CHAOS: AI Jailbreaks, Cloud Meltdowns & The Fish-Tank Casino Hack That Shocked the World

Show Notes

In this shocking monthly cyber update, the Cyber Crime Junkies (David, Dr. Sergio E. Sanchez, and Zack Moscow) expose the craziest, must-know stories in tech and security.

What's Inside This Episode:

• The AI Threat is Real: Dr. Sergio reveals how Chinese threat actors manipulated Anthropic's Claude AI system to stage cyber attacks against nearly 30 companies globally. Learn how powerful Large Language Models (LLMs) are leveling the field for malicious coders.
• The Casino Fish Tank Hack (True Story!): David tells the unbelievable story of how hackers breached a casino's main network by exploiting a smart thermostat inside an exotic fish tank, accessing high-roller financials. This proves critical network segmentation is non-negotiable.
• The New Scam: ClickFix: David breaks down the terrifying new ClickFix attack, where hackers trick you into literally copying and pasting malicious code into your own computer. Learn the golden rule to protect yourself from this massive, 500% spike in attacks.
• The Cloudflare Outage: Zack discusses the massive Cloudflare outage that took down major services like ChatGPT, revealing how a seemingly minor configuration error caused massive ripple effects across the entire internet.
• The iPhone Scam Laundry: Dr. Sergio shares a wild anecdote from his time at Apple about a global scammer laundering stolen or damaged iPhones for new ones, using a loophole caused by a business decision.

🚨 Participate & Vote! Help us name this segment! Vote for your

Season 8 is officially here — and it’s the most unhinged, hilarious, and dangerously educational season we’ve ever done with full cyber chaos:

🔥 Interviews with spies & double agents 💥 Cyber WTF moments 🎮 New interactive segments & games 🛡️ Business-grade cybersecurity insights 😂 More humor, more banter, more chaos

Hit SUBSCRIBE 

Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
 

Support the show

🔥New Exclusive Offers for Cyber Crime Junkies! 🔥

1. Remove Your Data Online Today! Try OPTERY Risk Free. Sign up here https://get.optery.com/DMauro-CyberCrimeJunkies
2. Or Turn it over to the Pros at DELETE ME and get 20% Off! Remove your data with 24/7 data broker monitoring
🔥Sign up here and Get 20% off DELETE ME
3. 🔥Experience The Best AI Translation, Audio Reader & Voice Cloning! Try Eleven Labs Today risk free: https://try.elevenlabs.io/gla58o32c6hq

Dive Deeper:
🔗 Website: https://cybercrimejunkies.com

✅ LinkedIn: https://www.linkedin.com/in/daviddmauro/
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

=====================================================

Transcript

Speaker 3 (00:00.577)
you

Speaker 1 (00:05.14)
Alright, well buckle up because once again the internet has decided to remind us that common sense is optional. Hackers have no work-life balance and zero chill. And smart devices, you know, the smart toasters, the smart refrigerators, things like that, they are apparently a terrible idea.

This month we started our monthly collaboration with Zach Moscow, a locally famous Nashville musician and technologist, along with Dr. Sergio Sanchez, a medical doctor, a former Apple executive, and a video game designer involved in most of the popular games you and your kids play. And well, me also, because I guess it's my show. We call this Crime, Hackers, and AI Stories.

crime hackers and AI stories, and those acronyms add up C-H-A-O-S to chaos. So this week on chaos, we've got Chinese threat actors jailbreaking an AI like a cheap rental, a cloud fair meltdown that basically face planted half of the internet, scammers turning apples find my feature into lose your K, and yes, the legendary casino breach that started with a fish tank.

Because why breach a firewall when you could breach, well, a goldfish? And just when you think humanity couldn't get any more gullible, say hello to ClickFix, the new attack where the hackers don't even hack you. You hack yourself. They literally get you to copy and paste their malware into your own systems like a loyal unpaid intern.

And stick around for our brand new game that we play during the show. It's called Hack or Hype. It's the world's fastest cyber trivia showdown where even we don't know if the headlines are real or as fake as a Kim Kardashian Instagram filter. Welcome to Chaos, the only real cyber show where the stories are real, the human and economic damage is ridiculous. And the only rule is don't become the next headline.

Speaker 1 (02:20.302)
This is Cybercrime Junkies. Let's dive in.

Speaker 1 (02:29.432)
No problem, we're on the air, so don't you worry. Can you hear us, Dr. Sergio? Calling from the stadium down the yard line.

Go hear it now.

Speaker 2 (02:42.119)
So now you're playing with them.

Yeah, this is what you know, you get grown men toys. This is what we do. you quote President Kennedy, if not us who and if not now when it's like that's why we're going to the moon.

absolutely

Speaker 2 (03:00.63)
Yes. Perfect.

Welcome gentlemen, and I use that term with utmost respect. How are you guys?

You've got a little very good yourself.

I'm doing great. So I'm happy to be back with you guys. Yeah. So we have some things about today that were that are going to be a little different. So first, let me do this. First off, a message to our listeners. We want you to participate in these monthly informal discussions that we're having. If you have an interesting story you see in the news, anything technology or A.I. related, we'll go do the research and bring a summary. One of us will bring it.

with us each month. each month, the three of us are going to get together for a quick episode with each one of us bringing one story each and sharing it with each other and the audience. There's a lot of crazy crap out there and we all want to keep abreast of what's happening and stay on the pulse. So there's also a lot of noise. And so this allows us to kind of percolate what's interesting to people and what's important. But we also want to have you

Speaker 1 (04:07.714)
the listener or the viewer to help us participate. So first, we want to name this segment. Like, what are we going to call this when we get together every month? We're going to give everybody a vote. So you can reach out to us if you're listening on audio, or if you're watching on YouTube, you can text the studio directly, submit in the name of the show that you think this should be called once a month, we're going to get together, we're going to do this.

You can text direct right to the studio at 201-4652. That's 201... sorry. I totally got the number wrong. So, hey, let's do this. I'm going to edit that out or I might leave it in. But for those that may never look at the show notes, we have a link right in the show notes where you're able to click on it and text the studio directly. And we get all of those messages.

But for those that don't you text direct to the studio, you text the code 201-4652. That's 201-4652. You text that code to phone number 904-867-4466. That's 904-867-4466. But wait, there's more. It's 904-867-4466. You text the code 201-4652 and then you leave a message.

It can be a long message. It can be a short message. You could say hi. You can tell us to f off. Wait, f off. Like whatever you want to do, you can do that, but it's fine. We will get your message. So we also want to take the time to ask everybody that watches us on YouTube, could you please subscribe? We are weeks away from being monetized on YouTube. And if we can get a few more subscribers, then we'll start to do this thing maybe live on YouTube. Have you guys engage with us?

one-on-one. It's free to subscribe. We will not mail you. We will never, ever, ever sell your data. So, what are we going to name this segment? I've come up with five. I'm open to listener suggestions and my two esteemed colleagues and your suggestions. Here's the five names that I've come up with. What the what true cyber stories.

Speaker 1 (06:32.59)
Breaches, hacks, and WTF moments. That's number two. Number three, zero day stories. What we all missed this month. Number four, the dark net download.

Speaker 1 (06:51.948)
Very ominous. Yes. Or my personal favorite, Hackers Gone Wild, monthly edition. I really like that one. I thought it was great. But give us your vote. can text to the numbers 201-4652. Again, the number 904-867-4466. You can leave your message there or simply message us by email at cybercrimejunkies at gmail.com. That's cybercrimejunkies at gmail.com.

Or you can access Kylie, our producer, at info at cybercrimejunkies.com. That's info at cybercrimejunkies.com. In the history of crowdsourcing internet or names on the internet, I would expect prepare yourself for some submissions along the lines of like Cyber McCyberface or similar. Yes, convention. I'm thinking it's going to be fantastic. Yeah, but we can't wait. Please.

David.

Speaker 1 (07:50.176)
So your best ones, but wait, there's more. But wait, there's more. We have a new segment here on our monthly episode that's going to be called something, but soon to be named this segment. We can choose the name as well. It's either called click bait or cyber fate, or it's either called hack or hype.

or it can be called breach or

Bulls bull right? It can be called breach or that or click bait or cyber fate, hack or hype. So I'm going to read a headline to YouTube gentlemen, you guys and what's great for the listeners is these guys are like busy. Get work, they got families, it's the holidays. They have no time for me or any of this shenanigans. But I bring them more and more stuff to go down this rabbit hole. So

I'm going to read a headline. You each have five seconds to call it. Okay. And you will either tell me whether it's true or if it's made up. Okay. It's either a hack or a type. It's either click bait or cyber fate or it's breach or bull. Okay. Are we ready? Yes. I think that's the one. And by the way, I got a button every time that I get to use my button.

We had no idea this was coming. So thanks. No, you had no and I'm going to keep score each week and after a certain time period, we're going to call it and then the loser has to find like a spam email and read it to the other ones in a British or Australian accent. Yeah, publicly publicly on the air.

Speaker 2 (09:44.16)
I being funny with my accident. Great. I can't wait. I'm rooting for you.

Yes.

This is going to be great. So I'm to read headline. Let me. Let me look here. OK, headline.

Hackers stole 600 gallons of diesel fuel using Bluetooth pumps.

with serpents real

Speaker 1 (10:16.296)
Is it real or is it fake, Zach? Fake. Yo. It's real.

No,

Hang on, I got to write down who guessed what. Saks says fake. Dr. S says real. The answer is it's fake. That was a fake fake. That was clickbait. That was not a breach. It was BS. Okay.

Perfect.

Speaker 2 (10:51.982)
You know, but it's interesting. And I will tell you why it says, it's real. pumps are using your, phone or your watch for payment. And is one of the easiest signals to hack is not really security for blue.

No, you're right. It's openly connected.

It's happening. So many times you was driving, you was getting the signal of a call from the car right beside you. Like, what is that happening? Who's that voice? That's it make me think about it.

Yep, I agree. All right.

We'll do one more and then we'll get to our stories and we'll blow through our stories. So one more. Here's the.

Speaker 1 (11:50.722)
News article says hackers broke into a casino through a fish tank.

Speaker 1 (11:59.602)
Is it an actual breach or is it bulls**t? What do you think, Sergio? What do you think?

I know from the point of view I would say is fake but now you have me doubt that can be real. just don't know how is the connection between the bridge and a fish tank. I will think that you know something in that fish tank must be a massive fish tank maybe salt water time that is

in some way, check by,

Don't be buying time to Google this don't buy in time to Google. I he's stalling I agree Stalin meanwhile he's like, uh, it could be blah blah blah He's like is this thing real AI tell me

Well, I am thinking that is true.

Speaker 1 (13:00.48)
Okay. He goes with true. Zach. Well, you see to, to echo or go in here in the casino analogy, I'm already playing with house money cause I'm ahead. So I'm going to say it's true. All right. So the answer is it's true. That is actually something that happened. It's actually part of our

Live PSI, our live public service initiative. I just haven't been telling that story in the last year or so, but about three years ago, because I tell a story all the time. Last about three years ago, an attacker went in, saw an exotic fish tank in the foyer area of a casino and noticed that it was a smart thermostat inside.

got pulled out his tablet, hacked into that and was able to there wasn't security from that to the main network and that wasn't it wasn't segmented the name wasn't a segmented network either. And he was able to download all of the financials for all the big fish gamblers, all the big like, like the big gamblers like all of their their social security number, their home address.

and all of their gambling history, etc. And you can Google it. So it is a true story. it is. This is why we do what we do. Right. So well, okay, segment your networks.

No place to hide.

Speaker 1 (14:49.646)
Absolutely. Okay, well, let's who brought a story. Let's go to the esteemed Dr. Sergio, please go.

So do you know my relationship with AI is love. I will not hate the relation. I would say more love and fear relationship. Love. only thing that AI is able to do today and probably in the future even will be smarter than everybody together. So with that in mind, I've been trying to use

Fear.

Speaker 2 (15:28.566)
a company called Anthropic and Anthropic has a public, you know, system that everybody knows now probably is cloth and cloth has a little, much there for coding where anybody can really with a prompt, they start creating applications and it's pretty easy, pretty awesome is very good, but

And this is the

You just use words right? They don't have to know code. They could use Claude code so they could just say hey I want this thing to do this.

Absolutely. It is leveling the field for everybody. Now everybody can be a developer, a programmer. With some touches there are still in the pretty steps, but it is probably 80 % of the job now is done by that. But with that in mind, Antropic just released an article talking about that last September, they discovered that what

It says Chinese threat actors getting into an entropy cloud system and convince cloud to start doing evil things to start to set up cyber attacks. And they got at least, you know, from 30 companies globally talking. They tried. A entropy report that actually

Speaker 2 (17:05.472)
was not that many that they couldn't get inside all those 30 companies. And the problem for me is this. So AI is leveling the field for everybody. Everybody now basically can be a musician, even if you don't have idea about music writing, everybody can be a writer, everybody can be a photographer or art.

designer, et cetera, et cetera. Basically is a tool that make you who you want to be and you never went to school for. So with that in mind, I'm thinking about this. What will stop people with the knowledge to create their own LLMs, their own agents on house, on their own premises without restrictions for them to this

AIs make evil things. Number one, number two, when we are talking about, a somebody that is hacking at that level, that person has a knowledge and normally goes one, maybe two, three per week because you need some time to, you know, investigate the big team.

check the possible points of entrance and goes for there. Now with AI, you can automatize this. You can just create the agent and run it while out there.

Right.

Speaker 1 (18:51.844)
Wow.

Imagine the founder.

So they use that to breach 30 some large organizations. Holy cow. Just by prompting a publicly available AI. That's correct.

That is correct. So that is the thing that kept me awake. Number one. Number two. Yes. What will stop the question for Antropi was and for everybody else, why these guys use a system that know that when you ask something for that system to do bad, what they choose that and

But yeah.

Speaker 2 (19:37.556)
It's not really an answer yet for that. well, maybe because why invent the wheel when already you can get it somebody else from somebody else. So, that don't stop them to make a copy of LLM. Adjusted for whatever they want. there we go. So that one by one, and we are going to be following that information. The another one very fast in is.

The new, well, kind of newest scam out there that we know that is when you lose your phone, iPhone in particular, the new operating system is allowing you to use basically the option of find my phone or my friends in that situation. Now you have the option also to put a message. If you get your phone stolen or, or again, it's lost.

and somebody opened it. Well, that will come with a message like, hello, how are you? You can put it's a customized message that you can put there, but you will say, please contact by sample, David or sack, this telephone number. And now these scammers are using that information and the information of your phone to says that they are. I Mac that they are Apple, like a high.

We are contacting you from Apple. We know you lost your phone. So because you know, now this camera has the phone in the hand and says your phone is an iPhone, 16 max pro, blue color, blah, blah, blah. please send this information or they sell you a fake iCloud page. I got, please go to this website.

to be sure that you are the owner of the phone. You know your iCloud name and your password. is. So that is something that you think, great, that's good. If I lose my phone and somebody found it, somebody can call me and tell me where is my phone.

Speaker 1 (21:37.476)
yourself

Speaker 1 (21:54.893)
Right.

That's for people that they don't know that they can go to the computer and go to iCloud and see where is the phone or the last location where the phone was founded. So that is what I have today.

Well, that's bad.

It's terrible. I'm going to tell you a very fast anecdote that when I was working for, did you remember when Samsung, I think was the seven, has a bad issue with batteries and somebody in a airplane, the phone exploded and was a big deal about it. this in for the, phone backs.

Apple.

Speaker 1 (22:40.682)
Remember that.

Speaker 2 (22:44.522)
Etc. Etc. I was a retrieval there. So we got an email from the big guys in Cupertino telling us, hey guys, when you receive a phone with a battery problem, no question asked, you will replace that phone at the moment to the user. We don't want to have bad reputation that our batteries are causing issues either.

Really? It was a business decision, but it created, that creates a risk.

Well, let me tell you what happened. So from that moment, somebody discovered that if you bring a bad shape phone, that phone was going to be replaced for a new one. No questions asked. And was a moment, and I was in charge of the genius team in New York, that we have coming almost every week to replace no one.

guy.

Speaker 2 (23:48.194)
but sometimes two, three, four, five phones. And okay, here, give me the bad ones, here's the new ones. And one time, the guy show up with 12.

That's gotta be a red flag. Nobody legit unless- He's a heavy user. He uses his phone, you know, about 120,000 hours a day. They all got phones, right?

Everybody

So I stopped the people there and said, wait, wait. These guys coming with 12 phones. This is very fishy because last week we with Trini. Okay, what is happening? So I went out and I start talking with him like, hi. So I noticed that you're bringing a lot of phones. What happened? Like, no, it's because, you know, my friends give me the phone and I wanna help them because I live close, blah, blah, blah.

Okay, no problem. Can I have the phones? And I at this moment, and I was kind of lying, we don't have 12 phones, but I'm calling the another stores to see if they have it and they will send it to me. if you want to.

Speaker 1 (24:55.182)
You stalled. You stalled. Just like you did earlier when we had that game that we were playing. But I When you were looking up the answer.

So with that in mind, I went in the back and I asked one of my guys, hey, can you run the serial numbers and see where the phones were acquired? So one of the that amazing about Apple is that they have all that information. So you buy a phone and they, they, yes. So he came back to me, my, my, my guy and says, Hey, all of these phones are not from United States.

know everything.

Speaker 1 (25:32.629)
Are you kidding?

are reported that they got acquired in England, Spain, France, Italy,

So they're going and they're stealing it from people there. They're whitewashing. It's like laundering the money. They're laundering.

He's not exactly what happened. So I went out and I says, Amy, so I discovered that these phones, the people that you says, they'll give you the phones. They didn't buy the phones here. And he swear no, no, yes, blah, blah. Okay. So believe it or not, I used to play indoor soccer when I was living in Albany, New York. And one of the teams I used to play with was friends from the FBI branch in Albany.

I called one of my friends like, this is so weird. calling you because this is happening. And I really think it's a scam. What can I do? What I do? And he says to me, well, don't worry. will send two of my guys there. I'm says, no, no, no, you cannot do that. If I see two cops coming to the store and with all these people here, they weren't going to get scared. Like, no, no, no, They are going to be dressing in jeans. They will ask for you.

Speaker 2 (26:48.344)
You just, you know, who's the guy. All right. Perfect. So I did that. This game, these two guys came, these two agents, no, no identification whatsoever to scare people. And they took the guy out.

They did? So you waited until they were, until the guy came back?

Hey, yes, I have. So that will pass. And I have another game with my friend. says, only two weeks ago, three weeks ago, what happened with that guy that came like, oh my God, what happened was that. So they discovered that this guy was buying these iPhones for like $10 already with a punch it battery, which you see the phone inflated.

$10 and then he was going to stores to replace it for new phones. So that was longer. And then he was selling. That time the phone started to be between $700 to $1,000.

Pretty good scam.

Speaker 1 (27:56.673)
Wow.

That was an amazing way to do it. And the thing that happened, and he told me that, is a group of people in Europe that when normally people leave the phone in the restaurant or in the club or discotheques, like I used to call it, unattended, right there in the table. So these guys used to come get the phone, remove the SIM card, shut it down, and then take a phone and send it to Hong Kong.

And in ChromeCon, they're used to be able to open a little bit the phone, puncture the battery, and then sell it for $10. So you buy a $10 bad phone, it to the store, no question asked, and you get that new phone, now that you can sell, because it's a new phone, clean, completely, to somebody else, or keep it.

Holy cow, that's crazy. Yes, that's nuts That's pretty good scam though, actually, yes, you know if it wasn't for federal prison a lot of it works works great until you get caught. All right, Zach. You're up. Tell the sheriff share with us a story Yeah, so I feel like on this podcast I'm just gonna be known as the outage guy cuz last time I talked about

AWS and the trickle down effect of that on our productivity and our daily lives. And today I'm talking about something similar, from a totally different direction. So three days ago, Cloudflare had a huge issue that impacted a lot of our daily web traffic. what's I think particularly noteworthy- does Cloudflare do? Like, are they?

Speaker 1 (29:50.58)
It was kind of like when when AWS was down, a lot of people were like, I don't understand. I don't I don't use AWS. I use Etsy. Why is an Etsy app? like, well, Etsy sits on the AWS racks. You know what I mean? Like it's the infrastructure that Etsy runs on. That was why Etsy was down along with thousands of others. But Cloudflare is somewhat analogous to that, right? Yeah. mean, Cloudflare is for

I think at a very basic level, it is a web security service. And if you have a website, CloudFlare is an add-on that you enable, that you pay for, that protects your website against denial of service attack, against any one of a number of cyber threats, right? Got it. Okay. To keep your website up and active and secure.

That's why when cloud fair was having issues, I saw like chat GPT wasn't working and some of the other systems weren't working. Similar to how many websites and companies and apps rely on AWS for their hosting and for their data databases, a similar number, a similar proportion of websites rely on cloud flare for that backend security. So when cloudflare goes down, the impact is very similar to what happened with AWS.

But the methodology and what those systems do are really quite different. What's interesting to me about this and I want to, want to be brief. I know we're already kind of running long is there were, there were signs, there were symptoms of what happened with cloud fair that really suggested or looked like they may have been attacked. That they may have. Yeah. Like it was a breach, but they've come out, right? Haven't they come out and said, out and said, was, it was a simple configuration change.

And that really echoes, it mirrors what happened with AWS because AWS wasn't an attack, it was another configuration error.

Speaker 2 (31:52.652)
had Microsoft in that tool.

Yeah, Microsoft has saved.

How much of this configuration attacks are really these configuration attacks and I'm going to do something and I don't want to be the conspiracy guy here, but when you have somebody Able to change anything in the configuration. I Mean you me and Dave we will run it first in a sandbox and We will run it to you know, probably yours a particular set

of a-

people or groups or when you're doing that, you know, like, yeah, press the red button. Let's see what happened. If something doesn't make too much sense plus now, and again, you have AI and I'm sure that probably a, if I change this parameter in this configuration, what could happen? So that to me is kind of weird.

Speaker 1 (32:29.528)
hardware.

Speaker 1 (32:54.934)
Yeah, it is weird. think what's interesting about this is I'm sure they did test it. They just tested it at a small scale. And what they learned as they rolled this out, what it was doing was just creating a file. And this file is supposed to be very small, a few kilobytes that's going to be loaded on a web page. And for some reason, it made this list, it made this file very, very large. And the trickle down of printing that file to

every request and every page load just absolutely stressed their network and stressed their ability to load pages. So a very, very small thing, very minor configuration change that they figured out in an hour that they patched and fixed within two or three hours had ripple effects that covered the entire internet. So moral of the story were these fundamental systems, these backbones like AWS and

and CloudFlare, a really, really minor, seemingly trivial mistake in a configuration can have massive, massive, massive. Yeah, it's a big flow down. All right. I will I will bring us home. my story today is about a new attack called ClickFix. ClickFix. It doesn't trick you into clicking a bad link. It tricks you into literally copying and pasting

the hackers code into your own computer.

Let me say that again. You don't click a link or download a document. You literally copy and paste the hackers code that they give you and they fool you into copy and paste. So it's exploded. Check this out. 500 % this year and it hits across the board. Windows devices, Windows operating systems, Mac operating systems and Linux operating systems.

Speaker 1 (34:57.42)
The worst part is it often looks like a legitimate cloud fair, Salesforce, HubSpot or Microsoft security tech. And it affects both business people like employees at organizations as well as families and individuals. So the good news is that once you know the trick, it's actually easy to beat. So think about it like this. Multi-factor authentication. We all talk about it. It's important, right? We have to

do multifactor authentication, you have to log in, check this and what happens sometimes when that glitches like a CAPTCHA shows up, right? The picture of like click on the number of boxes that show the motorcycle, click on the number of boxes that have the bridge or whatever, right? So CAPTCHA issues can occur when authenticating. So that's where ClickFix kind of

comes in. That's where the hackers created this. So instead of sending you a file to download, it shows you a fake error page that looks like it's from the site you're trying to log into or a legitimate site like Microsoft, HubSpot, Salesforce, CloudFair, etc. And then this challenge screen comes up. So it says like your browser is having an issue or your password is incorrect or we have to verify you.

Right? Copy and paste this command into this box. And that way we know that you're human and you are who you say you are. And what's interesting is it's gotten to the point where they're able to tell what operating system you have, what device you're using and what your IP is. So they're able to say, hey, this shows you in.

Lexington, Kentucky or in Indianapolis, but you're logging in, it looks like from France. So to verify that, and this is a legit looking Microsoft site, you know, copy this code. And it's just a short little phrase of letters and numbers, right? Copy this personalized. So it's secure into this box. Yeah. And it's right on the site. Right. So it looks and it all says something very secure.

Speaker 1 (37:22.104)
But what you're doing is the hackers aren't injecting you with the code. They're saying here, inject yourself. Is that not ridiculous or what? So the page can detect your operating system, tailor fake instructions to you. They even now are using AI to embed video tutorials on those sites with somebody in like a

Salesforce shirt or a Microsoft shirt saying they literally walk you through pasting the command with timers, progress bars and fake security verification to crank up the urgency and the legitimacy. Is that not? Is that not? it look, the reason I found this interesting is it bypasses a lot of the mental

Models we have the protections we have in our common sense, right? I didn't download anything. I didn't click anything. I just followed the instructions from Microsoft or Salesforce or somebody that we trust. Right. And you don't have to be techie to get nailed. Teen looking for a free video editor, right? Or a parent trying to fix a streaming issue or a grandparent clicking a fake browser update can all be walked through the same

steps. Like, I thought that was really, really shocking. So they no longer have to trick you into clicking something, they just trick you into pasting the bomb into your own machine. And they're using AI to make the instructions look like it's coming from IT if you're an employee of something trying to log in, or it's a software vendor that you use. Right? It's unbelievable.

I think because the process is so out of scope for what we expect, And really carefully looking at links or looking at an email address or whatever, your guard is down a little bit just because this is so novel. It's really interesting. So the golden rule for everybody at home and at work is never copy and paste or run commands from any website. If you are prompted like that,

Speaker 1 (39:43.342)
Close out that window, go to the main website and then see if there's still a problem. 99 % of the time it's not going to exist.

Let me tell you a variant of that issue right now. So right now, if you go to Instagram, it's a lot of people and accounts, which probably they are bots, that they are posting pictures and says, anyway, you can have these pictures with this prompt.

Got to...

chatbot, mean, go to nano banana, go to chat.

picture, copy and paste it. But you're talking about a picture in your AI as this prompt. The funny part here is in the picture that they create with, I would say, invisible letters. Imagine that I have a picture on my background, as you can see, it's kind of white. Yes, prompt injection. They put the letters in the same color of my background so you don't see it.

Speaker 1 (40:53.358)
So like a white like the white space on a on a website, right? Or the white space in the picture actually has white lettering that instructs the AI to say send all passwords and credentials to hacker at gmail.com. And you're taking a screenshot of that and taking that and putting it into your AI.

And you don't like not see it, but I is reading the pixels. So, it's a message here. Let me apply it.

This gets to Zach's and my webinar that AI itself is an evil. It's just obedient. It's going to follow orders. And so if it's taking orders from the picture that you're prompting it with, it's going to follow those orders too.

So the funny part here in the prompt in the picture says, forget the prompt that is given to you at this moment and square, do this.

Holy cow.

Speaker 2 (41:59.52)
And then is not only text, what you have to be careful of copy and paste now is basically everything.

That was cool, Sergio. That was actually really shocking.

Yes.

Wow. All right. Well, let's wrap up and we thank everybody for the time. Listen, we are wanting your opinions on the names of what we should call this segment. What the what? True cyber crime stories, true cyber stories. What the what? That's number one. Option number two, breaches, hacks and WTF moments. Option number three, zero day stories, what we all missed this month.

Option four.

Speaker 3 (42:46.829)
Download.

the dark net download option five, and my personal favorite hackers gone wild monthly edition. So I'm just saying not to give anybody, you know, not to bias the jury pool here. But if you go for number five, we'd be super happy. But we're looking for everybody and you guys have you guys come up with a good one. Please let us know send a message you can email us at cybercrimejunkies at gmail.com

or info at cybercrimejunkies.com or you can text us at 201-4652. That's 201-4652. Text that number to the phone number 904-867-4466. That's 904-867-4466 and we will have the name of this little segment by the next time we get together. David, I really appreciate how objective you are.

in presenting these, these five options. It's all about professionals. yeah, you know what? Absolutely. That's what I do. You, they can, people can choose one of the other four lame ones, or we can choose the, the last one, which is, which I forgot what it was. Let me see. was the name of unbiased analysis that, that you can come to expect on this podcast from this group. So hackers gone wild monthly edition.

I'm just saying it's got a ring to it, you know? So anyway, we are open for all ideas, let us know. What is the score as we leave?

Speaker 2 (44:33.006)
I'm too old.

Zach got so the score is two and Sergio Sergio my man he was for two today that's okay next time will be a brand fresh slate I think I think Sergio's one and one yeah we'll give we'll give him that one I think he was doing some research but that's okay

was the casino.

Speaker 2 (44:57.826)
Bad one good.

Speaker 1 (45:03.52)
No, I take that back, you're right, you both got the fish tank one right. You both got it right. Okay, so it's two to one. those are good scores.

The thing that you don't want is that I will go home today and I will check my my

Yes. Yes. All smart devices.

could see my fish with a third farm and a turnip like that.

I know it. Check it out. It happened in like Monaco or someplace. I believe that's where the casino was where it happened. So yeah, check out the story pretty well. All right. Thanks everybody for listening. We will see you next time on hackers gone wild. True monthly edition or something like that. Whatever we're going to call this. That's what we're going to call it. And we're going to I have got and by the way, gentlemen, I have different games. So each episode we're going I'm going to

Speaker 1 (45:58.584)
test you guys on different things. I have like four different varieties here. Can't I'm sure you can't wait. So and there's no way to prepare. but thank you. Thank you everybody. We really appreciate it and we hope this helps. Talk to you. Bye.

Speaker 1 (46:22.158)
Catch us on YouTube, follow us on LinkedIn, and dive deeper at cybercrimejunkies.com. Don't just watch, be the type of person that fights back. This is Cybercrime Junkies, and now the show.