Beau Friedlander:
So Adam, this week there’s been a lot of news and whenever there’s a heavy news cycle on a specific topic, it is ripe territory for scammers. And I got a smishing attack, which is an SMS, a text-based attempt to get me to hand over some money in this case. And what they said was a bunch of people had been tossed in jail somewhere in the Midwest, I actually don’t remember where. And I needed to send 10 bucks and I have no idea how many people got that text but I also know it wasn’t a real request because I’m not on any list like that. How common are these kinds of approaches? It’s basically social engineering, right?
Explain social engineering for anybody who might not know what it is.
Adam Levin:
Social engineering is when someone is trying to get you to do something by making you believe that you either know of them, know them or view them as an authority figure or an organization to which you have to answer, like the Internal Revenue Service, your financial institution, healthcare providers, and social engineering is particularly effective when we have events in the news that interest people, that everyone expects that someone’s going to respond. If they get some kind of communication, another-
Beau Friedlander:
That need help. Here’s-
Adam Levin:
Yeah, well, that used to be known as the 419 scam, that would usually come in the form of an email where you would get an email from a friend or family member saying they had been traveling, generally in Europe. That they had lost their backpack, which contained their wallet and other identifying materials and “I have no money, I have no identification. Can you please wire some money to Western Union so I can get it and actually live a life and maybe even get out of wherever I am.”
Beau Friedlander:
You probably also heard the story. I mean, this is politics agnostic, this is social issues agnostic. This is “I want to get you to do something and I think I know how” right? It’s Three-card Monte but it’s a different approach.
Adam Levin:
I’m Adam Levin, founder of CyberScout, former director of the New Jersey Division of Consumer Affairs, author of Swiped.
Beau Friedlander:
Now, I’m Beau Friedlander. I write about cybersecurity.
Travis Taylor:
Hi. I’m Travis Taylor, resident Tech guy.
Adam Levin:
And we’re all here. And this is What The Hack.
Adam Levin:
So many of the scams are… It’s like traditional scams but dressed up to look differently based on whatever the issue is at the moment, whether it’s economic, health, political, a disaster somewhere in the world where there’s charitable fundraising, hackers will gravitate to whatever the issue is and they will find ways to try to lure you in and get you to click on a link, open an attachment, respond to a text.
Beau Friedlander:
So, yeah. And Adam, a text is really a common way for people to get caught. Email, text, message on social media. There’s a few ways but all of those ways involve scaring the person who’s receiving it.
Adam Levin:
No, it’s all designed to get someone to respond to something that sounds incredibly urgent using an emotional tug. And that’s really social engineering.
Beau Friedlander:
100%, I in fact… that nails it.
Adam Levin:
And that takes us to today’s guest. And this is quite a story and it’s a story that is happening to so many people on a daily basis. So, without any further ado, let’s bring on our guest.
Beau Friedlander:
Welcome Jake. Full disclosure, I know Jake. He actually lives maybe, five blocks from me.
Jake:
Hey guys, thanks for having me. I’m calling in from Brooklyn and I work in media as a journalist.
Adam Levin:
So is this broadcast media? Online media? Radio? What?
Jake:
I do a longform video journalism.
Beau Friedlander:
So… you travel for that or do you just use it local stuff?
Jake:
Yeah, I’ve done a couple of shoots recently in the South of the US. I did just get back from the Mideast where I spent a couple of weeks in Baghdad and Tehran.
Adam Levin:
What did you do there?
Jake:
I was working on a story about the assassination of General Soleimani and the foreign policy blunder fallout from the invasion of Iraq.
Adam Levin:
Basically a sort of a happy story, right?
Jake:
Very light stuff.
Adam Levin:
I focus on light fluff pieces, right? Is that…
Jake:
Yeah. I will say that I found the Iraqis to be extremely light and fluffy and bellies full of rice and masghouf and always a huge smile on their face.
Adam Levin:
So while you were there, did anything happen that surprised you at all? Did you learn something that was surprising when you were there?
Jake:
Well, this is not what I called in today to talk about, but I definitely was hacked by the Iranians several times over to the point where I walked into my hotel room and another producer I was with said, “You know, just assume that you were put in this hotel room for a reason, there are going to be cameras and listening devices in there. So don’t say anything you shouldn’t say,” and there were certain times that our phones worked better than others and there were certain times that we would get on Signal and say, “Let’s meet at this place” and no intelligence agencies would show up, but if we’d get on WhatsApp and say, “let’s meet at that place,” there would be three Iranian Intelligence Agencies trailing us to the spot.
Beau Friedlander:
Did you love the border? How was the border experience for you? I know the answer to this.
Jake:
Oh God. I spent seven hours trapped between Iran and Iraq with both countries fighting over who wanted us less. We had our exit visas from Iran, trying to get into Iraq and a general in Baghdad called the border and said, “we don’t want Americans in, make them sleep overnight” and luckily we ended up getting to a General that was higher than this General. And he did us a favor and got us in, seven hours after.
Adam Levin:
Did you stay at a nice hotel while you were there, at least?
Jake:
We stayed at the nicest hotel in Baghdad, which is quite a trip because people staying at the nicest hotel in Baghdad, are not the most upstanding citizens in the world, if you can imagine. It’s surrounded by gunrunners and intelligence officials and weapons, arms dealers, it’s quite a trip.
Adam Levin:
So, like your typical American country club then, right?
Jake:
Yeah. It was like a holiday in Marfa, Texas.
Beau Friedlander:
John Wick in real life too and hackers, there had to be hackers there too.
Beau Friedlander:
Have you been hacked? We’d love to hear your story. Give us a call at 623-252-1828 or email stories@whatthehackpod.com.
Adam Levin:
Listen Jake, as cool as this story is, and it’s very, very cool. You’re not here to talk about that. Actually, you’ve had an interesting situation that we’d like to hear about.
Jake:
Well, yeah. I got an email and I think it had been sitting in my spam folder. I went in to look at it and I noticed the subject was this password that I’ve been using for a decade, just some variation of this password, which is a French word. So it stood out to me, immediately. And so I opened up the email and I mean, I’ve got the email here. I can read it or I can just go back to it.
Beau Friedlander:
Please read it.
Jake:
Okay. Yeah, it said “I know this word” I’m not going to tell what my password is because I still use it, which is kind of stupid.
Jake:
“I know this word is one of your passwords on the day of this hack, let’s get directly to the point. Not one person has paid me to check about you. You do not know me and you’re probably thinking, why are you getting this email? In fact, I placed the Malware on the adult videos, adult porn website, and you know what? You visited this site to experience fun. You know what I mean. When you were viewing videos, your browsers started out operating as a RDP, having a keylogger, which provided me with accessibility to your display and webcam. Immediately after that, my Malware obtained every one of your contacts from Messenger, Facebook, and email. After that, I created a double screen video. The first part show what you are viewing (you have nice taste, oh my God) and the second part displays the recording of your camera and it’s you. Best solution would be to pay me $1065. We are going to refer to it, as a donation. In this situation, I most certainly will, without delay, to remove your video”
Jake:
And he gives me his BTC address, tells me to copy and paste it. “You could go on with your life like this never happened. And you will never hear back from me again, make the payment be at Bitcoin. If you do not know how to do this, search how to buy Bitcoin in Google. If you were planning on going to the law, surely this email can not be traced back to me because it’s hacked, too. I’ve taken care of my actions. I’m not looking to ask you for a lot. I simply want to be paid. If I do not receive the Bitcoin, I definitely will send out your video recording, all of your contacts, including friends, families, coworkers, and so on. Nevertheless, if I do get paid, I will destroy the recording immediately. If you need proof reply with “yeah”. Then I will send out your video recording to eight of your friends. This is not a non-negotiable offer. Thus, please don’t waste my time and yours by replying to this message” and that was that.
Adam Levin:
Jake, I have one question for you. I’m very upset about this because how come you got a discount? Because the 15 of these that I’ve received wanted $7,000 or $14,000 and one time I was on a radio show and I was talking to the host and the producer for the show walked in and she said, “Wow, I got five of those myself.” So this is a very, very popular and widespread and, I think, pernicious scam. So, when you got it, when you first opened it, how did you feel?
Jake:
Well, look, I was terrified. I opened it and my immediate thought was, “How do I buy Bitcoin?” And I remember I had like a TenX Wallet from years ago. My immediate thought was like, “Okay, just let this go” but between me and you, Adam, and Beau, you too, I don’t look at a lot of porn. I can probably count on one hand the number of times I’ve looked at porn.
Beau Friedlander:
It would be one hand.
Adam Levin:
I don’t want to ask which hand.
Jake:
Immediately, I got a little bit suspicious but I was also terrified. I called my friend, who’s an attorney. And I said, “What do I do?” I also… I work in news, I run a lot of background checks. So I ran background checks on this email address to see if it would pull up anything. I tried to figure out who was contacting me and I could not. I spent a couple of hours being terrified, thinking that one of the five times that I have looked at porn, it happened to be hacked with my video camera and then, I guess I just kind of decided that I was going to take the chance that they’re going to hopefully not send out this wonderful video that he said he created.
Beau Friedlander:
It wasn’t that bad.
Jake:
You saw it though.
Travis Taylor:
Yeah. It’s like-
Adam Levin:
He sent it to me. I didn’t think it was that bad either, really.
Beau Friedlander:
It’s pretty funny. You looked bored. You actually… You looked bored.
Adam Levin:
You were just scratching your ear. I mean, I don’t know what it has to do with anything.
Beau Friedlander:
Wait. So, didn’t you reach out to me, Jake? As I recall, you told me you got this thing, but it was after the fact and you had already decided fate was going to take you one way or another.
Jake:
I figured, that’s how we were talking about it. Yeah. I had already… even when I told you about it, it had already passed, but it has stuck with me: “Does this video exist? Is it out there?” It’s really strange that he had my password. If my password was like Jake12345, and that’s what was in the subject line… But because it was this French word that I got from a 1960s French new wave film, that you don’t learn in French 101, it’s a strange word, it grabbed my attention. So obviously, there’s some credibility to this hack because he’s got that word, he knew my password.
Adam Levin:
Well, I think one explanation of that also could be, you didn’t happen to use this password on Yahoo. Did you, by any chance?
Jake:
I mean, I haven’t had a Yahoo account since I was 13. So, no. I don’t think so.
Beau Friedlander:
What about Adobe on any Adobe products?
Jake:
Yeah, that’s quite possible. I might have used it for Adobe Creative Cloud.
Beau Friedlander:
All right. So it’s time for you to meet the voice of God. Travis.
Jake:
Well, now I’m scared. Talking to God about my porn problem.
Travis Taylor:
I’m very disappointed in you, young man.
Adam Levin:
And now you can say several Ave Marias and we’ll get you out of here and you’ll be safe.
Jake:
This podcast is redeeming. I feel like I’ve got my path into heaven, I’m absolved of my sins.
Beau Friedlander:
All right. Travis, what do you think happened to this pervert? I mean, Jake.
Travis Taylor:
There was something called Collection #1 that hit the internet, specifically the Dark Web, last year or the year before, that had over 25 billion email password combinations attached to it. So it wasn’t necessarily a breach in and of itself, but it had a whole bunch of passwords from previous breaches. So, that means that, from what Beau and Adam were mentioning, including LinkedIn, Adobe, Dropbox, really you name the data breach, the passwords were incorporated into there. So if that’s a password you’ve used before, if that’s a password that you are still using, there’s a very good chance it would’ve shown up on there.
I’m not sure if you visited the website haveibeenpwned.com but that would actually… If you enter in your email address, it will tell you a list of the number of times that that email address and that password had been breached, which is a great resource. But it’s very likely that if this is not a unique password, and this is something that you’ve used before, that it was part of that collection because that was given out for free and it had hundreds of gigabytes of people’s credentials in there.
Beau Friedlander:
And HaveIBeenPwned also, Jake, will tell you whether your phone number has been involved in a compromise. So you can see if you’re going to get, for instance… you’ve ever gotten one of those texts that say, “Hey, Jake. Your, whatever bank you bank with, has been compromised. You need to click this thing and reset your password”? You’ve gotten those fake texts before?
Jake:
Yes, of course.
Adam Levin:
Or your account has been frozen. Now, of course there’s going to be a new status symbol in the world. And that is when you go to the HaveIBeenPwned site, how many pages are dedicated to you and every breach that you’ve been a part of.
Beau Friedlander:
How many pages about you… Do you know how many pages you have, Adam?
Adam Levin:
I’m not at liberty to say.
Beau Friedlander:
I have a lot of pages.
Adam Levin:
Beau, you have an encyclopedia.
Beau Friedlander:
Yes. I have been involved in many, many data breaches, but I’m happy to say that there was just recently, as in recently being in the last 12 months, a compromise that involved phone numbers that were leaked via Facebook. And it is a good idea to check out HaveIBeenPwned to see if your phone number was part of that. Travis, how many phone numbers were involved in that particular compromise?
Travis Taylor:
It was 500 million records, but I think 2 million phone numbers.
Adam Levin:
No. Actually it was 2.5 million email addresses but the phone numbers-
Travis Taylor:
Oh, that’s it. That’s right.
Adam Levin:
The phone numbers were more ubiquitous and that’s really the thing. So Travis, someone gets your phone number, right? You’re not going to change your phone, people don’t change their phone numbers. So therefore-
Travis Taylor:
Right.
Adam Levin:
What do you suggest?
Travis Taylor:
Don’t trust anyone calling you is the long and the short of it. A lot of mobile devices will have things, tell you that it’s a spam risk or what have you… But if you don’t recognize the phone number, if they’re not in your contacts, be extremely cautious. If you get a text that you don’t recognize, be even more cautious. But yeah, just keep in mind that at this point, your phone number is most likely in the public domain, somewhere. It can be found, it can be traced back to you, and it can be used to hack you.
Adam Levin:
And I have a theory on phone calls and that is, if you don’t pick up but they don’t leave a message, then it’s not real. If they do leave a message, don’t pick up till there is a message and then listen to the message and then whatever information is provided in that message, in particular a phone number to call, don’t call it. Independently verify a) that the organization that sent you, or supposedly left this message for you, really was looking for you. And secondly, independently confirm the phone number to call that organization.
Beau Friedlander:
And another thing, Adam, that I do is when I get one of these phone calls, I’ll just give him dead air. I’ll pick up and listen. The reason I do that is because sometimes they’re just looking to harvest your voice ID. So if you say, “This is Beau Friedlander” I’ll say, “Yes” and then they have my “Yes” for when they want to use my voice verification to get into my bank account.
Adam Levin:
Well, they also use the… That when you dispute a charge on your credit card, for instance, you say, “I never agreed to that” and they go, “Oh yes, you did. Here’s the tape, you said yes” so if for whatever reason you’re compelled to pick up the phone number, either say your name, or just say, “Can I help you?”
Travis Taylor:
That’s the nice way, I go, “Who is this?” But… So, Jake. I know you’re grown enough to know that you’ve probably now pulled up Have I Been Pwned to see what’s what.
Jake:
Oh, you know me well. I looked at it right away and HaveIBeenPwned, I don’t know if it’s an encyclopedia. But I mean, can I call out the companies that have breaches?
Adam Levin:
Why not? They’re public.
Jake:
CafePress, Dailymotion, MyFitnessPal, Ticketfly, Polo, Data Enrichment Exposure from PDL customer, Diet.com. I mean, no offense to Diet.com, Evite, Gawker, Kickstarter, LinkedIn, and Pornhub.com.
Travis Taylor:
I knew Pornhub was coming, I knew it.
Beau Friedlander:
So do you know offhand, if any of those sites that you’ve just rattled off, used the obscure or somewhat obscure French word? [foreign language 00:20:30].
Jake:
Well, I mean, it was my only password for a decade, probably.
Beau Friedlander:
Jake, bad move, man. So what did you do in the… Have you since become Fort Knox, you have two-factor authentication set up on all your devices and all your accounts?
Jake:
Yeah. I do have two-factor now and I’ve started rotating three different passwords, but when I was growing up, in the days of, like, dial-up AOL, the suggestion at school was always to use the same password across all of your accounts so you don’t forget it. So that’s why I had the same password for so long. When I was in college, high school, internet data breaches were not really a prominent or prevalent thing. It wasn’t a new data breach every week coming out to scare us. So it seemed safe at that time, I guess.
Adam Levin:
Well, I think it’s important to understand that we’re now living in a world, and Beau and I love this phrase, but we’re living in a world where breaches have become the third certainty in life, behind death and taxes. And what it’s really about is you have to assume your information is out there and you have to take steps to basically reduce your attackable surface, make it more difficult for someone to try to come after you, make yourself a harder target. One of the ways to do it is, I think, to get a password manager, and because Beau loves you, Beau’s going to get you a password manager to protect you against this. And I suggest this to people. Now, again, the only thing you have to remember with a password manager is the password you use to secure the password manager. Just make sure that password is not easily discoverable or decipherable-
Beau Friedlander:
Or that French word.
Adam Levin:
So listen, before we let you go, Jake. Travis, any thoughts?
Travis Taylor:
I’d say the biggest one is if you’re not using two-factor authentication already, enable that for all of your accounts. That means, even if your password does get compromised, you have one extra little hurdle for a hacker or a scammer to have to jump over in order to be able to get your data or your information, or send you another scary email.
Beau Friedlander:
I would also add that you should probably, Jake, set a PIN code for your SIM card. In your case, given what you do, you should have when you restart your phone, it should prompt you for your password to your phone and then for the SIM code, which is a four digit code. And it just gives you an extra piece of protection because you are in a position to have your phone hijacked to get into your other accounts. And so, you need to be thinking in a priority sort of way. And Adam, do you think he should probably turn his devices off when he’s not using them?
Adam Levin:
I think he should. Well, especially when you’re traveling, be very careful and turn them off. I know it uses a little extra energy and I’ve realized that the Crypto miners will be very depressed, that they can’t get as much as they want out of you. But it’s just very important to really assume the worst because most likely it can happen. Especially with the places you go and the things that you work on, you are a target. I wish I could be more sanguine about that but you are. And I just think it’s very important to protect yourself as best you can.
Jake:
Actually I’d like to throw a question to Travis about these password managers. I’m aware of them. My understanding is just a block that keeps all of your passwords for your different sites, or maybe that’s not-
Travis Taylor:
Sure.
Jake:
what they are. But I’ve been reluctant to use a password manager out of fear that if that password manager is breached, then that seems like very easy access to all of my webs… my logins everywhere. Is there any sort of heightened security that a password manager has, over say my iCloud Keychain or whatever saved in my passwords right now?
Travis Taylor:
Well, any password manager you use is going to still provide better protection than reusing the same password that you’ve had for several years at this point. So, you can only go up, ultimately. As far as that’s concerned, one of the main things too is to never use a free password manager app. So if you’re not paying for the app, you are the product. So if you get a paid password app and then just make sure that you’re using it across all of your accounts and keep an eye on your accounts, just for any kind of suspicious activity, you should have a higher amount of security than you do without it.
Beau Friedlander:
And is it unnecessary with the password managers to change the overall password regularly, as well, if it’s the only place that occurs?
Travis Taylor:
There’s some controversy about that. Microsoft actually just announced this week that they don’t want you to bother changing your passwords consistently, that they say that could lead to more security issues. Just because when people constantly have to be resetting their password, then they need to enter in their… either security questions or what have you. And so there’s a bit of a liability. That being the case, I would still say every six months or so, since this is going to be a skeleton key to all of your accounts, that you’re just being as careful as possible and that you are updating that password, but there’s a lot of different opinions on that one.
Adam Levin:
Okay, this has been awesome. We can’t thank you enough for telling your story and I know it was a little bit painful for you, in terms of what you went through. But again, this was extremely instructive and we really appreciate you spending time with us today and opening yourself up to us talking about this because I know that it is kind of a personal issue.
Jake:
Thank you guys for having me on. I feel more secure now, knowing that password manager is an option and not every day you get to talk to God and be absolved of your porn history. Maybe delete my browsing history and start a new life.
Beau Friedlander:
Go in peace.
Adam Levin:
Go forth, my son. Into the sunshine.
Jake:
Thank you guys.
Beau Friedlander:
Bye Jake.
Adam Levin:
What the Hack is a Loud Tree Media production in partnership with Larj Media. And please hit that subscribe button. For more information, like where to find us on social media, head to adamlevin.com. Thanks so much for listening. We’ll be here next week.