CCATP_2024_12_10
In this episode, Adam Engst and I discuss audio gear, online scams, and phishing attempts. We share cautionary tales, highlight copyright infringement scams, and provide practical advice on verifying websites and using AI tools to enhance digital safety.
Automatic Shownotes
Chapters
Long Summary
In this episode of Chit Chat Across the Pond, I engage with Adam Engst, the publisher of TidBITS, to delve into a multitude of topics, ranging from audio equipment woes to the rising tide of online scams. We kick things off by discussing Adam's latest microphone purchase, bringing a lighter touch to our conversation. He elaborates on the trials he faced with prior microphones, including various models like the Blue Yeti and Blue Snowball, and how he finally settled on the Audio-Technica ATR2100 after my recommendation. Our casual banter highlights not only our passion for quality sound but also the technical hurdles Adam encountered along the way.
Transitioning from audio to technology's darker side, we reflect on scams targeting unsuspecting individuals. I share a compelling story about a neighbor who nearly fell victim to a $30,000 fraud, and Adam reveals an alarming email he received from a TidBITS reader. This correspondence illuminated a nuanced scam that led to a thorough examination of the email's legitimacy. We unpack the elements that made the email seem credible and share investigative techniques, emphasizing the critical importance of skepticism when encountering digital correspondence that stirs panic.
A notable case we cover involves a copyright infringement scam targeting someone Adam knows. This individual was approached with a warning about using images without permission, which turned out to be a deceptive maneuver aimed at securing backlinks to a fraudulent site. Adam's investigation into this scam demonstrates the necessity of conducting deeper research, such as checking the sender's details and verifying claims via reliable sources like state bar associations.
We delve into specific instances of elaborate phishing attempts, discussing how these scams prey upon urgency and fear. In one example, a TidBITS reader misinterpreted a legitimate alert from 1Password as a security breach following an encounter with a malicious obituary site. Adam assures listeners that iOS's security measures typically prevent substantial damage from such alerts, instilling confidence in Apple's ability to fend off malware. We emphasize the importance of remaining calm during these encounters and encourage that instinct to investigate further rather than rashly take action.
Towards the end of our discussion, we cover the genealogy of the scam-infested obituary websites, drawing attention to their clever design and the utilized tactics to engage unsuspecting users. Adam explores the nuances of these sites and even logs various pop-up alerts generated when accessed on an iPhone. The conversation pivots to practical advice for identifying legitimate websites and avoiding pitfalls when searching for obituaries.
As we wrap up, we facilitate a broader discussion around safety and the tools available for investigating potential scams. Adam introduces the concept of leveraging AI tools for preliminary checks, suggesting that users can input suspicious content into chatbots for preliminary assessments. This empowering wrap-up emphasizes proactive engagement in digital safety while also stressing kindness and patience when helping others navigate these treacherous waters.
This episode is brimming with insights, not only about the latest in audio technology but also practical wisdom on navigating the increasingly complex landscape of online security threats.
Brief Summary
In this episode, I engage with Adam Engst, publisher of TidBITS, to explore a range of topics, starting with his recent microphone purchase and the audio challenges he faced with previous models. Our conversation shifts to the issue of online scams, where I share a cautionary tale about a neighbor almost falling victim to a significant fraud. Adam discusses a concerning email he received regarding a phishing attempt, illustrating the importance of skepticism. We also delve into a copyright infringement scam targeting someone he knows, emphasizing the need for thorough research to verify claims. Throughout our discussion, we highlight detailed phishing attempts and the tactics used to deceive individuals. We conclude with practical advice on identifying legitimate websites and utilizing AI tools for preliminary scam checks, stressing the importance of proactive engagement and kindness in addressing digital safety.
Tags
Adam Engst
TidBITS
microphone purchase
audio challenges
online scams
phishing attempt
copyright infringement
skepticism
scam checks
digital safety
Transcript
[0:00]Music
[0:07]Well, it's that time of the week. Again, it's time for Chit Chat Across the
[0:13]
Introduction with Adam Engst
[0:10]Pond. This is episode number 803 for December 10th, 2024. And I'm your host, Alison Sheridan. And we're back with Adam Engst of TidBITS. How are you doing today, Adam?
[0:20]Fine, thank you. I've got a new microphone, so we've actually managed to play with something and have it work for once as opposed to all my old microphones, which were bugging the heck out of me.
[0:29]Well, I was going to ask you exactly how much have I cost you so far between buying a new mic, you've got a fancy new boom arm too, because you like to stand?
[0:40]I do. I do like to stand and I like to move. So, we're going to have to see if it actually works. What I need is actually the thing that wraps around my neck and kind of puts the microphone in front of me like that so I can get wild. But I'll try. I'll try to stand still.
[0:56]You're feeling so restrained. Have I made you buy any software?
[0:59]I'm a high-energy person. No, no, I have all the software.
[1:04]Okay, that's good, that's good. Well, yeah, I don't think everybody knows in the background all the different mics that you tried. You had a Blue Snowball?
[1:12]Blue Yeti. I had a Blue Yeti first, and that just broke. Right. And then a Blue Snowball. And I actually have a Blue Snowflake, which was a tiny little snowball. And that didn't work so well. And then on your recommendation, I got this Audio-Technica ATR something rather.
[1:36]ATR 2100 something rather is what I recall.
[1:40]I will say, when they called it a Blue Snowball or a Blue Yeti, you remember what the name is. That's true. If you called it an ATR2100BXTR or something or other, no one remembers it.
[1:50]Well, actually, since that mic has been around for practically ever, so I do remember the name of it because it was one of my first mics and I've recommended it to others. I've still got one of mine, so I brought it in and we did a bunch of experiments. And we decided that that's why we kept going back to the AirPods, though, that the sound wasn't great, but they were reliable. They worked every time, but now you're on a big boy microphone.
[2:17]Yes. And the AirPods did keep working. That was the problem, is that they were continually functional. And I have to say, I've been using the AirPods Pro more and more because of the noise canceling. Okay. I've been to a couple of concerts where they were absolutely essential. And we were in a restaurant in Toronto recently, last weekend, which I have never been in a restaurant that was so loud. I actually took sound readings. Really? I have a decibel meter app on the phone. And it was averaging around 86 and was peaking to over 108, something like that.
[2:57]Was it like metal floors and ceilings or something?
[3:00]It was, I mean, it was very hard surfaces and, you know, it was, it was a very weird kind of building where it was very tall, so like three floors, um, and fairly narrow, and, um, and some big groups, and man, it was just so freaking loud. And Tonya and I both put in their part the AirPods Pro and put them on noise cancelling, some, some level of noise cancelling, and tried
[3:22]
AirPods and Noise Cancellation
[3:20]to hear Tristan across the table. Did you end up doing
[3:22]the, um, transparency mode but with noise cancellation?
[3:26]Um, adaptive, actually. Okay. So, um, in, in what I, what I've sort of realized is, as the, there is the set, you know, the, the interface gives you transparency, adaptive, and noise cancellation, and adaptive then has its own settings separately, quite a ways away, um, in the interface, where you can do less noise, default, or more noise. And what that basically means, what my testing showed me anyway, is that essentially then you get three adaptive settings plus the two. So it's basically five settings for how much noise cancellation you want. And so, yeah, and it made a difference. I mean, like, you know, you could put it on adaptive on more or less noise and really hear the difference in how much was getting through. And so it was kind of brilliant in that regard. What we really wanted, and I could not figure out if such a thing even exists, is wouldn't it be cool if like three people could have AirPods in and just talk.
[4:30]To each other over them? Like make a little loop?
[4:33]Yeah, right. Right. Just like, just in person, like, so everything else is being canceled. Like no other sound is, is, is, is, is getting hit. It may just not work because of you're making your own noise. And so you can kind of hear yourself, but who knows? It just seemed like something that should be possible.
[4:51]Yeah. Don't put it past him. I really wish the AirPods Pro would stay in my ear. They just ooze out fairly quickly. So yeah. Enough to be annoying. Steve's, it's just like, he looks at a pair of head earbuds and they just go boink and pop out of his ears, you know? None of them fit in them well.
[5:07]And the, yeah, the different tips made a big difference, um, for, you know, for us. I tried
[5:12]different tips. I tried third-party tips. I tried everything I could find and they just didn't work for me. But then we got the Beats Fit Pro that have that little phalangey thing that kind of curls inside your ear, and that made the difference. So we, we both wear those, and they do noise cancellation, but they don't have any of the new tricky stuff, so not quite going. But that's not actually the subject of the day.
[5:34]
Scams and Copyright Infringement
[5:34]No, it's not. Completely different topic.
[5:37]Last week on the show, Pat Dengler came on and told a story. She's sort of an Apple consultant. She told a story of a neighbor who got scammed recently. And it was just this close to losing $30,000. It was a really horrible story. And Pat saved her just in time. But you got an email or something from a TidBITS reader within a slight panic, you said, about something that happened to them. And I thought your analysis of how you went through showing why this was not something that was terrible was really interesting. I thought maybe we could talk about that today.
[6:12]Yeah, yeah. So, I mean, I sort of, in some sense, I kind of hate to be writing about this stuff, because, like, scams are kind of horrible. Like, they're not fun in that regard. This one proved a little bit more so. But just to set some background, the reason why I'm kind of feeling a little scam-heavy right now is another person who's sort of, you know, somewhat connected to it, but had gotten a copyright infringement scam. Scam where they were told that they had to, um, they were using some image without permission and they had to put a, um, uh, you know, put a, um, an, uh, attribution, sorry, lost the, lost the word. Uh, they had to attribute it and put a link in and, um, and it didn't want to use DMCA language and blah, blah, blah. And what was interesting about it was, is that, you know, this, this image probably was being used without permission. Um, it may have been from Pexels or one of the places that claims that all the images are licensed, but maybe not. But it was in some sense really easy, right? Because you could just, oh, I'll put the attribution on the link and this will all go away as a problem. Of course, what it is is, in fact, a scam to get SEO ranking improved for some scammy site that you're linking to from your legitimate site.
[7:34]Oh, that's genius.
[7:36]Right. And the email message that came with that was, in fact, really hard to identify as a scam because it came from a legitimate-sounding person at a legitimate-sounding law firm. It wasn't written badly. It sounded like lawyer speak, all those kinds of things. And so that one required much more investigation of the actual lawyer and the law firm and things like that to prove that it was not true.
[8:05]How did your friend find this, figure out that it was a scam?
[8:10]Well, so I was actually doing it for her. But basically, among other things, we looked at the, you know, the State Bar Association, the address of the law firm was in Arizona. And we looked at the State Bar Association, no lawyer by that name, no law firm by that name. And when you looked up the address in Google Maps, which it was on the fourth floor, supposedly, you looked up the address and it's this, you know, one-story adobe building.
[8:37]What made you suspicious in the first place, though?
[8:42]Um... And this was where it was a little hard. One is, it was calling for all sorts of DMC, it was using the DMCA, was talking about the DMCA, oh, you're in violation of the DMCA, which stands for the Digital Millennium Copyright Act. And that's one of those blah, blah, blah, blah acronyms that people hear and just kind of panic. But in reality, all the DMCA can be used for is takedown notices. So if someone has your copyrighted stuff on their site, you can issue a DMC takedown notice, which has to have very specific language and all that sort of stuff, and they have to take it down. Or lawyers get involved very quickly. But it's only takedown. You can't use DMCA to ask for attribution or links or anything like that.
[9:33]How did you know that?
[9:33]Nor can you use the DMCA to basically require payment. So the other kind of copyright infringements, not really a scam, I mean, it's sort of a scam, but it's kind of real, is there's companies that go out and look for images that are being used without permission and then basically bill the websites that have used them. And those are, it's sketchy, but it's not actually a scam. I mean, assuming that the image is in fact being used without permission.
[10:03]And assuming they own the rights to it.
[10:06]And they own the rights to it, yeah. I mean, so, you know, it does happen. You know, again, often a lawyer can get them to go away because often they're trying – the scam part of it is they're often trying to charge too much or, you know, use all sorts of techniques that really are not quite legal. But nonetheless, it is real. I mean, there are companies that do this.
[10:28]Well, I think it's important to talk about these, to keep people alert to thinking about these things. And maybe you won't get hit with this one, but maybe you get hit with something else where it just makes you go, let me do a little bit of investigation before I freak out.
[10:44]So the first thing that I did that actually, you know, in essence revealed that this one was a scam pretty quickly was I searched on more than just like the company name. Because, oh, and to be clear, the website, there was a full website for this law firm.
[11:02]Oh, really?
[11:03]With bios for all of the lawyers and, you know, lawyerly sounding pages and all that kind of stuff. You know, they had information about various things. Very simple kind of site to fake these days. Yeah. Um, and so on a very quick, you know, you clicked through, you know, like it all, it all matched up, like it looked real enough. But if you did a little bit more searching, one, um, what you found very quickly was this, this company name and lawyer name had been used, uh, multiple times. Okay. And other people had discovered it was a scam and written. Okay. Okay. So if you searched on more than just like the name of the company or more than just the name of the lawyer, if you like search on them together, um, or you search on the whole company's address, um, all the search engines would then pick up the fact that this, other people had written about this scam. Okay. So, so, so, so doing a little bit more detailed searching would get you that far on this one. But then, you know, again, what if you were the first person? Right. That's where I was like, hey, go to the State Bar Association and, you know, do a Google Maps search on the address. Does it look right? You know, could it? Because Google Maps tells you what businesses are at an address. Right, right. So, you know, and then there were businesses at the address they gave, but they were clearly not law firms. I wonder whether
[12:25]you could have looked it up in Dun & Bradstreet. That's one of the ways I look for, like, is a company, maybe even a legitimate company, but are they a U.S. company? You can see where they're located.
[12:36]Yeah. And the problem with this was like when you looked at the company name, it was something like, I don't know, Commonwealth Law Services or something like that. I forgot. Commonwealth Legal Services. It was such a generic name that you would find other firms with very similar sounding names in other places. So, again, you had to kind of look past the really simple stuff. And then, you know, when you look, again, once you realize that it was a scam, like, all of, if you did, there's this wonderful, do you know about the TinEye? T-I-N-E-Y-E. It's an image search engine.
[13:11]How do you spell it again?
[13:13]So you can feed TinEye, like an eyeball. T-I-N-E-Y-E. And so you can feed TinEye an image, and it will tell you where the image is located.
[13:24]Oh.
[13:25]You know, anywhere else on the web. It's a reverse image search engine. And so I fed it the headshot of the lawyer. Oh. And all the results came back with file names of like generated.photos, basically showing that it was AI generated. And so if you do a legitimate search, it'll actually, you know, like if you search on your picture or something like that, it'll probably find some legitimate things. So, you know, it's one of those things you can prove like this wasn't a real person.
[13:55]Wow. That's... You're really clever. But I like this because you're giving us more generic tools for figuring this out than this specific kind of a scam.
[14:06]And normally with phishing, they're not very well written and they're not very good. And the reason for that is somewhat intentional. They don't want people who are paying close attention and are super, you know, alert and all that. They want people who are like, oh, no, I better do what this thing tells me. Right, right. Because once you start looking, it's always going to fall apart at some point. And so they actually would prefer to find people who are – like, if you're going to figure out the scam right away, they don't want to talk to you.
[14:47]
Identifying Scam Emails
[14:45]They're just wasting their time at that point.
[14:47]Okay, okay.
[14:50]So normal phishing is often like that. The, we'll get to the one that I talked about in this most recent article too, but, but the other ones that I've been seeing a ton of recently are PayPal and DocuSign spam. Oh,
[15:05]I've heard of the DocuSign one, yeah. But the
[15:09]problems with both of them is they come from PayPal and DocuSign. Oh. So they're, they're real email. They're not fake email. They're not forged. But you can send an invoice. You can set up a PayPal account apparently very easily, I guess. I don't know. I mean, they're doing it. Um, and then you can send someone an invoice. Okay. And it, you know, if you're someone like me and you get an invoice from, you know, Mac Store or, you know, Apple Store or something like that, you know, you look twice at it because I do buy stuff from Apple. You know, I might have, just, you know, over now and then, you buy something from Apple. And so the point being, though, that the only thing that is, quote-unquote, wrong with these is that you're being billed for something that is completely fake.
[16:01]Right, right.
[16:02]You know, but they have semi-real names, and it's PayPal's true invoice message. It's being sent through PayPal. So, so you actually, that, and PayPal even has a link, report this as a scam, and you can click the link, and, and if you're the first person, um, you know, then, then it will thank you for reporting it. If you're not the first person, you will get a message saying this invoice is no longer available because it was. Okay.
[16:29]So, and you send that to PayPal or to DocuSign or whoever?
[16:34]Well, that's following the, the link. Um, I don't, I'm not sure about DocuSign. With PayPal, there's also an address, phishing, p-h-i-s-c-h-i-n-g, phishing at paypal.com, and I've always forward all these things to PayPal as well. Probably not because I figure it's just a little bit. I don't
[16:51]think there's a c in phishing, but
[16:52]Yeah, p-h-i-s-h, there we go.
[16:57]Yeah, yeah, yeah.
[16:58]Um, it's that it's not the f fish, it's the
[17:01]ph. Right. Okay,
[17:05]So, that's the other one. It just keeps going.
[17:08]Yeah, so, let's switch gears and talk about the one that you got from a TidBITS reader.
[17:13]The one that just happened, right. The one that I'm like, oh my gosh, this is turning into a trend. So, this one, the TidBITS reader in question is older, he's retired, and like those of who are getting on there, we know more and more people who have died. So, obituaries become a little bit more common for something that we might look at. And he was searching, I think, for a neighbor who had died obituary. I think the guy might have been named Chris Gamble, to judge from the search results. And so, he finds, you know, Chris Gamble obituaries on his iPhone. And he taps one. And he immediately starts, his iPhone kind of blows up with these, like, you know, your iPhone has been infected. You know, you know, quick, tap this to get a cleaner app or, you know, use, use a VPN for protection, that kind of thing. And he just freaks, basically. Um, and that's when he contacted me, uh, because he was like, what, you know, what is going on here? Actually, I take back, wasn't when he contacted me. Um, about 10 minutes later he gets email from 1Password, legitimate, totally legitimate email, which he confirms with 1Password support, basically saying that a device has logged into your 1Password account.
[18:40]Oh, geez.
[18:41]And this is too close in time. Right. And so he's really worried that, oh my gosh, they just told me my iPhone was hacked, and now I've got a 1Password, someone logged into my 1Password account. And 1Password support was very good, and they told him that, well, it is a legitimate message. This is, you know, 1Password thing is not fake in any way. But that was when he contacted me.
[19:06]You said he closed Safari immediately after seeing these pop-ups. So at first he was like, okay, that's probably not real. But then the other thing happens and he's thinking, well, wait a minute, what's going on here?
[19:18]And what I don't know, and I'm not sure he remembers, I mean, he was moving quickly, et cetera, et cetera, is how he closed Safari. So, if you force quit Safari and then bring it back up for any reason, it's conceivable that that could trigger the 1Password message because it sort of has to reconnect to the 1Password site. The 1Password extension does, is the theory. And there's a number of other things that can kind of do this, too. Like if you change your IP number or change networks, you know, you've got a new IP number and suddenly 1Password's like, ah, I'm not sure this is a good idea. I need to reconnect. I'm going to do reconnect, but then send the message saying that I did this.
[20:08]But doing that doesn't always trigger that message. Just sometimes.
[20:11]No, it doesn't always do it. It's, you know, when I looked into it, you know, like there's a collection of five or six things that can trigger that message, but they do not generally. It's more that if you've gotten one of those messages and didn't do something yourself, that's probably why. Okay, okay. But it's not a common thing for people to have this message show up spuriously.
[20:34]All right. So that was just a coincidence. But, oh, you also looked into the IP.
[20:39]Coincidence, yeah, coincidence, but certainly related. But so, yeah, the first thing was it said, you know, 1Password said, hey, you know, your 1Password extension at this IP address just connected.
[20:51]Okay.
[20:52]And so the first thing I had him check is there's a website called what'smyip.com. And just a very quick and easy way to figure out what other sites on the internet see your IP address as. Right, right. Because remember, your IP address is usually going to be the IP of your router. Not what your Mac says. So it's not usually helpful to look it up and try to look it up on your Mac. So you want to look at, you know, you want a website to say, you know, this is what I'm seeing coming from you.
[21:24]So, by the way, that's a very memorable URL and that's awesome. But I prefer IP chicken. It's the same thing. It's got a chicken on it.
[21:36]It's hard to go wrong. Exactly. I must admit.
[21:39]Chicken's never wrong. Okay. So you were able to match up, uh, he saw that IP address from what's my ip.com, the same IP address, so if it's coming from within the house
[21:49]Well, well, yeah, so that's the problem, right? So on the one hand, good news, it's not, you know, someone out on the internet who's, who's hacked into your own password, right? Like that is good, very good news, because if it was not coming from within the house, then you've got bigger problems because someone really has got your password. Um, but so, yeah, right. It's coming from the house, but of course it's, you know, that'll be the same IP address for his Mac and for his iPhone and for everything because it's, again, probably his router that's actually producing the IP address that's being reported. So, so that was thing one. So I'm like, okay, well, good news that it's not someone out on the internet, you know, that's hacked in. But bad news that, okay, like, is it conceivable that someone hasn't, you know, that some malware, because obviously not you as a person, that some malware has somehow managed to hack into your 1Password account and trigger this message?
[22:44]And that's where, you know, nothing is impossible. Like, you know, cannot 100% guarantee that this did not happen. However, the way 1Password works is you have an account password. And that's kind of your master password. And that's what, you know, like if you enter your password after you've restarted your Mac, for instance, you'll have to enter that account password. But when you set up a new device, you have a secret key as well. And the secret key is not quite random because it actually has some stuff at the beginning that's always the same or identifies in different ways. And then it's got a whole bunch of random stuff. And so what 1Password does to make its encryption key is it combines your account password, which you've selected and you've made, with this random secret key.
[23:40]And that's one of the big distinctions between 1Password and LastPass, at least around the time that LastPass was getting hacked every couple of minutes.
[23:49]Yeah, I was going to say, who knows what LastPass does anymore? Because I and everyone else I know immediately got off.
[23:54]Exactly, exactly. But that was one of the extra layers of security. Even if your 1Password got compromised, they have to have the secret key to mash together with it.
[24:06]Precisely. And that secret key is a pretty, you know, it's a pretty long set of digits and numbers and things like that, you know, letters and characters. So that really does massively increase the security. So the secret key is in fact stored locally. That's how, you know, once you've entered it, you don't have to enter it again on a device. So, again, it is 99.999999% sure that 1Password was not compromised. But I cannot 100% guarantee it because it's, you know, the information is all present in the right place at the right time. It's just that, oh, boy, would Apple's overall security have to be compromised for this to, and your device's overall security would have to be compromised
[24:55]
Understanding 1Password Security
[24:53]for this to become a real problem.
[24:55]Right, right.
[24:57]And, and, and so, like, if you're, you know, a retired guy and in, in, uh, you know, the Bay Area, you're probably not a high enough value target to, for anyone who might have that level of tech. Yeah. You know, that's the, that's the, you know, we're going after, you know, the, there's a, you know, we're a repressive government, we want to, we want to get the leader of the opposition, right? You know. So that's the kind of tech you use on those people, you know, the, the, the exploits that you get to use once, because once it's used, you know, Apple will figure it out and, and, and block it from then out.
[25:34]So they wouldn't waste that on me, for example.
[25:37]Not a chance. I mean, you know, it's funny because there is this sort of, you know, it used to be saying back in the old days, people used to say, oh, I'm not that interesting. You know, no one would ever bother hacking me. Well, that's true at the very high level now.
[25:56]Right.
[25:56]You know, no one's going to waste one of those million-dollar exploits. Right. I mean, they do. And basically, if you find one, you know, if you're a security researcher and you find one of these things, if you're ethically challenged, yeah, you can sell it for a million dollars. Yeah. You know, there are people that they will pay that pretty happily. And I mean, that's why Apple actually and most other companies pay bug, you know, bug bounties, security bounties, because, I mean, they're not going to pay a million, but they want to make sure that, you know, people are like, well, geez, you know, I can get a million or I can get nothing.
[26:28]Million's looking pretty good.
[26:29]Apple does pay, yeah, million's looking pretty good. But nonetheless, the, I was going with this, the, okay, so, but most security problems are now automated, right? They're bots, they're script kiddies, you know, it's stuff that you don't actually, you're not targeted personally. And so, yeah, you are interesting enough to be targeted by a bot. Right, right. And so that's why, you know, that's why we all get phishing attacks all the time and spam and things like that. Because it's easy. Why wouldn't you spread off this, you know, spread this, you know, phishing attack, you know, across a few million people? Because you only need to get one for it to be worth doing to a million people.
[27:13]And Bart has been explaining to us that there's now basically malware as a service. So you don't have to write your own malware. You just buy some. So let's switch gears and talk about the obituary site he was on. What did you learn about that?
[27:28]Yeah, so that was really kind of interesting. So, well, first of all, it was just a sloppily built WordPress site. I have a little Chrome extension called BuiltWith, which reveals what technology is behind the site.
[27:43]Oh, really? Okay.
[27:45]Yeah, yeah, it's kind of neat. And because all these sites have to, you know, they have to, you know, just in what they do, what they promote, you can usually get telltale stuff. So BuiltWith is kind of fun to look. And it was more that I was just trying to see how real was this site. And it was pretty clearly not real. I mean, it was a simple WordPress site that had been spun up on November 13th because all the posts were dated November 13th. And they were undoubtedly AI written obituaries because a number of them said, you know, so-and-so passed away, insert date here.
[28:22]Okay.
[28:24]But those are going to get better. And the one that – well, in some sense, they're fine already because, I mean, obituaries are of style. Like, they all sound the same. Like, I didn't – I mean, I could have read any one of these except for the insert date here and not thought twice about it. Okay. You know, they kind of went on, frankly. Like, okay, we get it. Respected member of the community, moving along.
[28:48]Survived by –
[28:51]Yes. And so, in the particular one that my friend found, it was actually a very easy giveaway because the title was, you know, Chris Gamble passed away. And then, I don't know, as soon as you got into the body of it, it was a guy named Alex Brodsky. So, you know, it didn't even manage to match up the title and the title on the body in that one. But, you know, there were others on the site that were properly matched. And the other slight giveaway there was, you know, they had ads for gambling sites.
[29:23]Nice, nice.
[29:25]So, I mean, it was pretty clearly a scam site. But that wasn't the interesting part, because that one really was, you could figure out, oh, this is fake pretty quickly. What was interesting was, is if you went to it from an iPhone and only an iPhone, if you didn't hit on a computer, it didn't trigger all this stuff. Then all of these pop ups would start appearing, you know, show, you know, like where it would it would redirect you to another page that would, you know, have like, you know, you know, 44 viruses found, you know, and show up something pop up with things like, you know, clean them or something. And then when you, my friend, as I said, my friend panicked at that point, but I'm fairly comfortable that Apple, iOS is not vulnerable to this, any kind of, you know, malware that's going to exist on these kind of sites.
[30:13]Right.
[30:14]You know, that you can do, you can display stuff, but you can't actually do anything to iOS. iOS is too good for that. Again, if you have the exploit that can break iOS by visiting a site, you're selling it for a million dollars. You're not using it on obituary scam sites.
[30:32]On a poorly written WordPress site for obituaries.
[30:35]Yep, yep. Not wasting the silver bullet on those. So I just basically kept going to this site repeatedly until I'd collected, I don't know, like nine different examples of these alerts.
[30:50]Yeah, I'm noticing. So, he's got screenshots in his wonderfully written article, and every one of them looks different. Yeah. They're not the same alert each time. Some of them have the system settings logo in them. Some are just badly drawn. Some of them look like a classic alert. You know, it's really interesting that they're so different. And this is the same website over and over again? Or different websites?
[31:18]Yep. Those are, well...
[31:21]They have different URLs in them.
[31:22]So it's different websites, but it's all triggered from the same source obituary site. So basically you go to the source obituary site, and when it detects you're
[31:37]
Exploring Obituary Scams
[31:35]on an iPhone, it redirects you to one of these other sites.
[31:38]Oh, wow.
[31:39]Wow. And, and then if you tap one of their, you know, like basically you tap anything more or less, because they'll put up dialogue saying allow or cancel or, you know, whatever they're doing, you know, whatever the makes sense for this particular alert, whatever you tap, it will take you to the app store and load a VPN app or some kind of system cleaner app or something promising to protect you from bad stuff on the iPhone. And these are real apps.
[32:09]Interesting. Well, yeah. Are they real apps? What do those real apps do? Did you install any of them?
[32:14]So as I said, I'm foolhardy enough to load malicious websites. I'm not foolhardy enough to load malicious apps. Because once you've allowed, I mean, an app obviously, in theory, can't do much because it's been sandboxed or whatever. But, you know, VPN apps.
[32:34]They install profiles.
[32:34]They install profiles.
[32:36]Yeah.
[32:36]Yeah, it's like, I'm not going there.
[32:38]I was trying to think, could I do it with an old iPhone that I'm logged out of iCloud? But you can't. You can't install something from the App Store without being logged into an iCloud account.
[32:46]You need a full test, test account and everything. And again, I just do this on TV. I'm not a real security expert.
[32:55]So you put screenshots of some of the apps that came up in Visigard, VPN, Purely Cleaner, VPN Lumos. I'm wondering, you know, some of these have, well, I guess they're in the low tens of reviews.
[33:12]So, reviews can be purchased. So, that doesn't mean much. And so, yeah, I mean, like, there's whole swaths of sites or products on Amazon, which have just, you know, vast amounts of reviews because I just purchased reviews. So what was interesting is one or two of the apps was very, very new. Like it was like, I don't know, version 1.0.1. Others have been around for years. And the problem is, I don't know. I mean, like, I don't know if they're – I mean, they obviously must do enough to have gotten past Apple's basic vetting.
[33:51]Right.
[33:52]And so I doubt they're, you know, like hugely problematic in that regard because Apple, they got past Apple. And I can't quite, I couldn't, I went through the app review guidelines and I couldn't quite determine if it's against Apple's guidelines to promote your app with spam.
[34:13]Oh, like how you got there.
[34:16]Right. Like you can't do anything like that within Apple's world. But, but, but I'm not, I couldn't quite, like, there's some wording in there that suggests you, you can't, you know, do anything fraudulent to, to, um, direct people to the app. But again, I, you know, and, and these companies, if they're real companies, could just say, well, we don't know, I have no idea how our link got into that scam, you know. Right, right. So I didn't, that's why I didn't, uh, I didn't, uh, you know, automatically say, you know, these are evil apps that you should be very careful about. Yeah.
[34:54]I get a sketchy ick feeling looking at them, though.
[34:58]Don't you, don't you? I mean, they are not, like, these are, these are, these are not, you know, companies you've ever heard of or, you know, anything else. And, and many of these, like, there's not a lot you can clean on the iPhone, right? So, like, the concept of a cleaner app. Yeah.
[35:16]I, I find it odd to believe that that would be allowed on, uh, on iOS.
[35:22]Yeah. So, interestingly, um, you cannot report apps using the App Store unless you've purchased them. So, um, so, like, I actually am still, still trying to figure out how to get this, I have, quote unquote, reported it, but I'm trying to figure out, like, a better way to say, I think these apps are scams, you know, look at them again. And because the, you know, the automated method just won't work for me unless I'm willing to download them, which I prefer not to even clutter my history with them, put it that way.
[35:59]Right, right.
[36:00]Plus, you know, like, and I'm working through the basic, you know, a really simple form where I, you know, like, I want to say, look, no, here's the background of why I think these things are scams, not like I'm going to click report a problem and I think it's fraudulent and then not be able to say anything in detail.
[36:18]Yeah, I'm looking at Purely Cleaner only has one rating, but it's got four stars for that one rating. But what they promise to do is allow you to see things like duplicate photos and duplicate videos. And that's something you can do with apps from the App Store. I've got one that does that. Yep. Let's you see a bunch of images and you can pick which one's the one you want to keep. But it also has merge duplicate contacts. And I don't remember being allowed to do that with anything.
[36:51]Might be if you can request, I mean, like BusyContacts and the like would request access to your contacts, and it can do that. From iOS?
[37:00]Or is that macOS?
[37:03]
Investigating Malicious Apps
[37:01]I'm not sure, but I wouldn't be entirely surprised.
[37:04]But I don't think that's a Mac App Store app,
[37:06]Is it? Once you have read-write access, once you have read-write access, yeah, there's an iOS app.
[37:10]I think. Okay, okay.
[37:12]So Cardhop, certainly, from the Flexibits people. Right. But if you can read and you can write, you can probably merge. So, you know, like, it will probably have to ask for all those permissions, but that would seem, you know, you would probably grant them if you got this app. Okay.
[37:27]Oh, yeah. Cardhop is in the App Store. Okay. Huh.
[37:31]Yeah. So, you know, the question is, though, like, is it somehow exfiltrating all this data? You know, yes, you've given me access to all your contacts. Now, I have all your contacts. I'm going to send that off to my server in some, you know, backwater country.
[37:48]Right, right. New people to scam. So, what do you see as the lessons to take away from all of this? I mean, you did a lot of digging that people wouldn't go that far.
[38:00]I mean, I think the, well, a big one is be careful of obituary sites, unfortunately. Because, well, even legitimate ones, a lot of people have the same names, right? You search on, you know, a name, obituary, you're going to find a lot of people on a totally legitimate site, you know, legacy.com or whatever. So, you know, pay a little bit of attention to make sure you're on a legitimate site if you're looking at obituaries, because it's awfully easy to fake those. And Glenn, when he was, Glenn Fleischman was editing my article, he was pointing out that there's actually, you know, whole lots of scams, you know, which don't require the same, you know, even, you know, even faking them. So, you know, it's just, you know, be careful when reading obituaries. And people are often not necessarily in the best state of mind when they're doing that.
[38:50]I wonder whether you don't have to put the adjective obituary in front of sites. Be careful of sites.
[38:59]Boy, it does seem that way these days. So, that's thing one. Thing two is...
[39:08]
General Security Advice
[39:08]It's pretty unlikely that any website is going to be able to cause problems on an iPhone or an iPad. You know, Apple security is pretty darn good. And, and, and they're, I mean, and partly they're constantly improving it. That's why we have all these stupid updates to install all the time. Right. The last, you know, they were just, you know, 18.1.1 was for two zero day vulnerabilities in JavaScript and WebKit. So, you know, like those were, those were bad website bugs. So, you know, so always keep, stay up to date, um, with the security updates. They really are important. And, um, and but that said, if you do end up in one of these sites, just, you know, close the tab. Don't, you know, you don't have to intersect, interact with it in any way. You know, it's nothing, it can't do anything to you, so you don't have to be scared by it. You can just go, another one of those, and then you tap the tab button and you tap the X and the tab goes away and it's not a problem. Okay. So, you know, that, you know, kind of, I'm a big fan of Hitchhiker's Guide to the Galaxy because, you know, don't panic is really good advice. Well.
[40:18]And that is one of the things that, um, they feed on is that panic, right? They, with the example of Pat's friend, where it's that urgency that they give you, if they're giving you an overwhelming amount of urgency that's making you super anxious, you should do everything possible to reverse that in your head and go, hang on, why is that urgent?
[40:39]Yeah, yeah. Well, and also, I mean, to get back to that copyright infringement one, that completely freaks people out because you're being hit with a lawyer letter, right? You know, nothing ever good comes out of letters from lawyers. Um, and so, you know, so that, you know, it's the same trigger, that, that fight or flight, you know, response. And so, you know, I think the, the bigger picture story is, you know, be aware that a lot of things are going to try to do this to you. And of course, it doesn't help that social media wants to do this in general, right? You know, social media wants engagement, and the best way to get engagement is to have things that make you crazy. So, you know, I mean, general advice is always avoid social media like the plague that it is. But, you know, it's the same physiological response that all the social media sites are trying to trigger that is what's causing these scams to be as effective as they are in some respects.
[41:43]Right, right. I feel inadequate that I did so little when my mother-in-law called and said, but Allison, there's something weird on my screen. Can I share my screen with you? And I looked at it and I was like, okay, I'm looking at this. It's got a red X in the upper right, not a red dot in the upper left. So Apple things are always red dots. As soon as you see a red X in the upper right, you know that's not for you. And she goes, oh, okay. And she closed it and I said, okay, moving on. Good job. But I didn't go any further than that. I was just like, yep, she's fine.
[42:16]Well, and, and part of the way I've gotten into these, um, is that, one, people are really falling for them, you know. And actually, you know, in both of these cases, the copyright infringement one, um, the PayPal DocuSign invoice stuff, um, you know, this obituary, these were real people who are not dumb, right? Like, this is, you know, these, this is not a, this is not made up or super newbies who couldn't possibly have figured this out, you know, because people who.
[42:44]Don't know computers.
[42:47]Nope, no, not at all. Um, you know, the, uh, you know, so, so they, they are real. And, like, even after I posted the obituary one, I've gotten a couple of notes saying, yes, my wife just got this the other day. Wow. You know, you know, thank you, thank you for, you know, kind of resetting us, you know, you know, explaining what, what's going on here, because we just saw this. Yeah. And so, so, so, so it is out there. And, you know, and again, like, I don't want to just be writing about this non-stop, but I'm always intrigued when there's a new type. Oh, you know, and so, because, like, oh, well, that's an interesting way to scam people. Like, clever, clever scammers. Too bad you're, you know, slime balls, because that's kind of clever.
[43:30]Yeah, Bart and I talk about that often where you're like, man, I kind of respect him for thinking of this. That's crazy, but okay, still hate you, but...
[43:39]Yeah, right. Precisely. You're still a scumbag. Right, right. You know, so, so yeah. And, you know, and again, you know, as you know, I do feel that people who are older, I know a number of number of friends and, you know, getting into their, you know, 70s and early 80s and stuff like that. And they're just not doing as well at identifying this stuff anymore. And, you know, as I said, it's the particular people I'm thinking of, and, you know, I don't know how to do anything more other than just try to get the information out there so that hopefully it triggers when they run into one of these things as opposed to them having to call me each time it does.
[44:24]Yeah, I do think that one of the big values of doing this out to, like, in my case, this is a nerd community who's going to be listening to this is not just to protect themselves, that is going to be an aspect of it, but to really preach that when your friend, relative, school teacher, whatever, calls you and says, I see this thing, treat them with as much respect and honor as you can for having them called you and make them feel good. Like, wow, that's amazing. You caught, that's great. Thank you for checking in with me. Not, oh, you idiot. You know, I can't believe you were going to fall for this. You know, we can't ever do that.
[45:02]No, no, no. And, and, and, and not at all because this stuff isn't easy. And it's, you know, like. It's going to get you.
[45:10]And me eventually.
[45:11]Oh yeah.
[45:12]Sooner, if not later.
[45:13]No, I mean, I've only, I've only once, the closest I've ever come, um, was I had a friend of mine who passed away. And the right afterwards, like that, oh no, it was like, oh no, I'm sorry. It was a friend passed away, and then a woman who was his boss, her account was hacked and used to send spam of some sort, I forget exactly, which I would never normally have in any way fallen for. I mean, didn't do anything particular, but I, like, I read it and I was like, uh-oh, you know, I almost, like, almost replied and everything. Um, but basically because it was, again, so coincident in time that this guy had just died and his boss, who I also knew, um, you know, had, was sending mail that, you know, somehow made me want to go do this thing. And it really was like the, oh my gosh, I almost fell for that. You know, I was that close and because it just hit, it pushed all the buttons. And so it doesn't take much and people are moving faster and faster than ever, not reading carefully. And, you know, it's, it's, that's, it's easy to miss these things.
[46:32]I think we should close this out with Bart's tagline, which is stay patched. So you stay secure.
[46:42]Yep. It's, it is absolutely true. Those security patches, they make a difference. And the problem is it's hard to say when because you'll never know. You just won't have a problem.
[46:54]Well, thanks for coming on and giving us the investigatory methods that you've been using too. Because I think as we learn more about these, we need to have more tools in our tool belt to be able to figure it out. I never would have thought of looking at the Bar Association, for example.
[47:09]And one thing I will actually also just mention as another quick thing to try, not that you should necessarily trust it implicitly and everything, but the AI chatbots are actually interesting ways to feed these things. Because you can feed them an entire message and say, is this legitimate?
[47:27]Oh, and it might give you some links to something that helps you investigate further?
[47:33]Well, or just, well, not so much. I mean, the links, if it's using Perplexity, for instance, which is more of a real search engine, ChatGPT is no sort of notorious for doing bad links. It's more just that if what they're good at, right, is saying stuff like this.
[47:54]Oh, OK. Right, right. Right.
[47:55]And so if it's if stuff like this is like all of these other dubious things, they'll probably say nicely, you might want to look into this more deeply. You know, you know, things like this have been used to for scams in the past. And so it's just one new new tool that we have. And when I like when I pasted the copyright infringement stuff in, yeah, ChatGPT was like, yeah, all over. That's probably a scam.
[48:22]That's probably an LLM superpower, right? Have you seen this pattern of words? Why? Yes, I have. That's what I do.
[48:32]Yeah. So that's the one sort of new thing. And I don't quite want to, you know, I don't want to say you should absolutely trust everything they say, because of course, they're LLMs, they get stuff wrong. But as a, just a yet another data point in all of this, you know, and it can be a quick, it can be an easy one, right? Like, you can literally just copy, paste, is this real? No. Okay, thank you. You know, and, you know, and then if you need more, more backup, you can. Most of the time we don't need more. The only time we care is when you're being like me and you want to, like, well, is that lawyer a real lawyer? Is that firm a real firm? Are they on the fourth floor? No, I don't think so. You know.
[49:12]
Conclusion and Closing Thoughts
[49:13]Sounds like you had fun with that. Well, thanks again for coming on and telling us all about it, Adam.
[49:18]You're welcome. Nice to be here.
[49:19]I hope you enjoyed this episode of Chit Chat Across the Pond. Did you notice there weren't any ads in the show? That's because this show is not ad-supported. It's supported by you. If you learned something or maybe you were just entertained, consider contributing to the PodFeed podcast. You can do that by going over to PodFeed.com and look for the big red button that says Support the Show. When you click that button, you're going to find different ways to contribute. You can donate one time through the big donate button with a credit card or Apple Pay, or you can use PayPal. If you want to make a recurring contribution, click the Patreon button. Keep in mind, I don't charge Patreon for Chit Chat Across the Pond or Programming By Stealth episodes, just once a month for the NosillaCast. That keeps it simple. If you want to contact me for any reason, you can email me at alisonandpodfeed.com, and you can follow me on Mastodon at podfeed.com.
[50:08]Music