This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Mark Stockley
It would have made much more sense for me to give him a lift to a petrol station, filled up a petrol can.
Graham Cluley
Not if he was some killer!
Carole Theriault
You know what? I think it just says you're a good guy. Who cares if he scammed you? You were a good guy.
Mark Stockley
So having convinced myself there's no way I could be a victim of this, what you've done, Carole, very successfully there, is you've said, "No, you have been a victim of this, you moron." No, I've said, "Mark, you're human." Mark's human.
Graham Cluley
Mark's human, everybody.
Carole Theriault
Chicken-loving human.
Mark Stockley
There's your soundbite.
Unknown
Smashing Security, Episode 126: Zombie Chickens and Fast Food Victims. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 126. My name is Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
Hello, Carole!
Carole Theriault
Have we done too many of these things?
Graham Cluley
Well, we are joined by a special guest. He's dialling into the show right now. It's chicken fancier Mark Stockley from Naked Security. Hello, Mark.
Carole Theriault
Hi. Chicken fancier?
Graham Cluley
Yeah, that's—
Mark Stockley
I'm not sure I would describe myself as a chicken fancier.
Graham Cluley
You do run a Twitter account called the Internet of Hens, I believe.
Mark Stockley
I do, yes. Yeah, but it's not what your description might suggest. The content's all safe for work.
Graham Cluley
Yeah, yeah, right.
Carole Theriault
Says Mark Stockley.
Mark Stockley
I assure you, I assure you.
Carole Theriault
Yeah, that's what they said to me when they said go visit Lemon Party.
Mark Stockley
Okay.
Graham Cluley
Now, where are you calling in to us from today?
Mark Stockley
So I am calling in from what's colloquially known as the Glastonbury toilet, which is this microscopic studio at Sophos HQ. And I was given very specific instructions by Paul Ducklin earlier about how to turn on the fan so it doesn't get too hot in here. So obviously I completely ignored him and I can't find the fan, so I'm basically sat in a polystyrene box. So how long does this podcast last?
Carole Theriault
Once again, Duck proves that he's right.
Graham Cluley
As businessmen in the city, you'd pay a good amount of money to be enclosed like that, I imagine.
Carole Theriault
Yeah, just imagine you're in a sauna.
Graham Cluley
Yeah, wrap yourself up in polythene, go for the whole experience. Why not?
Mark Stockley
If you hear a loud thud about three-quarters of the way through the podcast, don't worry about it. That's just my head hitting the desk as I pass out.
Graham Cluley
Carole, what have we got coming up on the show this week?
Carole Theriault
So coming up on this episode of Smashing Security, Graham shines his spotlight on all manner of scams, including romantic ones.
Graham Cluley
Ooh la la.
Carole Theriault
Mark gives us the lowdown on a nasty fight for site ownership of doitforthestate.com. And I'll be yakking about how a promo character from the '70s comes back to seek out Canadian fast food junkies. Buckle up your seatbelts, folks. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, now then, now then, Krull.
Carole Theriault
Krull. Yes, I assume you mean me.
Graham Cluley
Yes. Krull, I don't always say pleasant things about you, but the truth is you're everything a man could ever want, aren't you?
Carole Theriault
Where are you going with this?
Graham Cluley
Deep voice, hairy chest, lots of muscles. Now, the truth is, the truth is, right, there are lots of lonely chaps out there who'd love the thrill of having a frisson with you. They've heard the voice. They've observed the charm.
Carole Theriault
I'm not sure I'm comfortable with this.
Graham Cluley
They're dreaming of what you might be like in the full-bodied flesh.
Carole Theriault
This is revolting.
Graham Cluley
And scammers, they know that you're a hot tamale as well. There's loads of guys out there who'd love to wrap you up in a banana leaf and fill you up with mole negro and chicken. No!
Mark Stockley
Stop!
Graham Cluley
No, don't worry, Carole. Don't worry. It doesn't mean you work for all men. Goodness gracious. No, you certainly don't. Right. Take Mark, for instance, right?
Mark Stockley
Don't drag me into this.
Graham Cluley
He's the web developer type, isn't he? He's got a bit of a neckbeard going on. He's hairy. He's very hairy.
Carole Theriault
He's got a neckbeard.
Graham Cluley
I've seen it. No, but he's got a lot of hair in all kinds of places, hasn't he?
Mark Stockley
He's not wrong.
Graham Cluley
He dreams of a girl who knows her way around a Cascading Style Sheet. That's what he likes. He's hot for HTML5. He's after a woman who clicks yes when offered an Adobe browser plugin, just as long as it's not over in a flash, right? That's what he's like. That's the kind of thing you're into all that, Mark? Yeah, into the webby stuff, right?
Mark Stockley
Just keep going.
Graham Cluley
Am I right?
Carole Theriault
We're just ignoring you.
Mark Stockley
I'm right. All right.
Graham Cluley
Well, my point is this. My in-depth research reveals that scammers are posing on dating sites and social media. And of course they're posing, not in the normal way we pose on social media, but posing as individuals that they are not. And just like an imposter might claim to be a doctor and offer to take a look at your calves, so a romance scammer might try to convince you that they run in similar social circles to you, right? They're gonna change their language. They're gonna speak to you in a fashion which makes you think, oh, they're just like me. So Carole, you're into baking. They might tell you about their buns that they've been working on.
Carole Theriault
I thought you were gonna say I'm into swearing.
Graham Cluley
Yeah, yeah. So the scammer may pretend to have Tourette's, you know, oh yeah, okay, I'm great with you, right? Mark, you've got your chickens, obviously. I'll leave that to your imagination. Any fluffing feathers. So they may convince you that they have compatible values and forge an emotional connection, right? So they say, oh yeah, you know, I've looked at your Facebook likes. I love Titanic as well. I cried when Leonardo DiCaprio let go of the wreckage or Toy Story 3. They're so sad at the end. Or, oh yeah, Smashing Security. It was so much better when Vanja was on the show. It's never been the same since. All those kinds of things, right? People are working out what you like and what you're interested in. They're sort of mirroring you. You know the drill. And once the imposter has formed a connection with an individual, they then claim, I don't know, maybe they need money urgently to cover an emergency, right? The ceiling's fallen down because there's been a flood upstairs, or our chimney is infested with bees. You know, some sort of crisis has occurred. And you think, oh, I must help these people. Or there's a family situation. Great Aunt Agatha has been taken ill with lupus, or Tiny Tim needs new crutches, something like that, right?
Carole Theriault
Call me crazy, but I think you're describing a romance scam here.
Graham Cluley
Yeah, exactly. And this is how they do it, is they claim to be compatible with you by first of all making the connection. Then they come along, you know, with maybe a business opportunity, right? They say, oh yeah, I met this great guy, John McAfee. Told me you should buy some cryptocurrency. He's tweeted about it. Let's go and give me lots of money and I'll do it. Or I'm out on a business trip in Cairo, I've lost my wallet and passport, only you can help me. Or I want to come and visit you, but I'm over here in Basingstoke, send me the money for the airplane ticket and I'll come over and visit you. So these sort of things are happening all the time. So they've made the emotional connection and then they come in for the money, and they're incredibly successful at doing these sort of things. So they forge this strong emotional attachment. And they work because no one— well, almost no one, right, Carole? No one wants to be an arse. Yeah. No one wants to say no. If someone's in a crisis, if someone has got something bad going on, no one would say, no, I'm not going to help you, especially if—
Carole Theriault
Yeah, they don't want to say, I'm sorry, I'm a very busy man and I don't drink coffee, for instance. Right. That would be inappropriate.
Graham Cluley
I can't sort out your bee infestation. You're gonna have to find someone else to do it.
Mark Stockley
I'm beginning to understand why I haven't fallen victim to any of these scams.
Graham Cluley
Oh, your utter lack of empathy. Is that what— Didn't you— I said, web developer.
Carole Theriault
Mark, no, something happened to you on the road, didn't it? With a car. It was a live scam.
Mark Stockley
Oh no, you're right. You're right. It was the weirdest thing. I was driving along and I was flagged down, but literally my car was flagged down and I opened the door and this guy gave me a story and then I handed him some money.
Carole Theriault
Yes.
Graham Cluley
What?
Mark Stockley
And then I drove off. And then after I'd driven off, I then spent the next couple of hours going, I was just flagged down and I just handed someone some money. And it was—
Graham Cluley
Wow.
Mark Stockley
It was entirely incongruous. I assume now it was a scam. I mean, it wasn't a lot of money.
Carole Theriault
Yeah, I think it was for petrol. That's what I remember it being. He had to get somewhere because someone was sick.
Graham Cluley
Yeah, his car had broken down.
Carole Theriault
Petrol and yada yada.
Graham Cluley
I imagine, yeah, even if you didn't know the guy, even if you— I presume you didn't form an emotional attachment with him, a romantic relationship during those 5 minutes. I don't know how—
Carole Theriault
He was batting his eyelashes, Mark.
Mark Stockley
And he wasn't a chicken, so not my type.
Graham Cluley
But I guess it would be quite difficult. So if you're on the— in a lay-by or something, it'd be quite difficult to say, no, I'm not going to give you £10. I'm going to get in my car and drive off.
Mark Stockley
Yeah, saying no involves starting your car door and leaving him in a cloud of dust.
Graham Cluley
Yes.
Carole Theriault
But also waiting to get into the highway again. So you might be sitting there for quite a while.
Mark Stockley
With indicator on.
Carole Theriault
Indicator on.
Mark Stockley
But it was actually, it was in the middle of nowhere.
Graham Cluley
Oh, so even more difficult. So it wasn't that there were other people ready to offer him some cash.
Mark Stockley
No. I mean, it may have been genuine, but it's one of those things where you drive off and you go, okay, well, so now he's got some money. How is he going to go and get the petrol to put in this car? And then you go, it doesn't make any sense. It would have made much more sense for me to give him a lift to a petrol station, filled up a petrol—
Carole Theriault
You know what? I think it just says you're a good guy. Who cares if he scammed you? You're a good guy.
Graham Cluley
No, I'm not nice.
Mark Stockley
So having convinced myself there's no way I could be a victim of this, what you've done, Carole, very successfully there is you've said, no, you have been a victim of this.
Carole Theriault
No, I said, Mark, you're human. Okay, Graham, carry on.
Graham Cluley
The reason why I'm talking about romance scammers and such today is because according to BBC News, there is a woman who hasn't been named because I imagine she might be a little bit embarrassed. Not embarrassed because she joined a Facebook fan page for Jason Statham, the Hollywood Fast and Furious actor, but because she was contacted via Facebook after joining that page by someone who posed as Jason Statham.
Mark Stockley
Is it wrong that I've lost all sympathy for this person already because they joined?
Graham Cluley
Because it's Jason Statham. It's Lock, Stock and Two Smoking Barrels, isn't it? It's all that sort of thing. He's always a hitman, isn't he? I think in his movie— I know that I've actually seen it.
Carole Theriault
I can't even think who it is.
Graham Cluley
He looks a bit like one of the Mitchell brothers from EastEnders, if you've ever seen them. So basically he's got a head like a boiled potato. Great. Now she's into him. Oh yeah, she's seriously into him. I mean, she joined the fan page and then he contacted— and she thought, oh, isn't he nice, he's contacted me. And over time their conversation got more intimate and they switched to WhatsApp, whereupon he started to say, can you send me a selfie? And, you know, I just need a decent smile from someone like you right now.
Carole Theriault
If the equivalent happened to me and Noam Chomsky got in touch, right? Chomsky? Right? I think I would tell people about it because I'd be so excited that that had happened.
Mark Stockley
If Noam Chomsky got in touch with you, you'd still be reading the first email that he sent you.
Graham Cluley
I know.
Mark Stockley
You didn't have time to tell anyone else.
Graham Cluley
But maybe she did. I mean, some sort of Hollywood stars are quite well known for engaging with their fans a lot. I think, isn't it Vin Diesel, who's quite a bit like Jason Statham in a way, another sort of hitman, hard man kind of guy, and although not quite as cockney.
Carole Theriault
Man of the people.
Graham Cluley
And I think he's well known for chatting with his fans and things. I don't know what he gets out of it. Let's stop there. But anyway, she was feeling rather vulnerable because poor thing, her mum and her fiancé had passed away recently. And when her purse was ripe for the plucking and she was conned into giving away hundreds of thousands of pounds, the fake Jason claimed that some sort of movie deal had fallen through or something, and you know, there was a bit of a money shortage. And he said, do you mind going down Western Union and you can send me the cash. And she did. In total, hundreds of thousands got sent. And it's not just horny diehard fans of Hollywood hunks who need to watch out for these things.
Carole Theriault
I don't understand how you'd get rid of that much money unless you were being blackmailed. Yeah, no, no, if you're being blackmailed, say he had pictures of her and threatened to do something or something like that, I can see why some people might think, okay, pay them off.
Graham Cluley
She thinks Jason Statham is going to be her boyfriend. She maybe thinks she's already—
Carole Theriault
In her head, she goes like, she doesn't think, oh, he might have richer friends than me.
Mark Stockley
I think the thing is, I guess this stuff works because for the victim, this is a one-to-one communication.
Carole Theriault
Yeah.
Mark Stockley
But actually for the attacker, he might be doing this with hundreds of people. And it may be that all of them have exactly that same thought. All, you know, 99 out of 100 of them say, of course he's got richer friends. This is obviously a scam. You only need one of them to turn around and say, yeah, I'll send you a few hundred thousand dollars. And then it's absolutely worth your while.
Carole Theriault
Yeah.
Graham Cluley
And she was vulnerable, right? That's the thing to remember.
Carole Theriault
And she might be thinking, what do I care about money? The people I love are dead. I don't care. A bit depressed.
Graham Cluley
She was in a low point in her life. You know, I think rubbish was going on in her life. And, you know, maybe I'll shack up with Statham.
Carole Theriault
Yeah, I'll just shack up with this.
Graham Cluley
Why not, right? And maybe this was the one thing that she was clinging on to.
Mark Stockley
The thing is, if you don't send the money, that's the point where you're driving away and leaving them in a cloud of dust. Your basic—
Graham Cluley
Right, exactly. We need to go back to Mark. Mark is the one who's actually been there in a relationship with someone. It'd been brief. It hadn't been online. It'd been face to face. It was with a member of the same sex, at least same species, at least, which is an improvement for you, Mark. So that was, that was a good thing. But you know, it happens, right? People get duped.
Carole Theriault
People get duped.
Graham Cluley
We've just seen in America, 9 men arrested in 3 different states in connection to a series of email scams, some of them business email compromise, some of them romance scams. That earned them over $3.5 million doing this kind of thing. They also pretend to be Russian oil oligarchs. It's easy to say that people are dumb or stupid or deserved it.
Carole Theriault
No, no one said that. You did.
Graham Cluley
No, you actually— you did. You were saying that earlier on.
Mark Stockley
Yeah, I might have as well.
Graham Cluley
Oh, well, there you go. So it's easy to say that, folks, because you just did. But when— I feel gaslit.
Mark Stockley
You're being scammed, Carole.
Graham Cluley
When I wrote about this earlier this week, about this poor woman, I got that reaction. Lots of people saying, oh, you know, they're blaming the victim and saying, you know, you deserve to lose all that money and all that, you're so dumb. But I think people who go around blaming them are actually part of the problem. Only about 5% of victims are estimated to come forward from these romance scams. So it's the tip of an iceberg. If you're telling people they're dunces, you're not actually helping because no one thinks they're a dunce. Everyone thinks they're being logical. Everyone thinks in the moment that they're being entirely reasonable. Right, with the information which they have. So I think we need to stop calling people "der brains" and actually just warn them of the threats rather than say, "You're a bloody idiot," because no one will identify at that point. They think, "Well, I'm not being an idiot because Jason really likes me and he's a really nice guy." Has this happened to you, Graham?
Carole Theriault
Is that why you're being so defensive?
Graham Cluley
Well, I joined, of course, the Diana Rigg Appreciation Society some years ago.
Mark Stockley
How many other members were there when you joined? Enough said.
Carole Theriault
'Nuff said.
Graham Cluley
Mark, what's your story for us this week?
Mark Stockley
So my story is for anyone who's ever endured the pain of doing a domain transfer.
Carole Theriault
Oh.
Mark Stockley
So if you own a website domain, let's say nakedsecurity.sophos.com.
Graham Cluley
Plug.
Mark Stockley
Then you might have an idea about what a pain in the ass transferring domains can be. Basically, if you want to give ownership of your domain to someone else, you have to do a domain transfer. And all you're doing is you're moving a record from one computer to another. So it should be the simplest thing in the world. But normally it involves dealing with some massive hosting company's automated processes or worse, their first line support people.
Graham Cluley
Yep.
Mark Stockley
So it creates complications and it wastes time far out of proportion to what's actually involved. And I've wasted more time on domain transfers than I can tell you. And one of the reasons it's hard is because if you control the domain, you can control the site. So taking control of a site's name is often easier than hijacking the site proper. And hijacking normally means some kind of phishing or hacking. There was a spate of domain hijacks a few years ago. As websites became harder to break into, people started phishing the owners to get the domains instead.
Graham Cluley
Anyway, I remember, for instance, Twitter, their domain details got hijacked by one of the hacking groups. So anyone who went to Twitter instead got a page about— I can't remember who the hacking group were now, but it looked like the Twitter website had been defaced. But in fact, what happened was everyone was being pointed towards a different site. Yeah.
Mark Stockley
And it's happened to Google as well. I mean, Google have amazing security, but I think it was Google Palestine. They had a domain hijack and exactly the same thing happened. Visitors were sent to a different site. And it's happened to lots of sites and Google's a good example because they have such good security. It sort of shows how domain hijack can be a bit of an end run around security sometimes. Anyway, that isn't what happened in this case. This is about a man called Rossi Lothario Adams II from Cedar Rapids, United States.
Graham Cluley
What?
Carole Theriault
What? No, say that real.
Graham Cluley
Rossi Lothario Adams II, did you say?
Mark Stockley
Yeah.
Carole Theriault
Wow.
Mark Stockley
Breathe, breathe, Graham.
Carole Theriault
Self-appointed name or, you know?
Graham Cluley
Well, no, appointed by his dad, I imagine. It says II. There was an original Rossi Lothario Adams.
Mark Stockley
Somebody who was so impressed with his own name that he— I've come up with a brilliant name for our son. Where was I? This man, Rossi Lothario Adams II from Cedar Rapids, really, really wanted to own a domain name called doitforstate.com. That's "do it for state", with "for" spelt F-O-R.
Graham Cluley
Okay.
Mark Stockley
Adams started a social media company in 2015 called State Snaps. And its domain name was doitforstate.com as well. But the 4 was spelt using the numerical character 4.
Graham Cluley
Oh, I see. How frustrating that must be.
Mark Stockley
So it's the website and social media for State Snaps. It's dedicated to sort of US college debauchery. So it's drinking games, toga parties, drugs, and anything related to beer, boobs, butts, combinations of those things.
Carole Theriault
Ah, university.
Graham Cluley
Butts and beer. What a great combination. Yeah. Okay, good.
Mark Stockley
Are you with me so far?
Carole Theriault
Yep.
Mark Stockley
Okay.
Graham Cluley
Yes, but I'm not on the site.
Mark Stockley
That's all right. Tap, tap, tap, tap.
Carole Theriault
You're not looking at beer and butts.
Mark Stockley
So doitforstate.com, spelt with an F-O-R, was owned by a man called Ethan Deyo, a self-styled entrepreneur and personal branding expert.
Graham Cluley
Right.
Mark Stockley
And Adams tried to purchase doitforstate.com with an F-O-R from Deyo for about two years without success.
Graham Cluley
And what was this other guy doing with his, with the version with the proper spelling? What was he doing with his site?
Mark Stockley
I think it was unused. As far as I know, there hasn't been anything on doitforstate.com with an FOR since 2015.
Graham Cluley
Right. Okay.
Mark Stockley
But Adams was unsuccessful in his attempts to purchase from Deyo. Obviously didn't want to sell.
Graham Cluley
Well, I wonder who else he was thinking would want it. If not the people, anyway. Okay. So the price couldn't be agreed. All right.
Mark Stockley
Yeah. So then Adams changed his tactics. And Deyo became aware of Adams' new approach when he heard somebody breaking into his home in Cedar Rapids on the 21st of June, 2017. Holy moly. The burglar breaking into his home was a man called Sherman Hopkins, who was a cousin of Mr. Adams.
Carole Theriault
Keep it in the family.
Mark Stockley
He broke in with a gun.
Carole Theriault
Oh my God.
Mark Stockley
And he forced Deyo at gunpoint to turn on his computer and to connect to the internet. Now, I'm guessing that Hopkins has endured the pain of doing a domain transfer before. Because he had thoughtfully written out the instructions on how to do a transfer to go from one GoDaddy account to another.
Graham Cluley
So hang on, hang on, hang on. So the guy's come in holding this other guy to gunpoint and says, turn on your computer and move the domain, follow these instructions to move the domain on GoDaddy to this new owner. Doesn't that rather give you a clue as to who might have hired the gunman at that point? Isn't there a rather bit of a flaw in this crime? Well, could he have not broken into the computer?
Carole Theriault
Yeah. His email address is—
Graham Cluley
Adams the Third or whatever it is. Could he not have just— could the burglar not have done it himself? You know, rather than— it's a bit obvious.
Mark Stockley
The thing is, it didn't get that far.
Graham Cluley
Oh, okay.
Mark Stockley
Okay, so the scene is exactly as you spelled out. So Hopkins is holding a gun to Deyo's head and he's given him these instructions.
Graham Cluley
Oh my goodness.
Mark Stockley
But as is normal during a domain transfer, it didn't go smoothly and they ran into problems.
Graham Cluley
Did they have to call up tech support?
Mark Stockley
Instead of calling support, there was a struggle. Hopkins pistol-whipped and tased Deyo before shooting him in the leg.
Carole Theriault
Tased? He came fully armed?
Mark Stockley
Remarkably, Deyo himself then managed to get the gun and shot Hopkins in the chest.
Graham Cluley
Oh my goodness.
Carole Theriault
You're making this up.
Mark Stockley
Hopkins, all told, has slightly less experience than calling support. And we know about this because the cops got involved and Hopkins and Deyo have now both had their day in court.
Graham Cluley
Oh, the police got involved in this, did they?
Carole Theriault
Yeah.
Graham Cluley
Oh, I see. It was a matter for the authorities. You surprise me.
Mark Stockley
Hopkins has been sentenced to 20 years, and Adams was convicted last week, and he's also facing a maximum of 20 years in jail. So again, in the end, not a million miles away from how it feels to do a normal domain transfer.
Carole Theriault
What? One comes in with a gun and forces the other to swap over the domain, and why are they both facing 20 years of jail time? I can understand why the shoot, you know, the—
Mark Stockley
Hopkins is the guy that broke in with the gun?
Graham Cluley
Yes.
Mark Stockley
He got 20 years. And in the process of convicting him, I guess the police found out that he was working on behalf of Adams. So Adams has now had his day in court. So Hopkins was convicted and charged last year, and Adams was convicted last week and is now awaiting sentencing.
Graham Cluley
Oh, okay. So we still don't know the sentence of Jezebel Adams IV.
Mark Stockley
No.
Graham Cluley
That's going to come at some later point.
Carole Theriault
And our poor victim still has his hands on the domain.
Mark Stockley
As far as I know, yeah.
Graham Cluley
He's got no one to sell it to.
Mark Stockley
Price has gone up.
Carole Theriault
So happy days, happy days.
Mark Stockley
If you want that domain, you now know how hard you have to work to get it, okay?
Graham Cluley
Carole, what's your story for us this week?
Carole Theriault
Okay, can you guys tell me what popular '80s food chain character used to use the catchphrase, "Rabble, rabble"?
Graham Cluley
Rabble, rabble. It's not gobble gobble, is it? Because that was Colonel Sanders.
Carole Theriault
I think you've got chickens on the brain. I think we know who's obsessed with chickens here. Actually, it's not Mark.
Graham Cluley
Yeah.
Mark Stockley
I want to know what you've been doing with Colonel Sanders.
Graham Cluley
You don't.
Carole Theriault
I know there's some listeners out there screaming the answer at you two. So those are the raspy tones of the Hamburglar. Do you remember that? It was a pint-sized thief with an insatiable hunger for Mickey D burgers. He started out in the '70s as one of the first McDonald's villains in ad spots, right, to help build decades of narrative tension between Ronald's crew and the baddies crew, which had— I know it had Hamburglar, and I think there was that big purple blob thing, Grimace. Grimace was the other one.
Graham Cluley
I think Mr. Blobby.
Carole Theriault
Now, in North America, at least, the Hamburglar was this red-headed pudgy kid. And he had a black and white striped shirt, a cape, wide-brimmed hat, red gloves. It looked kind of Puss in Boots style. And the only thing he said was either unintelligible or rabble rabble. Now, I find the Hamburglar quite creepy, but that might be because I find it looks remarkably similar to Chucky the killer doll.
Graham Cluley
Oh, yes.
Carole Theriault
From the '88 horror movie of the same name. It was called Chucky, wasn't it?
Graham Cluley
Yeah, yeah, yeah. To be honest, there's a lot of McDonald's stuff which is quite spooky. I mean, Ronald McDonald himself is a terrifying character, isn't he?
Mark Stockley
Yes. I was just thinking, if you line up the McDonald's characters from most disturbing to least disturbing, least disturbing is the weird purple blob thing. Then it's Hamburglar, and then it's Ronald.
Graham Cluley
I mean, what were their marketing— I mean, now they have Justin Timberlake, which I suppose is a bit better, but they've chosen some really odd things, haven't they?
Carole Theriault
Funnily enough, though, during my research, it brought up the UK version of Sir Hamburglar a lot, or Your Hamburglar. And what the fuck, guys? WTF?
Graham Cluley
What the French fries?
Carole Theriault
This Hamburglar has the super long witchy nose. His teeth look like they've been thrown into his face from a good distance. I mean, you tell me. Look, you've got the link there. Okay. I want to understand. You both were born here. I want to know why marketing experts in the UK thought this would appeal to the 10-year-old you guys.
Graham Cluley
I'm checking it out. Oh my goodness. There's that clown. Here he comes around the corner.
Carole Theriault
Oh, whoa, whoa. Right.
Graham Cluley
Yeah, he's terrifying.
Carole Theriault
He's terrifying. Absolutely terrifying.
Graham Cluley
So I don't understand.
Carole Theriault
That says a lot about everything. Of course, you're wondering, why am I talking about the Hamburglar?
Graham Cluley
Yeah.
Carole Theriault
Well, there's a reason. This promo character has become a reality, and he is hunting down burgers in my homeland of Canada. So Canuck burger fiends are under attack from a real-life Hamburglar who is making use of their My Mickey D apps to steal a heck of a lot of burgers. So in February, Lauren Taylor from Halifax told the CBC she had no idea how, get this, $483 and change was spent on her McDonald's app.
Graham Cluley
Oh, sure she hasn't. No idea at all.
Mark Stockley
Have we got a picture of her? We're looking for someone who's about 30 stone.
Carole Theriault
She's actually not.
Mark Stockley
Dressed as a Hamburglar.
Carole Theriault
No, I watched a video with her. So she first noticed the order confirmations, dozens of them, right? And they're all sporting the last 4 digits of her actual debit card. And by the time she checked in with the bank, she only had $199 left in her bank account.
Mark Stockley
And all this money was spent on produce from McDonald's?
Carole Theriault
All this was spent through the app for McDonald's produce, but they were made in another Canadian province about a 10-hour drive away in Quebec. And Lauren still told the CBC, this is an app that's supposed to be secure, so why do I live in Nova Scotia and why is my card being used in Quebec? It's crazy. McDonald's, of course, retorted, saying that there was no security breach on the Mickey D app and reminded users to use the app vigilantly and not share passwords with others, create unique passwords. Lauren told the CBC that she does use different passwords for all online accounts, she changes them frequently, never shares her passwords, passwords are strong. So what's going on, right? And the Mickey D app requires 8 to 12 characters, upper, lowercase, one number in it. So all this sounds a bit suspicious, or it might sound like it was just her spending $500 on a big crazy meal. I've seen the menu, how you could spend $500 at McDonald's, and it's quite difficult.
Carole Theriault
It's impossible. It's impossible.
Graham Cluley
Are you saying that the McDonald's store where this was happening was in another state or something? So some distance away from her.
Carole Theriault
Yeah. Yeah.
Graham Cluley
Is it possible she was cycling back and forth from there, which would mean that she could consume it and then maybe the amount of calories she would use riding back?
Mark Stockley
I imagine she'd get a fairly fierce—
Carole Theriault
It's about, I don't know, 1,000 miles. So yeah.
Graham Cluley
Oh, quite a lot.
Carole Theriault
Yeah.
Graham Cluley
She'd have big calves, wouldn't she?
Carole Theriault
Yeah. The problem is, Lauren's not the only person to have noticed that her Mickey D app seems compromised. One guy, Brett, noticed that within half an hour his account had been used by an imposter and spent $50 worth of food at McDonald's in Mirabel, Quebec. So he was in Halifax. Again, the attack happened in Quebec, and there were two orders: one for 30 Chicken McNuggets and another for a double Big Mac meal. This is where he gets the name the Hamburglar. And fast forward to this week, the latest victim is Patrick O'Rourke, who was getting email notifications but hadn't actually been managing his email account very well, and someone purchased— get this— 100 meals in a single week, racking up a $2,000 bill. This included loads of Big Macs and McFlurries. And O'Rourke, obviously not a dumbass, doesn't think one person could have possibly eaten all this food.
Mark Stockley
No, they'd be dead.
Carole Theriault
Yeah, so what's going on here, right? This Hamburglar has already nabbed food worth thousands from a handful of victims across Canada. And what do you think the likely scenarios are? What's the modus operandi?
Graham Cluley
So one idea I had is a place like McDonald's have free Wi-Fi, right? And I was wondering whether maybe their Wi-Fi at some branches wasn't set up properly and maybe the app isn't communicating securely and maybe people are stealing tokens or passwords or something from the app. Could it be something like that?
Carole Theriault
I wonder if people actually use the app when you're in store. Do people do that?
Graham Cluley
Oh, yeah. Well, if you're really lazy, could you? I don't know.
Mark Stockley
It's not beyond the realms of possibility that people will be sat in a McDonald's on their phone ordering food.
Carole Theriault
I mean, letting their kid do it or something.
Mark Stockley
Yeah. It's a long way to the counter.
Carole Theriault
I mean, could it be a disgruntled employee or ex-employee? Could that be something? Because would they have access even to the passcodes at some point and be able to use them?
Graham Cluley
But they're saying that there isn't a vulnerability in the app, are they? And that's correct, is it?
Carole Theriault
Well, that's certainly what McDonald's are standing by at the moment.
Mark Stockley
It's not impossible to imagine a scenario where a company says that there is no vulnerability in their app and later turns out—
Carole Theriault
What are you talking about, Mark? I've never heard such a thing.
Mark Stockley
I'm just saying it's not an impossible scenario.
Graham Cluley
Highly unlikely though, highly unlikely.
Carole Theriault
I mean, someone's definitely seeming to attack Canadians that don't seem to have a lot to do with each other. So it seems to be happening around different provinces, but they're all taking place in Quebec. So Quebec police are now apparently looking for the Hamburglar.
Mark Stockley
Do we know how many of these things have taken place? So you've spoken about 3 of them, but is this—
Carole Theriault
When they put it up on Twitter, lots of people were saying, hey, this happened to me too, this happened to me too. So there seems to be a lot of unconfirmed reports online. Yeah, but there seems to be about 4 or 5 in the I wonder if it's an accident. Well, maybe.
Graham Cluley
Could it be like butt-dialling? People are ordering these things without realising they're ordering them.
Carole Theriault
Yes, but they're not ordering at the McDonald's where they live, right?
Graham Cluley
Yeah, okay, okay. I'm sorry, I haven't got the answer.
Mark Stockley
Is it actually the case that there's a McDonald's in Quebec that's had to hand over 100 hamburgers in one order? Or is it just kind of ghosts in the machine?
Carole Theriault
So this guy O'Rourke, who had 100 meals bought on his Mickey D app, that happened over a space of a week. So it happened at different locations, different McDonald's around in the vicinity. So they're obviously trying to go in and buy something that's maybe probably $50, not raising too many eyebrows and doing it right. And maybe there's probably more than one doing it at the same time.
Graham Cluley
Have you got an actual answer for us, Carole?
Carole Theriault
No.
Graham Cluley
Oh, for goodness sake.
Carole Theriault
But I have advice.
Graham Cluley
Okay. Okay. It better be good.
Carole Theriault
So one, I think McDonald's can't sit there and say nothing to do with us, guv. I think that's just uncool because they're obviously not enforcing two-factor authentication on the app. They're not doing anything to validate that the device belongs to the account user before a payment is made. I mean, they could ask for, you know, a code number, you know, upon receiving it or something. So they could bake in more security, I think, in the app. And users, don't use a debit card for your online purchase accounts. Consider using a credit card, right? So a credit card is where the credit card company makes the purchase and then you pay for that purchase upon receiving it. And if it's not what you want, you can say, hey, I'm not paying for this. But if it's coming out of your own money and it's debiting your account, you're the one who is losing out there. Now, in this case, both banks have paid two of the users back the money that they lost. But I don't hear McDonald's paying back the money. So that's— I don't know what's going to happen there. And I mean, really, do you really need a frickin' junk food app on your phone?
Mark Stockley
So that's, that's where I was going to go. I think all of your advice is great. And yeah, I think the point that you made earlier about, or the point that Graham made about blaming the victims earlier is well made as well. And I don't think it's anybody's fault that they use a McDonald's app, but we do live in a world where there's an app for everything. And I thought the whole point of McDonald's and fast food was that it was fast. They've optimized the delivery of food over the taste, the quality, literally everything has been sacrificed to get you that burger in double quick time. So trying to shave a few seconds off that by using an app is a great way of increasing your attack surface. So I think just, you know, do you really need an app for all the things that you do is a great question because you have to go there to pick it up anyway, unless it's, I don't know, are they delivering by drone now?
Graham Cluley
The last thing you want, other than of course an actual McDonald's burger, is a McDonald's burger that's been waiting for you for 10 minutes, isn't it?
Mark Stockley
I have some— I have them all waiting for you, Graham. They've all been waiting for you for 10 minutes. There's a queue of them, literally. You can see it if you look over the shoulder of the person who's serving you.
Graham Cluley
I'm thinking you would only actually use this when you're at the store.
Mark Stockley
Have you ever used the touchscreens they have inside McDonald's these days? I wonder if it's anything like this. Giant touchscreens. And the idea is that you walk in and instead of standing in a queue, you walk up to this touchscreen and then you spend, I don't know, 3 or 4 hours making your order as you figure out this sort of giant, you have to slap it and scrolling and these submenus that, and oh, if the app is anything like that, then it'll add hours to your day.
Graham Cluley
And that touchscreen will have been touched by loads of vulnerable kids who've been to the loo and not washed their hands. That's disgusting.
Carole Theriault
Yeah. And so, yeah, I think the takeaway here is maybe take a look at the apps on your phone, particularly those tied with debit or credit cards, and ask yourself if you really need those apps, if they're providing really the value you think they are, because they're just vulnerabilities waiting to happen. Actually, do you want to hear one last fun fact about the Hamburglar guy? So they killed them off, right? They killed them off in the early noughties.
Graham Cluley
Did they video that? Did they put out an advert of his death?
Mark Stockley
Facebook Live.
Carole Theriault
Yeah.
Graham Cluley
Was it like Chucky being killed?
Carole Theriault
But they brought him back to life in 2015.
Graham Cluley
Oh, nice.
Carole Theriault
McDonald's were introducing this sirloin burger, you know, full flavor thing, and they needed a character and a promo. So our little nasty little Hamburglar was reintroduced all grown up and, well, kind of sexy. And there were even news spots going, is this guy hot or not? One newscaster saying he's either creepy or Fifty Shades of Hamburglar.
Graham Cluley
Rabble, rabble. That doesn't work at all.
Carole Theriault
I know. Fifty Shades of Hamburglar. Hang on, I've got one. Or Fish?
Graham Cluley
Filet, gray filet. Oh, come on, that's—
Carole Theriault
He likes burgers.
Mark Stockley
They could have,
Graham Cluley
They could have.
Carole Theriault
I think hers is better. Hey, Graham, didn't you recently download the Threat Intelligence Handbook from Recorded Future?
Mark Stockley
Graham.
Graham Cluley
I did, yes. I went and grabbed myself a copy.
Mark Stockley
Whoa.
Graham Cluley
Yeah, it's not some cheapo flimsy little pamphlet.
Mark Stockley
I don't know why they would.
Graham Cluley
No, the Threat Intelligence Handbook, it really gives you the skinny on threat intelligence and how you can apply it in your workplace to really get some practical benefits.
Carole Theriault
The best of all, it's completely free. Listeners, visit smashingsecurity.com/intelligence to get your free copy. We are also sponsored this week by our friends at LastPass. Now, Graham, isn't it something like 90% of security breaches involve a stolen password or a poor password?
Graham Cluley
Yeah, stolen passwords, poorly chosen passwords, reused passwords. Passwords are really sort of the hinge pin of so many security attacks which happen, which means that you probably want an enterprise password manager like the one offered by LastPass.
Carole Theriault
Listeners can learn all about LastPass Enterprise at lastpass.com/smashing.
Graham Cluley
You don't have to say forward slash, by the way. You can just say slash, just so you know.
Carole Theriault
And last but not least, we are supported this week by Gartner. Gartner is the world's leading research and advisory company, and they are having a big event.
Graham Cluley
It's massivo, I'll tell you. All the big security vendors are going to be there. They're going to be talking about cyberattacks, artificial intelligence, blockchain, machine learning, and much more. It's all taking place between June 17th and 19th at the Gaylord National Convention Center in National Harbor, Maryland.
Carole Theriault
And if you are a CISO, IT security and risk professional, you probably want to go to the Gartner Security and Risk Management Summit. And listen up, listeners, you can receive $350 off the registration fee by using the code SMASHING with a G. To learn more, visit smashingsecurity.com/gartner.
Graham Cluley
Once again, you don't have to say forward slash, just say slash.
Carole Theriault
Is there an echo?
Graham Cluley
And welcome back. You join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week.
Mark Stockley
Pick of the Week.
Carole Theriault
It doesn't work.
Graham Cluley
How is the polystyrene chamber pot or whatever it is that you're sitting in?
Mark Stockley
I've lost about 10 pounds in sweat since the beginning of the podcast. I'm not going to lie.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like. Doesn't have to be security-related necessarily.
Carole Theriault
It shouldn't be.
Graham Cluley
It doesn't have to be. Now, my pick of the week this week— no, definitely doesn't have to be. My pick of the week this week is a movie which I saw yesterday, and it was rather wonderful. I don't know if you guys have seen it or not. It is called Spider-Man: Into the Spider-Verse.
Carole Theriault
Strangely, it's not been on my list.
Graham Cluley
Has it not? Well, you know, the name itself would normally put me off because I am not interested in superhero movies. I tend to fall asleep during any sort of CGI fighting or anything like this. This is an animated film.
Mark Stockley
Oh, dying. I'm dying to see this.
Graham Cluley
Oh, well, Mark, actually, because you are quite an artist yourself, as indeed are you, Carole. I believe you're appearing in Oxford Art Weeks. Let's not forget that. Let's plug that again. Yes. But it is incredible. I saw the trailer a few months ago. I wanted to see it at the cinema. I missed it. And I've just grabbed it on one of the streaming services and paid a little bit of cash. And it is fantastic. It is spectacular.
Carole Theriault
I'm looking at the promo right now and it does look fantastic, Graham.
Graham Cluley
It is incredible. It is the closest I've ever seen a movie to a comic strip. And there's a whole variety of animated styles and the thought and the attention that's gone into it, plus a fantastic funny script. It's not your typical animated movie. It's not like one of these DreamWorks sort of things, you know, where they have funny characters, you know, singing chunks or something like that. It's none of that going on. Well, it's a little bit of that going on because there's a character called Peter Porker who appears. The basic premise is that we are dealing with a multiverse, people. There are parallel universes. There's a bad guy who has a reason for trying to get through to another parallel universe, and different Spider-Men from different parallel universes are coming through with different characteristics. It is funny, but more than anything else, it is a spectacle and it is phenomenal. Phenomenal to watch. Brilliant.
Carole Theriault
It looks very beautifully drawn.
Mark Stockley
Yeah.
Graham Cluley
I've put in a couple of links in the show notes to some documentaries about the animation, which I'd really recommend you check out. And if that doesn't whet your appetite to go and see the movie proper, I don't know what will, but I'd really recommend it. Spider-Man: Into the Spider-Verse.
Carole Theriault
And when Graham says show notes, just someone asked this, that means on the website. So just go to smashingsecurity.com and you'll find it all there.
Graham Cluley
Yeah. And some of the podcast apps as well will include it. Sometimes they don't put them in as clickable links, but smashingsecurity.com, you'll find them on there too. Yeah. Mark, what's your pick of the week?
Mark Stockley
Well, before I tell you my pick of the week, very quickly, I want to know, do you two have a plan for the zombie apocalypse? When the zombie apocalypse happens, what are you going to do?
Graham Cluley
I think I'm going to go and hide under a chicken coop because chickens actually are very friendly. I used to keep chickens, but I think that in a zombie situation, they would probably peck out the eyes of the zombies and protect me. So that is, I think, one of the safer places to go.
Mark Stockley
How much time did you spend with your chickens, Graham?
Graham Cluley
They were lovely.
Carole Theriault
I think I'd offer myself up to the zombies because don't you get stronger the longer you are a zombie? So if you're one of the first, it probably wouldn't help your complexion, Carole. That's true.
Mark Stockley
So your plan for surviving the zombie apocalypse is just to immediately become a zombie?
Carole Theriault
Immediately become a zombie. And yeah.
Graham Cluley
If only we'd had people like you during World War II, Carole. Oh, here come the Lemons. Yes, let's just give it.
Mark Stockley
So all I can say is I'm very glad that you weren't responsible for the Netflix series Black Summer because it would have been a very short TV program. Mercifully, it was created by someone else.
Graham Cluley
Carole, what's your pick of the week?
Mark Stockley
I don't know who. And they have made a wonderful zombie apocalypse short TV series which we've just finished watching, and it's fantastic. I don't know if you're into zombies, but if you like zombies, it's a bit like somebody took the first series of Fear the Walking Dead.
Carole Theriault
Yeah, I've watched that actually.
Mark Stockley
But the first series of Fear the Walking Dead, it's all about people struggling with the initial outbreak, and they've crossed that with 28 Days Later, which is a terrifying Danny Boyle zombie film where the zombies run. And so when you get bitten by a zombie, you become a zombie almost instantly. You don't have to wait a day. So they just pop back up to life and then they run after you.
Carole Theriault
See, that sounds like much more fun than being chased.
Mark Stockley
It is, but it's very claustrophobic. There's lots of close camera work. It's all about the people and the fear. And it's very good if you like zombies.
Carole Theriault
Are you sure you're not just talking about your little box that you're in right now? Being claustrophobic was the first word that came to mind.
Mark Stockley
Yeah, and it's really warm.
Carole Theriault
Ah, I have a doozy this week, and I was waiting to hear yours to see if I would beat you, and I think I have.
Graham Cluley
It's not a competition.
Carole Theriault
If any listener's in front of a computer right now, I suggest you follow my instructions.
Mark Stockley
Hang on, hang on.
Carole Theriault
It's worth it. It's really good. Please head to coolmathgames.com.
Graham Cluley
Math with a TH.
Mark Stockley
Are you sure?
Carole Theriault
No. Yeah, TH, no S. Normal.
Graham Cluley
CoolMathGames.com. Yeah. Do I want to accept cookies?
Carole Theriault
No, don't eat them.
Mark Stockley
Reject all cookies.
Graham Cluley
Well, it's a cute looking site.
Mark Stockley
It's a website from 1999.
Carole Theriault
CoolMathGames. It's been around since 1997. This is a brain training site. A site where logic and thinking meet fun and games. There's no violence. There's no empty action. Just loads of challenges.
Graham Cluley
I'm playing chess right now.
Carole Theriault
To give you a little mental workout.
Mark Stockley
Can you recommend one of the games?
Carole Theriault
Yes. See, Graham, we've lost Graham already. There you are. No, I started doing some— I tried to do some chess, but I'll do IQ Ball instead. Okay. I'm quite a fan of this little cute— Yeah, and it just goes. And you can play. There's no having to log in. You could just go and waste 10 minutes, which I did happily this morning before we decided to record. It's cute. See, look at you guys sitting there.
Mark Stockley
Wow.
Carole Theriault
Yeah. Now this is amazing, right? So already you're thinking, wow, this is pretty cool. Guess what gets better? Gets better. You ready? You can go Cool Math for Kids and Cool Math Games and coolmath.com, which was the first one for math for ages 13 to 100.
Graham Cluley
Don't accept all the cookies.
Carole Theriault
No, never.
Mark Stockley
Hurry up, Graham, I'm starting to feel a bit faint here.
Graham Cluley
Okay, which one do I need to play? Anything.
Carole Theriault
I don't— no, no, I'm just saying all these three, right? You have something for your kids there, something for you. There's math, there's games, there's logic. Have fun, you're welcome, world. And thank you to the creators of Cool Math Games.
Graham Cluley
Wow. Well, Carole, that's a great pick of the week. Although, so I've tried that. I think you need to go and try out Black Summer and Spider-Man: Into the Spider-Verse, and only then will we know which was the best pick of the week.
Carole Theriault
Okay, whatever. Not worried.
Graham Cluley
Well, that just about wraps it up for this week. Mark, I'm sure lots of our listeners would love to follow you online or even flag you down on a motorway.
Mark Stockley
Well, you can hear me every week on the Naked Security podcast, and you can follow my chickens on Twitter @InternetOfHens.
Graham Cluley
Cool. And you can follow us on Twitter @SmashinSecurity, no G, Twitter doesn't allow us to have a G. And if you're on Reddit, why not continue the discussion with us up there as well? Just search for Smashing Security on Reddit and you'll find our subreddit.
Carole Theriault
And big shout out to this week's Smashing Security sponsors. Their support helps us give you this show for free, so be sure to check out their offers. And of course, big thanks to you all. Thank you for listening, supporting us, and helping us spread the word.
Graham Cluley
And until next week, cheerio, bye-bye, later.
Carole Theriault
Mark, I've passed out.
Mark Stockley
Yep, but you revived me, so thank you.
Graham Cluley
Are you gonna say toodle-oo or anything?
Mark Stockley
Oh, sorry, goodbye. Yeah, bye.
Graham Cluley
Good, excellent. Well, that went very smoothly, I think.
Mark Stockley
Whoop whoop.
EPISODE DESCRIPTION:
What's the worst that can happen if you join a Hollywood hard man's Facebook page? What drove a man to hijack a website's name at gunpoint? And can you solve the mystery of the Canadian Hamburglar?
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Naked Security's Mark Stockley.