The AirBnB booking that wasn’t.


Update: 2024-05-30

Digest

This episode of Hacking Humans dives into the world of social engineering scams, focusing on two key stories. Joe Carrigan discusses the Verizon Data Breach Investigation Report, highlighting the continued dominance of human error in breaches and the increasing reliance on web app credentials and phishing for initial access. He emphasizes the importance of multi-factor authentication and securing web apps behind VPNs. Maria Varmazis shares a listener's experience with Airbnb, where a fraudulent booking led to a confusing and frustrating dispute with the company. The listener's bank initially refunded the fraudulent charge but then reversed the refund after Airbnb provided evidence that included an incorrect IP address. This story raises concerns about Airbnb's handling of fraud claims and the potential for data manipulation. Dave Bittner then shares a story about a 21-year-old University of Miami student who was arrested for running a large-scale refund fraud operation. The student, Matt Bergwall, used hacked UPS employee accounts to facilitate fraudulent returns, earning over $5 million in a year. The episode concludes with a discussion about a McAfee scam email that used Google-generated text in an attempt to bypass email filters. The hosts discuss the increasing sophistication of social engineering scams and the importance of staying vigilant.

Outlines

00:00:12
Introduction

This chapter introduces the Hacking Humans podcast, which explores social engineering scams and their impact on organizations worldwide. The hosts, Dave Bittner and Joe Carrigan, are joined by N2K colleague Maria Varmazis, host of the T-Minus daily space podcast.

00:01:39
Follow-up and Listener Feedback

This chapter begins with a follow-up to previous episodes, including a listener's note about pursuing a degree inspired by the podcast and a discussion of a listener's feedback on a previous story about Chase alerts. The hosts emphasize the importance of using known-good phone numbers for communication in security-sensitive situations.

00:05:21
Verizon Data Breach Investigation Report

This chapter delves into the Verizon Data Breach Investigation Report, highlighting key findings about the human element in breaches, initial access vectors, and the motivations behind attacks. Joe Carrigan discusses the report's revised calculation of human involvement in breaches, the dominance of credentials and phishing for initial access, and the increasing exploitation of web app vulnerabilities. He also emphasizes the importance of securing web apps behind VPNs and avoiding exposing remote desktop connections to the internet. The chapter concludes with a discussion of the motivations behind data breaches, with money being the primary driver, and the increasing convergence of internal and external breach reporting due to new reporting requirements.

00:13:36
Social Engineering Tactics

This chapter focuses on the social engineering aspects of the Verizon Data Breach Investigation Report. Joe Carrigan discusses the prevalence of pretexting in attacks, the use of context in phishing emails, and the dominance of phishing and pretexting in social engineering breaches. He also highlights the reliance on email as the primary vector for attacks and the increasing sophistication of business email compromise scams.

00:21:57
Airbnb Fraudulent Booking

This chapter explores a listener's experience with a fraudulent Airbnb booking. Maria Varmazis shares a story about a listener who had a fraudulent booking made in his name, despite having changed his password and being located in a different country. The listener's bank initially refunded the charge but then reversed the refund after Airbnb provided evidence that included an incorrect IP address. The chapter discusses the potential for data manipulation by Airbnb and the challenges the listener faced in resolving the issue.

00:35:18
Refund Fraud Operation

This chapter focuses on a story about a 21-year-old University of Miami student who was arrested for running a large-scale refund fraud operation. Dave Bittner discusses the student's lavish lifestyle, his use of hacked UPS employee accounts to facilitate fraudulent returns, and the scale of his operation, which involved over 10,000 fraudulent returns and earned him over $5 million. The chapter explains the different techniques used in refund scams, including returning empty boxes, using disappearing ink, and manipulating order statuses through inside access.

00:45:15
McAfee Scam Email

This chapter discusses a McAfee scam email that used Google-generated text in an attempt to bypass email filters. Dave Bittner shares his experience with his mother receiving the email, and the hosts discuss the potential for AI-generated text to be used in phishing scams. They also discuss the increasing sophistication of social engineering scams and the importance of staying vigilant.

00:48:32
Conclusion

This chapter concludes the episode with a reminder to listeners to share their feedback and a thank you to the sponsors, KnowBe4 and the Johns Hopkins University Information Security Institute. The hosts also highlight the importance of staying informed about cybersecurity threats and the role of N2K CyberWire in providing valuable insights.

Keywords

Verizon Data Breach Investigation Report

An annual report published by Verizon that analyzes data breaches and provides insights into the causes, motivations, and trends in cybersecurity. The report is widely recognized as a valuable resource for security professionals and organizations.

Social Engineering

A type of attack that manipulates people into performing actions or divulging confidential information. Social engineering attacks often exploit human psychology and trust to gain access to systems or data.

Phishing

A type of social engineering attack that uses deceptive emails, websites, or other forms of communication to trick users into revealing sensitive information, such as passwords, credit card details, or personal data.

Business Email Compromise (BEC)

A type of phishing attack that targets businesses by impersonating executives or other high-level employees to trick employees into transferring funds or divulging sensitive information.

Refund Fraud

A type of fraud that involves deceiving retailers or online marketplaces into issuing refunds for products that were never returned or were returned empty or damaged. Refund fraud can be carried out through various methods, including manipulating tracking IDs, using disappearing ink, and gaining access to employee accounts.

McAfee

A cybersecurity company that provides a range of products and services, including antivirus software, endpoint security, and data loss prevention. McAfee is a well-known brand in the cybersecurity industry and its products are widely used by individuals and businesses.

AI-generated Text

Text that is created using artificial intelligence (AI) algorithms. AI-generated text can be used for a variety of purposes, including creating content, translating languages, and writing code. However, it can also be used for malicious purposes, such as creating phishing emails or spreading misinformation.

Multi-factor Authentication (MFA)

A security measure that requires users to provide multiple forms of authentication before granting access to an account or system. MFA adds an extra layer of security by making it more difficult for attackers to gain unauthorized access, even if they have stolen a password.

VPN

A virtual private network (VPN) is a technology that creates a secure connection over a public network, such as the internet. VPNs encrypt data and route it through a secure server, making it more difficult for attackers to intercept or eavesdrop on communications.

Airbnb

An online marketplace that connects travelers with hosts who offer short-term rentals of their homes, apartments, or other properties. Airbnb has become a popular alternative to traditional hotels and has grown significantly in recent years.

Q&A

  • What are the key findings of the Verizon Data Breach Investigation Report?

    The report highlights the continued dominance of human error in breaches, the increasing reliance on web app credentials and phishing for initial access, and the motivations behind attacks, with money being the primary driver.

  • What are some of the most common initial access vectors used by attackers?

    The report identifies web app credentials, phishing, web app vulnerabilities, RDP credentials, and VPN credentials as the most common initial access vectors.

  • What are some ways to mitigate the risk of data breaches?

    The report recommends implementing multi-factor authentication, securing web apps behind VPNs, and avoiding exposing remote desktop connections to the internet.

  • What are some common techniques used in refund scams?

    Refund scams often involve returning empty boxes, using disappearing ink, and manipulating order statuses through inside access.

  • How can individuals protect themselves from refund scams?

    While individuals can't directly prevent refund scams, they should be aware of the risks and report any suspicious activity to the retailer or online marketplace.

  • What are some of the challenges faced by victims of Airbnb fraud?

    Victims may face difficulty in getting refunds from Airbnb, even when they have provided evidence of fraudulent activity. Airbnb's handling of fraud claims can be confusing and frustrating for victims.

  • How can AI-generated text be used in phishing scams?

    AI-generated text can be used to create more convincing phishing emails that are less likely to be detected by email filters.

  • What are some tips for staying vigilant against social engineering scams?

    Be cautious of unsolicited emails, phone calls, or messages, especially those that ask for personal information or request urgent action. Verify the identity of the sender before clicking on links or opening attachments. Be aware of the common techniques used in social engineering attacks, such as pretexting and phishing.

  • What is the role of N2K CyberWire in the cybersecurity landscape?

    N2K CyberWire provides valuable insights and commentary on cybersecurity threats, helping organizations stay informed and ahead of the curve.

Show Notes

This week we are joined by Maria Varmazis, host of the N2K daily space show, T-Minus. Maria shares an interesting story from a listener, who writes in about an AirBnB debacle he was dealing with. Joe shares the newly released 2024 Data Breach Investigations Report from Verizon. Dave shares a story from New York Magazine, written by Ezra Marcus, on a college sophomore from the University of Miami who was found to be tangled up in a refund fraud scam that granted him a lavish lifestyle. Our catch of the day comes from Joe's mother this week. She happened to receive an email with the subject line "your order is confirmed," coming from what looks to be "McAfee."

Please take a moment to fill out an audience survey! Let us know how we are doing!

Links to the stories:


You can hear more from the T-Minus space daily show here.

Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com.


N2K Networks