‹ All episodes

Cyber Crime Junkies

New Ways to Stop Online Predators

March 01, 2024 Cyber Crime Junkies-David Mauro Season 4 Episode 27
Cyber Crime Junkies
New Ways to Stop Online Predators
Info
Cyber Crime Junkies
New Ways to Stop Online Predators
Mar 01, 2024 Season 4 Episode 27
Cyber Crime Junkies-David Mauro

Joined by covert investigator and analyst with Searchlight Cyber (www.slcyber.io), which helps law enforcement with Dark Web Investigations and Best-selling author, Chris Hadnagy, founder of the Innocent Lives Foundation (www.innocentlivesfoundation.org) who helps law enforcement with ways to help prosecute online predators. 

We discuss topics on dark web dangers for children, new ways to stop online predators, and how law enforcement catches cyber criminals.


Try KiteWorks today at www.KiteWorks.com

Don't Miss our Video on this Exciting KiteWorks Offer!

Try KiteWorks today at www.KiteWorks.com

Don't miss this Video on it!

The Most Secure Managed File Transfer System. 








Share
Apple Podcasts Spotify Amazon Music Podcast Index Overcast YouTube +
Show Notes Transcript

Joined by covert investigator and analyst with Searchlight Cyber (www.slcyber.io), which helps law enforcement with Dark Web Investigations and Best-selling author, Chris Hadnagy, founder of the Innocent Lives Foundation (www.innocentlivesfoundation.org) who helps law enforcement with ways to help prosecute online predators. 

We discuss topics on dark web dangers for children, new ways to stop online predators, and how law enforcement catches cyber criminals.


Try KiteWorks today at www.KiteWorks.com

Don't Miss our Video on this Exciting KiteWorks Offer!

Try KiteWorks today at www.KiteWorks.com

Don't miss this Video on it!

The Most Secure Managed File Transfer System. 








New Ways to Stop Online Predators

Joined by covert investigator and analyst with Searchlight Cyber (www.slcyber.io), which helps law enforcement with Dark Web Investigations and Best-selling author, Chris Hadnagy, founder of the Innocent Lives Foundation (www.innocentlivesfoundation.org) who helps law enforcement with ways to help prosecute online predators. 

We discuss topics on dark web dangers for children, new ways to stop online predators, and how law enforcement catches cyber criminals.


Topics 
dark web dangers for children, new ways to stop online predators, how law enforcement catches cyber criminals, how law enforcement investigates cyber criminals , how law enforcement investigates cyber crimes , ways to help prosecute online predators, online undercover investigations, online covert investigations, ways to identify online predators, stories of undercover investigations, stories of undercover cyber crime investigations, undercover cyber crime investigations

New Ways to Stop Online Predators

Joined by covert investigator and analyst with Searchlight Cyber (www.slcyber.io), which helps law enforcement with Dark Web Investigations and Best-selling author, Chris Hadnagy, founder of the Innocent Lives Foundation (www.innocentlivesfoundation.org) who helps law enforcement with ways to help prosecute online predators. 

We discuss topics on dark web dangers for children, new ways to stop online predators, and how law enforcement catches cyber criminals.


Topics 
dark web dangers for children, new ways to stop online predators, how law enforcement catches cyber criminals, how law enforcement investigates cyber criminals , how law enforcement investigates cyber crimes , ways to help prosecute online predators, online undercover investigations, online covert investigations, ways to identify online predators, stories of undercover investigations, stories of undercover cyber crime investigations, undercover cyber crime investigations


Dino Mauro (00:00.174)
And today's episode is different. And one I guarantee you, you will learn something from it'll help you in your personal life as well as work. We're joined today by industry expert and leader Christopher Hannegy, a four time bestselling author, CEO and founder of social engineer, Inc. And he wrote four main books on the topic of social engineering. Two of them are right here. I've got two others over my bookshelf. But this is his most recent one and it is outstanding.

The topic came up because you all brought it up. You asked us to dig deeper into social engineering. We received over 400 questions and comments asking us to dig deeper into social engineering and explain more about it. Here's just some of the samples.

Dino Mauro (00:47.63)
Hey guys, I had a question. What exactly is social engineering?

Dino Mauro (00:55.598)
How can it be stopped? Why is it that so many people keep falling for it? Great questions. So we all understand the phrase social engineering, but it's so overused that nobody really seems to know how to defend against it. Today, we address the science behind social engineering and why people keep falling for it. More importantly, we address how you can protect yourself, your family and your organization against the number one tactic used by cyber criminals today.

This is the story of how to defend against social engineering.

Dino Mauro (01:55.022)
which we all understand. So please help us keep this going by subscribing for free to our YouTube channel and downloading our podcast episodes on Apple and Spotify so we can continue to bring you more of what matters. This is Cybercrime Junkies, and now the show.

Dino Mauro (02:25.454)
Welcome everybody to cybercrime junkies. I'm your host David Morrow and we're excited about today's episode in the studio today is my Positive co -host mark Mosher. How are you? Wonderful David? I'm really excited about this episode We've got a wealth of knowledge in the studio with us returning again to bring us some new knowledge new information on what's going on Who else we have in the studio? We do?

Yeah, we also have our counterpart Logan Potberg joining us. Logan, welcome. Yes, happy to be here. Second show and they will only get better going forward. You're a veteran by now. So no, we're very excited. Christopher Hannegy is with us. So Christopher Hannegy and correct me if I'm wrong, but he is the CEO and founder of Social Engineer LLC. He's also one of the founders of Innocent Lives and is a four time

bestselling author, the most recent book that he has is Human Hacking, which was an outstanding book. I'd say it was your best one. I have to tell you, no offense to the other three. I don't want to meet them in a dark alley and have them beat me up, but I'm telling you that that's the best one. It really is. It was very practical and we'll get into some of those topics. But just to start off, Chris, walk people through kind of.

your current role and some of your experience. So as you mentioned, I'm the CEO of both Social Engineer LLC, which is a company that manages social engineering services for larger organizations. So what that means is if people want to find out if their employees could defend and report against fishing, vishing, smishing attacks, red team attacks, social engineering attacks, we perform them. We perform them in a safe environment.

So that way your people aren't hurt, things aren't embarrassing, things aren't used. And then when we find failure, instead of getting rid of people, we educate them, we strengthen them, we help them be able to defend against those attacks more and more. We also have a series of training classes that we do, anything from getting people into a career in social engineering to enhancing their skills that they already have on red teams or other types of physical social engineering type of things like that.

Dino Mauro (04:45.454)
And then I also am the CEO over at Innocent Lies Foundation. That's a nonprofit that I started about six and a half years ago. Our mission is to help law enforcement geolocate people who traffic children and create child abuse material. We're a non -vigilante group, which means we don't do the things you see out like Facebook, guys make them believe they're 13 year old girls and getting some guy in a McDonald's parking lot. We've heard from many law enforcement agents that those things generally never work.

and they end up losing cases. So our mission is to literally use our skills and OSINT and internet digging to locate people to then find out who they are in the real world and hand that off to law enforcement so they can be apprehended. So that's my two of my two of my jobs, you know. Yeah. And then you also do a side thing like writing. Yeah, I've written. Like you said, it's okay. You said four, it's five books, but I like to forget the first one. So that's perfectly fine. What was it?

Now, we'll walk us through. Can you just tell us? We'll have links to all of them in the show notes, but walk us through the chronological order. But it's so don't bother. We won't. The link in our show notes will be broken. That's it. Just the broken link. You'll understand. So my first book, the way it came about is kind of like an interesting story, right? I was I was.

exploit writer and a network pen tester. And I stunk at exploit writing. You know, I just, I'm not good with code. My brain doesn't work that way. It works better with people. So when we would get a pen test, I would always say, Hey, can I send an email or can I make a phone call or can I walk up to security guards? And at that time, nobody was doing social engineering, right? So it was literally the boss would be like, you know, why do you want to do that? We're going to write this exploit. I'm like, I don't know. I just want to try. And I'd get authorization and trying it would work. And then inherently the company owner would come back and say,

So, okay, that worked. What do we do? And I went, I don't know, you know, and one company owner, and this is what changed my life. He said to me, he said, you know, if I went to a mechanic and I said to the mechanic, Hey, I got this bad noise here and the mechanic listened to the car and said, Oh yeah, that's your brakes, right? That's, that's your brakes. And every, you know, I agree. Can you fix it? Nope. I don't know how to fix it. Cause I would never go back to that mechanic again. And I'm like, that's a really good analogy. And I said, I'm.

Dino Mauro (07:07.15)
I'm a guy who can break into buildings and I can't tell you how to fix it. So why would you ever pay me? So I went and started reading like all these books you see behind me about psychology, influence, persuasion, everything I can get my hands on, nonverbals. And I wrote a framework that still lives on social -engineer .org. And I put the framework out there and within two months, Kevin Mitnick's publisher called me and she asked me to write a book. And I was like, nah, I'm not an author. I'm just like a hacker. I don't really do this stuff.

She's like, no, no, you got it. Kevin McNich for if anybody is listening to our podcast that doesn't know him. He recently passed away tragically, but he was the most famous hacker like he was. He was hacking back in the day when they would be freaking and using using landlines and pay phones and getting on the subways and things and just just, you know, transcending those systems to to leverage. Then he turned into a good guy.

Right. So after I got in prison, yeah, absolutely. He came in to be a good guy and that he's amazing. And it's like you said, he passed away. But his publisher called me and asked me to write that book. So eventually I got convinced to do it. I did it. It's great. And you know, like even though I make fun and I say no, like well, you were hesitant in the beginning, weren't you? To even write. I was very hesitant. I wasn't an author. I didn't think anybody would care about anything I had to say. You know, I was a nobody. You know, I didn't really have anything special. I didn't grow up like Kevin. I wasn't.

you know hacking systems illegally and stuff like that so I'm like why would anyone want to read a book that I wrote? But you know that book sold over a hundred thousand copies which is crazy when you think about that for an IT book and it still sells but the reason I say don't buy it is because you know four years later or not even ten years later I wrote Social Engineering the Science of Human Hacking and I updated it right so I said like don't go back because that book is like now well that came out in 2010.

So it's 13 years old. So many things have changed. So many things have changed. Yeah. So that's why I make a joke about that. Plus it was my first book so it was not the best written. I was still learning how to write and how to be an author. And then my second book is Unmasking the Social Engineer and that was kind of a passion project for me. One of the things that I fell in love with in my learning.

Dino Mauro (09:30.478)
was nonverbal body language and facial expressions. And the grandfather of all of that was Dr. Paul Ekman. And I had a great privilege of getting to meet him and become his friend, and he became my mentor. And after working with him for a little bit, I came up with this idea of writing a book on how scammers and con men and social engineers can use facial expressions and body language to influence other people. And I presented it to him. And I said, I'm not a scientist. I don't have a degree.

So how would you feel about authoring a book with me since you're the brains behind this whole industry? And amazingly enough, he agreed. So my second book was co -authored with Dr. Eckman, which I'm just like I said, that book, it doesn't have as many sales, but I'm, I'm proud of that book. Cause it was like a passion project and I just wanted that. And then my third book was fishing dark waters. And that is an interesting story because I have a patent on a fishing process that another company was trying to steal.

And I said, you know what? Screw it. I'm going to write a book and put the patent out there. Now you can't steal it. I'm giving it away. Right. So I wrote that book and it was basically my whole patent outlined the exact process I have for fishing. And I just put the book out there and, and, and that that's been helping a lot of companies with their fishing program. It was a unique and new way to approach fishing. When everyone was buying into SAS's and just doing the templates, like click here, I was, I was approaching it from a very psychological way and doing fish.

Then my fourth book was the rewrite of the first one so social engineering the science of human hacking and then my fifth one as you mentioned was human hacking win friends influence people and leave them better off for having met you That was after again, we're going now like, you know What 12 years of my career and I realized that you can use these skills every day to do great things You know, you can use these hence the latest book, right? Yeah, that was why that one came out It's like you can use these skills to change people and to influence people in good things. I

And I thought, why not? I got to write a book about that. So that's how that fifth book came about. It was not really about breaking into buildings or getting into a career. It was about using this with your kids, your wife, your employees, your boss, you know, in an ethical way. Right. Well, and you go into the disk assessment and a lot of that. And that's something that organizations use all over. And our organization even uses it. It's just a way of communicating.

Dino Mauro (11:53.454)
Can you walk us through kind of the understanding of what disc is and why it's so important? So if we go way back in the day, there was a very, very popular psychiatrist and inventor, a lawyer. This guy had like so many degrees from Harvard. It wasn't even funny. His name is William Marston. William Marston, he's the guy who created the polygraph. And he was doing that during a university degree he was getting where he found out that people's blood pressure fluctuate when they lie.

So he was the creator of the polygraph. Funnily enough, another fun fact about him, he's also the creator of Wonder Woman. If anyone doesn't know that. Really? Yeah, he was the creator of Wonder Woman and just, I think about eight or nine years ago, got inducted into Comic Book Hall of Fame for creating Wonder Woman. That's Yeah, he was a big feminist back in the day and people hated Wonder Woman because when he created her, and I think it was the late 30s, so that she was basically wearing no clothes. So, you know, for women in that time, so they...

They kind of ride at the comic scene. But anyhow, back to the disk and one of his books talking about the emotions of psychology of emotions. He defined a communication profiling tool and that's where this came from. So what it really is, it's not really to not get confused. It is not a personality tool. And correct. It's not it's not like my brains, right? Like a lot of people like, oh, you're an extrovert introvert.

you know, feeling versus, you know, insight and all that. It's it that's more about your personality and how you interact in the world. Disc is different, right? Yeah, it is. Disc is a method for understanding how somebody communicates and communicating with them. Yeah. So it's it's that's actually a good way of putting it. So disc is about how you like to be communicated with. Right. So how then and if you can read that on someone else. Right. So if I can read that you're a very direct communicator.

and I communicate with you that way, we're more likely to build rapport fast. And I'm more likely to be able to influence you to do something that I would want you to do if I communicate with you in the way I want you to communicate with. I have a great story about this where I kind of made a rule in my company about something. I can't remember what it was, but I made this rule in this company about something for the vishing team and everybody disagreed, but nobody spoke up, right? But nobody said anything, but they all hated it.

Dino Mauro (14:13.934)
Well, and knowing you, right, you point out in your book, you're very direct, right? And so you're like, no, no, no, no, no, no, you can't have an opinion and not tell me about it and expect change, right? Like, if you need to just be blunt, be upfront with me and be direct. And that's how I communicate. Right. Yeah. And that's exactly what the team lead did. Patrick, he says, hey, I need to talk to you. He pulled me into a room and he says, look, and Patrick's the opposite. He's an S, so he's a team player.

He's very soft. He doesn't speak directly. He's indirect. But he pulled me in and he says, listen, this is really uncomfortable for me, but I'm going to tell you what this decision you made is wrong. And we all disagree. And I went, oh, OK, tell me why. And he went, what? Yeah. Tell you why. And I'm like, yeah, tell me why you disagree. And he told me, I'm like, oh, actually, you're right. I'm wrong. He's OK. Let's change it back. Yeah, exactly. Wait, wait, you're not mad. I'm like, why would I be mad?

And he was like sitting there dumbfounded. He's like, so this this stuff works. And I'm like, of course it works. And he's like, I'm like, Oh, is that what you were doing? I'm like, Oh yeah, you were really direct. That's not like you at all. You know, and he's like, wow, I was really nervous. When he stepped out of his comfort zone to communicate with you the way you need to be communicated with it work. Yep. That's phenomenal. You know, you in a lot of your work and some of the people that you've introduced us to you, you talk a lot about the science behind social engineering and you've dealt deep deeper than anybody that I know.

into this. You have a lot of experts on your team. But what can you tell us about this? Like when when there's phishing emails that come, they're trying to trigger that amygdala hijack, right? Where the cortisol levels rush and you get that kind of fight or flight motives, because then you can't process intellectually necessarily until the time goes by. What can you share with us about what the latest science is showing about? Yeah.

some of the efforts of social. So I mean, we have a couple things against us right now in society, right? Our stress levels are higher than ever. Our anxiety levels are higher than ever. Social media creates anxiety in us. We're seeing constant bad news, right? You can't turn the TV on. It's bad news all the time. Financial, political wars, everything, right? So that that first we got to take into effect that that is that is a big deal. Even though we're in a financial crisis. So what we hear.

Dino Mauro (16:35.566)
people are busier than ever, working more hours than they've ever worked. I think America has taken over Japan in the longest work hours for the first time in history in the last few years. And the least amount of vacations, right? So let's tack that on. Now we talk about the bad actors, threat actors, who are using AI, they're using all the most advanced techniques, they're using everything that they can possibly use.

and they're generating attacks that are so realistic and so good. Now you get this attack in, and what happens in our brain when we have these little pieces of gray matter in our brain called the amygdalae, the little walnut -sized pieces of gray matter, and their whole purpose is to create physiological and psychological change when external stimuli comes into one of our senses. And they do that before our brain kicks in as a survival mechanism.

So if you think about this, right. And this goes back to the day, right? I didn't mean to interrupt you. No, no, it's fine. But this doesn't this, this is like genetic back in the day. This is the way we were. Like in a cave and like a say like a like a wooly mammoth was attacking us. So even before our brain could kick in and process it, we would know to run or hide or protect. This is definitely by design, right? Because here's like you got this thing, let's make believe you're deathly afraid of snakes. So you walk out into your yard and out of the corner of your eye.

what you see you perceive to be a snake, a long black thing. Your body will do a whole bunch of things. It will open its eyes, it will gasp for air, and it will reel back like this. Now what has just happened is when opening your eyes, it's taking in everything around you, right? So that way you're preparing for fight or flight. With the freeze, the first F, and the jolt, you're releasing adrenaline into your bloodstream. And by gasping for air, you're oxygenating your bloodstream.

Now all of that has happened before you're literally about 150 milliseconds before your visual cortices even are active. Now all of a sudden you look down and you see it's the garden hose and you go, ah, silly. And you go on with your day, nothing. But if you look down and you see it's a snake, your body has now been prepared physiologically for fight or flight. Right? So what science has found is that in that moment, when you have that reaction, that what they call an amygdala hijack, your brain,

Dino Mauro (18:50.478)
puts all of its energy into the limbic center and it does not, the frontal cortex is shut down. It's just shut down. Right. And the frontal cortex is the part of our brain that can have vast amounts of data and rational thought and recall all of the training that we've had. And to say, is it real that the IRS is going to arrest me? But during a big deluge. Right. It's shut down. It's dark. Actually with fMRI helmets on.

You sit there and you can see clearly that the frontal cortex is dark and that limbic system is all lit up. So, you know, in essence, it's a really bad time to make critical decisions. But if you think about it, this is exactly what the threat actors are doing. They're saying, hey, I'm a vendor. You haven't paid me. I'm not shipping this stuff out unless you do a wire transfer right now. And this guy... And everybody sees their boss, like in their mind, they see their boss yelling at them.

They think they're getting fired, all of this, and so they want to act on it. Yeah.

So we have to then show them the garden hose, essentially, to bring it back to the story, you know, like that's, that's where it has to click. It's like, Oh, that's a garden hose. Silly, silly hacker, but we should walk around with a garden hose in our sessions. You're onto something. I love it. That's great. I'm going to, I'm going to use that analogy, you know, like, you know how in the matrix, he said there is no spoon. I'm going to be like, there is no snake. I like that. But, um,

That's really, you know, yeah, it's it's so that's a good analogy, Logan, because it is. And once what the main guy who did research in this, his name is Dr. Daniel Goldman. And in his book, when he wrote about amygdala hijacking, he said that what is needed is non emotional time. So time when you're not hijacked, it could be as short as five seconds. But that that short time is what your brain needs to return back to critical thinking. Right. So it's.

Dino Mauro (20:50.318)
So when I follow this through, then the bulk of successful phishing email attacks, successful social engineering could be avoided if people paused. So this is what I always tell people, right? Exactly what you said. I mean, are we getting to the point where literally if you pause, you can eliminate major data? Yes and no. Yes and no. So it's not just a pause because it's a pause with the time to actually critically think, right? Like,

Like here, you know, so the problem with that is the challenge. Let me use that word. The challenge with that is, is that you have people on the other end of the phone saying like, I'm not doing the shipment. You're not going to get the products, you know, or, you know, and this has happened. Sadly, I mean, we laugh at this, but those messages that pop up that said we found child porn on your computer, the FBI is be heading to your house to arrest you. There's a sad case where a man committed suicide because.

He was he was worried that he was going to get arrested and he was an illegal immigrant here and he thought he was going to get deported. So he killed himself and his son because of that message. Right. So like, you know, there are some horrific things that happen when your amygdala is hijacked. So, yes, the answer is a pause. But it's almost like for corporations, how do we effectively enforce that? Right. So technology that effectively enforces that, you know, almost like.

you know, maybe when you click that link, is there a delay? But now you try to say that, right? Oh man, you try to say that the delay when you click the link and now every link you click is going to be delayed. We're in a spot now. If I'm waiting more than two seconds for my page to load, I'm like, what the heck is going on? I'm out of here getting a bad review. You know, so yeah, we can't, we're not going to be in a time like the answers to fix the problem aren't reasonable and still conducting business in this day and age. And that's the problem. Right. Right.

Well, it gets into the whole philosophical thing that cybersecurity by definition is inconvenient. Yeah. Right. It has to be in cybersecurity when fully secure. Right. Means we're not operating like we're just offline and we're just in person. Right. It's so interesting. You've you've shared with us. You've you know, we've seen some of the most interesting data breaches.

Dino Mauro (23:11.022)
in the past year that we have a long time and it was like the wild west looking at some of these things the mgm the caesar's breaching you see some of the social engineering groups like scattered spider uh... what what insight based on your experience can you provide us so i was literally just speaking to a uh... government agent today uh... about a case that we're working and uh... he said the increase in social engineering eighty percent what they're noticing

80 % of all of these breaches are involving massive elements of social engineering. And it's, like I said, a society we're just, we're inundated with emotion, nonstop. And that level of constantly being hijacked is making us all susceptible. And, you know, there used to be a rule, like they never, like threat groups, ransomware groups never went after hospitals, especially children's hospitals. Now there's one.

That's all they target. That's all they target. The whole ransomware group just targets hospitals and especially children's hospitals because that data is worth so much. The amount of the lack of empathy and the lack of a fellow feeling. This the sociopathology. It's scary that they demonstrate scary. Right. So we're seeing an increase in social engineering because of the brazen attitude. Right. We're seeing that it works because.

I think especially after COVID, we want to connect with people. We think about the increase in romance attacks, right? Romance scams. I mean, they work. Why? They work because we want a connection, right? And they're using genius methods. They're trolling Facebook for the woman who just lost her husband at 40 years and then starting a slow roll relationship that turns into a, you know,

It's just, you read it and you're like, oh my gosh, it just kills me. It's so terrible. When they play the long game, right, they will continue that on and then right at the last minute they'll say, oh, I can't make it, can you just wire me something? Or can you do something, right? And that's kind Chris, let me ask you this. The overall increase in volume and in complexity, I guess, of social engineering that you're seeing, does AI play a part in that or are they leveraging AI in any way to...

Dino Mauro (25:25.87)
this complexity and increase? They are. So we're seeing AI in a couple different areas. One, we actually found a vision group that was using AI based voice changers to get to take away their accents. So they have American accents now, right? That was a big one. They actually have a version called fraud GPT, which they sell for only about 1800 bucks a month. You can get it on the dark web and it's a, it's a full AI system that that is, it's actually amazing. I mean, it will.

it will write exploit code, it will go and hack a website, it will create phishing emails and then track those phishing emails. And they're also using, I was just at a conference in Spain and one of the things I heard from a Japanese law enforcement agent there is that for the longest time they didn't see a lot of phishing attacks in Japan because his answer was Russians don't speak Japanese.

But now that AI has gotten so good at translating, they're seeing a massive increase in phishing emails in Japan because now they can be, they look like actual Japanese. So it's just, it's kind of one of those things where AI, we're seeing it and it's advancing so fast that I don't think we're ready for what's coming in 2024. I really don't.

Well, in some of the larger attacks, it seems there's, well, let's go over some of the common social engineering types. We have phishing, right, which is the blasting out of 20 ,000 emails, hopefully with the skill of getting somebody to click on a link or download a document and open it up within those emails. Spear phishing, right, which is...

geared toward one organization, maybe carbon copying, coworkers and things, correct? And then, Quishing is a very, very, very kind of a newer one, right? Where they're putting in QR codes, which I still don't really understand, because they put a QR code in an email wanting you to use your phone to scan that. Or they put a QR code on something else, like a billboard or something, and you just walk by and scan it. Right.

Dino Mauro (27:39.918)
Right. And then what does that give the threat actors access to your phone? Yeah, I mean, a lot of times it's downloading an app, installing something that you shouldn't install, sending you to a malicious website, you know, those kinds of things. I mean, think about it during when COVID broke, we got used to using our phones for all, I mean, how many times you go into a restaurant, there's no more paper menus. Right. It's all QR codes. It's code on the table. You're scanning it. So we've been trained to just trust them and we just start scanning them. Right.

And it's and they're so easy to do because you just you can take a malicious URL and just go to a QR generator and say generate a QR code and boom, there you have it. You can use that image in anything. Anything right? Yes. Right. And then MFA Fatigue is one that's been very, very popular. That was seen. That was that was in Twitter. Which one was that? Was the Cisco one? Cisco. We saw MFA Fatigue. Yeah. And Uber, I think. Yeah.

the uber breach where they kept so basically they got the credentials from the dark web from another breach because they probably use the same password or something right and they were trying to log in but it was sending a notification through the octa through the authenticator right and they just kept doing it over and over and over again and then they got the person the the internal person to

get on like a WhatsApp channel or something. And then from there, they were like, hey, this is your IT department. Can you please approve this? We're doing some tests or whatever they said. And then he went and he approved it. And then from there, they launched the breach. There's so many elements of issues there. But that's kind of common, right? I mean, it's more just constant barrage of notifications. Yep. And then we have vishing, which is voice phishing.

Right. We have smishing, which is SMS phishing. The, the, the texting. Right. And we have impersonation. Now that you mentioned that fraud GPT and the voice corrector, the vision is in 2024. Is there an outlook that there may be an increase in vision because of tools and resources just like that? Oh yeah. Yeah. Yeah. I mean, so we've, so, uh, the FCC's reported a 550 % increase in vision in the last 12 months.

Dino Mauro (30:08.078)
So I don't see it ending. I mean, you think about this, they could set up call centers in foreign countries for next to nothing. And if you have a win, right there, we found an ad on the dark web for a client of ours. I won't say any names, but they were offering this malicious group was offering $30 ,000 per compromised record. And they wanted a female visher.

So you get the target list. They'll give you the target list. If you were successful at compromising one of their accounts, you get $30 ,000. Wow. Yeah. So I mean, if you're down and out, you're sitting here, you got no job, the economy's looking like garbage. And now someone offers you, you can make a few phone calls a month and have a couple of accounts and you can make $60K a month, $100K a month. Yeah, that's big. That's

big money and a huge change in their lifestyle or even if you're in a part of the world where it's basically decriminalized. Yeah, I mean, we uncovered a group in the country of Georgia and we reported it and they basically were like, yeah, okay. Yeah. Well, I mean, when you look at some of these cyber crime gangs. Yeah, they were like, yeah, whatever. Actually, one guy even said to me, you Americans are rich. It's fine. I'm like, oh my gosh.

That's kind of the presumption. And then when we look at some of the cybercrime gangs, like some of the leading gangs like Black Cat and Lockbit, I mean, their programs are designed not to work on certain languages, right? Because they know so long as they don't hit those entities, they're not going to get reprimanded or law enforcement breathing down their neck.

Unbelievable. Unbelievable. And the skill levels have gotten good. You know, when we heard about the MGM Caesar's breach, what was going around social media and in the cybersecurity industry was that, you know, 10 minutes they scanned LinkedIn to find out, and then they made a few phone calls and they got in. Was it really that simple? So no, I mean, from our understanding, they probably... There's quite a bit of OSIP. Yeah, they spent a lot of time...

Dino Mauro (32:29.15)
in that network probably for months to maybe a year before they started the attack because they had to find the flaw in Okta, right? Then they had to buy the exploit, find someone and buy it, right? And then they did OSINT on their targets, which probably was weeks if not more of OSINT, found the right person that had the right privileges to do the installation, targeted that person and then made the call to that person.

So it's overly simplistic when they say it was only a 10 minute phone call. Yes, at the end of that. But that probably was anywhere from six to eight months worth of work that led to that 10 minute phone call. So at the end of the day, was it social engineering for the win? Yes, it was. But it wasn't like they just picked up a phone called Fred over an IT and went, hey, install this. And he installed it and they won in 10 minutes. There was a lot of work. This was organized crime. Long game. It was long organized crime. The long game with the last like

The touchdown move was social and 100 % that's so interesting. Makes perfect sense. Yeah, makes me and we're seeing more and more of that from ransomware groups where, you know, they're they're they're finding the way in. But then they're you're utilizing SE to, you know, and the and the and the cyber kill chain. When you look at that exploitation part, they're using social engineering as that piece to get the actual exploit delivered. The delivery mechanism is social engineering.

Right. So we're seeing just more and more of that because like, why work your butt off to try to find a whole the network when I can get a trusted person to install it for me? I can work hard to do that or I can get you to do the installation for me. And that just seems so much easier. Well, I break down the door if all I'm going to do is knock. Exactly. Right. Well, that so that begs this question. So.

About a year ago or so, the FBI issued an alert about deepfake and how people were applying for remote jobs in the United States, hundreds of them. Getting those jobs, they were using a deepfake technology, right? So they were impersonating someone else. And then they would get access, they would get hired, they would be onboarding. And then they would be giving them access to their systems.

Dino Mauro (34:49.07)
So like, is that the next evolution or how common is that? I don't know if it's a next evolution, but I think we're going to see more and more occurring with deep fakes because the technology has gotten so good. Right? You go back even a couple of years and you're like, Oh, I can tell the difference between that neck and that, that head, you know? And now it's to the point where like one of the things that we're working as cases in ILF is they started doing a deep fake pornography of teenagers and embarrassing them, using them as part of an exploitation.

Right, so taking young girls and usually putting them on some sex act and then saying they're going to release this on the school's website if they don't do X, Y or Z. And the technology is so good that they actually have a program out there now that you could just put a clothed picture of someone in this program and it will tell you probably what they look like naked. So the deep fake will actually be as close to possible, and you know, we're talking about sizes and shapes and things like that because of what they can see through clothes.

So the deep fake technology has gotten very advanced. And besides the exploitive nature of that from a sexual standpoint, I worry about how this could be affected from a political standpoint, too, in war. I mean, you see an image of Putin out there saying, I'm about to hit the button and launch World War Three. And if it's believable enough, what happens? And to explain what you can do within your control to.

bolster your defenses. And I think, you know, when people say that, and I like what your message, because what I usually say to people is how can you defend against something that you don't know exists? Right? If you don't know what exists, you can't possibly defend against it. Right? So I can't, you know, I remember when I first moved down south here to Florida, I had to learn what all the different bugs were.

to learn how to defend against them. I didn't know how many dang insects existed down here. And they're huge, right? And not all of them are dangerous, but you've got to learn which ones can kill you. And those are the ones I want dead. Right. So I tell people that analogy because I'm like, how do you know how to protect against like if you never heard of Quishing, you go, what's Quishing? Like, what the heck is that type of toy? Like what is like what? You don't even know what it is. So how do you defend against it? Right. And how do you defend against vishing if you don't even know what it looks like? So.

Dino Mauro (37:02.702)
People have to know that these things exist. It's like modus operandi. I mean, it's not, it's no, it's very similar to traditional law enforcement. And that is you have to understand modus operandi. If somebody's breaking in your house or somebody's breaking in neighborhood homes every Wednesday morning between four and six AM through the laundry room window, then why are you focused on your front door? Right? Like, why are you, why are you focused on your front door on Saturday night? Like you're focusing, you're spending your resources.

on the wrong thing, right? Like how about Wednesdays having some light or some cameras over by the laundry room window because that tends to be what the modus operandi is, right? Yep, that's a good point. That's crazy.

Dino Mauro (37:54.126)
Well that wraps this up. Thanks for joining everybody. Hope you got value out of digging deeper behind the scenes of security and cybercrime today. Please don't forget to help keep this going by subscribing free to our YouTube channel at Cybercrime Junkies podcast and download and enjoy all of our past episodes on Apple and Spotify podcasts so we can continue to bring you more of what matters. This is Cybercrime Junkies and we thank you for joining us.