Futurecast | Glitches, Creeper-Maps, & Ok, Telegrammers

#0013 Trust And Cyber Online 🌮

hello world [what’s up]

Kaixo Cartomancers! 

So look at that - our 13th set of labnotes headed to your inboxes on Friday the 13th! It’s our lucky day! But speaking of “how could this possibly go wrong”, I’m likely going to be making some changes to the website that sits behind this newsletter/blog, so you might start receiving these newsletters from a new email address or see something new the next time you visit cartomancylabs.com.

Let’s get into it:

  • News nuggets 

    • An ATM check deposit “Glitch” by any other name: Check fraud goes viral

    • Extortion targeting + Google Maps mashup: Scammers get super-creeper to get your attention

    • Ok, Telegrammer: Not Radiohead’s new album (& tbh I’m guessing they’d be Signal users)

training data [what’s news]

🗨️ An ATM check deposit “Glitch” by any other name: A viral TikTok trend spiraled away from fun dances and into the Chase fraud team’s nightmares recently, as fraudsters discovered a loophole in how deposits are handled by ATMs.

Now that the weekend’s over, the party’s over, and Chase has confirmed that they’re referring fraud cases over to law enforcement. And the credit bureaus, I would suspect. 

The “glitch” made for an exciting weekend, and also for some interesting takes in pop and financial press alike. I think my favorite take came from my favorite LawTuber, Emily Baker. Baker is a former prosecutor, and her channel does deep dives into pop culturally significant court cases - I was not expecting her to start talking about this case AT ALL, but thoroughly enjoyed the discussion (this link is cued to the “Glitch” segment).

Emily Baker reviewing info posted about the “Glitch” (discussion was streamed live on YouTube)

🗨️ Extortion targeting + Google Maps mashup: A few years ago I received a short note from an innocuous looking email account - while I didn’t recognize the sender, the email had been sent directly to me (no cc:’s) and wasn’t flagged by any spam filters.

But what really caught my eye was the subject line: it included one of my passwords.

  • The sender very politely explained that they’d installed malware on my computer and had compromising videos of me, which they’d be happy to expunge for $1000 in cryptocurrency. A straightforward extortion threat.

  • Given my work in the anti-phishing space, I was less concerned about their claims and more concerned about what seemed to be a targeted threat. Was someone coming after me?

  • It turned out that leveraging compromised passwords as “proof” of access to personal information was an innovation that became a trend. (Side note: Reusing passwords across sites is a bad idea - please use unique passwords and strong authentication where you can). Well, the scammy innovators are at it again.

404 Media shares some deets on a new scam. It makes a lot of the same claims as any other sextortion spam (that the bad actors have compromising video or pics), but the “proof” being provided by the scammers is scarier: “The emails 404 Media has viewed—from readers and friends who’ve been targeted—contain the person’s full name, address, and phone number in the body of the email, an attached PDF that contains a photo of the person’s street (likely screenshotted from Google Maps), and a lengthy letter claiming that they’ve been watched through their webcam.” This appears to be a widespread trend. But, in what I think is a good sign, people are speaking out and educating each other about it.

Sadly, while this unfortunate Google Maps mashup is a new twist on making a social engineering lure more effective, overall the problem of sextortion is on the rise, and the battle is happening on multiple fronts. We’ve previously discussed a bit about the impact of deepfakes on the problem, especially when minors (or depictions of minors) are involved. 

In July 2024, Meta claimed to have removed 63,000 Instagram accounts linked to sextortion scams from Nigeria (after having received a $220 million fine). This action seems to be related to the “Yahoo Boys”, whose activity, which US Homeland Security investigated in depth between October 2021 and March 2023, generated 13,000 reports of sextortion, 12,600 of which involved minors (mostly boys, consistent with the NCMEC/Thorn reports above) in the United States. In addition to financial damages, the scams triggered at least 20 suicides, according to the FBI.

Looping back around to the impact of deepfakes here, deepfakes can be and are being used both in the “lure” or “grooming” of the victims, as well as in the generation of extortion material. In fact, we are still hearing reports of children and teens generating deepfake porn of other children and teens. 404 Media reviewed one of Thorn’s other reports on child safety that found 1 in 10 minors say their friends are using deepfake tech to generate nudes of others.

🗨️ Ok, Telegrammer: I’ll keep this one blessedly short. In the wake of the arrest of Telegram founder Pavel Durov, there are a lot of questions about the app that is so popular among conservatives, free speech proponents - and tons of fraudsters and scammers. Here’s one we can answer quickly.

  • Is Telegram really an encrypted messaging app?

  • TL;DR - No

  • And if you want to know more - Matthew Green, respected cryptographer (Johns Hopkins University), explains in his blog post that end-to-end encryption is NOT on by default, and must be manually activated using ‘Secret Chats’... which must be activated “for every single private conversation you want to have”.

find more cartomancy [what’s out there]

coming soon

▶️ Got some things in the works, so watch this space!

on demand

▶️ I attended Black Hat USA and the CISO Summit this summer in Las Vegas (early August). As a member of the review board (selection committee) for both events, it was fantastic to see and hear from so many innovators as they shared their experiences and research. I got to introduce a couple of great talks, and also got to have my own (on camera) discussion with Jeff Man - it was streamed live, but if you weren’t able to catch the stream you can catch the replay here:

▶️ I had so much fun with my talk (entitled “Watching the Detectives: Scam Artistry, Deep Fakery, Fraudsters, Frame-ups & Other Highlights of the High Speed Card Chase“) at BSides Knoxville’s 2024 event (their 10 year anniversary!). The discussion focused on parallels and differences between the evolution of detection technology in fraud/T&S versus cyber, and how Maturity Frameworks might apply to fraud programs. Here’s video (below) of the full talk:

▶️ I was delighted to spend some time discussing cybersecurity career paths, leadership development, and industry trends while reconnecting with my friend and colleague Sandra Liu (if you haven't seen what she's working on over on YouTube I encourage you to check out her projects). In this interview, we cover cybersecurity career and industry topics including:

  • 🤝 What do hiring managers look for when hiring candidates for a job?

  • 💻 What cybersecurity skills are most relevant?

  • 💭 What are the biggest challenges facing organizations today?

A bit of a throwback to but it was so much fun chatting with Andy Ellis, and so much in here is true even a couple of years later.

ttyl [what’s next]

Thanks for reading to the end of this set of lab notes. I’m thrilled to have some fellow travelers mapping out where we’ve been, philosophizing about where we want to be, and building the paths to get us where we’re going.

If you’ve read to the end and you find this content helpful, I’d love feedback. My news feed is full of leads, but my personal algorithm loves learning about what interests the community, so that I can focus in on what will be most useful. Just hit reply and your comments will come whizzing into my inbox. (It’s also a good way to find me if you are interested in working with me or with Cartomancy Labs).

See you next time on the Futurecast!

Allison

@selenakyle