Episodios

  • Brushed aside: The subtle scam you didn't order.

    Brushed aside: The subtle scam you didn't order.
    Jul 3 2025
    This week, our hosts⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠Dave Bittner⁠⁠, ⁠⁠⁠⁠⁠⁠⁠Joe Carrigan⁠⁠⁠⁠⁠⁠⁠, and ⁠⁠⁠⁠⁠⁠⁠Maria Varmazis⁠⁠⁠⁠⁠⁠⁠ (also host of the ⁠⁠⁠⁠⁠⁠⁠T-Minus⁠⁠⁠⁠⁠⁠⁠ Space Daily show) are back sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. We start with some follow up, as Joe shares with us a complaint he has with Vanguard. Maria’s story is on McAfee’s latest research revealing that one in five Americans has fallen for a travel scam—often losing hundreds of dollars—despite many trying to stay vigilant, as scammers use fake websites, AI-altered photos, and phishing links to exploit deal-seeking travelers. Joe’s got two stories this week: the first one is from Rachel Tobac on LinkedIn, breaking down how attackers like Scattered Spider are using phone-based impersonation, fake domains, and social engineering to breach insurance companies, and the second is on Aflac confirming it was hit in a cyberattack believed to be part of a broader campaign targeting the insurance sector, likely tied to the same threat group. Dave’s story is on brushing scams, a scheme the United States Postal Service is warning about, where scammers send unordered packages—often low-cost items—to people’s addresses so they can fraudulently post fake “verified” reviews online using the recipient’s name and address to boost product rankings. Our catch of the day is from the scams sub-Reddit, where someone shared text messages from a scammer asking for only a small favor. Complete our annual audience survey before August 31. Resources and links to stories: New McAfee Report Finds Young Adults Fall for Travel Scams More Often Than Older Generations Rachel Tobac LinkedIn Aflac Latest Insurer to Suffer Cyberattack and Data Breach Brushing Scam - Unexpected Package US Postal Inspection Service ⁠⁠⁠⁠⁠⁠⁠Have a Catch of the Day you'd like to share? Email it to us at ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠hackinghumans@n2k.com⁠⁠⁠⁠⁠⁠⁠⁠⁠.
    Más Menos
    44 m
  • The RMM protocol: Remote, risky, and ready to strike. [Only Malware in the Building]

    The RMM protocol: Remote, risky, and ready to strike. [Only Malware in the Building]
    Jul 1 2025
    Please enjoy this encore of Only Malware in the Building. Welcome in! You’ve entered, Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is ⁠⁠Selena Larson⁠⁠, ⁠⁠Proofpoint⁠⁠ intelligence analyst and host of their podcast ⁠⁠DISCARDED⁠⁠. Inspired by the residents of a building in New York’s exclusive upper west side, Selena is joined by ⁠⁠N2K Networks⁠⁠ ⁠⁠Dave Bittner⁠⁠ and our newest co-host, ⁠Keith Mularski⁠, former FBI cybercrime investigator and now Chief Global Ambassador at ⁠Qintel⁠. Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, our hosts discuss the growing trend of cybercriminals using legitimate remote monitoring and management (RMM) tools in email campaigns as a first-stage payload. They explore how these tools are being leveraged for data theft, financial fraud, and lateral movement within networks. With the decline of traditional malware delivery methods, including loaders and botnets, the shift toward RMMs marks a significant change in attack strategies. Tune in to learn more about this evolving threat landscape and how to stay ahead of these tactics.
    Más Menos
    41 m
  • The many faces of fraud.

    The many faces of fraud.
    Jun 26 2025
    This week, our hosts⁠⁠⁠⁠⁠⁠⁠ ⁠Dave Bittner⁠, ⁠⁠⁠⁠⁠⁠Joe Carrigan⁠⁠⁠⁠⁠⁠, and ⁠⁠⁠⁠⁠⁠Maria Varmazis⁠⁠⁠⁠⁠⁠ (also host of the ⁠⁠⁠⁠⁠⁠T-Minus⁠⁠⁠⁠⁠⁠ Space Daily show) are back sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. We start with some follow-up from listener Abdussobur, who wonders if a pair of suspicious text messages—one sent to his wife and another to him with a nearby address—could be the result of a data breach. Joe's story is on a surge of financial aid fraud where identity thieves, often using AI chatbots as “ghost students,” are enrolling in online college courses to steal federal funds—leaving real people like Heather Brady and Wayne Chaw with fake loans and months of bureaucratic cleanup. Dave's got the story on how the FIN6 cybercriminal group is posing as job seekers on LinkedIn to trick recruiters into opening malware-laced resumes, using deceptive tactics like fake portfolio sites and the MoreEggs backdoor to steal credentials and launch ransomware attacks. Maria's story is on a Pennsylvania woman who scammed over $800,000—nearly $466,000 from a Cedar Rapids church—by hacking emails and rerouting payments, claiming she did it under the direction of a famous British actor she was allegedly dating. Our catch of the day is on a convincing but bogus text claiming an overdue traffic fine under a fake regulation—complete with threats of license suspension and credit damage—all designed to trick recipients into clicking a malicious link. Resources and links to stories: ⁠⁠⁠⁠⁠⁠How scammers are using AI to steal college financial aid FIN6 cybercriminals pose as job seekers on LinkedIn to hack recruiters Woman scams church out of over $450,000, says famous British actor told her to do it ⁠⁠⁠⁠⁠Have a Catch of the Day you'd like to share? Email it to us at ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠hackinghumans@n2k.com⁠⁠⁠⁠⁠⁠⁠⁠.
    Más Menos
    42 m
  • OWASP vulnerable and outdated components (noun) [Word Notes]

    OWASP vulnerable and outdated components (noun) [Word Notes]
    Jun 24 2025
    Please enjoy this encore of Word Notes. Software libraries, frameworks, packages, and other components, and their dependencies (third-party code that each component uses) that have inherent security weaknesses, either through newly discovered vulnerabilities or because newer versions have superseded the deployed version. Audio reference Link: "⁠The Panama Papers: A Closer Look⁠," Late Night with Seth Meyers, YouTube, 12 April 2016
    Más Menos
    8 m
  • Gold bars and bold lies.

    Gold bars and bold lies.
    Jun 19 2025
    Please enjoy this encore of Hacking Humans. On Hacking Humans, ⁠Dave Bittner⁠, ⁠Joe Carrigan⁠, and ⁠Maria Varmazis⁠ (also host of N2K's daily space podcast, T-Minus), are once again sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines to help our audience become aware of what is out there. First we start off with some follow up, our hosts share some more information on VIN swapping, and a clarification on bank participation in FinCEN. Maria shares a telling tale about a Bethesda couple loosing $367,000 in gold bars to a sophisticated scam involving fake officials and elaborate deceptions, but a police sting led to the arrest of a suspect, highlighting a growing nationwide trend of elderly victims targeted by gold bar fraud. Joe's story comes from KnowBe4 and is on DavidB, their VP of Asia Pacific, thwarting a sophisticated social engineering attack via WhatsApp by recognizing inconsistencies in the impersonator’s behavior and verifying directly with the colleague they claimed to be. Dave's story comes from the FBI on how criminals are exploiting generative AI to enhance fraud schemes, including using AI-generated text, images, audio, and video to create convincing social engineering attacks, phishing scams, and identity fraud, while offering tips to protect against these threats. Our catch of the day comes from a listener who received an urgent email from someone claiming to be an FBI agent with a rather dramatic tale about intercepted consignment boxes, missing documents, and a ticking clock—but let's just say this "agent" might need some better training in both law enforcement and grammar. Resources and links to stories: ⁠“VIN swap scam costs Las Vegas man $50K, new truck"⁠ ⁠FinCEN⁠ ⁠Gold bar scammers claimed hackers could fund Russian missiles, police say⁠ ⁠Real Social Engineering Attack on KnowBe4 Employee Foiled⁠ ⁠Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud⁠ You can hear more from the T-Minus space daily show ⁠here⁠. Have a Catch of the Day you'd like to share? Email it to us at ⁠hackinghumans@n2k.com⁠.
    Más Menos
    46 m
  • Managing online security throughout the decades.

    Managing online security throughout the decades.
    Jun 12 2025
    This week, our hosts⁠⁠⁠⁠⁠ Dave Bittner, ⁠⁠⁠⁠⁠Joe Carrigan⁠⁠⁠⁠⁠, and ⁠⁠⁠⁠⁠Maria Varmazis⁠⁠⁠⁠⁠ (also host of the ⁠⁠⁠⁠⁠T-Minus⁠⁠⁠⁠⁠ Space Daily show) are sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. We start off with some more chicken follow up, this week, delving into malware-related chicken names. Dave’s got the story of Brevard-based Health First Health Plans teaming up with the FBI to warn consumers about a nationwide medical insurance scam where victims pay upfront for fake coverage and end up stuck with huge medical bills. Maria shares the story on how a recent April 2025 survey reveals that while most US consumers feel confident identifying scams and rely on traditional security measures like strong passwords and two-factor authentication, many still experience scam attempts and data breaches, with real-time threat detection emerging as the most valued feature in security products. Joe shares a personal story about how he was mildly got, got—tricked, that is—he thought he was filling out a quick survey for a waiter, but it actually ended up as a Google review. It's a reminder of how AI and tech are blurring the lines in everyday interactions, and how easily people can get tripped up by these evolving processes. The catch of the day this week is from the Scams sub-Reddit, and Dave reads a text from a scammer claiming to have information on his doing drugs at his old work place. Resources and links to stories: ⁠⁠⁠ALERT! Brevard-Based Health First Health Plans Joins FBI to Expose Medical Insurance Scam Scams and Protections US Report: April 2025 We make building an app so easy, anyone can do it '700 Indian engineers posed as AI': The London startup that took Microsoft for a ride Artificial Intelligence stories ⁠Have a Catch of the Day you'd like to share? Email it to us at ⁠⁠⁠⁠⁠⁠⁠⁠hackinghumans@n2k.com⁠⁠⁠⁠⁠⁠⁠.
    Más Menos
    43 m
  • OWASP software and data integrity failures (noun) [Word Notes]

    OWASP software and data integrity failures (noun) [Word Notes]
    Jun 10 2025
    Please enjoy this encore of Word Notes. Code and data repositories that don't protect against unauthorized changes.
    Más Menos
    8 m