Thank you for calling Hotline Hacked. Share your strange tale of technology, true hack, or computer confession, after the beep. Greetings, sorry for the submission not being audio. I don't want to reveal my voice but I still have an interesting story to share. I think it's fairer to let you two read it instead of using TTS. Joke's on you, we use TTS anyway. A friend of mine got phished and his Discord account was stolen.
What's really impressive is that there were four programmers looking at the screen while it happened, and no one suspected anything. How was this possible? Turns out there is a really clever trick that very few people know about. So, he joined a Discord server that required "verification" in a very unique way. He had to open a verification bot site, which gave him instructions to drag a certain link to his Chrome bookmarks bar.
Then he had to click this bookmark while being in a tab with Discord open, it reloaded, and he was in. Half an hour later, his Discord server started advertising crypto scams. Turns out that this link wasn't actually a link, but a script. Yeah, I was going to pause and jump in and be like,
I wonder how much malicious JavaScript was embedded in that bookmark that they dragged out. So I'm assuming that's where this is going. It would seem a lot, but let's find out. Let's find out together. Chrome allows you to drag scripts to your bookmarks bar and execute them by clicking. They call these bookmarklets. The problem is that these scripts run in the same environment as the current tab, so they have full access to the web app's memory and can do whatever they want with it.
This particular script extracted the authentication token from Discord's memory and opened a makeshift API link, something like https colon slash slash scamsite dot example slash API question mark token equals 0123456789 to send it to the server. I love this. I love that. Just reading it out loud. The TTS is showing us like a temporal structure. So essentially what they're saying is that
the JavaScript pulled the token out of the memory and then jammed it into an API call which sent the token back to the server. When I learned about this, I created a simple Python script that opened a ton of these API links from different IPs and submitted random strings that looked like Discord authentication tokens, hopefully disrupting the scam.
A few days later, the verification site was gone, though I have no idea if that's standard for scams, or I actually did something. This scam really shows how important it is for cybersecurity to be informed about new technologies and various quirks, and to never be 100% confident in your knowledge of tech. Anything that asks you to drag and drop anything into your bookmarks is probably mucking with you. Like, we have so many ways to verify things these days that...
you know, double factor or multi-factor authentication, sending you or texting you codes, like whatever that looks like. That when something's like, hey, do you mind like putting this code into your browser and executing it for me? It's like, yeah, it's like you're probably...
screwing with something. Welcome, people. Thank you for joining us. It's the call-in show, where you can share your strange tale of technology, true hack, or computer confession. If you want to share your story, go on over to hotlinehack.com.
Hotline Hacked brought to you by Push Security. You're going to hear more about them later in the show. But before we get to that, we got to dig into this caller's call. Let's dig in. Okay, so a friend got phished. Their Discord credentials got stolen. The part that was never really explained was the idea that this all occurred while there were three programmers watching the screen. I want to understand that situation more because it sounds like maybe someone bumped into something and then gathered everybody around to like...
and see what happened. It almost had the vibe of an experiment, but I can't figure out why you would let that happen given that the fallout was your Discord server spamming crypto. The thought that I have is that they were probably programming together at university or something. Everybody's around. They're trying to get access to a Discord server for some purpose. Who knows? Whether it be gaming, whether it be all the things people do on Discord these days, which is a lot. Yeah.
There were probably just a bunch of them around a single computer and they were just going through the verification steps really quickly. There are a lot of verification systems on Discord these days, so I just ran into a new one that's like, oh, I've got to do this weird thing. It didn't trigger anybody's like, hey, maybe there's a reason why they're putting this in a bookmark, because it can execute the code inside of the browser window. Because if you click on the link...
it's going to run in the environment of opening a new window and then boom, probably nothing's going to happen because it needs to look for specific things in the memory. The fact that they had to put it in a bookmark meant that when it executed, it executed on the open tab, which probably was the Discord, which then gave it access to all of the information that was currently stored in the state of that tab.
Does that make sense? I think so. So a bookmarklet is different from a link in that it can run a little bit of code? Sure, sure. A link can also run code. You can embed JavaScript in links on the websites. But the difference is that the bookmark probably executes a JavaScript function. Imagine...
Imagine you wrote a small JavaScript function that replaced the word the with and or something. You could run that on any website by putting that JavaScript function and embedding it into a bookmark.
If you open developer tools on a website, you can interact with the JavaScript and interact with the website DOM entirely through the console. It's a live, living connection you have to it. You can jam in or type in or execute or import libraries of JavaScript and execute them right from the developer tools of an open site. The difference between a link and a bookmark is
is that the link, I'm assuming, probably looks to open and execute that code in a new tab or a new window or a new sandbox. Sure. Where when it's a bookmark, it probably interacts directly with the open tab and the sandbox that it's living in. Oh, and that's how they were able to extract the authentication token. Correct. And get access to the account. Correct.
So then on the backside of this, this caller then decides to do a little bit of a flip. The old switcheroo, they created a simple Python script to open a ton of these links. And they said that a few days later, the verification site was gone. And they asked the very interesting question of, did this deluge of...
from their Python script cause the creators of that spam bot site to take it down? Or is that natural churn just part of how these things work? You spin the spam site up, you let it cook for a couple of days, then you take it back down, you move on over. It's the many, many bank accounts of the classical criminal enterprise, but in URL form. It sounds like, and this is me hypothesizing, which I think we're all used to here on this show,
I would suspect that they kind of DoSed them. I would suspect that they wrote a Python script that sent in... Hell yeah. Rock on. That they wrote a Python script that sent in thousands of fake requests, which essentially would jam up the logic. It wouldn't jam up the logic, but it would essentially make it fail on thousands of entries in the database. Because if you imagine it's building a database of authentication keys and then leveraging them to push out
spam, all of a sudden those authentication keys start failing and instead of getting a 90% hit rate, they're getting a 0.09% hit rate.
All of a sudden it's like, well, now we've got this headache. Plus they probably were overrunning it. I would be if I was them. If we were looking to DoS them, if they just stole my thing and turned my Discord account into a spam bot, I'd be looking to counter attack, I guess. Yeah, sure. You want to get back at them. You and your three friends that were watching your other friend get crypto spam bot hacked, you want a little satisfaction. You open up
any of your favorite AI chatbots these days and say, this is an API endpoint. Make me a Python script that generates a random number and calls this API endpoint, set authentication token equal to this, and just do it an infinite amount of times. And you do that off of four computers and all of a sudden there'd be a million records at that spam bot endpoint that were garbage. So,
So the lesson here feels a little bit like, when you are clicking on a link, you're just going to a URL. Sure, bad stuff can happen, but the browser is still applying its usual security protections, you can hover over a link and see where it's going. And there's going to be an extra step to tricking you into executing some dodgy code.
If you drag a bookmark, a little bookmarklet, you're saving like executable, potentially like JavaScript in your browser. And you clicking it later could run the code on whatever page you're currently on at that moment. And that could execute a bunch of really dodgy, dodgy shit. So that lesson is...
If anything asks you to make it into a bookmark, you should probably do a code review as to what you're bookmarking. Okay. There you go. That's a surprisingly nice, clean, simple lesson from that call, that a bookmarklet drag is a very different action than a link click. That's good to know. Yeah, link clicks can be malicious too, but like... Sure. Yeah, I would say that there's probably layers more security being applied, as well as...
to have it execute the JavaScript in the same sandbox, if you think of Chrome, essentially every tab you open is essentially an independent sandbox. To have a link that clicks that interacts with a specific sandbox would be tougher than having you executing code in that sandbox, which is what the bookmark click would do.
Learn something new every day, Scott. That's the point of this show, Jordan, to educate Jordan. Especially when you make a cybersecurity show and you do not come from that background. You learn some stuff. I love it. Okay, before we move on to the next call, a quick comment about the ad volume. A quick, quick word from your hosts. Us.
So full transparency, we have put four mid-roll episode ad spots in the show since we started making it. They don't always fill up, but it's always been four. When we got offered what for us as like indie podcasters, a very exciting sponsorship deal, we didn't correct for that. So the effect was the episodes got kind of overstuffed with ads and no one likes it when a show that they like does that. That's our bad.
So we're going to pump the brakes with the mid-roll ads, and we're going to be more succinct with our reads. So by volume, it's more hanging out, telling weird tech tales with your pals, and less clicking on that, let's just be frank here, 15-second skip button. To everyone who took the time to message us or comment saying that we'd let it get off track, thank you for taking the time to give some honest feedback, and thank you for listening. Jordan and I are...
I would say relatively selective in who we take on as sponsors. Like we approve or decline. We decline a lot of potential sponsors. Yeah. But we do approve some. And there was some controversy about some of our recent approvals. All I'm going to say is erectile dysfunction is a real thing.
I'm okay with us advertising to people that need that help. We're going to keep our ad reads nice and clean and succinct, and we're just going to make sure that there aren't too many of them. And we're going to keep trying to be thoughtful about what we take on. Appreciate you all. Appreciate you all. Thanks for listening. And again, genuinely appreciate the honest feedback.
When the game was first launched, Blizzard introduced a system that allowed players to trade in-game items for real currency. Unlike shady third-party sites, the system was built right into the game and utilized PayPal for real cash transactions.
I love the start of this story already. This was like when, I don't know if you remember, but when World of Warcraft and these things, all the virtual currencies, there used to be essentially an index, like CoinMarketCap, the site that shows you what cryptos are worth. There were versions of that for in-game currencies. They had real world value. That was like market, supply, demand, commodity track. So it's like,
I just like where this is going as an economics tech geek. Did people ever short the in-game currency in those games? I don't know if they ever added derivatives to them. Were there options? That would have been awesome. Maybe something we should just whip up as a fun game. Sure, if I've coded. There were two types of currency, gold, the virtual in-game currency,
and United States dollars that could be cashed out after Blizzard took their 15% cut. When I first started, I played the game legitimately. I built up a decent character from scratch.
At the time, the items were easy to find, still valuable since the market was just getting started. You could sell a simple sword that you found and after the 15% cut, you would get $0.85 in your PayPal account. So I did this for a while, but it was just a couple bucks for playing the game.
One day I joined a game to make a trade. Somebody was advertising a stack of a hundred valuable crafting reagents, probably equal to $100 at the time, but at a suspiciously low price. They were offering it for $70 and this is a commodity so it could be cashed out quite easily. Is this turning into an arbitrage story about how this guy wrote a bot to arbitrage?
people that posted things for below value. It's starting to lean that way, and I'm very intrigued. Yeah, I like arbitrage. So this, again, just towing me further in. And you love Diablo, so it's all coming together for you. You know what? Truthfully, dungeon crawlers don't do it for me. Don't tell anybody. I'll get some fire for it. I agreed to the amount of gold in the trade window and clicked accept. So my side of the trade window lit up,
Instead, I just got one.
I was confused as to what was going on here. When I just had one, the other guy basically said, "Hey, you want to know how it works?" Because I just got scammed out of 199 items. What was interesting about this script was that you would click accept on your side of the window for when they had 100, and then they could click accept after and only give you one.
It was something broken with the game and it wasn't like I mis-saw the screen. So I'm like, yeah, I want to know what the heck's going on. So we got into a Skype chat.
What a thing to be scammed, and the immediate response is like, ha-ha, I scammed you. Want to see how I did it? Yeah, you want to see? Yeah, you can really only do that when you're scamming someone on the internet. If a pool shark does that, they're going to get hit with a pool cue. Totally.
I feel like this was the foundation where in-game trading and stuff required an escrow house to settle things out to make sure that this never happened again. But let's keep listening. I don't think they were chatting, but they were typing to me. They passed me an AU3 file.
Non-executable, but it was still kind of sketchy, and I just kind of hung around asking them, pretending like it didn't work. Luckily I didn't run it, because later I found out that when you ran the script, it would make you drop all your items in the game. Basically it would click on the screen, drag the item to the outside of the game, and then drop the item, and
So like, hey, you want to figure out how I scammed you? Also run this thing that's going to scam you even harder. Yeah, it feels like this is barreling towards an even larger scam. And it's like, oh, he like lured him out with the worm of want to see how I did this. He lured him out with the worm of do you want to buy 700 gold for $70? And then a subsequent worm of do you want to see how I did it?
And this call still has many minutes left on it. So I'm curious how many like Russian nesting dolls of grift this thing goes. Well, the thing, well, like the thing I'm waiting for is the turn because I'm assuming this person fights back at some point. Let's find out. So quickly I kind of realized, oh, this is what they're doing. I was young at the time, so I didn't really have a moral compass.
So I started kind of doing it myself and that script, the other one where it gave one instead of a hundred of the item became publicly available online.
So you do it to people or show people it even because eventually people kind of knew that that was out there so they wouldn't trade, but you basically show it to them and then go, Hey, you can do this too, but you have to give me 10% of whatever you make. And then instead of giving them that script, you would give them the script that makes them drop all their stuff and, um,
you'd sell other things and you'd go after characters in the game that were high ranked. So they've created a pyramid scheme of fraud inside of Diablo 3. But in fact, just like with the Discord one, to try and verify yourself onto the server, you're actually just dumping all your stuff and giving it to them.
So it's a scam. Yeah, I thought they'd created a pyramid scheme, but it sounds like they didn't even create a pyramid scheme. They said, we've got this bomb ass pyramid scheme. And then when you like, I don't know, walk into the pyramid, they're like, we're just kidding. We're just going to beat you up and take your stuff. We're taking all that gold. You could look up high ranked characters and then kind of go after them. And a character could be worth $500 of items at the time.
So you could imagine kind of how lucrative this could be. Not that this was good or I can condone any of this. So one day I met someone kind of doing the same scheme, but he took it to the next level. I believe his name was like Demand Demand or something. So if you're there, if you're listening, I'd love to chat again, but anyways, this guy was taking it to the next level.
If you're listening, I'd love to hang out and miss you, bud. I really like the idea that Hotline Hacked could become a missed connection for cybercrime. Be like, I saw you on the subway. I saw you on the Discord server. Our eyes locked across the Diablo gold grift in 2012. You just seemed special to me. I'm the guy from the Discord server that stole your Ethereum. Wondering what you're up to these days. Want to join a pyramid scheme? Sick.
I ended up becoming the recruiter, finding players who were eager to kind of, um, there were various different things where you'd set up. And one of them was people that wanted to run magic find runs. It was a popular in-game activity where you'd switch to different gear at the very end to maximize the drops in the game. But anyways, it was something that you could basically convince people, um, that
you'd be like, "Hey, our friend who's amazing, who's about to join the game." It would be the three of us, meet a man in the target and you'd run with four people and you'd be like, "We're waiting for this guy." But the magic find gear was such that you would have to have the whole group would do it and then all of you would get better drops. So we're using this script to swap our gear and we'd show them like,
"You got to run this script too." And eventually we'd get them to run it, and Damn Andaman would just kind of come in at the last moment. I would get these people warmed up, and this one would
Man, he had it where I never saw the thing, but they were connecting to some sort of server. And then damn Andaman, we'd see him in game and he'd send the command to make them drop all their stuff. He was pretty fair about the whole thing, but he had multiple people finding people for him, I think. And I was just one of those people. One time I just remember...
I had my sound loud and the guy on Skype heard all of his items dropping and started to panic. I don't particularly feel good about that instance. Once again, I was young and would not do this now.
But of course, this couldn't last forever. Blizzard eventually caught on and accounts started getting banned. That was part of the reason why Demandman was having such issues, I think, too, and why he needed people to recruit because getting to max level to be able to do this took a while.
I started asking my friends for their accounts and offering them a hundred dollars to let me use their characters. And then eventually I got down to like my last character, and I told Demandman, if this account gets banned, can you give me something? And he was like, yeah, I'll give you something, whatever. And to this guy's credit, like, he could have just ditched me, and like, he gave me...
I can't remember what it was, but he gave me compensation for like getting my last character banned.
And, uh, I, you know, then I would get other characters I think at some point, but eventually came to the end when like the real money auction house just like closed entirely and they'd implemented like trade warnings and a whole bunch of things to make it harder to exploit during the peak of it. I think I was making $3,600 a month.
I remember definitely days where like I would skip work to do this because I would make more money doing this than going to work. And looking back on it, I don't feel good about it, but I'll tell you, it was definitely thrilling at the time.
They could get that gear back from contacting Blizzard and getting their items restored, but I mean they would lose days of gameplay in the meantime. So yeah, that's my story. Hope you enjoyed it.
There's a lot to unpack there. Mostly, I'm curious who Demand Demand was, this like wraith-like Oliver Twist with the gang of young ne'er-do-wells running around doing crimes for him figure was. Here's a better thing, is that I know a pretty senior programmer who goes by the moniker of that.
No way. Yeah. So I was like, I just pulled up his Instagram and was like, could this have been you? Maybe it was. Offline. I'm curious about the spelling because every time that the caller said it, it was slightly different. Slightly different. It was slightly different. Oh, there's a lot to unpack there. So organized crime. Yeah. Diablo 3, 2012. Mm-hmm.
$4,000 a month as like a thug in the gang. Yep. Thrilling, as I'm sure most crime is. Yeah, I'm intrigued by the escalation of it. So they start out, they get compromised. They get invited into the hack. They realize that the invitation to the hack is itself a hack.
They then start doing that whole thing, that whole pipeline themselves. And they come across this demand, demand figure that offers them this even larger grift of, okay, you're going to take an account. You're going to form a party. You're going to get all these people into a little community. You're going to, it's like a long con. And then we're going to do this.
It sounds like some kind of a script that gets people to drop items. I didn't quite catch how mechanically that would work. Yeah, so not knowing Diablo 3 at all, I have no idea how it would work. But it sounds like they refined it to the point where it would take over your screen, show you a realistic loading screen. But in the background, it was iterating through your characters.
spawning them in world, dumping their inventory, changing characters, spawning in world, dumping their inventory. So it's like, doesn't matter which character you were partied up with, it would just start cycling through all their characters, dumping everyone's inventory. And then it became like a loot pool of like, okay, I'm gonna take the sword and you can take the shield, and
I'm like, what do you want? We're going to divvy up all the goods that we got after we... Sure. So this person is staring at this loading screen, probably still chatting with them in in-game chat or in Discord, like watching or whatever. Actually, 2012, it wouldn't even have been Discord. It would have been like one of those early, you know,
game chat systems. I can't remember. Like a forum or something, yeah. No, no, there was like a, pre-Discord, there was like a really crappy version of Discord. I'm trying to remember what it's called. They ran on the side of a game and let you chat with everybody. Let you talk to everybody. Just like Discord, sure. Yeah, exactly, yeah. Anyway, but it sounds like they really got into like mass stuff
And then some honor among thieves moment at the bitter end where he goes to demand him and says, if my last account, like I'm just getting there, they're starting to lock this down. If my last account gets banned, will you help me? Will you give me something for the riches I've made you? Because he's making $3,600 a month and he's one of these many merry bands of thugs. Yeah.
But presumably, Demand to Man was even doing better. And yeah, Demand to Man did him right. Hey, it's like the organized crime when the mafia pays your legal bills when you finally get charged. Totally. When you finally get out of prison, you got a slick situation waiting for you. Yeah. I remember reading about Diablo 3's economy. I've never played Diablo 3, but I remember reading about it. A few years ago, I was working on a small multiplayer indie game.
And just going down the rabbit hole of learning about those economies, it is like kind of a cautionary tale. Diablo II had a big black market.
And I think in Diablo 3, they wanted to legitimize that black market. And so to capture all of those transactions, there's like a security argument to be made. But there's also just a like, hey, if people are going to be making a ton of money by selling stuff in this game and it's happening on the black market, we want our cut. And it's widely considered like a cautionary tale in that
Games have since been monetized in that way to within an inch of their life, but it was sort of the first instance of that attempt at monetization breaking the core loop of the game and starting to bias people towards feeling more like a customer and less like a person going on an adventure. Since then, a lot of games have fallen into that trap, but I think it's widely considered like a little bit of a cautionary tale, and that's why they pumped the brakes on it. They changed it based on pretty big backlash. Yeah.
The thing for me is the current games, pay to win is pretty rare, where you can buy OP guns or swords or whatever. I feel like they've...
I feel like they tried that, then that got pushed back because people were like, no. People just don't want to play that game. It's not a fun experience to just get wrecked by someone because they were willing to spend more than you. Exactly. Something like, I'm assuming Diablo and World of Warcraft and some of these other games where if you committed the time to mine all the ore and spend 70 real human hours doing absolutely nothing except for game productivity stuff,
you could generate one of these like mystical items which gave you a benefit. And it's like, okay, like you worked for it, you deserve it. And then it became like the, this thing has a real value. And somebody who's like, I want to pay to win. I don't want to spend 70 hours like mining ore and collecting fairy dust to generate this magical shield.
So it's really tough. I can see how they got there from the game designer perspective, being like, you know what? You know what's better than loot boxes? Us just taking 15% of the cut from everybody. Yeah, totally. It's like Ticketmaster. Ticketmaster does that. 100%. And there's something intuitive about it at the outset. People pay money for games because games are fun. The thing that's fun typically about games normally has something to do with friction.
You have to grind through something. You have to wait for that random reward inside of the box. There's a little bit of struggle so that when it happens, it feels good. You've achieved something. You can circumvent that with money and you get sort of a pale imitation of the feel good. But in the end, if the money comes from making people have fun and giving you money isn't fun, you've broken the core loop of these whole things.
And now we're at the, there's so much more maturity in the way these systems are designed where it's like, we need to onboard you with legitimate fun gameplay. I'm talking about good games, not the Candy Crush whales.
But we need to onboard you with the fun. I mean, the shot's fired. And then there can be a layer of monetization underneath it. Yeah. Well, you're seeing that we're off track here. We're no longer talking about hacking Diablo. But the aesthetics have become such a big thing. Most of these microtransactions are around just simple in-game aesthetics. I'll take that.
Yeah, same. I can work with that. That's fine. You want a neat hat? Yeah, somebody wants to pay $12 to wear a different cape in this open world game, I don't care. Good for them. Support the devs. Exactly. That cape doesn't come with a... God mode. God mode, yeah, exactly. I actually still like the old school, like World of Warcraft, like grinding either resource capturing or grinding...
Going through massive dungeons to acquire, what were they called? Come on, how am I slipping on this? You're talking about a raid? Yeah, raids. Doing massive raids with the hope of getting the 25% or 10% drop at the end. And it's like 13 of you go in and one thing has a 10% chance of dropping. And you spent three hours perfecting, fighting this raid out so that you might be able to get something. I like that.
It's a fun loop. Yeah, it's a fun... And I also like the fact that it's like, and if you get one of those drops, you can share it, sell it, do whatever with it. I still like that too. I just need to figure out how to balance that in the real world. Because if some Candy Crush whale starts playing Diablo and wants to spend $300 to buy that shield rather than to level up a character, level up gameplay capabilities, and get to the point where they can earn that shield, I get that. Yeah.
Our economy and society is full of ways to bypass roadblocks with money. Almost exclusively, you might say. Why would a game be any different? Well, I mean, on the flip side, if I'm not grinding to earn points that can be converted back into a cryptocurrency and have the potential of creating an entire cottage industry of people working under me to make me money, why am I even playing? For fun? Go to hell.
There's a really interesting side story to all this where it's like income distribution globally where grinding resources in some of these games, these online multiplayer games, became like a job in countries where the GDP was really low. So if the average earned hourly rate was really low, you could be mining gold and...
in Malaysia and selling it in the United States for like what, what would be considered cheap in the States for the amount of productivity required to get it. But in Malaysia was like an insane hourly work wage. So it's like you saw, started seeing like internet cafes across like Asia and Africa, like filling up with people who were like grinding in games specifically to sell things to, to,
first world countries to then leverage that. Like it was a job and it like paid really well. And it's like, to me, that's kind of a cool thing where it's like something that has, I guess, you know, we talk about wasted utility and maybe that's an argument for it. That might be the purest expression of wasted utility if I'm being honest. It does create like a potential for an icky incentive. I remember, I'm not going to name it right now, but there was a video game
kind of blew up in about 2021. And it was the one that I was referring to with the crypto thing where,
In order to monetize the game effectively, you needed a specific account with a specific type of crypto asset attached to it that cost a certain amount of money. So all the people in those emerging economies that wanted to play the game didn't have the initial capital, so they would have to go to someone. And it was almost like a taxi token type allegory of like, oh, you want to play this game for money?
You got to pay a rent to me because I have the account that is monetized. And people would build these giant funnels of just people grinding at a game. And the game's valuation skyrocketed. It was sort of like championed as play to earn. Like it was, people loved that. And yet at the base level, there didn't seem to be anyone playing this thing for fun. There was just this toil of,
for digital, like, financial output system going on. And it was like... That's fascinating. We covered that with Zeke in Zeke's interview. Yeah, yeah, yeah. I don't know why I'm not saying the name of the game, Axie Infinity, but, uh, yeah, we covered that extensively. Yeah, we sure did. Yeah.
Anyway, I think we should take it over to the Ad Oasis. Let's kick it over to some ads. And when we get back to the other side, we've got a couple more calls for you, friends.
We talk a lot about tools, you know, on and off the air. Some clever, some feel like solutions in search of problems. But every now and then something shows up that just makes sense for big corporations. Push Security is that kind of tool. Identity attacks, phishing, credential stuffing, session hijacking, account takeovers. These are the number one causes of breaches right now. Most security tools still focus on endpoints, networks, infrastructure. And meanwhile, the browser, the actual place where people work, has been mostly ignored. And Push changes that.
They built a lightweight browser extension that observes identity activity in real time. It gives the organization visibility into how identities are being used, like when logins skip multi-factor authentication, or when passwords are being reused, or when somebody unknowingly enters credentials into a spoofed login page.
Then when something risky is detected, Push enforces protections right there in the browser. No waiting, no help desk tickets. It's visibility and control directly at the identity layer.
It's not just about prevention. Push also monitors for real-time threats, adversary in the middle attacks, stolen session tokens, even newer techniques like cross-IDP impersonation, where an attacker bypasses SSO and MFA by registering their own identity provider. If you think about it, it's kind of like endpoint detection response, but for the browser.
And the team behind it, all offensive security pros, they publish really interesting research in identity attacks, like the SaaS Attack Matrix, which breaks down exactly how these kinds of threats bypass traditional controls. Identity is the new endpoint, and Push is treating it that way. Check them out at pushsecurity.com. That's pushsecurity.com.
Hey guys, my name's Cody. This is a bit of an interesting tale, similar to the Discord hack from the first episode of Hotline Hacked that you guys did, which was fantastic, by the way. I, unfortunately, wound up falling for one of the classic scams where they ask you to test a game. They're using a friend's account. It looks very trustworthy.
I ran the executable that I downloaded and that gave them a door into my Discord information, which they then proceeded to use to take over. However,
I actually noticed what was happening. I was still logged in at the time that they were trying to take over my account. So I actually wound up fighting back. And once I realized that they had effectively written a script that ran with this executable and placed a file into
my Discord folders across my computer that gave them access to my token, my email, my password, all of the information regardless of how much I changed it. I turned my computer off, changed everything from my phone,
took my computer offline, started it back up, removed the files, and actually wound up having a conversation with the hacker while they were still in my friend's account. It was quite the experience, and apparently
He was really, really determined to try and scam a bunch of money out of people doing this because he really wanted to upgrade his computer. He asked me for like 50 bucks and he would leave me and my friend alone. I told him where to stuff it, but you get the point. So yeah, just an interesting little experience. They tried to hit my PayPal and
It didn't work. PayPal notified me and blocked the transaction.
And I wound up getting the account back without any help from Discord. Although that account has since been banned over a year later for reasons I do not know. And Discord does not seemingly have anyone answering those emails. But I digress. Thanks very much for the show, guys. Keep it up and take care from another fellow Albertan.
Oh, wow. Hey. Hometown boy. Welcome from the Rockies. Thanks for the call, Cody. Really appreciate it. I like that we're two for two on Discord revenge story calls. This is turning into a PSA for Discord.
People on Discord are not trustworthy. Do not do anything they say and definitely do not execute anything they give you. No. Yeah. We'll leave that on the website. Just sort of lingering there as like a little safety advisor for people. So this person's Discord gets hacked. They notice it's happening while it's happening. They're still logged in.
And so this person decides to just yoink the cable out of the wall. Very dramatic, very movie moment. The computer boots down. They rip over to their phone that the hacker doesn't have access to. They change all of their login credentials on all of those different accounts that were in one fell swoop all compromised by the compromised access to the system.
They then go back over to the computer, turn it back on. Take it offline. Take it offline. Pull the Ethernet jack out of the back. Well, no, it seems like it was still online because they go back over and they're having a conversation. Well, I guess they could have done that on their phone. I think, yeah, I think like to clean up all the files, the injections that it had left. Right.
I think he said that he took it offline, which means just disconnect it from the internet to make sure that if anything's running... Like a really good idea. Smart. Yeah, the number one way to stop a lot of network-based attacks is to just rip the network off. Yeah, sure. So at some point after that, he reconnects to the internet and resumes this conversation with this Discord hacker who was friends with him. That's how he got him to run the script. No, no, no, no, no. He was having a conversation. We've got a misinterpretation between the two of us here. We do.
It sounds like he finally cleans his stuff up, changes his creds, gets back online, and is talking to his friend's account that the hacker is inside of. So his friend got duped at the same time. Oh, that's even better. It just didn't clean it up. So he's talking to the hacker who is essentially masquerading as his friend. Oh, spooky. So your friend messages you. Oh, I like that. And then we get the real crazy.
pièce de résistance of this whole bad boy, which is that this was, I'm going to go ahead and say, a teenager who was trying to drum up $50 for a new gaming PC, who had Jippity write them like some authentication token extractor and was looking at ways to leverage it into money. Oh no, just wanted 50 bucks. Got told to stuff it. Um, tried to hit the old PayPal. That is a scary moment.
We had this conversation. I'm going to keep referencing the interview with Adam because we talked about a lot of good stuff in there. Discord is essentially a website. You can load it up in a web browser. It runs fine. If you download the app, the app is literally just essentially a wrapper for Chrome. So it's like...
interacting with Discord is very easy and I would say accessible programming. You're not really interacting with compiled code and pulling stuff out of actual memory addresses and things like that. You can interact with it through TypeScript and JavaScript, which is pretty accessible and very easy to code with any form of AI helper. So I think it's just like...
Really highlighting some of the security vulnerabilities and trust. Again, this guy sounds like he was hoping to get some beta version of a game or something that he wanted early access to.
And he pushed his trust aside to hopefully get a larger return of dopamine from getting something early. And it just led to what probably was a stressful and furious afternoon. Yeah. The speed at which he just recognized, okay, they're in this system, so I'm going to turn it off.
I'm going to immediately go change all of those credentials. And then when I come back, I'm going to disconnect from the internet, clean all this crap out. And then I can go have a conversation with my friend's account being puppeted by the person that attacked me for $50. It's great. It's a good little yarn. Whenever I hear stories like this, I'm just so thankful it wasn't like BitLocker or something. Oh my gosh, yeah.
It's like, oh yeah, they got into my, I ran this executable and I like turned the power off on my computer as my hard drive was being encrypted in front of my face. And I was going to be like ransomware it up. Yeah, sure. So I'm, at least it was only like, oh, we grabbed, like, I'm sure it took him a long time to go and reset passwords to all of his accounts. You know? Yeah. Good, good argument for a password manager there. Yeah, seriously. But, but yeah. Fascinating one.
Anyway, local boy too. Local boy. Keeping Discord locked down in 'Berta.
Hello, guys. I'm a new listener to your show, and I've really been enjoying it. And I just listened to episode four and figured this might be a fun one for you guys. It's kind of a small story, but I was at an exposition last year for Ham Radio, actually. And it was a fun exposition. I love those things. Lots of smart people there. And it was at a hotel. And right across from where my booth was was a little restaurant. They had a bunch of TVs. They had a bunch of just a little small restaurant. I don't know. It was like a pub. And
And this was day two of the expo I was presenting. I was a little bit bored and my booth was right across from there. So I pulled out my laptop, booted up Kali Linux instead of the Windows that I was using as part of the demo. Just to look around a little bit I found there was a Wi-Fi network that
was open but didn't have its SSID broadcasting. So I logged into that one and ran an Nmap scan to see what devices were on the network. And there wasn't much that was very interesting. There was like, you know, the router, of course, some what looked like phones or something. But what I did notice was a bunch of TVs. It had, I don't remember what brand it was on there, but they recognized them as the TVs because it was the same
brand as what was on all the TVs that were on there. They were all different sports shows. So I looked on there and I kind of was just kind of looking around. I didn't see anything interesting, but then I had an idea. I logged into that same network on my smartphone and I opened up YouTube and I could cast to all of those TVs.
So, just to be kind of funny, I thought it would be fun, I found a zombie outbreak, like, what do you call it, the emergency alert system video. Because I figured if I did anything that was too realistic, then people would know it was real. But I hacked all the TVs, I mean, it's not really hacking at this point, but I
I cast onto them, all of them, this video. And it was pretty funny. I mean, YouTube had to update on all of them first, so that was probably a bit of a giveaway that it wasn't real. But then it just started playing this EAS message alert outbreak thing. And it was pretty realistic. It was pretty cool how they made it.
I thought it was a neat little video. And the staff were all looking at it like, what the heck is going on? It was like a minute-long video. And I just closed my laptop and was like, anyways, I'm just here presenting. But kind of a fun thing. I was bored, and I thought it was kind of fun. Took some pictures of it and stuff. But yeah, that's my little story. Thanks so much for doing the show, guys. Really enjoying that episode. And I will be looking back at your catalog. I'm going to see more of them for sure. Have a great one. Bye-bye.
Well, thanks for listening. Yeah, we appreciate it. Thanks for calling in with the story. I love a ham radio, an amateur radio aficionado, which for anyone that doesn't know, that's what ham radio is. I love me some conference hijinks.
Totally. I think that's the bane of DEF CON is the conference hijinks. It just makes such an infrastructure impact. Yeah, the amount of warning that you get before you go there about turning off all the devices. Everything you have is like, lock it down, turn off every radio antenna. This is a good PSA because there's a lot of people out there, I think, that
think that if they check the hidden SSID box, like it's non-broadcasting... When you open up, say you're on Windows or Mac and you look at networks around you, you can opt out of that list, but it doesn't mean that your Wi-Fi doesn't exist. It takes very few seconds and not even a hardcore tool to find all of those hidden SSIDs, especially if you've got one that's unencrypted, unlocked down, and open.
You're just asking for invaders. Thankfully, it was just a bunch of smart TVs that I think he mentioned that he updated them, right? I think he said that YouTube had to update before he could work. So YouTube would have had to have run a little update on the televisions before it would have played his on-air. So he actually maintained their equipment. He did them a favor. Mm-hmm, mm-hmm.
So the fun conference hijinks, I do think that that is a good... If we're making a PSA out of each one of these calls, the one there is do not... If you're hiding your SSID and you think that's some form of security, it is not security against the people that you need to be worried about. It might be security against your neighbor jumping on or trying to get on it to download stuff, but it's not going to...
prevent anybody that knows anything about anything. But in this analog, and correct me if I'm wrong here, it isn't stopping the network. It isn't making the network more or less secure. It's just stopping it from being advertised. Theoretically, that network should have still had some kind of
password on it that stops the person from connecting to the smart TV. So maybe it was, that's a weird overlap of things where like it's unprotected, but we've removed the SSID so that it's hidden. It's like, oh, that's, it's like you left the door wide unlocked, but good luck finding it. It's like, oh, it's quite easy to find this door in this analogy. But when you kind of set up a bunch of TVs and you need to tell your staff how to connect to smartphones so that they can send, you know, Snapchats, it's,
It's a lot of work to set up a passkey or a passphrase for the thing. So just leave it open, just hide it. If nobody knows it's there, then how is anybody going to use it? So it's so much more convenient. You don't need to know the password. You do need to know the SSID. So you're just asking them to save the less secure string of jargon. Errors were made in this diner, I'm sensing. I'm going to assume...
Diner owner, not security. That's valid. I get it. I like the swing at it being like, I'm going to take it off. No one's going to see this network here. It will be extremely secure. I think the War of the Worlds Orson Welles fake broadcast is like a really, that's a really good move. Because honestly, probably everyone in that diner knew that there wasn't really a zombie outbreak, but it has that veneer of a
Could there be? Could there be zombies? For like a second, everyone wondered as they were eating their eggs. Eating my grilled ham and cheese and tomato soup. Sitting here wondering if this is the last good meal I'll ever have. Cock the shotgun. Pull the headband on tighter. War paint under the eyes. Like, let's do this. I've been planning it for years. I got a van that's got spikes on it. I'm going to rule the wasteland.
Well, you have fun with that. I will not. The wasteland will rule me, but it's fun to imagine. I like this. I also want to know what a... I feel like I've never been to a ham radio conference, but I got to think that is a chill, wholesome vibe. I bet that is a... And I mean that sincerely. That sounds like a fun weekend. You got to wonder if there's like... Every little subset has egos, right? Yeah.
Like, what is a ham radio ego? Like, is there...
I've been a member of a lot of little subsets. I used to play competitive tabletop gaming. You go to the world championships and there were egos there. Even though it's like you're the biggest dog of the 14,000 people globally that play this silly game. There's just all these weird things. So it's like, what is a ham radio ego? That's the real thing that jumps into me. Is there some cock of the walk that is the ham radio guy? Yeah, it's a good question. I assume they're probably...
the nicer you are, the bigger ego, like the more notorious you would be. Like, I feel like that's the kind of like innocent, delightful subculture that like rewards being a good person. Sure. They're so nice. I hate that. See, I was going to go in the like darker direction. Like, is there a dark corner of the ham radio community? Like, are there, like, pirates or whatever, broadcasting copyrighted musical material over their ham radios? Yeah.
People jamming other people's ham radios and beefs that go back years. I don't know. There has to be. There's got to be. There's got to be. People broadcasting propaganda between... I don't know. I want to see the seedy underbelly of ham radio. I think I'm just, for my own sake, I'm going to believe that...
The largest celebrity and influencer in the ham radio community is like the nicest human you'll ever meet. I like that. I prefer to believe that. Yeah. It's like Jack. It's like I see Jack at every conference. He will literally stop doing whatever he's doing to like help you solve and figure out what you need. Who's the Jack Rhysider of ham radio? And they're probably an extremely chill human being. Exactly. Yeah. It's the chillest. I like that a lot.
Okay, I think that's another one. I think that's another one. Another Hotline Hacked in the bucket brought to you by PushSecurity, pushsecurity.com. Thank you for sharing all of your calls. Thank you for sending them on over. Again, if you want to share your strange tale of technology, true hack, computer confession, we've been getting lots of different types of calls, and we really like that. Go on over to hotlinehacked.com, submit texts, submit a voice. You can call an actual phone line. It's pretty cool. Get at us with it.
I will say, let's put a request out. What kind of story do I want to hear? I want a real hack. I want a penetration. I want somebody to have hacked a web server. I know there's a million of you out there listening to this that have done that. So somebody call in, email in, send in a voice change thing, do whatever, but send us in a real story about a real hack. Real hacks. I like it. Real hacks in the next one.
Don't have to disclose who the target was unless you want to. Just send us something that's got a good depth of technical complexity. That's what I want to hear. And I remember in the last one, we were talking about receipts. And you don't need all receipts. If you threw a zombie video up on
a Denny's sports display, I'll take your word for it. But like, oh boy, did I love, love having those videos we could play the audio from in the calls. So I'll pass that on. Okay. And with that, have a great week or two, depending on when our next episode comes out in relation to this, and have a great month. And we'll see you guys soon. Catch you in the next one.
Bye.