The Daily Decrypt
January 31 - Phantom Hacker Scams, Citibank's Lawsuit, Network Operators' Data Leak - Cyber Security News

Phantom Hacker Scams Targeting Seniors:

  • A troubling increase in ‘Phantom Hacker’ scams is highlighted, focusing on senior citizens facing substantial financial losses. The scam evolves from fake tech support to financial institution impersonation, leading to unauthorized access to victims’ computers and financial exploitation. We discuss protecting yourself and steps to take if targeted.
  • FBI’s IC3 Report

Citibank’s Legal Battle Over Cybersecurity:

  • Citibank faces a lawsuit for inadequate protection against cyber fraud like phishing and SIM swaps. The case underscores the importance of robust cybersecurity in banking and the need for vigilance among consumers.
  • BleepingComputer Article

Data Leak of Network Operators’ Credentials:

  • Resecurity reveals hundreds of network operators’ credentials circulating on the Dark Web, posing a threat of large-scale cyberattacks and espionage. The segment covers the risks involved and measures for safeguarding digital security.
  • Resecurity Article

Tune in for a deep dive into these cybersecurity issues, offering insights, expert advice, and practical tips to keep your digital life secure.

[00:00:00] Narrator: Welcome to the Daily Decrypt, the go-to podcast for all things cybersecurity. Get ready to decrypt the complexities of cyber safety and stay informed. Today is January 31st, 2024, the most important day of your life. Here is your host, Offset Keys.

[00:00:21] offsetkeyz: Good morning, everyone. And welcome back. I received a lot of good feedback on the formatting, making it more accessible to a larger audience. So I’m going to give it another shot today, hopefully a little more cohesive. Today I have three stories for you.

Up first, we’re going to be discussing the phantom hacker scams, which is a new wave of cyber deceptions targeting seniors. We have Citibank and their legal battle, alleged negligence in protecting customers from cyber fraud. And a dark web data leak, targeting specifically network operators, which is who you do not want to have their [00:01:00] data leaked.

So, let’s go ahead and get started. Our first piece of news comes from the FBI’s Internet Crime Complaint Center, discussing a worrying rise in, quote, phantom hacker scams, which particularly target senior citizens. This alarming trend was reported in an article written by the FBI. They reveal a scam that unfolds in several phases, starting with imposters posing as tech support, then as financial institution representatives, and finally as U.S. government officials. It’s a very complex ruse where attackers gain remote access to victims’ computers under the guise of providing technical assistance. So, I don’t know if any of you have ever received a scam call that sounded EXTREMELY realistic, uh, but I have, and they often use multiple parts.

They give you phone numbers to call, they give you websites to go to over the phone. And they sound very official.

So in the first half of 2023 alone, there were about 19,000 complaints filed with the FBI and losses exceeding 542 [00:02:00] million. So it’s not just those numbers that are staggering. It’s the methodical calculated approach of these scammers. They coerce their victims into transferring their life savings to so-called safe accounts, often overseas, leaving the victims financially devastated.

So let me just describe to you the way that these attacks unfold. You receive a call. And like I said, specifically targeting senior citizens. So your grandma receives a call saying, Hey, we have this issue with your banking account. We’re actually closing the bank account, something really official sounding, and we need you to hop on a call with our tech support.

And so maybe they transfer you, maybe they give you a number to call, maybe something else. And they’re like, Hey, great. We’ve been waiting for your call. There’s been an issue with your account. Your entire life savings is at risk. We need you to move it to this account. And so then they talked to a financial advisor, not at their bank. And this advisor was like, yeah, this is official. Like, blah, blah, blah, blah. Okay. So. You’re getting transferred around. Everything sounds great. The person sounds great over the phone, [00:03:00] English speaker, probably better than the tech support you’re going to receive at the bank.

They sound very cohesive and put together and what they’re telling you makes sense. So you do what they ask, you transfer the money and now the attackers have the money. So how can you combat this type of thing? How, what do you talk to your grandparents about? How do you make sure that because everything sounds so official, how do you identify this?

This isn’t a phishing link. There’s not like a, uh, suspicious URL, you know, there’s no real indicators that this could be fake or that this is even real. Like how do you identify this?

Okay. You can’t identify these attacks as they’re happening. I’m just going to go ahead and say that. Maybe you can, maybe you can’t. Plan to not be able to identify these attacks.

So that’s not helpful, right? What can you do? Since you can’t identify these attacks, you cannot receive calls and give any information over any call you’ve received. [00:04:00] So, to help that make sense, if someone calls you and asks for any information, asks you to do anything, if it’s a 10 charge, if they ask for your credit card, anything, do not give it to anyone who calls.

Even if you’re kind of expecting that call. Instead, get the name of their institution, get their name, get whatever you can, hang up the phone. Go to Google, type in that information. Say, for instance, it’s Bank of America. Okay, find bankofamerica.com. Do not click on an advertisement for bankofamerica.com on Google.

It’ll say ad, targeted ad, paid ad, something over the link. When you Google bankofamerica.com, it’s really unfortunate, but I could myself purchase that ad space on Google with a non-Bank of America URL. So, you go to Google, you type in bankofamerica.com, you [00:05:00] scroll down four or five, you find actual bankofamerica.com.

You go there, you find the customer support tab, okay? You find the number listed there, call it. This is going to be inconvenient. You’re going to have to wait on hold. You might have to wait on hold for an hour. So it sounds unnecessary, but trust me, it’s very necessary, especially in this day and age where people can mimic websites, people can mimic voices, people can do anything, you know?

Do not give any information over the phone unless you initiated that call and you trust the number. Okay, that’s the takeaway from this one.

[00:05:39] offsetkeyz: So up next we have Citibank’s legal battle. Basically, Citibank is being sued by the New York Attorney General for failures in defending customers against cyber fraud. Okay. So what does that mean? It’s pretty vague. So the New York Attorney General’s lawsuit against Citibank, detailed in a complaint, accuses the bank of not [00:06:00] adequately safeguarding customers from cyber scams, including phishing and SIM swaps, resulting in a substantial financial loss.

BleepingComputer reports further illuminate the situation, revealing that the lawsuit alleges Citibank exploited regulatory loopholes, denying reimbursement to fraud victims. The AG claims that these actions violated the Electronic Fund and Transfer Act, which mandates reimbursement for unauthorized electronic transactions.

Okay, so, essentially, Citibank received complaints from its customers that their information had been stolen, that their accounts had been hacked into. Now, people assume hacking into means someone did something really fancy with JavaScript, scripting in the back end, ran a password cracker, you know, did some OSINT and did all this stuff.

Um, but hacking is also social engineering. So the previous story, phantom hacker scams, where they just [00:07:00] call you, that’s hacking. So if you get a call from someone exactly the same thing as the previous story and you end up giving away your life savings, this is what we’re talking about.

Letitia James in New York and other attorneys general are starting to crack down on the companies for allowing this type of fraud to happen. We can’t leave this in the consumer’s hands. They’re always going to get got. We have to require major companies to prevent these things from happening. Now, how can companies do that?

Companies need to figure out ways to make sure that this fraudulent activity doesn’t happen. Perhaps anytime someone requests a large transfer, the customer service is required to discuss how fraud occurs, common tactics that are happening right now, and have prompting questions. Like, did somebody from this bank call you and ask you to make this transaction, anything like [00:08:00] that?

The New York Attorney General is suing Citibank for allowing these phishing scams and SIM swapping scams to happen. Okay, so SIM swapping is completely out of the user’s control. It’s essentially when an attacker calls a carrier and they convince the carrier to swap your SIM to their phone using social engineering, answering your personal questions that you’ve indicated on the website.

Like, Verizon is like, what’s your mother’s maiden name? What was the name of your first dog? They go to Google and they figure out those answers. They convince this carrier to swap the SIM. Then they go to your bank, Citibank, and they type in your username and password, which was found on the dark web because you haven’t changed it.

What do they do next? Citibank sends you a text message. In that text message is a code. Unfortunately, that text message did not go to you. It went to the attacker. Now the attacker has access to your Citibank. Doesn’t really sound like Citibank’s problem, right? But we need it to become Citibank’s problem.

It’s necessary for these [00:09:00] enterprises to start taking responsibility of the security. Attackers are going to continue to become more robust and creative, and we need to help individuals secure their presence online.

[00:09:17] offsetkeyz: Our final story is about a dark web data leak where network operators’ credentials were found. So from Resecurity’s latest report, we’re going to explore the disturbing discovery of hundreds of network operators’ credentials circulating on the dark web.

Credentials from major regional internet service registries, which are key to maintaining secure and reliable internet services, are now compromised and available in the shadowy corners of the dark web. The implications of this breach are vast. These credentials, if exploited, could lead to large-scale cyberattacks or espionage activities.

So it’s not just about unauthorized access. It’s the potential for service disruptions, data theft, and other malicious activities that could impact millions of users [00:10:00] worldwide. So what does this mean? Every company, every IT department has what’s called a network operator who’s in charge of maintaining the network.

They likely have advanced permissions to operate within the company. They might have access to everyone else’s password. They might have access to all the hidden gems and jewels of the company that they’d like to keep secret. So these are the credentials you don’t want leaked on the dark web. Hopefully companies have password rotations.

Hopefully they have multi-factor authentication. Hopefully they have even physical secondary authentication, like a USB stick that has to be inserted into a computer before that network operator can log in to their account. So hopefully most of these credentials found are protected by another form of authentication.

But, hey, these attackers, they’re gonna attack. They’re gonna try these credentials, alright? So if you’re a network operator and you know there’s a security flaw, do your due diligence [00:11:00] and run it up the flagpole. Make sure that you are authorized to use two factor authentication. Make sure that you’re authorized to change your password. If you have an admin account, make that password really strong.

Do not use your credentials in other sites when you’re signing up for other accounts. And given that this data leak just happened, go ahead and change your password. Can’t hurt. You do not want to be on the cover of whatever article that caused your company to be breached.

That’s it for the news today. If you didn’t tune into yesterday’s episode, we are hopefully launching a series that will be released on weekends that gives you some creative ideas on ways you can break into the cybersecurity industry. If you’re looking for a career change, or, you know, if you’re looking to move from development or IT into cybersecurity, this should give you some ideas.

So [00:12:00] stay tuned for that.

We’re hoping to release that this weekend. Thanks for listening, and stay safe out there.