Hacked - Hotline Hacked Vol. 1

Episode Date: January 16, 2024

It’s our first call in show episode. Share your strange tale of technology, true hack, or computer confession at hotlinehacked.com.

Transcript
Starting point is 00:00:00 Thank you for calling Hotline Hacked. Share your strange tale of technology, true hack, or computer confession. After the beep. Hey, my university has a system, like many universities, for getting enrollment verification. So if you want to get a student discount, some places require that you submit a transcript or some evidence that you're currently enrolled. So I go to the website provided by my university, which asks for a last name and a social security number. I type in my last name, I type in social security number, and I get somebody else's transcript. Turns out, I typed a wrong social security number, and they don't check against the last names. And so what they provided me is a portal where I can just put in random social security numbers, write down the number I put in, and get out a transcript of, you know, I know they're going to school here, I know what classes they took, I know their address.
Starting point is 00:00:59 It's just a great place to get all sorts of information about people. And thankfully, I tried it a couple of times just to make sure that this was actually fully broken. Didn't do anything with it, obviously. But I reported it to the security email that I found somewhere on the page, and it did get fixed. But I'm like, make sure if you're asking for security questions, you actually use them. Take care. Bye. It's just such a great place to get all sorts of information about people.
Starting point is 00:01:38 Well, I think what he doesn't realize is that he's committed a large crime, as he demonstrated by the fact that the same thing happened in the province of Alberta, by one of the MLAs, the members of the Legislative Assembly, which is essentially like somebody in government, elected official in government. During the COVID thing, do you remember this? They had like the little COVID certification things, and one of the MPs found out that there was a flaw in the system that allowed you to bypass certain things. It would give you information on other people. That MP got investigated by the RCMP, or like the police for doing the essentially the...
Starting point is 00:02:16 I totally forgot about that. Yeah, they tested it and reported it. So this caller has essentially done the same thing. And now we've got you on tape confessing to it. Exactly. This was a, this was a one of those calls. This was a covert operation. Gotcha, buster. No, not at all. Hey, welcome to Hotline Hacked. The hotline you can trust for you to preserve your anonymity when you share stories and content
Starting point is 00:02:44 with us. The other thing I'd say about this is I think this is so common. Like there's so many systems that are poorly designed from a security standpoint, especially it seems like ones that are largely database driven, like things like this where it's probably put together by like a database person who's not thinking about all of the security around the access to the data. They're just like, oh, I can build something that quickly queries this information and dumps it to a website. And it's like, okay, great. It's like, why would I put any kind of constraints and checks on this? Like, I'm just going to look up, use the primary key of the social, look it up in the table and dump that record out.
Starting point is 00:03:23 And it's like, I can't imagine there's got to be thousands of systems that are broken like this. Thousands. Yeah. There's a couple things to unpack here. First is there is definitely, assuming this worked the way the caller described, which is that the thing asked for, this portal asks for both your social security number and your last name. It would seem the last name is just going into the void and all they're doing is checking
Starting point is 00:03:49 the social security number before they give you access to this information. There's a little bit of duplicitousness of even putting the last name box if you are not going to use it. Totally. It suggests you know that you should be getting some kind of verification, but you can't be bothered to wire it into anything. So we kind of got to put that aside. To your second point about this happening, about four seconds of Googling discovered that it was the most recent one is the University of Minnesota, who is currently, who at the time of that publication needed to email two million former students, applicants, staff, and people whose information had been leaked in a data breach that was discovered in July of that year. The hacker in that claimed to have accessed 7 million social security numbers that was published in the Cyber Express.
Starting point is 00:04:36 So yeah, I think you're honing in on something that maybe those databases on campuses aren't quite as locked down as they ought to be. It's like the, it's not even like this is an SQL injection. Like you use something like an SQL injection attack to get access to data that's not connected to your record and stuff like that. Like if you can get into the database, if you can add stuff to the query, you can pull more stuff out. This is just straight up broken. Like, it's just a complete lack of security on the, on the form that they've built.
Starting point is 00:05:10 Like, the fact that you don't have to do anything besides just, like, you could write a number generator that just attacks this thing and wardial the social numbers and just pull every record from everybody at the school with probably pretty easy. I doubt they have a query limit. I doubt they have anything. So you'd probably do it, like, really quickly and nobody even know what happened. So another...
Starting point is 00:05:31 I had never heard the term war dialing until you just used it. That's a sick term. You've heard the term war dialing. Have I heard the term war dialing? Yeah, we've talked about it in episodes long ago. So war dialing is essentially like the old school, back when the internet was phones, for lack of better terms, when office workplaces and stuff allowed access to networks through dial-in, war dialing was essentially setting up a modem.
Starting point is 00:05:59 to call all numbers in a band. So, like, maybe you give it a prefix, and then it dials every suffix in that prefix, and essentially makes note of which ones are modems that pick up, because modems have distinct, you know, ways of answering. And then you get, like, a list of all, you know, computers that are on in that prefix. So that's what war dialing is.
Starting point is 00:06:22 So it kind of used it the same way for a number of other things. Fascinating. Yeah. So the first thing that I thought when I heard this was like, huh, it's pretty weird that someone else at the school had such a similar social security number. So I went down a little bit of a rabbit hole of how social security numbers are generated. And it made it left me feeling like this is actually totally plausible. So up until 2011, in 2011 social security numbers were replaced with totally random strings of numbers. I think it's the same length, but they're totally.
Starting point is 00:06:58 randomized. In the press for this, they used the term randomization in quotes as though it was like a patent pending term that they had invented, but they just made them random numbers. The Social Security Administration changed the way SSNs are issued in June 25, 2011. Prior to that point, though, since they were originally implemented in 1936 for tracking workers' earnings, Social Security numbers had a really rigid structure. It was a three-digit area number, a two-digit group number, and a four-digit serial number. And what that basically meant was that if you were born in the same place at the same time, your social security number could largely overlap with other people born in the same place
Starting point is 00:07:44 at the same general time. This was obviously changed in 2011 to sort of expand the total possible pool of social security numbers. I think now there's approximately 420 million possible numbers up for assignment. The previous structure had limited that. That's why they changed it. But I kind of buy it. You get a bunch of people going to the same school. A lot of them are going to have grown up in the same place. A lot of them are going to have been born at generally the same time. I kind of buy it. I think it seems plausible to me. It seems plausible to me too. Yeah. Yeah. The other thing this reminded me of is that scene in the social network where he gets brought in front of the ethics committee for having
Starting point is 00:08:24 hacked the Facebook, like the campus Facebook. And it just evoked that, which is fun because I think the other call we're going to be talking about is also set on a campus. Let that be our segue. Let that be our segue. Good morning, Jordan and Scott. It is Chris here from a chilly autumnal morning in Dublin, Ireland. I wanted to share with you a story of when I had my first.
Starting point is 00:08:50 job out of college basically. I was an intern working in a very small company that was based in a college campus basically. And parking was 10 euro a day and I wasn't even getting paid. So I thought that was pretty unfair. So I decided to hack the system in my own way. So I scanned in some tickets that I bought over the course of a week. Managed to get all of the numbers in the that I needed, I suppose, and the letters that I needed for the days of the week, etc. and the months of the year. And then eventually what I would do is every morning
Starting point is 00:09:28 I would just print off from Photoshop a new ticket. And yeah, that's how I got free parking for like a year or two. Not exactly a high-stakes computer hack, but yeah, it's my own personal hack. I love the show. Keep up the good work. All the best. That's so sweet. We love the show too. And we're thankful that you love it too. Thank you. We really appreciate that. Okay, let's crunch some numbers here. Parking was 10 euros.
Starting point is 00:10:03 Homie wasn't even getting paid for the job. So unfair. Assuming he had to go in five days a week, it's pretty quick math, 50 euros a week. How many weeks do we assume he went in per year? for a call 50 two weeks off? Call it like 47. 47. Cool. Let's do 47 times 50.
Starting point is 00:10:26 Homie saved 2350 euros. He did. With this hustle. Assume he ran it for a full year. And again, this is an undercover operation. Gotcha. This one resonates with me because this is something that I always...
Starting point is 00:10:42 This is your shit. This is something you would have done. No, this is something I always want to do and never do. So I don't know, I don't know if you know this about me, and I don't know if this is in the hack trivia yet, but like, I'm a huge tennis fan and I go to tennis tournaments. And tennis tournaments are very like, they're kind of for the people in some ways, but then they're also not for the people. Like there's different levels and passes that you get, that get you better hospitality options, not only better seats, but better hospitality options,
Starting point is 00:11:11 better, you know, bars, restaurants, services on site. And they cost way more. Like if you want to get a premium ticket at a premium tournament, it's much more expensive than just getting a general admission, like site access pass. One's like 50 bucks a day and one's like, you know, $5,000 a day. And the passes that they give out are honestly the most reproducible things I've ever seen at most of these tournaments. Like they're just physical access.
Starting point is 00:11:39 Like they're just like a placard on a lanyard. The lanyards for sale in the shop on site. So you can buy the lanyard. The placards, like, we've honestly gotten to the point of, like, jokingly taking photos with site staff so that we can have copies of their decals in our photos. Oh, sure. But we've never actually done it. Like, it's so easy to do.
Starting point is 00:12:02 Like, it would take 15 minutes in Photoshop, a trip to Staples, and two bucks for a laminar. And it would be all done. We'd have full access site passes, get media access. We'd be able to do anything, but we just haven't. I've never done it. There's no barcode? Like, it's just a site and a digit thing?
Starting point is 00:12:18 But like the security notes scan it. So it's just, right? Because it's a fancy tennis thing and people would be offended if someone had the gall to scan their pass, supposing that they were a liar and a thief. Yeah, I got you. So all of a sudden you just have a lanyard on with a big placard
Starting point is 00:12:32 and a photo of you on it. And like often like a letter or a colored block that designates what level of access you have. and then once you have those passes, you're just free to roam. And every time I'm at one of these tournaments with one of my friends, we joke about making them because it would be so easy and we haven't done it. So I look to this caller and I say, thank you for living out my dark fantasy.
Starting point is 00:13:00 Dark, my beautiful, dark twisted fantasy. Oh, that's pretty good. Yeah. Yeah, I remember kids in high school photoshopping bus passes, which in retrospect was actually kind of dark now that I think about it because it meant that kids needed to Photoshop bus passes. But anyways, no, the story that this reminds me of, Scott, did I ever tell you the story of my first ever hustle? Always be hustling, Jordan. Always be hustling. On that grind set 24-7. No, my first drift, the con that kicked it all off. Have I ever told you this story?
Starting point is 00:13:35 I don't think so. I don't think so. Okay, amazing. I was a minor. So for legal purposes, we can also say it was my last. So when I, and it has to do with parking, which is why I bring it up. So I got a job when I was like, they just changed the laws and the province were from about how young you could be to work seasonal work. My parents were like, get this kid to work. And so I went to go work it. I won't, it'll remain nameless, but it was the big carnival exhibition in town. You would be familiar with it. It's gold rush themed. Anyway, my job is I worked parking. It was not a great job. Oh, man.
Starting point is 00:14:13 It was paid, which means it's better than what our dear caller was getting compensated for his position. But it wasn't a great job. You stand in a parking lot directing cars either in the hot sun or the pouring rain with all of the authority of like a 13-year-old. All the authority that a high-vis vest and a light stick gives you. 100%. And at some point during this whole terrible week and a half, they said this 13-year-old seems like he's really ready to handle a little bit more responsibility. So they put me in charge of a gate.
Starting point is 00:14:48 And it's a gate that was away from the main parking lot. It was kind of off to the side of the complex. It was a little bit private. And it was the gate that people who worked for the property essentially where the exhibition was being held would pull off of a road. I would go open the big chain link gate. They would drive in, go down a road and go park. but it also happened to be the road that packs of people coming from the transit center would walk down on their way to the main entrance.
Starting point is 00:15:17 Okay, okay. And some, like, people would have the thought, hey, there's like seven of us. Tickets cost whatever, 25 bucks to get in or something, say 20 bucks. Hey, kid, if we give you 20 bucks, would you open the door? No one's around. And? It's a big chain-link fence. And?
Starting point is 00:15:41 The con is on, my friend. Criminal. Criminal. The hustle begins. So I feel a real kinship with you, caller, in that we have both exploited a parking system at some point in our lives. I feel a kinship with you. So let's talk more about your con here.
Starting point is 00:16:02 Let's get into the dirty details. How much additional funds do you think you might have or might not have made that summer? You know, it's foggy. We're getting pretty far back in the personal history, like around two decades at this point. But I remember it being comparable to what I was being paid for the like, so you double down. You double down on your age. I double down. I double down. Totally. You're coming home every night with like a stack of 20s in your pocket and your mom's like, what's going on, Jordan? You're like, business is good, mom. Business is a-boomin'. I definitely, I think I learned in that that while I am very compelled by crime stories,
Starting point is 00:16:42 I do not have the disposition for it because I was nervous. Like I carry, I don't know if it's guilt. It was hard to feel guilty as a 13 year old taking advantage of such a large organization, but I definitely carried some kind of weight after that. And I think I learned in that that I am much better at telling stories of other people's indiscretions, not necessarily committing them myself. Yeah. But, you know.
Starting point is 00:17:08 I feel... The hustle begins. I feel like I was raised in a way where I have a very strong sense of justice instilled in me. And I kind of don't like it because I think that life would be a lot easier if I was just a little bit seedier. Like I have skills and talents that I could use to make myself better off, have a comelier lifestyle. Not just money, but like other things. And I just can't bring myself to do it because I just have two, like, my wife hates me for it, but I have like this strong beacon of justice that I've been like bred into me. And I'm blind to anything but that. And it, and it, it is at my own downfall,
Starting point is 00:17:52 my personal downfall. So anyway, oh man, with that. Sticking it to parking pass people. I love it. Should we go to commercial? Let's do it. Let's do it.
Starting point is 00:20:20 Okay, before we get to our next caller, uh, thanks for listening to Hotline Hacked. If you would like to share your strange tale of technology or parking pass abuse or computer confession,
Starting point is 00:21:06 uh, go to hotlinehacked.com. You'll find an email. You can submit to. You'll find a phone number. It is 1-888-288-28-8-8-6-9. You call in, leave your message, and we might talk about it on the show. We've got some fantastic calls.
Starting point is 00:21:24 We're not getting to this episode. I'm just going to highlight it because we highlighted it last time, Taunskos, spins an epic yarn. We're saving that one for a rainy day. We've got stories about airplanes. We've got all sorts of wacky stories. We're not getting to all of them today, but we will in the future. If you'd like to get yours in there, hotlinehacked.com.
Starting point is 00:21:44 I just wanted to try this out. I don't have much in terms of, like, you know, I've always been interested in the cybercrime, but I've never had anything myself. But I did once want to join a Discord server that was called Family. It was like spam to like a random on dead server. I was in and I was like, I don't know what that means because that sounds really fun. And like, I want to be in the family, obviously, even though I'm like fully not, hold on, sorry, let me restart.
Starting point is 00:22:17 I got a weird text. My friend spotted me in the wild, apparently. Anyway, I, yes, I wanted to join the family, but I'm not, I'm not a particularly savvy Discord user, nor am I somebody who goes on the dog. It was just called the family, and it sounded kind of lit. So, you know, I kept scanning this QR code, and nothing happened, and I just kept scanning it. And then they hacked my PayPal, got a bunch of money from it. I didn't really know what to do so I got a new card moment if I was going to get out but yeah, like they got it through like Discord Nitro even though I hadn't
Starting point is 00:22:49 had Discord Nitro and like forever. So it was really crazy but they just kept charging Discord Nitro like a few times and so you know luckily I was able to cancel it and all that but I was just like what the hell was going on. That's what they choose to do with my PayPal information and maybe they couldn't do anything else. I really don't know. Yeah, that's kind of yeah.
Starting point is 00:23:07 That's kind of what I got for you all, so. You've been luck with your hotline. Spotted in the wild. Spotted in the wild. Spotted in the wild. You said something in your call. Who wouldn't want to be part of a family? And a big part of families being honest.
Starting point is 00:23:25 I did a little research. I think he maybe got caught in a little bit of a thirst trap there, Friendo. YouTube video digging into this scam from a YouTuber called no text to speech. Really good stuff. And in his video, he digs into what he called three scams that involve exploiting people's hormones. On God, all you horn dogs really got to take a step back and think about things. In this video, I'm going to go over kind of three types of scams I've seen that involve,
Starting point is 00:23:49 you know, exploiting teenage hormones. I think these are thirst trap discord scams is what happened here. Go further, Jordan. Tell more. Tell more. Tell more. A person gets a message inviting them to this Discord server. It is the reason I'm pretty confident this is what we're looking at is because, you know, the graphic is right in the YouTube video. The family reference is to do with Dominic Toretto from Fast and the Furious. Okay. I'm not sure if you're familiar with this film franchise. It's a film all about how,
Starting point is 00:24:19 what is he say in the movie? I don't have friends. I have family. That line is quoted in the kind of spammed Discord thing. You click on it to verify. It takes you to another Discord server. And it is there that the victim encounters a verification bot. A fake verification bot in the server that gives you a QR code to scan to verify using the Discord mobile app. Scan with Discord QR codes are used to log into accounts. And what they're trying to get you to do there by scanning this fake verification bot is to try to get you to scan their login QR code to log into your account on their computer. Do not use the Discord QR scanning app on anything you see on Discord.
Starting point is 00:25:04 It is almost certainly just trying to get your account logged in on someone else's computer. So. So? Then there's the question of PayPal. Caller, I think, generally got it. There's the remote chance that something in their account made of, like, some piece of information was used to log in a PayPal.
Starting point is 00:25:25 I think all this was was the person using their Discord profile to purchase Discord Nitro, which can then be resold or gifted to other people. Yeah. What I'm guessing is the PayPal was connected to Discord and that's what happened. Yeah, I think the same. I think that the PayPal was connected to the Discord. They lost access to their Discord and then bang, all of a sudden somebody was spending their, spending their Discord connected PayPal monies on Nitros. Exactly.
Starting point is 00:25:51 The family. Cracked that mystery. The family. Yeah, it was one of several of these similar scams that were identified in No Text to Speech's video. But they all typically were paired with some sort of message that you would probably only click on in a hormonal flurry of poor security protocols, let's call it. All right. Trying to keep it remotely PG over here. I don't think it would be remotely PG. It's probably like lightly R, if not strong R, light X.
Starting point is 00:26:29 Oh, yeah. No, there's a reason we're not reading the YouTube transcript verbatim. Yeah, yeah. But I think that's what happened here. And hey, you know what? That's okay. And here's what I'm going to say, no shame. No shame.
Starting point is 00:26:44 Zero. Zero shame. Zero, friend. Zero shame. I'm sad. It's happened here. And I'm glad that you're part of the hacked family as we don't try to steal your money. This is true.
Starting point is 00:26:56 Thank you for calling with your story. It was a nice reminder that that scan to verify QR code thing is at the heart of We've talked about Discord scams before on this show. The scan QR code to verify thing is at the heart of like all of those things. So this call was a really great opportunity to get to kind of remind ourselves of that. Never scan a QR code using the QR code scanner inside the app itself. The app QR code scanner is typically used for verification purposes. If you're going to scan a QR code in the wild, don't use the built-in app.
Starting point is 00:27:33 So a few years ago, while I was getting started in my cybersecurity career and had some extra time on my hands and feeling extra ambitious, I decided to try and go after scammers, similar to the scambaiters that you find on YouTube. Had a whole setup, green screen, little costume. I had an idea in my head that I would have my face covered in the videos until I reached a certain subscriber point. And so I started, you know, going after scammers found forum after forum and chat groups that had phone numbers to call and created an anonymous persona with the phone number and all this stuff. I had a voice changer, you know, the whole nine yards. I was trying to be as legit and technically savvy as possible with my whole setup. On my professional side of my career, I'd been learning how to set up remote portals for managing endpoints remotely and being able to deploy the agents for these remote management tools silently in the background. And so I had that under my belt and I wanted to learn how hackers moved laterally through networks and all the stuff. So, anyways, fast forward a couple weeks. I've got a
Starting point is 00:29:06 number of scammer endpoints in my portal using tricks I've learned along the way. Most of it was using AnyDesk to kind of do a reverse connection to the scammers and then get a script running on their endpoint to launch a reverse shell that would give me remote access and be able to launch my remote tools on their systems. And I started making connections with other people in the community, a couple of big names in the YouTube scam bait community, and they started actually using some of my tools to be able to bring some of these bad guys, the scammers, and whoever they could find into my portal.
Starting point is 00:29:56 And so occasionally I would have endpoints that would just show up out of nowhere, something that I didn't do, that another scam baiter had done. And one of the scambaiters started going after crypto scammers, which was a very different breed of scammer than I was used to. I was going after all the Indian call center scammers. And as it turns out, the crypto scammers were mostly Nigerian, at least these ones that were going after. and some of them were based out of Nigeria.
Starting point is 00:30:28 A majority of them, as I learned, were based out of Cyprus. Apparently, Cyprus is an area of the world where a lot of scammers from Nigeria have fled to because of persecution in their home country for scamming. And we ended up getting onto this one particular person's computer because his friend who's running crypto scams decided to borrow his friend's computer to try and help my scam bait buddy. I put in air quotes, help. Show him how to release crypto to him using AnyDesk or whatever tool it was.
Starting point is 00:31:13 And so my scam bait buddy got on to this friend's computer. Well, it turns out this computer, this person that owns this computer was an email scammer. I guess maybe like one step above crypto scamming. And if you're familiar with email scams at all, they kind of work the range of romance scams, but primarily they will focus on businesses and getting kind of a man in middle setup between businesses where they will act as a person on either side of a company, usually between payroll or an accountant in a company. And they'll send fake emails to try and tell a person that, you know, you owe this much money.
Starting point is 00:32:11 you know, we're expecting this payment from you. Where is it at? Or they'll pretend to be a CEO. That's a really common one. They'll pretend to be a CEO, and the CEO will email the accountant saying that they need a payment sent through to a vendor, ASAP, because of some reason or the payment didn't go through and we don't want the services to end, so on and so forth.
Starting point is 00:32:34 I'm just going to stop it right there for a sec. Do you know that it's illegal to just mail out invoices? Interesting. I mean, that makes sense that you would have to make a law about that because it makes even more sense to just try and, like, lob a bill into the ether and see if someone will pay it. Exactly. So this is like an old school scam that, like, I've seen a few times and actually I still get these occasionally. And it's, it's the only ones that I've gotten in it with any kind of recency is DNS registration ones. So they'll actually scan the DNS registries and look to see if any of your, like, websites are coming up for expiration, and then they essentially send you an invoice to re-register it. Because I'm sure for, you know, every 10,000 of those that they send out, they get 100 back. Or like for every thousand they send out, they get 1 to 10 back, 1 to 10 back, paid. And they, of course, charge you like 15 times what it would normally cost.
Starting point is 00:33:33 So anyway, I did some research into it a long time ago, and it turns out it's essentially mail fraud, and what I would assume is now email fraud, to just blanket invoices out because assuming that some company is going to receive it, it's going to be small enough that they're just going to throw it into the payables pile. Right. And just assume, and especially if it's like you're a major construction company and you get like an invoice for like screws. You're like, okay, we owe $700 in screws. Seems like something we buy.
Starting point is 00:34:04 Sure. Yeah. So like just pay this. And it's like I learned that that is actually fraud. So anyway. Let's jump back to his story, but I just thought that was an interesting tidbit. No, it's a good thing to chime in with. Interesting.
Starting point is 00:34:18 So enough backstory. I'm on this guy's computer. I've been watching for weeks. I'm recording a screen just floored by all the stuff I see and also floored by the fact that he's not technically savvy at all. And he's got chat windows open with, you know, his different guys that he's connecting with. And for the life of me, I can't really follow or understand a lot of the stuff that he's saying, even though it's in English because of the slang that they use. And but I decide to, you know, be a vigilante and help out some of the business owners or businesses that this guy is going after.
Starting point is 00:35:00 I've pulled passwords from his systems and I began calling some of these companies. And, you know, the individuals I'm able to get a hold of, I would talk to them and tell them what I'm seeing, tell them who I am, you know, my alias name, and what has happened and when they don't believe me, you know, I tell them the password or part of the password that I've pulled from this gentleman's computer. Majority of the time, the individuals would freak out and ask me if I was a hacker, which, you know, was really hard to convince them of otherwise. But the worst one, and this is where the story is all leading, was there's a box company at Atlanta that seemed like a fairly large company that the scammer had gotten into the CEO's mailbox.
Starting point is 00:35:58 And it never really dawned on me until I needed to do this, that it is really difficult to get the contact information for the CEO of a company. They don't exactly post the phone number on the website, and I couldn't email him because the scammer's in the email box. So I started calling the company. And routinely I would get the receptionist, and I would tell the receptionist what was going on. And after a few attempts at trying to get her to get this message across to the CEO,
Starting point is 00:36:37 that his email has been hacked into, and there's a scammer that is watching all of his emails, and he's trying to siphon money out of the company. After nothing that had happened, I finally decided to give her my alias anonymous phone number to, you know, pass on to the CEO so he can call me. And the next day after I do this, I log on to the scammers computer, and on his screen, on his chat window, I see my number, my alias number, not my real phone number, but my alias number. I see it on his screen, and I'm like, holy shit. Because as it turned out, the receptionist had emailed my information to the CEO, even though I told her his email had been compromised. And that day I received multiple phone calls on that number who I'd given to virtually no one from various different numbers. And yeah, so that was a little scary. And I, you know,
Starting point is 00:37:50 I was telling all my friends and my boss, you know, about some of the stuff I'd been doing. And my boss was like, you know, you have no idea how much money is behind this guy that you're watching and how high, you know, he goes or what skills that people above him have. So please be safe. Maybe stop doing this. You don't want them showing up on your front door. And so soon after that, I stopped going after guys like that and just continued on with the Indian scam calls until I got bored with them. But anyways, that's my story. I don't know how you guys are going to cut this up. Just thought I would share. Oh, we're not going to cut it up, buddy.
Starting point is 00:38:34 We're going to play the whole thing. Whole dang thing. I thought we were going to cut it up and then we were listening to it. I'm like, this is fire. This is so interesting to me. There's a lot to unpack in this one. The first is, and this is more just like subjective, but the sort of hierarchy of different types of scammers.
Starting point is 00:38:53 Totally. Talking about the call center scammer and then the sort of next trip of the crypto scammer, maybe. And then I think to use his phrase of one step above of crypto scammer, the email scam, which includes sub-variations like the romance scam, but relevant here, the man in the middle between two businesses scam. Like, on the way to this story, just sort of does a casual drive-by survey of the entire phone scamming landscape.
Starting point is 00:39:20 I find that so interesting. This one's interesting for a number of reasons to me, A, because most scamming, scammers, these things, these are essentially organized crime outfits, right? Like, they're not, like, large call center scammers are essentially organized crime in whatever jurisdiction they're operating in, whether it's India or Africa or wherever. Getting into crypto scamming, those are also largely done by organized crime in Russia, the Ukraine, Belarus, Georgia, you know, you name it. Yeah, the Eastern Bloc loves a good crypto scam. Korea, too. The getting into email, like email is actually what I would say. I could see how they, I could see how the
Starting point is 00:40:01 ladder progresses because an email hack being like, hey, can you pay this invoice immediately, come from the CEO, going to the payables department, is like real white-collar crime. Like you're, it's like most fraud that occurs inside of a business occurs in the accounting department, right? Like, if you're an accounts payable person and you make $20 an hour, you can add a vendor for payment, create invoices and key the, those invoices in and then put the checks into a stack of checks to be signed or automatically sign them if they're low enough on the price thing that they're automatically approved. Like the amount of fraud that occurs in businesses often happens at the lowest end in people
Starting point is 00:40:46 in like the accounts payable department, payroll department. You add fake employees and pay them, etc., etc. So like to jump in and like take over executive level emails and senior people and essentially people that have high levels of authority in the company to sign off on larger expenses and then to fabricate those expenses and force staff to pay them. Like that's a, that's a, I'll go as far as to say, pseudo-sophisticated fraud. Sure. And it's definitely more in the like corporate espionage realm of things than a romance scam where you're carpet bombing people with.
Starting point is 00:41:23 Totally. You know, first step in a long con romance type email. I was like, no, you hacked a person's system. And it reveals how deceptively hard it is to wriggle your way around something like this once the email is compromised because you've compromised the channel through which people would reveal the vulnerability. Yes. But the other thing I found interesting is the fact that whomever this is, their employer was like
Starting point is 00:41:48 kind of cool with it. Like they weren't cool with it, but they were like, you know, you should really watch out like these people mean business. It's like you're getting in the middle of a multi, like multi, multi, multi million dollar fraud, and this could be detrimental to you. But also like, you know, see you tomorrow morning. Pretty cool boss. Pretty cool boss. Yeah.
Starting point is 00:42:12 It's definitely like a thank God. Obviously, a very technically sophisticated caller is naturally going to use a burner number for anything to do with interfering with an organization. Crime Syndicate. Thank God you did because that receptionist just sort of revealed the whole investigation in that email to the CEO. What I want to know is what happened with the company. The end of the story, if I'm understanding correctly, is Homeboy calls the receptionist trying to inform them the scammer is in their system and can see all of their emails. The receptionist does not really appreciate the spirit of this warning and emails word of that onto the CEO, thus giving the phone number to the hacker.
Starting point is 00:43:03 We know that the caller starts getting all these weird calls from the hacker. Thank God it was a burner. But what happened to the company? Do you kind of just throw your hands up and go like, okay, I tried. I tried to give you a warning. You just turned around and informed the person I was warning you about. I'm going to take my boss's advice, be safe, and walk away from this. I'm so curious what came of this. How much money was drained out of that company?
Starting point is 00:43:27 Who knows? The other thing I would say is like a word of advice is if you're calling in with something like this and you want to talk to a CEO, like clearly you never worked in sales, like you can't get through to the executive branch without coming through a few gatekeepers. If you've got some kind of information like this and you need to get a hold of somebody that cares about it, just ask for the IT nerds because they'll understand. And they'll take action immediately to figure it out. It's like, just go. That's a great point.
Starting point is 00:43:57 Just go to IT. Just skip it. The gatekeeper of the receptionist is not going to give it any merit to, because they don't understand it. And then they're going to get, even if you got to the CEO, they probably wouldn't understand it. And they would just bounce you back to the IT guys and just are people and just go to the IT people.
Starting point is 00:44:15 Ask if they have a security officer. If they don't, just ask for anybody in IT. And they would have been like, okay, we understand what you're saying, you've hacked into somebody you are a hacker by the way you've hacked into a scammer's computer and you're now like observing his activity inside of our company that's very valuable knowledge to IT people but yeah the anti-scammer world is fascinating to me yeah we've never actually interviewed anyone that does this and scam baiting is so fascinating because it can be both done so well and there are stories of people trying to do it and having catastrophic outcomes.
Starting point is 00:44:55 So it's like it's a real tightrope walk people are pulling off when they do it really, really well. But I think we got to talk to someone in this world. I was stoked to see this call. We got to get a scambaiter, one of the big YouTubers, on. Jim Browning, I think is big in it. Kitboga, obviously.
Starting point is 00:45:13 I've talked about him before on the show. We have. Like the almost low-level harassment to the scammers. It's so funny. Yeah. Well, and apparently, I didn't know about this. Cyprus. Cyprus.
Starting point is 00:45:26 I think we got to go to Cyprus. I think we got to do a little investigation to what the heck is going on in Cyprus. I think the outcome of that story is that Island Scott needs to go to Cyprus. I'll see you there. Okay. So we got parking passes, forged parking passes, Social Security number portals. Bad database design.
Starting point is 00:45:55 Thank you. I couldn't quite figure out how to articulate that one. And finally, we have a very intense but fascinating story about scam baiting and why you always go
Starting point is 00:46:05 straight to the IT department. Yes. They're the one. They'll kick down the door. They won't email it. They'll just like burst through leaving a like them shaped hole in the wall of the CEO's office,
Starting point is 00:46:16 banging a drum, screaming like turn the computer off right now, unplug it. Always go to the IT department. Thank you so much for calling in. Thank you so much for submitting your audio. I think we're definitely going to do another one of these. Yeah, we've got a bunch more in the files, so we definitely have to do another one. This was heaps of fun. Hotline Hacked. Hotlinehacked.com. Ignore the bad security certificates or like the absent security certificates on that site. No, no, we, we, I gave it a, I gave it a security certificate.
Starting point is 00:46:49 Do we, oh, I thought I got a, oh, yeah, HTTP. No, you're right. Totally. It's been fixed. It's been fixed. Ignore me then. And go to our rock solid secure website to submit your story. Thank you so much for calling in.
Starting point is 00:47:03 And while you're just visiting websites related to us, you can also go to store. dot hackpodcast.com. Check out some merch. Yeah. Yeah. Patreon. Maybe go over to our Patreon. on actpodcast.com.
Starting point is 00:47:18 Follow us on our socials that we don't really use. So you could be there for the occasional tweet. We do respond. Yeah. Typically, if you say things to us. But we don't really, we're not very vocal. We save that for the podcast episodes. No, we're reply guys on Twitter for sure.
Starting point is 00:47:34 And if you live in Cyprus and want to host us while we come there and trepidatiously knock on email scammers doors, get at us. We'll see you on the beach, baby. Island Scott, here he comes. Island Scott's coming, try and stop him. Hotline Hacked. Thanks for listening, everybody. We'll catch you in the next one.
Starting point is 00:47:56 Take care.
