Hacking Humans


Podcast by N2K Networks

Deception, influence, and social engineering in the world of cyber crime.


All episodes

661 episodes

The prince, the pretender, and the PSA.

As Maria is on vacation this week, our hosts Dave Bittner [https://www.linkedin.com/in/dave-bittner-27231a4/] and Joe Carrigan [https://www.linkedin.com/in/joecarrigan/] are sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. Joe and Dave are joined by guest Rob Allen [https://www.linkedin.com/in/threatlockerrob/] from ThreatLocker [https://www.linkedin.com/company/threatlockerinc/], who shares a story on how a spoofed call to the help desk unraveled into a full-blown cyber siege on MGM Resorts. Joe’s story is on a new FBI warning: scammers are impersonating the Internet Crime Complaint Center (IC3), the very site where people go to report online fraud. Dave's got the story of a so-called “Nigerian prince” scammer who turned out to be a 67-year-old man from Louisiana, now facing 269 counts of wire fraud for helping funnel money to co-conspirators in Nigeria. Our catch of the day comes from a scams subreddit, and is on a message received from the Department of Homeland Security reaching out to a user to share that they are a victim of fraud.

Resources and links to stories:

* Investigating the MGM Cyberattack – How social engineering and a help desk put the whole strip at risk. [https://thrivedx.com/resources/article/investigating-the-mgm-cyberattack-how-social-engineering-and-a-help-desk-put-the-whole-strip-at-risk?utm_source=chatgpt.com]
* Brian Krebs LinkedIn [https://www.linkedin.com/posts/bkrebs_todays-most-meta-announcement-the-fbi-is-activity-7319031085093269504-6CJd/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAABolDgBa1OkcRIevOVLL65vUF8SOgJfvpI]
* FBI Warns of Scammers Impersonating the IC3 [https://www.ic3.gov/PSA/2025/PSA250418]
* IC3 2024 Report [https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf]
* 'Nigerian prince' scammer was 67-year-old from Louisiana, police say [https://www.nbcnews.com/news/us-news/nigerian-prince-scammer-was-67-year-old-louisiana-police-say-n833801]

Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@n2k.com [hackinghumans@n2k.com].

01 May 2025 - 28 min

OWASP security misconfiguration (noun) [Word Notes]

Please enjoy this encore of Word Notes.

The state of a web application when it's vulnerable to attack due to an insecure configuration.

CyberWire Glossary link: https://thecyberwire.com/glossary/owasp-security-misconfiguration [https://thecyberwire.com/glossary/owasp-security-misconfiguration]

Audio reference link: “What Is the Elvish Word for Friend?” [https://www.quora.com/What-is-the-Elvish-word-for-friend?share=1] Quora, 2021.

29 Apr 2025 - 7 min

When AI lies, hackers rise.

This week, our hosts Dave Bittner [https://www.linkedin.com/in/dave-bittner-27231a4/], Joe Carrigan [https://www.linkedin.com/in/joecarrigan/], and Maria Varmazis [https://www.linkedin.com/in/varmazis/] (also host of the T-Minus [https://space.n2k.com/podcasts/t-minus] Space Daily show) are sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. This week Joe's got some follow-up about his chickens. Joe's story is on LLM-powered coding tools, and how they are increasingly hallucinating fake software package names, opening the door for attackers to upload malicious lookalike packages—a practice dubbed "slopsquatting"—that can compromise software supply chains when developers unwittingly install them. Dave’s story is on Cisco Talos uncovering a widespread toll road smishing campaign across multiple U.S. states, where financially motivated threat actors—using a smishing kit developed by “Wang Duo Yu”—impersonate toll services to steal victims' personal and payment information through spoofed domains and phishing sites. Maria's got the story of how scammers are using fake banking apps to fool sellers with phony payment screens—and walking away with thousands in goods. Our catch of the day comes from listener John, who writes in to share a suspicious text message he received.

Resources and links to stories:

* LLMs can't stop making up software dependencies and sabotaging everything [https://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/]
* Unraveling the U.S. toll road smishing scams [https://blog.talosintelligence.com/unraveling-the-us-toll-road-smishing-scams/]
* 'Scammers used fake app to steal from me in person' [https://www.bbc.com/news/articles/cn05d58jwvdo]

Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@n2k.com [hackinghumans@n2k.com].

24 Apr 2025 - 42 min

OWASP insecure design (noun) [Word Notes]

Please enjoy this encore episode of Word Notes.

A broad OWASP Top 10 software development category representing missing, ineffective, or unforeseen security measures.

CyberWire Glossary link: https://thecyberwire.com/glossary/owasp-insecure-design [https://thecyberwire.com/glossary/owasp-insecure-design]

Audio reference link: “Oceans Eleven Problem Constraints Assumptions” [https://www.youtube.com/watch?v=7X9kHeY-lpo] by Steve Jones, YouTube, 4 November 2015.

22 Apr 2025 - 8 min

Phishing in the tariff storm.

This week, our hosts Dave Bittner [https://www.linkedin.com/in/dave-bittner-27231a4/] and Joe Carrigan [https://www.linkedin.com/in/joecarrigan/] are sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines, while our other host, Maria Varmazis [https://www.linkedin.com/in/varmazis/], is at a conference. We begin with some follow-up, as Joe reflects on the density of gold. Then, Dave shares some heartfelt and moving words about the recent passing of his father. Dave's story follows how confusion sparked by Trump's erratic tariff policies is fueling a global surge in cyber scams, phishing sites, and crypto cons, as threat actors exploit the chaos to mislead, defraud, and manipulate online users. Joe has two stories this week: the first is about the "blessing scam," a con that targets older Chinese women with promises of spiritual cleansing that ends in financial ruin. The second covers a new FTC rule requiring companies to make subscription cancellations as easy as sign-ups, cracking down on deceptive practices. Our catch of the day this week comes from Montclair University, as they are warning of a phishing scam offering a “free 2014 Airstream Sport 16′ Travel Trailer.”

Resources and links to stories:

* Trump Tariff Confusion Fuels Online Scams [https://www.forbes.com/sites/emmawoollacott/2025/04/10/trump-tariff-confusion-fuels-online-scams/]
* Oklahoma woman charged with laundering $1.5M from elderly women in online romance scam [https://www.foxnews.com/us/oklahoma-woman-charged-laundering-1-5m-from-elderly-women-online-romance-scam]
* A new ‘jackpotting’ scam has drained more than $236,000 from Texas ATMs — but who foots the loss? [https://www.yahoo.com/news/jackpotting-scam-drained-more-236-110900898.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAACoO7q4vRhd33ftG3Ak2pN42Aw23uyziwT35V0ggRRHVx1EEkH46nZkEOoHn8vaeSYg_8jknuCkpTYYilp5WPyGjngMUZAO_VtrltdU4LNsMCULF_RUqpv98tSe5S0GDER8kHHa_1Rmpyjh9fRrbJSPr9Kr5IIxrlLLzbAYFn6Gv]
* Opportunity To Own A Free 2014 Airstream Sport 16′ Travel Trailer [https://www.montclair.edu/phish-files/2025/04/01/free-item-phish/]

Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@n2k.com [hackinghumans@n2k.com].

17 Apr 2025 - 34 min