December 27, 2022 • 27 mins
Every click matters in the digital world, especially when cybercriminals are crafting increasingly sophisticated traps. Our latest deep dive into the murky waters of phishing, smishing, and digital deception reveals just how creative scammers have become—and how easily anyone can fall victim.<br><br>The team shares recent encounters with text message scams promising everything from free Home Depot gift cards to notifications about packages supposedly delivered to wrong addresses. These messages seem legitimate at first glance, but a closer look reveals suspicious URLs completely unrelated to the companies they claim to represent. What happens when you click these links? At minimum, scammers collect valuable personal information; at worst, they establish live connections to your device, allowing them to extract data or maintain persistent access to your digital world.<br><br>Nick's cautionary tale about nearly losing $4,000 on an eBay camera purchase demonstrates that even experienced security professionals must remain vigilant. The scammer had compromised a legitimate seller's account, posted attractive listings, and even provided real tracking numbers purchased online—all to create the illusion of a legitimate transaction. Only by using multiple layers of protection through PayPal and a credit card, plus proactive verification with shipping companies, was Nick able to recover his money.<br><br>The conversation extends beyond text messages to sophisticated email phishing attempts mimicking legitimate services like Norton LifeLock and Geek Squad. These messages feature convincing order confirmations, activation keys, and professional layouts designed to trick you into revealing personal information or downloading malicious attachments. Perhaps most alarming are voice phishing attacks where callers attempt to establish remote connections to victims' computers using legitimate tools like TeamViewer, creating serious ongoing security risks.<br><br>Protect yourself by scrutinizing sender addresses, using credit cards instead of debit cards for online purchases, employing dedicated password managers rather than saving credentials in browsers, and maintaining healthy skepticism toward unexpected communications. Remember: if an offer seems too good to be true or an urgent request doesn't feel quite right, trust your instincts—your digital security depends on it.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Eric Brown (00:05):
You're listening to the Audit presented by IT Audit
Labs.
Mandi Rae (00:16):
Hello and welcome to the Audit by IT Audit Labs Today
.
I'm joined by Kyle and Nick.
We're going to review socialengineering fishing, smishing
and other trickery.
Hey guys, how are you thisafternoon?
Nick Mellem (00:33):
Good Mandy, how are you?
Mandi Rae (00:35):
Pretty good, thanks.
What's the agenda for today?
Nick Mellem (00:40):
So today we put together kind of the whole team
here collectively put togethersome examples of some different
fishing smishing, some goodfishing examples that we've seen
in just the past couple ofweeks.
Just going to run through someof that and a couple of stories
we have, so should be a good one.
We'll kick it off here.
We are going through thissmishing the SMS messaging.
(01:02):
We have a couple examples here,but what we've been seeing
recently is messages and I'msure many people that are
listening to this they'regetting these as well.
You're the ones that log intoyour Netflix account or your
package has been delivered fromAmazon and it's got a link and
it's pretty clear on these thatit's not from who it says it's
(01:23):
from.
And the first dead giveaway isthe URL is not right.
Let's say it's not from who itsays it's from.
The first dead giveaway is theURL is not right.
Let's say it's from Home Depot.
If you want to get this $100free Home Depot gift card, the
URL that it's going to hasnothing to do with Home Depot.
Mandi Rae (01:40):
Yokohama was a big giveaway.
Nick Mellem (01:42):
Yeah exactly.
I guess for us it's kind ofcomical.
Right Like this other one thatsays your package has been
delivered is from like US-PSU,it's just totally off right, and
iPhone has done a pretty goodjob recently because it even has
a report as junk, so they'rethinking it's fake as well.
Kyle Rosendahl (02:05):
Yeah, and when we talk about this too, right, I
mean, most of us are, I think,familiar, specifically when we
work in cybersecurity with youknow what phishing is.
But I mean, essentially, thesepeople are just trying to get
you to click the link or respondto them in some regard.
Click the link or respond tothem in some regard, and
(02:28):
typically Nick, then what arethey trying to get you to do
after that point?
Right, Because you or I orMandy here, we mostly recognize
that these are fake.
They're not real.
They're saying they're going togive you free money, or they're
saying, hey, look out, yourpackage went to somebody else's
house, click here to fix itmoney.
Or they're saying, hey, youknow, look out your package went
to somebody else's house, clickhere to fix it.
(02:51):
But why are people sendingemails out like this, Like what
is their goal in trying to getpeople to click?
Nick Mellem (02:53):
I think the fairly quick, short answer is they need
a reaction to their action.
Right, they're sending this outand they need a reaction from
us.
So as soon as we make thatconnection right, a couple of
things are going to happen.
Either you're going to go to alanding page and you're going to
put personal information in totry to get this gift card or
figure out where your package is.
That could range from an emailto hopefully you're not putting
(03:16):
any person identifiableinformation, but they're looking
for that.
Or, and probably the worst part, is they're looking to make an
actual connection with yourmachine.
So those are that's typically,I think, what they're looking
for and the one connection withthe machine.
Then you know you could have alive person on the other end.
(03:36):
That's getting an actualnotification that says you know
we've connected with nick'scomputer or phone and they have
a live connection.
They can extract data oractively, you know, have a
session with the machine andtake off what they want.
Mandi Rae (03:49):
Gotcha yeah, crazy, because they're either
insinuating you won something orthey're insinuating like
there's there's something thatwe have of yours, that that we
need you to take action on right, trying to catch you off guard
and also entice you it's reallyyeah, it's really a play on
emotions, right, because who'snot going to get excited about
(04:12):
getting a free home depot giftcard?
Nick Mellem (04:14):
we've seen plenty of these with an itunes gift
card, right?
A lot of us we you know instantgratification.
If you're going to getsomething, especially a hundred
dollar gift card to something,you're probably going to jump on
there and finish this quicksurvey, unless you've been
trained or understand that thisis fake.
Kyle Rosendahl (04:30):
In most cases, are they trying to do malware
onto the computer, right, as wethink about those kind of
malicious pop-ups that you runinto on websites where, hey,
we're going to lock yourcomputer unless you give us
something.
Are they looking for thatremote connection?
Are they just looking foradditional information?
Are they looking to, I mean,extort money in some way?
I mean, I think, if you've seensome of the videos out on
(04:53):
YouTube of these people who goin and, you know, kind of scam
the scammers and will createkind of reverse tunnels back
into their kind of scam callcenter or tech centers or
whatever it happens to be, itlooks like there's a pretty big
operation to.
You know, we're going to collectmoney via Amazon gift cards.
You know, go to your Walgreens,buy an Amazon card, come back
(05:15):
here, give me the code and thenI'll take it, get the money off
of it and then kind of leave youwith nothing.
But are they doing that just asa monetary gain or are they
trying to collect more than thatfrom just kind of typical
individuals?
Or does it just go on like acase-by-case basis?
Nick Mellem (05:34):
Yeah, my personal opinion is it's a case-by-case
basis right.
They're going to take what theycan get, right, and that could
be exactly what you'reexplaining.
I recently well, not recently,it's a few years ago I had
somebody that I worked with gota phishing email and in the
email it was a phishing scam andit was really spoofing our
(05:56):
manager, or one of the managers,I should say.
And the email was saying hey,I'm in a meeting right now, so
don't shoot me a text message,or anything like that.
The email was saying hey, I'min a meeting right now, so don't
shoot me a text message, oranything like that.
But I want to surpriseeverybody at our company meeting
later with 10 $100 gift cardsto iTunes.
Well, she falls for this andgoes and gets these gift cards.
In the email it also saysscratch off the back, write the
(06:20):
code and send them to me.
Luckily, before she does this,she sees this person and gives
them the 10 gift cards and then,from that point, they're
confused on why they have thegift cards.
So there's your monetary valuethat you know.
If it's going to come in a formof money, cash or whatever it
is gift cards they're going toget that $100, or, in this case,
(06:42):
$1,000, to iTunes gift cards.
Mandi Rae (06:44):
they're going to get that $100 or in this case $1,000
to iTunes Right, and maybethat's the important point here
for non-technical folks,clicking on it is the first
no-no, but if you do that and ifyou get further activity, no
one should ever need the data onthe back of a Visa gift card or
on gift card, unless it's fornefarious purposes.
Nick Mellem (07:07):
Yeah, and I think and this goes into different
ways Of being able to protectyourself I recently had An eBay
transaction.
I did and this is roughly acouple months ago but when I was
going into this I waspurchasing a camera and when I
was doing it, I was talking tomy wife and I said, well, this
(07:27):
is either the best deal ever orit's going to turn into a really
good podcast topic.
Well, it turns out it was agood podcast topic because it
was fake.
I went round and round withthis person after I had made the
purchase and contacted.
The moral of this whole storyif I'm backtracking one second
(07:50):
is that you really want to useand protect yourself with using
a credit card and PayPal.
It was, in this instance, whatsaved me.
So I went to this comfortableknowing that I did that.
But when I'm talking to thisperson, they're sending me
tracking codes so I can trackthis package.
And when I'm tracking thepackage, it's saying it's going
(08:10):
to somebody else's house, right?
So in this example, I was ableto clear up and get my all my
money back by using these coupleof protections, by using eBay
and PayPal.
And the third was I used anApple credit card and they sent
me my money back instantly andthen a month later PayPal
(08:31):
reached back out and said thatthis was a scam.
So they all don't come hiddenin a text message.
It could be something that isliterally just on eBay for you
to purchase and you fall intotheir trap and purchase it Right
.
So they're really coming at usfrom all different directions.
But that was just a quick,quick story I had of recent
(08:52):
purchase on eBay that actuallyended up being a scam.
Mandi Rae (08:56):
So to dig in a little deeper, Nick was the actual
scam part, so you did buysomething from a legitimate
seller.
Nick Mellem (09:04):
Yep.
Mandi Rae (09:05):
And where did this scam come in?
Nick Mellem (09:15):
Yeah, so what had happened here is the seller on
here's account was actuallybreached, so somebody was in
between right.
This person's account was beingused by a malicious actor.
They put some pictures of acamera up that they don't
actually have on somebody else'seBay account.
So the scam was to get you tobuy this account, hopefully wait
a certain amount of days andwait for PayPal to release the
funds to this person, and thenyou never see it again.
Mandi Rae (09:39):
So then, when you tracked this tracking number
that you were given, it wasactually a legitimate tracking
number for a package unrelatedto your purchase.
Yep correct, so I had gotten it, but that's what triggered you.
Nick Mellem (09:52):
Well, I was kind of , you know, I was on edge extra
throughout this whole process,obviously because I was, you
know, thinking it was way toocheap to be real.
But when I was getting giventhese tracking numbers, I called
FedEx right right away and Isaid I know you're not going to
tell me where this package isgoing, but can you verify the
address?
I'll verify my address and youcan tell me if it's coming in
(10:13):
there or not.
So every time I did that itwasn't coming to my address, it
was going to one that was, youknow, in my proximity, but so
that's what it looked like.
It was out for delivery in youknow that certain city, so you
wouldn't track on her.
You know track on what they hadright away.
But by calling I was able toverify that it was a scam,
(10:35):
because you can actively buymalicious actors can actively
buy actual track numbers online,and that's what this person was
doing.
They had purchased, you know,multiple active, different
tracking numbers that wereactually being shipped during
this whole process.
So it looked very legitimate ifyou, you know, didn't have some
extra training or knowledge onwhat's actually happening.
Mandi Rae (10:59):
Did you get your money back?
Nick Mellem (11:01):
I did Yep.
So PayPal worked with thisperson and they didn't release
the funds.
And what actually happens withPayPal is they don't release the
funds to a lot of eBay sellersfor five to seven business days.
So I had notified them like twoor three days after, so they
(11:22):
put the money on hold.
I had notified them like two orthree days after, so they put
the money on hold and they gavethis person I think it was 20
days to respond.
They didn't respond, so theyreleased the money back to me.
The second part of it wasGoldman Sachs is the holder for
the Apple card and during thistime they released the money
(11:44):
back to me and when the moneywas released back from PayPal,
the refund was complete.
It all worked out in the end.
Mandi Rae (11:55):
That's good to hear with your circumstance, because
it's not always how thesesituations play out.
Nick Mellem (12:02):
Yeah, I'd say most of the time it's unfortunate,
but if people aren't gettingtheir money back, they've fallen
into the trap and you knowtheir money is gone and
hopefully it's not a whole bunchof money like this was.
This is just.
This is roughly like $4,000.
So it wasn't cheap at all, buta lot of times it's a much lower
amount of money.
But you know they do it sooften that people just they're
(12:25):
not getting their money back.
Right, but it adds up over time.
So I had another one that cameup as well.
I thought this was kind ofinteresting and this was an
actual fraud on my credit card.
So one of the days I was athome and my wife and I we both
work from home and she I gotthis email that says thanks for
(12:48):
your panera order.
And in doing this I go to mywife and ask if she had ordered
panera bread.
Turns out she didn't.
So then I call this panerabread and I let them know that
we didn't order this and tocancel it.
Well, the way I figured this outwas is looking at the actual
(13:11):
email here.
It shows the address.
Well, it's in Indianapolis.
I was in Minneapolis at thetime, so you know.
After that I called my bank USAand had them cancel the credit
card, but to this day I stilldon't know how my card was
stolen.
This is a little while ago inJanuary or in June, excuse me
and I just had my credit cardreplaced, but it was a very, you
(13:33):
know, it was an active timewhere credit card had been
stolen and it was a debit card,which is a little bit scarier.
So that was another one of mypoints before is to use a credit
card whenever you can, becauseit's a lot easier there to work
with your credit card companyversus debit card money.
Mandi Rae (13:49):
Yeah, I think we learned about that too.
It was an important point thatEric made in previous podcasts.
The personal informationsecurity.
These are exactly the kinds ofthings that you're trying to
avoid when you know protectingyourself, your credit, your
passwords, your logins, etcetera.
Nick Mellem (14:10):
Yeah, thanks for bringing that up.
I was actually going to mentionthat I believe Eric did bring
that up before about using acredit card whenever you can.
So, yeah, thanks for doing that.
We had a couple other phishingexamples that I think, mandy,
you had sent in and you knowthese are similar to the ones
we've been talking about on thisepisode about different links
(14:32):
with the emails to clicking on,and this one here is actually
from Susan, with a couplekissing lips, and I was wanting
you to click on this link herefor a webcam to meet some
specific people, mind you, Ididn't know Susan.
Mandi Rae (14:53):
I didn't click to see her private parts.
Kyle Rosendahl (14:58):
I feel like you see a lot of these online too.
I mean, there's the whole likememe across the internet too,
where it's like oh, when I hadmy ad blocker on right, all the
hot singles in my areadisappeared.
So you know, once I turned myad blocker off, all of a sudden
they found me again.
Mandi Rae (15:15):
Does that mean the hot singles in your area are
spoofs and bots?
Kyle Rosendahl (15:20):
Apparently, yeah , when it comes to my free email
inbox, yeah, um, but no, I mean, it's such fascinating stuff
because, like, you'll see theseor you'll see other ones that
are like you know, check out my,you know, add me on instagram
or add my snapchat, and you knowthere are these links to these
pages and these profiles thatit's like, oh, oh, there's this
(15:46):
beautiful model on this page andyou know it's fake, right?
And you know they're trying toget your money.
They're trying to get you toconnect and talk to them so they
can either get you to connectback or, oh, just pay me, I'm
trying to get my business offthe ground.
Can you get me a Google PlayStore $50 gift card, right?
Or go to this link andsubscribe to this and I'll send
(16:08):
you this stuff, right?
I mean, it's all just so likeexploitive, but, at the same
time, like you know that theseprofiles that they're building
out there are just fake, I justreally wonder, like, how
effective these scams are,because I would never click on a
link like this that I just getin my email from someone I don't
know, but you wonder how manypeople actually click on these
(16:31):
things and then what types ofdata they're collecting on you.
Once you click, are theypulling stuff from your browser?
And then what's their goalafter that?
Do they just want you on thewebcam page?
Are they trying to do more?
I don't know.
It's fascinating stuff.
Mandi Rae (16:49):
It's super fascinating, especially when I
think, like, how did they get myinformation?
I can promise you, in thisemail account I'm not doing
anything to solicit any Susanswhen it came to being offered
like the DeWalt power tool oranything like that, I am
renovating a home and somehowthey must have got my
(17:11):
information.
And this was really relevant tome and what I was doing on the
internet, what I was buying, andthat in itself is kind of
invasive and scary also.
Nick Mellem (17:22):
Yeah, these are great examples, and I I'm
laughing at the susan one againhere, because because, going
back to what kyle was saying,how many people actually click
on this?
Right, I'm not thinking, wow,I'm gonna click on this and I'm
gonna meet a bunch of people,but I'm I'm guessing there's
people out there out there thatdo fall for this and they click
on this and it brings them tosome sort of website that's
(17:43):
probably malicious and that'syou know.
They're getting their personalidentifiable information, but
absolutely.
Mandi Rae (17:51):
I remember it must have been in 2012.
I'm kind of dating myself, butbefore smishing was prevalent
and fishing wasn't as well.
I guess I feel like those of usthat weren't in the tech
community weren't as educatedabout phishing attempts.
I received one of those linkswhere you click on it and it
(18:11):
turns on your webcam and ittakes a picture of you and I was
making the world's most awfulface ever because I'm like
looking at my computer, likewhat are you doing?
Like just not understandingwhat's happening.
And then it goes into thattimer and it's showing you that
horrible image of yourself itcaptured and it's saying it
(18:34):
wants money to make it go away.
This is just kind of that nextlevel what people are doing.
Nick Mellem (18:38):
I'm actually glad you brought that up, mandy,
because that triggered anotherstory in my head.
I know this went around, Ithink maybe five or six years
ago, where you know peoplehadn't, you didn't have to be on
some sort of adult website butyour computer is physically
being locked and said the FBI isgoing to contact you because
you're on some wanted list forsome sort of pornography or
(19:00):
something of the nature.
Well, people were paying theransom because it gave you the
option you can pay the ransom orthe fbi is going to contact you
.
Well, I believe it.
Mandi Rae (19:11):
If you're guilty, I would have paid money.
But that picture I was likethis isn't so bad.
What's the worst you're gonnado?
I didn't give them anything in?
Nick Mellem (19:17):
this instance, it was like you know the person
they're interviewing was a cheat, was a teacher, right?
So obviously those two don'tmix, so this person actually
paid the ransom.
I it was like you know, theperson they're interviewing was
a teacher, right?
So obviously those two don'tmix, so this person actually
paid the ransom.
I think it was $10,000.
But you bringing it up sparkedthat.
Mandi Rae (19:33):
Scary situations.
Don't click on things and don'tpay people money unless you
know who they are.
It's the moral of our story.
Nick Mellem (19:40):
Exactly, and you know there's plenty of these
different.
Hey, congratulations.
It looks like it's coming fromlooking at an example here from
cole's, some sort of ninja foodgrill.
Well, you know, it looks legit,but if you look around a little
bit more right, the emailaddress might be off.
But there's a lot, a lot ofthings that look weird, um, you
(20:02):
know.
So what we're getting at isdon't click the link if you
don't know.
Mandi Rae (20:06):
Ask right before you, before you do anything if it
looks sketchy, it's definitelyprobably too good to be true yep
, I think you're spot on there.
Nick Mellem (20:17):
I'm looking at this example right here.
It just says thecongratulations on the cole's
one and you know the font seemsa little bit off.
But other than that, like right, if you're not somebody that's
in the industry or looking, thisone looks pretty real.
Mandi Rae (20:31):
I'd say I think one of the best educations I ever
received is going back up andlooking at the sender Right I
think one of the ones you showedearlier in terms of the
smishing.
I think one of the ones youshowed earlier in terms of the
smishing.
It was very obvious that thesender was not Home Depot.
Nick Mellem (20:50):
Yeah.
Mandi Rae (20:50):
And I think nine times out of ten, that's the way
.
It's the easiest way to discernif it's true or not.
Nick Mellem (20:56):
Right, yeah, say, you're on your computer, you can
hover over the sender and itwill actually reveal where you
came from.
You can hover over the senderand it will actually reveal the
name from.
Well, one of the examples wehave here too is from Norton,
lifelock that it was saying youknow the subscription is going
to be up, you know pay your bill.
Well, if you look at the actualsender, it came from a random
person's name at Yahoocom.
(21:19):
Well, norton is not sendingfrom a personal, personal email,
so that was the dead giveawaythere.
Um, and if you actually callthe number, which I did do on
here, it goes to some foreignlocation help center and as soon
as you start to kind of playtheir game, they generally they
hung up on me.
Mandi Rae (21:37):
So I started receiving something similar like
this norton lifelock.
One is another one whereaesthetically it looks
legitimate, but in some of thekeys you've given us it's A.
I didn't make this purchase.
I wasn't expecting an orderconfirmation, right.
B.
Where is this coming from?
Hovering over who sent it?
I've been receiving a lot ofdifferent phishing attempts from
(22:00):
customers.
What's the geek squad?
oh, sure, yep where, just likeyou're mentioning the things,
the logo looks a little off.
The sender isn't legitimate,but it actually wants me to
download an attachment.
It's saying it's my invoice andI know I don't use geek squad
because I have kyle and nick'scell phone numbers.
So obviously I reported it asphishing and deleted it.
Nick Mellem (22:23):
But I could see how that one would be tricky too oh
yeah, and I mean they're reallytripping you up here because I
know we've said it a few timesand it's mandy, what it's like
what you're saying.
But when you look at thisnorton life lock one, you know
it's a very legitimate lookingorder summary.
There's an order number,activation key.
I mean it's, it looks real.
If I didn't make this purchaseand didn't know right away,
(22:46):
anybody could think that this is.
We had spoke before about, youknow, making the connections to
people's computers.
Yeah, that's something you dowith alliances.
Is there anything you can speakto on that?
Kyle Rosendahl (23:05):
Is there anything you can speak to on
that?
Yeah, I mean, I think ithappens more with, like those
voice phishing attacks, right,if someone's calling you on your
phone and you pick up and theysay hey, you know, I'm from the
extended warranty center foryour car.
You know, can you tell me whatkind of car you have, what year
is it?
You know?
Confirm your phone number forus.
And now you know we're going tolook up your car.
(23:27):
Oh, you're, you're able to getthis, but we need to get some
additional info.
Like we can connect to youremotely and, you know, help you
find that information on yourcomputer if that would be
helpful.
And they'll have you go to asite like TeamViewer and it's a
free service that provides thatremote connection to a computer.
So it's not a paid service,there's a free version.
(23:51):
They'll have you download it,run an agent on your computer
and then they'll say okay, nowread me your six-digit code that
we know is on the screen there.
You'll give that to them.
They'll use that to initiate aconnection from wherever they
are if they happen to besomewhere in Southeast Asia or
in India, which is typically thetwo places they connect from
and then they'll ask you to givethem control over your computer
(24:14):
and then from there they candump files, they can pull stuff
off, they can do things, youknow, kind of whatever they want
remotely on your workstation.
So that's typically what theytry to get you to do.
And you know I'll talk withthem on the phone and just kind
of see what they're after, justfor fun, just to get a better
(24:36):
understanding of how thesethings work.
But yeah, downloading anything,I mean pretty much no one that
calls you on the phone shouldever be asking you to, you know,
download a piece of software sothey can connect remotely, I
mean, unless you know it's partof a business that you work for
or anything specific right, butI would never download anything.
That's, someone on the otherside of the phone that I've
(24:57):
never talked to in my lifebefore tells me to do so well,
yeah, no, that was great.
Nick Mellem (25:02):
Thank you for that.
I think, uh, and the two of thekind of scary thing about that
is, once you've made thatconnection, they can pin that
and it's, you know, until youkeep that computer off, right,
it's, they can jump back on ittechnically whenever they want.
So it does make it a little bitadded.
It's a little bit more scarythat way because if they can
(25:22):
jump back on, they can dowhatever they want later.
Little bit more scary that waybecause if they can jump back on
, they can do whatever they wantlater.
Pull that information, you know, look at your recent browser
history, you know, and startsending specific targeted
phishing emails or something ofthe nature.
Mandi Rae (25:34):
Or this is just another good example of how we
talked about earlier a bestpractice would be not saving
your username or your passwordin your web browser.
Although we get it's soconvenient, it's really
essential to use a passwordmanager because in circumstances
like you guys are talking about, if someone has access to your
(25:54):
home or work PC via that teamviewer, they could go back in
and that's where they could domalicious activity and it'd be
really easy for them.
Nick Mellem (26:05):
Yeah, absolutely Password managers.
Whenever possible, Don't saveit in your browser.
Mandi Rae (26:11):
Well, I think this concludes our podcast on just
being aware of phishing,smishing and other web trickery.
To find out more, you can visitus on itauditlabscom.
We're also on all the socialsand we have other podcasts, if
(26:31):
you haven't checked us outbefore, that talk a lot about
personal information security,best practices and things to
watch out for.
Any closing comments.
Nick or Kyle.
Kyle Rosendahl (26:47):
Nope, nothing for me, just appreciate
everybody being here.
Mandi Rae (26:51):
No, nothing for me.
Thanks everyone.
Thanks for your time today.
We hope to see you again onanother episode of the Audit by
IT Audit Labs.
Eric Brown (26:59):
IT Audit Labs assesses security, risk and
compliance.
Our threat assessments find thesoft spots before the bad guys
do.
Whether you are looking for apoint solution or a broader
security program, contact ITAudit Labs to reduce your
organizational risk.
You're listening to the Audit presented by IT Audit
Labs.
Mandi Rae (00:16):
Hello and welcome to the Audit by IT Audit Labs Today
.
I'm joined by Kyle and Nick.
We're going to review socialengineering fishing, smishing
and other trickery.
Hey guys, how are you thisafternoon?
Nick Mellem (00:33):
Good Mandy, how are you?
Mandi Rae (00:35):
Pretty good, thanks.
What's the agenda for today?
Nick Mellem (00:40):
So today we put together kind of the whole team
here collectively put togethersome examples of some different
fishing smishing, some goodfishing examples that we've seen
in just the past couple ofweeks.
Just going to run through someof that and a couple of stories
we have, so should be a good one.
We'll kick it off here.
We are going through thissmishing the SMS messaging.
(01:02):
We have a couple examples here,but what we've been seeing
recently is messages and I'msure many people that are
listening to this they'regetting these as well.
You're the ones that log intoyour Netflix account or your
package has been delivered fromAmazon and it's got a link and
it's pretty clear on these thatit's not from who it says it's
(01:23):
from.
And the first dead giveaway isthe URL is not right.
Let's say it's not from who itsays it's from.
The first dead giveaway is theURL is not right.
Let's say it's from Home Depot.
If you want to get this $100free Home Depot gift card, the
URL that it's going to hasnothing to do with Home Depot.
Mandi Rae (01:40):
Yokohama was a big giveaway.
Nick Mellem (01:42):
Yeah exactly.
I guess for us it's kind ofcomical.
Right Like this other one thatsays your package has been
delivered is from like US-PSU,it's just totally off right, and
iPhone has done a pretty goodjob recently because it even has
a report as junk, so they'rethinking it's fake as well.
Kyle Rosendahl (02:05):
Yeah, and when we talk about this too, right, I
mean, most of us are, I think,familiar, specifically when we
work in cybersecurity with youknow what phishing is.
But I mean, essentially, thesepeople are just trying to get
you to click the link or respondto them in some regard.
Click the link or respond tothem in some regard, and
(02:28):
typically Nick, then what arethey trying to get you to do
after that point?
Right, Because you or I orMandy here, we mostly recognize
that these are fake.
They're not real.
They're saying they're going togive you free money, or they're
saying, hey, look out, yourpackage went to somebody else's
house, click here to fix itmoney.
Or they're saying, hey, youknow, look out your package went
to somebody else's house, clickhere to fix it.
(02:51):
But why are people sendingemails out like this, Like what
is their goal in trying to getpeople to click?
Nick Mellem (02:53):
I think the fairly quick, short answer is they need
a reaction to their action.
Right, they're sending this outand they need a reaction from
us.
So as soon as we make thatconnection right, a couple of
things are going to happen.
Either you're going to go to alanding page and you're going to
put personal information in totry to get this gift card or
figure out where your package is.
That could range from an emailto hopefully you're not putting
(03:16):
any person identifiableinformation, but they're looking
for that.
Or, and probably the worst part, is they're looking to make an
actual connection with yourmachine.
So those are that's typically,I think, what they're looking
for and the one connection withthe machine.
Then you know you could have alive person on the other end.
(03:36):
That's getting an actualnotification that says you know
we've connected with nick'scomputer or phone and they have
a live connection.
They can extract data oractively, you know, have a
session with the machine andtake off what they want.
Mandi Rae (03:49):
Gotcha yeah, crazy, because they're either
insinuating you won something orthey're insinuating like
there's there's something thatwe have of yours, that that we
need you to take action on right, trying to catch you off guard
and also entice you it's reallyyeah, it's really a play on
emotions, right, because who'snot going to get excited about
(04:12):
getting a free home depot giftcard?
Nick Mellem (04:14):
we've seen plenty of these with an itunes gift
card, right?
A lot of us we you know instantgratification.
If you're going to getsomething, especially a hundred
dollar gift card to something,you're probably going to jump on
there and finish this quicksurvey, unless you've been
trained or understand that thisis fake.
Kyle Rosendahl (04:30):
In most cases, are they trying to do malware
onto the computer, right, as wethink about those kind of
malicious pop-ups that you runinto on websites where, hey,
we're going to lock yourcomputer unless you give us
something.
Are they looking for thatremote connection?
Are they just looking foradditional information?
Are they looking to, I mean,extort money in some way?
I mean, I think, if you've seensome of the videos out on
(04:53):
YouTube of these people who goin and, you know, kind of scam
the scammers and will createkind of reverse tunnels back
into their kind of scam callcenter or tech centers or
whatever it happens to be, itlooks like there's a pretty big
operation to.
You know, we're going to collectmoney via Amazon gift cards.
You know, go to your Walgreens,buy an Amazon card, come back
(05:15):
here, give me the code and thenI'll take it, get the money off
of it and then kind of leave youwith nothing.
But are they doing that just asa monetary gain or are they
trying to collect more than thatfrom just kind of typical
individuals?
Or does it just go on like acase-by-case basis?
Nick Mellem (05:34):
Yeah, my personal opinion is it's a case-by-case
basis right.
They're going to take what theycan get, right, and that could
be exactly what you'reexplaining.
I recently well, not recently,it's a few years ago I had
somebody that I worked with gota phishing email and in the
email it was a phishing scam andit was really spoofing our
(05:56):
manager, or one of the managers,I should say.
And the email was saying hey,I'm in a meeting right now, so
don't shoot me a text message,or anything like that.
The email was saying hey, I'min a meeting right now, so don't
shoot me a text message, oranything like that.
But I want to surpriseeverybody at our company meeting
later with 10 $100 gift cardsto iTunes.
Well, she falls for this andgoes and gets these gift cards.
In the email it also saysscratch off the back, write the
(06:20):
code and send them to me.
Luckily, before she does this,she sees this person and gives
them the 10 gift cards and then,from that point, they're
confused on why they have thegift cards.
So there's your monetary valuethat you know.
If it's going to come in a formof money, cash or whatever it
is gift cards they're going toget that $100, or, in this case,
(06:42):
$1,000, to iTunes gift cards.
Mandi Rae (06:44):
they're going to get that $100 or in this case $1,000
to iTunes Right, and maybethat's the important point here
for non-technical folks,clicking on it is the first
no-no, but if you do that and ifyou get further activity, no
one should ever need the data onthe back of a Visa gift card or
on gift card, unless it's fornefarious purposes.
Nick Mellem (07:07):
Yeah, and I think and this goes into different
ways Of being able to protectyourself I recently had An eBay
transaction.
I did and this is roughly acouple months ago but when I was
going into this I waspurchasing a camera and when I
was doing it, I was talking tomy wife and I said, well, this
(07:27):
is either the best deal ever orit's going to turn into a really
good podcast topic.
Well, it turns out it was agood podcast topic because it
was fake.
I went round and round withthis person after I had made the
purchase and contacted.
The moral of this whole storyif I'm backtracking one second
(07:50):
is that you really want to useand protect yourself with using
a credit card and PayPal.
It was, in this instance, whatsaved me.
So I went to this comfortableknowing that I did that.
But when I'm talking to thisperson, they're sending me
tracking codes so I can trackthis package.
And when I'm tracking thepackage, it's saying it's going
(08:10):
to somebody else's house, right?
So in this example, I was ableto clear up and get my all my
money back by using these coupleof protections, by using eBay
and PayPal.
And the third was I used anApple credit card and they sent
me my money back instantly andthen a month later PayPal
(08:31):
reached back out and said thatthis was a scam.
So they all don't come hiddenin a text message.
It could be something that isliterally just on eBay for you
to purchase and you fall intotheir trap and purchase it Right
.
So they're really coming at usfrom all different directions.
But that was just a quick,quick story I had of recent
(08:52):
purchase on eBay that actuallyended up being a scam.
Mandi Rae (08:56):
So to dig in a little deeper, Nick was the actual
scam part, so you did buysomething from a legitimate
seller.
Nick Mellem (09:04):
Yep.
Mandi Rae (09:05):
And where did this scam come in?
Nick Mellem (09:15):
Yeah, so what had happened here is the seller on
here's account was actuallybreached, so somebody was in
between right.
This person's account was beingused by a malicious actor.
They put some pictures of acamera up that they don't
actually have on somebody else'seBay account.
So the scam was to get you tobuy this account, hopefully wait
a certain amount of days andwait for PayPal to release the
funds to this person, and thenyou never see it again.
Mandi Rae (09:39):
So then, when you tracked this tracking number
that you were given, it wasactually a legitimate tracking
number for a package unrelatedto your purchase.
Yep correct, so I had gotten it, but that's what triggered you.
Nick Mellem (09:52):
Well, I was kind of , you know, I was on edge extra
throughout this whole process,obviously because I was, you
know, thinking it was way toocheap to be real.
But when I was getting giventhese tracking numbers, I called
FedEx right right away and Isaid I know you're not going to
tell me where this package isgoing, but can you verify the
address?
I'll verify my address and youcan tell me if it's coming in
(10:13):
there or not.
So every time I did that itwasn't coming to my address, it
was going to one that was, youknow, in my proximity, but so
that's what it looked like.
It was out for delivery in youknow that certain city, so you
wouldn't track on her.
You know track on what they hadright away.
But by calling I was able toverify that it was a scam,
(10:35):
because you can actively buymalicious actors can actively
buy actual track numbers online,and that's what this person was
doing.
They had purchased, you know,multiple active, different
tracking numbers that wereactually being shipped during
this whole process.
So it looked very legitimate ifyou, you know, didn't have some
extra training or knowledge onwhat's actually happening.
Mandi Rae (10:59):
Did you get your money back?
Nick Mellem (11:01):
I did Yep.
So PayPal worked with thisperson and they didn't release
the funds.
And what actually happens withPayPal is they don't release the
funds to a lot of eBay sellersfor five to seven business days.
So I had notified them like twoor three days after, so they
(11:22):
put the money on hold.
I had notified them like two orthree days after, so they put
the money on hold and they gavethis person I think it was 20
days to respond.
They didn't respond, so theyreleased the money back to me.
The second part of it wasGoldman Sachs is the holder for
the Apple card and during thistime they released the money
(11:44):
back to me and when the moneywas released back from PayPal,
the refund was complete.
It all worked out in the end.
Mandi Rae (11:55):
That's good to hear with your circumstance, because
it's not always how thesesituations play out.
Nick Mellem (12:02):
Yeah, I'd say most of the time it's unfortunate,
but if people aren't gettingtheir money back, they've fallen
into the trap and you knowtheir money is gone and
hopefully it's not a whole bunchof money like this was.
This is just.
This is roughly like $4,000.
So it wasn't cheap at all, buta lot of times it's a much lower
amount of money.
But you know they do it sooften that people just they're
(12:25):
not getting their money back.
Right, but it adds up over time.
So I had another one that cameup as well.
I thought this was kind ofinteresting and this was an
actual fraud on my credit card.
So one of the days I was athome and my wife and I we both
work from home and she I gotthis email that says thanks for
(12:48):
your panera order.
And in doing this I go to mywife and ask if she had ordered
panera bread.
Turns out she didn't.
So then I call this panerabread and I let them know that
we didn't order this and tocancel it.
Well, the way I figured this outwas is looking at the actual
(13:11):
email here.
It shows the address.
Well, it's in Indianapolis.
I was in Minneapolis at thetime, so you know.
After that I called my bank USAand had them cancel the credit
card, but to this day I stilldon't know how my card was
stolen.
This is a little while ago inJanuary or in June, excuse me
and I just had my credit cardreplaced, but it was a very, you
(13:33):
know, it was an active timewhere credit card had been
stolen and it was a debit card,which is a little bit scarier.
So that was another one of mypoints before is to use a credit
card whenever you can, becauseit's a lot easier there to work
with your credit card companyversus debit card money.
Mandi Rae (13:49):
Yeah, I think we learned about that too.
It was an important point thatEric made in previous podcasts.
The personal informationsecurity.
These are exactly the kinds ofthings that you're trying to
avoid when you know protectingyourself, your credit, your
passwords, your logins, etcetera.
Nick Mellem (14:10):
Yeah, thanks for bringing that up.
I was actually going to mentionthat I believe Eric did bring
that up before about using acredit card whenever you can.
So, yeah, thanks for doing that.
We had a couple other phishingexamples that I think, mandy,
you had sent in and you knowthese are similar to the ones
we've been talking about on thisepisode about different links
(14:32):
with the emails to clicking on,and this one here is actually
from Susan, with a couplekissing lips, and I was wanting
you to click on this link herefor a webcam to meet some
specific people, mind you, Ididn't know Susan.
Mandi Rae (14:53):
I didn't click to see her private parts.
Kyle Rosendahl (14:58):
I feel like you see a lot of these online too.
I mean, there's the whole likememe across the internet too,
where it's like oh, when I hadmy ad blocker on right, all the
hot singles in my areadisappeared.
So you know, once I turned myad blocker off, all of a sudden
they found me again.
Mandi Rae (15:15):
Does that mean the hot singles in your area are
spoofs and bots?
Kyle Rosendahl (15:20):
Apparently, yeah , when it comes to my free email
inbox, yeah, um, but no, I mean, it's such fascinating stuff
because, like, you'll see theseor you'll see other ones that
are like you know, check out my,you know, add me on instagram
or add my snapchat, and you knowthere are these links to these
pages and these profiles thatit's like, oh, oh, there's this
(15:46):
beautiful model on this page andyou know it's fake, right?
And you know they're trying toget your money.
They're trying to get you toconnect and talk to them so they
can either get you to connectback or, oh, just pay me, I'm
trying to get my business offthe ground.
Can you get me a Google PlayStore $50 gift card, right?
Or go to this link andsubscribe to this and I'll send
(16:08):
you this stuff, right?
I mean, it's all just so likeexploitive, but, at the same
time, like you know that theseprofiles that they're building
out there are just fake, I justreally wonder, like, how
effective these scams are,because I would never click on a
link like this that I just getin my email from someone I don't
know, but you wonder how manypeople actually click on these
(16:31):
things and then what types ofdata they're collecting on you.
Once you click, are theypulling stuff from your browser?
And then what's their goalafter that?
Do they just want you on thewebcam page?
Are they trying to do more?
I don't know.
It's fascinating stuff.
Mandi Rae (16:49):
It's super fascinating, especially when I
think, like, how did they get myinformation?
I can promise you, in thisemail account I'm not doing
anything to solicit any Susanswhen it came to being offered
like the DeWalt power tool oranything like that, I am
renovating a home and somehowthey must have got my
(17:11):
information.
And this was really relevant tome and what I was doing on the
internet, what I was buying, andthat in itself is kind of
invasive and scary also.
Nick Mellem (17:22):
Yeah, these are great examples, and I I'm
laughing at the susan one againhere, because because, going
back to what kyle was saying,how many people actually click
on this?
Right, I'm not thinking, wow,I'm gonna click on this and I'm
gonna meet a bunch of people,but I'm I'm guessing there's
people out there out there thatdo fall for this and they click
on this and it brings them tosome sort of website that's
(17:43):
probably malicious and that'syou know.
They're getting their personalidentifiable information, but
absolutely.
Mandi Rae (17:51):
I remember it must have been in 2012.
I'm kind of dating myself, butbefore smishing was prevalent
and fishing wasn't as well.
I guess I feel like those of usthat weren't in the tech
community weren't as educatedabout phishing attempts.
I received one of those linkswhere you click on it and it
(18:11):
turns on your webcam and ittakes a picture of you and I was
making the world's most awfulface ever because I'm like
looking at my computer, likewhat are you doing?
Like just not understandingwhat's happening.
And then it goes into thattimer and it's showing you that
horrible image of yourself itcaptured and it's saying it
(18:34):
wants money to make it go away.
This is just kind of that nextlevel what people are doing.
Nick Mellem (18:38):
I'm actually glad you brought that up, mandy,
because that triggered anotherstory in my head.
I know this went around, Ithink maybe five or six years
ago, where you know peoplehadn't, you didn't have to be on
some sort of adult website butyour computer is physically
being locked and said the FBI isgoing to contact you because
you're on some wanted list forsome sort of pornography or
(19:00):
something of the nature.
Well, people were paying theransom because it gave you the
option you can pay the ransom orthe fbi is going to contact you
.
Well, I believe it.
Mandi Rae (19:11):
If you're guilty, I would have paid money.
But that picture I was likethis isn't so bad.
What's the worst you're gonnado?
I didn't give them anything in?
Nick Mellem (19:17):
this instance, it was like you know the person
they're interviewing was a cheat, was a teacher, right?
So obviously those two don'tmix, so this person actually
paid the ransom.
I it was like you know, theperson they're interviewing was
a teacher, right?
So obviously those two don'tmix, so this person actually
paid the ransom.
I think it was $10,000.
But you bringing it up sparkedthat.
Mandi Rae (19:33):
Scary situations.
Don't click on things and don'tpay people money unless you
know who they are.
It's the moral of our story.
Nick Mellem (19:40):
Exactly, and you know there's plenty of these
different.
Hey, congratulations.
It looks like it's coming fromlooking at an example here from
cole's, some sort of ninja foodgrill.
Well, you know, it looks legit,but if you look around a little
bit more right, the emailaddress might be off.
But there's a lot, a lot ofthings that look weird, um, you
(20:02):
know.
So what we're getting at isdon't click the link if you
don't know.
Mandi Rae (20:06):
Ask right before you, before you do anything if it
looks sketchy, it's definitelyprobably too good to be true yep
, I think you're spot on there.
Nick Mellem (20:17):
I'm looking at this example right here.
It just says thecongratulations on the cole's
one and you know the font seemsa little bit off.
But other than that, like right, if you're not somebody that's
in the industry or looking, thisone looks pretty real.
Mandi Rae (20:31):
I'd say I think one of the best educations I ever
received is going back up andlooking at the sender Right I
think one of the ones you showedearlier in terms of the
smishing.
I think one of the ones youshowed earlier in terms of the
smishing.
It was very obvious that thesender was not Home Depot.
Nick Mellem (20:50):
Yeah.
Mandi Rae (20:50):
And I think nine times out of ten, that's the way
.
It's the easiest way to discernif it's true or not.
Nick Mellem (20:56):
Right, yeah, say, you're on your computer, you can
hover over the sender and itwill actually reveal where you
came from.
You can hover over the senderand it will actually reveal the
name from.
Well, one of the examples wehave here too is from Norton,
lifelock that it was saying youknow the subscription is going
to be up, you know pay your bill.
Well, if you look at the actualsender, it came from a random
person's name at Yahoocom.
(21:19):
Well, norton is not sendingfrom a personal, personal email,
so that was the dead giveawaythere.
Um, and if you actually callthe number, which I did do on
here, it goes to some foreignlocation help center and as soon
as you start to kind of playtheir game, they generally they
hung up on me.
Mandi Rae (21:37):
So I started receiving something similar like
this norton lifelock.
One is another one whereaesthetically it looks
legitimate, but in some of thekeys you've given us it's A.
I didn't make this purchase.
I wasn't expecting an orderconfirmation, right.
B.
Where is this coming from?
Hovering over who sent it?
I've been receiving a lot ofdifferent phishing attempts from
(22:00):
customers.
What's the geek squad?
oh, sure, yep where, just likeyou're mentioning the things,
the logo looks a little off.
The sender isn't legitimate,but it actually wants me to
download an attachment.
It's saying it's my invoice andI know I don't use geek squad
because I have kyle and nick'scell phone numbers.
So obviously I reported it asphishing and deleted it.
Nick Mellem (22:23):
But I could see how that one would be tricky too oh
yeah, and I mean they're reallytripping you up here because I
know we've said it a few timesand it's mandy, what it's like
what you're saying.
But when you look at thisnorton life lock one, you know
it's a very legitimate lookingorder summary.
There's an order number,activation key.
I mean it's, it looks real.
If I didn't make this purchaseand didn't know right away,
(22:46):
anybody could think that this is.
We had spoke before about, youknow, making the connections to
people's computers.
Yeah, that's something you dowith alliances.
Is there anything you can speakto on that?
Kyle Rosendahl (23:05):
Is there anything you can speak to on
that?
Yeah, I mean, I think ithappens more with, like those
voice phishing attacks, right,if someone's calling you on your
phone and you pick up and theysay hey, you know, I'm from the
extended warranty center foryour car.
You know, can you tell me whatkind of car you have, what year
is it?
You know?
Confirm your phone number forus.
And now you know we're going tolook up your car.
(23:27):
Oh, you're, you're able to getthis, but we need to get some
additional info.
Like we can connect to youremotely and, you know, help you
find that information on yourcomputer if that would be
helpful.
And they'll have you go to asite like TeamViewer and it's a
free service that provides thatremote connection to a computer.
So it's not a paid service,there's a free version.
(23:51):
They'll have you download it,run an agent on your computer
and then they'll say okay, nowread me your six-digit code that
we know is on the screen there.
You'll give that to them.
They'll use that to initiate aconnection from wherever they
are if they happen to besomewhere in Southeast Asia or
in India, which is typically thetwo places they connect from
and then they'll ask you to givethem control over your computer
(24:14):
and then from there they candump files, they can pull stuff
off, they can do things, youknow, kind of whatever they want
remotely on your workstation.
So that's typically what theytry to get you to do.
And you know I'll talk withthem on the phone and just kind
of see what they're after, justfor fun, just to get a better
(24:36):
understanding of how thesethings work.
But yeah, downloading anything,I mean pretty much no one that
calls you on the phone shouldever be asking you to, you know,
download a piece of software sothey can connect remotely, I
mean, unless you know it's partof a business that you work for
or anything specific right, butI would never download anything.
That's, someone on the otherside of the phone that I've
(24:57):
never talked to in my lifebefore tells me to do so well,
yeah, no, that was great.
Nick Mellem (25:02):
Thank you for that.
I think, uh, and the two of thekind of scary thing about that
is, once you've made thatconnection, they can pin that
and it's, you know, until youkeep that computer off, right,
it's, they can jump back on ittechnically whenever they want.
So it does make it a little bitadded.
It's a little bit more scarythat way because if they can
(25:22):
jump back on, they can dowhatever they want later.
Little bit more scary that waybecause if they can jump back on
, they can do whatever they wantlater.
Pull that information, you know, look at your recent browser
history, you know, and startsending specific targeted
phishing emails or something ofthe nature.
Mandi Rae (25:34):
Or this is just another good example of how we
talked about earlier a bestpractice would be not saving
your username or your passwordin your web browser.
Although we get it's soconvenient, it's really
essential to use a passwordmanager because in circumstances
like you guys are talking about, if someone has access to your
(25:54):
home or work PC via that teamviewer, they could go back in
and that's where they could domalicious activity and it'd be
really easy for them.
Nick Mellem (26:05):
Yeah, absolutely Password managers.
Whenever possible, Don't saveit in your browser.
Mandi Rae (26:11):
Well, I think this concludes our podcast on just
being aware of phishing,smishing and other web trickery.
To find out more, you can visitus on itauditlabscom.
We're also on all the socialsand we have other podcasts, if
(26:31):
you haven't checked us outbefore, that talk a lot about
personal information security,best practices and things to
watch out for.
Any closing comments.
Nick or Kyle.
Kyle Rosendahl (26:47):
Nope, nothing for me, just appreciate
everybody being here.
Mandi Rae (26:51):
No, nothing for me.
Thanks everyone.
Thanks for your time today.
We hope to see you again onanother episode of the Audit by
IT Audit Labs.
Eric Brown (26:59):
IT Audit Labs assesses security, risk and
compliance.
Our threat assessments find thesoft spots before the bad guys
do.
Whether you are looking for apoint solution or a broader
security program, contact ITAudit Labs to reduce your
organizational risk.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Therapy Gecko
An unlicensed lizard psychologist travels the universe talking to strangers about absolutely nothing. TO CALL THE GECKO: follow me on https://www.twitch.tv/lyleforever to get a notification for when I am taking calls. I am usually live Mondays, Wednesdays, and Fridays but lately a lot of other times too. I am a gecko.