As we approach the next season, threat actors will be keeping a close eye on dating apps. These apps have become a prime target for threat actors due to the size of the market expanding to over 300 million users and the rich information stored in these apps.
Today’s guests are Jason Kent and Will Glazier. Jason is a hacker-in-residence at Cequence Security. He has a diverse information security, networking, and IT background and a generous level of knowledge for most pieces of the IT spectrum including firewalls, security architecture, security controls, and security infrastructure.
Will Glazier is the Head of Threat Research at Cequence Security where they protect some of the world’s largest brands from sophisticated bot attacks and threats against the public facing APIs. Will has a background in fraud abuse and prevention as well as building threat intelligence systems.“Oftentimes someone you are talking to is an account that has been taken over or a fake account that was created.” - Jason Kent Click To Tweet
- [1:18] – Jason and Will share their backgrounds and current roles at Cequence Security.
- [5:24] – As common as scams and fraud are, even Jason and Will have personal experience with them.
- [7:39] – Dating app attacks are particularly hard because they prey on vulnerable people. There are so many cases, that there should not be shame around talking about it.
- [9:32] – The first red flag is when someone you are talking to on a dating app tries to get you over to texting or another app.
- [11:37] – In any given month, the amount of malicious API transactions that Cequence is blocking is in the billions.
- [13:52] – Fake accounts are constantly made but not as heavily used as taken over accounts.
- [16:08] – Scammers are now paying for premium accounts to appear more legitimate and the investment pays off when they scam someone.
- [18:11] – There are tools people can buy to make all accounts look real through automation.
- [19:29] – It is essential that people in a fraud department can trust the information and push it out to Cequence.
- [22:04] – Some organizations will pay a ransom to decrease the time wasted and money lost. In their eyes, the money lost to pay the ransom isn’t as much.
- [26:11] – Margins are getting tighter for the bad guys.
- [30:31] – The infrastructure that scammers use varies. There are some that are really well known at Cequence and some that are more difficult.
- [32:51] – It is easier to take out one big player than to take out hundreds of small ones.
- [36:03] – There are human and political pressures that make things more challenging for security.
- [38:07] – Romance scammers are employing new tactics and switching them up.
- [39:48] – If you put too much trust in the platform that it makes you trust the random person you’re talking to, take a step back.
- [42:40] – Take a look online for things that have been done by scammers historically, especially if you are new to dating apps.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Cequence Security Website
Thank you, guys, for coming on the Easy Prey Podcast today. I appreciate you carving out a portion of your day for this. Can you guys give a little bit of background about who you are and what you do? We'll start with you, Jason.
Jason: I'm Jason Kent. I'm a hacker-in-residence here at Cequence. My job is to understand the attacks. I look at a lot of the attacks that hit our customers to figure out the why and what of it. I also do individual research, a lot of speaking. I go around a lot of conferences and that kind of stuff.
Did you always want to be a hacker? Or is that something that just sparked your interest in life?
Jason: I built my first computer back when you had to have the right catalogs to order the right parts to show up to your house. My uncle gave me a stack of catalogs for Christmas one year. It wasn't too long before I realized that I could use the acoustic coupler modem and call my neighbors. It all took off from there
I got into web security in the late 90s. My wife was a web application designer and web application developer. She told me some guy named Bob O'Neill broke her web app, because his last name had a tick mark in it. That got me putting tick marks into everything and led to a career of taking URLs and getting error messages back.
It's always fun stuffing things into fields that people aren't expecting.
Will, how about you?
Will: I'm the director of threat research at Cequence. What that team is is a group of really awesome, hardworking, talented security engineers, data scientists, and machine learning experts. Our team spends a lot of days in the mud.
We are seeing these attacks, dealing with them hand to hand every day, understanding them, applying learnings and logic back into our product, into our threat intelligence cloud to make sure that what happens at one customer or one vertical, others benefit and learn from, to make sure that we are staying ahead of the Jasons of the world, the hackers trying to figure out exactly how to abuse the business logic, the APIs that we're protecting.
I've been working on this team for almost eight years at Cequence. A little bit of the story. I think the story of Cequence and my time there tells a little bit of the story of API security. Back in 2014-2015, it was more of the Wild West of bots on social media, and not everybody knew how pernicious the problem was. Post-2016 and on and on and on, everyone and their grandmother knows what a bot is on social media and everybody's got eyes for it.
Back in the day, APIs were just a new channel, an emerging channel by which many of these attacks were being carried out. Now, lo and behold, there's an entire vertical and security industry around API security of which bot attacks, malicious automation, business logic abuse are a key part of it. It's been an interesting journey through those years of seeing it grow.
Is security a field that you wanted to get into? Or was that the progression of your career?
Will: I never thought I would end up being this laser-focused on the bots and APIs, but there are only so many hours in the day, and yet you get consumed by this stuff to the chagrin of my friends and family, I think, sometimes.
Totally understandable. As we were talking a little bit beforehand and before we started recording, I'm really wanting to help people that have fallen victims to scam, fraud, and whatnot, to not feel ashamed about talking about it and realizing that it is considerably more common than we might think.
I've been asking my cybersecurity guests and fraud experts, have you guys ever been a victim of a scam or a fraud? Or has someone close to you been a victim of a scam or a fraud?
Jason: My spouse, actually, is the bookkeeper. She's the fiscal officer for a township. The township consists of two guys who drive the plow truck in the winter and the trustees who decide how much salt to buy. It's a very, very small organization that paychecks are not very big.
Somebody actually sent a scam from one of the trustees to the fiscal officer to say, “My next check should go in this bank account.” It was one of those things where the email was exactly right, everything looked exactly right, so she set it up. A couple of months later, this trustee says, “Where's my paycheck?” She goes, “Well, you changed the bank,” and he says, “No, I didn’t.”
She goes back, looks at the email and realizes that she has to go file an insurance claim to get everything recovered and all that. It was extremely embarrassing for her, especially since her husband is someone that's fairly well-known in security.
The reality of it is, when you follow this forward, it's happened enough times that now payment processors are saying, “Have you spoken to this person on the phone?” They have little tick boxes for when you go through and change these things now that remind you that you should be going and doing this.
I think that we have this kind of trust placement. A lot of what we're going to talk about today has to do with somebody giving a lot of trust placement. We have this for our systems and stuff. We just assume that we're going to see it. The scammers are quite crafty. Will can tell you, they're good at it.
Will: Chris, you mentioned you want to get people talking about this. I agree. The point I made when we were talking in the intro, I said, a lot of what we do is you try to learn from one attack and apply it to others. How can that happen proactively in an automated nature?
What you're talking about is getting people talking to each other, who may be victims, shedding light that's doing that on a human-to-human level. This problem in the dating sphere is particularly human. This is one where these attacks make me more mad to see than others because they're preying on vulnerable people. It's a good idea to not have shame around talking about these types of things.It's a good idea to not have shame around talking about these types of things. -Will Glazier Click To Tweet
I think the more I do these podcast episodes and the more people come on, it sounds like more and more people are starting to talk about it. People at church I've heard now talking about like, “Oh, yeah. I got hit for a small amount of money.” People talk about, “Oh, I tried to buy something off of a Facebook business list, a Facebook listing, a Facebook page, and it turned out to be fake, broken, or whatever.”
It's nice to hear people starting to talk more about it. I'm going to continue to talk about it. Hopefully, it will become lower and lower every year. But in the meantime, there's a lot going on. What is it that you're seeing going on with dating apps right now?
Jason: Let's talk about this thing we're talking about. We call this cuffing season. Really, it's getting colder outside, and wouldn't it be nice to have someone next to you? You go and put your information. You go put your trust into some platform, somebody on that platform decides to talk to you, and almost immediately tries to get you off that platform, because eventually trust mechanisms are going to fire, and they need to move you to an environment that they can keep you on.
If you meet somebody on one of these online dating sites, that's your first warning. If they immediately want to start texting with you, move this to WhatsApp, or whatever that is, you don't want to do that. What they're trying to do is get you to believe that the identity that you first met them with is transmuting over to this new place.
I'm sure Will's going to dig into some interesting numbers here. Oftentimes, that person you're talking to is someone's account that got taken over, or it's a fake account that got created. This concept of you putting trust in this platform, they're supposed to be watching out for you and protecting you.If they immediately want to start texting with you, move this to WhatsApp, or whatever that is, you don't want to do that. -Jason Kent Click To Tweet
If somebody went and took over Bob Miller's account, and they're in Nigeria, and their name isn’t Bob Miller, it definitely is one of those things where you're going to believe that Bob suddenly needs money, and you're going to try to give it to them. The kind of money that we see in this goes from a nicely priced used car to a house. This is a lot of money that gets scammed out of these folks.
One of my very early interviews with, I believe Debby Montgomery who’s just coming out of her spouse dying, got involved with a romance scam, and over the course of a year or more lost about a million dollars to this person. It's definitely a big amount. It can be large amounts of money. It can also be small amounts, but that can be just as traumatizing to people.
Jason: Yeah, depending on who it is, right?
Yeah. Before we go on, you talked about that combination of fake accounts and compromised accounts. Is there one or the other that you're seeing more of?
Jason: That's a great question. I'll provide you some numbers here from the last quarter to talk about the scale of this problem just to set the tone, and then I love that question about fake accounts versus taken-over accounts.
In any given month, the amount of malicious API transactions and Cequence’s blocking is in the billions, like three billion in just this last month alone. The vertical of dating sites, when you think of that scale, we're blocking in the last quarter about 150 million transactions in that universe.In any given month, the amount of malicious API transactions and Cequence’s blocking is in the billions, like three billion in just this last month alone. -Jason Kent Click To Tweet
Now, that's nothing compared to that three-billion number I just mentioned, which is an interesting fact of its own. However, 150 million. Just think about that. That's one transaction that we're blocking for every two Americans. That's the sense of the scale of this problem and what we're seeing.
Of those malicious transactions, that breakdown between fake account creation and account takeover, that ebbs and flows over time. The ebb and flow is based a lot of time on some of the business pressures that the dating site platforms have on some of the fraud initiatives that they may be undertaking.
Think about it from their perspective or the perspective of the defenders for our partners and colleagues in protecting dating sites. A freshly created account doesn't have a reputation to fall back on in their scoring algorithms. An old account, an existing account does. Those accounts, to get taken over, have higher value for attackers because they will come with this preceded positive reputation.
We see, oftentimes, tons of volume on the account takeover side relying on the law of large numbers. If I fail 99.9% of the time, but my denominator is large enough, I can take over a nice pool of accounts. It gives them a lot of repetitions to try to use those accounts to scam folks. The fake account creation oftentimes can manifest as a little bit more consistent, persistent, and low and slow.
These are your backup accounts. You need to make this farm of accounts every day, every month. It's almost like meeting your quota. You have to have those so that you can at least drive the influence, drive the visibility to certain places. All the while, you're trying to get those accounts that you can really use to make some noise and to make some money from their perspective.
Are there a certain amount of those fake accounts as opposed to being used right away or being left to season and age, that longevity, so to speak?
Will: Absolutely. Oftentimes, the seasoning and aging is actually just part of broader, coordinated inauthentic behavior. A few years ago, actually, we uncovered a ring of what we call VIP fraud, which is basically no different than what some of our partners in the social media space call coordinated and inauthentic behavior. Basically a ringleader who's buying, selling accounts, and basically likes visibility and engagement on that platform.
We uncovered the central hub that basically had the menu of how many accounts this person had bought and what's the progress on the way towards it, the status of it, basically. The accounts that they were engaging in this activity with were all paid accounts, like VIP accounts. Now, X has moved to X Premier, Premium, or whatever it is. They were accounts like that, because those come with a prebuilt, higher reputation, some air of credibility.
We saw tons of the accounts engaging with those premium accounts who were created and upgraded to that premium account level. We see that as a pathway whereby people generate legitimate looking behavior, then put some monetary, in this case, investment from the attackers behind it. They're investing now in these premium accounts so that they can hopefully draw down a bigger reward when they scam someone.
How complicated is it to detect when an account has gone from an authentic user into that it's now a bot, or it was under somebody else's control, and it's now changed control? Is there ML and AI? If you can detect who I am by the way I type, is that starting to be applied to social media accounts and other platforms to detect? This is just not how this user has behaved over the last 10 years, five years, or whatever.
Will: That's right. Jason, do you want to take this up and speak?
Jason: A lot of the analytics that we gather—a really good example is the impossible travel model, where I send a message into the platform just so that I'm seeding my account. It looks like I'm being active, but I'm coming from China. Then five minutes later, I'm coming from the United States. Those kinds of things inside of those systems sometimes get flagged and sometimes don't.
I traveled tons, so I'm always going to look like I'm coming from all over the place. If you're not putting the right timing in on it, you're not really going to understand it. But that behavioral shift definitely happened. They suddenly focus on one or two victims, and they really, all of a sudden, go away. They want them off the platform.
This behavioral stuff that Will was talking about, where you buy a VIP package and then farm that account, that kind of mechanism and those kinds of things, there are automated tools for that you can go buy.
One that comes to mind is called Essentials. Essentials will make all of your accounts look real by going and liking videos, doing all these kinds of things so that you look like a socially interactive person, and then it'll trick all of those trust mechanisms and off it goes. But you definitely see a pattern change. The problem is if you're watching for the pattern change for them to leave the platform, it's too late. You have to see a change in real time.
Will: There's a point here about defense in depth. The question you asked Chris is really an area where we see when we engage with our customers, that point is where the fraud team really specializes. It takes over. It's like in-platform activity, in-platform engagement. This is really a subtle shift.
That's deeper down the stack of protections. There's the perimeter where you need to keep out the flood of what could become this later. Cequence generally sits at the perimeter of our protection, and that's why we're seeing such huge numbers that I'm referencing about, transactions that we're blocking.
It's essential for the people downstream, the fraud analyst, fraud team, to have signals they can trust from the perimeter. It's essential that the fraud knowledge makes it back out to the perimeter as well. There's an interplay between those two that is critical from a defensive perspective.
That's the thing. Once the fraud department within a dating app company says, “Hey, we definitely know that this account is fraudulent. Do you want to push all that information back out to you guys so you can run it backwards and see how it gets through?”
Will: And you want to make a strong case to the business, too, because if you think about it, the business may not always be driven by the same motivations that the security team has driven by. Growth is very important; daily active users are very important. If anything negative is going to happen on those metrics, you need to bring the receipts if you're in the defender’s chair.
That's where it's critical that you have receipts from both of those data points. All of this traffic is inauthentic. We know it, and let's take action and not wait. It's one of those classic short-term-long-term trade-off problems.
People don't want to see any dip on this quarter's results. But if you let this problem persist for a year, watch out because eventually the tide will turn and people will stop using it. Organic humans won't be using the platform, because they'll feel overwhelmed. They’ll feel at risk. Their vulnerability will be taken advantage of.
I think it's one of the classic problems that compliance departments have, that loss prevention departments have, that security departments have. Your interests sometimes don't seem to be financially aligned with the company. If the compliance team is doing a great job, they're often seen as the Department of No and the Department of Reducing Sales.
Jason: I just had this discussion with a group of CISOs about this. It's the classic question: Pay the ransom or not? In the financial industry, it's funny. You'll hear them say, “Well, if it's less than two minutes of downtime worth of value, yeah, we pay it.” They actually sit there and do that Ford Pinto math. If they blow up and kill people, there are not a lot of people to be, “OK, that thing is just weird to me.”
I meet guys that are, “We're never paying that ransom. No.” You meet a lot of organizations that are like, “We'll be back up and running in 20 minutes. Yeah, pay it.”
You have to look at it from the perspective of what's going to drive the business. If you go to them and say, “Well, you don't have enough security in place. All of your accounts are going to be taken over by bots in a little while,” then the scenario that we'll pay is definitely going to happen. Everyone's going to leave. There are too many bots on there. It's something you hear all the time. These are these crazy decisions that these guys have to make.
But if you think about what happens, when the story breaks that someone loses a million dollars through a scam on your platform, that's never going to be a positive thing. That whole “no bad news is bad news” doesn't really apply.
Especially when these things usually come out as, “OK, I'm the headline, but here are 40 other people who had the same experience, because platform Z was not doing its due diligence to prevent this stuff from happening.”
Where do you see this going? Are there emerging trends? Is there a tidal wave on the horizon that's freaking you guys out? Is it looking like smooth sailing? What's your prognosis for the future?
Jason: I think predictability is hard. We just came out of two years of behaving completely differently than we normally did. No one could go to bars and meet each other. Online dating became this massive thing, and the fraud fallout.
What we're seeing now is, now that people go back to bars and are not as reliant on their dating apps, but the people that are there, the population that remains are those people that are going to be highly vulnerable because they want that connection. They're putting a ton of trust out there. They're going to ignore the warning signs.
I think that whole idea of normalizing what's going to happen is important. You're going to get a message from somebody that you probably shouldn’t trust, and they’re going to say, “Let's go chat.” They're going to tell you all about their financial problems. That's really what's going to happen. How that happens is going to play on a bunch of vulnerabilities and exploit understanding as much as possible.
Will: I have Jason on that question. I actually have an optimistic or hopeful take that I want to throw out there into the world. I'm going to make an analogy to what we've seen, not just in the dating site universe, but during the post-Covid period. In fact, particularly as some of the macroeconomic conditions, interest rate tightening has happened in the last year-and-a-half.
We also protect a lot of hype-sale clients. By hype sale, I mean, think about the Ticketmaster case where people are leveraging arbitrage to buy items with bots at a certain price and resell them at a much higher price. When NFTs were going to the moon, when every asset and used cars were appreciating, sneakers were appreciating assets because of the bubble.
Jerome Powell slams on the brakes, and all of a sudden, the margins in the sneaker bot universe are a lot tighter. That has an impact on the amount of scammers and cook groups that are operating efficiently and effectively actually making money.
You apply that analogy to the dating site universe. What Jason's saying is 100% true that folks who were there are particularly vulnerable, but what it means is that margins are getting a little tighter for the bad guys. Imposing financial costs on the bad guys wherever possible can really hurt them. I mentioned how one of the tactics they use is to build up these fake accounts that they've paid for to get reputations.Imposing financial costs on the bad guys wherever possible can really hurt them. -Will Glazier Click To Tweet
What if you can detect all of those? And what if a payment mechanism that you are supporting is pre-loaded gift cards, or someone has put stored value onto a thing that you control as a platform? What if you just wipe their account? What if you wipe their value and take their money? Hit back a little bit and impose that cost, that hurts their margins.
I think there's an opportunity for sites, for platforms in the dating sphere to leverage this moment macro-economically to hopefully make a little bit of a dent. That doesn't mean nothing's going to change in the future with interest rates going down. Maybe it changes, but making people safer for a little longer is also never a bad thing.
I think that's one of the things that's always been present in technology. There is a significant force difference that if you can create a thousand bots, you have way more ability to do damage and to hurt people. But if I now charge you a dollar a year to make those bots, I've just now created a significantly more costly structure for you to operate.
Not that you can't, but with X planning on charging or testing, “Hey, in Australia, we're going to charge you a dollar a year to join the platform.” For people in Australia, putting up a credit card number, paying a buck is no big deal.
Sure, that might push the bots somewhere else or shove them out of the way for a little while. But in other countries, a buck a year could be a substantially larger portion of your income. If that now starts to make the scammers, like you said, reduce their profit margins, they go somewhere else.
Jason: We often see in big account takeover attacks, the unsuccessful attacks are using the cheap infrastructure. We know the cheap infrastructure, all of us do. Anybody that's in this game knows where the cheap infrastructure is. It's colocation facilities in Colombia. It’s colocation facilities in set top boxes in Thailand. We all have seen all this before.
Once you start blocking those guys, they then go to more expensive infrastructure, where it's looking like residential IPs, and they're using people's cell phones to bounce stuff off. That alone makes it so that it's much more expensive for them to operate. They're going to hit harder when they hit because they need to recruit more each time. Each time they're successful, they’ve got to get more money, otherwise, they can't cover their costs.
We see that during the hype sale, a really huge period that Will is talking about, we saw companies start up that were bot companies. Literally, you could find postings on LinkedIn for jobs to go write software that would be bots. Now you're not seeing that. They don't have enough money to pay employees anymore. It's all starting to take up a lot more, and then the user pool is tightening up as well. They're really begging for success. The more that we can do and the more knowledge that people can have, the better.
Are you seeing the attacker switching from individuals to larger organizations that have that financial backing, or is there any way for you to know?
Will: That one's a really hard one to answer, to be honest, and it varies. The variance is so high that drawing a conclusion is almost disingenuous. I want to relate your question back to one point Jason just said, which is quite interesting. He talked about the infrastructure that the attackers use. He talked about those residential proxies, the things that use devices like people's phones, home routers, and cameras, which have been compromised by some vector and now are opened up as a proxy by which bot attackers can distribute their traffic.
From a defender's perspective, those are really hard to catch because they look just like your human traffic. They're coming from Comcast, Verizon, Spectrum, et cetera, all the big residential internet service providers. Those networks themselves, the people building up and farming those networks, are organizations. Those are businesses in and of themselves, and it's an area that we've seen a little bit more attention from.
In the law enforcement space, for example, there've been some residential proxy takedowns. I'm having a brain fart on one of the most recent names right now. I think it was the 911 proxy network. There are a bunch.
In particular, I know some of your listeners probably know Brian Krebs or have read his stuff before. He went on a little bit of a heater talking about these stories as they were happening. I think it was last summer. Those organizations are businesses in and of themselves. They're not the street dealers. They're the guys that are supplying the street dealers, to make an analogy.
I think the more attention that we focus there on removing the gasoline from the fire, that could pay dividends as well. Make it easier for the defenders to get to focus on the easy stuff and take away some of those nasty organizations that are doing this. That would be very powerful for the industry.
I assume from the law enforcement perspective and tying in with cyber security, if you can take out one big player who provides infrastructure, it's easier to take out one big player than 999 small players.
Will: Exactly. Now, inevitably, the rats scurry off the ship and go board another one. Other players pop up and it happens, the ebb and flow is natural. But still, if that was an excuse to do nothing, then we should all just fold up and go home. That's what then it will take to just, “Oh, because they're going to come back, I won't do anything.” We make progress where we can, and I think that's been done, and it continues.
Are there entities that you want to see more cooperation from? Let's say residential ISPs that they need to be monitoring their networks more. If they can see everything that's exiting their network, they should be able to see suspicious patterns. Should they be doing more?
Jason: They should. I approached a couple of the ISPs at RSA last year. I said, we collect IP addresses. As soon as they come online, and as soon as they start hitting our customers, we're back looking at them for what we call network IQ stats. If I can come up with a massive list of IP addresses coming out of one ISP and I hand it to them, they don't care.
They told me, quite frankly, “There's no one in our organization that you would hand that list to that would affect a change in our organization. We're too busy collecting money and selling phones.” That was the impression that I got from that. I went over to the FBI and the NSA, and I asked the same questions. There just really isn't a coordinated effort for this stuff, it doesn't seem.
Will: I'll throw in a slight—not that I disagree with anything Jason just said—I just want to throw in a maybe a shameless plug for some of our colleagues and partners that I spend a lot of time with, our customers.
If you look up Cequence's website, you'll see that we have a solid presence in the telecom space, ISPs. Those who could solve this problem, we interface with a lot. They're swamped by dealing with so many.
There are many problems to deal with, so much going on. It's like trying to just do basic juggling versus trying to juggle 10 things all pieces of furniture at once. What Jason's saying is just so true. Folks are DDoSed, and can't handle this problem. They're not the one at the end of the attack, they're the middleman in this case. It would be really cool to see more collaboration around to carve out some time, some focused time, where we can all work together. Hopefully, there's a little bit less noise that prevents that from happening.It would be really cool to see more collaboration around to carve out some time, some focused time, where we can all work together. -Will Glazier Click To Tweet
I guess the funny thing that I see happening is I get a phone call from my cable operator saying, “Hey, it looks like your computer might be compromised.” OK, everyone who's running a podcast talking about privacy security will tell you to hang up on that person.
Will: Exactly. You just brought up a very good point. Imagine the panic that ensues when you start making those calls. You're not going to call them. It's going to be automated, because there's going to be more than one. Then everybody's going to go, “Oh, my God,” and you're going to be in the news. There are human and political pressures that go along with all of these things that make it impossible to sometimes do what might be ideal from a pure security perspective.
I guess you have to work from the lowest hanging fruit first and work inwards from there.
We've talked in the realm of dating apps. Is there a trend that you're seeing of how this is morphing within the dating app? Are they changing practices? Are they starting to use ChatGPT to communicate with people so it doesn't look like I've hit macro four, macro five, macro six on a thousand different accounts?
Jason: You’ve got to remember that all of those little nits and mistakes that a scammer uses in their communication are really purposeful. If you don't notice them, you're probably going to be of the mind that you believe this person and all of that kind of thing. ChatGPT does things grammatically correct, but it'll let you generate so much more quickly. If English is your second language, you don't have to think through it so much; you can get it to come out a lot faster.
The overall trend that we're seeing is there has to be more focus. It's almost like these romance scams need to enter the world of spearfishing. Because the volume has gone way down, they have to be a lot more clean with what they're doing. They're employing whatever tactics that they can to make that better.
The history is still switch tactics whenever that's appropriate, and the old tactics stop working.
We've been talking more on the technology-ish side of things. What advice would you give for users of platforms, whether it's specific to dating apps or more broad? What should they be watching out for?
I think you talked to one about anytime someone's trying to get you to switch platforms, that's a potential red flag, but not always. There are people that initiate with me on Skype, and I can't stand messaging on Skype, like, “Get me over to email, please.”
Jason: I think that it has to do with where you place your trust and why. If you're on a specific targeted dating app, there are a bunch of apps out there, Christian Singles, SilverSingles. There are a lot of these that are out there that are focused on particular whatever aspect of your life. Don't immediately assume that you trust that app. Just because they have multi-factor authentication, doesn't mean a scammer isn't the one sending you the message. I think that's a really important thing.Don't immediately assume that you trust that app. Just because they have multi-factor authentication, doesn't mean a scammer isn't the one sending you the message. -Jason Kent Click To Tweet
Until you've met these people and until you know them, it's important to understand that there could very well be a 12-year-old girl sitting there typing that message. Just try to keep that in mind. If you put too much trust in the platform that it carries to the person talking to you, consider throttling that back.If you put too much trust in the platform that it carries to the person talking to you, consider throttling that back. -Jason Kent Click To Tweet
Will: I would add one thing to that, Jason, that I totally agree with. It's the analogy of to outrun a bear, you don't need to outrun the bear, just outrun your friend. Whatever features a company offers you to take from a security perspective, like second-factor authentication, like an email notification when you log in, or when you do anything in the platform, take advantage of them, enable them. It's so simple.
It should always exist. Let's approach it from the mentality of let's be grateful for the company that offers that feature. You can leverage it, take advantage of it, and outrun your friend. Your friend will be caught by the bear. Do that and make yourself a little bit more safe.Whatever features a company offers you to take from a security perspective, like second-factor authentication, like an email notification when you log in, or when you do anything in the platform, take advantage of them, enable… Click To Tweet
I think companies are getting better at it. I travel internationally on a semi-regular basis. On this last trip, I got way more notifications via email of, “Hey, we detected a login that we're not really sure about.” I was pestered more than normal on two-factor authentication, or we need you to jump through these extra hoops.
Pleasantly annoyed is probably the right answer. I'm annoyed that I'm getting pestered with these things, but it's really neat to start to see that, “OK, this didn't happen last time I traveled. Someone has ratcheted up their security a notch.” They haven't made the experience so horrible that I won't use what I was using while I was traveling.
Will: A minor caveat on that. If in the middle of the night you are getting spammed by second-factor authentication, push notifications, or text, do not answer and do not click acknowledge, because it's not you.
Jason: And your password's been compromised.
Will: Yeah, wake up and do something about it.
Yeah. I feel bad when people get compromised accounts. It's an absolute nightmare. Any parting advice, resources you'd want to point people to as we wrap up our discussion today?
Jason: If you just google cuffing on the FTC's website, you'll see a lot of what the historical scammers have done. Many of those things are the things they're going to try. I mentioned a few of them, moving to chat or whatever, but there are other ones in there.
The statistics around how much money they get when they win are pretty staggering. Really understand that you should learn about this. If you're going to be using these platforms, you should understand what kind of scams come out of them. You can recognize them a lot more easily that way.
That's a good point. I don't know what I have specifically talked about or recommended to people, if you've decided that you want to buy stuff from classified ads, you need to start researching about all the classified ad scams. That's actually really good advice.
If you're going to start going on dating apps, you need to research all the dating app scams. If you're going to go into photography, you need to figure out what all the photography-related scams are because they're going to try to take advantage of people that are new to that vertical.
Will: I have no better advice than that. That was a good one. We'll just keep trying to do what we do to keep the scammers away as much as we can.
I appreciate that there's so much work going on on the automated side, on the back ends of these platforms, to keep things at bay when it's orders of magnitude.
Will: Orders of magnitude, really hard-working people working on this problem. I’ve got to give a shoutout to everyone, not just my own team, but all of our partners we work with on the various security teams of our clients. It's a grind. Really hard-working people trying to keep people safe. Keep on keeping on.
Awesome. If people want to find you guys online, where can they find you? Or do you not want to be found?
Jason: No, we love to be found. We are at Cequence Security, www.cequence.ai. Or you can just google API security. We usually come up there. We have an entire platform that's dedicated to API security.
That's awesome. Thank you so much for coming on the Easy Prey Podcast today.
Jason: I appreciate it. Thanks.
Will: Thank you, Chris.