Hacked - Hotline Hacked Vol. 12
Episode Date: April 26, 2025
A tech worker stumbles upon mass fraud and brings receipts, a flag football prank goes very right, a teenager uses Net Send and gets in trouble — but not as much as the person they're in trouble with, and a guy almost sends his pal on a "Taken" style revenge mission to Kosovo. Got a strange tale of technology, security, or hacking? Share it at HotlineHacked.com. Hacked is brought to you by Push Security. Check them out at PushSecurity.com. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
Thank you for calling Hotline Hacked. Share your strange tale of technology, true hack, or computer confession.
After the beep.
This hack happened in the early days of AOL and Gmail, probably around 2005.
Back then you could create multiple Gmail accounts without any issues.
AOL also had a want ad service, where you could offer to sell or buy items from their web page listings.
I have a friend who wanted to buy a PC, and he found an ad that apparently was not getting much attention, because he was the only person to bid on the PC.
He won the PC for $300 and called me to brag about the buy. I asked him about the PC and found the
listing. While he was on the phone, I found the email of the seller and quickly created a Gmail
account, switching one of the letters for the seller's Gmail. I sent my friend a quick email
congratulating him on his win and in the email itemized all the additional fees that went with the
$300 PC. Shipping $200, packaging $150, insurance $250, taxes $325. You get the idea. The total bill was over $1,000, which is about what the
PC was worth at the time. I asked my friend, have you heard anything yet from the seller?
He replied, yeah, he just emailed me. Then there was a long silence followed by a string of profanities.
I had to cover my mouth to stifle my laughing.
I said, what's the matter?
He then furiously read me my email.
He was beside himself.
I replied, well, email him back and let him know the additional costs were not mentioned in the ad and are outrageous.
Which he did, and since he replied to the email, it went straight to me.
He stated, among other things, that he could not understand how the taxes exceeded the cost of the PC.
He finished the email stating he would not pay this price, and he was going to report the seller to AOL.
I should have stopped, but this was going great.
I replied to his email that the taxes were for New York City and the country of Kosovo.
I told him there was a clerical error, and this has been corrected to now show that he purchased three PCs.
Now the bill was close to $5,000.
I also told him I was aware of his children, whose names I thought,
listed in the reply, and threatened that he better not say anything to AOL. I hit send and waited. We'd been on the phone the whole time, and it was tricky reading and composing these emails while also conversing with him. Again I asked if he had a reply to his email. This time there was this cold silence, and I could feel him go into full daddy mode. He served in the Army and was well prepared to defend his kids. I decided to fess up, and he took it well. Turns out, he did not get the PC.
Days later, the real seller sent him an email telling him that they could not sell it at that price.
Man.
Yeah.
Welcome to Hotline Hacked.
It's the call-in show where you can share your strange tale of technology.
True hack or computer confession. If you want to share your story, go to hotlinehacked.com.
It's brought to you by Push Security.
Yeah, you almost had your friend on a plane to Kosovo to go, like, Taken-style track down people.
And then when you fessed up to it, you almost had your friend break your nose.
I'm not convinced.
The way this email ends kind of abruptly.
I'm wondering, he said he took it well.
Did he?
Yeah, he took it well, well enough.
He mentioned some of these children's name.
I don't know.
I don't know.
Harmless prank, yes.
Emotional prank also, yes.
Yeah.
And also the idea, I think he says at the start of the call,
you know, back then in 2005, you could create multiple Gmail accounts without any issues.
You can still basically do that.
Yep, you can do that.
Yeah.
The one thing I'll say is like this has been such a plague of like online auction sites is like something doesn't get the traction it's supposed to and doesn't get bit up to where it is.
And if there was no minimum set, then the seller just backs out and walks away.
This happened to me in, like, college.
I got frauded.
I bought a, prior to tablet computing, I bought, like, a mobile PC.
And it was like 300 and some bucks, which was a decent amount of money back then.
Completely hosed.
Seller took the money.
Refused to send it.
It was too low.
Refused to give a credit.
Thankfully, PayPal did its thing.
Yeah.
I don't think PayPal's as aggressive in fixing broken transactions as they used to be.
I know the last time I tried to do this like two years ago, PayPal wanted nothing to do with it.
And I was like, how is this?
This is exactly why I liked PayPal and have used it for 25 years.
And now you're refusing to do it.
So I'm not sure what's changed on their side.
But yeah, the joys of online marketplaces.
Yeah, there's definitely a, like don't set the price floor on a thing you're selling on the internet below what you're willing to sell it for.
This is day one stuff.
Be willing to let it go for that amount of money.
Yeah, yeah, yeah, yeah.
eBay putting a minimum bid in is like a thing.
Like use it.
Yeah.
But this was the wild west of 2005.
I do appreciate the like real time
multi-layered social engineering going on
across both phone and email
because it's not just the duplicitousness
of the emails.
It's being live on the phone with the guy
pretending to be, oh, and then what happened,
bro?
Clack, clack, clack, clack, clap, type, type type,
clap, clack, clack.
It's like, oh, that took a little bit of coordination there.
I love that he quickly looked up the seller's email address, made a spoof version of it, like, instantly.
Quick.
Quick.
Whip quick.
And then immediately fabricated a thing.
I also love that, like, the taxes were, like, 105% of the sale price.
Like, that would be just the most oppressive sales tax ever.
Yeah, there's a nice, it's almost like interrogations where you're supposed to increasingly apply pressure.
I say supposed to in movies in the TV.
In the TV.
That's how they do it.
And there's an element of this too where it's like an escalating stake where it starts
with like a plausible hidden fee.
And then it starts to bump up in the form of the taxes.
And then it's just like, whoopsie, you bought three PCs and it starts to get cartoonish.
And then really the highest of escalating stakes, I know your children's name.
I'm really curious, you got to wonder if he hadn't done the right thing and immediately
said, oh, I'm just messing with you.
What that next response would have been?
Because it feels like complaining to AOL or Gmail isn't sufficient at that point.
And I was like, oh, where would that guy have gone?
What journey would he have embarked on if you hadn't immediately done the right thing
and said this was a goof?
He's like booking plane tickets and like 3D printing a pistol.
The guy comes back on the phone.
He's like, what do you know about Kosovo?
And you're like, I'm not.
Don't go there.
He's like, well, I'm going to.
I'm going to.
This didn't happen to me recently, but like the headache.
You're in Kosovo right now.
I'm in Kosovo right now, yeah.
My 3D printer is currently going.
I recently bought a new fly fishing rod.
Took it out for the first time.
It broke fly fishing.
It has a warranty.
No problem.
I messaged them.
I'm like, hey, you know, first day out, this broke.
Well, in a cast, like it wasn't like I banged it on a boat or
something like that.
You were fishing with it.
And they were like, sure.
Like, here's how much we'll charge you to send you a new piece.
And I was like, I don't think so.
Like, this has a warranty against defects.
And this is clearly broke because of a defect.
And they were like, okay, okay, we'll make a, we'll make an exception for you.
We'll send you this for free, but you have to pay shipping.
Also, the shipping is $150.
And I was like to send me like the tiniest little section of a fly rod that weighs literally
like three grams.
And they were like, yeah, sorry, that's what it costs.
And I was like, fuck you.
Where are they shipping it from?
Kosovo.
Oregon.
Portland, Oregon.
No, that's nothing.
Yeah.
So I'm in the, in the, in the, I'm in the, I'm in the digesting phase of this
annoyance as to whether I'd light this company up on Reddit in like slash
R slash fly fishing.
Because there's not a lot of like negative press about this company.
and I feel like it might be my moral responsibility to let people know.
So I'm going to fish that rod again.
And if anything goes wrong with it again, it's full game on.
Do you fish the rod or do you fish the rod manufacturer like this caller did with an email?
Now I'm not saying, do this, Scott.
There's a lot of ways to get satisfaction is what this call taught me.
Totally, totally. I feel like I have a moral obligation, though, to like, if these things are faulty, they're very expensive. So it's like, I feel like I need to let other people know.
How much does a fly fishing rod cost? Ballpark. You don't have to say what you spent, but give me a range. Give me a range. I'll give you the full range. Like, let's say 200 US to 1,200 U.S. Okay. That's real. Yeah, real money. And I, and if a part breaks on it that shouldn't have broken on it due to no action.
that I took, like just using it in its normal, like, in the normal way, I would say that you
ship me a new part.
First day out.
Easy.
Came out of the tube, went on to the river, midcast, it snapped.
Like, I sent them detailed photos of the break, and I was like, and they were like, yeah, sure, yeah, we'll mail you a new one.
Here's how much it's going to cost you.
And I was like, this should be a warranty and I should pay nothing.
And they were like, yeah, okay, we discussed it.
You don't have to pay anything.
but the shipping that should be like $9 is also now $150.
And I was like, you've got to be kidding me.
Anyway, this is a big digression.
We've now spent as much time talking about your fishing rod as we did the call on to the next one.
So back in my early to mid-20s, almost 20 years ago, myself and a group of my friends played on an adult flag football team.
We would play basically every spring and fall, along with a handful of other teams that
would pretty much do the same. Of course, being a group of young, 20-something testosterone-filled males,
mostly single or in non-serious relationships and non-serious about our careers, this became a big
part of our lives and a little more than a hobby. So, of course, we developed rivalries
with several of the other teams, some friendly and some a bit more malicious. For context, it was
eight on eight with offensive and defensive lines. Pretty much full contact except for tackling,
so things would get pretty physical and intense. This was in the MySpace era of the internet,
and Facebook was still pretty young and mostly a college kid thing. There was a website that our
team and a bunch of the other teams used to set up free or paid mini sites for our teams.
It had a fairly large feature set even for the free plan, where you could post photos,
embed videos, rosters, schedules, etc.
It even had comments and a forum system.
C.
It also allowed some light MySpace-esque HTML and CSS
but pretty much locked down, still very customizable.
It was mostly aimed at Little League teams and clubs and such.
Our team and the others, of course,
took great care in our site and used it for things like posting game results
but mostly posting what today would be called memes,
the purpose being to taunt and mock our rivals.
Classic.
You've got to taunt your rivals.
I will say that I like the voice that the AI chose for this one.
It really, really lands for me.
There's a real sense of gravitas to this one.
And for anyone that does know this call, the last one,
and I think one other this episode,
they were text submission.
So you're getting an AI voice.
This guy might have a deep, rumbly, movie trailer voice,
but we just can't know.
I can't know.
Now, to the hack.
So as I mentioned earlier, the site allowed uploading of files such as images and videos and PDFs.
When we uploaded videos or images, I noticed that the URLs that were embedded on the server
were just a plain sub-directory within our site, no CDN or masking or anything.
From there I got an idea.
The site itself was written in ASP, the old-school Microsoft IIS programming scripting language,
Yeah, never had any vulnerabilities either.
J.K.
Obvious from the dot ASPX extension on every URL,
with some query params to show the particular minisite and section.
Every mini-site's URL was effectively the same,
with just some different URL parameters.
I am a software engineer,
and although I didn't know ASP at the time,
I knew what it was, and of course my knowledge is applicable.
I did a little googling on the syntax specifics and threw together a little script,
basically to just grep the contents of the controller file and dump it on the screen.
Still doubtful it would work, I uploaded it to our assets directory and pointed my browser at it.
Boom, it worked.
In front of me, in all its glory, the source code for the controller and
the credentials to access the SQL server where all of the data lived.
I'm in great awe that they allowed you to upload something with an extension .ASP.
There's a different time.
Facebook was still for college kids.
Now it's just for retirees.
Now it's...
How far it's come.
Apparently, they forgot to lock down the types of files that could be uploaded,
or the execution permissions.
Oops.
Now that I had access to the database,
My next step was to write some SQL to get the table structure from the schema.
After that, I was able to see all the different tables.
Most interestingly, the ones that handled the mini-sites and the admin user info.
So naturally, I wrote another script that would take a site ID param
and fetch the login info for the admins of that mini-site.
In keeping with the stringent security practices, it was stored in clear text,
no hashing or anything.
I wish I knew. I have a gut feeling that I know what solution this is. I don't want to say it because I don't want to slander it if it wasn't the one I'm thinking of because I have used the site just like this. But like this is offensive security practices.
Yeah. And I get that it's the management system for an adult flag football team, probably other rec league sport type things. But still.
Come on.
But allowing anybody to upload executable code files, have the server parse them,
and then have the ability to like rip into the database, which would be easy.
Once you have that access and have clear text passwords, shocking.
Yeah, not only we're going to make like improper file upload valid.
You can upload anything.
And then we're just going to run it over here on this server and just sort of hope for the best.
But here's the best part.
like you don't even need the user accounts once you have full access to the database.
It's just going to make things easier for mucking with other people's microsites.
You could still do it through your like uploaded ASP code.
It would just be a little harder than using the interfaces that they've built instead of like
writing your own injections into the SQL and injecting what you want to change.
So the caller so far has used this file upload process to get into the back end of the rec league sport management software.
We don't really know what they've chosen to do with it yet.
Well, they're now getting user account passwords.
Yeah, it's getting there.
In the malicious intent that they're going to muck with the opposing team sites.
Let's hear.
Let's find out together.
Let the fun begin.
Boom.
We now had admin access to any of the teams on the website, including our rivals, persistently, since even if they changed their passwords we could just look it up again. Let the fun begin. I showed one of my more creative and mischievous friends, and together we began epically mind-fucking the other teams.
Wow, the AI voice really stuck the landing on that one.
Mind-fucking the other teams. Like, whoa, dude. Let's go, AI.
We started small at first, changing names and small details that were barely noticeable just to mess with them.
Of course, that escalated into Photoshopped versions of pics, deleting content, and creating new and embarrassing content that they would never post on their own.
Despite them feverishly changing their passwords, the attacks, of course, persisted.
Some teams even deleted their sites.
This went on for at least several months.
Finally, we received angry emails which included threats of legal action from the site's administrators,
which we of course denied vehemently.
Our site was also deleted and our access revoked.
We then decided we'd had our fun, and the Internet was shifting to other services, on mobile and etc.
So the value sort of diminished and we decided to call it quits.
I would say we also matured a bit, but I still don't think that's true. Of course nothing ever came of the legal threats. Last I checked, they're
still operating. And some of the URLs still have that old dot ASP extension, so I wonder if
the hole was ever patched. Oh well. So that's my story. Hopefully you guys enjoyed it, and I'm
hoping it gets picked for the podcast. Love your show. Thanks for everything.
That is great. Yeah. I love that one. I also, AI really landed it for me.
Both voice and an emphasis.
But that's like to me just shocking.
And it's like to get, I imagine if you're the company that's running it and you're sending out the like angry emails,
you're like also feel like you're an idiot because all of those things would be so easily preventable.
It's like you're accepting guilt in it by being like stop doing this.
But it should never have let it do it.
It's the crazy part.
Anyway.
It makes me think that it was a vulnerability that they maybe knew about and were letting
persist for some reason in a spirit of like, well, this makes it easier to do X, Y,
and Z as long as no one figures out ABC.
Maybe.
Like, I'm just trying to think of why you would just even allow that.
I can't see what the upside is.
When it started, I thought it was going to go like a cross-site scripting JS thing.
Like, I thought it was going to be a little bit more technical.
but just being able to go like file, upload, upload new, like server executable, upload, open executable, it's executed on the server with full server permissions.
And database connections, which is crazy.
Shocking.
Shockingly bad security development security practices.
Shocked that the company is still around, honestly.
That could be enough to bring something down.
privacy violations, things like that.
I've been reading up on, this will be in an upcoming episode,
I've been reading up on a large hack of a very popular forum that a lot of people use.
And the amount of steps that had to be taken in 2025 to take that site down as compared to taking this down in, you know,
2005 or whenever this was, I guess almost 20 years ago.
Yeah, 2005, same as the first call.
It's pretty baffling.
But the thing I want to zoom in on is, so we got a lot of context for this sort of mid-20s,
a lot of single guy testosterone-filled flag football league.
We got a pretty good breakdown of how they got into the system.
And then I noticed that the, I noticed that the caller sort of mose over what they did
with this access a little bit.
They made reference to epically mind-fucking the other teams.
changing some small details.
But the thing that I'm...
That's the thing I want to resume
just right ahead in on
is escalated into
Photoshopped versions of pics
and creating new and embarrassing content.
I'm going to want to...
So some other calls have sent receipts.
I'm going to want to go ahead
and see some of those Photoshopped images.
You might not want to,
given the fact that's true.
Testosterone-filled young flag football players.
In 2005, none of those...
They're probably very inappropriate.
Not good.
Not good is what I'm getting at.
A little funny, given the context, but probably not great.
Yeah.
The Wild West, the fact that he said that the service still exists and it still has ASP extensions is also shocking.
I don't even think Microsoft supports IIS anymore.
So that means you're like running some antiquated server environment that's probably its own security vulnerability.
So it's like, I don't know, wild to me.
It also reveals how much, now that I think about it, how much easier psychological warfare to borrow the caller's phrase has gotten in the intervening decades.
That you would need to have hacked this system to change the photo on the opposing team's page, versus in the intervening years it just became like, oh, you just upload the, like, Photoshopped image to Facebook or MySpace, and it doesn't matter whose page it's on,
it'll still cook around and do all the damage it needs to. I guess we're treading out of
psychological warfare and getting into cyberbullying at that point, but it is interesting
just how well-suited some of those platforms are for this kind of stuff.
I just looked it up, and it turns out that IIS still is supported. I don't know anybody that's still
uses it.
Unpack that for me.
Internet information services was Microsoft's
like web server
that used to run on Microsoft servers,
which is what this was running.
ASP was a
IIS programming language or like
an executable extension.
I have not heard
or seen an IIS server
as a web server
in forever. I know they were
part of the additional SharePoint things
and things like that, but I did not know that
was still actually supported. So they've end-of-lifed a few versions of it in
2023, but they're still supporting IIS 10 until 2029, which is, to me, shocking.
I would have assumed it had exited from stage left and was no longer here. I just have
never seen it in so long. So. So I feel like we learned quite a bit there. Validate file
uploads. Don't store user
credential. I'm listing now. I need
fingers to count. Don't store user
credentials in plain text.
Server side code
should not be accessible to users.
Yeah, yeah. The big one here is just
allowing people to put anything on the server is
always a security vulnerability.
Yeah. And if
they can put up
code that the server will
interpret, it is a massive
security vulnerability. So, you
Even just like a great way to get around something like this would be like, if you could upload a file, say you could upload text files.
You could put a bunch of like code in a text file uploaded.
And then if there was some way that you could force that text file to be either processed as like server side code or like rename the extension on it, like there's a bunch of ways that you could try and maneuver around simply an extension blocker on the upload, which is like the most basic security layer for it.
But yeah.
Those seem like solved problems in the intervening years, I would say.
It's hugely solved problems.
Yeah.
Okay.
Hi.
My name is Nicola and this is the story of how I became the most famous hacker at school for one day.
Another nailed AI voice here.
I know.
Yeah.
Yeah.
I yelled it.
British this time.
Yeah.
The story begins at home where my older brother who was studying computer science
introduced us to the NetSend protocol on Windows XP.
Even our minds.
used NetSend to call my brother downstairs for dinner.
I found it fascinating that you could just make something pop up
on someone else's screen with NetSend.
So one day, while we were in the computer lab,
I thought,
let's scare everyone a little?
I typed, NetSend.
You guys suck and hit Enter.
But nothing happened.
As far as I understood,
the PCs in that classroom were already updated
to Windows XP Service Pack 2, which had disabled the Netsend function by default.
A few minutes later, the school principal stormed into the room with our most senior IT
teacher demanding, who is hacking the school network?
The computers in the lab had been used recently, so they could trace the message back to a
specific IP address, but they thought it came from a computer that wasn't even in use at
the time.
I didn't realise they were talking about me.
After all, I wasn't hacking.
Then our teacher asked what had happened and the principal explained.
Apparently, the principal and everyone in administration, who still had older computers, received the message.
When he repeated what the message said, I sheepishly raised my hand and said,
Shabusa, that was me.
Of course, I was immediately taken to the principal's office.
There was serious talk of involving the police since I had hacked the school network.
Our senior IT teacher had apparently never even heard of NetSend,
so I tried to explain what I'd done: that it wasn't hacking,
just a silly message sent in the wrong way.
The principal said, well then, show me.
If it's not hacking, do it here on my computer.
So I sat at his computer and typed net send sorry.
Behind me I saw the IT teacher slowly sinking into his chair,
embarrassed he hadn't known about it.
The conversation continued, and suddenly the principal's phone started ringing non-stop.
It turns out he had two network cards in his computer.
One connected to the school network and the other to a shared provincial network linking all schools in the region.
You can probably guess what happened next.
I kept apologising, maybe sneaked in a nervous smile or two.
Meanwhile, it was break time.
One of my classmates told everyone what had happened
and in five minutes I went from being a total nobody
to the guy who hacked the province.
Almost every student in school heard the story.
The principal couldn't just let it go.
He feared people would think this kind of thing was okay.
So I got suspended for one day.
Even though the school board admitted I hadn't actually done anything wrong
they said it had to serve as a warning to others.
Maybe this isn't your typical tech story,
but I still think it's a funny moment
that shows how we grew up in a world
where even the teachers who were supposed to teach us about tech
often didn't know much at all.
So, yeah, keep doing what you're doing.
I really like the podcast.
Bye.
Thanks.
Okay, for anyone that doesn't know,
Net send.
Net send.
A command line tool that lets you send messages to other computers on a network.
Correct.
It's in the Windows like Microsoft world.
Similar to like there's a bunch of Unix tools that do something similar,
but they're typically on the same computer.
So like write or wall, which means write all.
You can use it to like broadcast messages to everybody that's logged into a server,
essentially like a Unix server.
but Netsend like kind of ripples it
through the entire network.
That is the most hilarious part of this story for me.
Like the whole thing about the teachers teaching us tech
that don't know as much as the students
completely resonates with me
because that was most of my high school
computer classes.
I think they were called computer.
I can't remember what they called them,
but they were like BS as far as like
actual technical knowledge went.
but the principal being on the provincial network
and broadcasting a message through the entire
like provincial jurisdiction.
I'm assuming this person's from Canada
because they said provincial.
It could be Europe if the AI voice is any occasion,
though I did pick the AI voice so that's not.
But yes, provincial, totally.
But that to me is the funniest part.
It's just like these basics.
So this is like comes from the era of like network
computing, Unix computing, where like, people were kind of like only nerds were on it.
They knew what was going on.
They built all these commands that let them do things to talk to each other and send
things between each other.
And then all of a sudden, like as PCs kind of blew up through the world, like she's
talking about Windows XP.
So this is what, like 1997?
Yeah, somewhere in the late 90s early because Vista was 2000.
Yeah, I'm looking at Service Pack 2 release date was 2000.
So I'm way off.
Vista was 2007.
Yeah, so Service Pack 2 came out August 25, 2004.
So this was like early 2000s.
PCs were still kind of like showing up out of nowhere.
And they had all these like technical tools in the back end that like people were still
figuring out how to use like the start bar.
And there's like this entire command line interface in the back end for nerds to use.
I also quite telling that like their home life used this command to like, hey,
everybody dinner's ready.
Like the entire household is on computers.
The whole story to me is in that one line of like, oh, got it.
This was what home looked like.
And then you come into school and you enter into an ecosystem where the like level of
tech literacy is just really, really different.
Yeah, it's non-existent.
Exactly.
Your story speaks to me as that's how I grew up as well.
In a similar era even where I'd go to my computing classes in high school and it was like
the teacher had no clue really what was going on.
And I was leveraging, you know, network utilities to muck with other people in the class and things like that.
And this is how I grew up as like a preteen.
There's also an administrative error here that I think goes beyond tech literacy and gets into common sense.
So you have a kid who does something and it is unclear to you whether or not it's hacking,
but it sure smells like hacking.
So your response is to bring them into your office, sit them down at your computer,
and to say, do the thing that I think is hacking.
I was like, you don't need to know much about computers to be able to intuit.
That's not a great idea.
Like you don't need to have known where this was going to go to know that, like, you know what?
Maybe we use a computer that isn't connected to a bunch of other computers and isn't on the network.
And maybe it's not my computer personally.
I would have thought you would have pieced that together
even if you didn't really understand what was happening here
but I guess I was wrong.
But like that, I remember that era briefly.
Like, let's say that principal's 50, 50 something.
They've seen personal computers for like,
since they were 30 something, 40 something.
Like their tech literacy, like, you know, in my career,
I've worked with executives.
Like I was the chief information officer for a company.
and the CFO would get their emails printed by their executive assistant.
Sure.
And that's in my lifetime.
People that are in these positions, the tech literacy was so low that they would depend on other people to like, they would hire an entire person who would just be their conduit to technology.
Yeah, sure.
It's like shocking to me.
But at the same time, it makes sense because their valuable skills lie in other things.
Yeah.
No, that makes sense to me.
It's, there's generational stuff, where what age were you, but even that seems less relevant to: are you interested in it? Yeah, like, do you have any interest whatsoever in nerd shit, or do you not? And do you need to? Because if you don't have it and you don't need to, you're probably not gonna. And in this case, it has been revealed that they kind of maybe needed to. Also, I'm wondering how badass this person's reputation was after this.
Because now the story to the rest of the student body is, did you hear about the kid
that hacked the school network and sent out that message?
I heard they hacked the entire province when the principal let them into the room.
It's like, oh, you got a legendary reputation now probably in that school after that.
Absolutely.
The one thing I will say, too, is that speaking from experience,
coming from a provincial school system,
I can tell you that when I was a high school student,
the IT security structures set up to protect and safeguard the networks
were very low and very easily bypassed.
And essentially, if you had a physical connection to the network,
you had the ability to traverse away
throughout the entire province's network.
And even onto some other provinces' networks.
Net send it up, why don't you?
Maybe even more.
Maybe even more.
I'm sensing that, yeah.
Yeah, great, great story.
I would love to know just like about the family.
Like clearly if the household was that technically savvy,
I would assume everybody from that household,
including the parents were in technical roles,
adopted technology,
and the kids have probably gone on to lead quite technically sophisticated lives.
I wonder if when they got home, I'm thinking of the circuit of getting in trouble at school and then going home and then your parent knows about it and you have to have the conversation.
I wonder if the, so here's what actually happened at school today conversation.
Itself occurred over Net Send.
Clack, clack, clack, dear mom, here's what went down.
Yeah, I got in trouble today and taken to the principal's office.
They didn't know what Net Send was.
Then they made me do a Net Send message on a computer that was networked to the entire province.
You will probably hear about it today.
They were very, very, very mad.
What's for dinner?
It will be in the news.
It will be in the news.
I am a legend.
Can I go to all the parties I've been invited to this weekend as I am now the coolest kid in school?
I'm now the coolest kid amongst.
The least cool kids.
Enter.
A position in life I know well.
Good place to be.
Good place to be.
The,
I think that's really,
yeah,
I don't know,
funny.
I'm just thinking about like if my kid,
if I was the parent,
my kid came home and was like,
I got in trouble today.
I think you'd be a little mad
about like the content of the message.
Like you should be like,
you should have more respect for people.
Like I get them to do it's done in jest.
Less than there.
Yeah.
But like on the technical,
sophistication side of it. It's like, I'm not really that mad at you, but like, now you know
that like your actions have consequences and remember that in the future. I think we should move on,
but I do think sometimes in looking back on my childhood, that it must have been challenging,
for my parents and a lot of them, to be in a situation where you're like, intellectually,
this kid is in trouble. They did a thing that they
shouldn't do and I'm upset. I do need to conceal the fact that this is quite funny.
And I know I personally have a problem concealing when I find something funny.
The funny response comes out before the moral response sometimes and it's a thing I'm working on.
But I could see that being extra tough with a kid where they tell you, you're like, so I said you all suck on Net Send and sent it to the whole school.
I would have to like suppress some kind of response.
to be like, you shouldn't have done that.
Just laughing.
Just laughing.
Because I feel like I kind of remember some of those like that.
You shouldn't have done that.
I fully find your prank hilarious.
Yeah.
But also as your moral guidance.
Yeah.
Don't do that again.
Please don't do that again.
Unless you're sure you won't get, unless you're sure you'll get away with it.
All right.
Yeah.
As a follow up to it.
I'm going to teach you how to obfuscate your IP address,
so it looks like it's coming from somebody else.
We're going to get you a VPN, kid.
Well, yeah, they don't think they really had them that much back then.
No, I don't think they did either.
Okay, I feel like we should probably tell the folks
who this podcast is brought to them by.
That seems like something we should do.
Seems like it.
Let's talk about push security and the stuff that they do.
Let's talk about identity attacks, phishing,
credential stuffing, session hijacking, account takeovers.
You know, one of the biggest causes of breaches these days
that most security tools are still focused on endpoints, networks,
infrastructure, old school stuff,
where meanwhile, all of our activity seems to be shifting
into browser and browser adjacent applications,
and that's where push finds themselves.
They have built this lightweight browser extension
that observes that identity activity in real time,
gives you visibility into how identities are being used
across your whole organization.
Like when logins skip multifactor authentication, when passwords are reused, or when someone
unknowingly enters credentials into a spoofed login page, and then when something risky is
detected, push can enforce protections right there, all in the browser, no waiting, no tickets.
It's visibility and control directly at that identity layer where it's all going down.
And it's not just prevention.
They're also monitoring for things.
Like they are constantly expanding their research pool.
The company has a research department.
They are the ones finding new vulnerabilities.
As ex-red teamers, they're the best equipped to do that,
and they're identifying potential vulnerabilities,
working with people to get them solved,
and then implementing the monitoring and prevention of those
right into their system in real time, which is amazing.
It's kind of like endpoint detection response,
but all right there in the browser.
And the team behind it, as we've said before,
we've had them on, they're offensive security pros.
They publish some of the most interesting identity attack
research you're going to find out there.
Like the software-as-a-service attack matrix, which breaks down exactly how these kinds of threats
bypass traditional controls.
Identity is the new endpoint and Push is treating it that way.
Yes.
Check them out.
Pushsecurity.com.
And if you haven't yet, go listen to the episode that we have with their CEO, Adam.
It's still, honestly, it wasn't paid content, but it's one of my favorite episodes that
we've made this year.
Pushsecurity.com.
So this next story.
Yeah.
came in quite a long audio file.
A lot.
It would have been a ton of editing for us
because there's a lot of specific names
and companies and situations
and potential headaches.
So instead of us editing it out
we're just going to talk through it.
Yeah, I think it's going to be a lot easier
than shopping out the names of the stores
and the subcontractors and all the things
we would need to chop out.
This is a call from a listener of the show that we really appreciate them taking the time to send us this.
We're going to call them Drozy.
Drozy.
So the big thing here is this is the first for Hotline Hacked, is that we're actually going to just kind of wing this one, as if we're telling the story.
Yeah, full disclosure, we listened through, I think I can say this.
We just listened through the entire call and gradually came to the conclusion in listening that we're going to want to go ahead and summarize this call for reasons that we'll become apparent.
The caller
The caller bitten by the caller
A first and foremost
starts with a lovely
Yeah, thank you.
Lovely remarks about the podcast and us
So thank you so much for that.
Truly.
We're going to the
They're bit by the curiosity bug,
a little bit of a hacker,
work at a security consulting company.
Security consulting company gains
a massive contract
with a big
retail chain.
Anonymous retail chain.
Yeah, but what you need to know is that it's a retail chain.
There's people going into stores and making purchases is pretty essential to this story.
So part of their role is they're helping modernize the technical command centers for each of these stores, of which there are thousands of.
So they're in the systems, in the things.
They have access to all of the video footage, all of the
the point of sale systems, everything.
And what they realize is that this retail chain has a system that monitors self-checkouts from above to verify that the transaction is accurate.
So it's identifying products being purchased, making sure that things aren't bypassing the point of sale,
validating that things are appropriately priced.
So it's kind of like I'm not assuming it's an AI system that's kind of like,
looking at what the transaction is and probably assigning it like a score.
The higher the score is, the more likely that the transaction is authentic and the lower the
score, and then it triggers systems internally.
So the caller is in this software, which again, as you said, Scott, it is pairing
transaction data with video footage of the points of sale.
They go into the transactions tab of the software in this sort.
of surveillance software, and they start digging around in like the advanced search panel looking
at different transaction amounts, receipt numbers. And out of curiosity, they do a little search
for transactions over $5,000. And they make this discovery of dozens of high value purchases,
some going up to like 15,000 bucks that are all paid entirely with digital gift cards.
All of these transactions were linked to the same woman. And the caller,
is able to watch the video surveillance footage of this person using their phone over a period of like an hour,
just scanning digital gift card after digital gift card after digital gift card until they're able to build up the amount of money
at which point they do the transaction and leave. This is obviously quite sketchy.
It sounded like from the caller's description that the person, the perpetrator of the
potential fraud, alleged fraud, would scan 150, $100 digital gift cards on their cell phone.
And it would take one hour or more for this transaction to complete.
They would buy highly resellable items like new iPhones, you know, high value tech goods.
So that, you know, clearly, like if you were in the market of taking illegal gift cards and flipping them into products to resell.
how you'd move them.
This is the things you would buy.
So anyway, this caller, who's this tech professional working on this contract for this company,
realizes that they've stumbled on to what is probably mass fraud.
There's loads of transactions all linked to the same person in the video footage.
And they're like, what do I do about this?
If I go, come forward with it being like, hey, I,
found something, I'm essentially ratting myself out for violating the privacy and the access
that we've been granted to do our jobs because I'm not supposed to be in this system.
But if I don't do it, then this fraud continues to roll on and on.
Caught in a moral quandary.
Yeah, rock and a hard place, I think was the term that they used on the call.
Yeah.
And this is not a single event either.
This person goes through and they're able to find patterns of these kinds of large multi-gift card purchases occurring over a period of months.
This is a pattern.
And the theory, as you said, and they bring up is that this is probably a mule working for a larger fraud network.
And then being stuck in this tricky situation of going, well, for a bunch of reasons that the caller outlines, if I go forward with this and review,
that I have seen this stuff, I'm revealing certain behaviors that will probably get me fired.
And yet, I seem to have stumbled upon a large fraud ring.
And I have video evidence of it.
Yeah.
Quite a, quite a prickly situation.
Old Drozy's found themselves in.
So that's, I think, the long and short story.
So now we can talk about it.
Yeah.
So actually, there was one other thing that I want to mention, because this is something that
like I myself find myself doing is they, when they started at this consulting firm that got this
contract, they also got in trouble because they were kind of meandering around the network
looking at shared file drives and things like that. And it turns out that they found the entire
HR folder completely unsecured on the network. And they like alerted their, they did the right
thing, it sounds like, they alerted their boss and was like, hey, like I shouldn't have access to this.
I can see compensation and internal employer reviews and bonus payouts and all the rest of this stuff.
You should not be sharing this with me.
And they were like, yeah, yeah, yeah, you shouldn't be looking at that.
Don't look at that anymore instead of fixing the security problem that allows them to.
But I, myself, am guilty of this.
Like when I get thrown onto it, when I jump onto a new network, often I just take a little peek around.
And it's, it's not a little digging.
Yeah, I do a little.
It's not even, it's not even digging.
It's like, you'll just like pull the, pull the yarn.
And it's like, out of the earth where it was previously using, I don't know, a shovel.
But like to me, if it's visible to the network and you've been given access to the network,
there might be stuff that you need to know in those places.
So I always like get a little lay of the land.
You know, it's like a little Google Maps thing to like, you know, check out the place.
that I'm going on vacation.
And it's like if I'm,
if I've been pulled into a new network
and there's a bunch of resources
that have been given to me,
occasionally I'll look at those resources.
And sometimes those resources
probably shouldn't be on the general public.
So it's like, yeah,
I feel for you on that one.
Yeah.
The, um,
without explicitly saying what it is,
or even whether or not it was,
it was sent.
This is the kind of story that,
um,
has implications where you would want to see receipts.
You would want to see some sort of evidence that this occurred before you would talk about it in a public forum like a podcast.
And I'll just leave it at that.
Yeah.
We'll just leave it there.
We'll just sort of leave that there.
And you can intuit what you will.
Yeah, this is pretty, there's a lot of questions this raises, which is, so assuming that on the back end,
of this, assuming the caller's theory is correct, that this was, what they had spotted was the final
stage of a much larger operation that resulted in acquiring a whole, whole, whole bunch of gift cards
and that the way that they were laundering those gift cards was by sending a mule in to go
make purchases. I'm curious where the gift cards came from. Yeah, same. I would, if I had to
render a guess, it's probably from all of the online
and phone, telephone fraud that is currently going on in the world.
It seems like a good guess.
It seems like a really good guess.
Like when you defraud somebody,
like how many of those like online scam baiters?
Yeah.
How many of those videos have I watched
where the payout is always a gift card?
Google something else.
I would assume that this large retailer is the target of one of those
because one of these organized crime rings,
which is really what they are,
has figured out that they can convert retail chain gift cards into high value goods,
flip those goods at a 10% loss probably, which is a pretty good reduction.
Like laundering money probably costs more than 10% anyway.
So that seems like a great one.
And I bet the reason why they do it in low gift card amounts, hundreds,
is either A, they can't buy larger ones.
That's my guess.
or B, they fly under the radar.
Like if you buy a $10,000 gift card, it's like, okay, like what's going on here?
Sure.
I would bet if I had to guess it's the former.
I would guess that at a certain point, it's that a large retailer like this just says,
we're not going to sell $500 gift cards because we have literally created a currency for money laundering and fraud.
And that already exists.
Yeah, iTunes store, App Store.
Bitcoin.
Yeah, Tether.
Tether.
Those already exist and we don't need to be in that industry.
So I would imagine at a certain point, it's just here's 35 instances of a $100 gift card to this major retailer.
We will accept these seven different products that we have deemed as having the best, the least depreciation the second you drive it off the lot.
we'll pay you this fixed amount of money to go do it, letter rep.
And this person is just driving around what area they're in making those purchases with these gift cards.
And the only record of it is this sort of pairing of transaction data and video surveillance,
showing them coming into the store and just sitting down for an hour scanning gift cards.
So here's the next moral dilemma.
You know, obviously the caller faces the moral dilemma.
But you're the retailer.
And you're now doing an extra million dollars in revenue per year from these mules.
Do you care?
Yeah.
Is it your place?
Is it your place to try and stop it?
Because they're just going to change to a different conversion path.
Totally.
They'll go from your gift cards to some other company's gift cards and do the same thing.
So it's like, what is the...
Stopping.
Yeah, what are you stopping?
And is it your moral responsibility to stop it?
My question would be, does the retailer know?
And do they care?
Technically, it's revenue for them.
Looks good to their shareholders.
They sold a PS5.
Yeah, they sell an absorbent amount of iPhones and PlayStations.
And whether those end up on like Craigslist or Kijiji moments later, Facebook marketplace, they don't care.
Interesting.
That was a fascinating one.
Yeah, the caller estimated that they'd seen approximately 4.5 million in transactions,
which is substantial.
It's shocking.
Yeah.
Yeah, thank you for sending that one in.
We really appreciate it.
Yeah, and I think that's another episode of Hotline Hacked, brought to you by.
Push Security.
If you want to share your story with us, go over to hotlinehacked.com.
It's got the email that you can send it to.
There's a specific hotline hacked email.
there's a phone number if you want to call in.
If you've already shared a story,
know that we've probably gotten it.
We're just working through them.
Yeah, there's a few hundred in the mailbox.
There are.
But we always want more.
So please share your story.
Get at us at hotlinehacked.com.
I think that's another one in the bucket.
All right.
Well, thanks for listening,
and we'll catch you all next time.
Cheers.