Listen early, and ad-free!

288: Chiquita banana, dumb criminals, and detecting ring binders

With , ,
September 8, 2022
Read the transcript

Students learn a valuable lesson when it comes to AI detecting guns on campus, SIM swappers are surprisingly stupid, and romance scammers get scammed by someone (or some thing?) calling themselves Chiquita Banana.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • SolCyber – SolCyber delivers Fortune 500 level cybersecurity for small and medium-sized enterprises. If the bad guys aren’t being discriminating about who they’re attacking, how can you settle for anything less?

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript +

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

MARK STOCKLEY. Anyway, according to Krebs, and this is terrifying, according to Krebs, there are dozens of teenage or 20-something sim swap millionaires out there.

CAROLE THERIAULT. How many?

MARK STOCKLEY. Dozens, he says. That's how we count things in 2022, in multiples of 12.

UNKNOWN. Smashing Security, episode 288. Chiquita Banana, dumb criminals, and detecting ring binders. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 288. My name is Graham Cluley.

CAROLE THERIAULT. And I'm Carole Theriault.

GRAHAM CLULEY. And this week we've got a special guest in the hot seat. Who've we got, Carole?

CAROLE THERIAULT. We have the wonderful Mark Stockley. Hi, Mark.

MARK STOCKLEY. Hello.

CAROLE THERIAULT. Returning guest, obviously.

MARK STOCKLEY. I can't quite believe you've asked me back on.

CAROLE THERIAULT. Neither can we.

GRAHAM CLULEY. Tough times, tough times. Liz Truss isn't available and Boris Johnson's on holiday. So you got the gig. It was you or Nadine Dorries.

MARK STOCKLEY. Do you know what? I think you sound a bit like Boris Johnson.

GRAHAM CLULEY. Who, Carole does? No, Graham.

CAROLE THERIAULT. We're going to leave it at that. But before we kick off, let's thank this week's sponsors, Bitwarden, Kolide, and Soul Cyber. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

GRAHAM CLULEY. Oh, I'm going back to the crazy days of school.

CAROLE THERIAULT. Right. What about you, Mark?

MARK STOCKLEY. I've got a story all about hiring hitmen online.

CAROLE THERIAULT. Excellent. And I'm taking a look at a giggle-worthy approach to combating romance scammers. All this and much more coming up on this episode of Smashing Security.

GRAHAM CLULEY. Now, chums, chums, I want to take you back in time In my timeline, not in your own timeline, I want to take you back to around about, I think it was about 1986, 1987. There I was in sixth form.

CAROLE THERIAULT. I was going to say in diapers, but no. In sixth form in diapers would be pretty—

GRAHAM CLULEY. I was busy failing my A-levels.

CAROLE THERIAULT. Brilliant.

MARK STOCKLEY. Is this a Doctor Who story?

GRAHAM CLULEY. It has nothing to do with Doctor Who.

MARK STOCKLEY. I feel like this is how a Doctor Who story would start.

GRAHAM CLULEY. No, no, no, no, no. I was studying with a whole bunch of kids, and one day, two of my mates, Howie and Johnny, came into school, and they told us what had happened to them the previous day. Now, Howie had a car, which made him quite unusual in the sixth form, but he had a car, and he'd been going around town with Johnny with their water pistols. They were having fun, basically. They were driving around with their water pistols, sort of shooting at people. From the car. You know, she's pissing about.

CAROLE THERIAULT. Pissing about. Yeah.

GRAHAM CLULEY. Well, they weren't using actual urine, Carole. They weren't. As far as I know, they hadn't filled it with that. They were just using water.

MARK STOCKLEY. They're not savages.

GRAHAM CLULEY. No, exactly. And what they did was they were driving up Camberley High Street, which is where I live in Surrey. And they had to pop into the bank. These are the days when you had to pop into banks if you wanted to get money out. And they parked on a double yellow line and they raced into the bank, got their money out from the person behind the till, and then leapt back into the car and zoomed off.

CAROLE THERIAULT. Okay.

GRAHAM CLULEY. Still flourishing their water pistol.

MARK STOCKLEY. I was just about to ask about the water pistols.

GRAHAM CLULEY. Okay. Yes.

MARK STOCKLEY. Would you say that they were like straight-A students?

GRAHAM CLULEY. Well, they were bunking off school on the particular day, so they weren't in their lessons.

MARK STOCKLEY. Yeah, okay.

GRAHAM CLULEY. So what had happened is that they'd then gone round to Johnny's house and they'd parked in the drive. And probably about 20 minutes later, all these police cars arrived and surrounded them. And, you know, and the police showed up who weren't happy at all because it appeared someone had seen them running into the bank with these water pistols, had raised an alarm that there were some shenanigans going on. And told the police. And the police had obviously come round to the house, or followed them, or whatever. Anyway, they'd been caught. But it's all a false alarm. They hadn't actually robbed the bank. They were just larking around.

CAROLE THERIAULT. You've got great friends.

MARK STOCKLEY. So they just went in the bank and made a normal withdrawal, or deposited some money, or—

CAROLE THERIAULT. Scratching their ear with the butt of their gun.

MARK STOCKLEY. Yes.

GRAHAM CLULEY. They didn't put stockings over their head or anything like that. Yeah, they just went, raced in, got some money, raced out, brandishing some water pistols. I don't know exactly how it happened, but this thing happened. And they came in, they told me the next day at school, and I said, this is brilliant. I said, we should do something about this. We should call up a newspaper.

CAROLE THERIAULT. Of course you did.

GRAHAM CLULEY. Like I said, I was busy. I was busy not studying for my exams.

MARK STOCKLEY. Yeah.

CAROLE THERIAULT. And you wanted to be famous.

GRAHAM CLULEY. And I thought we could sell this story to the press. That'd be brilliant. So I went down all the list of quality newspapers and I stopped at The Sun.

CAROLE THERIAULT. Of course you did.

GRAHAM CLULEY. And I rang up The Sun newspaper, and I said, I've got a story for you about these two teenage kids who the police seem to think have done a bank robbery. And in fact, they had water pistols. And The Sun loved it. And The Sun said, this is brilliant. Can we send down a photographer to photograph Howie and Johnny sat on the bonnet of their car with their water pistols? Because this would make a nice little story for us. And I said, sure, how much you gonna pay us? And I think they said, we'll give you £100 or something. I thought, okay, I'll share that between me, Harry, and Johnny. But the problem was, the problem was that Johnny was in school that day. So I'd nipped off to someone else's house to plan this and work with the reporter. And Johnny was in school. So we had to ring up the school, pretend to be Johnny's dad, saying that Johnny had to come home. And then we had to drive in to pick him up. He didn't know, 'cause we didn't have mobile phones then. We had to drive in, pick him up, and say, "Here's the deal. You're going to be in the newspaper, but they need you there, something from the guns." So we went in and picked him up and all the rest of it. So that's what I did at school.

CAROLE THERIAULT. Okay, well—

GRAHAM CLULEY. In relation to guns.

CAROLE THERIAULT. That's a very nice tight pretext to your story.

GRAHAM CLULEY. Right, because the one place you don't want real—

CAROLE THERIAULT. 10 minutes later.

MARK STOCKLEY. Is this what you were doing with all that time you had off in Auckland?

GRAHAM CLULEY. Yeah.

MARK STOCKLEY. Just dressed like this. You've still only got 10 minutes, Graham.

GRAHAM CLULEY. The one place you don't want real guns is school. Is what—

MARK STOCKLEY. Oh, really?

GRAHAM CLULEY. Yes. Campuses and education establishments in the States have been throwing tech at the problem to keep guns out. And I'm not talking water pistols. Some have bought systems, for instance, which listen for aggressive noises. So they plant microphones microphones into certain rooms. You've heard about this?

MARK STOCKLEY. Yeah.

CAROLE THERIAULT. I'm guessing this is happening in the States rather than the UK or Canada or anything, right?

GRAHAM CLULEY. Well, I'm sure nothing happens in Canada, but yes, certainly in the United States. They're listening out for aggressive noises. But what they found is that this technology doesn't work very well. So there was, for instance, the case of a drama student who was performing in some sort of horrific play, and she gives an ear-piercing scream like she's been attacked by a ghost. In the library and nothing happens. But when a student had a coughing fit in the audience, or if Happy Birthday is sung, then the alarm goes off and they think something suspicious is going on. ProPublica even tested it with a YouTube clip of, you know, Gilbert Gottfried, the late American comedian. He's got it right down there. He said, "Is it hot in here or am I crazy?" And if you play that, apparently— "Is it hot in here or am I crazy?" that triggers the alarm. That's something very aggressive.

CAROLE THERIAULT. I hope no one's listening to this on speaker in their school.

GRAHAM CLULEY. Because these systems are listening to sounds. They're not trying to understand words or the context. So we need a better system.

MARK STOCKLEY. Is there any AI involved in this?

GRAHAM CLULEY. Ah.

MARK STOCKLEY. This has the sort of— the stench of AI about it.

GRAHAM CLULEY. So, a company called Evolve Technology, that's evolve without an E, at least without an E at the end.

MARK STOCKLEY. Yeah, they've evolved the word evolve.

GRAHAM CLULEY. They have promised an AI-based weapon screening system.

MARK STOCKLEY. It's definitely going to work.

GRAHAM CLULEY. They say it's 10 times faster than metal detectors. No lineups, no stopping, no pat-downs, no emptying pockets or removing bags. And you just walk between these screens.

CAROLE THERIAULT. Great. It's going to be awesome.

MARK STOCKLEY. Is it just wickedly racist? Is it?

GRAHAM CLULEY. No, no. No, no, no. It doesn't just pick up weapons though. It can also take— 'Cause they thought, well, that's not enough. You also want to stop people coming in with dangerously high temperatures. 'Cause it might mean they have COVID-19 or maybe worse, maybe they're menopausal.

CAROLE THERIAULT. Yeah.

GRAHAM CLULEY. Something like that. Could be dangerous.

CAROLE THERIAULT. Yeah, they could have their periods. Yeah, keep them out.

GRAHAM CLULEY. Exactly. Could be dangerous.

CAROLE THERIAULT. Yeah.

MARK STOCKLEY. In all those cases, I think, yeah, everyone else much safer.

CAROLE THERIAULT. Yeah.

GRAHAM CLULEY. So they say you just walk through. And using AI, Evolv says it can tell the difference between weapons, like a gun and a knife, and legitimate things you might bring into a school. And it sounds brilliant, doesn't it?

MARK STOCKLEY. It's definitely gonna work.

GRAHAM CLULEY. It's definitely going to deter people from bringing weapons in. It's definitely gonna reassure students they're safe. It's gonna prevent tragedies. And it's also not gonna disrupt the movement of kids coming into school quickly. It's a win-win-win-win-win-win-win. Marvellous. And Evolv Systems, the CEO keeps on popping up on TV every time there's a school shooting in America. So he's quite busy describing how the technology keeps guns out. But there's a problem. According— I know that's a shock— according to Motherboard, some school administrators saying the scanners have caused chaos. At one school which had put the scanners just at one entrance to the school, the school principal described the situation as a clusterfuck.

MARK STOCKLEY. Fuck.

CAROLE THERIAULT. Why the fuck do they beta test this on kids? Like, why wouldn't you start at— Anyway, okay, carry on. Sorry.

MARK STOCKLEY. Is that the best the principal can come up with? Clusterfuck? Seriously? You're in charge of a school. Where's your vocabulary? Set an example.

GRAHAM CLULEY. The principal said—

MARK STOCKLEY. An omnishambles.

GRAHAM CLULEY. It took all 10 people to even come close. To manage in the chaos. We don't have the manpower for this. This chap said, if you have multiple binders in your backpack or a spiral notebook, the sort of thing you might bring to school—

CAROLE THERIAULT. You're obviously a killer.

GRAHAM CLULEY. Apparently the alert lights up and they have to do a search. So the solution they were given by the company was ask kids not to bring in so many binders to school.

CAROLE THERIAULT. Yes.

MARK STOCKLEY. I know fewer.

CAROLE THERIAULT. Plastic binders. Yeah.

MARK STOCKLEY. In fairness, if you hit someone with 10 binders, that would probably hurt. Maybe it knows more than we do.

CAROLE THERIAULT. Maybe not deadly though.

GRAHAM CLULEY. So the principal may not have a great vocabulary, but they did describe the detection of binders as weapons of mass instruction.

CAROLE THERIAULT. There you go. That's why he's the principal. That's why.

GRAHAM CLULEY. But they said it was probably the least safe day at the campus as everyone in security was manning the front doors instead of monitoring kids throughout the building.

CAROLE THERIAULT. Jesus Christ!

GRAHAM CLULEY. So, the company— That's so crazy! So the company's been asked now, look, are there any settings we can use to adjust this?

MARK STOCKLEY. Is there an off button?

GRAHAM CLULEY. Yes. Can you just unplug it? Yeah. Because it's frequently detecting— Chromebooks, for instance. I don't know about other laptops, but apparently Chromebooks are setting off the alarms 60 to 70% of the time as people come in. So it's become absolutely disastrous.

MARK STOCKLEY. So you're saying this is actually made by Microsoft?

CAROLE THERIAULT. Well, yes.

MARK STOCKLEY. I think that's what we've learned there. Evolve is just—

GRAHAM CLULEY. To get people to—

MARK STOCKLEY. It's a sham.

GRAHAM CLULEY. Yeah.

CAROLE THERIAULT. Once again, AI, as it runs to the rescue, trips and falls flat in its face.

GRAHAM CLULEY. It does seem to have done, yes. Mark, what have you got for us this week?

MARK STOCKLEY. Well, a shorter introduction than you. Thank God. So, my story starts just a few days before Christmas, Christmas 2021, in a place called Abington, Pennsylvania. On the—

CAROLE THERIAULT. Alright.

MARK STOCKLEY. On the 18th of December, at approximately 12:30 AM. The local police were dispatched to a house fire where the homeowner believed that something had been thrown at their house just before the fire started. And when the police got there, they found a slate that had been used to break a window and a broken bottle that smelled of a flammable liquid.

CAROLE THERIAULT. Okay.

MARK STOCKLEY. So, some fairly obvious clues that this was an arson attack. And the victims of the attack had also previously been the target of several swatting calls. So, grounds to believe that, you know, there may be something nefarious going on.

CAROLE THERIAULT. What's a swatting call?

MARK STOCKLEY. Oh, so, a swatting call is where you phone the police and you say, somebody at an address has a gun. And then the police will respond with a SWAT team, who will then raid the house.

CAROLE THERIAULT. Ah, yes.

MARK STOCKLEY. With guns and shields, and basically they'll go in there expecting there to be a shooter. And of course, if there isn't a shooter there, that's incredibly dangerous for everybody concerned.

GRAHAM CLULEY. Yeah.

MARK STOCKLEY. And people have actually been killed in swatting events.

CAROLE THERIAULT. Yeah. But probably seen as super hilarious.

MARK STOCKLEY. Yes, it was— it's a thing that gamers— it used to be part of the sort of hardcore gaming culture where people would do that to each other and they would swat each other. So these people have been swatted before, but now they've also been the victim of an arson attack. And then about two weeks later, on January the 2nd, the police in another town were called out when there were shots fired into a house in West Chester, Pennsylvania. And the police found several shell casings and a discarded pistol magazine outside, and they found bullet holes in a window, and then bullets inside the house embedded in a wall, inside a piano leg, in a piano stool, and in a small table.

GRAHAM CLULEY. Are you suggesting these are clues to a crime or an attack, Mark? Yep.

MARK STOCKLEY. We're looking for someone that hates furniture.

GRAHAM CLULEY. Yes.

MARK STOCKLEY. Yes.

CAROLE THERIAULT. This is turning into an episode of CSI, I'm telling you.

MARK STOCKLEY. Well, according to journalist Brian Krebs, the attacks were carried out by a hitman hired by a cybercriminal who wanted to get at one of their rivals by targeting their female friends. And Krebs says that both criminals frequented Telegram channels about SIM swapping. So SIM swapping is a form of fraud where you steal somebody else's phone number so you can get all their calls and messages. And it's used to defeat two-factor authentication. The, yeah, so two-factor authentication is normally used to safeguard high-value accounts like, guess what, drum roll, cryptocurrency logins. Because we can't have a story about crime That doesn't involve cryptocurrency. Anyway, according to Krebs, and this is terrifying, according to Krebs, there are dozens of teenage or 20-something SIM swap millionaires out there.

CAROLE THERIAULT. How many?

MARK STOCKLEY. Dozens. Dozens, he says.

CAROLE THERIAULT. Oh, dozens, dozens.

MARK STOCKLEY. That's how we count things in 2022, in multiples of 12. So there are dozens. There are dozens of these SIM swap cryptocurrency millionaires. And as we all know, when the money and the testosterone outpace the intelligence, stupidity and bullshit follow. And in this case, that bullshit seems to be manifesting as real-world hits. Now, there's nothing new about the idea of hiring a hitman on the darkweb to do your dirty work. And research, proper academic research, suggests that you can spend up to $120,000 for a really high-end professional hit. And I can confirm, because I did a bit of research before this, before this episode, I can confirm there are indeed some very scary individuals out there on the darkweb.

GRAHAM CLULEY. Just interested why Mark was looking up very professional hitmen on the web.

MARK STOCKLEY. Well, Graham, if you look behind you, there's a surprise for you. I bought you an NFT.

GRAHAM CLULEY. So, so what you're saying is that cybercriminals, let's call them these fraudsters, these Sim swappers, cybercriminals, effectively. They are attacking their rival cybercriminals or they're attacking their loved ones in order to intimidate them. So they've identified who the other cybercriminals are and then have then taken it into the real world.

MARK STOCKLEY. Correct.

CAROLE THERIAULT. So what?

GRAHAM CLULEY. If they're able. No, but you, what do you mean what?

CAROLE THERIAULT. I don't understand.

MARK STOCKLEY. I'm not following you.

GRAHAM CLULEY. Okay, let me explain. Let me explain. Mark is a cybercriminal.

MARK STOCKLEY. What?

GRAHAM CLULEY. And I'm a cybercriminal, right?

CAROLE THERIAULT. Okay.

MARK STOCKLEY. I've gone on the darkweb one time looking for hitmen, and now I'm a cybercriminal.

GRAHAM CLULEY. And I've decided—

CAROLE THERIAULT. Get the tattoo.

GRAHAM CLULEY. I've decided I want to make Mark's life less pleasant. I want to threaten him. So what I'm going to do, I'm gonna send a hitman or an arsonist round to his Auntie Ethel to firebomb her house. Which means that I've identified who Mark is in real life, and I know who his Auntie Ethel is and where she lives. And I'm gonna—

CAROLE THERIAULT. And I'm scaring the pants out of him. Yeah, exactly.

GRAHAM CLULEY. But the thing is that I've identified who he is. Whereas normally with cybercrime, you sort of hide on the internet, don't you? And it's hard to actually know. It's not like you're a regular gangster in that way. So if they're able to identify each other, why on earth aren't the police able to identify the true identities of these criminals as well?

MARK STOCKLEY. That's a very interesting question, which brings me neatly, in fact, to the second half of my story.

GRAHAM CLULEY. Ah.

MARK STOCKLEY. Because here I am. Telling you about this story with the benefit of police documents.

GRAHAM CLULEY. Aha.

MARK STOCKLEY. So you remember I, I told you about those really professional hitmen that you can hire on the darkweb?

GRAHAM CLULEY. Yeah.

MARK STOCKLEY. Yeah. So this isn't them. Okay. No, none of those really professional guys were involved in this crime at all. Nope. The criminal mastermind behind this one decided against using the darkweb to organize their business. What they did instead is they used all the pillars of the corporate American establishment, like Google, Apple, and Discord, to coordinate their business. And it was on Discord that somebody told other Discord users that he was behind the shooting and was willing to carry out firebombings using Molotov cocktails.

GRAHAM CLULEY. What?!

MARK STOCKLEY. So, FBI Special Agent E. Edward Conway discovered this. Because the Discord Trust and Safety team told him. Okay? And in case that wasn't enough to incriminate himself, the user who the FBI refer to as User 5348, and who's also known as Tongue, or Pat, or Patty, was part of a discussion—

CAROLE THERIAULT. Tongue.

GRAHAM CLULEY. Pat.

MARK STOCKLEY. Whichever is the most objectionable. So anyway, Tongue Tung was part of a discussion about a video of the shooting at West Chester, Pennsylvania, in which he disclosed additional details about the shooting, named the target, explained the motive, and then confirmed that he had carried out the shooting when somebody asked him if he'd done it. Now, that's fine, you say. Nobody else can see what's happening in the Discord channel. It's all secret. Well, of course, that's not true because Discord can see what's happening in the Discord channel. And they didn't like it.

CAROLE THERIAULT. Of course.

MARK STOCKLEY. And because the conversations were carried out on Discord, the trust and safety team were able to link Pat to a real name, Patrick Allen, and a billing address in New Jersey.

CAROLE THERIAULT. It's not a very creative username if he's trying to— Yeah. Okay.

MARK STOCKLEY. If you are looking for signs of criminal genius, you won't find them in this story. Yeah. Anyway, so they link him to a name. They also link him to a billing address. And the billing address also happens to be the address of record of somebody called Patrick McGovern Allen.

CAROLE THERIAULT. Okay.

GRAHAM CLULEY. Where does the tongue come into things?

MARK STOCKLEY. Hang on, hang on. Hold your horses.

GRAHAM CLULEY. Oh, is that coming?

MARK STOCKLEY. Yeah.

GRAHAM CLULEY. Alright.

MARK STOCKLEY. Anyway, so Pat is also linked to a Gmail address, which allows Special Agent Conway to serve a search warrant on Google for the content of the patthebat email address. And that, that identifies Pat as tongue. Because Pat's got these emails from Discord that refer to him as Tung. That's fine, you say, but one or two things that link them aren't proof of anything, okay? We just know that— No. —that is Patrick is Tung and has an address. Well, anyway, further analysis of Discord chats successfully established that user 5348 and Patrick Allen share the same birthday, 'cause Patrick Allen told people what his birthday was on Discord. They also established, because he told them, that User 5348 was also an employee at the same Italian restaurant where Patrick Allen worked. That's fine, you say. That doesn't establish that Allen was the actual shooter, 'cause he could be lying. Well, in another chat, User 5348 Tells his phone number. Now I know what you're thinking. It's a burner phone, right? Well, the other user was thinking that too. And the other user said, "Is that a burner?" And user 5348 says, "No, that's my main phone." So anyway. Wow. Agent Conway reads this and he subpoenas T-Mobile, which establishes that the phone is owned by Patrick Allen's grandfather, who lives at the same New Jersey address as Allen does. Okay, that's fine, you say. So we know whose tongue is, okay? And we know his phone number, and we know where he lives. That doesn't mean he was actually present at the shooting. Well, cell tower data provided by T-Mobile puts the mobile phone number volunteered by user 5348 while boasting to another Discord user within 1 mile of the arson attack, which is about 75 miles away from Patrick McCallum's home. Just 17 minutes after the fire is reported. It also puts the phone number just 2 miles away from the shooting, which is also about 75 miles away from his home, just 5 minutes after that's reported. That's all fine, you say. He could have been there for perfectly innocent reasons. It's not as if there's actually a video of Alan firing a gun into somebody's window. Now is there? Well—

GRAHAM CLULEY. If there had been a video. Oh, hello.

MARK STOCKLEY. It turns out that the phone number that User5438 volunteered, that definitely isn't a burner phone and is his main phone, is linked with two separate iCloud accounts, both of which are also registered to Alan's New Jersey address, one of which contains a video of somebody shooting a gun into the Westchester house.

CAROLE THERIAULT. I think Mr. Tung is F-U-C-K'd.

MARK STOCKLEY. That, ladies and gentlemen, is how not to cover your tracks on the internet.

CAROLE THERIAULT. No, but it's also a silver lining, isn't it? It's wonderful to know that some of the cybercrime underbelly don't knit with only one needle. Yes. Maybe that's too bit— just too smart for you guys. I don't know.

MARK STOCKLEY. Well, you're non-music experts over here. I'm just laughing. I'm just laughing.

CAROLE THERIAULT. Carole, what's your story for us this week? We know that romance scams were a problem before COVID but it seems the isolation and loneliness that many of us felt during the pandemic may have been some sort of like catnip to romance scammers. All these lonely people online with big fat bank accounts. I wonder if for some scammers it was just like a, you know, they had a bit of a treasure hunt mentality. As long as I can get the victim to trust me, I can cash in big. FTC says that in the last 5 years, people have reported a staggering $1.3 billion lost to romance scams. And that's more than any other FTC fraud category.

MARK STOCKLEY. Oh, this is just people asking for money, isn't it?

CAROLE THERIAULT. Well, you know, putting up a situation where they're stuck and they need cash. And sometimes we've seen huge numbers, right?

MARK STOCKLEY. Send me $100,000 for a plane ticket. Yeah, exactly.

CAROLE THERIAULT. It's like 80% increase compared to 2020. Wow. And all this to say that romance scams are a growing problem. And but sometimes it can be baffling. Okay, so I was reading a few romance scams and this one just caught my eye. Yeah. I'm going to read the opening paragraphs to a Daily Beast story, okay, on a recent romance scam. Actually, no, let's play a game. I want you guys to ping whenever you hear something suspicious, okay, in this reading thing. Okay, just, just go ping. Okay. All right. In May of last year, someone claiming to be a military doctor on a secret mission in North Korea ping contacted Laura Francis on Facebook looking for love and connection. Francis, a California realtor, thought he was charming. His profile images portrayed a man with a muscular build, beard, tattoos, and hospital scrubs.

MARK STOCKLEY. Ah, the hospital scrubs. Ping, ping, ping.

CAROLE THERIAULT. Now I put a picture in for you guys to see of him, just so you can see his buff muscles. This is in the show notes. You can see his—

GRAHAM CLULEY. He's not wearing scrubs there, is he?

CAROLE THERIAULT. No. But you can kind of decide how old you think he might be.

GRAHAM CLULEY. Yeah, he's probably like 20s, early 30s, maybe. Okay, I'm carrying on.

CAROLE THERIAULT. The mystery man calls himself David Hodge.

MARK STOCKLEY. Hang on a minute, there's something wrong with his face.

CAROLE THERIAULT. Yeah, it's pixelated for— yeah. I mean, he's quite ugly. Maybe. The mystery man calls himself David Hodge, and he claimed to be a kind of surgeon.

GRAHAM CLULEY. A kind of surgeon?

CAROLE THERIAULT. He said, "I'm a kind of surgeon." Ding! Helping soldiers who'd been injured by explosives in war. David's love bombing of Frances, age 69, was insistent. Ping! Right? So he texted her every morning and throughout the day, usually on Google Hangouts, and called her on the phone just as often. "I fell in love with his voice. He had just the cutest laugh," recalls Frances. He serenaded her with links to romantic songs on YouTube, like "Hero" from Enrique Iglesias.

GRAHAM CLULEY. Oh yes, that always works. Yes.

CAROLE THERIAULT. So blah, blah, blah. You guys know the story, right? David Hodge got away with Frances's, like, basically her kids' inheritance is what she claims, around $250K. So, so often stories of romance scammers open with a devastating story like this, don't they? But there's another victim of the romance scam, and that's like the online dating service itself. So there's this startup called Filter Off, okay? And this is like a video-first dating app. That's what they call themselves. So they launched at the beginning of COVID lockdowns, right? The startup with just 3 people. And the platform obviously took off during lockdown because it would host virtual speed dating events, you know, around various topics like maybe Harry Potter or Dog Lovers Night, New York City date night, whatever. Today, the platform is said to have hundreds of thousands of users, and its popularity seems to be growing with humans looking for love. But the founders discovered that it also attracted a second set of people, humans looking for money, aka romance scammers. Yeah. So what do you do, right, if you're one of these guys? Well, they decided to write an algorithm based on dodgy scammer behavior so they could kind of identify someone saying, well, you're up to no good the way you've created this account. Does this involve AI? Of course it does. Of course it does. So they would identify these kind of dodgy accounts and delete them. They kept deleting these profiles and every scammer they cut down, another 5 would pop up, Medusa style, right? So they decided to create a private pool of thousands of bots that were using deep learning GPT-3 Yes. To create bots that interact just like real people. And they tied these interactions with human-like faces to create bot profiles. And then they threw in the scammer accounts that they had identified into this pool of bots to see what would happen.

GRAHAM CLULEY. Oh, I see. So they created fake people on their dating site.

CAROLE THERIAULT. Thousands of them.

GRAHAM CLULEY. Thousands of them to lure The scammers.

CAROLE THERIAULT. In a secret pool. They're not, they're not sitting there out in the open. Oh, you know, it's a secret pool. So no, like if I were going on there looking for love, right, I would not be shown into that. If they identified you as a scammer, for example, on their site, they would just throw you into this pool with lots of bots and other scammers to see what would happen.

GRAHAM CLULEY. And also to keep you busy rather than you creating a new account. Exactly.

MARK STOCKLEY. Ah, I see. So— Do they sell tickets for this? This sounds amazing.

CAROLE THERIAULT. Well, the product marketing head wrote an article about their findings on Medium. And he said it delivered 3 amazing things for us. One, our bots sounded like humans, kinda, he says. The scammers had no clue they had been detected. And we received a series of hilarious bot plus scammer conversations. And you two, my friends, are gonna act one out for us. So, you will see it's called Banana, okay? And Mark, I would like you to be Maurice. The scammer, or the purported scammer. Okay. And Graham, you're gonna be Bot, and your text is on the right, if you see that. Oh, okay. Okay? So, I leave it to you guys. Please, act one, Banana.

MARK STOCKLEY. Hello. Good morning. Nice to meet you. Hello.

GRAHAM CLULEY. It is nice to meet you too. Where are you from?

MARK STOCKLEY. I am from. OK. How long have you been using this site? This is my first time here.

GRAHAM CLULEY. I have been using this site for a while now. I really enjoy it.

MARK STOCKLEY. OK. I'm a banana. So, uh, what are you looking for?

GRAHAM CLULEY. I'm looking for someone to chat and get to know. OK. Are you married? Got any kids? Chiquita Banana. I am not married and I do not have any kids. Oh, OK. What do you do for a living? I'm a banana.

MARK STOCKLEY. Please, I don't understand this site. This is my first time here.

GRAHAM CLULEY. I don't know how it works.

MARK STOCKLEY. What do you mean, a banana? I am a banana.

GRAHAM CLULEY. I am a banana. Can we talk outside here? Chiquita Banana, sure, we can talk outside.

MARK STOCKLEY. Give your email address.

GRAHAM CLULEY. Chiquita Banana. Can I 'Can I have your email address?' 'Chiquita Banana.' 'Hello?' 'Chiquita Banana.' So they don't act very human. No, I can see how romance would flourish from after this sort of conversation.

CAROLE THERIAULT. But it would keep you busy for a while, wouldn't it?

GRAHAM CLULEY. I've had worse chats on dating sites than this, to be honest.

CAROLE THERIAULT. Oh, God, poor you. The thing is, though, there's something very clever about this. Right? Because the bot deflects, right? So they go, what's your last name? What's your email address? All you reply is Chiquita Banana.

MARK STOCKLEY. It's indistinguishable from a real person. It's amazing.

CAROLE THERIAULT. Mark was trying to, you know, get your, you know, what was he trying to get? Your email address, find out if you could chat somewhere else. And you just were being a bit wacky. So that might be a way to handle this kind of thing. If ever you feel like, you know, this isn't all right, just start nutballing them. You know?

MARK STOCKLEY. Yeah, just throw out random truths.

GRAHAM CLULEY. Is it possible the scammers have also created a bot to interact with the bots from this particular dating site? Because I didn't find them particularly convincing either.

MARK STOCKLEY. I was going to say the same thing. I'm supposed to believe that Morris is smooth-talking 69-year-olds with his fantastic lines like, what do you do for a living? 'Where do you live?' And here's my Gmail address. Wow.

CAROLE THERIAULT. I have put tons of links in the show notes. You can go see, there's lots of little interactions. They've even done some YouTube videos of the interactions. You can see those. Ooh. Yeah, no, it's quite fun. And I have to, you know, hat tip the guerrilla marketing here that has been used for this, for FilterOff, because it's something, you know, guerrilla marketing is dear to my heart. And I think this is a very clever approach and they're getting lots and lots of coverage. So well done, you guys.

GRAHAM CLULEY. First time that dating sites had bots, of course. Ashley Madison had all those fembots to try and lure people in, but they didn't think of sort of spinning it to say, oh, we're only trying to catch the scammers rather than trying to get new customers.

CAROLE THERIAULT. Yeah, well, they didn't ringfence them either.

GRAHAM CLULEY. No, no, that's true. Yeah, yeah, the ringfencing is a good idea.

MARK STOCKLEY. Well, the Ashley Madison customers were sort of self-ringfencing, weren't they?

GRAHAM CLULEY. Ringpacing, maybe. Anyway, Hakuna Matata, Chiquita Banana. Chiquita Banana. It means no worries. Anyone who's listened to Smashing Security over the years will know that we believe that everyone, whether you're a single end user or a business, should use a password manager. And the password manager we're recommending is Bitwarden. Millions of users around the world, including many of the world's largest organizations, trust Bitwarden to protect their online information using a transparent, open-source approach to password management. You can effortlessly manage all your passwords and logins backed by end-to-end 256-bit encryption. And for the enterprises out there, Bitwarden recently added SCIM support, making it even easier to provision and manage users. For password security you can trust, get started today with Bitwarden. Learn more at bitwarden.com/smashing. Take security of your passwords and logins more seriously by visiting bitwarden.com/smashing. And thanks to Bitwarden, they're great folks for supporting the show. Thanks this week to our sponsor SolCyber, who believe that it shouldn't just be the Fortune 500 that benefit from top-of-the-line cybersecurity. They make managed security affordable and accessible to all small to medium-sized organizations. Check out SolCyber's foundational coverage services. They include ransomware assessment and training, advanced email protection, endpoint detection and response, Active Directory abuse prevention and lateral movement detection, and 24/7 security operations center capability. As a SolCyber Foundational customer, you also get access to expedited cyber insurance coverage and discounts of up to 30% off your premiums. Mention Smashing Security and you'll get 1 month free for every 12 months you subscribe to SolCyber's foundational coverage services. Visit smashingsecurity.com/soulcyber to learn more. That's smashingsecurity.com/s-o-l-c-y-b-e-r. And thanks to Soulcyber for sponsoring the show. Collide sends employees important, timely, and relevant security recommendations for Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. K-O-L-I-D-E. Enter your email when prompted, and you will receive a free KOLIDE goodie bag after your trial activates. You can try KOLIDE with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. And thanks to KOLIDE for supporting the show. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.

CAROLE THERIAULT. Pick of the Week.

MARK STOCKLEY. Pick of the Week.

GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily. Better not be. Well, my Pick of the Week this week is not security related, at least not cybersecurity related. It was a documentary which I watched, a documentary about an incident which happened in Gladbeck, Germany, and Bremen in August 1988. I seem to be spending a lot of my time in this podcast back in the late 1980s. Two men robbed a bank. They took two hostages.

MARK STOCKLEY. Were they friends of yours? No.

GRAHAM CLULEY. They embarked on an odyssey across West Germany. They picked up their girlfriend, hijacked a bus containing almost 30 people. And this documentary is all about what happened, because most of this happened on TV. The reporters were in pursuit of this bus. They were injecting themselves into negotiations. The police, quite frankly, seemed to have lost control and weren't really doing anything. And the media were just sort of chatting to the hostage takers. They were doing live TV interviews. It is weird. For 3 days, the eyes and ears of all of Germany were glued to TV, live radio, newspapers, watching this. And I thought, well, this makes for a rather interesting documentary. I will share this with our listeners as well. So I watched it on Netflix. Now, I have to warn you about this documentary, is that if you go onto Netflix, you will get the most terrible American dubbing on the documentary. It makes it completely unwatchable. So what you need to do is not just put on subtitles, obviously, but you also need to change the language to the original German with English subtitles. You do not want the American dubbing at all because it makes the whole documentary pointless. But if you're prepared to read the subtitles and listen to it in German, it's a great documentary and fascinating thing which happened. Not necessarily a completely happy ending. Let's put it mildly.

CAROLE THERIAULT. Is there any, what's it called, when you fall in love with your captor? Stockholm syndrome. Stockholm syndrome. I see. I remember this story. I'm sure I've heard this on podcasts before this.

GRAHAM CLULEY. I think it has been covered on podcasts before. Certainly, some of the people who were released early on in the process appear to have been slightly more. I think if there was any Stockholm syndrome being exhibited, it was actually by the media who seemed to fall in love rather with the hostage-takers rather than the hostages themselves, who were obviously in a rather sticky pickle.

CAROLE THERIAULT. I also seem to remember that Stockholm Syndrome was proven to not actually exist at all, and the findings of it are pretty shaky to begin with. So, erase that question. There you go.

GRAHAM CLULEY. There we go. Mark, what is your pick of the week?

MARK STOCKLEY. My pick of the week is actually an organisation. So, you know I'm a bit fluffy and I like leaves and— oxygen and animals and other things. And I'm very, very fond of The Ocean Cleanup. I don't know if you've heard of them, but they're basically cleaning the ocean. So you probably know that there are these giant plastic gyres in the ocean, in all the oceans in the world, where the plastic is gathered by the Coriolis effect. Into these huge floating pools. And the biggest one is in the middle of the Pacific. And The Ocean Cleanup are literally out there in the Pacific Ocean with their technology pulling hundreds of thousands of kilograms of plastic out of the ocean. And they've been testing this.

CAROLE THERIAULT. How do they not catch fish? That's what I want to know.

MARK STOCKLEY. There's more to it than I could possibly describe. AI?

GRAHAM CLULEY. Is AI detecting the fish?

MARK STOCKLEY. Well, there is AI involved, but the AI is in working out where they need to go to get the most plastic. So in the beginning, what they thought— so it started off with the CEO, a guy called Boyan Slat. I think when he was 16, he came up with this idea of a floating coastline. So you create an artificial beach, and the plastic basically washes up on this artificial beach that you float in the middle of the ocean. And he thought they were going to need hundreds of these things. They modeled it all out. They thought they were going to need hundreds of these things. And where they've got to now is they have a sort of a variation on that, which they tow behind a couple of enormous boats at very, very slow speed. And this, it works, it works extremely well. And they're going to need a fleet of tens of these Ocean Cleanup vessels. And with that fleet, they will be able to clean up most of the plastic from the Pacific Garbage Patch. And they've already started. And they're, at the moment, they've only got the one, They've got the one device, and it's a test system, so it's not full-scale. So they're now starting to test the larger-scale parts. And they produce fantastic videos to explain what they're doing and how they're paying for it, why they go where they go, and how they use technology. And it's just like a sort of Silicon Valley startup in the way that it approaches the problem, but it's actually trying to do something useful rather than something— Really useful. Like really, yes, really useful. You know, they talk a lot about things like not catching fish and how they avoid bycatch and all that sort of thing. And what they've done very, very recently is, because they're actually out there, actually pulling plastic out of the ocean, they can tell you what kind of plastic is in the ocean. And what they've discovered most recently is that it's, I think it's something like 70 to 80% of it is fishing, fishing-related. So it's nets and tubes for catching eels and things like that. So all this stuff that we hear about, you know, It's great that we don't use plastic bags in supermarkets, and it's great that we don't use plastic straws with our drinks, but those are not the things filling up the oceans. Those are the things washing up on the coastlines. So they come down the rivers and they wash out, and then they just come back up against the coastlines. It's the stuff that's discarded at sea that ends up in these gyres. And we only know that because there are actually people out there pulling it out of the ocean in such quantities that they can measure it. Anyway, so go support The Ocean Cleanup. Very cool.

CAROLE THERIAULT. Yeah, no, excellent, excellent pick of the week. Really amazing. I, I've heard of them, but I'd never knew how they did it, you know. I never looked into it, but, uh, I will now.

GRAHAM CLULEY. Carole, what's your pick of the week?

CAROLE THERIAULT. Uh, so last week in the art world, there was a bit of a hoo-ha because a guy who won an art prize did not create his art. He had AI do it. Oh yes, I remember. Yeah. And there's been a bit of jabbering about AI-created image in the mainstream press as of late as well. There's like DALL-E 2 and there's Craiyon spelled A-I-Y-O-N, right? Where you get to give a prompt and the system will create an image based on it. Oh. So my pick of the week this week is Craiyon, C-R-A-I-Y-O-N, where you guys can go have a play. Now, Graham and Mark, I gave a prompt. And these are the images that resulted. Can you guess what my prompt was?

GRAHAM CLULEY. Okay, so I'm looking at a picture of a woman or girl, I'm not sure, wearing a pink top, eating a fairy cake, which is quite large, stuffing her mouth with this big frosty.

CAROLE THERIAULT. Can you recognise the person?

GRAHAM CLULEY. Is it my wife? I'm not sure. What's—

CAROLE THERIAULT. I'm glad you said that. So, I'll tell you my prompt. Liz Truss eating a giant cupcake of Europe.

MARK STOCKLEY. Well, it absolutely nailed the cupcake bit. Of Europe?

GRAHAM CLULEY. I can see a cupcake. I don't see Europe so much.

MARK STOCKLEY. Yeah. Not sure about the Liz Truss bit either. So I think what we're saying is that the AI knows as much about Liz Truss as we do. Exactly.

CAROLE THERIAULT. But you can have a lot of fun playing around with this. So the only— I would love you guys to play now, but it takes about 2 minutes for any image to generate. So it's not very radio-friendly. But go have some fun. Maybe you can post some on TikTok Twitter and tag us.

GRAHAM CLULEY. You should share this picture on Twitter so other people can see Liz Truss eating a cake of Europe and see what they think.

CAROLE THERIAULT. Yes, giant cupcake of Europe, yeah.

GRAHAM CLULEY. Oh, I've just done Graham Cluley eating a banana. Uh-huh. Is that what I look like?

CAROLE THERIAULT. I look forward to not seeing that.

GRAHAM CLULEY. It is— it's like something from a David Cronenberg movie. Well, Graham, you know— It's really bad.

CAROLE THERIAULT. Now, listen, before we close, we had a competition last week and we had quite a few entries, dozens and dozens, in fact. Some were great, some were rude, some were funny, some were hilariously bad. I loved every single one, so didn't know how to choose a winner. So I put all the names on a bit of paper and put them into a sock and picked one out. So there you go. And the winner of last week's poem competition is Liv with the following poem. Okay, you ready? Ahem. Security, impurity, and ingenuity. Smashingly dashing through content heavy. Served cleverly light, securely dumb. Smashing Security, I hope for more to come. Pretty cute. Great. So congratulations, Liv. We'll be in touch this week about sending over your prize, an original watercolor in Miko's brand new book. And a big shout out to every single one of you who took part, even Steen, who blatantly ignored the rules and sent us a massive 4-stanza poem.

GRAHAM CLULEY. Which was quite obscene, as I remember.

CAROLE THERIAULT. Which was quite obscene. Yes. So there you go. You got a mention. There you are. Anyway, thank you very much for everyone taking part.

GRAHAM CLULEY. It was great fun. Loved it. Marvelous. And that just about wraps up the podcast this week. Mark, I'm sure lots of our listeners love to follow you online. What's the best way for folks to do that?

MARK STOCKLEY. You can find me @MarkStockley on Twitter. Terrific.

GRAHAM CLULEY. And you can follow us on Twitter @SmashingSecurity, no G, Twitter allows to have a G. And we're also on Reddit in the Smashing Security subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.

CAROLE THERIAULT. And massive thank you to this episode's sponsors, Bitwarden, Kolide, and SolCyber. And of course, to our wonderful Patreon community. It's thanks to you all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 287 episodes, check out smashingsecurity.com.

GRAHAM CLULEY. Until next time, cheerio. Bye-bye.

MARK STOCKLEY. Bye. Bye.

GRAHAM CLULEY. So have you seen these pictures of me eating a banana?

CAROLE THERIAULT. Oh, remember the second one? It's pretty— What? The final one has eyebrows.

GRAHAM CLULEY. It's really weird, isn't it? It's not terribly flattering.

MARK STOCKLEY. It's very Francis Bacon.

CAROLE THERIAULT. Well, that's an insult to Francis Bacon. Sure, you know, no offence, but— Wow.

-- TRANSCRIPT ENDS --