace, and the human side of protecting your business. Links to stories: ‘What kind of breast check-up would need my face?’: Woman falls victim to Facebook Messenger scam Rare BadUSB attack detected in the wild against US hospitality provider Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Apr 02, 2020
Paging Dr. Dochterman.
2467
Dave shares an example of modern-day snake oil, Joe brings us his favorite old-time scams, the Catch of the Day is straight from Dr. Dochterman - you really can't make this stuff up - and later in the show Joe speaks with Scott Knauss - a security consultant who was targeted by scammers. Links to stories: Coronavirus Scam Alert: Beware Fake Fox News Articles Promising A CBD Oil Cure Slowing the Scammers Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Mar 26, 2020
Disinformation vs. misinformation.
1810
Dave shares the story of a malicious website posing as a Coronavirus map supposedly from Johns Hopkins University, Joe has the story of an elderly woman who lost a lot of money to two men claiming her grandson was in a car accident, the Catch of the Day's dying wish is to give you money to build an orphanage, and later in the show Carole Theriault returns and speaks with Samuel C. Woolley from University of Texas at Austin on disinformation campaigns. Links to stories: the Botometer The Catch of the Day: Been going back and forth with these a-holes for a few weeks now. More pictures in comments. Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Mar 19, 2020
Winking emoji.
1890
Joe shares the story of a phishing website posing as the Singapore Police site, Dave shares a harmful, simple little message, the Catch of the Day drags her scammer through the mud and asks if he wants his casserole dish back. Later in the show our conversation with Gretel Egan from Proofpoint on their 2020 State of the Phish report. Links to stories: SPF warns of phishing website posing as police site Nemty Ransomware Actively Distributed via 'Love Letter' Spam 2020 State of the Phish Report The Catch of the Day: “My Wife Spent Three Days Trolling A Scammer” Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Mar 12, 2020
Don't go looking for morality here.
2229
Dave has a story of an investment scam featuring celebrities, Joe warns of scams surrounding the Coronavirus, the Catch of the Day features Joe's son-in-law's adventure with thousands of bot infiltrations, and later in the show, Dave's extended interview with magicians and entertainers Penn and Teller at RSAC 2020 in San Francisco. Links to stories: Revealed: fake 'traders' allegedly prey on victims in global investment scam Coronavirus: Scammers follow the headlines Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Mar 05, 2020
The art of cheating.
2020
Joe shares some insights into the art of cheating travelers, Dave has a story of a woman facing drug charges for trying to kidnap another woman's baby, an update on last week's bizarre phone scam, The Catch of the Day features otters, sexy ham, frustrated scammers and... you're just going to need to listen. Later in the show, our interview with Tim Sadler from Tessian on the human element of cybersecurity and phishing schemes. Links to stories: The art of cheating travelers at dhabas Woman who posed as baby photographer charged after drugging a mother and planning to steal her child, prosecutors say The Catch of the Day Inside a scam call center Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 27, 2020
Hi, I'm trying to steal your money.
1795
Dave shares the most bizarrely honest phone scam of all time, Joe has a pretend PayPal phishing scam, the Catch of the Day finally lets Dave show us his best Blanche Devereaux, and later in the show Christopher Hadnagy from Social Engineer LLC returns with an update on the trends he’s been tracking. Links to stories: Active PayPal Phishing Scam Targets SSNs, Passport Photos Current PayPal phishing campaign or "give me all your personal information" Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 20, 2020
Fake news and misplaced trust.
2000
Joe shares a collection of romance scams from the Great Plains, Dave has a report which uncovered a root system of fake news, the catch of the day comes straight from... Warren Buffett? Later in the show Carole Theriault speaks with Lisa Forte from Red Goat on how her experiences working with the police have informed her perspective on the human factors in cyber security. Links to stories: Don't Get CatPhished This Valentine's Day By a Scammer These Fake Local News Sites Have Confused People For Years. We Found Out Who Created Them. Researchers propose detecting deepfakes with surprising new tool: Mice Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 13, 2020
I wouldn't want my computer to be disappointed.
1742
Dave finally has good news. Joe shares a fake website created by the US Trading Commission... which doesn't exist. The catch of the day threatens FULL DATA LOSS! Later in the show, our conversation with Anna Collard, founder of the security content publisher Popcorn Training, a South African company that promotes cyber security awareness by using story-based techniques. Our conversation centers on the state of cyber security in Africa. Links to stories: DOJ sues US telecom providers for connecting Indian robocall scammers The aforementioned DOJ complaint Uncle Sam compensates you for data leaks (yeah, right) Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Feb 06, 2020
They had no idea.
1809
Dave shares a particularly exposing sextortion scam. Joe has a story of a million-dollar scam that targeted college students in Miami just trying to pay their tuition. The catch of the day comes straight from The U.S. President. Later in the show, part two of Carole Theriault's interview with Jamie Bartlett, the brains and host behind The Missing Cryptoqueen, an amazing BBC podcast about trying to get to the bottom of the OneCoin scam. Links to stories: Fresh New Nest Video Extortion Scam Plays Out Like a Spy Game WeChat and stolen credit cards: How scammers victimized Miami Chinese college students Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 30, 2020
Flipping the script.
1818
Dave's phone is blowing up with smishing attempts. Joe shares a story about fake license renewal attempts from The New Zealand Transportation Agency. The catch of the day flips the script on their attacker. Later in the show Carole Theriault speaks with Jamie Bartlett, the brains and host behind The Missing Cryptoqueen, an amazing BBC podcast about trying to get to the bottom of the OneCoin scam. Links to stories: Fresh Apple #Phishing found The catch of the day Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 23, 2020
Life in the (second) age of pirates.
1887
Dave has an account from a man who was almost scammed by an impersonation of his own close friend. Joe has the story of a sophisticated phishing scheme involving Microsoft Office 365. The catch of the day goes all the way back to the age of pirates. Carole Theriault interviews Andrew Brandt from Sophos regarding their 2020 threat report. Links to stories: Tricky Phish Angles for Persistence, Not Passwords SophosLabs 2020 Threat Report Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 16, 2020
Ransomware is a reality.
1730
Dave has a master list of cyberbadness. Joe has some handy red flags this tax season straight from our beloved IRS. The catch of the day features an alluring proposition from someone who is probably not "Sofia". Our guest is Devon Kerr with Elastic Security Intelligence and Analytics who shares his insights about Ransomware. Links to stories: 7 types of virus – a short glossary of contemporary cyberbadness Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 09, 2020
Leading by example and positive reinforcement.
1761
Dave has a warning from a galaxy far, far away. Joe has a report of a scam attempt on a listener who fancies fancy pens. The catch of the day features a Tinder dating app bot scam. Our guest is Dennis Dillman from Barracuda Networks, sharing his thoughts on employee training. Links to stories: https://www.bleepingcomputer.com/news/security/fake-star-wars-streaming-sites-steal-fans-credit-cards/ Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Jan 02, 2020
Telling The Truth In A Dishonest Way - Rebroadcast
1860
Today's episode is a re-broadcast of an episode from August 2018. Dave looks at Hollywood script pitch event scams. Joe describes a romance scam murder scheme. Spontaneously combusting ATM cards. Guest Jayson E. Street from SphereNY describes his security awareness engagements. Links to stories mentioned in this week's show: https://www.hollywoodreporter.com/news/why-are-wannabe-screenwriters-getting-scammed-1130919 https://nakedsecurity.sophos.com/2018/08/17/romance-scam-victim-allegedly-plotted-to-kill-her-mother-for-cash/ Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 26, 2019
Managing access and insider threats.
1879
Joe's wife has been getting suspicious shipping notices. Dave describes a phone scam where crooks intercept phone calls. The catch of the day turns the tables on a would-be scammer. Carole Theriault speaks with Peter Draper from Gurucul about their 2020 Insider Threat Report. Links to stories: https://www.ctvnews.ca/canada/police-warn-of-new-phone-scam-where-criminals-intercept-your-calls-1.4706758 Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 19, 2019
If you didn't ask for it don't install it.
1641
Dave describes a gas-pump hidden camera scam. Joe shares the story of a fraudulent Microsoft Windows Update notice. The catch of the day involves a scammer making use of an online celebrity's profile picture. Our guest is Karl Sigler from Trustwave with tips for staying safe online through the holidays. Links to stories: https://krebsonsecurity.com/2019/11/hidden-cam-above-bluetooth-pump-skimmer/ https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/fake-windows-update-spam-leads-to-cyborg-ransomware-and-its-builder/ Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 12, 2019
I really wanted that shed.
1889
Joe shares the story of a woman losing her life savings to a scammer claiming to be from the FBI. Dave describes the $139 shed scam. The catch of the day is another threat of revealing compromising photos. Carole Theriault speaks with Chris Bush from ObserveIT about security threats from employee burnout. Links to stories: https://www.wsj.com/articles/robocall-scams-exist-because-they-workone-womans-story-shows-how-11574351204 https://youtu.be/zFQUCCbodHc Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 05, 2019
Security has to be friendly.
1775
Dave wonders about Juice Jacking warnings. Joe shares findings from Agari's latest email fraud and identity deception report. The catch of the day promises romance in exchange for airline tickets. Our guests are David Spark and Allan Alford, cohosts of the Defense in Depth podcast. Links to stories: https://www.goodmorningamerica.com/travel/story/travelers-beware-juice-jacking-public-charging-stations-safely-67004765 https://www.agari.com/cyber-intelligence-research/e-books/q4-2019-report.pdf https://cisoseries.com/introducing-defense-in-depth-podcast/ Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Nov 21, 2019
Skepticism is the first step.
1986
Joe shares stories of typo-squatting. Dave warns us against responding to malicious email, even just for fun. The catch of the day is from a listener, leading on a romance scammer. Carole Theriault returns with an interview with Chris Olson from The Media Trust on how targeted advertising can enable election interference. Links from this week's stories: https://www.securityweek.com/err-human-squat-criminal https://info.phishlabs.com/blog/dont-respond-suspicious-emails Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Nov 14, 2019
When you are the target, objectivity is gone.
1886
Joe shares a report on who's more susceptible to scams. Dave shares a story from a listener who was hit by a scam attempt while staying at a hotel. Our catch of the day involves an attempt to scam someone selling a motorcycle. Our guest is Maria Konnikova, an award-winning author, journalist, and international champion poker player. Her latest book is The Biggest Bluff. Links to stories: https://www.washingtonpost.com/business/2019/10/28/this-might-surprise-you-seniors-are-not-more-susceptible-scams-younger-adults-are/ https://www.ftc.gov/system/files/documents/reports/protecting-older-consumers-2018-2019-report-federal-trade-commission/p144401_protecting_older_consumers_2019_1.pdf https://twentytwowords.com/man-gets-revenge-on-craigslist-scammer-in-the-most-satisfying-way-imaginable/ Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Nov 07, 2019
The Malware Mash!
231
Happy Halloween from Joe, Dave, and everyone at the CyberWire!
Oct 31, 2019
Don't dismiss the fraudsters.