Episode: 3898
Title: HPR3898: The Oh No! News.
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3898/hpr3898.mp3
Transcribed: 2025-10-25 07:40:26

---

This is Hacker Public Radio Episode 3898 for Wednesday the 12th of July 2023. Today's show is entitled The Oh No News. It is part of the series Privacy and Security. It is hosted by Some Guy On The Internet and is about 25 minutes long. It carries a clean flag. The summary is, Scotty talks about internet scams.

Hello and welcome to another episode of Hacker Public Radio. I'm your host, Some Guy On The Internet. And this is The Oh No News. Oh no, user space.

Ladies and gentlemen, today I just want to talk to you guys about something that's becoming a growing issue on the internet today. I want to talk to you guys about scams and fraud. As many of you know, we deal with software issues all the time with bugs, vulnerabilities that leak data, leave us feeling insecure in our daily computing. But we also have tons of people working to patch that software and provide us with security in that area. When I created the user space section of The Oh No News, I wanted it to serve the same purpose as patching software, except for patching the user.

Now, quick little funny story: when I first created the name, it was user hardening, because I thought of, you know, you would harden your Linux box. So I figure, you know, if you're making your Linux box hard against the attackers out there on the internet, you would also do the same thing to the user. And then I said the name aloud, you know, making the user hard. And that's when I realized that's a terrible name and I should probably go for something else. Not to mention every show is going to have to be marked as explicit should I have chosen that name. So now you have the backstory behind user space. All right, let's talk about cybercrime.
Cybercrime, also known as fraud or scams, is constantly evolving due to the many data breaches occurring around the world. Attackers gather more of our personal data from these data breaches, then use that data to develop or modify their attacks. Users must remain on guard against social engineered attacks, aimed at defrauding users of their personal information and/or property, usually their money. I'm suggesting that users update themselves as well as their computers. Constantly informing yourselves on the different types of attacks and how the attacks develop will benefit you in the fight against cybercrime.

It's not enough to only learn about cybercrime, but I'm also asking users to take the time and report cybercrime. By reporting it, you're creating a benefit for all users in the space. When a user reports cybercrime, that information can be used by investigators to combat the growing threat of cybercrime. So it can serve as a broadcast warning the greater population about the different types of cybercrime as it evolves. I provided a few links below to assist you in learning and reporting cybercrime.

Let's talk about a few common delivery methods for social engineered attacks. First up on the list, email. I'm pretty sure we've all received fraudulent emails. A couple of the few that I've received came from companies claiming, or individuals claiming, to be from Norton Antivirus. They make these false claims that my Norton Antivirus is expired or my account has been charged some large amount of money as a renewal subscription fee. And in order for me to reverse that payment, I would need to click on the link and put in my credentials, that kind of thing. So I'm sure you've all received these types of attacks through email, commonly known as phishing attacks because they're trying to fish the credentials from unsuspecting users. These types of attacks can be thwarted simply by using Thunderbird.
I use Thunderbird, or any email client for that matter, but preferably I use Thunderbird. I filter out legitimate sources and then mark the illegitimate sources as spam and deal with them however I see fit. So without any more detail into that, you can now understand how email is one of your attack vectors.

Now let's talk about mobile. Mobile is interesting because you're usually attacked on all three levels there. You have voice, text and through the app store. With voice, they normally spoof numbers and they can call you from anywhere around the world pretending to be a legitimate agency, again, usually requesting some sort of information from you, or they'll provide you with a limited amount of information that they've gotten from a data breach in an attempt to convince you that they are a legitimate agency to facilitate the fraud. The text messages work a lot like the email. You get a text saying the service is down and you're being asked to click on a link in order to correct the situation. Again, numbers can be spoofed. We put all this technology into mobile, but all of it's designed for convenience, not security. We just kind of bolted the idea of security onto the side after the fact.

Same thing with the app store. Now, I'm not going to point the finger at any specific manufacturer here. But these app stores are designed for your convenience. They provide you access to other people's computers through these apps. And when you're storing things like your credentials, your banking information and anything like that on these mobile devices, a lot of these apps ask for permission to all data on the device. So you're not able to isolate any of that data. And I'm not even going to go into the spying, you know, that's the story for another day.

Now, let's talk about social media. I'm pretty sure we've all seen, on social media, someone pops into your direct messages, also known as DMs.
They've got a cloned account, shout out to Ahuka, pretending to be a loved one, telling you things like, "Hey, I've locked myself out of my account. Will you go ahead and help me out? I'm going to send you a code to verify my account so I can get back onto the platform. You send me that code. And then I can get back onto the platform." But the reality is, if you send that code, it's really your TOTP code. That's a sign that someone has guessed your password. And now, all they need is that second factor authentication to take over your account, but they're socially engineering the attack to make you believe that you're assisting them in recovering their own account. And the marketplaces attached to the social media sites, for instance, Facebook, it seems to be a place where scammers just lurk. It's like if you've never been ripped off before, visit Facebook market. They can remedy that situation quickly.

Now let's move on over to websites. With websites, it's a little bit different. We've seen fraudulent ads being posted onto Google searches. So you'll literally have the criminals, the attackers, spending money to have Google, who will not verify any of this information, post the thing that is going to attack you. And many people simply trust Google, and Google says, here's the first thing you should be looking at after you've attempted the query. Many people simply click on it and go there, and never mind they wanted to go to bank.com to do banking stuff. However, that first result is ripyouoff.com. I mean, with Google also making the Chrome web browser less secure, meaning they're hiding the URL, now allowing you to just see some sort of alias up there that the attacker can decorate for you. Make it look nice and comfortable for you so that way you can just live in the land of bliss as they rob you blind. Yeah, that's just one of the ways. I'm not going to talk about the pop-ups.
I mean, they tell you that pop-up blockers are pirating. You know, whenever you visit certain sites and you have a pop-up blocker, whether it be at the DNS level or the browser level, however you have it, they tell you that it's pirating. Well, when their site is now becoming insecure due to all the attackers lurking on their sites, you know, the attackers that they're hosting on their site, I should say, you'd be a fool not to use a pop-up blocker. And many of the pop-ups are very intrusive as well. I mean, they just completely take over your screen, with all sorts of JavaScript and crap built in to just make it difficult for you to escape the thing. So these are just a few of the common delivery methods used for socially engineered attacks.

Now I want to talk about extraction. How are the attackers going to extract either the data or your property, more specifically your money, from you? Because there's a host of different scams, different variants of the Nigerian prince, and it's going to be very difficult to try to keep up with every single type of scam and how it evolves. However, there's a bottleneck, and the bottleneck is in the extraction: how they plan on getting the funds away from the victim or the data away from the victim. If you concentrate on the extraction, that can help you spot a ton of scams by itself, and you can basically eliminate ever taking part in a scam by staying away from some of these simple applications or platforms.

So the first one we're going to talk about is peer-to-peer payment service apps, for example, Venmo, Zelle, Cash App. These apps are designed for convenience. They don't have the same consumer protections built into them that most consumers would expect, meaning if something goes wrong, you have a way to recover. These apps do not have that built in. They're designed to put money in one end and it comes out the other end. And that's it. You don't get to reach back and grab it back because something went wrong.
Many of them even tell you do not send money to someone that you have not physically verified, like somebody you know this is who they are. So I would not recommend you attempting to pay a bill or buy a service of any type using these apps. Truthfully, I would not even use these apps simply because there's no protections built into it. You accidentally get the name wrong or the account wrong and you just send money into thin air, into the void. There's no recall for that. So that's the first method that I'd like to bring up to you on extraction.

The second would be wire transfers. Most people, that's an older method of sending money from one account to another. It's been around for a lot longer and it suffers roughly from the same type of thing. Like once you put the money in one end, it comes out the other end and it's gone. Now, there are some very, very extremely limited cases where someone could get their money back, but I'm making clear, very limited. They're just not designed with that in place, because they're meant for: I have company A and I have company B, maybe one's inside the US and the other's outside of the US, I am shifting money from company A to company B, which I own both. I'm just moving the money around and, you know, things of that nature. There's also business dealings and things of that nature where there are contracts and all this information is verified well in advance. But when an average user who has no contract or any information tying whatever account they're about to send money to, to you, but I mean, you have nothing to verify that and you're about to just, poof, shoot money out into the void, hoping for the best. I'm telling you right now, that's not a great idea. Same thing with the apps.

Method number three that I'm going to bring up: cryptocurrency, also known as digital assets.
Let me be clear, I consider all cryptocurrency slash digital assets, whether on the blockchain or not, whatever term they want to use, all of it's a scam, you understand, it's all a scam. The moment you consider buying in, meaning taking money out of your wallet to acquire any of this, you have just been scammed. Now, whatever you do after that, it just means you're playing 5D scam now, you know what I mean? You're getting scammed in all dimensions. So yeah, just don't do anything with it. I think it's a nice technology if you want to tinker with it, play around with that. But if you're trying to invest any money in it, and I do mean any money, I consider it to be 100% a scam.

And again, the way this stuff works is the people who provide it are the sellers. So everyone else is attempting to acquire, meaning purchase. It is not an investment at all. You're simply buying something that has no value or real world application. So there's no benefit to that. You put hard earned money in and you get absolutely nothing but the false sense of security that one day you're going to be better off because you did that. And the reality is that false sense of security is going to collapse in on you and you're going to realize you no longer have the money or the belief that you're going to be okay. To many people that hits extremely hard, to realize not only do you not have the money, but you don't even have the belief, the idea, that things are okay anymore. All of it's gone.

So the scammers get you to put your money into this digital asset and then send them any, I guess, rights you have to that digital asset. And these systems that manage these digital assets, it's supposed to be this blockchain where everything's sort of on the blockchain. However, the moment it leaves your management system, it is gone forever. There is nothing that can be done to get it back for you. Now, I am not telling you that the FBI cannot trace it.
I'm pretty sure if they wanted to know who has it, they can find out. But that process may be wildly expensive and they need to save it for when they really need it, not because you decided to go give free money to someone on the internet. Alright, that's just a lesson you're about to learn. So I suggest you not do that.

Alright, last but not least, the good old store-bought gift cards. You know you can get those temporary Visa and Mastercards, get them from any store really: convenience stores, gas, you know, gas stations, big box stores, wherever they sell them, all over. The attackers love these simply because there is no recovery for this, you understand? Once you acquire this card and you send them the information from the card, they simply take it and then there is nothing left for you. You're holding a useless piece of plastic at that point. There is nothing you can do to get it back or anything. These devices, these temporary cards, were not intended for refunds or any kind of processing beyond money in one direction. And then it's gone. That's it. You know, like a ray, a beam of light that starts at one point and then heads out to infinity in the other direction. That's what your money is going to do. It's going to start in your hand and then leave into infinity where you will never reach it again.

So you have to choose whether or not you're going to participate in scams by using Venmo, Zelle, Cash App, wire transfers. Again, if you have contracts and things that kind of cover this activity, I understand, but if you do not, if you're just the average citizen working 9 to 5, trying to make ends meet, you really should not be touching any kind of wire transfer. Again, this is not a consumer technology, all right? Do not under any circumstance go near a cryptocurrency or anybody talking to you about the acquisition of a cryptocurrency, digital asset, right? You leave them and their nonsense alone.
Get away from them quick. And store-bought gift cards are cute when you buy them for a family member and hand them over to them as, you know, an actual gift for a loved one. But truth be told, you're better off just handing them cash.

But all jokes aside, once you understand that no matter how they attempt to scam you, no matter how they dress it up, whether it be with deep fakes, using the voice of loved ones and all sorts of other things that exist out there as a form of scam, it all bottlenecks to this, these technologies that I just pointed out, you need to be very clear. If you're currently using any of these technologies, you need to reevaluate, you know what I mean? Stop and think: who am I actually dealing with here? What sort of internal policies do I have to make sure that, before I deal with anybody else, if I'm already using this technology, before I deal with anybody else, what do I consider as a form of verification that this is who I believe it is, right? And if you're not using any of this technology, you know, peer-to-peer apps, cryptocurrencies, any of that crap, good on you. I mean, you're like 90% less likely to be scammed. That doesn't mean that they won't steal your data through a scam, but your money is going to be pretty safe. And I'm not even going to mention skimmers and all the other business. Let's not go into that. That's more theft, not really scam.

So to wrap things up, I got a nice pretty little picture that I made using draw.io. I think it used to be called DIA, DIA, Delta Indigo Alpha, I think that's what it was called. I can't remember, but it's draw.io now. And it's an excellent picture. And I'm going to describe it to you just in case you're away from your system and you can't view how beautiful it is, because, I mean, you can hang it up on a wall and call it art. It's so beautiful. And here's the best part about it. It's not an NFT or a crypto nonsense either.
It's just a 100% CC BY-SA 4.0 piece of illustration, that's what it is right there. So let me go ahead and describe this for you.

See, we got users at the top of the illustration here. And we have the different devices that the users normally use, like phones, tablets, laptops, computers. Well, those devices go through a firewall before hitting the internet, which we normally refer to as a cloud. Our firewall is designed to protect us against, you know, brute force attacks, intrusion of, you know, people attempting to get not only into our networks, but into our devices where our data is stored. We also have things like virus scanners and things of that nature, you know, helping to protect us as we surf the filthy wasteland known as the internet. Well, a socially engineered attack is not caught in your firewall. You cannot use a virus scanner to eliminate the socially engineered attack. You, the user, can't just do a sudo pacman -Syu, you know, or sudo apt update or any of that, right? You can't do that and stop a socially engineered attack. Upgrading your systems is only like a part of the battle; updating yourself is the other part of the battle.

So, you know, below the internet portion of the illustration where I have the cloud, you'll see I have just a few scams thrown in there, right? You know, common scams, and I'll just name one or two here, you know, fake payment scam, loan debt scam, there's tons of them out there. But no matter which one you encounter and how it was distributed to you, whether social media, email, whatever, one way or another, they're going to try to get money out of you using one of the things that I pointed out. So at the very bottom of the screen, you'll see I got those methods that we talked about, the peer to peer, the wire transfers, etc.
Right down there with the scammer, because that's the value point for the scammer: to get you to leave a point of security where you're not just making normal purchases and things where, if something goes wrong, like with your credit card, you can contact your credit card and have them, you know, freeze a payment or, you know, fight to get the money back or whatever. But if you jump on any of these other methods that we talked about, there is no recovery for you.

So take this message with you, play it for you and your friends, take this illustration, put it on the wall in front of the throne in your lavatories. So as you're thinking, and I know you can have your device with you, when you look up, you need to see this illustration. You need to know that that email that just came in or that text message that just came in telling you about, whoa, spend $100 here and it'll flip five or 10 times more, you know, you need to just take one quick look at this and know that now, you know, if it involves these few things, a good chance it's a scam. I don't want to be parting with my money and no idea of what I'm actually... you're not getting anything. So you don't need to have an idea, you're just parting with your money.

Down in the show notes, I made sure to include not just the US sources for fraud and scam reporting, but I also included some for the UK, the EU and Canadian resources. I'd also like to give a shout out to the subreddit called scams. I often go there just to stay up to date. Now it's kind of sad, you're constantly watching people who have been nailed by some type of scam come rushing in trying to get help and, I mean, that's the kind of thing you're going to experience: a lot of people, you know, losing their life savings, maybe loved ones thinking that they have this special someone and they're dumping all of their money into what they hope will be a long lasting relationship.
So it's a lot of stuff that you're going to be experiencing there should you choose to go there and kind of update yourself. But if you can just look past some of the sad doom and gloom and kind of, you know, just keep your eye out, kind of feel through the emotions and keep an eye out for what the scam actually is and how people are falling for the scams. One thing, you'll hear people say things like, "I've been hacked." I mean, yes and no, they're right and wrong. No, it's not a hack of a device which caused them to lose their money or data, but yes, it is a hack of them, the human being, right? The socially engineered attack is a hack of you, the human. So they hacked you and, you know, manipulated you into revealing whatever it is they wanted: the money, the information, whatever.

So just keep yourself up to date, and that's all the yapping you're going to get from me because my mouth is super dry and I got to get out of here. So we'll see you in the next episode. Goodbye, everybody.

You have been listening to Hacker Public Radio at hackerpublicradio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. HPR has been kindly provided by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise stated, today's show is released under Creative Commons Attribution 4.0 International License.