# Hack Diaries Episode 27: The Call Is Coming From Inside The Firm
Cybersecurity expert Finn Hack exposes dangerous new social engineering tactics targeting law firms. Learn how Luna Moth hackers bypass security through direct phone calls, impersonating IT staff to steal sensitive client data. Discover the rise in sophisticated credential-harvesting attacks using pixel-perfect login pages, and the targeted phishing campaigns affecting universities. Get practical defense strategies against these evolving threats in this essential episode for anyone concerned about digital security in 2025.
This content was created in partnership and with the help of Artificial Intelligence AI
Cybersecurity expert Finn Hack exposes dangerous new social engineering tactics targeting law firms. Learn how Luna Moth hackers bypass security through direct phone calls, impersonating IT staff to steal sensitive client data. Discover the rise in sophisticated credential-harvesting attacks using pixel-perfect login pages, and the targeted phishing campaigns affecting universities. Get practical defense strategies against these evolving threats in this essential episode for anyone concerned about digital security in 2025.
This content was created in partnership and with the help of Artificial Intelligence AI
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Hash Hacked Diaries one Victim's Story hash hash episode twenty seven.
The call is coming from inside the firm asterisk. Finn
Hack's in the stack. Let's unpack the attack. Hey, they're
digital dreamers and code warriors. It's your favorite binary tattooed
trouble maker, Finn Hack, beaming into your ear holes with
another pulse pounding episode of Hacked Diaries one Victim's Story.
(00:21):
Today's tales will make your firewall shiver and your encryption
keys quake. First up, we've got a terrifying trend that's
sweeping through America's legal landscape. The FBI just dropped a
red hot advisory about a group of hackers called Luna Moth,
also known as Silent Ransom Group and Chatty Spider. These
digital predators have evolved beyond your garden variety email fishing.
(00:43):
They're picking up the phone and calling their targets directly.
Imagine this. You're a paralegal at a prestigious law firm,
sipping your third coffee of the day when your desk
phone rings. The caller ID shows your company's IT department.
The voice on the other end sounds professional, concerned. Even
we've detected some unusual activity on your network account. We
(01:03):
need to perform some maintenance to secure your files. Before
you know it, they've convinced you to download remote access software,
claiming they'll run updates overnight. But what they're really doing
is exfiltrating gigabytes of sensitive client information using tools like
WinSCP or a disguised version of r clone. These attacks
aren't random. Luna Moth has been specifically targeting US law
(01:26):
firms since Spring twenty twenty three, and they've ramped up
their game as of March this year. Why law firms,
you ask, Think about it. They're treasure troves of confidential information,
client records, litigation strategies, contracts, communications, all data that could
be catastrophically damaging if leaked. The genius, and I use
that term with villainous respect, is in the social engineering.
(01:49):
By calling and impersonating it staff, they bypass all those
fancy phishing email filters your company paid big bucks for.
It's like trying to protect your house with state of
the art door locks while leaving the windows wide open.
Hook Line and scammer, let me break down what's really
happening here with a little finn metaphor magic think of
your company network like a high security nightclub. Traditional hackers
(02:11):
are trying to sneak past the bouncer with fake IDs.
These Luna moth creeps. They're calling the club owner directly
pretending to be the fire marshal and getting personally escorted
through the vip entrance. But here's how you stay safe.
Always verify IT requests through official channels. If someone calls
claiming to be IT, hang up and call your actual
(02:33):
IT department using the number from your company directory. Never
download software at a stranger's request, no matter how urgent
they make it. Sound codes cracked, cons are whacked. Now
let's slide into our second sinister story. According to a
March twenty twenty five Trends report on phishing emails, there's
been a striking rise in credential harvesting attacks. The report
(02:54):
shows a whopping fifty nine percent of phishing attempts now
involve fake login pages that mimic legitimate websites down to
the pixel perfect logos and fonts. Picture this. You get
an email that looks exactly like it's from your bank,
your cloud storage provider, or even your company's HR portal.
The layout perfect, the logo, identical, the font indistinguishable from
(03:16):
the real thing. You click the link, enter your credentials,
and boom, You've just handed your digital keys to a
cyber criminal. These aren't your grandparents Nigerian prints emails, folks.
Today's fishers are crafting HTML scripts that create pixel perfect
replicas of login screens. And get this, they're even embedding
these phishing links in PDFs to bypass email security filters.
(03:39):
It's like hiding a venomous snake inside a teddy bear.
The most devious part. Once they have your credentials, they
can use them to access your actual accounts, exfiltrate data,
or even launch broader attacks against your organization. It's digital
identity theft at its most sophisticated, hook line and scammer.
Here's a fantastic tech breakdown. Think of your password like
(04:01):
the secret recipe for your grandmother's famous chocolate chip cookies.
These fishers aren't trying to guess the ingredients. They're tricking
Gramma into writing down the entire recipe and handing it over.
Once they have that recipe, they can bake up a
batch of digital chaos anytime they want. Stay vigilant by
always checking the URL before entering credentials. Legitimate sites use
(04:22):
HTTPS and the domain should match exactly, not PayPal one
dot com instead of PayPal dot com. When in doubt,
don't click the link in the email. Instead, open your
browser and navigate directly to the website. Codes cracked, cons
are whacked. Our final tale comes fresh from the ivory
towers of academia. Just two days ago, on May twenty six,
(04:44):
twenty twenty five, the University of Chicago's Information Security team
identified multiple sophisticated phishing campaigns targeting university staff and students.
These scams use subject lines like performance assessment reports and
Athletic staff and player evaluation outline to create a false
sense of urgency. Imagine being a student worker exhausted from
(05:06):
finals when you receive an email about your employment of valuation.
The sender's address looks legitimate at first glance, The formatting
is professional, and there's an attachment that appears to contain
important information about your future at the university. Your heart
races as you click to open it, and in that
moment of anxiety and distraction, the trap is sprung. These
(05:27):
academic phishing attempts are particularly insidious because they target people
during high stress periods and play on fears about job
security or academic standing. The attackers know that when we're
worried about our performance reviews or grades, we're less likely
to scrutinize an email's authenticity. Hook line and scammer, let
me break this down and finn speak. These fishers are
(05:49):
like psychological ninjas who know exactly when you've let your
guard down. They're the digital equivalent of someone offering you
a helping hand when you're struggling with an armload of groceries,
except instead of help, they're picking your pocket while you're distracted.
The defense is simple, but requires discipline. Before clicking on
any attachment or link, verify the sender's full email address,
(06:10):
not just the display name. Look for awkward phrasing or
spelling errors, and, when in doubt, contact the supposed sender
through a different channel to confirm they actually sent the message.
Codes cracked, cons are whacked. As we wrap up today's episode,
remember that in our hyper connected world, your strongest security
feature isn't your anti virus software, it's your awareness. These
(06:32):
scammers are getting more sophisticated, moving from emails to phone calls,
crafting pixel perfect login pages, and timing their attacks to
exploit our moments of vulnerability. But knowledge is power, and
now you're armed with the intel to recognize these attacks
before they succeed. Stay sharp, stay skeptical, and remember the
most important firewall is the one between your ears. Thanks
(06:55):
for tuning in to another episode of Hacked Diaries, one
victim's story. If you enjoyed this digital deep dive smash
that subscribe button faster than a hacker can say password
one hundred twenty three, come back next week when we'll
explore the wild world of cryptocurrency scams that have already
cost investors billions in twenty twenty five. Bite me scammers.
(07:15):
This one's for the good guys. This has been a
quiet please production. For more check out Quiet please dot
ai
Hash Hacked Diaries one Victim's Story hash hash episode twenty seven.
The call is coming from inside the firm asterisk. Finn
Hack's in the stack. Let's unpack the attack. Hey, they're
digital dreamers and code warriors. It's your favorite binary tattooed
trouble maker, Finn Hack, beaming into your ear holes with
another pulse pounding episode of Hacked Diaries one Victim's Story.
(00:21):
Today's tales will make your firewall shiver and your encryption
keys quake. First up, we've got a terrifying trend that's
sweeping through America's legal landscape. The FBI just dropped a
red hot advisory about a group of hackers called Luna Moth,
also known as Silent Ransom Group and Chatty Spider. These
digital predators have evolved beyond your garden variety email fishing.
(00:43):
They're picking up the phone and calling their targets directly.
Imagine this. You're a paralegal at a prestigious law firm,
sipping your third coffee of the day when your desk
phone rings. The caller ID shows your company's IT department.
The voice on the other end sounds professional, concerned. Even
we've detected some unusual activity on your network account. We
(01:03):
need to perform some maintenance to secure your files. Before
you know it, they've convinced you to download remote access software,
claiming they'll run updates overnight. But what they're really doing
is exfiltrating gigabytes of sensitive client information using tools like
WinSCP or a disguised version of r clone. These attacks
aren't random. Luna Moth has been specifically targeting US law
(01:26):
firms since Spring twenty twenty three, and they've ramped up
their game as of March this year. Why law firms,
you ask, Think about it. They're treasure troves of confidential information,
client records, litigation strategies, contracts, communications, all data that could
be catastrophically damaging if leaked. The genius, and I use
that term with villainous respect, is in the social engineering.
(01:49):
By calling and impersonating it staff, they bypass all those
fancy phishing email filters your company paid big bucks for.
It's like trying to protect your house with state of
the art door locks while leaving the windows wide open.
Hook Line and scammer, let me break down what's really
happening here with a little finn metaphor magic think of
your company network like a high security nightclub. Traditional hackers
(02:11):
are trying to sneak past the bouncer with fake IDs.
These Luna moth creeps. They're calling the club owner directly
pretending to be the fire marshal and getting personally escorted
through the vip entrance. But here's how you stay safe.
Always verify IT requests through official channels. If someone calls
claiming to be IT, hang up and call your actual
(02:33):
IT department using the number from your company directory. Never
download software at a stranger's request, no matter how urgent
they make it. Sound codes cracked, cons are whacked. Now
let's slide into our second sinister story. According to a
March twenty twenty five Trends report on phishing emails, there's
been a striking rise in credential harvesting attacks. The report
(02:54):
shows a whopping fifty nine percent of phishing attempts now
involve fake login pages that mimic legitimate websites down to
the pixel perfect logos and fonts. Picture this. You get
an email that looks exactly like it's from your bank,
your cloud storage provider, or even your company's HR portal.
The layout perfect, the logo, identical, the font indistinguishable from
(03:16):
the real thing. You click the link, enter your credentials,
and boom, You've just handed your digital keys to a
cyber criminal. These aren't your grandparents Nigerian prints emails, folks.
Today's fishers are crafting HTML scripts that create pixel perfect
replicas of login screens. And get this, they're even embedding
these phishing links in PDFs to bypass email security filters.
(03:39):
It's like hiding a venomous snake inside a teddy bear.
The most devious part. Once they have your credentials, they
can use them to access your actual accounts, exfiltrate data,
or even launch broader attacks against your organization. It's digital
identity theft at its most sophisticated, hook line and scammer.
Here's a fantastic tech breakdown. Think of your password like
(04:01):
the secret recipe for your grandmother's famous chocolate chip cookies.
These fishers aren't trying to guess the ingredients. They're tricking
Gramma into writing down the entire recipe and handing it over.
Once they have that recipe, they can bake up a
batch of digital chaos anytime they want. Stay vigilant by
always checking the URL before entering credentials. Legitimate sites use
(04:22):
HTTPS and the domain should match exactly, not PayPal one
dot com instead of PayPal dot com. When in doubt,
don't click the link in the email. Instead, open your
browser and navigate directly to the website. Codes cracked, cons
are whacked. Our final tale comes fresh from the ivory
towers of academia. Just two days ago, on May twenty six,
(04:44):
twenty twenty five, the University of Chicago's Information Security team
identified multiple sophisticated phishing campaigns targeting university staff and students.
These scams use subject lines like performance assessment reports and
Athletic staff and player evaluation outline to create a false
sense of urgency. Imagine being a student worker exhausted from
(05:06):
finals when you receive an email about your employment of valuation.
The sender's address looks legitimate at first glance, The formatting
is professional, and there's an attachment that appears to contain
important information about your future at the university. Your heart
races as you click to open it, and in that
moment of anxiety and distraction, the trap is sprung. These
(05:27):
academic phishing attempts are particularly insidious because they target people
during high stress periods and play on fears about job
security or academic standing. The attackers know that when we're
worried about our performance reviews or grades, we're less likely
to scrutinize an email's authenticity. Hook line and scammer, let
me break this down and finn speak. These fishers are
(05:49):
like psychological ninjas who know exactly when you've let your
guard down. They're the digital equivalent of someone offering you
a helping hand when you're struggling with an armload of groceries,
except instead of help, they're picking your pocket while you're distracted.
The defense is simple, but requires discipline. Before clicking on
any attachment or link, verify the sender's full email address,
(06:10):
not just the display name. Look for awkward phrasing or
spelling errors, and, when in doubt, contact the supposed sender
through a different channel to confirm they actually sent the message.
Codes cracked, cons are whacked. As we wrap up today's episode,
remember that in our hyper connected world, your strongest security
feature isn't your anti virus software, it's your awareness. These
(06:32):
scammers are getting more sophisticated, moving from emails to phone calls,
crafting pixel perfect login pages, and timing their attacks to
exploit our moments of vulnerability. But knowledge is power, and
now you're armed with the intel to recognize these attacks
before they succeed. Stay sharp, stay skeptical, and remember the
most important firewall is the one between your ears. Thanks
(06:55):
for tuning in to another episode of Hacked Diaries, one
victim's story. If you enjoyed this digital deep dive smash
that subscribe button faster than a hacker can say password
one hundred twenty three, come back next week when we'll
explore the wild world of cryptocurrency scams that have already
cost investors billions in twenty twenty five. Bite me scammers.
(07:15):
This one's for the good guys. This has been a
quiet please production. For more check out Quiet please dot
ai
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
The Joe Rogan Experience
The official podcast of comedian Joe Rogan.