Hacking Humans

Épisodes disponibles

5 sur 719

Lost iPhone, found trouble.
This week, our hosts ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Dave Bittner⁠⁠⁠⁠⁠⁠⁠⁠, ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Joe Carrigan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠, and ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Maria Varmazis⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ (also host of the ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠T-Minus⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Space Daily show) are sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. We start with some follow up on China sentencing five members of a violent Kokang-based gang to death for running brutal scam compounds in Myanmar. And in related news, China has also extradited alleged scam kingpin She Zhijiang, a major figure behind one of Southeast Asia’s largest fraud hubs, as Beijing intensifies its crackdown on global cyber-fraud networks. Listener Jon reports a new twist on sextortion, where scammers used an unsolicited FaceTime call to capture an image, generate an AI-manipulated obscene photo, and then extort an employee using publicly scraped contact lists. Joe’s story is on Anthropic’s claim that attackers jailbroke its Claude model to carry out what it calls the first AI-orchestrated cyber-espionage campaign, a narrative now being challenged by researchers like Dan Goodin and Dan Tentler, who argue the attack was far less “autonomous” than advertised and comparable to long-standing hacking tools rather than a breakthrough in offensive AI. Dave’s story is on a new phishing scam where attackers use the contact info displayed on a lost iPhone’s lock screen to send fake “Find My” texts claiming the device was found, luring victims to a spoofed Apple login page to steal their Apple ID and bypass Activation Lock. Maria has the story on Zimperium’s Mobile Shopping Report, which shows that during the holiday season mobile threats surge across mishing, fake retail and payment apps, and app-level vulnerabilities—making this the peak time for scammers to exploit shoppers with spoofed texts, malicious apps, and insecure SDKs hidden inside legitimate shopping tools. Our catch of the day comes from the phishing subreddit as someone is impersonating a woman who is sick with cancer asking for the victim to take care of their money. Resources and links to stories: ⁠⁠⁠⁠China sentences 5 to death for building, running criminal gang fraud centers in Myanmar's lawless borderlands Man Accused of Running Southeast Asia Scam Compound Is Extradited to China Disrupting the first reported AI-orchestrated cyber espionage campaign Researchers question Anthropic claim that AI-assisted attack was 90% autonomous Lost iPhone? Don’t fall for phishing texts saying it was found ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Have a Catch of the Day you'd like to share? Email it to us at ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠[email protected]⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠.
--------
55:59
--------
55:59
Trusted Platform Module (TPM) (noun) [Word Notes]
Please enjoy this encore of Word Notes. A browser configuration control that prevents accessing resources within a private network. CyberWire Glossary link: ⁠https://thecyberwire.com/glossary/trusted-platform-module⁠ Audio reference link: “⁠TPM (Trusted Platform Module) - Computerphile⁠,” Computerphile, 23 July 2021
--------
6:38
--------
6:38
Tap, pay…and prey.
This week, our hosts ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Dave Bittner⁠⁠⁠⁠⁠⁠⁠, ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Joe Carrigan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠, and ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Maria Varmazis⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ (also host of the ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠T-Minus⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Space Daily show) are sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. We start with some big chicken news from Joe! Dave’s story is on Meta’s internal documents revealing it projected up to 10% of its 2024 revenue, worth billions, would come from fraudulent or banned ads across its platforms. Maria has the story on how Howler Cell at Cyderes uncovered a systemic “Bring Your Own Updates” risk in Windows updaters, where attackers can hijack trusted, signed update clients like Advanced Installer to deliver malicious code that evades detection and could lead to large-scale supply-chain attacks. Joe has the story on a new scam called “ghost tapping,” where fraudsters use near-field communication devices to secretly charge tap-to-pay cards and mobile wallets in crowded places. Victims often don’t notice until small, unauthorized withdrawals add up, prompting the BBB to warn consumers to use RFID-blocking wallets, verify charges before tapping, and monitor accounts for suspicious activity. Our catch of the day is on an application to the Council of the Ecliptic. Resources and links to stories: ⁠Meta is earning a fortune on a deluge of fraudulent ads, documents show Ghost-tapping scam targets tap-to-pay users ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Have a Catch of the Day you'd like to share? Email it to us at ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠[email protected]⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠.
--------
52:49
--------
52:49
Private Network Access (PNA) (noun) [Word Notes]
Please enjoy this encore of Word Notes. A browser configuration control that prevents accessing resources within a private network. CyberWire Glossary ⁠link⁠. Audio reference link: “⁠Chrome Limits Access to Private Networks⁠,” by Daniel Lowrie, ITProTV, YouTube, 19 January 2022.
--------
5:36
--------
5:36
Seniors in scam crosshairs.
This week, our hosts ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Dave Bittner⁠⁠⁠⁠⁠⁠, ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Joe Carrigan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠, and ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Maria Varmazis⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ (also host of the ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠T-Minus⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Space Daily show) are sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. We start with some follow-up, listener Jay shared how Robinhood tackled a $25.4 billion phone scam problem with a simple fix—a bright yellow in-call banner that warns users, “We’re not calling you. If the caller says they’re from Robinhood, they’re not—hang up.” Meanwhile, Myanmar’s military blew up a major online scam center at KK Park, forcing over 1,500 people to flee into Thailand. Listener JJ reminds us it’s “CAC cards,” not just “CAC,” and Shannon reports from Scooter’s Coffee, where customers are now bringing chickens for pup cups—proving some pets really do rule the roost. Maria’s story is on Bitdefender and NETGEAR’s 2025 IoT Security Report, which found smart homes now face triple the attacks of last year—about 29 a day. Dave’s story is on a cloud architect who exposed his AWS keys online, letting attackers hijack his account for crypto-mining and phishing. His takeaway: secure keys, limit privileges, and assume it can happen to you. Joe’s got the story of scammers posing as banks or the FTC, using fake security alerts to trick older adults into draining their savings. The FTC says losses are skyrocketing—so don’t move money or trust surprise calls or pop-ups. Our catch of the day comes from the Scams SubReddit, where a scammer got way more than what they signed up for in a text chain. Resources and links to stories: Robinhood LinkedIn post. Stragglers from Myanmar scam center raided by army cross into Thailand as buildings are blown up My AWS Account Got Hacked - Here Is What Happened False alarm, real scam: how scammers are stealing older adults’ life savings Trying to scam the scammer ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Have a Catch of the Day you'd like to share? Email it to us at ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠[email protected]⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠.
--------
49:49
--------
49:49