The Audit - Cybersecurity Podcast

Cybersecurity News: Vikings Vishing Lost $240K, Scattered Spider & F1 Racing

IT Audit Labs

Dallas Turner's $240,000 fraud loss isn't just celebrity news—it's a wake-up call for anyone with a bank account. When even NFL linebackers fall victim to social engineering, what does that mean for the rest of us? 

In this episode of The Audit, co-hosts Joshua Schmidt, Eric Brown, and Nick Mellem break down the sophisticated tactics behind this massive financial fraud and reveal why help desk vulnerabilities are becoming cybercriminals' favorite attack vector. From Scattered Spider's multi-industry campaigns to the unexpected cybersecurity challenges facing Formula 1 racing, this episode covers the evolving threats that no security professional can afford to ignore. 

🎯 Key Topics Covered:

  • How banking impersonation scams work and red flags to watch for  
  • Why Scattered Spider targets help desks and how to defend against it  
  • The surprising cybersecurity risks in high-speed Formula 1 racing  
  • Practical steps to protect yourself from social engineering attacks  
  • Why MFA fatigue is becoming a serious security vulnerability 

Don't let social engineering catch you off guard. The tactics that fooled a professional athlete could easily target your organization next. 

#cybersecurity #socialengineering #scatteredspider #financialfraud #infosec 

Speaker 1:

We are going live. You are listening to The Audit, presented by IT Audit Labs. My name is Joshua Schmidt, your co-host and producer. Today we're joined by the usual suspects, Eric Brown and Nick Mellum. How are you guys doing today? Fantastic. Eric, you don't look like you're in the office today. Are you at an undisclosed location?

Speaker 2:

I am at an undisclosed location up north getting ready for a little lake time.

Speaker 1:

Nice. Well, let's jump right into it so Eric can get back out to sunbathing on the dock. We're doing a news episode. Obviously, we've got the first article pulled up here, coming straight from the Vikings linebacker Dallas Turner. Call him Diamond Dallas Turner. "Dallas Turner lost $240K in financial fraud scheme." That's no small amount. We've all heard about friends and family and grandparents losing tens of thousands of dollars, but a quarter mil is nothing to slouch at. So let's see what it says here. Eagan, Minnesota: Minnesota Vikings outside linebacker Dallas Turner was targeted in an alleged financial fraud scheme that cost him about $240,000, according to local authorities. Sergeant Rich Evans confirmed Thursday that the Eagan Police Department was actively investigating the case.

Speaker 2:

Josh, I hate to see these things. This is happening all over the place, at larger amounts and smaller amounts than this, but it really comes down to, unfortunately, the individuals just maybe being unaware that this attack could happen. We've seen these types of things happen in the professional space, where you'll have malicious actors that are just out there, they're waiting, they're watching, they have access to open source intelligence gathering, information, so things that are publicly available, like contract dates and vendors that are awarded contracts, and then it's easy to just slip in and socially engineer one side of that transaction, so the side where the money is going to be transferred from. And there's a couple of recent examples in Minnesota, a really large deal a couple of years back with the city of Cottage Grove, where the city of Cottage Grove, I think it was a sewage contract, over $1 million, I believe, was socially engineered. But you really hate to see these things.

Speaker 3:

I think one of the most unfortunate things when I see this and I saw this pop up on my ESPN app a couple of nights ago and just right away you feel for him. But one of the most unfortunate things is you choose a bank and you do business with this bank and you think it's somebody you can trust. So I'm assuming they figured out who his bank was right and they call him and they try to give friendly advice. So it's tough when you think you can trust somebody but you're deceived by a bad actor that's posing as them.

Speaker 2:

It takes me back to the work we were doing with the executives. So the service offering that we've got, where we'll help executives and high net worth individuals with education around something like this, where we come in, do an assessment with their family and be that point of contact, because, as you know, this sort of thing just continues to happen. And then when you introduce the grandparent scheme, where little Johnny is on vacation in Mexico and then allegedly gets kidnapped and calls the grandmother for money, all of those sorts of things of how do individuals protect themselves and their family, and largely it's with knowledge of what do we do in a scenario like this. I would think that level of education, if I'm investing millions of dollars in a bank, I want that banker to sit me down and have that cyber conversation.

Speaker 1:

What would be some other red flags, Eric, that might jump out at you if you all of a sudden get a call from your bank and they're like, hey, Eric, we got to switch this money, we got to send this over here. You know, here's the route, what's the routing number, and blah, blah, blah.

Speaker 2:

If I get any sort of call that seems time sensitive or financially sensitive, I'm not going to react to that call. Probably just going to hang up, right, and I'm not going to deal with it, because there is nothing going on that is that time sensitive from a transaction standpoint.

Speaker 1:

Slowing down. Don't hit the panic button.

Speaker 3:

You took the words right out of my mouth, Josh. We need to encourage people to take a beat, slow it down, and if this person's calling you, judge their sense of urgency. If they're calling and they're frantic, "You got to do this, you got to do that, don't miss this opportunity," feeding you this line. Like Eric said, nothing's that urgent. You can call them back, think about it, talk to your spouse or, whatever the case is, call your financial advisor, et cetera, et cetera. Before anything else, before you proceed, especially with this, I mean with any sum of money, but we're talking big numbers here.

Speaker 1:

Phone a friend. Ask someone like your spouse or something like does this make sense?

Speaker 3:

When we see it too, in the space too. When we worked on a case a number of years ago, a specific organization, their controller was sending money to an overseas organization, thinking that the owner of the organization was investing in these organizations, and she had full control, obviously, as the controller. She was social engineered. Turns out it was half a million dollars she had sent over, and you know we had to work with the FBI on that. But another situation where somebody that should be trusted within the organization had worked there for almost 30 years, and you know, couldn't do anything about it.

Speaker 2:

The malicious actors are always watching, no matter who you are, what you're doing, the size of your company, and looking for that opportunity. So it comes down to education. Right, having that conversation as somebody comes on board of, like, these are the things that could happen, and I'll never ask you for a gift card. If it comes up, then we need to talk about it. If you don't hear from me directly, then it didn't happen. At the family level, you could have certain words or phrases; in this particular case, it could have been something that he set up with his banker.

Speaker 2:

When we go into the homes and the lives of these high net worth individuals, sitting down and talking with their children about, you're playing online, you're playing Minecraft, you're playing an online game where you're interacting with people. Those people that you're interacting with could be malicious actors. Right, they can use voice changers. They can impersonate different people of different ages, and it's really unfortunate to have to tell children that not everybody you meet is honest and people could be trying to deceive you to get to your family member for social or economic reasons or political reasons or whatever conversations, and letting the families know that, yes, your mother, father, whatever, is in this high profile position and you could absolutely be a target.

Speaker 1:

I think the takeaway here is, regardless of whether you're a Diamond Dallas Turner, a linebacker for the Vikings, or you're just Joe Smith from Minnesota, take a beat and make sure you know. Lock your credit. Take your time. If you do get suspicious calls, slow down, talk to your bank.

Speaker 2:

I'm going to just say, because this is one of my favorite topics here, personal information security, regardless. Right, it doesn't matter if you're a high net worth individual or you're just the guy or gal down the street. There are things that you can absolutely do to protect yourself and make it more difficult for the malicious actors to attack you. Right, if you're posting on social media, don't post that you're, you know, in Mexico for the next two weeks and make your home a target. Don't put your address in the social media posts.

Speaker 3:

So make sure you're using MFA. You know, you don't think on Facebook you need MFA. You absolutely do. Secondly, when you're posting to social media, maybe wait until you get back from your trip. I know everybody's got to do it right now, like they want everybody to see they're on the beach in Jamaica, right, they just did whatever, had a great day, and that's awesome, like, share that stuff. Wait till the week you got home, so they know your house isn't vacant, whatever the case is, so wait till you get home.

Speaker 1:

Yeah, my wife and I went to Hawaii in 2018 and there were some great pictures, and we refrained from posting anything online, and you know what, everything was fine when I got back. You know, no one cares. It's actually kind of liberating because, you know, those were just for us, you know, and I still haven't shared them, and yeah, that's what they're for. Then we don't need to have everyone checking those out. Yeah, let's pivot over to this next article, because it is part of the same conversation around social engineering and phishing. This is coming from Cybersecurity Dive: "Scattered Spider poses serious risk to several hundred major companies. A new report shows that a select group of large companies use technologies that the hacker group often targets." The cybercrime group Scattered Spider's tactics put a group of roughly 300 major companies at heightened risk of attack, according to a new report from security firm CyberCube. So I wanted to kick it over to you guys and ask, you know, why is the help desk such an approachable vector for this type of campaign?

Speaker 3:

There's so many things we could dig in on this. I think, especially for these large organizations, the help desk is always going to be a target because of the volume that they're dealing with. They're getting so many tickets every day from so many people, and you know this is not necessarily a bad thing. But when you work at these large organizations, we've talked about before, you know, you kind of become a barcode. But they're always going to be big targets for those reasons, social engineering, because they're easy targets to get information from.

Speaker 3:

You know, you could even call the help desk and ask, how long does my password need to be? Do I need special characters, right? You start to, like, fine tune and funnel this information out. But I also want to just shine a light on how important it is not only to train the service desk but the people at the organization that might be calling. You know, the phone call can go both ways, right, if you're calling to a help desk or the help desk is calling you. I've been a part of hundreds of social engineering exercises, and I think the numbers probably tipped at probably 70% I've used, I act as a service desk. I call them as a service desk, extracting information. Hey, we're operating to

Speaker 3:

Windows 11, whatever your pretext is, and we also see that your password hasn't been updated in over 90 days. We're having an issue there, whatever you decide. These are things that are happening, that you need to train your people in your organization that, you know, if that's really the case, you don't need to answer that information. You could say, hey, let's hang up, I'll call you back. I'm going to call my service desk, and whoever answers that, I'm going to verify this information. The training goes both ways. Here they're mainly targeting actual service desks to get information, but to my point, it goes both ways. We need to train the service desk, but train our individuals that are going to either receive a call from a service desk or call into a service desk.

Speaker 2:

keep hitting that prompt, and then on your phone you get the notification of accept or decline from the MFA prompt, and normally that would be a red flag, where you get that notification and if you didn't request to log in somewhere, then there's something fraudulent happening. Somebody has your creds and is trying to use your account to gain access. Some people are just hitting accept because they're just getting so many notifications and they want the notifications to stop. You're out to dinner or whatever. It is just like, yeah, accept, stop, which is, of course, the wrong thing to do, but it obviously works because it's an attack vector that they use. And the modern authentication with MFA, you've probably seen it where it asks you to input a number. So you get sent a number and you have to put the number in, and the purpose of that was to stop the MFA fatigue.

Speaker 1:

So one of the things I found interesting about Scattered Spider, and this makes a whole lot of sense, they're bouncing between industries, and I would assume that's because there's an awareness within each industry. If it's airlines, by the time the airline, other companies catch up, hey, this is happening to Delta or American Airlines, there's some little bit of talking going on there about what's happening in that industry, that they're already onto the insurance company or the next thing. So if only 2% of these major companies made the high risk list, what are the 98% doing right, and what should those 2% be doing to kind of fortify their security, to prevent being attacked by a major operation like Scattered Spider?

Speaker 3:

To me it's because it hasn't been reported yet. The problem's on the way. It's banging up against the doorstep right now. The problem is we're always so reactive and defensive. We need to be offensive. We need to get out in front of these problems, start talking in front of these problems. Start talking, you know, and we've talked about it many episodes ago, about getting your security team, getting your IT team out of that back room, educating the staff, walking around the facility. Like, you know, let's say you work at a manufacturing plant. You know, pick a day of the week and have one of your guys walking around talking to people. They should know who the IT people are so they can go talk to them about these issues.

Speaker 3:

Like, there's so many different ways we could solve these problems besides just sending out a newsletter, which is great, we do highly recommend using tactics like that. But get, you know, don't just have one of your guys. Send even your most junior service desk guy out there. Start shaking hands, educating people on things that they're seeing around the industry, 'cause a lot of people are generally interested, right, 'cause they see this at home. They want to know and understand. Um, but not only that, you could turn around and educate people about their home life and, in return, if they care about that, they're going to care about what's happening at work, right, because they don't want to be the problem. That F1 movie's out with Brad Pitt, summertime best movie in America, biggest movie in America.

Speaker 1:

So I thought we'd bring this into the conversation today and just talk about something fun, for, you know, instead of all the serious stuff we, uh, like to doom and gloom. In the fast-paced, technologically advanced world of Formula One racing, where every millisecond counts, the competition is fierce. The latest tech collaboration between Williams F1 team and Keeper highlights the critical role of cybersecurity in safeguarding top race teams' operations and strategies. So there's a lot of telemetry data happening. Ostensibly, they're collecting tons of info, and there's a team of people, you know, analyzing that in real time to help make decisions about, well, you take it from there, Nick. What would you? You're a Formula One fan. What would the data be used for?

Speaker 3:

These big organizations that are having these problems that we talked about in the last article, same thing, your spotlight's coming on. There's more technology going to these cars. Every year new standards come into the cars. There's thousands of sensors in there and they're getting the data right away, and that could allow another team to get a leg up on them. But it could also allow a threat actor maybe to get into the comms. It doesn't necessarily make it any different than what we're dealing with in our organizations. They're dealing with the same kind of problem, social engineering and everything else that we're looking at.

Speaker 3:

But the ecosystems of these races, I think one of the problems is always going to be the logistical nightmare of the sport. When I first started watching Formula One, a way long time ago, there were maybe 10, 12 races a year. They were a couple of weeks spread out, so you might have one or two races a month. Now you have 22, 23, 24 races, where they're going somewhere new every year, and these races aren't close. They're in different countries, so they've got to get two cars, their whole team, their infrastructure moved within a week. Formula One has the FIA, which is their governing body, and they are having issues. I think they had a ransomware attack three years ago, so it's a big problem.

Speaker 2:

I was going to ask you what's the fastest way to become a millionaire in Formula One? Win baby. Start out as a billionaire. That's fair.

Speaker 1:

That's fair. So you mentioned, Nick, there's like tons of races. I think there's 22 countries, 24 races annually. So how do they keep continuity in their cybersecurity posture when they're moving?

Speaker 3:

So good standards, constant training, and rinse and repeat, but pushing the envelope on what they're doing, best practices, bringing in third parties to do those audits and exercises against these systems. And it's a similar thing to the FIA, which is overseeing all these teams. It's probably coming to a point now where they need to step in and implement standards for cybersecurity because of all the technology and money that's coming into the space. Right, you need to have a governing body. We have governing bodies for everything that we do, whether it's local government, federal government, smaller, big organizations. They are all following guidelines to something they do within their industry. Your original question, Josh. Yeah, I think it's partnering with strong people, using third parties to do tabletop exercises, to do audits, to do penetration testing, and rinse and repeat, and make sure that you set those standards from the FIA because of the logistics.

Speaker 1:

I'll kick this one over to Eric. The article mentions that OT/IT convergence or F1 cyber attacks could potentially lead to physical harm, like Nick just mentioned, and driver safety issues. What kind of attack would create something like that?

Speaker 2:

It really just comes down to the basics, and F1 is no different than another type of organization that's going to be moving protected data in a secure way. Um, and their teams know what they're doing, and if not, give us a call, we'll send Nick over.

Speaker 3:

It sounds like he's ready to go. You know, if I could, you know, make sure they call me around the May time frame, because that's when Monaco is. And, you know, see, I don't like the Monaco track.

Speaker 2:

I'm gonna have a real problem with it.

Speaker 3:

It's the most legendary, right? I will, under the lights at Bahrain.

Speaker 2:

Okay, I'm with you on Bahrain. Monaco, it's like, I don't know. Everybody get in line, nobody passes.

Speaker 3:

It's the historic track. You got the yachts pulling up, right. The streets are this tight. You know, you got no.

Speaker 1:

What ESPN or cable package do you guys have to watch Formula 1?

Speaker 3:

It's on ESPN right now. Okay, I mean, always it was on, uh, you, or going forward, rather, uh, you're gonna have to buy F1 TV, for my understanding, because ESPN is not going to re-up the contract, because I think Sky network overseas, um, owns the rights to F1, is my understanding.

Speaker 1:

I had to buy about three different subscriptions just to watch the Timberwolves play the playoffs. It was a nightmare. And then I had like Fubo and I had like ESPN and HBO Max, and then I'm like, still can't watch the game.

Speaker 3:

And I think the Formula One races might be on HBO Max right now too. I watch them on ESPN, so whatever package.

Speaker 1:

And just like that we're back to cable packages.

Speaker 3:

F1 TV. People want to come here because they like this, Josh. They want to know about F1, right, they're getting into it. They watch the series.

Speaker 1:

Speaking of race driving, I know you're expecting, Nick. Have you plotted out the fastest path to the hospital? Are you going to do a little F1?

Speaker 3:

It's funny you bring that up. Yeah, I'm ready to go. Uh, I've practiced the track to the hospital. I'm ready to go, using the shoulders, jumping the, you know, all getting over there Texas style.

Speaker 1:

Yeah, so right across the median.

Speaker 3:

Oh man, we're in for it, we're in for it. Yep, we're good, and I think too, just what gets me there, the most luxurious couch in the country, those hospital couches that you sleep on for double nights. I'm looking forward to it. It's like a vacation, all right.

Speaker 1:

We're rooting for you, buddy, and congratulations again, and, Eric, hope you enjoy the rest of your time at your undisclosed location. So thanks so much for joining us live today. We will be publishing this full-length episode and some shorts and some snippets from this on our YouTube channel. If you haven't yet, please like, subscribe and share. We've also got video on Spotify, and you can source us wherever you get your podcasts. So unless you guys have anything else to add about Formula One, I will leave it there.

Speaker 2:

Well, I was just wondering, Nick, did we hit the numbers for the party? Otherwise, is there a shaving event that's happening?

Speaker 3:

Oh well, just as long as we've got the 10 people there, we're good.

Speaker 1:

We can have a little burnout party after, a little burn some tires, light some fires.

Speaker 3:

But get some Motley Crue going and we're ready to go.

Speaker 1:

All right, guys. Well, thanks for your time today. You've been listening to The Audit, presented by IT Audit Labs. I'm Joshua Schmidt. You've been joined by Eric Brown and Nick Mellum. Please like, share and subscribe, and we'll see you in the next one.

Speaker 2:

You have been listening to The Audit, presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J Schmidt, and our audio-video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you source your security content.