Hotline Hacked Vol. 1

Speaker 1: Thank you for calling Hotline Hacked. Share your strange tale of technology, true hack, or computer confession. After the beep.

Speaker 2: Hey. My university has a system, like many universities, for getting enrollment verification. So if you wanna get a student discount, some places will require that you submit a transcript or some evidence that you're currently enrolled. So I go to the website provided by my university, which asks for a last name and a Social Security number. I type in my last name. I type in the Social Security number, and I get somebody else's transcript. Turns out, I typed the wrong Social Security number, and they don't check against the last names. And so what they provided me is a portal where I can just put in random Social Security numbers, write down the number I put in, and get a transcript of you know, I know they're going to school here. I know what classes they took. I know their address. It's just a great place to get all sorts of information about people. And, thankfully, I I tried it a couple of times just to make sure that this was actually fully broken. Didn't do anything with it, obviously. But I reported it to the security email that I found somewhere on the page, and it did get fixed. But I'm like, make sure if you're asking for security questions, you actually use them. Take care. Bye.

Speaker 3: Okay. It's

Speaker 4: just such a great place to get all sorts of information about people.

Speaker 3: Well, I I think what he doesn't what he doesn't realize is that he has committed a a large crime as he demonstrated by the fact that this same thing happened in the province of Alberta by one of the MLAs, the members of the legislative assembly, which is essentially like somebody in government, elected official in government, during the COVID thing. Do you remember this? They had, like, the little COVID certification things, and one of the MPs found out that there was a flaw in the system that allowed you to bypass certain things and would give you information on other people. That MP got investigated by the RCMP or, like, the police for doing the essentially the ID. I totally forgot about that. Yeah. They tested it and reported it. So this this this caller has essentially done the same thing.

Speaker 4: And now we've got you on tape confessing to it. Exactly. This was a this was a what are those called? This was a covert operation. Gotcha, buster. No. Not at all. Hey. Well, welcome to hotline hacked. The hotline you can trust for your to preserve your anonymity when you share stories and content with us.

Speaker 3: The the the other thing I'd say about this is I think this is so common. Like, there's so many systems that are poorly designed from a security standpoint, especially it seems like ones that are, like, largely database driven, like things like this where it's probably put together by, like, a a database person who's not thinking about all of the security around the access to the data, they're just like, oh, I can I can build something that quickly queries this information and dumps it to a website? And it's like, okay. Great. It's like, why would I put any kind of constraints and checks on this? Like, I'm just gonna look up use the primary key of the social, look it up in the table, and dump that record out. And it's like, I I can't I can't imagine. There's gotta be thousands of systems that are broken like this. Thousands.

Speaker 4: There's a couple things to unpack here. First is there is definitely assuming this worked the way the caller described, which is that the thing asked for this portal asks for both your Social Security number and your last name. It would seem the last name is just going into the void, and all they're doing is checking the Social Security number before they give you access to this information. There's a little bit of duplicitousness of even putting the last name box if you're not going to use

Speaker 3: it. Totally.

Speaker 4: It suggests, you know, that you should be getting some kind of verification, but you can't be bothered to wire it into anything. So we we kinda gotta put that aside. To your to your second point about this happening, about four seconds of googling discovered that it was the most recent one is the University of Minnesota, who is currently who at the time of that publication needed to email 2,000,000 former students, applicants, staff, and people whose information had been leaked to any data breach that was discovered in July of that year. The hacker in that claimed to have accessed 7,000,000 Social Security numbers, that was published in the Cyber Express. So, yeah, I think you're honing in on something that maybe those databases on campuses aren't quite as locked down as they ought to be.

Speaker 3: It's I like the it's not even like this is an SQL injection. Like, you'd use something like an SQL injection attack to get access to data that's not connected to your record and stuff like that. Like, if you can get into the database, if you can add stuff to the query, you can pull more stuff out. This is just straight up broken. Like, it's just a a complete lack of security on the on the on the form that they built. Like, the fact that you don't have to do anything besides just like, you could write a number generator that just attacks this thing and war dial the the social numbers and just pull every record from everybody at the school with probably pretty easy. I doubt they have a query limit. I doubt they have anything. So you'd probably do it, like, really quickly, and nobody would even know what happened. So another

Speaker 4: never heard the term war dialing until you just used it.

Speaker 5: You have a

Speaker 4: a sick term. You've heard the term war dialing. Have I heard the term war dialing?

Speaker 3: Yeah. We've talked about it in episodes long ago. So war dialing is essentially like the old school back when back when the Internet was phones, for lack of better terms Right. When when when office workplaces and stuff allowed access to networks through dial in, war dialing was essentially setting up a a modem to call all numbers in a band. So, like, maybe you give it a prefix, then it dials every suffix in that prefix and essentially makes note of which ones are modems that pick up because modems have distinct, you know, ways of answering. And then you get, like, a list of all, you know, computer assist computers that are on in that prefix. So that's what WARD dialing is. So you kinda use it the same way for a number of other things.

Speaker 4: Fascinating. Yeah. So the the first thing that I thought when I heard this was, like, It's pretty weird that someone else at the school had such a similar Social Security number. Mhmm. So I went down a little bit of a rabbit hole of how Social Security numbers are generated, and it made it left me feeling like this is actually totally plausible. So up until 2011, in 2011, Social Security numbers were replaced with totally random strings of numbers.

Speaker 3: Mhmm. I

Speaker 4: think it's the same length, but they're totally randomized. In the press for this, they use the term randomization in quotes as though it was like a patent pending term that they had invented, but it just they just made them random numbers. The Social Security Administration changed the way SSNs are issued in 06/25/2011. Prior to that point, though, since they were originally implemented in 1936 for tracking workers' earnings, Social Security numbers had a really rigid structure. It was a three digit area number, a two digit group number, and a four digit serial number. And what that basically meant was that, if you were born in the same place at the same time, your Social Security number could largely overlap with other people born in the same place at the same general time. This was obviously changed in 2011 to sort of expand the total possible pool of Social Security numbers. I think now there's approximately 420,000,000 possible numbers up for assignment. The previous structure had limited that. That's why they changed it. But I kinda buy it. You get a bunch of people going to the same school. A lot of them are gonna have grown up in the same place. A lot of them are gonna have been born at generally the same time. I I kinda buy it. I I think it seems plausible to me.

Speaker 3: I seems plausible to me too.

Speaker 4: Yeah. The other thing this reminded me of is that scene in the social network where he gets brought in front of the ethics committee for having hacked the Facebook, like the campus Facebook. And it just evoked that, which is fun because I think the other call we're gonna be talking about is also set on a campus.

Speaker 3: Let that be our segue.

Speaker 4: Let that be our segue.

Speaker 6: Good morning, Jordan and Scott. It is Chris here from a chilly autumnal morning in Dublin, Ireland. I wanted to share with you a story of when, I had my first job out of college, basically. I was an intern working in a very small company. I was based in a college campus, basically. Parking was €10 a day, and I wasn't even getting paid. So I thought that was pretty unfair. So I decided to, hack the system in my own way. So I I scanned in some, some tickets that I bought over the course of a week, managed to get all of the numbers in the that I needed, I suppose, and the letters that I needed for the days of the week, etcetera, and the months of the year. And then eventually, what I what I would do is every morning, I would just print off from Photoshop a new ticket. And, yeah, that's how I got free parking for, like, a year or two. Not exactly a high stakes computer hack, but, yeah, it's my own personal hack.

Speaker 3: I

Speaker 6: love the show. Keep up the good work. All the best.

Speaker 3: That's so sweet. We love the show too, and we're thankful that you love it too.

Speaker 4: Thank you. Really appreciate that. Okay. Let's crunch some numbers here. Parking was €10. Homie wasn't even getting paid for the job. So unfair. Assuming he had to go in five days a week is pretty quick math. €50 a week. How many weeks do we assume he went in per year? For, call 50?

Speaker 3: Call it call it, like, 47. 47.

Speaker 7: So maybe just crazy.

Speaker 4: Times 50. Homie saved €2,350. He did. With this hustle. Assume he ran it for a full year. And again, this is an undercover operation. Gotcha.

Speaker 3: The so this one resonates with me because this is something that I always

Speaker 4: your shit. This is something you would have done.

Speaker 3: No. This is something I always want to do and never do. So I don't know I don't know if you know this about me, and I don't know if this is in the hack trivia yet, but, like, I'm a huge tennis fan, and I go to tennis tournaments. And k. Tennis tournaments are very, like they're kind of for the people in some ways, but then they're also not for the people. Like, there's different levels and passes that you get that get you better hospitality options, not only better seats but better hospitality options better you know bars restaurants services on-site and they cost way more like if you want to get a premium ticket at a premium tournament it's much more expensive than just getting a general admissions like site access pass One's, like, $50 a day and one's, like, you know, $5,000 a day. And k. The passes that they give out are honestly the most reproducible things I've ever seen at most of these tournaments. Like, they're they're just physical access. Like, they're just a like, a placard on a lanyard. The lanyard's for sale in the in the shop on-site, so you can buy the lanyard. The placards, like, we've honestly gotten to the point of, like, jokingly taking photos with site staff so that we can have copies of their decals in our photos.

Speaker 4: Oh, sure.

Speaker 3: But we've never actually done it. Like, it's so easy to do. Like, it would take fifteen minutes in Photoshop, a trip to Staples, and $2 for a laminator, and it would be all done. We'd have full access site passes, get media access. We'd be able to do anything, but we just haven't. I've never

Speaker 4: done barcode? Like, it's it's just a site

Speaker 3: There's a barcode, but, like, the security don't scan it. So it's just, like, it's

Speaker 4: just fancy tennis thing, and people would be offended if someone had the gall to scan their

Speaker 3: Exactly.

Speaker 4: Pass, supposing that they were a liar and a thief. Yeah. I got you. So all

Speaker 3: of a sudden, you just have a lanyard on with a big placard and a photo of you on it and, like, often, like, a a letter or a colored block that designates what level of access you have. And then once you have those passes, you're just free to roam. And every time I'm at one of these tournaments with one of my friends, we joke about making them because it would be so easy, and we haven't done it. So I look I look to this caller, and I say, thank you for living out my dark fantasy.

Speaker 4: It's dark. My beautiful dark twisted fantasy. Oh, that's pretty good. Yeah. Yeah. I remember kids in high school, photoshopping bus passes, which in retrospect was actually kinda dark now that I think about it because it meant that kids needed to photoshop bus passes. But, anyways, no. The story that this reminds me of, Scott, did I ever tell you the story of my first ever hustle?

Speaker 3: Always be hustling, Jordan. Always be hustling.

Speaker 4: On that grind set twenty four seven. No. My first rift. The con that kicked it all off. Did I ever ever told you this story?

Speaker 3: I don't think so. I don't think so.

Speaker 4: Okay. Amazing. I was a minor. So for legal purposes, we can also say it was my last. Okay. So when I and it has to do with parking, which is why I bring it up. So I got a job when I was like, they just changed the laws in the province we're from about how young you could be to work seasonal work. Mhmm. My parents were like, get this kid to work. And so I went to go work it. I won't it'll remain nameless, but it was the big carnival exhibition in town. Mhmm. You would be familiar with it. It's gold rush themed. Anyway, my job is I worked parking. It's not a great job. Oh, man. It was it was paid, which means it's better than, what our dear caller was getting compensated for his position. It wasn't a great job. You stand in a parking lot directing cars either in the hot sun or the pouring rain with all of the authority of, like, a 13 year old.

Speaker 3: But all the authority that a high vis vest and a light stick gives you.

Speaker 4: A 100%. And at some point during this whole, this terrible week and a half, they said this 13 year old seems like he's really ready to handle a little bit more responsibility. So they put me in charge of a gate. And it's a gate that was it was away from the main parking lot. It was kind of off to the side of the complex. It was a little bit private, and it was the gate that people who worked for the, like, the property essentially where the exhibition was being held would pull off of a road. I would go open the big chain link gate. They would drive in, go down a road, and go park. But it also happened to be the road that packs of people coming from the transit center would walk down on their way to the main entrance.

Speaker 3: Okay. Okay.

Speaker 4: And some, like, people would have the thought, hey, there's, like, seven of us. Tickets cost whatever $25 to get in or something, say $20. Mhmm. Hey, kid. If we give you $20, would you open the door? No one's around. And It's a big chain link fence. And? The con is on, my friend.

Speaker 3: Criminal. Criminal.

Speaker 4: The the the hustle begins. So I feel a real kinship with you, caller, in that we have both, exploited a parking system at some point in our lives. I feel a kinship with you.

Speaker 3: So let's let's talk more about your con here. Let's get into the the dirty details. How much additional funds do you think you might have or might not have made that summer?

Speaker 4: You know, it's foggy. We're we're we're getting pretty far back in the personal history, like, around two decades at this point, but I remember it being comparable to what I was being paid for the, like, accidental.

Speaker 3: You double down.

Speaker 4: I double down. I double down totally.

Speaker 3: You're you're coming home every night with, like, a stack of twenties in your pocket, and your mom's like, what's going on, Jordan? You're like, business is good, mom.

Speaker 4: Business is a booming. I definitely I think I learned in that that while I am very compelled by crime stories, I do not have the disposition for it because I was nervous. Like, I I carry I don't know if it's guilt. It was hard to feel guilty as a 13 year old taking advantage of such a large organization, but I definitely carried some kind of, weight after that. And I think I learned in that that I am much better at telling stories of other people's indiscretions, not necessarily committing them myself. Yeah. But, is it you know?

Speaker 3: I feel

Speaker 4: The the hustle the hustle begins.

Speaker 3: I feel like I was raised in a way where I have, like, a very strong sense of justice instilled in me. And I kinda don't like it because I think that life would be a lot easier if I was just a little bit seedier. Like, I have I have skills and talents that I could use to make myself better off, have a comfier lifestyle, not just money, but, like, other things. And I just can't bring myself to do it because I just have to like, my wife hates me for it, but I have, like, this strong beacon of justice that I've been, like, bred into me. And I'm blind to anything but that. And it and it and it it is at my own downfall, my personal downfall.

Speaker 8: So, anyway

Speaker 4: Oh, man.

Speaker 3: With that

Speaker 4: Sticking it to parking pass, people. I love it. Should we go to commercial?

Speaker 3: Let's do it.

Speaker 4: Let's do it. Starting some new isn't just hard. It can be downright terrifying. You put a lot of work into a thing. You're not entirely sure it's gonna work out. You're taking a huge leap of faith. I've started a few things. Now I know I was right for believing in, you know, the idea, the product, despite all of those fears and hesitations. But boy, does it sure help when you have a partner like Shopify on your side. Shopify is the commerce platform behind millions of businesses around the world and 10% of all e commerce in The US. From household names like, well, hacked podcasts merch, to brands just getting started, you can get started with your own design studio with hundreds of ready to use templates. Shopify helps you build a beautiful online store that matches your brand style. Did I mention that that iconic purple shop pay button that's used by millions of businesses around the world? I don't know why I wouldn't. I should. It's why Shopify has the best converting checkout on the planet. It also helps boost conversions, meaning less carts, sort of getting abandoned in the parking lot, and more sales for you. It's time to turn those what ifs into sign up for your $1 per month trial at shopify.com/hacked. Go to shopify.com/hacked. One more time, that's shopify.com/hacked.

Speaker 9: Whatever your thing, it could be anything. Canva helps you make that thing a thing. Canva is a simple online tool thing. It's a way to design with our magic AI tool things. You can social media your thing, generate images or videos of your thing, make decks for presentations to show your thing. Whatever needs to be done for your thing, Canva can make it an even better and bigger thing. Canva, the thing that makes anything a thing.

Speaker 3: Study

Speaker 10: and play. Come together on a Windows 11 PC. And for a limited time, college students get the best

Speaker 4: of both worlds.

Speaker 10: Get the Unreal College deal. Everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft three sixty five premium and a year of Xbox Game Pass Ultimate with a custom color Xbox wireless controller. Learn more at windows.com/studentoffer. While supplies last, ends June 30, terms at aka.ms/collegepc.

Speaker 8: Thinking about refreshing the carpet in your home? Now's the time to do it. For a limited time at The Home Depot, get 10% off installed carpet projects on trusted brands like Lifeproof, Lifeproof with PetProof Technology, Home Decorators Collection, and Traffic Master. Plus, with installation starting at just 49¢ per square foot, upgrading your space is more affordable than ever at The Home Depot. Offer valid, 06/11/2026 through 06/28/2026. Exclusions apply for licenses. See homedepot.com/license numbers.

Speaker 4: Okay. Before we get to our next caller, thanks for listening to hotline hacked. If you would like to share your strange tale of technology or parking pass abuse or computer confession, go to hotlinehack.com. You'll find an email you can submit to. You'll find a phone number. It is +1 (888) 281-8869. You call in. Leave your message, and we might talk about it on the show. We've got some fantastic calls we're not getting to this episode. I'm just gonna highlight it because we highlighted it last time. Tonskos, spins an epic Yarm. We're saving that one for a rainy day. We've got stories about airplanes. We've got we've got all sorts of wacky stories. We're not getting them to all of them today, but we will in the future. If you'd like to get yours in there, hotlinehack.com.

Speaker 7: Just wanted to try this out. I don't have much in terms of, like, you know, I've I've always been interested in cybercrime, but I've never had anything myself. But, I did once wanna join a Discord server that was called the family. It was, like, spam to, like, a random dead server. I was in, and I was like, I don't know what that means, but that sounds really fun. Like, I wanna be in the family, obviously, even though I'm, like, fully not hold on. Sorry. Let me restart. I got a weird text. My friend spotted me in the wild, apparently. Anyway, I, yes. I wanted to join the family, but I'm not I'm not a particularly savvy Discord user, nor am I someone who goes out of the mouth. They're just calling the family, and it sounded kinda lit. So, you know, I I kept scanning this QR code, and nothing happened. And I just kept scanning it. And then they hacked my PayPal. Got a bunch of, like, money from it. I didn't really know what to do, so I got a new card on it. I was gonna switch out. But yeah. Like, they they I they got a few, like, Discord Nitro even though I haven't had Discord Nitro in, like, forever. It was really crazy. But they just kept charging Discord Nitro, like, a few times. And so, you know, luckily, I was able to cancel and all that, but I was like, what? What the hell is going on? That's what they choose to do with my PayPal information, but maybe they couldn't do anything else. I really don't know. Yeah. That's that's kinda yeah. That's kinda what I got for y'all. So good luck with your hotline.

Speaker 3: Spotted in the wild. Spotted in the wild.

Speaker 4: Spotted in the wild. You said something in your call. Who wouldn't wanna be part of a family? And, a big part of family is being honest. I did a little research. I think you maybe got caught in a little bit of a thirst trap there, friendo. YouTube video digging into the scam from a YouTuber called No Text to Speech. Really good stuff. And in his video, he digs into what he called three scams that involve exploring people's hormones.

Speaker 6: On God, all you horndogs really gotta take a step back and think about things. In this video, I'm gonna go over kinda three types of scams I've seen that involve, you know, exploiting teenage hormones.

Speaker 4: I I think these are thirst trap Discord scams is what happened here.

Speaker 3: Go further, Jordan. Tell more. Tell more.

Speaker 4: Tell more. A person a person gets a message inviting them to this Discord server. It is, the reason I'm pretty confident this is what we're looking at is because, you know, the the graphic is is right in the YouTube video. The family reference is to do with Dominic Toretto from Fast and the Furious. Okay. I'm not sure if you're familiar with this film franchise. It's a film all about how what does he say in the movie? I don't have friends. I have family. That line is quoted in the, kinda spammed Discord thing. You click on it to verify. It takes you to another Discord server. And it is there that the victim encounters a verification bot, a fake verification bot in the server that gives you a QR code to scan to verify using the Discord mobile app, scan with Discord function. Discord QR codes are used to log into accounts, and what they're trying to get you to do there by scanning this fake verification bot is to try to get you to scan their login QR code to log into your account on their computer. Do not use the Discord QR scanning app on anything you see on Discord. It is almost certainly just trying to get you your account logged in on someone else's computer. So So? Then there's the question of PayPal. Caller, I think, generally got it. There's the remote chance that something in their account made of like, some piece of information was used to log in to PayPal. I think all this was was the person using their Discord profile to purchase Discord Nitro, which can then be resold or gifted to other people.

Speaker 3: Yeah.

Speaker 4: What I'm guessing is the PayPal was connected to Discord, and that's what happened.

Speaker 3: Yeah. I think the same. I think that the PayPal was connected to Discord. They lost access to their Discord, and then bang, all of a sudden somebody was spending their spending their Discord connected PayPal monies on Nitros.

Speaker 1: Exactly.

Speaker 3: The family.

Speaker 4: Cracked that mystery. The family. Yeah. It was one of several of these similar scams, that were identified in no text to speeches video, but they all, typically were paired with some sort of message that you would probably only click on in a a hormone hormonal flurry of poor security protocols. Let's call it.

Speaker 3: Alright.

Speaker 4: Try to keep it remotely PG

Speaker 3: over here. I don't think it would be remotely PG. It's probably, like, lightly r, if not strong r, light x.

Speaker 4: Oh, yeah. No. There's a reason we're not re reading the, YouTube transcript verbatim. Yeah. Yeah.

Speaker 2: But I

Speaker 4: think that's what happened here. And, hey. You know what? It that's okay.

Speaker 3: And here here's what I'm gonna say. No shame. No shame. Zero. Zero shame.

Speaker 4: Zero, friend. Zero shame.

Speaker 3: I'm I'm sad that we're happy here. And I'm glad that you're part of the hacked family as we don't try to steal your money.

Speaker 4: This is true. Thank you for calling with your story. It was a nice reminder that that, scan to verify QR code thing is at the heart of we've talked about Discord scams before on this show. The scan QR code to verify thing is at the heart of, like, all of those things. So this call was a really great opportunity to get to kind of remind ourselves of that. Never scan a QR code using the QR code scanner inside the app itself. The app QR code scanner is typically used for verification purposes. If you're gonna scan a QR code in the wild, don't use the built in app.

Speaker 5: So a few years ago, while I was getting started in my cybersecurity career and had some extra time on my hands and feeling extra ambitious, I decided to try and go after scammers similar to the scam baiters that you find on YouTube. Had a whole setup, green screen, little costume. I had a idea in my head that I, would have my face covered in the videos until I reached a certain subscriber point. And, so I started, you know, going after scammers. Found form after form and and chat groups that had phone numbers to call and, created an anonymous, persona with the phone number and all this stuff. I had a voice changer, you know, the whole nine yards. I I was trying to be as legit and, technically savvy as possible with my whole setup. On my professional side of my career, I've been, learning how to set up remote portals for, managing, endpoints, remotely and being able to deploy the agents for these remote management tools, silently in the background. And so I had that under my belt, and, and I wanted to learn how hackers moved laterally through networks and all this stuff. So, anyways, fast forward a couple weeks, I've got a number of scammer endpoints in my portal using tricks I've learned along the way. Most of it was, using AnyDesk to kinda do a reverse connection to the scammers and then get a script running on their endpoint to, launch a reverse shell that would give me remote access and be able to launch my remote tools on their systems. And I started making connections with other people in the community. A couple big names in the the YouTube scam bait community. And, they started actually using some of my tools to be able to bring some of these, bad guys, the scammers, and whoever they could find into my portal. And, so, occasionally, I would have endpoints that would just show up out of nowhere. Something that I didn't do that, you know, another scam baiter had done. And one of the scam baiter started going after crypto scammers, which was a very different breed of scammer than I was used to. I was going after all the Indian call center scammers. And, and as it turns out, the crypto scammers were mostly Nigerian, at least these ones that we're going after. And some of them were based out of Nigeria. Majority of them, as I learned, were based out of Cyprus. Apparently, Cyprus is an area of the world where a lot of, scammers from Nigeria have fled to because of persecution in their home country for scamming. And we ended up getting onto this one particular person's computer, because his friend, who's running crypto scams, decided to borrow his friend's computer to try and, help my my scam bait buddy. I put in air quotes help. Show him how to, you know, release crypto to him using AnyDesk or whatever tool it was. And, and so my my scam big buddy got on to this friend's computer. Well, it turns out this computer, this person that owns this computer, was an email scammer. I guess maybe, like, one step above crypto scamming. And if you're familiar with email scams at all, they kind of work the range of romance scams, but primarily, they will focus on businesses and getting, kind of a man in the middle set up, between businesses where they will act as a person on either side of a company, usually between payroll or, an accountant in a company. And and they'll they'll send fake emails to try and tell a person that, you know, you owe this much money. You know, we're we're expecting this payment from you. Where is it at? Or they'll pretend to be a CEO. That's a really common one. They'll pretend to be a CEO, and the CEO will, email the accountant, saying that they need a payment sent through to a vendor, ASAP because of, you know, some reason or, you know, the payment didn't go through, and we don't want the services to end, so on and so forth.

Speaker 3: I'm just gonna stop it right there for a sec. Do do you know that it's illegal to just mail out invoices?

Speaker 4: Interesting. I mean, that makes sense that you would have to make a law about that because it makes even more sense to just try and, like, lob a bill into the ether and see if someone will pay

Speaker 3: it. Exactly. So there's a this is like an old school scam that, like, I've seen a few times. And, actually, I still get these occasionally, and it's it's the only ones that have gotten it with any kind of recency is DNS registration ones. So they'll actually scan the DNS registries and look to see if any of your, like, websites are coming up for expiration and then they essentially send you an invoice to reregister it. Because I'm sure for for, you know, every 10,000 of those that they send out, they get a 100 back or, like, for every thousand they send out to get

Speaker 4: one to

Speaker 3: 10 back one to 10 back paid. And they, of course, charge you, like, 15 times what it would normally cost. So anyway, I did some research into it a long time ago, and it turns out it's essentially mail fraud and what I would assume is now email fraud to just blanket invoices out because assuming that some company is gonna receive it, it's gonna be small enough that they're just gonna throw it into the payables pile.

Speaker 4: Right.

Speaker 3: And just assume and especially if it's like you're a major construction company and you get, like, a an invoice for, like, screws. You're like, okay. We owe $700 in screws. Like, if our

Speaker 4: something we buy. Sure.

Speaker 3: So, like, just pay this. And it's like, I I I learned that that is actually fraud. So, anyway, let's jump back to the story, but I just thought that was an interesting tidbit.

Speaker 4: No. It's a it's a good thing to chime in with. Interesting.

Speaker 5: So enough backstory. I'm on this guy's computer. I've been watching for weeks. I'm recording the screen just floored by all the stuff I see and also floored by the fact that he's not technically savvy at all. And he's got chat windows open with, you know, his different guys that he's connecting with. And for the life of me, I can't really follow or understand a lot of the stuff that he's saying even though it's in in English because of the slang that they use. And, but I decide to, you know, be a vigilante and, help out some of the business owners or businesses that this guy is going after. I've pulled passwords from my systems, and and I began calling some of these companies. And, you know, the individuals I mailed to get a hold of, I I would talk to them and, tell them what I'm seeing, tell them who I am, you know, my my alias name, and and what has happened. And when they don't believe me, you know, I tell them the password or part of the password that I've pulled from this gentleman's computer. Majority of the time, the individuals would freak out and ask me if I was a hacker, which, you know, is really hard to convince them of otherwise. But the worst one, and this is where the story is all leading, was, there's a box company in Atlanta, that it seemed like a fairly large company that the scammer had gotten into the CEO's mailbox. And it never really dawned on me till I needed to do this that, it is really difficult to get the contact information for the CEO of a company. They don't exactly, you know, post the phone number on the website, and I couldn't email him because the scammers in the email box. So I started calling the company. And, routinely, I would get the receptionist, and and I would, you know, tell the receptionist what's going on. And after a few attempts at trying to get her to get this message across to the CEO that his email has been, hacked into, and there's a scammer that is watching all of his emails, and he's trying to, you know, siphon money out of the company. After nothing had had happened, I finally decide to give her my alias anonymous phone number, to, you know, pass on to the CEO so he can call me. And the next day after I do this, I log on to the scammer's computer, and on his screen, on his chat window, I see my number. My alias number, not my real phone number, but my alias number. I see it on his screen, and I'm like, holy shit. Because as it turned out, the receptionist had emailed my information to the CEO even though I told her his email had been compromised. And that day, I received multiple phone calls on that number who I'd given to virtually no one, from various different, numbers. And, yeah. So it was a little scary. And I I, you know, was telling all my friends and my boss, you know, about some of the stuff I've been doing. And my boss was like, you know, you have no idea how much money is behind this guy that you're watching and how high, you know, he goes or what skills the people love him have. So please be safe. Maybe stop doing this. You don't want them showing up on your front door. And, so soon after that, I I stopped going after guys like that and just continued on with the Indian scam calls until I got bored with them. But, anyways, that's my story. I don't know how you guys are gonna cut this up. Just thought I would share.

Speaker 3: Oh, we're not gonna cut it up, buddy. We're gonna play the whole thing.

Speaker 4: Whole dang thing. I thought we were gonna cut it up, and then relistening to it. I'm like, this is fire. This is so interesting to me. There's there's a lot to unpack in this one. The first is and this is more just, like, subjective, but the sort of hierarchy of different types of scammers Totally. Talking about the call center scammer and then the sort of next tier above the crypto scammer,

Speaker 3: maybe. Email.

Speaker 4: And then I think to use his phrase of one step above crypto scammer, the email scammer, which includes sub variations like the romance scam, but relevant here, the man in the middle between two businesses scam. Like, on the way to this story, just sort of does a casual drive by survey of the entire phone scamming landscape. I find that so interesting.

Speaker 3: The this one's interesting for a number of reasons to me. A, because most scamming scammers, these things, these are essentially organized crimes outfits. Right? Like, they're not Yep. Like, large call center scammers are essentially organized crime in whatever jurisdiction they're operating in, whether it's India or Yeah. Africa or wherever. Getting into crypto scamming, those are also largely done by organized crime in Russia, The Ukraine, Belarus, Georgia, you know, you name it. Yeah. The eastern black loves a good crypto scam. Korea too. The getting into email, like, emails, actually, what I would say, I can see how the I can see how the ladder progresses because an email hack being like, hey, can you pay this invoice immediately coming from the CEO going to the payables department is like real white collar crime. Like, you're you're you're it's like most fraud that occurs inside of a business occurs in the accounting department. Right? Like, if you're an accounts payable person and you make $20 an hour, you can add a vendor for payment, create invoices, and key those invoices in, and then put the checks into a stack of checks to be signed or automatically sign them if they're low enough on the the pricing that they're automatically approved. Like, there's the the amount of fraud that occurs in businesses often happens at the lowest end in people in, like, the accounts payable department, payroll department. You add fake employees and pay them, etcetera, etcetera. So, like, to jump in and, like, take over executive level emails and senior people and essentially people that have high levels of authority in the company to sign off on larger expenses and then to fabricate those expenses and force staff to pay them. Like, that's a that's a I'll go as far as to say pseudo sophisticated fraud.

Speaker 9: Sure.

Speaker 4: And It's definitely more in the, like, corporate espionage realm of things than a romance scam where you're carpet bombing people with

Speaker 3: Totally.

Speaker 4: You know, first step in a long con romance type emails. Like, no, you you hacked a person's system, and it reveals how deceptively hard it is to wriggle your way around something like this once the email is compromised because you've compromised the channel through which people would reveal the vulnerability. Yes.

Speaker 3: But the other thing I found interesting is is the fact that whomever this is, their employer was, like, kinda cool with it. Like, they weren't

Speaker 4: Yeah. Sure.

Speaker 2: They weren't

Speaker 3: cool with it, but they were like, you know, you should really watch out. Like, these people mean business. It's like you're getting in the middle of a multi like, multi multimillion dollar Yeah. Fraud, and this could be detrimental to you. But also, like, you know, see you tomorrow morning.

Speaker 4: Pretty cool boss.

Speaker 3: Pretty cool boss.

Speaker 4: Yeah. It it's definitely like a thank god. Obviously, a very tech technically sophisticated caller is naturally going to use a burner number for anything

Speaker 7: Of course.

Speaker 4: To do with, interfering with an organized crime syndicate. Thank god you did because that receptionist just sort of revealed the whole, the whole investigation in that email to the CEO. What I wanna know is, what happened with the company? The the end of the story, if I'm understanding correctly, is Homeboy calls the receptionist trying to inform them the scammer is in their is in their system and can see all of their emails. The receptionist does not really appreciate the spirit of this warning and emails word of that onto the CEO, thus giving the phone number to the hacker. We know that the caller starts getting all these weird calls from the hacker. Thank god it was a burner. But what happened to the company? Do you kinda just throw your hands up and go like, okay. I tried. I I tried to give you a warning. You just turned around and informed the person I was warning you about. I'm gonna take my boss's advice, be safe, and walk away from this. Like, I'm so curious what came of this. How much money was drained out of that company? Who knows?

Speaker 3: The the other thing I would say is, like, a word of advice is if you're calling in with something like this and you wanna talk to a CEO, clearly, you never worked in sales. Like, you can't get through to the executive branch without coming through a few gatekeepers. If you've got some kind of information like this and you need to get a hold of somebody that cares about it, just ask for the IT nerds because they'll understand, and they'll take action immediately to figure it out. It's like, just go to

Speaker 4: That's a great point.

Speaker 3: Just go to IT. Just skip it. The gatekeeper of of of the receptionist is not gonna give it any merit to because they don't understand it. And then they're gonna get even if you got to the CEO, they probably wouldn't understand it, and they would just bounce you back to the IT guys and just our people. And just go to the IT people. Ask if they have a security officer. If they don't, just ask for anybody anybody in IT. And they would have been like, okay. We understand what you're saying. You've hacked into somebody. You are a hacker, by the way. You've hacked into a scammer's computer, and you're now, like, observing his activity inside of our company. That's very valuable knowledge to to IT people. But, yeah, I'd the the the anti scammer world is is fascinating to me. Fascinating.

Speaker 4: We've never actually interviewed anyone that does this. And scam baiting is so fascinating because it can be both done so well, and there are stories of people trying to do it and having catastrophic outcomes. So it's like it's a it's a real tightrope act. People are pulling off when they do it really, really well. But I think we gotta talk to someone in this world.

Speaker 3: I I I think I was

Speaker 4: I think we have to call.

Speaker 3: We gotta get scammed. We're just one of the big YouTubers on, Jim Browning, I think is big in it. Kit Boga, obviously. I've talked about him before on the show.

Speaker 4: We have.

Speaker 3: Like, the they're they're, like, almost low level harassment to the scammers. It's so funny.

Speaker 4: Yeah. Well and, apparently, I didn't know about this. Cyprus.

Speaker 3: Cyprus. Do we

Speaker 4: gotta go to I think we gotta go to Cyprus. I think we gotta do a little investigation to what the heck is going on in Cyprus.

Speaker 3: I think I think the outcome of that story is that island Scott needs to go to Cyprus.

Speaker 4: I'll see you there. K. I so we we got parking passes, forged parking passes

Speaker 3: Mhmm.

Speaker 4: Social Security number

Speaker 3: Bad database design.

Speaker 4: The bad database design. Thank you. I couldn't couldn't quite figure out how to articulate that one. And finally, we have a very intense but fascinating story about scambaiting and why you always go straight to the IT department.

Speaker 3: Yes.

Speaker 4: They're the one. They'll kick down the door. They won't email it.

Speaker 2: Yeah.

Speaker 4: Exactly. Like, burst through leaving a, like, them shaped hole in the wall of the CEO's office, banging a drum, screaming, like, turn the computer off right now, unplug it. I always go to the IT department. Thank you so much for calling in. Thank you so much for submitting your audio. I think we're definitely gonna do another one of these. Yeah.

Speaker 3: We've got a bunch more of the This was bunch more in the files, so we definitely have to do another one.

Speaker 4: This was heaps of fun. Hotline hacked. Hotlinehacked.com. Ignore the best security certificates or, like, the absent security certificates on that site.

Speaker 3: No. No. We we we I gave it a I gave it a security certificate.

Speaker 4: Do we oh, I thought I got a oh, yeah. HTTPS. No. You're right. Totally.

Speaker 3: It's okay. Fixed.

Speaker 4: It's not fixed. Ignore me then, and go to our rock solid secure website to submit your story. Thank you so much for calling in. This was fun. Oh.

Speaker 3: While you're And? While you're just visiting websites related to us, you can also go to store.hackpodcast Yeah. Yeah. Patreon.

Speaker 4: And maybe go Maybe Patreon. Go over to our Patreon. Yeah. Hackpodcast.com.

Speaker 3: Follow us on our our socials that we don't really use so you could be there for the occasional tweet. We do respond Yeah. Typically if you We do. If you say things to us, but we don't really we're not we're not very vocal. We save that for the podcast episodes.

Speaker 4: No. We're reply guys on Twitter for sure. Yeah. And if you live in Cyprus and wanna host us Oh. While we come there and, trepidatiously knock on email scammers' doors, get at us. We'll see you on the beach, baby.

Speaker 3: Island Scott. Here he comes.

Speaker 4: Island Scott's coming. Try and stop him. Haulin hacked. Thanks for listening, everybody. We'll catch you in the next one. Take care.