We take a trip to Staten Island, New York, to hear how a case of cyberstalking resulted in the arrest of 20 alleged mobsters, learn about the nude photo-loving insider threat at Yahoo, and discover how fraudsters might be boosting Match.com's profits.
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Ran Levi of the "Malicious Life" podcast.
Visit https://www.smashingsecurity.com/149 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Ran Levi.
Sponsored By:
- Code42: Code42 provides data loss protection for when employees quit. 60% of employees who quit their jobs admit to taking data. Your organization's data is more portable than ever and you have employees leaving every day. Most organizations rely on prevention but there are simply too many ways for data to leave.
- To learn more about how to protect your company’s data from insider threats visit http://www.code42.com/smashing
- Immersive Labs: Immersive Labs provides the world's first fully interactive, on-demand, and gamified cyber skills platform.
- Try it for free at immersivelabs.com/lite/ and drive down your organisation’s cyber risk while reducing training costs.
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- The "You Think I'm Funny?" scene from "Goodfellas" — YouTube.
- 20 Defendants Charged with Crimes, Including Racketeering, Extortion, Loansharking — Department of Justice.
- Indictment against Joseph Amato and others (PDF) — Department of Justice.
- GPS cyberstalking of girlfriend brings surveillance and indictment for alleged American mobster — The Register.
- How to Find a GPS Tracker on Your Vehicle.
- Former Yahoo Software Engineer Pleads Guilty To Using Work Access To Hack Into Yahoo Users’ Personal Accounts — Department of Justice.
- Former Yahoo engineer pleads guilty to searching 6,000 user accounts for nudes — The Verge.
- Using Match.com? Read this — FTC Consumer Information.
- Why Match.com allegedly luring lonely customers with fake ‘winks’ is just another form of ‘phishing’ — MarketWatch.
- Fembots land Ashley Madison in hot water with the FTC — Graham Cluley.
- Mark Lewisohn Official Website.
- Hornsey Road with Mark Lewisohn.
- The Beatles' Abbey Road (Super Deluxe Edition) — Spotify.
- Jigsaw Explorer — Online Jigsaw Puzzles.
- Criminal — Netflix.
- Criminal Review: Netflix Crime Drama With Parts Better Than the Whole — Collider.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
RAN LEVI. I'm a man's man.
GRAHAM CLULEY. I'm a man's man, he said.
CAROLE THERIAULT. If he's into men, there's no problem.
GRAHAM CLULEY. Exactly. I don't know what a man's man means.
CAROLE THERIAULT. 2019, dude. You can go that way.
UNKNOWN. Smashing Security, episode 149: Falling in Love with Fraudsters, with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 149. My name is Graham Cluley.
CAROLE THERIAULT. 149, clue. I'm Carole Theriault.
GRAHAM CLULEY. And we are joined this week by returning guest, it's Ran Levi from the Malicious Life podcast. Hello, Ran. Hello, hello.
RAN LEVI. Great to be back.
CAROLE THERIAULT. It's so good to have you back on. Thank you for making the time for us.
RAN LEVI. My pleasure.
GRAHAM CLULEY. Now, for those people who didn't hear you last time or may not be aware of Malicious Life, can you quickly summarize what the podcast is all about? Because I'm sure lots of people would love to tune into it.
RAN LEVI. Sure. So I'm originally from Israel, as some of you may be noticing from my accent. No, no, a bit.
CAROLE THERIAULT. It's a very sexy accent, actually.
RAN LEVI. Oh, thank you.
GRAHAM CLULEY. Oh, here we go.
CAROLE THERIAULT. I think the Israeli accent is one of my favorites in the whole wide world.
GRAHAM CLULEY. Thank you.
CAROLE THERIAULT. You can come on the show any time you like, Ran.
RAN LEVI. One of the few times somebody said my name along with the word sexy. So I'm buying it.
GRAHAM CLULEY. I'm buying it.
RAN LEVI. And Malicious Life is a podcast about mainly the history of cybersecurity. We bring lots of interesting stories from past hacks and, you know, interesting viruses all the way back to the 1920s and 1910s, even way before there were computers. But most of them naturally are from the past 20 years or so. So lots of stories. Excellent.
GRAHAM CLULEY. Yeah, lots of good fun. Really recommend it. So Carole, what's coming up on the show this week?
CAROLE THERIAULT. Well, first, thanks to this week's sponsors, LastPass, Immersive Labs, and Code42. Their support helps us give you the show for free. Now on today's show, Graham talks of an FBI arrest involving racketeering, extortion, and buses. Ran blows away the cobwebs and gives us a Yahoo update. And I'm diving into the online dating pool. All this and loads more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now then, ladies and gentlemen, I'm going to— well, I have to— I feel like—
CAROLE THERIAULT. Why, why ladies and gentlemen? He's not two people.
GRAHAM CLULEY. Oh, okay, okay.
RAN LEVI. Gentle person.
GRAHAM CLULEY. I mean, I don't know why you'd be rude to our guest.
CAROLE THERIAULT. Anyway, gentle folk, that's nice.
GRAHAM CLULEY. Hey, hey, hey, all right, I'm gonna take you to Staten Island, New York, okay? Right, I'm gonna do one of my accents. I'm gonna get into character right now, right? You think I'm funny?
RAN LEVI. No!
GRAHAM CLULEY. I amuse you? I amuse you? You think I look like a clown? Huh? Okay. I am going to tell you about what the FBI have been up to, because they have recently charged 20 people alleged to be members of an organised crime gang called the Colombo. The Colombo? The Colombo crime gang.
CAROLE THERIAULT. One more thing.
GRAHAM CLULEY. Hey, there's another impression. I can't keep up with all these impressions. They are part of La Cosa Nostra, the Sicilian Mafia. And they're being charged with racketeering, extortion, operation of an illegal gambling business, attempting to bribe a college basketball game, umpteen other crimes, and cyberstalking. And if the FBI are to be believed, their main chap is a chap called Joseph Amato. Now, disappointingly, Joseph Amato appears to be about the only member of the gang who doesn't have a pseudonym, right? Amato Tomato. I think they could have done something like that. But I imagine you don't call the boss names. So they didn't give him one, but other members do. For instance, there's Daniel "The Wig" Capaldo, also known as Shrek. There's Joey the Fish. There's Dominic Bologna.
CAROLE THERIAULT. I want a name like this, don't you?
GRAHAM CLULEY. Creepy Crawly.
CAROLE THERIAULT. Oh, nice.
GRAHAM CLULEY. That's what you could be.
CAROLE THERIAULT. Nice.
GRAHAM CLULEY. All of the alleged members of the Colombo Gang appear to be men based in Staten Island, New York. But there was a woman who was involved with the group, as you'll find out. The FBI began snooping on alleged members of the gang after a GPS tracking device was found on a Staten Island bus in November 2016.
CAROLE THERIAULT. Like an actual physical device was found?
GRAHAM CLULEY. An actual physical device was found on a bus in Staten Island, November 2016, which was giving them the ability to track people's movements. Now—
CAROLE THERIAULT. Well, track the bus, presumably.
GRAHAM CLULEY. Well, exactly. Why would anyone want to track a bus? I mean, surely—
CAROLE THERIAULT. There's a map online that tells you exactly where it is at all times.
GRAHAM CLULEY. Exactly.
RAN LEVI. Google Maps. The bus does that.
GRAHAM CLULEY. And you imagine more or less each day the bus is going to go the same route round about the same time. Yeah. Yeah. Well, the thing is they didn't want to track the bus. Oh. The tracking device was originally on a car belonging to Joseph Amato's girlfriend.
CAROLE THERIAULT. Oh, are we saying that maybe Joe and his gang put a GPS in her handbag or on her car?
GRAHAM CLULEY. They put a GPS tracking device on her car. He was obviously feeling a little bit uncomfortable as to what she might be getting up to when he wasn't able to see her. And he had boasted that he had eyes everywhere across New York. He said in one email, he said to her, he said, "This is my island, not yours. I've got eyes all over." He said, "I'm a man's man. I'm a man's man," he said.
CAROLE THERIAULT. If he's into men, there's no problem.
GRAHAM CLULEY. Exactly. I don't know what a man's man means.
CAROLE THERIAULT. 2019, dude. You can go that way.
RAN LEVI. I have to say, I'm so disappointed in these guys. It's so cliché. Everything is so cliché. They call themselves what? The Cosa Nostra?
GRAHAM CLULEY. Well, La Cosa Nostra is the name for the Sicilian Mafia, but this particular gang is called Colombo.
RAN LEVI. And all these pseudonyms, like it's very generic.
GRAHAM CLULEY. Fish.
RAN LEVI. And they'd have to think something more original.
GRAHAM CLULEY. The thing was, right, he had planted, or one of his goons had planted this tracking device on her car.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. Because he was interested in what she was getting up to. And then he started saying, you know, I can see what you're doing now. Surprise, surprise. Having been told by him that she was being watched all the time, she checked out her car. She's not an idiot.
CAROLE THERIAULT. She's like, hmm, how did he know I went to McDonald's yesterday? I have an idea.
GRAHAM CLULEY. Let me see if there's some kind of tracking device. And she found this tracking device and she then went and concealed it on the bus. Smart. And so obviously he then thought, oh, she's behaving herself. She's just going around.
CAROLE THERIAULT. She's driving around in circles.
GRAHAM CLULEY. Driving in circles.
CAROLE THERIAULT. Day and night for 8 hours a day.
GRAHAM CLULEY. Stopping at every bus stop. You do have to wonder how long it took him to realise that he was tracking the bus. But eventually he did. And when he did, he did what many people might do. He reported that the tracking device had gone missing to the tracking service.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Right. So he told them, "Oh, I had this device. It's gone missing. So I'm going to need a new one." Sorry to interrupt. Right.
CAROLE THERIAULT. So a GPS tracking device presumably is always telling you where it is.
GRAHAM CLULEY. Oh, well, there are different kinds of tracking device, you see.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. So there are tracking devices which are called passive tracking devices. And what they do is they record locations, but they don't then transmit it back to you. You have to physically grab the tracking device and plug it into a computer or something in order to extract the data.
CAROLE THERIAULT. That would be annoying if you bought that one by accident.
GRAHAM CLULEY. Well, there is an advantage to those. And the big advantage to those is that they require less power.
CAROLE THERIAULT. Aha.
GRAHAM CLULEY. And the battery doesn't go dead. So everyone thinks, because you've watched 24 and TV shows like that, you can just attach some little pin-sized device on people, you can track them indefinitely. It's not as simple as that. So those kind of devices which are sort of giving you live tracking of someone, they're going to need either a really decent battery size or they're going to have to be plugged into your cigarette lighter or the car battery or something like that, right? So I imagine that this was a passive device. And I imagine that Joey the Tomato Amato got one of his buddies, you know, Benny the Banana or Mickey Blue Eyes or whoever it was. I imagine that whenever his girlfriend came to visit, he got them, while he was occupying his girlfriend, to pop out to the car, swap over the device or charge it up or grab the data from it. So I imagine it was that kind of thing.
CAROLE THERIAULT. I'm just taking out the trash. Yeah.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. And just doing a little swapsy.
GRAHAM CLULEY. Okay, interesting. Eventually taking out the trash. Anyway. Swim with the fishes. It's not just Dave Bickman doing the accents. After eventually realising he was tracking a bus rather than his girlfriend, he bought a brand new device. By now, however, the police had been informed when the bus company found the tracking device on their bus, and they said, "This is a bit weird. Do you want to look into this?" They found out who it was registered to. They'd been listening to his phone calls. They'd been wiretapping him and about 20 other members of this gang. It began as a cyberstalking inquiry and then turned into this massive bust of potentially a huge criminal gang.
CAROLE THERIAULT. May I interrupt? Is that why he reported it missing, thinking it may have been reported 'And if I report it missing, it'll be an easy lost and found situation.' Or maybe, I don't know.
RAN LEVI. Maybe he wanted a new one sent from the tracking company.
GRAHAM CLULEY. Maybe he wanted a new improved version. I'm not sure.
CAROLE THERIAULT. Oh, you think he was trying to just get the money for the insurance to replace it?
RAN LEVI. But it's so ironic that the whole operation—
CAROLE THERIAULT. Tomato, amato.
RAN LEVI. The whole operation was discovered because he was jealous of his girlfriend. So ironic.
GRAHAM CLULEY. See, girls always bring us down, don't they? We're just running a nice little criminal operation, and then the girls get involved and they ruin it all for us. Leading us to doom.
CAROLE THERIAULT. Thank God for girls. Okay, carry on.
GRAHAM CLULEY. Anyway, the police raided his house before he was able to plant the second tracking device. They found it. They found all kinds of other communications which he'd been up to. They raided other people's properties as well. They found evidence that they'd been trying to bribe people. They'd been extorting money. They found firearms. They found stun guns. They found cans of tear gas, thousands of guns.
CAROLE THERIAULT. What, this was all in the house?
GRAHAM CLULEY. In this and other residences belonging to alleged members of the gang. So, you know, quite a serious criminal operation, it appears. Obviously, it's all going to go to court. It appears to have been broken up by this FBI investigation, which all began purely because of a cyberstalking incident. Now, it's quite a juicy indictment, if you go and read up exactly what's going on. There's a lot of this which sounds like a Joe Pesci movie when you read it. It does sound like these guys really loved— they loved their gangster movies and they loved The Godfather and they're quoting bits of The Godfather in their communications. Oh, I love that.
RAN LEVI. That's why it's so cliché.
GRAHAM CLULEY. Well, they are really living it. But as I was reading and I was thinking, oh, I'm going to talk about this on the podcast today, it did make me think, you know, these don't seem like Goodfellas to me. I'm not really sure that it was sensible for me to talk about this gang, even though here I am feeling like I'm safe in Oxford because their tentacles—
RAN LEVI. The Mafia's got long arms.
GRAHAM CLULEY. Oh yes, the Oxford Mafia.
CAROLE THERIAULT. As long as a spaghetti noodle. Ran, what's your story?
GRAHAM CLULEY. Okay.
RAN LEVI. My story involves Yahoo!, which a lot of people who actually read comments on the story were kind of surprised to see that Yahoo! still exists. So maybe, you know, every time you mention Yahoo's name is a good thing for Yahoo, even if it's not in a good context.
GRAHAM CLULEY. Yahoo definitely still exists. It's all these people who are aged over 50, right?
CAROLE THERIAULT. Who had the same email account and password for the last 20 years.
GRAHAM CLULEY. Who don't know how to create a new account and automatically forward messages.
RAN LEVI. It really does. My wife's father has a Yahoo account. He's roughly 80. So I'm guessing that's the clientele.
CAROLE THERIAULT. You haven't moved over your father-in-law over to something better than Yahoo?
RAN LEVI. He knows how to operate the user interface and it works. So why give him something new?
CAROLE THERIAULT. I can just see it right now, actually, that conversation. Why would I change? Why would I change?
RAN LEVI. Exactly. It works.
GRAHAM CLULEY. Okay.
RAN LEVI. Don't touch it. It works.
CAROLE THERIAULT. Hands off!
GRAHAM CLULEY. It's mine!
RAN LEVI. And our story begins with a guy called Reyes Daniel Ruiz. I hope I'm pronouncing his first name right. Reyes. That's R-E-Y-E-S. He's 34 years old from California. He's a senior DevOps engineer in Yahoo. He was back then. And he just admitted last week in federal court that he hacked around 6,000 accounts and tried to find nudes, basically.
CAROLE THERIAULT. And what, like women and men, or—
RAN LEVI. I don't know. They didn't say, but probably women.
CAROLE THERIAULT. Oh, right. Okay.
RAN LEVI. Including those of his friends and colleagues. I think that might be even the main reason why he did that, because he targeted co-workers and stuff, which is a bit creepy.
GRAHAM CLULEY. And so how many Yahoo co-workers did he— I mean, it is particularly grim. I mean, I think it's grim breaking into people's accounts anyway to look for private photos and things, but the thought that you might be hacking into the accounts of people who you know and who know you, it must be actually horrific for them. Carole, if you broke into my account, you'd find it pretty tedious.
CAROLE THERIAULT. Oh yeah. I would be like, hey, here's my chess update. Hey, have you seen the new Doctor Who? Yonville.
RAN LEVI. Nothing happens in my accounts. I mean, that's so boring. Don't try to hack my mail. Nothing interesting is going on over there.
GRAHAM CLULEY. But the horrendous, the horrendous thing here, Ran, is that he was actually a Yahoo software engineer hacking into Yahoo accounts.
RAN LEVI. Oh, he's an insider. It's an inside job. And actually, when he hacked those accounts, The story doesn't mention how he hacked them. It was probably using weak passwords.
CAROLE THERIAULT. Yeah.
RAN LEVI. And once he was in, he was able to compromise other accounts of the same people, you know, Google accounts, Facebook accounts.
CAROLE THERIAULT. They all use the same passwords.
RAN LEVI. Exactly. And if not, he reset their passwords. And then you do a reset, you get an email saying, did you just reset your account? And he has control over the email account. So he was able to penetrate other accounts. So he got fired, obviously, once they discovered it. And the ironic part of the story is that once he was fired, he got a job in another Silicon Valley company called Okta. And Okta, ironically, is an access management company.
GRAHAM CLULEY. Exactly.
CAROLE THERIAULT. Oh my God, are you kidding me?
GRAHAM CLULEY. So if people had been using an authentication service like Okta, maybe their accounts wouldn't actually have been hacked. So that's where he went next. Yeah. Oh.
RAN LEVI. Somebody who accessed accounts illegally was at that point an access management specialist.
CAROLE THERIAULT. So he was fired from Yahoo upon discovery of his criminal behavior, but not reported to the authorities.
RAN LEVI. I think it was reported to the authorities, but nobody told Okta. And they were actually pretty cross, from what I understand, with Yahoo's management.
CAROLE THERIAULT. I would say it's their responsibility to do a criminal background check.
GRAHAM CLULEY. Well, he wouldn't have had a crime record at that point. He wouldn't.
CAROLE THERIAULT. Well, he may have. You don't know. If he got fired.
GRAHAM CLULEY. He may have got chucked out of Yahoo, but he wouldn't at that time have been found guilty.
CAROLE THERIAULT. If you're arrested, I guess that there's no paper trail for that because you're innocent until proven guilty. Okay. Right. I understand.
RAN LEVI. Yeah. So he worked there for about 5 months and when Okta discovered his background, they obviously immediately fired the guy. And now he's standing trial. And I understand that the maximum penalty for what he did is 5 years behind bars and a quarter of a million dollars in fines.
GRAHAM CLULEY. And cut off his goolies.
CAROLE THERIAULT. Yeah, yeah, yeah.
RAN LEVI. And it actually made it— I was interested in that story when I read it because in cybersecurity, we usually think about attackers as coming from outside of the organization. I have a notion that a large percentage of cyberattacks of all sorts actually originate from inside, from employees of companies, from people who have access to the information, to the tools, to the programs. And we know that the largest cases like Snowden and then Chelsea Manning, the famous cases, but I think many, many breaches and hacks probably originate from an inside job.
GRAHAM CLULEY. These are people who have already got the passwords. They already have access to the data because they're doing work with it. You don't need to hack in and get past all the security defenses because these are people you've let in through the front door. And given access to your network. It is, though, fairly horrific that those poor people who must have been having lunch with him, had meetings with him, who are now working there going, oh my goodness, what did that guy see of me? And what's he actually—
RAN LEVI. I had such an incident myself a long, long time ago when a coworker— it wasn't a cyber hack back then, but he actually stole a phone that I had and did calls. It was back when cell phones were rather new. And he stole something like, I think, $200 worth of phone calls.
CAROLE THERIAULT. Like phone credits.
RAN LEVI. And it was somebody I knew quite well. And it was so shocking to think that a friend, a coworker, colleague will do that to you.
CAROLE THERIAULT. So are you still friends with him? Have you forgiven him?
RAN LEVI. No, no, no. Actually, when I discovered it, I almost killed the guy. I was pretty angry then. Really?
CAROLE THERIAULT. Don't mess with Ran, kids.
GRAHAM CLULEY. He's Israeli, Carole. He's Israeli. You don't mess with him. We all know that.
RAN LEVI. I was going to say, I want to go to Israel and maybe we can meet for a drink, but just don't touch my phone.
GRAHAM CLULEY. Don't touch my phone.
RAN LEVI. I was a bit younger, I was 20, so hot-headed, blooded.
GRAHAM CLULEY. Did you get a big phone bill or something? How did you find it out? Was it like lots of calls to sexy numbers?
RAN LEVI. Actually, it was quite an interesting story. I got a phone bill, it was way larger than what I usually called, and then I asked for, you know, a list of all the numbers that were called, and I saw that many of these conversations were to a different city in Israel which I never called because I didn't have any friends there. So I asked myself, who could it be? And I had no idea. And what I did then was I called one of the numbers which were rather frequently called, and I pretended to be a newspaper salesman who wanted to—
GRAHAM CLULEY. So juicy. Yeah.
RAN LEVI. And I offered the people on the other end, I had no idea who they were. I offered them a subscription for the newspaper. And if they do a subscription, they'll get a big reward or something. You know, I made up some big reward. And when they agreed, eventually I tried to be the best salesman that I could be. I asked them, okay, so just give me your names and street address or whatever. And now I had the last name and it was the same last name as the guy who stole the phone because it was his parents that he was calling. And then I connected the dots and I came over to that guy. (He killed him.) When he saw me, when he saw how furious I was, he became pretty white because he obviously knew what was happening. But he paid up eventually and I didn't go to the police because he was quite young. I was, I think, 18 years old. So I didn't want to ruin his life because he was doing something so stupid.
GRAHAM CLULEY. So you didn't want to ruin his life because he was 18?
RAN LEVI. Yeah, he was young.
GRAHAM CLULEY. And this was like 10, 15 years ago?
CAROLE THERIAULT. He was 20 though.
RAN LEVI. Ran was 20 at the time. He was 18. And I was thinking to myself, you know, if I did give this guy a criminal record because of that stuff.
GRAHAM CLULEY. Okay, he's middle-aged now. Do you want to name him now? We can put it out on the podcast.
RAN LEVI. I don't even remember. 25 years ago. But we can shame him online.
GRAHAM CLULEY. No, no, no, no, no. I don't think we should.
CAROLE THERIAULT. See, Graham, some of us have loads of friends, right? And like through the years, it's hard to keep track of them all.
GRAHAM CLULEY. Carole, what have you got for us this week?
CAROLE THERIAULT. Well, I think you are also partnered, aren't you? Graham and I both are. Currently. Not together, thank God.
GRAHAM CLULEY. Tell me about it.
CAROLE THERIAULT. Um, but let's hark back, boys, to our single days, right? These are the days before someone graciously invited us into their lives. And I've been out of the game for a while, right? It was the mid-'00s when I fell into step with a hot somebody. So, and it shows, right? I was recently out with some younger friends, uh, and they were glued to their phones, right, while I was sitting there knocking back a delicious martini. I mean, I don't know how you're the wingwoman when the target's on a teeny tiny screen. I don't know how to play that game at all. So my point is the dating world has changed dramatically.
RAN LEVI. Of course, Tinder.
CAROLE THERIAULT. Yeah, right. But whether we're in the scene or not, we have all heard of Match.com.
GRAHAM CLULEY. Yeah, yeah.
CAROLE THERIAULT. Now Match.com is owned, interestingly, by a parent company called Match Group. And Match Group owns a number of dating sites that you might be familiar with, including Hinge, OkCupid, Plenty of Fish, and Tinder. So they are a seriously big player in the dating world.
RAN LEVI. Almost a monopoly, I think.
CAROLE THERIAULT. Yeah, I know. I was thinking eHarmony was the only one that came to mind of a big— one of the bigger brands. There's a Bumble as well. There's a few. Now, recently, Match Group, okay, the parent company, put out some stats on the dating world. And it said, um, it was like kind of like a cute media-friendly report, and it said things like only 11% of Gen Z and millennials date casually. That must be music to the ears of parents with daughters out there. And a third of millennials aren't dating much due to financial constraints. They basically just can't afford going out for dinner all the time, right? And 42% of singles say love feels lost in our society. So basically the dating is very empty. So, that got me thinking. I wondered whether Match Group were feeling the hit, right? So, I wanted to check out sites like Alexa and MarketWatch to see if there was any negative impact on the bottom line.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. And well, well, well, since January 2019, Match Group has grown a whopping 60%.
RAN LEVI. Gosh.
CAROLE THERIAULT. Stock value ticking upwards from $43 to $74. And that's in 10 months, folks, right? It's a pretty nice return.
RAN LEVI. They're doing good.
CAROLE THERIAULT. Yeah. So why are people flocking to Match, right? So one reason is the brand awareness is pretty strong. You and I know about it even though we're not in this world anymore for years.
GRAHAM CLULEY. And there's a Match app, I imagine, as well, is there?
CAROLE THERIAULT. There's a Match app. It also ties well with the Match website as well. There's really nice slick apps apparently, both for iOS and Android. It's really easy to sign up and it's free to sign up, right, and use the search facilities. And there's loads of add-ons available to enhance your experience. That's all the things people say thumbs up for. What people complain about is that only members who subscribe, basically pay a membership fee, can send and reply to messages.
GRAHAM CLULEY. So if I joined Match.com, I could receive messages from people. So it's like, oh, hey cutie, you know, they'd say to me. But if I wanted to reply—
CAROLE THERIAULT. No, no, you wouldn't be able to read it.
RAN LEVI. I—
GRAHAM CLULEY. oh, I wouldn't be able to read. So I'd know there was a message waiting for me.
RAN LEVI. Just browse the pictures.
CAROLE THERIAULT. I'll tell you exactly how it works. I mean, I think you'll see if you can find the flaw in it before I get there. Okay. So this is how it works. You can go out there and like people and read bios and look at pictures.
GRAHAM CLULEY. The profile.
CAROLE THERIAULT. But if someone does the same to you, you will be alerted via email that there's a message for you, but you will not be able to see anything about that message, including the contents, the profile, anything until you pay for a membership.
RAN LEVI. So you don't see it. You just see that somebody responded.
GRAHAM CLULEY. I can see how this might be abused to encourage people to sign up.
CAROLE THERIAULT. So, so just to make it really clear, right? So let's say, um, Ran, you and Graham are both on, you know, and you're liking each other or something, and you're both, you're a freebie, you're a freebie, Ran, on the site, right? So you kind of saw, you looking around on the site and you may have kind of thought, oh, he looks interesting, right? And then you get inside your email something that says, he just emailed you, exclamation mark. Okay, that's what the title says. And then it says, you caught his eye and now he's expressed interest in you. Could he be the one? Read his email. And this is a standard email that Match.com sends to users, including those that are free, right? Now, if you clicked on that, you would be like, ahahaha, you can't read Graham's love letter, or whoever's letter. You don't even know it's Graham, actually. You cannot read the love letter that you've received. Received, right, until you pay, right? The problem: Match had already identified many of the people, of these, the people behind these emails, these interests, as scammers. So if you had paid Match to read that message, yes, you might have gone in and had a scammer there start, a romance scammer start wooing you, or you would have an empty inbox because after you had paid, Match could say, oh, this is in our, in our list of known scammers, we're going to delete this email.
GRAHAM CLULEY. Oh, okay. So there's lots of romance scammers, as we know, doing online dating, and they are actually helping Match.com's bottom line.
RAN LEVI. That's co-evolution in biology.
GRAHAM CLULEY. Because they're sending— because, because they're sending messages to everyone, right? Saying, oh, you're so beautiful, come on, let's go to the bar together.
CAROLE THERIAULT. It gets even worse than this because apparently they have filters in place once you become a member. But they don't have filters, or the argument the FTC are making is that perhaps the same defenses are not in place for freeloader users. And the reason, as you get to the point, the reason you might want all those scammers sending all that traffic is that so you get more people to sign up.
GRAHAM CLULEY. That's a bit naughty, isn't it?
CAROLE THERIAULT. It is a bit naughty.
RAN LEVI. Actually, when you started describing the story, I was thinking more in the direction of what, if you remember, Ashley Madison, what they were doing? Ashley Madison, the—
GRAHAM CLULEY. Yes, the fembots.
RAN LEVI. Yeah, they had exactly the fembots that they fabricated users to kind of lure the users to—
GRAHAM CLULEY. Yeah.
RAN LEVI. That's different.
CAROLE THERIAULT. Because the FTC have been after this for years and years. One of the quotes from the FTC was Match had blocked some of these suspicious accounts from sending messages to its paying subscribers, but didn't give the same protection to free account users. Now, how big is the problem? The FTC alleges that millions of contacts that generated Match's 'you caught his eye' email notices came from accounts the company had already flagged to be fraudulent. And worse, right, Match prevented existing subscribers from receiving these email communications if they were from a suspected fraudulent account.
GRAHAM CLULEY. It's an interesting one, this, isn't it? Because I can imagine that Match.com might say one of the benefits of subscribing to our service is that we will give you a cleaner inbox and we will keep out scammers and spammers, etc., etc. And then maybe they wouldn't offer that to people who hadn't yet paid. And yet, of course, the very fact that there is spam and scams and fake winks occurring on Match.com might be an incentive for people to subscribe. Do we have any sense as to what percentage of traffic on Match.com is fraudulent or scammy?
CAROLE THERIAULT. Yes, there is. So apparently, I was shocked by the number, 25 to 30% of Match.com members who register each day are using Match.com to attempt to perpetuate scams, including romance scams, phishing scams, fraudulent advertising, and extortion scams.
RAN LEVI. That's a lot.
GRAHAM CLULEY. Now, do those, but those people, to send those scam messages, they must have to subscribe to Match.com, right?
CAROLE THERIAULT. Yes, they create, they create a bogus account. They go and like all the new people that have come on to the site as freebies.
GRAHAM CLULEY. Stolen credit card details?
CAROLE THERIAULT. Sure. Well, who knows if they—
GRAHAM CLULEY. I'm sorry, what noise are you making there?
CAROLE THERIAULT. No, no, no, sorry.
GRAHAM CLULEY. Was that a rabbit having a munch of something? What was that?
CAROLE THERIAULT. That was me snapping my lips. I was just wondering whether they had to have full accounts or not. You're right.
GRAHAM CLULEY. I think they would do, wouldn't they? Really?
CAROLE THERIAULT. Yeah.
RAN LEVI. So actually scammers and Match.com are kind of entwined in mutually beneficial relationship.
CAROLE THERIAULT. Yes, that's where I think things get a little bit yucky, right? That's exactly the point. They're kind of directly profiting from the romance scammers attempting to find fresh victims.
RAN LEVI. But let's not jump into conclusions because it really reminds me of what people were saying about the antivirus industry for a very long time. That the antivirus vendors were creating viruses to, you know, to have more clients. And of course, this was ridiculous because nowadays there are so many viruses and malware that you don't need to create anything specifically. But back then in the early '90s, people really thought that antivirus vendors were creating viruses for their own products to catch.
CAROLE THERIAULT. I think that's a super amazing point. I, my view wasn't, when I read this and did my research, I did not feel, oh, Match are behind the scammer emails at all. It doesn't make business sense for me at all from a share-run company. It doesn't make sense.
RAN LEVI. Maybe it was a bad call from management to kind of prevent the service from the free tier.
GRAHAM CLULEY. They've, although they've grown 60%, you said, since January, you know, they're doing all right. They might be turning something of a blind eye to the problem and maybe not addressing it quite as well as they should.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. I want to know if any of our listeners are on— if there are any genuine Match.com users and whether anyone out there listening is on Match.com. And if they are, if they could send a message to HotOxfordTamale, that would be—
CAROLE THERIAULT. Why HotOxfordTamale?
GRAHAM CLULEY. Isn't that your username, Carole? I thought you'd researched this.
CAROLE THERIAULT. So my advice, right, when I read all this, I'm thinking, okay, we like to end with some good advice. And the only advice I have: all the millennials and the Z-gens out there, why don't you return to old school cool? You know, take out the headphones, go outside, talk to real people in real life.
RAN LEVI. Outside? Carole?
GRAHAM CLULEY. Sunlight?
CAROLE THERIAULT. If someone came up to you and said, "Hi, you've caught my eye. Are you single?" Would you be insulted or would you be like flattered?
RAN LEVI. I'm a male. I'd be very flattered.
GRAHAM CLULEY. Carole, that's how disease is spread. The bubonic plague began because of things like that.
CAROLE THERIAULT. It's much safer to meet and interact with people. I wasn't suggesting that you actually catch the person's eye literally. I thought it more figuratively, Graham.
GRAHAM CLULEY. I don't like the zombies.
RAN LEVI. With a barbed wire. Catch his eye.
GRAHAM CLULEY. It's just Graham. You have to forgive him.
CAROLE THERIAULT. No, I was talking about you.
RAN LEVI. No, I missed the Tinder revolution. I was married long before they—
CAROLE THERIAULT. Join the club. Join the club.
RAN LEVI. I'm so bummed out. I mean, it would have made my life as a single bachelor so much easier.
GRAHAM CLULEY. A lucky escape, I reckon.
CAROLE THERIAULT. At the beginning of the show though, I said that you had a very sexy voice, right?
GRAHAM CLULEY. Oh, here we go.
RAN LEVI. Thank you. Thank you.
CAROLE THERIAULT. Made you feel good. No, whether, you know, just like it's a nice daily thing. So I'm saying to millennials and Z-Gen to get out there and just tell people you might enjoy it. Old school cool.
GRAHAM CLULEY. Sponsors.
CAROLE THERIAULT. Don't you love a win-win situation? Imagine if you could have both enterprise-wide password management with single sign-on. What is single sign-on? Well, Graham, let me dazzle you. Single sign-on is designed to connect employees to high-priority apps, all without needing the user to log in at every single hurdle. Now, by combining these two services, our friends at LastPass may have just revolutionized security at the enterprise level. Learn more at lastpass.com/smashing. You don't need to say the forward slash. Ah!
GRAHAM CLULEY. So you've got an IT security team, but you want to turn them into security superstars? How can you best provide each employee with the opportunity to upskill themselves? Immersive Labs provides a cloud-based system, meaning it's available 24 hours a day, whenever it's convenient for them to learn. It provides hands-on experience with tools, technology, and even sandboxed ransomware, phishing, and ransomware. The platform provides story-based threat simulations. It lets teams enhance their skills while stopping an online banking breach or the hack of industrial control systems. Lots of fun to be had there. Check out Immersive Labs' skills development platform to drive down your organization's cyber risk while reducing training costs. Check them out at immersivelabs.com/lite. Immersivelabs.com/l-i-t-e. Okay, so it turns out that we are all bad people.
CAROLE THERIAULT. Well, not all of us, most of us though, because 60% of employees who quit their jobs admit to taking data. That's why Code42 provides data loss protection for when employees quit. It can help you detect insider threats, investigate file activity, and respond before damage is done. A really cool aspect is that at any time, Code42 can tell you what data lives where, when it leaves, where it goes, and who has access to. To learn more about how you can protect your company from insider threats, visit code42.com/smashingsecurity. Now on with the show.
GRAHAM CLULEY. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
RAN LEVI. Yeah, naturally.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever it is. They wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. And my pick of the week this week is not security-related. I had a fantastic time last week because I popped out to a local art center and I saw a chap talk and the chap's name is Mark Lewisohn and he is the world's foremost authority on something I hold very close to my heart, which is the Beatles.
RAN LEVI. My favorite band ever.
GRAHAM CLULEY. Oh, really? Oh, Ran.
RAN LEVI. I grew up.
GRAHAM CLULEY. Mark Lewisohn is, he's a historian and he has been writing an incredible 3 volumes. He's only written the first one and only takes them up to the first recording session. It's about 800 pages of the Beatles history. Anyway, at the moment he is doing in the UK a tour called Hornsey Road. I won't explain why it's called Hornsey Road because that's one of the secrets revealed during his talk, but it is all about the 50th anniversary of the Abbey Road album. Of course, the last album ever recorded by the Beatles back in 1969, and it was fabulous.
CAROLE THERIAULT. I know that it was fabulous because I happened to talk to you the next day and you waxed lyrical about this show for about 20 minutes.
GRAHAM CLULEY. Which is probably the longest we've ever been on the phone other than a podcast. It was terrific. So what Mark had done is he had taken the isolated tracks from Abbey Road, which actually had been sort of ripped off a guitar, a Rock Hero game. I think there was a Beatles rock band game, video game a while back, which had the isolated tracks and someone broke the encryption, managed to get the individual tracks of all these Beatles songs. No way. Yeah, for real. And he's able to use those and he's remixed them into his own version of Abbey Road, which highlights individual pieces of musicianship like Paul McCartney's incredible bass guitar playing, the drumming obviously, the lead guitar of George Harrison. It's tremendous. So he was doing this and he'd made up these little videos and things. There's video footage, interviews, tapes of them chatting in the studio, but also so much background information. You find out who the real Mean Mr. Mustard was, if you remember that song from the medley on side two. And another of the revelations which comes to light is he actually got a recording of a business meeting which the Beatles had had after Abbey Road was recorded, where they discuss how they want to actually record another album, which never happened. But one of the things which comes up is discussion of Maxwell's Silver Hammer, which is a controversial Beatles track. And it turns out during this recording that even Paul McCartney who had insisted they record it and had multiple hundreds of takes of this particular song, he admitted that he didn't actually particularly like it either. So no one in the band actually liked Maxwell's Silver Hammer, but it still ended up on the album.
CAROLE THERIAULT. This is amazing.
GRAHAM CLULEY. John Lennon's kind of saying, well, couldn't you have given it to someone else? It was an incredible two and a half hours, and for a Beatles fan like me, really unbelievable.
RAN LEVI. This is amazing. I would have loved to watch it.
GRAHAM CLULEY. Well, sadly, it isn't going to be videoed. It isn't. And I don't think it's going to go on tour overseas either. But if you go to hornseyroad.net, you can find out where other dates on the tour are in case you want to go and check it out. But 50 years on, still a magical album and put in so much fantastic context by Mark Lewisohn. So it had to be my pick of the year.
RAN LEVI. And Spotify, by the way, has a special Abbey Road playlist with commentary, which is also great. I just listened to it a few days ago. It's amazing.
GRAHAM CLULEY. Yeah. Brilliant album. Ran, what's your pick of the week? Okay.
RAN LEVI. So my pick of the week is a website called jigsawexplorer.com, Jigsaw Explorer. And as you can probably understand from the name, it's a jigsaw puzzle kind of website. And actually, it's a fantastic website to jigsaw lovers like me, like myself. You can— I mean, there are hundreds and thousands of puzzles and you can kind of tweak the individual puzzles to the level of complexity that you wish to have. And lots of, you know, little tweaks that can help you, like they can kind of move all the pieces to one side of the screen, etc. So it's very, very nice user experience in terms of bringing a puzzle together on a computer screen, which is not an easy thing to do.
GRAHAM CLULEY. So I'm— yeah, so I'm trying this right now, right? It's enormous fun. So basically it presents itself a bit like a tabletop with all of the jigsaw pieces turned the correct way up, which obviously is the biggest nuisance normally of jigsaws. But then you can sort of with your mouse, you can point and click and attach them to each other. And once you've got the correct connection, they stick together, don't they?
CAROLE THERIAULT. Like a jigsaw.
RAN LEVI. Like a jigsaw, exactly.
GRAHAM CLULEY. Like a wonderful jigsaw. So you're never left in any doubt as to whether you've got it right or not.
CAROLE THERIAULT. You know, guys, they do say that, you know, older generations are quite, quite happy to do a little jigsaw for quite a long time. Graham, are you saying that's what you want for your next celebration?
GRAHAM CLULEY. I'm going to put this on my Tinder profile or Match.com profile, I think.
RAN LEVI. Do a jigsaw together. It's so romantic.
GRAHAM CLULEY. I'm going to say to some young lady, I've got a piece which would fit you just fine.
CAROLE THERIAULT. Oh, your digital door is going to get blown down with that line, sugar face.
RAN LEVI. So actually, I mean, I very much loved puzzles even when I was a kid, but being now a father of 3 kids, so I don't have much time to actually do a real, you know, real world puzzle. And even if I would, the kids would probably run all over it and blow it up to pieces again. So on a computer.
CAROLE THERIAULT. How old are they? 20, 30?
GRAHAM CLULEY. I wish.
RAN LEVI. And so puzzles on a computer screen are much easier for me to, in a more practical sense. And actually, I love doing puzzles when I'm listening to podcasts. It's so relaxing and you can listen to podcasts and you don't have to stare at nothing for a few, an hour or something. So it's great fun. I really recommend it.
GRAHAM CLULEY. Cool.
CAROLE THERIAULT. I've been playing with it too.
GRAHAM CLULEY. It looks cool.
CAROLE THERIAULT. It's definitely something to put into your, the bored file, you know, the I'm bored at work file folder on your browser.
RAN LEVI. Exactly.
GRAHAM CLULEY. Yeah. So jigsawexplorer.com. Very nice.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Love it.
CAROLE THERIAULT. HTTPS too.
GRAHAM CLULEY. They are all the best sites are. Carole, what's your pick of the week?
CAROLE THERIAULT. Mine is a Netflix show called Criminal. Watch it. That's all I have to say.
RAN LEVI. No, so isn't it based off a podcast? There is a podcast called Criminal.
CAROLE THERIAULT. No, I don't think it is. I— well, maybe I, I read somewhere that Criminal had sold the rights, so it's possible, but I didn't go and do that research because, yeah, the Criminal with Phoebe Judge is an excellently great podcast, and it does have a similar approach, but it's kind of different. This is more 4 miniseries. Each miniseries has 3 independent programs in our shows or episodes, and each miniseries focuses on a different European country. So we have the UK, France, Spain, and Germany, and all of it is set in the same, uh, investigative room. So the whole idea is someone's sitting in the room, the police want to talk to that person, they have a file, they've brought them in, you don't know why and you go in and start learning as they ask questions. It's really good if you're into that whole character study.
GRAHAM CLULEY. So you might not know whether the character is a baddie or not, but they might have a, they might have a tell. Is there a one-way mirror? Is there one of those funny mirrors?
CAROLE THERIAULT. And you go behind, you're often in that back room watching what's going on. So you're with the investigative team of the group, and the rooms are only two rooms effectively. There's like the back room and the interview room. And each, uh, so say for the UK, the first one has David Tennant who plays the perp who's being interviewed in the first one. He is very good. And the game is, of course, you have to decide whether he's guilty or not before the end of the show. That's the game I play anyway.
GRAHAM CLULEY. We played our house.
CAROLE THERIAULT. Well, interesting you said that. So it's really kind of cool to compare how it works in Germany versus the UK and Spain and France, how lawyers act, for instance, how the law works. It's just, it's really insightful and cool, and I love it. So go watch Criminal. It's on Netflix. Netflix. And Graham, you'll love it. I promise, promise, promise.
GRAHAM CLULEY. It sounds good to me.
RAN LEVI. It's an interesting idea. I mean, the idea is fantastic.
CAROLE THERIAULT. It's a great idea. Yeah.
GRAHAM CLULEY. So great to see the UK working together with European countries on a project as well, isn't it? It is.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. As we head into our glorious future, back to the 1600s. Anyway, that just about wraps it up for this Ran, I'm sure lots of our listeners would love to follow you online and find out more about the Malicious Life podcast. What's the best way they can do that?
RAN LEVI. Yeah, the website is malicious.life, and we are of course on every podcasting application out there, CastBox, iTunes, whatever.
CAROLE THERIAULT. Alexa, play Malicious Life.
RAN LEVI. Interesting if that would work. I think it should. I think I don't have an Alexa. Sub, but it should. And if you want to follow me on Twitter, that's @ranlevi, R-A-N-L-E-V-I.
GRAHAM CLULEY. And you don't have a Match.com user ID, you're claiming?
RAN LEVI. Not yet.
GRAHAM CLULEY. And you can follow us on Twitter as well, @SmashingSecurity, no G, Twitter won't allow us to have a G. And you can join the conversation on Reddit as well. Just check out the Smashing Security subreddit.
CAROLE THERIAULT. Once again, thanks to this week's Smashing Security sponsors: Immersive Labs, LastPass, and Code42. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye-bye, later skaters.
CAROLE THERIAULT. Now this week we thought we'd share an independent intended comment on our last show. This one comes from Twitter. Victor PC, or @Victor_TheyKnow, said, "The last episode of Smashing Security had me dying. Graham Cluley's laugh should have its own show. It's so communicative." I agree. Hashtag hello boys?
GRAHAM CLULEY. I think that's because we were talking about the advert, Eva Herzigova, weren't we, last week? And her décolletage.
CAROLE THERIAULT. Thank you, Victor_TheyKnow. I have to say that many people have often told me that Graham sounds like he's indeed dying when he's laughing. So I don't want you to die with him.
GRAHAM CLULEY. In fairness, we are all dying, aren't we? It's not just that I sound like— well, I mean, it's just, it's just a question of speed.
CAROLE THERIAULT. That's the deepest thing you've ever said to me in 20 years. I'm blown away, and that's saying something.
RAN LEVI. It was great fun, guys.
GRAHAM CLULEY. Thank you so much, Ran.
-- TRANSCRIPT ENDS --