
Hotline Hacked Vol. 12

2025/4/26

Hacked

Chapters
A friend buys a PC for $300, and the narrator, using a Gmail spoof, adds outrageous fees. The prank escalates to threats involving the buyer's children and Kosovo, ending with a confession.
  • Spoofed Gmail account to add fake fees to a PC purchase.
  • Escalated the prank by adding absurd taxes and mentioning the buyer's children.
  • Threatened the buyer with actions in Kosovo.
  • Confessed the prank to the buyer.


This hack happened in the early days of AOL and Gmail, probably around 2005. Back then you could create multiple Gmail accounts without any issues. AOL also had a want-ad service, where you could offer to sell or buy items from their web page listings.

I have a friend who wanted to buy a PC and he found an ad that apparently was not getting much attention because he was the only person to bid on the PC. He won the PC for $300 and called me to brag about the buy. I asked him about the PC and found the listing. While he was on the phone, I found the email of the seller and quickly created a Gmail account, switching one of the letters for the seller's Gmail.

I sent my friend a quick email congratulating him on his win, and in the email itemized all the additional fees that went with the $300 PC: shipping $200, packaging $150, insurance $250, taxes $325. You get the idea. The total bill was over $1,000, which is about what the PC was worth at the time. I asked my friend, "Have you heard anything yet from the seller?" He replied, "Yeah, he just emailed me."

Then there was a long silence followed by a string of profanities. I had to cover my mouth to stifle my laughing. I said, "What's the matter?" He then furiously read me my email. He was beside himself. I replied, "Well, email him back and let him know the additional costs were not mentioned in the ad and are outrageous." Which he did, and since he replied to the email, it went straight to me. He stated, among other things, that he could not understand how the taxes exceeded the cost of the PC.

He finished the email stating he would not pay this price and he was going to report the seller to AOL. I should have stopped, but this was going great. I replied to his email that the taxes were for New York City and the country of Kosovo. I told him there was a clerical error, and this has been corrected to now show that he purchased three PCs. Now the bill was close to $5,000. I also told him I was aware of his children, whose names I listed in the reply,

and threatened that he better not say anything to AOL. I hit send and waited. We've been on the phone the whole time and it was tricky reading and composing these emails while also conversing with him. Again, I asked if he had a reply to his email. This time, there was this cold silence and I could feel him go into full daddy mode. He served in the army and was well prepared to defend his kids. I decided to fess up and he took it well. Turns out, he did not get the PC.

Days later, the real seller sent him an email telling him that they could not sell it at that price. Man. Yeah. Welcome to Hotline Hacked. It's the call-in show where you can share your strange tale of technology, a true hack, or a computer confession if you want to share your story. Go to hotlinehacked.com. It's brought to you by Push Security. Yeah, you almost had your friend on a plane to Kosovo to go, like, Taken-style, track down some people. Yeah.

And then when you fessed up to it, you almost had your friend break your nose. I'm not convinced. The way this email ends kind of abruptly, I'm wondering. He said he took it well. Did he? Yeah, he took it well, well enough. He mentioned some of these children's names. I don't know. I don't know. Harmless prank, yes.

Emotional prank, also yes. Yeah. And also the idea, I think he says at the start of the call, back then in 2005, you could create multiple Gmail accounts without any issues. You can still basically do that. Yeah, you can do that. Yeah. The one thing I'll say is this has been such a plague of online auction sites, is like something doesn't get the traction it's supposed to and doesn't get bid up to where it is. And if there was no minimum set, then the seller just backs out and walks away. This happened to me in like college. I got frauded. I bought a, prior to tablet computing, I bought like a mobile PC and, uh,

It was like 300 and some bucks, which was a decent amount of money back then. Completely hosed. Seller took the money, refused to send it. It was too low. Refused to give it credit. Thankfully, PayPal did its thing. I don't think PayPal's as aggressive in fixing broken transactions as they used to be. I know the last time I tried to do this, like two years ago,

PayPal wanted nothing to do with it. I was like, this is exactly why I liked PayPal and have used it for 25 years and now you're refusing to do it. I'm not sure what's changed on their side, but the joys of online marketplaces. Don't set the price floor on a thing you're selling on the internet below what you're willing to sell it for. This is day one stuff. Be willing to let it go for that amount of money.

Yeah, yeah, yeah, yeah. eBay put a minimum bid in as a thing. Use it. Yeah, but this was the Wild West of 2005. I do appreciate the real-time, multi-layered social engineering going on across both phone and email because it's not just the duplicitousness of the emails, it's being live on the phone with the guy pretending to be, oh, and then what happened, bro? Clack, clack, clack, type, type, type, clack, clack, clack. It's like, oh, that took a little bit of coordination there. I love that he quickly looked up the seller's email address, made a spoof version of it instantly. Quick. Quick. Whip quick. And then immediately fabricated a thing.

I also love that the taxes were like 105% of the sale price. That would be just the most oppressive sales tax ever. Yeah, there's a nice, it's almost like interrogations where you're supposed to increasingly apply pressure. I say supposed to. In movies, in the TV, that's how they do it. And there's an element of this too where it's like an escalating stake where it starts with a plausible hidden fee.

And then it starts to bump up in the form of the taxes. And then it's just like, whoopsie, you bought three PCs and it starts to get cartoonish. And then really the highest of escalating stakes. I know your children's name. I'm really curious. You got to wonder if he hadn't done the right thing and immediately said, oh, I'm just messing with you. What that next response would have been because it feels like complaining to AOL or Gmail isn't sufficient to

At that point, I was like, oh, where would that guy have gone? What journey would he have embarked on if you hadn't immediately done the right thing and said this was a goof? He's like booking plane tickets and like 3D printing a pistol. The guy comes back on the phone. He's like, what do you know about Kosovo? And you're like, don't go there. He's like, well, I'm gonna. I'm gonna. I'm gonna.

I read this also, this didn't happen to me recently, but like the headache. You're in Kosovo right now. I'm in Kosovo right now, yeah. My 3D printer is currently going. I recently, I bought a new fly fishing rod, took it out for the first time, it broke fly fishing. It has a warranty, no problem. I messaged them. I'm like, hey, you know, first day out, this broke while in a cast. Like it wasn't like I banged it on a boat or something like that.

You were fishing with it. And they were like, sure. Here's how much we'll charge you to send you a new piece. And I was like, I don't think so. This has a warranty against defects, and this is clearly broke because of a defect. And they were like, okay, okay, we'll make an exception for you. We'll send you this for free, but you have to pay shipping. Also, the shipping is $150. And I was like, to send me the tiniest little section of a fly rod that weighs literally like three grams? Yeah.

And they were like, yeah, sorry, that's what it costs. And I was like, fuck you. Where are they shipping it from? Kosovo? Portland, Oregon. No, that's nothing. Yeah, so I'm in the digesting phase of this annoyance as to whether I'd light this company up on Reddit in like slash r slash fly fishing because there's not a lot of negative press about this company. And I feel like...

It might be my moral responsibility to let people know. So I'm going to fish that rod again, and if anything goes wrong with it again, it's full game on. Do you fish the rod, or do you fish the rod manufacturer? Like this caller did with an email. Now I'm not saying, do this, Scott.

There's a lot of ways to get satisfaction is what this call taught me. Totally. Totally. I feel like I have a moral obligation, though, to like, if these things are faulty, they're very expensive. So it's like, I feel like I need to let other people know. How much does a fly fishing rod cost? Ballpark. You don't have to say what you spent, but give me a range. Give me a range. I'll give you the full range. Like, let's say...

200 US to 1200 US. Okay. That's real. Yeah. Real money. And if a part breaks on it that shouldn't have broken on it due to no action that I took, like just using it in its normal, like- Correct. In the normal way, I would say that you ship me a new part. First day out. Easy. Came out of the tube, went onto the river,

Mid-cast, it snapped. I sent them detailed photos of the break. They were like, yeah, sure. We'll mail you a new one. Here's how much it's going to cost you. I was like, this should be a warranty and I should pay nothing. They were like, yeah, okay, we discussed it. You don't have to pay anything. But the shipping that should be like $9 is also now $150. I was like, you've got to be kidding me. Anyway, this is a big digression. We've now spent as much time talking about your fishing rod as we did the call on...

to the next one. So back in my early to mid-20s, almost 20 years ago,

Myself and a group of my friends played on an adult flag football team. We would play basically every spring and fall, along with a handful of other teams that would pretty much do the same. Of course, being a group of young, 20-something testosterone-filled males, mostly single or in non-serious relationships and non-serious about our careers, this became a big part of our lives and a little more than a hobby.

So of course we developed rivalries with several of the other teams. Some friendly and some a bit more malicious. For context, it was 8 on 8 with offensive and defensive lines. Pretty much full contact except for tackling, so things would get pretty physical and intense.

This was in the MySpace era of the Internet and Facebook was still pretty young and mostly a college kid thing. There was a website that our team and a bunch of the other teams used to set up free or paid mini-sites for our teams. It had a fairly large feature set even for the free plan, where you could post photos, embed videos, rosters, schedules, etc. It even had comments and a forum system.

It also allowed some light MySpace-esque HTML and CSS but pretty much locked down, still very customizable. It was mostly aimed at little league teams and clubs and such. Our team and the others, of course, took great care in our site and used it for things like posting game results but mostly posting what today would be called memes. The purpose being to taunt and mock our rivals.

Classic. You got to taunt your rivals. I will say that I like the voice that the AI chose for this one. It really, really lands for me. There's a real sense of gravitas to this one. And for anyone that doesn't know, this call, the last one, and I think one other this episode, they were text submissions. So you're getting an AI voice. This guy might have a deep, rumbly movie trailer voice, but we just can't know. I can't know. Now to the hack.

So as I mentioned earlier, the site allowed uploading of files such as images and videos and PDFs. When we uploaded videos or images, I noticed that the URLs that were embedded on the server were just a plain subdirectory within our site, no CDN or masking or anything. From there I got an idea. The site itself was written in ASP, the old school Microsoft IIS programming scripting language. Yeah, never had any vulnerabilities either.

JK.

obvious from the .aspx extension on every URL, with some query params to show the particular minisite and section. Every minisite's URL was effectively the same, with just some different URL parameters. I am a software engineer, and although I didn't know ASP at the time, I knew what it was, and of course my knowledge is applicable. I did a little googling on the syntax specifics and threw together a little script, basically to just grep the contents of the controller file and dump it on the screen. Still doubtful it would work, I uploaded it to our assets directory and pointed my browser at it. Boom, it worked. In front of me, in all its glory, the source code for the controller and the credentials to access the SQL server where all of the data lived.

I'm in great awe that they allowed you to upload something with an extension .asp. It was a different time. Facebook was still for college kids. Now it's just for retirees. Now it's how far it's come. Apparently, they forgot to lock down the types of files that could be uploaded or the execution permissions. Oops.

Now that I had access to the database, my next step was to write some SQL to get the table structure from the schema. After that I was able to see all the different tables, most interestingly the ones that handled the mini-sites, and the admin user info. So naturally I wrote another script that would take a site ID param and fetch the login info for the admins of that mini-site.

In keeping with the stringent security practices, it was stored in clear text. No hashing or anything. I have a gut feeling that I know what solution this is. I don't want to say it because I don't want to slander it if it wasn't the one I'm thinking of because I've used the site just like this. But this is offensive security.

Yeah. And I get that it's the management system for an adult flag football team, probably other rec league sport type things, but still come on. But allowing anybody to upload executable code files, have the server parse them and then have the ability to,

rip into the database, which would be easy once you have that access and have clear text passwords. Shocking. Not only are we going to make improper file upload validation, you can upload anything. And then we're just going to run it over here on this server and just sort of hope for the best. But here's the best part. You don't even need the user accounts once you have full access to the database. It's just going to make things easier for mucking with other people's microsites.

You could still do it through your like uploaded ASP code. It would just take, be a little harder than using the interfaces that they've built instead of like writing your own injections into the SQL and injecting what you want to change.

So the caller so far has used this file upload process to get into the back end of the Rec League Sport software, management software. We don't really know what they've chosen to do with it yet. Well, they're now getting user account passwords. Yeah, it's getting there. In the malicious intent that they're going to muck with the opposing team's sites. Let's find out. Let's find out.

Let the fun begin. Boom. We now had admin access to any of the teams on the website, including our rivals. Persistently, since even if they changed their passwords, we could just look it up again. Let the fun begin. I showed one of my more creative and mischievous friends, and together we began epically mind-fucking the other teams. Wow, the AI voice really stuck the landing on that one. Mind-fucking.

fucking the other teams. Like, whoa, dude. Let's go AI. We started small at first, changing names and small details that were barely noticeable just to mess with them. Of course, that escalated into photoshopped versions of pics, deleting content, and creating new and embarrassing content that they would never post on their own. Despite them feverishly changing their passwords, the attacks, of course, persisted.

Some teams even deleted their sites. This went on for at least several months. Finally, we received angry emails which included threats of legal action from the site's administrators, which we of course denied vehemently. Our site was also deleted and our access revoked.

We then decided we'd had our fun, and the internet was shifting to other services, on mobile and etc. So the value sort of diminished and we decided to call it quits. I would say we also matured a bit, but I still don't think that's true. Of course nothing ever came of the legal threats. Last I checked, they're still operating. And some of the URLs still have that old .asp extension so I wonder if the hole was ever patched. Oh well. So that's my story.

Hopefully you guys enjoyed it, and I'm hoping it gets picked for the podcast. Love your show. Thanks for everything. That is great. Yeah. I love that one. I also, AI really landed it for me, both voice and emphasis. But that's, like, to me, just shocking. And it's like to get, I imagine if you're the company that's running it, and you're sending out the, like, angry emails,

You also feel like you're an idiot because all of those things would be so easily preventable that...

It's like you're accepting guilt in it by being like, stop doing this. But it should never have let it do it. It's the crazy part. Anyway. It makes me think that it was a vulnerability that they maybe knew about and were letting persist for some reason in a spirit of like, well, this makes it easier to do X, Y, and Z as long as no one figures out ABC. Yeah.

Maybe, I'm just trying to think of why you would just even allow that. I can't see what the upside is. When it started, I thought it was going to go like a cross-site scripting JS thing. I thought it was going to be a little bit more technical. But just being able to go file, upload, upload new server executable, upload open executable, it's executed on the server with full server permissions and database connections, which is crazy.

Shockingly bad security, development security practices. Shocked that the company is still around, honestly. That could be enough to bring something down. Privacy violations, things like that. I've been reading up on, this will be in an upcoming episode, been reading up on a large hack of a very popular forum that a lot of people use and the amount of steps taken

that had to be taken in 2025 to take that site down as compared to taking this down in 2005 or whenever this was, I guess almost 20 years ago. Yeah, 2005, same as the first call, is pretty baffling. But the thing I want to zoom in on

So we got a lot of context for this sort of mid-20s, a lot of single guy, testosterone-filled flag football league. We got a pretty good breakdown of how they got into the system. And then I noticed that the caller sort of mows over what they did with this access a little bit. They made reference to epically mind-fucking the other teams, changing some small details there.

Photoshopping some assets.

You might not want to, given the fact that it's a testosterone-filled young flag football player. In 2005, none of those. They're probably very inappropriate. Not good. Not good is what I'm getting at. A little funny, given the context, but probably not great. Yeah, I agree.

The Wild West, the fact that he said that the service still exists and it still has ASP extensions is also shocking. I don't even think Microsoft supports IIS anymore, so that means you're running some antiquated server environment that's probably its own security vulnerability. So it's like, I don't know, wild to me. It also reveals how much, now that I think about it, how much easier...

psychological warfare, to borrow the caller's phrase, has gotten in the intervening decades. That you would need to have hacked this system to change the photo on the opposing team's page versus in the intervening years, it just became like, oh, you just upload the lie photoshopped image to

Facebook or MySpace, and it doesn't matter whose page it's on. It'll still cook around and do all the damage it needs to. I guess we're treading out of psychological warfare and getting into cyberbullying at that point, but it is interesting just how well-suited some of those platforms are for this kind of stuff. I just looked it up, and it turns out that IIS still is supported. I don't know anybody that still uses it.

Unpack that for me.

as a web server in forever. I know it was part of the initial SharePoint things and things like that, but I did not know that it was still actually supported. So they've end-of-lifed a few versions of it in 2023, but they're still supporting IIS 10 until 2029, which is, to me, shocking. I would have assumed it had exited from stage left and was no longer here. I just have never seen it in so long. So...

So I feel like we learned quite a bit there. Validate file uploads. Don't store user credentials. I'm listing now. I need fingers to count. Don't store user credentials in plain text. Server side code should not be accessible to users. Yeah, yeah. The big one here is just like allowing people to put anything on the server is always a security vulnerability. Yeah. And if they can put up

code that the server will interpret, it is a massive security vulnerability. A great way to get around something like this would be if you could upload a file, say you could upload text files, you could put a bunch of code in a text file, upload it, and then if there was some way that you could force that text file to be either processed as server-side code or rename the extension on it, there's a bunch of ways that you could try and

maneuver around simply an extension blocker on the upload, which is like the most basic security layer for it. But yeah. Those seem like solved problems in the intervening years, I would say. Hugely solved problems. Yeah.

Hi, my name is Nicola and this is the story of how I became the most famous hacker at school for one day. Another nailed AI voice here. I know, yeah. Nailed it. British this time. Yeah. The story begins at home, where my older brother, who was studying computer science, introduced us to the NetSend protocol on Windows XP.

Even our mum used NetSend to call my brother downstairs for dinner. I found it fascinating that you could just make something pop up on someone else's screen with NetSend. So one day, while we were in the computer lab, I thought, "Let's scare everyone a little." I typed NetSend "You guys suck" and hit enter. But nothing happened. As far as I understood, the PCs in that classroom were already updated to Windows XP Service Pack 2,

which had disabled the NetSend function by default. A few minutes later, the school principal stormed into the room with our most senior IT teacher, demanding: "Who is hacking the school network?" The computers in the lab had been used recently, so they could trace the message back to a specific IP address, but they thought it came from a computer that wasn't even in use at the time. I didn't realize they were talking about me. After all, I wasn't hacking.

Then our teacher asked what had happened and the principal explained. Apparently, the principal and everyone in administration, who still had older computers, received the message. When he repeated what the message said, I sheepishly raised my hand and said, "Shobhisa, that was me." Of course, I was immediately taken to the principal's office. There was serious talk of involving the police since I had "hacked" the school network.

Our senior IT teacher had apparently never even heard of NetSend, so I tried to explain what I'd done, that it wasn't hacking, just a silly message sent in the wrong way. The principal said, "Well then, show me. If it's not hacking, do it here on my computer." So I sat at his computer and typed NetSend "Sorry." Behind me, I saw the IT teacher slowly sinking into his chair, embarrassed he hadn't known about it.

The conversation continued, and suddenly the principal's phone started ringing non-stop. It turns out he had two network cards in his computer. One connected to the school network, and the other to a shared provincial network linking all schools in the region. You can probably guess what happened next. I kept apologising, maybe sneaked in a nervous smile or two. Meanwhile, it was break time.

One of my classmates told everyone what had happened and in five minutes I went from being a total nobody to the guy who hacked the province. Almost every student in school heard the story. The principal couldn't just let it go. He feared people would think this kind of thing was okay. So I got suspended for one day. Even though the school board admitted I hadn't actually done anything wrong,

They said it had to serve as a warning to others. Maybe this isn't your typical tech story. I still think it's a funny moment that shows how we grew up in a world where even the teachers who were supposed to teach us about tech often didn't know much at all. So, yeah, keep doing what you're doing. I really like the podcast. Bye. Thanks. Okay, for anyone that doesn't know, NetSend.

NetSend. NetSend. A command line tool that lets you send messages to other computers on a network. Correct. It's in the Windows, like Microsoft world. Similar to like, there's a bunch of Unix tools that do something similar, but they're typically...

on the same computer, so write or wall, which means write all. You can use it to broadcast messages to everybody that's logged into a server, essentially like a Unix server. But NetSend kind of ripples it through the entire network. That is the most hilarious part of this story for me. The whole thing about the teachers teaching us tech that don't know as much as the students completely resonates with me because that was most of my high school experience.

computer classes. I think they were called computer. I can't remember what they called them, but they were BS as far as actual technical knowledge went. The principal being on the provincial network and broadcasting a message through the entire provincial jurisdiction. I'm assuming this person's from Canada because they said provincial.

It could be Europe if the AI voice is any indication, though I did pick the AI voice, so that's not. But yes, provincial, totally. But that to me is the funniest part. It's just like these basics. So this comes from the era of network computing, Unix computing, where people were kind of like only nerds were on it. They knew what was going on. They built all these commands and let them do things to talk to each other and send things between each other.

And then all of a sudden, as PCs kind of blew up through the world, she's talking about Windows XP. So this is what, like 1997? Yeah, somewhere in the late 90s, early, because Vista was 2000.

Yeah, I'm looking at Service Pack 2 release date was 2004. So I'm way off. Vista was 2007. Yeah, so Service Pack 2 came out August 25, 2004. So this was early 2000s. PCs were still showing up out of nowhere. They had all these technical tools in the back end. People were still figuring out how to use the start bar. And there's this entire command line interface in the back end for nerds to use. Also quite telling that...

Their home life used this command to like, hey, everybody, dinner's ready. Like the entire household is on computers. The whole story to me is in that one line of like, oh, got it. This was what home looked like. And then you come into school and you enter into an ecosystem where the level of tech literacy is just really, really different. Yeah, it's non-existent. Exactly. Your story speaks to me as that's how I grew up as well. In a similar era, even.

Like I'd go to my computing classes in high school and it was like the teacher had no clue really what was going on. And I was leveraging, you know, network utilities to muck with other people in the class and things like that. And this is how I grew up as like a preteen. There's also an administrative error there.

here that I think goes beyond tech literacy and gets into common sense. So you have a, you have a kid who does something and it is unclear to you whether or not it's hacking, but it sure smells like hacking. So your response is to bring them into your office, sit them down at your computer and to say, do the thing that I think is hacking.

I was like, you don't need to know much about computers to be able to intuit. That's not a great idea. Like you don't need to have known where this was going to go to know that like, you know what? Maybe, maybe,

Maybe we use a computer that isn't connected to a bunch of other computers and isn't on the network. And maybe it's not my computer personally. I would have thought you would have pieced that together even if you didn't really understand what was happening here. But I guess I was wrong. I remember that era briefly. Let's say that principal's 50-something. They've seen personal computers since they were 30-something, 40-something years.

Their tech literacy, in my career, I've worked with executives. I was the chief information officer for a company and the CFO would get their emails printed by their executive assistant. Sure. And that's in my lifetime. People that are in these positions, the tech literacy was so low that they would depend on other people. They would hire an entire person who would just be their conduit to technology. Yeah, sure. It's shocking to me. But at the same time, it makes sense because their valuable skills lie in other things. Yeah. No, that makes sense to me. It's...

There's generational stuff where what age were you, but even that seems less relevant to are you interested in it? Yeah. Like, do you have any interest whatsoever in nerd shit or do you not? And do you need to? Because if you don't have it and you don't need to, you're probably not gonna. And in this case, it has been revealed that they kind of maybe needed to. Also...

I'm wondering how badass this person's reputation was after this. Because now the story to the rest of the student body is, did you hear about the kid that hacked the school network and sent out that message? I heard they hacked the entire province when the principal let them into the room. It's like, oh, you got to.

You got a legendary reputation now probably in that school after that. Absolutely. The one thing I will say too is that speaking from experience, coming from a provincial school system, I can tell you that when I was a high school student...

The IT security structures set up to protect and safeguard the networks were very low and very easily bypassed. Essentially, if you had a physical connection to the network, you had the ability to traverse away throughout the entire province's network and even onto some other province's networks. Net send it up, why don't you? Maybe even more. I'm sensing that, yeah. Yeah.

Yeah, great, great story. I would love to know just about the family. Clearly, if the household was that technically savvy, I would assume everybody from that household, including the parents, were in technical roles, adopted technology, and the kids have probably gone on to lead quite technically sophisticated lives. I wonder if

When they got home, I'm thinking of the circuit of getting in trouble at school and then going home and then your parent knows about it and you have to have the conversation. I wonder if the, so here's what actually happened at school today conversation itself occurred over NetSend. Clack, clack, clack, dear mom, here's what went down. Yeah, I got in trouble today and taken to the principal's office.

They didn't know what NetSend was. Then they made me do a NetSend message on a computer that was networked to the entire province. You will probably hear about it today. They were very, very, very mad. What's for dinner? It will be in the news. It will be in the news. I am a legend.

Can I go to all the parties I've been invited to this weekend as I am now the coolest kid in school? I'm now the coolest kid amongst the least cool kids. Enter. A position in life I know well. Good place to be. Good place to be. I think that's really, yeah, I don't know. Funny. I'm just thinking about like if my kid, if I was the parent and my kid came home and was like,

I got in trouble today. I think you're a bit a little mad about the content of the message. You should be like, you should have more respect for people. I get that it's a done and just. On the technical sophistication side of it, it's like, I'm not really that mad at you, but now you know that your actions have consequences and remember that in the future. I think we should move on, but I do think sometimes in looking back on my childhood, I

That it must have been challenging for my parents and a lot of them to be in a situation where you're like, intellectually, this kid is in trouble. They did a thing that they shouldn't do and I'm upset. I do need to conceal the fact that this is quite funny. And I know I personally have a problem concealing when I find something funny.

I, the, the funny response comes out before the moral response sometimes. And it's, it's a thing I'm working on, but I could see that being extra tough with a kid where they tell you, you're like, so I said, you all suck on NetSend and sent it to the whole school. I would have to like,

suppress some kind of response. Be like, you shouldn't have done that. Just laughing? Just laughing, because I feel like I kind of remember some of those. Like, you shouldn't have done that. I fully...

Find your prank hilarious. Yeah. But also as your moral guidance. Yeah. Don't do that again. Please don't do that again. Unless you're sure you won't get, unless you're sure you'll get away with it. All right. Yeah. As a follow-up to it, I'm going to teach you how to obfuscate your IP address so it looks like it's coming from somebody else. We're going to get you a VPN, kid. Well, yeah, I don't think they really had them that much back then. No, I don't think they did either.

Okay, I feel like we should probably tell the folks who this podcast is brought to them by. That seems like something we should do. Seems like it. Let's talk about push security and the stuff that they do. Let's talk about identity attacks, phishing, credential stuffing, session hijacking, account takeovers, etc.

You know, one of the biggest causes of breaches these days that most security tools are still focused on endpoints, networks, infrastructure, old school stuff, where meanwhile, all of our activity seems to be shifting into browser and browser adjacent applications. And that's where Push finds themselves. They have built this lightweight browser extension that observes that identity activity in real time.

gives you visibility into how identities are being used across your whole organization. Like when logins skip multi-factor authentication, when passwords are reused, or when someone unknowingly enters credentials into a spoofed login page. And then when something risky is detected, Push can enforce protections right there, all in the browser, no waiting, no tickets. It's visibility and control directly at that identity layer where it's all going down.

And it's not just prevention. They're also monitoring for things. They are constantly expanding their research pool. The company has a research department. They are the ones finding new vulnerabilities. As ex-Red Teamers, they're the best equipped to do that. And they're identifying potential vulnerabilities, working with people to get them solved, and then implementing the monitoring and prevention of those right into their system in real time, which is amazing.

It's kind of like endpoint detection response, but all right there in the browser. And the team behind it, as we've said before, we've had them on, they're offensive security pros. They publish some of the most interesting identity attack research you're going to find out there. Like the software as a service attack matrix, which breaks down exactly how these kinds of threats bypass traditional controls. Identity is the new endpoint and Push is treating it that way. Yes, check them out, pushsecurity.com.

And if you haven't yet, go listen to the episode that we had with our CEO, Adam. It still, honestly, it wasn't paid content, but it's one of my favorite episodes that we've made this year. Pushsecurity.com. So this next story came in quite a long audio file. It would have been a ton of editing for us because there's a lot of specific names and companies and situations and...

potential headaches. So instead of us editing it out and bleeping it out, we're just going to talk through it. Yeah. I think it's going to be a lot easier than shopping out the names of the stores and the subcontractors and...

All the things we would need to chop out. This is a call from a listener of the show that we really appreciate them taking the time to send us this. We're going to call him Drozy. Drozy. So the big thing here is, this is a first for Hotline Hacked, is that we're actually going to just kind of wing this one as if we're telling the story.

Yeah, full disclosure, we listened through, I think I can say this, we just listened through the entire call and gradually came to the conclusion in listening that we're going to want to go ahead and summarize this call for reasons that will become apparent. The caller...

The caller, A, first and foremost, starts with lovely remarks about the podcast and us. So thank you so much for that. They're bit by the curiosity bug. A little bit of a hacker. Work at a security consulting company. A security consulting company gains a massive contract with a big retail chain. Yeah.

Anonymous retail chain. Yeah, but what you need to know is that it's a retail chain. There's people going into stores and making purchases is pretty essential to this story. So part of their role is they're helping modernize the technical command centers for each of these stores, of which there are thousands of. So they're in the systems, in the things. They have access to all of the video footage, all of the...

the point-of-sale systems, everything. And what they realize is that this retail chain has a system that monitors self-checkouts from above to verify that the transaction is accurate. So it's identifying products being purchased, making sure that things aren't bypassing the point-of-sale, validating that things are appropriately priced. So it's kind of like, I'm not assuming it's an AI system, but

kind of like looking at what the transaction is and probably assigning it like a score. The higher the score is, the more likely that the transaction is authentic and the lower the score and then it triggers systems internally. So the caller is in this software, which again, as you said, Scott, is pairing transaction data with video footage of the

the points of sale. Uh, they go into the transactions tab of the software in this sort of surveillance software and they start digging around and like the advanced search panel, looking at different transaction amounts, receipt numbers. And out of curiosity, they do a little search for transactions over $5,000 and they make this discovery of dozens of high value purchases. Some going up to like 15,000 bucks that are all paid entirely with digital gift cards. Uh,

All of these transactions were linked to the same woman. And the caller is able to watch the video surveillance footage of this person using their phone over a period of like an hour, just scanning digital gift card after digital gift card after digital gift card until they're able to build up the amount of money at which point they do the transaction and leave. This is obviously quite sketchy. It sounded like...

It sounded like from the caller's description that the person, the perpetrator of this potential fraud, alleged fraud, would scan 150 $100 digital gift cards on their cell phone. And it would take one hour or more for this transaction to complete.

They would buy highly resellable items like new iPhones, high-value tech goods. Clearly, if you were in the market of taking illegal gift cards and flipping them into products to resell, this is the things you would buy. Anyway, this caller who's this tech professional working on this contract for this company realizes that

They've stumbled onto what is probably mass fraud. There's loads of transactions all linked to the same person in the video footage. And they're like, what do I do about this? If I come forward with it being like, hey, I found something, I'm essentially ratting myself out for violating the privacy and the access that we've been granted to do our jobs because I'm not supposed to be in this system.

But if I don't do it, then this fraud continues to roll on and on. Caught in a moral quandary. Yeah, rock in a hard place, I think was the term that they used on the call. Yeah. And this is not a single event either. This person goes through and they're able to find patterns of these kinds of large frauds.

multi gift card purchases occurring over a period of months. This is a pattern. And the theory, as you said, and they bring up is that this is probably a mule working for a larger fraud network. Um, and then being stuck in this tricky situation of going well for a bunch of reasons that the caller outlines. Uh, if I go forward with this and reveal that I have seen this stuff, I'm revealing certain behaviors that will probably get me fired. Um,

And yet I seem to have stumbled upon a large fraud ring. And I have video evidence of it. Yeah. Quite a prickly situation old Drozy's found themselves in. So that's, I think, the long and short of the story. So now we can talk about it.

Yeah.

on the network. And they did the right thing, it sounds like. They alerted their boss and was like, hey, I shouldn't have access to this. I can see compensation and internal employer reviews and bonus payouts and all the rest of this stuff. You should not be sharing this with me. And they were like, yeah, yeah, yeah, you shouldn't be looking at that. Don't look at that anymore instead of fixing the security problem that allows them to.

But I, myself, am guilty of this. When I jump onto a new network, often I just take a little peek around. You do a little digging? Yeah, I do a little. It's not even digging. It's like, you'll just pull the yarn, and it's like... Out of the earth, where it was previously, using, I don't know, a shovel. But to me...

If it's visible to the network and you've been given access to the network, there might be stuff that you need to know in those places. So I always get a little lay of the land. It's like a little Google Maps thing to check out the place that I'm going on vacation. And it's like if I've been pulled into a new network and there's a bunch of resources that have been given to me, occasionally I'll look at those resources. And sometimes those resources probably shouldn't be on the general public website.

So it's like, yeah, I feel for you on that one. Yeah. Without explicitly saying what it is or even whether or not it was sent, this is the kind of story that has implications where you would want to see receipts. You would want to see some sort of evidence that this occurred.

before you would talk about it in a public forum like a podcast. And I'll just leave it at that. Yeah. We'll just leave it there. We'll just sort of leave that there. And you can intuit what you will. Yeah, this is pretty... There's a lot of questions this raises, which is...

So assuming that on the back end of this, assuming the caller's theory is correct, that this was what they had spotted was the final stage of a much larger operation that resulted in acquiring a whole, whole, whole bunch of gift cards. And that the way that they were laundering those gift cards was by sending a mule in to go make purchases. I'm curious where the gift cards came from. Yeah, same. I would, if I had a...

render a guess. It's probably from all of the online and telephone fraud that is currently going on. It seems like a good guess. It seems like a really good guess. When you defraud somebody, how many of those online scam baiters, how many of those videos have I watched where the payout is always a gift card? Google.

Something else. I would assume that this large retailer is the target of one of those because one of these organized crime rings, which is really what they are, has figured out that they can convert retail chain gift cards into high value goods, flip those goods at a 10% loss probably, which is a pretty good reduction. Laundering money probably costs more than 10% in any way. So that seems like a great one.

Yeah. And I bet the reason why they do it in low gift card amounts, hundreds, is either A, they can't buy larger ones. That's my guess. Or B, they fly under the radar. Like if you buy a $10,000 gift card, it's like, okay, what's going on here? Sure. I would bet, if I had to guess, it's the...

former. I would guess that at a certain point, it's that a large retailer like this just says, we're not going to sell $500 gift cards because we have literally created a currency for money laundering and fraud. And that already exists. Yeah, iTunes store, App Store, Google. Bitcoin. Yeah, Tether. Tether. Those already exist and we don't need to be in that industry. So I would imagine at a certain point, it's just, here's

35 instances of a $100 gift card to this major retailer, we will accept these seven different products that we have deemed as having the best, the least appreciation the second you drive it off the lot. We'll pay you this fixed amount of money to go do it. Let 'er rip. And this person is just driving around what area they're in making those purchases with these gift cards. And the only record of it is this sort of

pairing of transaction data and video surveillance showing them coming into the store and just sitting down for an hour scanning gift cards. Here's the next moral dilemma. Obviously, the caller faced a moral dilemma, but you're the retailer and you're now doing an extra million dollars in revenue per year from these mules. Do you care? Yeah. Is it your place to try and stop it? Because they're just going to change to a different...

conversion path. They'll go from your gift cards to some other company's gift cards and do the same thing. What are you stopping? And is it your moral responsibility to stop it? My question would be, does the retailer know and do they care? Technically, it's revenue for them. It looks good to their shareholders. They've sold a PS5.

Yeah, they sell an exorbitant amount of iPhones and PlayStations. And whether those end up on Craigslist or Kijiji moments later, Facebook Marketplace, they don't care. Interesting. That was a fascinating one. Yeah. The caller estimated that they'd seen approximately 4.5 million in transactions, which is substantial. It's shocking. Yeah.

Yeah. Yeah. Thank you for sending that one in. We really appreciate it. Yeah. And I think that's another episode of Hotline Hacked brought to you by Push Security. If you want to share your story with us, go over to hotlinehacked.com. It's got the email that you can send it to. There's a specific Hotline Hacked email. There's a phone number if you want to call in. If you've already shared a story, go over to hotlinehacked.com.

know that we've probably gotten it. We're just working through them. Yeah, there's a few hundred in the mailbox. There are, but we always want more. So please share your story. Get at us at hotlinehacked.com. I think that's another one in the bucket. All right. Well, thanks for listening and we'll catch you all next time. Cheers.
