How Hacks Happen

Hacker, Broker, Scam: Following Stolen Data

Many Worlds Productions Season 3 Episode 19

When a scam caller knows everything about you--your address, social security number, bank account--how do they know? There isn't some super powerful hacker ring with its own call center. Your data is actually stolen at one end of the internet, goes on a trip through hacker forums and dark web stashes, and reappears in a neat spreadsheet for a call center. The more you know about how your data is breached, sold, and aggregated, the better you'll be prepared for your next well-informed call from a scammer. 


Hacker, Broker, Scam: Following Stolen Data

Celia: Ugh, why is my bank calling me? 

Roger: Hi, this is Roger Simmons. I am calling from the fraud department at Pioneer Federal Bank. Am I speaking with Celia Shodsky?

Celia: Yes, this is she.

Roger: I’m calling about your account number ending in 3257. This is your checking account at Pioneer Federal, correct?

Celia: Yes! Is there a problem?

Roger: We’ve detected fraud on your account.

Celia: Oh no!

Roger: It’s okay, ma’am. I just want to confirm two transactions. One was a payment to Big Mortgage Company on March 1st, for one thousand five hundred and thirty-two dollars. Is that a valid transaction? 

Celia: Yes, that’s my usual mortgage payment. 

Roger: Great. Now, there’s another charge on March 5th for two thousand eight hundred dollars, to Riverline Scooters. 

Celia: No! I never bought anything at that place, I’ve never even heard of it! Oh my god, can you reverse that one?

Roger: Yes, ma’am, we can, but we suspect there’s going to be more fraud on your account. 

Celia: How? Can you stop it?

Roger: To avoid any further fraud on your account, we have a solution. We are going to have you move your funds to one of our secure accounts, where we’ll hold it for you for a couple of weeks while we do an investigation. Then we can deposit it back in your account.

Celia: What do you need me to do? 

Roger: Well, this is the tricky part, ma’am. We suspect that someone within the bank is responsible for the fraud. So we need you to keep it very quiet, okay?

Celia: Okay.

Roger: Just go to the branch at 72 Main Street, and withdraw all your money as cash. That’s your closest branch, right?

Celia: Yes, that’s the closest one.

Roger: Okay. And I see here that you have around $48,000 in the savings account connected to the checking account, so you should withdraw that too.

Celia: But aren’t they going to ask me a bunch of questions about it? What do I say?

Roger: Just tell them you’re buying a used car, and the seller will only accept cash. We have to be absolutely sure we don’t tip off the person at the bank.

Celia: Oh, yeah, I can do that.

Roger: Great. Now, after you get the cash, one of our agents will come by your house to pick it up. You’re still at 131 Maple Lane, correct?

Celia: Yes, that’s right.

Roger: Do you have a bag for the cash? Like a duffel bag?

Celia: Oh, yes. Yes. I’ll put it in there.

Roger: That’s perfect. We’ll send over our pickup agent in two hours to pick up the duffel bag. His name is Michael Smith.

Celia: Okay, I’m gonna go do it right now. Thank you so much for calling!

Roger: You’re welcome, ma’am. I’m just glad we’re going to be able to keep your money safe from fraud.

Safe from fraud, my a**.

That’s a crazy story. But in case you haven’t noticed, it’s a scam, through and through. After Agent Michael Smith picks up the cash, Celia will never hear from the fraud department of Pioneer Federal again. But in reality, Celia never heard from the fraud department at Pioneer Federal. The call was a scam, and a pretty sophisticated one, too.

Now this is a made-up story. Pioneer Federal is a made-up bank, and Celia is a made-up person. But scams like this happen all the time. 

So, how could this happen? The scammer called from the number Celia had in her phone, for her bank. And the caller knew everything about her–her bank account number, her address, her most recent transactions, and even knew how much she had in her checking and savings accounts.

And yeah, there were definitely some red flags in that phone call to Celia, but between the urgency of the call, the phone number it came from, and all the information the scammer had, people do actually fall for this one. Bank impersonation fraud, also called impostor fraud, is estimated to cost us regular old people $2.7 billion a year.

So how did these scammers get all this information? The journey that your data takes, where it starts off hidden behind a password or some other security measure, and then it ends up in a scammer’s phone call, where they’re blurting it all out to you–that journey is not a straight line.

To understand what happened here, how so much of someone's personal data could get into the hot little hands of an actual scammer making a phone call, we’re going to begin at the beginning. We’re going to start with a little boy named Jimmy.

Jimmy learned to use computers when he was six years old. And now he’s a little older, and he spends a lot of time in his room, alone with his computer. And his parents don’t mind, because Jimmy is quiet and well-behaved. 

What his parents don’t know is that by the age of 11, Jimmy is hacking into his school’s computer system for fun. He doesn’t do much damage, just deletes some emails and sends some spam with offensive pictures to people. It’s kind of fun to break into the system and see what he can do, but he doesn’t actually hurt people. 

And Jimmy hangs out on a social media platform called Discord, where he meets other kids who are also into the same kind of stuff. They’re his friends, these other kids on Discord. Friends from all over the world. They chat and exchange memes and make immature jokes about sex. Teenage stuff.

At this point, Jimmy is what’s called a Script Kiddie. A Script Kiddie is a newbie hacker who uses easy, known hacking tools to muck around in other people’s networks. Like, one time, this is a true story, a Script Kiddie broke into my website and replaced the home page with an image that said “You’ve been hacked.” And that’s all they did. It was an easy fix, and when I complained to my service provider, they fixed the security hole that made it so easy to deface my website. I like to think this was Jimmy in action. Actually, I have to admire what this Script Kiddie did. He pointed out a security hole without really causing damage, and made my service provider fix it. Plus the picture that the Script Kiddie put on my website, it was this wizardy-looking kind of guy, it was actually a really cool picture. So thanks for that, Script Kiddie.

Okay, back to Jimmy. By the age of 15, Jimmy is reading books about computer networks, which make him a little bit of a wizard himself. But Jimmy is kind of bored now. He’s hacked a few games, but it’s not that challenging anymore. Then he hacked his friend’s dad’s email, and found out about his secret stash of porn. Which was just funny, but kind of boring. 

On Discord is where Jimmy meets Sophia. Sophia is 15, and she’s into social engineering. Like, she’s a genius at writing emails and texts that get people to click on some bogus link and give up their logins and passwords. 

And she’s gotten her stepdad to fall for one of her emails. Now, Sophia is pretty sure her stepdad is cheating on her mom, and she wants to see if she can find something that will confirm her suspicions, like pictures of him with other women. 

That’s been her whole motivation the entire time. And now she has stepdad’s Apple ID, the login and the password, which is connected to stepdad’s email address and his iCloud account, where stepdad’s photos are. Get where I’m going here? But because of the security on these Apple ID accounts, Sophia can’t really use her stepdad’s credentials to get into his account. He has two-factor authentication, and she doesn’t know how to get around it.

When Sophia finds out that Jimmy has already hacked into some email accounts, she asks him if he can come up with something that can help her. 

Can Jimmy figure out a way to get around stepdad’s two-factor authentication on his Apple ID? And Jimmy, being curious, and let’s be honest, probably has a little bit of a crush on Sophia, he checks it all out, and he finds a way to do it. He finds a way to hijack the authentication process when stepdad logs in. I won’t get into the technical details, but just realize he figures it out. And he tells Sophia all about it, and he shows her how it works.

It’s all fun and games, the two of them get together and they hack into stepdad’s Apple account and find a bunch of photos of him with other women. Plus, they find PDFs of bank accounts showing that he’s paying for his girlfriend’s bills on the side, all while he’s telling Sophia’s mom that they can’t afford to take a vacation. 

And Sophia, she’s ecstatic. She is so happy she found this information. She can finally convince her mom to leave her dirtbag stepdad. Thank you, Jimmy!

At this point in the story, we have a little bit of a fork in the road. Jimmy more or less goes his merry way. He graduates high school, goes to college to study computer science, drops out after two years, and then gets hired onto the cybersecurity team at a major financial institution, making well over six figures. He’s on the straight and narrow now, but those early years in hacking really served him well. He’s actually very good at his job. Good for you, Jimmy!

So now we’re going to go back and see what happened to Sophia. Right around the time Jimmy is leaving the Discord for good, Sophia finds her way onto her first hacker forum.

This hacker forum, it’s not actually a big secret. It’s right there on the surface web. Anyone can find it and join, and start asking questions about hacking. If you’ve listened to my episode on the Tor Browser, you know that the surface web is the internet that you and I see every day, which we can reach with our Chrome or Safari or Firefox browser, any browser, and we can do a Google search and find things and watch YouTube and do all this other stuff we do on the surface web.

Just below that is the Deep Web, where anyone can also go, but someone has to send you the link first because you can’t search for these deep websites in Google search. They aren’t indexed. They don’t show up.

Then there’s the Dark Web, which you can’t reach with your normal browser. We’ll get to that in a minute.

So these hacker forums Sophia joins, these are available to anyone on the surface web. But you can’t just jump in and start asking questions–you kind of have to earn people’s trust. One way to do it is to perform a little hack and brag about it, and show the receipts. Like, break into a computer system, and show a screen capture that only the hacker could have gotten. That’s going to get you some cred on this forum.

Do you remember what it was like to be a teenager? You can imagine that this kind of challenge, it was like catnip to Sophia. She is only 16 at this point. All she has to do is show she can do it, and she’ll be accepted by these very cool hacker people. 

So she uses her social engineering skills to break into the network of a local chain of used car dealers, and she gets a bunch of financial information about people who applied for car loans at these places. And from this hack, Sophia is able to go back to this hacker forum and show she’s got the financials for at least ten people. It’s just a little hack, but it proved she could do it.

And it is such a thrill for her, getting in there undetected, popping around the network, and getting out, scot free, with a bunch of loan applications, along with people’s names, addresses, social security numbers, and their bank account numbers. Ooh, this is great. 

And with this cred, Sophia is invited to a hacker forum on the Dark Web. 

To visit the Dark Web, you have to use a specific browser called Tor, T-O-R. And you have to know the exact address that you’re going to, and it’s a long string of letters and numbers. You can’t just go poking around in there. Someone has to invite you. Someone has to send you the link to a website, for you to even find it.

Sophia, very excited, takes the invite, and after she joins this one forum on the dark web, she eventually gets invited to more and more of these forums and other dark web sites. And to Sophia, it’s like being invited into a secret club, one where anything goes. A crazy bazaar where sellers from every country on the planet are hawking their wares. 

Sophia is hooked. She can put her skills to use here, she can make some money! 

She finds a particular forum where hackers buy and sell bank account data, and she makes a decision. She’s going to use her social engineering skills to get more Apple IDs and passwords, then use Jimmy’s exploit to log into people’s iCloud accounts and grab their bank account info, and then she’s gonna sell it!

Remember, at this point, Sophia is still just a teenager. She doesn’t have any concept of what it means to have your life savings stolen. She’s just rising to an exciting challenge that’s way more fun than her real life, with school and stuff. So, while her now-single mom is watching TV in the living room, blissfully unaware of what her daughter is up to, Sophia is hacking random people’s email accounts and iCloud storage. And this happens right around tax season, so Sophia finds a lot of bank statements that people have taken pictures of and uploaded so they can send them to their accountant.

These bank statements include each person’s name, address, and bank account number, or at least the last few digits of it. She gets in, she downloads the statements, and she gets out. And the people she’s hacked, they have no idea.

You might wonder, if a hacker like Sophia has all your bank account details, why don’t they just get in there and transfer your money away to themselves? Because bank transfers are trackable, which means the hacker could easily get caught. It can get messy. So it’s better for the hacker to sell the data to someone else, who can then run a scam to get you to hand over the money willingly. 

And besides, Sophia doesn’t see herself as a thief. All she took was data, not money, right?

So Sophia goes back out to that big black bazaar on the dark web, and puts this bank account information up for sale. And one of the people who buys it, is someone named Vladi. 

I’d like to point out here that Jimmy and Sophia and Vladi could be from any country. They could just as easily be from Russia or Nigeria or Jamaica as from the United States. When it comes to hacking, the internet knows no bounds.

And now, we’re going to take another fork in the road and we’re going to leave Sophia so we can follow Vladi. Before we do, you should know that Sophia hung around the Dark Web for a little while, but eventually left hacking behind to go to law school. She’s doing really well for herself now, so I hear, and she specializes in prosecuting fraud. Good for her.

So let’s see what Vladi is up to.

Vladi is kind of like an expert real estate agent with a little cash in his pocket, looking for a bargain. He knows which house is underpriced, he knows when the tax auctions are happening. Except in his case, he’s not looking for buildings, he’s looking for data on the dark web, data that he can buy and resell. 

And overall, Vladi is very happy with his purchase from Sophia. It was a nice little find from a newcomer on the scene. And because she’s new, he got it at a really great price.

Vladi also has something else: from another data breach, he has the social security numbers of everyone ever breached. Which means probably me and you. And he also has phone numbers for just about every name and address known to mankind.

So Vladi makes up a little spreadsheet-type thing. He takes all of Sophia’s data, and he finds the social security numbers and phone numbers that match all of the stolen bank account information, and he makes up a nice little package with all this data.

Now, Vladi, he knows some people. In particular, he knows this one guy named Sanjay. And Sanjay runs a little call center. But it’s different from your average call center in some pretty significant ways.

Remember Agent Michael Smith who was going to show up and pick up the duffel bag full of cash? His one job is to pick up the money and make sure it gets to Sanjay. Michael is a mule.

And perhaps most importantly, Sanjay knows how to spoof phone numbers. Like, he can make it look like a phone call is coming from any specific phone number. For example, the phone number of the fraud department for a bank. The number that a person might have saved in their phone.

So, Vladi the data broker sells this bank account information, this spreadsheet, to Sanjay, the call center guy. 

And this is where we reach another fork in the road, one where we part ways with Vladi. Having made a tidy little profit on his data sale, Vladi goes on to put together other data packages, and find other buyers. He is out of the picture.

And now, here we are, with Sanjay and his merry band of scammers, in a call center somewhere out in the world. With a nice, tidy spreadsheet of names, addresses, phone numbers, social security numbers, bank names and account numbers, the amounts in their checking and savings accounts, the usual day of the month for their mortgage payments, and the amount of that payment, and maybe even the address of the nearest bank branch.

Roger: Hi, this is Roger Simmons. I’m calling from the fraud department at Pioneer Federal Bank. Am I speaking with Celia Shodsky?

And that, my dear darling friends, is how these extremely personal scams happen. This data, all our personal data, is flowing out into the interwebs every day. I don’t think there’s any way to stop that from happening, but normal controls, like banks watching out for unauthorized transfers, keep hackers from stealing from us under normal circumstances. The main threat in this story is the scammer phone call with the urgent message for you to act now, withdraw all your money and give it to them. And once that cash is handed over, there is no way to get it back.

Scammers are counting on you to panic, and react in the heat of the moment. If you ever get a call like this, hang up, and call back the real number. Spoofing only works for incoming calls, not outgoing ones. So when you call back on that correct number, you should get your actual bank on the phone. Ask for the fraud department, and find out if they’ve been calling you.

Whew! That is a lot to take in. Your data can take some crazy trips! The safest assumption is that your data is already out there. But thankfully, there are safeguards in place to keep scammers from just getting into your accounts and stealing stuff. They need your consent to make that happen.

Shout-out to Katie Haze Productions for producing this episode.

This is How Hacks Happen, signing off for the day. Stay safe out there, folks!