Posts

How a $400,000 lobster theft exposed the hidden security gaps in modern logistics


By Skeeter Wesinger

January 5, 2026


Earlier this month, thieves made off with roughly $400,000 worth of lobster from a Massachusetts facility. The seafood was never supposed to vanish; it was en route to Costco locations in the Midwest. Instead, it became the prize in a carefully staged deception that blended cyber impersonation, procedural blind spots, and physical-world confidence tricks.

This was not a smash-and-grab. It was a systems failure.

The operation began quietly, with a lookalike email domain that closely resembled that of a legitimate trucking company. To most humans, and to most workflows, that was enough. The email looked right, sounded right, and fit neatly into an existing logistics conversation. No servers were hacked. No passwords were cracked. The attackers didn’t break in; they were let in.

Modern organizations often believe that email authentication technologies protect them from impersonation. They do not, at least not from this kind. SPF, DKIM, and DMARC can confirm that a message was authorized by the domain in its From header; they cannot tell you whether that domain is the carrier you actually booked. A lookalike domain registered last week, with its own SPF record and DKIM key, passes DMARC just as cleanly as the real company. The gap between technical validation and human trust remains wide, and that gap was the attackers’ point of entry.
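The check that closes that gap runs after DMARC, not instead of it: compare the sender's domain with the carriers already verified out of band, and treat a near-miss as impersonation even when authentication passes. The script below is an added example, not code from the original post or from any company involved in the theft; the carrier domains, the sample message and its Authentication-Results header are constructed.

```python
"""Carrier-domain check for inbound logistics e-mail.

Added example, not code from the original post or from any party named in it.
SPF, DKIM and DMARC establish that a message was authorised by the domain in
its From: header.  They say nothing about whether that domain is the carrier
the shipper actually booked, so this check runs *after* DMARC: it compares the
sender's domain with a list of carriers already verified out of band and flags
near-misses.  All domains here are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: carrier domains the shipper verified by phone or
# contract, never learned from an inbound e-mail thread.
CARRIERS_ON_FILE = {"northstar-freight.example", "bluewater-trucking.example"}

# Characters commonly substituted when registering a lookalike domain.
_CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalize(domain: str) -> str:
    """Fold common homoglyph tricks so 'n0rthstar' compares equal to 'northstar'."""
    d = domain.strip().lower().rstrip(".").translate(_CONFUSABLE)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dmarc_result(msg) -> str:
    """Read the receiving MTA's DMARC verdict from Authentication-Results."""
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def classify_sender(raw_message: str) -> dict:
    """Return the From: domain, the DMARC verdict and a trust verdict.

    known-carrier : exact match with a domain on file
    lookalike     : close to a domain on file; treat as impersonation
    unknown       : not on file; verify out of band before acting
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    result = {"domain": domain, "dmarc": dmarc_result(msg), "closest": None}
    if domain in CARRIERS_ON_FILE:
        result["verdict"] = "known-carrier"
        return result
    cand = normalize(domain)
    for known in sorted(CARRIERS_ON_FILE):
        kn = normalize(known)
        kn_label = kn.split(".")[0]
        # Same domain after homoglyph folding, a couple of typos away, or the
        # carrier's name buried inside a longer domain the attacker controls.
        if cand == kn or edit_distance(cand, kn) <= 2 or kn_label in cand:
            result.update(verdict="lookalike", closest=known)
            return result
    result["verdict"] = "unknown"
    return result


# Constructed sample: DMARC passes because the attacker controls the lookalike
# domain and published SPF/DKIM for it.  Authentication is fine; identity is not.
SAMPLE_LOOKALIKE = """\
Authentication-Results: mx.shipper.example; spf=pass; dkim=pass; dmarc=pass header.from=n0rthstar-freight.example
From: Dispatch <dispatch@n0rthstar-freight.example>
Subject: Re: Pickup window, lot 4417

Confirming pickup tomorrow 06:00. Truck and driver details attached.
"""

if __name__ == "__main__":
    print(classify_sender(SAMPLE_LOOKALIKE))
```

A "lookalike" or "unknown" verdict should not block the message; it should block the workflow step that changes a carrier, a bank account or a pickup window until someone has called the number already on file.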

Once inside the conversation, the criminals did what sophisticated attackers always do: they followed the process. They presented themselves as the selected carrier, responded on time, and matched expectations. Crucially, no one stopped to verify the change using a trusted, out-of-band channel—no phone call to a number already on file, no portal confirmation, no secondary check. The digital impersonation slid smoothly into operational reality.

The real turning point came at the loading dock. A tractor-trailer arrived bearing the branding of the legitimate company. The drivers carried paperwork and commercial licenses convincing enough to pass a quick inspection. Faced with routine procedures and time pressure, facility staff released the shipment. In that moment, digital deception became physical authorization.

This is where the incident stops being about phishing and starts being about trust. Visual cues, such as logos, uniforms, and familiar names, still function as de facto security controls in high-value logistics. They are also trivial to counterfeit. Without a strong shared secret, such as a one-time pickup code or an authorization token issued over a separate channel and checked at the dock, the chain of custody rests on appearances.
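What such a shared secret looks like in practice: the shipper issues a signed, single-use pickup code to the booked carrier through a channel already on file, and the dock releases cargo only when a valid, unexpired, unused code is presented for this shipment by this carrier. The code below is an added example of that design, not code from the original post or from any company involved; the key, shipment and carrier identifiers are constructed, and the class name is hypothetical.

```python
"""One-time pickup codes for a loading dock.

Added example, not code from the original post or any company in it.  The
shipper issues a code to the booked carrier over a channel already on file
(a phone number, a carrier portal), and the dock releases cargo only when a
valid, unexpired, unused code is presented for this shipment by this carrier.
Branding, paperwork and a confident driver are not inputs to the decision.
Identifiers and keys are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time


class PickupAuthority:
    """Issues and redeems HMAC-signed, single-use pickup codes (hypothetical design)."""

    def __init__(self, key: bytes, now=time.time):
        self._key = key
        self._now = now                  # injectable clock so expiry can be tested
        self._redeemed: set[str] = set()

    def _tag(self, body: str) -> str:
        # 16 hex chars = 64 bits: ample for a code that lives hours and is
        # single-use, and short enough to read out over the phone.
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()[:16]

    def issue(self, shipment_id: str, carrier_id: str, ttl_seconds: int) -> str:
        """Bind shipment, carrier and pickup window into one signed code."""
        for field in (shipment_id, carrier_id):
            if not field or "." in field:
                raise ValueError("identifiers must be non-empty and must not contain '.'")
        expires = int(self._now()) + ttl_seconds
        nonce = secrets.token_hex(4)     # keeps two codes for the same window distinct
        body = f"{shipment_id}.{carrier_id}.{expires}.{nonce}"
        return f"{body}.{self._tag(body)}"

    def redeem(self, code: str, shipment_id: str, carrier_id: str) -> tuple[bool, str]:
        """Dock-side check.  Order matters: authenticate before trusting any field."""
        parts = code.strip().split(".")
        if len(parts) != 5:
            return False, "malformed"
        sid, cid, expires, _nonce, tag = parts
        body = ".".join(parts[:4])
        if not tag.isascii() or not hmac.compare_digest(tag, self._tag(body)):
            return False, "bad signature"
        if sid != shipment_id or cid != carrier_id:
            return False, "code is for a different shipment or carrier"
        if int(expires) < self._now():
            return False, "expired"
        if code in self._redeemed:
            return False, "already used"
        self._redeemed.add(code)
        return True, "released"


if __name__ == "__main__":
    dock = PickupAuthority(secrets.token_bytes(32))
    code = dock.issue("LOT-4417", "CARRIER-NORTHSTAR", ttl_seconds=4 * 3600)
    print("issued out of band:", code)
    print(dock.redeem(code, "LOT-4417", "CARRIER-NORTHSTAR"))   # first truck: released
    print(dock.redeem(code, "LOT-4417", "CARRIER-NORTHSTAR"))   # second truck: already used
```

The order of checks is the point: the signature is verified before any field in the code is believed, the code is bound to one shipment and one carrier so a genuine code cannot be reused against a different load, and the replay set means the branded truck that shows up second is refused even with a perfect copy of the first driver's paperwork.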

After the truck departed, the final safeguards failed just as quietly. GPS trackers were disabled, and their sudden silence did not trigger an immediate, decisive response. In security terms, there was no dead man’s switch. Loss of telemetry should itself have been the alarm; instead, escalation depended on someone noticing. By the time uncertainty turned into alarm, the window for recovery had likely closed.
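A dead man’s switch for shipment telemetry inverts the default: silence is an incident until a human says otherwise, and a tracker that comes back to life after an escalation does not quietly cancel it. The watchdog below is an added example, not code from the original post or from any tracking vendor; the thresholds, shipment IDs, positions and event names are constructed.

```python
"""Dead man's switch for shipment telemetry.

Added example, not code from the original post.  A tracker that stops
reporting is treated as an incident until a human clears it, rather than as
a gap someone may eventually notice.  Thresholds, shipment IDs, positions and
event names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

STALE_AFTER = 10 * 60      # seconds of silence before dispatch is paged
ESCALATE_AFTER = 20 * 60   # seconds of silence before the theft playbook runs
TAMPER_EVENTS = {"tamper", "power_off", "gps_jammed"}   # constructed event names


@dataclass
class ShipmentTrack:
    last_seen: float
    position: tuple[float, float]
    state: str = "ok"        # ok -> stale -> escalated (escalated is sticky)
    tamper: bool = False


class TelemetryWatchdog:
    def __init__(self) -> None:
        self.tracks: dict[str, ShipmentTrack] = {}

    def heartbeat(self, shipment_id: str, ts: float, position: tuple[float, float],
                  event: str | None = None) -> None:
        """Record a tracker report.  A report clears 'stale' but never 'escalated'."""
        t = self.tracks.setdefault(shipment_id, ShipmentTrack(ts, position))
        t.last_seen, t.position = ts, position
        if event in TAMPER_EVENTS:
            t.tamper = True      # the tracker's last words: escalate on next evaluate()
        elif t.state == "stale":
            t.state = "ok"       # a brief gap that recovered is not an incident

    def evaluate(self, now: float) -> list[str]:
        """Run periodically (e.g. every minute).  Returns the actions due now."""
        actions: list[str] = []
        for sid, t in self.tracks.items():
            if t.state == "escalated":
                continue         # already in the playbook; do not re-page
            silence = now - t.last_seen
            if t.tamper or silence >= ESCALATE_AFTER:
                t.state = "escalated"
                why = "tamper event" if t.tamper else f"{int(silence // 60)} min dark"
                actions.append(f"ESCALATE {sid}: {why}, last seen at {t.position}; "
                               "call carrier number on file, notify law enforcement")
            elif silence >= STALE_AFTER and t.state == "ok":
                t.state = "stale"
                actions.append(f"PAGE dispatch {sid}: no telemetry for {int(silence // 60)} min")
        return actions

    def acknowledge(self, shipment_id: str) -> None:
        """Only a human closes an escalation, e.g. after the driver is reached."""
        t = self.tracks[shipment_id]
        t.state, t.tamper = "ok", False


if __name__ == "__main__":
    wd = TelemetryWatchdog()
    wd.heartbeat("LOT-4417", 0.0, (41.64, -70.93))          # constructed timeline
    for minute in (5, 11, 15, 21):
        for action in wd.evaluate(minute * 60):
            print(f"t+{minute:02d}m  {action}")
    wd.heartbeat("LOT-4417", 22 * 60, (41.70, -70.80))      # tracker reappears
    print("state after tracker returns:", wd.tracks["LOT-4417"].state)
```

Two design choices carry the security weight: the escalation is sticky, so an attacker who re-enables the tracker after the diversion cannot silence the alarm, and a reported tamper or power-off event escalates immediately rather than waiting out the silence threshold.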

Logistics theft experts know this pattern well. The first hour after a diversion is decisive. Organized theft rings plan around confusion, delayed verification, and fragmented responsibility. Their confidence suggests experience, not luck.

The CEO of Rexing Cos., the logistics firm coordinating the shipment, later described the crime as “very sophisticated” and attributed it to a large criminal organization. That assessment aligns with the evidence. This was not a crime of opportunity. It was a repeatable playbook executed by people who understood how modern supply chains actually operate—not how they are diagrammed.

The most unsettling lesson of the lobster theft is that no single system failed catastrophically. Email worked. Scheduling worked. Dock operations worked. Tracking existed. Each layer functioned more or less as designed. The failure emerged in the seams between them.

Security professionals often say that attackers don’t exploit systems; they exploit assumptions. This incident is a case study in that truth. Every handoff assumed the previous step had already done the hard work of verification. Each trust decision compounded the last until six figures’ worth of cargo rolled away under false pretenses. Trust, but verify, to borrow the Russian proverb President Reagan made famous: “Doveryay, no proveryay.”

As supply chains become more digitized and more automated, it is tempting to treat logistics as paperwork and coordination rather than as critical identity infrastructure. This theft demonstrates the cost of that assumption. High-value goods move through a chain of identities—domains, vendors, drivers, vehicles—and each identity must be independently verified, not inferred.

The lobster didn’t disappear because the system was weak. It disappeared because the system was polite.

The Second Cold War now moves to the Caribbean

By Skeeter Wesinger

September 10, 2025

The Caribbean has once again become a stage for the rivalry of great powers. In Cuba, Chinese technicians and engineers have been working around the clock to expand a network of intelligence-gathering sites. Satellite photographs and on-the-ground accounts confirm the presence of large radar dishes and a new antenna array near Santiago de Cuba, along with several facilities west of Havana. These installations appear designed to intercept communications and track movements across the southeastern United States. Their placement recalls the old Soviet listening post at Lourdes, which for years operated as Moscow’s ear on Washington.

What makes the present moment different is that China has chosen to follow its land-based presence with a naval one. Reports now indicate that a Chinese aircraft carrier, accompanied by support vessels, is moving into Caribbean waters. The decision to send such a formation across the Pacific and into the approaches of the Americas is a first. The United States Navy remains stronger in every respect, but the symbolism is clear. A foreign fleet, commanded from Beijing, is operating in what for two centuries Americans have regarded as their own sphere.

The tensions with Venezuela lend further weight to this development. Caracas, under sanction and isolation from Washington, has cultivated close ties with both China and Russia. A Chinese carrier group near Venezuelan ports would strengthen the government there and complicate American policy. It would also demonstrate that the Monroe Doctrine, which has served as the guiding principle of U.S. policy in the hemisphere since 1823, is under direct test.

Technologically, the new Cuban installations may not represent the most advanced form of signals intelligence. Analysts note that a significant amount can be intercepted today through satellite and cyber networks. Yet, the presence of these bases, together with a Chinese fleet, alters the strategic picture. They indicate that Beijing seeks not only to contest American influence in Asia but also to place pressure on the United States close to home.

This pattern, of probing and counter-probing, of establishing footholds near the other’s shores, is one that recalls earlier periods of rivalry. The first Cold War played out along these lines, and it is in that sense that many observers now speak of a second. The Caribbean, once the flashpoint of the Cuban Missile Crisis, is again the scene of great-power maneuvering. For now, the balance of power remains unchanged. But the geography of the contest has shifted. America finds that its own neighborhood is no longer beyond the reach of its chief rival, and that the struggle of the new century may be fought not only in distant waters, but in the seas and islands that lie just off its southern coast. The words of Ronald Reagan resonate now more than ever: “Trust, but verify.”


Scattered Spider Attacks Again
By Skeeter Wesinger
July 2, 2025

In yet another brazen display of cyber subterfuge, Scattered Spider, the slick, shape-shifting cyber gang with a knack for con artistry, has struck again—this time sinking its fangs into Qantas Airways, compromising data on as many as six million unsuspecting customers. It wasn’t some arcane bit of code that cracked the system. It was human weakness, exploited like a well-worn key.
The breach targeted a third-party customer service platform, proving once again that it’s not always your network that gets hacked—it’s your vendor’s.
A Familiar Pattern, a New Victim
Qantas now joins the growing list of high-profile victims stalked by Scattered Spider, a crew whose previous hits include MGM Resorts, Caesars, Hawaiian Airlines, and WestJet. Their calling card? Social engineering at scale—not brute force, but charm, guile, and just enough personal data to sound like they belong.
They impersonate. They coax. They wear your company’s name like a mask—and by the time IT realizes what’s happened, they’re already inside.
This time, they walked away with customer names, emails, phone numbers, birthdates, and frequent flyer numbers. No passwords or payment data were accessed—Qantas was quick to say—but that’s cold comfort in an age when a birthday and an email address are all it takes to hijack your digital life.
“Trust, but Verify” Is Dead. Well, Sort Of.
Qantas CEO Vanessa Hudson issued the standard apology: support lines are open, regulators have been notified, the sky is still safe. But the real damage isn’t operational. It’s existential. Trust doesn’t come back easily, especially when it’s breached by a whisper, not a weapon.
“We used to worry about firewalls and phishing links,” one insider told me. “Now it’s your own help desk that opens the front door.”
Scattered Spider doesn’t hack computers. They hack people—call center agents, IT support staff, even security teams—using their own policies and training scripts against them. Their English is fluent. Their confidence is absolute. Their patience is weaponized.
The Breach Beneath the Breach
What’s truly alarming isn’t just that Scattered Spider got in. It’s how.
They exploited a third-party vendor, the soft underbelly of every corporate tech stack. While Qantas brags about airline safety and digital transformation, it was a remote call-center platform—likely underpaid, overworked, and under-secured—that cracked first.
We’ve heard this story before. Optus. Medibank. Latitude. The names change. The failures rhyme.
And the hackers? They have evolved.
The Next Call May Already Be Happening
Scattered Spider is a ghost in the wires—a gang of young, highly skilled social engineers, some rumored to be based in the U.S., operating like a twisted start-up. Their tools aren’t viruses—they’re LinkedIn, ZoomInfo, and your own onboarding documents.
What you can do is rethink your threat model. Because the enemy isn’t always a shadowy figure in a hoodie. Sometimes it’s a cheerful voice saying, “Hi, I’m calling from IT—can you verify your employee ID?”
By then, it’s already too late. Need to hire an expert? Call me.

Scattered Spider: Impersonation, and Cybersecurity in the Age of Cloud Computing

By Skeeter Wesinger
June 29, 2025

In an era where companies have moved their infrastructure to the cloud and outsourced much of their IT, one old-fashioned tactic still defeats the most modern defenses: impersonation.
At the center of this threat is Scattered Spider, a cybercriminal collective that doesn’t exploit code—they exploit people. Their operations are quiet, persuasive, and dangerously effective. Instead of smashing through firewalls, they impersonate trusted employees—often convincingly enough to fool help desks, bypass multi-factor authentication, and gain access to critical systems without ever tripping an alarm.
This is the cybersecurity challenge of our time. Not ransomware. Not zero-days. But trust itself.
Who Is Scattered Spider?
Known to threat intelligence teams as UNC3944, Muddled Libra, or 0ktapus, Scattered Spider is an English-speaking group that has compromised some of the most security-aware companies in North America. Their breaches at MGM Resorts and Caesars Entertainment made headlines—not because they used sophisticated malware, but because they didn’t have to.
Their weapon of choice is the phone call. A help desk technician receives a request from someone claiming to be a senior executive who lost their device. The impersonator is articulate, knowledgeable, and urgent. They know internal jargon. They cite real names. Sometimes, they even use AI-generated voices.
And too often, it works. The attacker gets the password reset, has MFA re-enrolled on a device they control, and slips in undetected.
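That sequence leaves a signature in identity-provider logs: a help-desk-initiated password reset, then a new MFA factor enrolled for the same account minutes later, often from a network the user has never logged in from. The correlation below is an added example, not code from the original post, from Qantas, or from any identity vendor; the event names, group names, IP addresses and timestamps are constructed and would need mapping onto your own IdP’s event types.

```python
"""Detecting a help-desk reset followed by a new MFA factor.

Added example, not code from the original post or any vendor.  Correlates a
help-desk-initiated password reset with an MFA factor enrolled for the same
account shortly afterwards, and raises severity when the enrolment comes from
an IP outside the user's baseline or the account is privileged.  Event names,
groups, IPs and timestamps are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)                                      # reset -> enrolment gap
PRIVILEGED_GROUPS = {"it-admins", "idp-super-admins", "security"}   # constructed group names


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_reset_then_enroll(events, baseline_ips, groups) -> list[dict]:
    """Correlate help-desk resets with MFA enrolments per user.

    events       : dicts {ts, event, actor, target, ip}, any order
    baseline_ips : user -> set of IPs seen in that user's normal logins (constructed)
    groups       : user -> set of group names
    Returns one alert per suspicious enrolment; severity by IP novelty and privilege.
    """
    resets: dict[str, list[datetime]] = {}
    alerts: list[dict] = []
    for e in sorted(events, key=lambda e: _ts(e["ts"])):
        t = _ts(e["ts"])
        if e["event"] == "helpdesk.password_reset":
            resets.setdefault(e["target"], []).append(t)
            continue
        if e["event"] != "mfa.factor_enrolled":
            continue
        user = e["target"]
        prior = [r for r in resets.get(user, []) if timedelta(0) <= t - r <= WINDOW]
        if not prior:
            continue                 # enrolment with no preceding reset: routine
        new_ip = e["ip"] not in baseline_ips.get(user, set())
        privileged = bool(groups.get(user, set()) & PRIVILEGED_GROUPS)
        severity = "high" if new_ip and privileged else "medium" if new_ip else "low"
        alerts.append({
            "user": user,
            "severity": severity,
            "minutes_after_reset": int((t - max(prior)).total_seconds() // 60),
            "ip": e["ip"],
            "new_ip": new_ip,
            "privileged": privileged,
        })
    return alerts


# Constructed log excerpt: one routine enrolment and one that matches the pattern.
SAMPLE_EVENTS = [
    {"ts": "2025-06-27T14:02:11Z", "event": "helpdesk.password_reset", "actor": "helpdesk.agent12", "target": "j.doe", "ip": "198.51.100.5"},
    {"ts": "2025-06-27T14:09:40Z", "event": "mfa.factor_enrolled", "actor": "j.doe", "target": "j.doe", "ip": "203.0.113.77"},
    {"ts": "2025-06-27T14:12:03Z", "event": "user.login", "actor": "j.doe", "target": "j.doe", "ip": "203.0.113.77"},
    {"ts": "2025-06-27T15:30:00Z", "event": "mfa.factor_enrolled", "actor": "a.lee", "target": "a.lee", "ip": "198.51.100.20"},
]
SAMPLE_BASELINE = {"j.doe": {"198.51.100.20", "198.51.100.21"}, "a.lee": {"198.51.100.20"}}
SAMPLE_GROUPS = {"j.doe": {"it-admins", "staff"}, "a.lee": {"staff"}}

if __name__ == "__main__":
    for alert in detect_reset_then_enroll(SAMPLE_EVENTS, SAMPLE_BASELINE, SAMPLE_GROUPS):
        print(alert)
```

The low-severity branch matters as much as the high one: a reset followed by enrolment from the user’s usual network is what a genuine lost-phone ticket looks like, so the rule stays quiet enough to be kept on.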
The Illusion of Familiarity
What makes these attackers so dangerous is their ability to sound familiar. They don’t just say the right things—they say them the right way. They mirror internal language. They speak with confidence. They understand hierarchy. They’re skilled impersonators, and they prey on a simple reflex: the desire to help.
In the past, we might have trusted our ears. “It sounded like them,” someone might say.
But in the age of AI, “sounding like them” is no longer proof of identity. It’s a liability.
When Cloud Isn’t the Cure
Many organizations have moved to cloud-based environments under the assumption that centralization and managed services will reduce their exposure. In some ways, they’re right: the cloud simplifies infrastructure and offloads security operations. But here’s the truth: you can’t outsource responsibility. The human layer remains—and that’s precisely where Scattered Spider operates.
They don’t need to breach Azure or AWS. They just need to impersonate someone with access to it.
It’s time we stop treating “trust but verify” as a cliché and start treating it as operational policy. Better yet: trust—but always verify. Every request. Every reset. Every exception.
Verification today means more than checking a box. It requires confirmation over a second, independent channel, such as a callback to the number already on file, not the number the caller offers. It means never resetting MFA or passwords based solely on a phone call, no matter how credible the caller seems. It means locking down help desk protocols so impersonation doesn’t slip through the cracks.
Security teams must also monitor legitimate tools—like AnyDesk, TeamViewer, and ScreenConnect—that attackers often use once inside. These aren’t inherently malicious, but in the wrong hands, they’re devastating.
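Monitoring those tools means more than string-matching a process name, since the binary is often renamed or dropped in a user profile. The check below is an added example, not code from the original post or from any RMM vendor; it reads Windows process-creation events in the shape Sysmon event 1 produces (Image, OriginalFileName, Computer, User), and the tool list, the sanctioned-tool policy, host names and sample events are all constructed placeholders to be replaced by your own inventory.

```python
"""Flagging remote-access tooling the organisation did not sanction.

Added example, not code from the original post or any vendor.  Events mimic
Windows process-creation telemetry (Sysmon event 1 style fields).  The RMM
name list and the policy are constructed and must be replaced by your own
inventory (ideally keyed on signer and hash, not just names).  A renamed
binary is still caught because the PE's OriginalFileName survives a rename
while the path does not.
"""
import ntpath
from typing import Optional

# Constructed, illustrative: internal file names of remote-access clients to watch.
RMM_ORIGINAL_NAMES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.windowsclient.exe": "ScreenConnect",
}
# Constructed policy: the one tool the help desk actually uses, and where it may run.
SANCTIONED_TOOL = "ScreenConnect"
APPROVED_HOSTS = {"WS-HELPDESK-01", "WS-HELPDESK-02"}


def inspect_process_event(ev: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None if nothing is wrong."""
    image_name = ntpath.basename(ev.get("Image", "")).lower()
    original = ev.get("OriginalFileName", "").lower()
    tool = RMM_ORIGINAL_NAMES.get(original) or RMM_ORIGINAL_NAMES.get(image_name)
    if not tool:
        return None
    reasons = []
    if original in RMM_ORIGINAL_NAMES and image_name != original:
        reasons.append(f"renamed binary: {image_name} is really {original}")
    if tool != SANCTIONED_TOOL:
        reasons.append(f"{tool} is not the sanctioned RMM")
    elif ev.get("Computer", "").upper() not in APPROVED_HOSTS:
        reasons.append(f"{tool} running on {ev.get('Computer')} outside the approved host set")
    if not reasons:
        return None
    return {"computer": ev.get("Computer"), "user": ev.get("User"), "tool": tool, "reasons": reasons}


def scan(events) -> list:
    """Apply inspect_process_event to a batch of events and keep the findings."""
    return [f for f in (inspect_process_event(e) for e in events) if f]


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # Sanctioned tool on an approved host: silent.
    {"Computer": "WS-HELPDESK-01", "User": "CORP\\hd.agent",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe",
     "OriginalFileName": "ScreenConnect.WindowsClient.exe"},
    # Unsanctioned tool dropped into a user profile: finding.
    {"Computer": "WS-FIN-117", "User": "CORP\\j.doe",
     "Image": r"C:\Users\j.doe\Downloads\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe"},
    # Sanctioned tool on the wrong host: finding.
    {"Computer": "SRV-ERP-02", "User": "CORP\\svc-backup",
     "Image": r"C:\Temp\ScreenConnect.WindowsClient.exe",
     "OriginalFileName": "ScreenConnect.WindowsClient.exe"},
    # Renamed TeamViewer: the path lies, OriginalFileName does not.
    {"Computer": "WS-HR-044", "User": "CORP\\m.ng",
     "Image": r"C:\ProgramData\svchost_update.exe", "OriginalFileName": "TeamViewer.exe"},
    # Ordinary process: silent.
    {"Computer": "WS-HR-044", "User": "CORP\\m.ng",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The policy split is deliberate: a tool the organisation does not use at all is a finding anywhere, while the sanctioned tool is a finding only off its approved hosts, which is exactly the case where an attacker mimics the help desk using the help desk’s own software.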
And above all, organizations must train their frontline personnel—especially support staff—to treat every identity request with healthy skepticism. If your instinct says something feels off, pause and verify through secure channels. Escalate. Slow down. Ask the questions attackers hope you won’t.
Scattered Spider doesn’t hack your servers. They hack your systems of trust. They bypass encryption by impersonating authority. And they exploit the one vulnerability no software can patch: assumption.
As we continue shifting toward remote work, outsourced IT, and cloud-based everything, the real threat isn’t technical—it’s personal. It’s the voice on the line. The urgent request. The person who “sounds right.”
In this world, cybersecurity isn’t just about what you build. It’s about what you believe—and what you’re willing to question.
Therefore, you have to train your teams. Harden your protocols. And remember that in the age of the cloud, the most important firewall is still human.
Trust—but always verify!