The Future of the Con Is Already Here, It’s Just Not Evenly Distributed

骗局的未来已至，只是尚未普及

The Set-Up 布局

Johnny Hooker: Sometime after 2:00, a guy’s gonna call on that phone there and give you the name of a horse. Imagine yourself, perhaps a typically-well-paid, tech-savvy professional, on the job hunt. You’ve been looking for a while with no luck; the market just sucks right now. A recruiter reaches out on LinkedIn, and it seems to be a perfect opportunity, tailored exactly to your best skills. The company is one you’ve heard about; it’s known to be a great place to work. They also pay pretty well compared to your previous job. Of course you’re quite stoked, and agree to some interviews. You have an initial screening call that seems to go well. They mention that their interviews are under a standard, simple NDA and promise to send it to you over one of those legaltech SaaS startup platforms. You get the email, and after signing in to their enterprise SSO, you see what is, yep, a pretty simple NDA, and sign it. The interviews go great. The interviewers are warm, welcoming, and you look forward to getting to work with them more. Everything they say about the company sounds amazing. And then you get the bad news: someone else got the job. Oh well. They did, however, enjoy talking to you and might reach out for future similar opportunities. Anyway, back to the grind. Six months later, you learn this was all a scam. Your identity has been stolen, and thousands have been spent on credit cards opened in your name. Your brokerage account has been partially drained. It’s going to take months to disentangle this, and you’re likely not going to get everything back. To top it all off, you have lost access to your email and many other online accounts. As you are discovering this, you’re still bewildered as to how this happened. You never expected this type of thing to happen to you; you’re well versed with keeping yourself secure on the internet and not prone to common scams.

强尼·胡克（Johnny Hooker）：两点过后，会有人打那个电话告诉你一匹马的名字。想象一下，你是一位薪水不错、精通技术的专业人士，正在找工作。你找了一段时间却毫无进展；现在的就业市场简直糟透了。这时，一位招聘人员在 LinkedIn 上联系了你，这看起来是一个完美的机会，完全契合你的核心技能。这家公司你听说过，以工作环境优越著称。相比你上一份工作，他们的薪水也相当可观。你当然很兴奋，并同意参加面试。初步筛选电话进行得很顺利。他们提到面试需要签署一份标准、简单的保密协议（NDA），并承诺通过某个法律科技 SaaS 创业平台发送给你。你收到了邮件，在登录他们的企业 SSO 后，你看到了一份确实很简单的 NDA，于是签了字。面试过程非常棒。面试官热情友好，你很期待能与他们共事。他们所说的一切听起来都令人向往。然而，你收到了坏消息：别人得到了这份工作。好吧。不过，他们表示很享受与你的交谈，未来有类似机会可能会再联系你。总之，继续努力吧。六个月后，你发现这一切都是一场骗局。你的身份被盗，以你名义开通的信用卡被刷走了数千美元。你的证券账户也被洗劫了一部分。你需要花费数月时间来处理这些烂摊子，而且很可能无法挽回所有损失。最糟糕的是，你失去了对电子邮件和其他许多在线账户的访问权限。当你发现这一切时，你仍然感到困惑：这到底是怎么发生的？你从未想过这种事会发生在自己身上；你深谙网络安全之道，本不该轻易掉入常见的骗局。

The Hook 诱饵

Henry Gondorff: You can’t do it alone, you know. It takes a mob of guys like you and enough money to make them look good. The point of attack was the login to the NDA signing platform. You chose to use a “sign in with ” login when you had to create an account, and it sent you through a realistic-looking login flow: a real Google/iCloud page, perhaps with your email already filled in. When you logged in to this site they used your entered password and subsequent “tap yes on your device” 2FA flow to log in to your account on their end (saving the session cookies), and made it look like a successful login on your end. The attackers kept this undetected access and monitored your patterns, looking for ways to exploit it. They disabled your smoke detectors before setting off any fires: pre-filtering alert emails from accounts they intended to hit, so warnings never reached you. They downloaded all of your cloud files and used the account to log in to various other sites. They used everything they knew about you to open credit cards in your name. The interview and rejection after the compromise were theater — keeping you from getting suspicious so that they could hold on to your credentials longer. This is pretty scary already, but it gets worse: they managed to drain funds. This is hard: modern financial systems have a lot of protection against hijacked accounts. Most scams targeting money involve convincing someone to voluntarily transfer money in an irreversible or untraceable way, and a tech-savvy professional is less likely to be the target of that. But it’s still possible for a scammer to take money from you with their level of access in a way that lets them keep that money and avoid detection until it’s too late. Someone with persistent, undetected access to your email and accounts may notice, for example, that you have paycheck money autotransferring to a brokerage account that you don’t seem to touch or log in to often. They might gain access to it by resetting your password, and then add a transfer account, maybe establishing a pattern of usage making small transfers. Eventually, they transfer the funds out, timed so you won’t notice for a while, in a way that’s hard to trace. Maybe they can wait for you to be on vacation, because they know when that is: they have your calendar! After they’re all done and think the scam will be detected soon anyway, they lock you out of your accounts to make it harder for you to piece together what happened. Yeah … all of that sounds possible. It’s also a lot of effort, needing multiple people coordinating and monitoring things, for a payoff that might not happen. Feels unlikely, right? Well, I left out one part. This entire attack was orchestrated and carried out by an LLM. An LLM which could research everything about you and craft a tailored attack. An LLM that could put together all the things that would be needed to make this seem plausible (a LinkedIn account, a fake document signing website, a plausible-looking domain to send emails from), and synthesize all text, audio and video interactions. An LLM which, after gaining access to your account, could monitor it and find the best ways to make use of that access, whether it be worming its way into your brokerage, racking up huge cloud spends on AWS, taking all your crypto, or even ransoming your decades of precious data from your now-stolen, likely-wiped Google account. And the job hunt was incidental. The interview was the scam that fit you; a plausible way to hook you in based on what the scammers knew about you. For someone else, it might be a scary call from the police, a relative asking for help, an email from their bank, or a slow-burn romance. The pretext changes each time, but the machinery behind it is the same.

亨利·贡多夫（Henry Gondorff）：你知道，你一个人是干不成的。这需要像你这样的一群人，还要有足够的钱来包装。攻击的切入点是那个 NDA 签署平台的登录环节。当你需要创建账户时，你选择了“使用 <服务> 登录”，它引导你进入了一个看起来非常真实的登录流程：一个真正的 Google/iCloud 页面，甚至可能已经填好了你的邮箱。当你登录该网站时，他们利用你输入的密码以及随后的“在设备上点击确认”的双重验证（2FA）流程，在他们那边登录了你的账户（并保存了会话 Cookie），同时让你这边看起来像是登录成功。攻击者保持这种未被察觉的访问权限，监控你的行为模式，寻找利用机会。他们在放火前先拆除了你的烟雾报警器：预先过滤掉来自他们打算攻击的账户的提醒邮件，这样你就永远收不到警告。他们下载了你所有的云端文件，并利用该账户登录其他各种网站。他们利用关于你的一切信息以你的名义开通信用卡。妥协后的面试和拒绝都是一场戏——为了让你不产生怀疑，从而让他们能更长时间地持有你的凭证。这已经很可怕了，但更糟糕的是：他们成功地转走了资金。这很难做到：现代金融系统对被劫持的账户有很强的保护措施。大多数针对金钱的骗局涉及诱导受害者自愿进行不可逆或无法追踪的转账，而精通技术的专业人士不太可能成为这类骗局的目标。但如果骗子拥有这种级别的访问权限，他们依然可能以一种既能保住钱又能逃避侦测的方式从你这里拿走资金，直到为时已晚。一个对你的电子邮件和账户拥有持续、未被察觉访问权限的人，可能会注意到，例如，你的工资会自动转入一个你似乎很少触碰或登录的证券账户。他们可以通过重置密码获得该账户的访问权限，然后添加一个转账账户，甚至建立一种小额转账的使用模式。最终，他们会将资金转出，并精心选择时间，让你在一段时间内无法察觉，且难以追踪。也许他们会等你度假时下手，因为他们知道你的行程：他们有你的日历！当一切完成后，或者他们认为骗局很快会被发现时，他们会锁定你的账户，让你更难拼凑出发生了什么。是的……这一切听起来都有可能。但这需要大量的工作，需要多人协调和监控，而且回报还不一定能实现。感觉不太可能，对吧？好吧，我漏掉了一点。整个攻击是由一个大语言模型（LLM）策划并执行的。这个 LLM 可以研究关于你的一切，并精心策划一场量身定制的攻击。它能整合所有让骗局看起来可信的要素（LinkedIn 账户、虚假的文档签署网站、看起来可信的发送邮件域名），并合成所有的文本、音频和视频互动。这个 LLM 在获得你的账户访问权限后，可以监控它并找到利用该权限的最佳方式，无论是渗透进你的证券账户、在 AWS 上产生巨额云服务费用、卷走你所有的加密货币，还是勒索你那被盗且很可能已被清空的 Google 账户中几十年的珍贵数据。而找工作只是个幌子。面试只是适合你的骗局；基于骗子对你的了解，这是一种让你上钩的可信方式。对于其他人，这可能是来自警方的恐吓电话、亲戚求助、银行邮件，或者是一场温水煮青蛙的网恋。借口每次都在变，但背后的机器却是一样的。

The Tale 故事

Henry Gondorff: It’s not like playing winos in the street. You can’t outrun Lonnegan. For quite a while now, you could broadly categorize scams into two buckets: cheap, easy-to-run spray-and-pray scams hoping to ensnare the less savvy; and expensive, targeted scams, aimed at people with…

亨利·贡多夫（Henry Gondorff）：这可不像在街上骗那些酒鬼。你跑不过朗尼根（Lonnegan）。长期以来，你可以将骗局大致分为两类：一类是廉价、易于操作的“广撒网”式骗局，旨在诱捕那些不太精明的人；另一类是昂贵的、针对性的骗局，目标是那些拥有……的人。