Listen early, and ad-free!

323: Botched Bitcoin blackmail, iSpoof, and Meta’s billion dollar data bungle

With , ,
May 25, 2023
Read the transcript

13 years jail for spoofing scammer, a rogue IT security expert's Bitcoin blackmail goes wrong, and Facebook's eyewatering GDPR fine may be only the beginning of its problems.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by the Imposter Syndrome Network podcast's Zoë Rose.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
  • Centripetal - Centripetal's CleanINTERNET defends your assets from cyber threats by leveraging dynamic threat intelligence on a mass scale.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript +

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

CAROLE THERIAULT. And he's probably in the meetings going, look, I really think you should probably pay it. I'm just thinking, you know, it makes sense, right? They'll go away. I won't make it public. Yeah, hush, hush. Tell no one.

ZOE ROSE. Shh.

UNKNOWN. Smashing Security, episode 323, Botched Bitcoin Blackmail, I Spoof, and Meta's Billion Dollar Data Bundle with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 323. My name's Graham Cluley.

CAROLE THERIAULT. And I'm Carole Theriault.

GRAHAM CLULEY. And Carole, who have we got in the hot seat this week joining us?

CAROLE THERIAULT. We have Zoe Rose of the Imposter Syndrome Network podcast. Hi, Zoe.

GRAHAM CLULEY. Hey. Welcome back, Zoe.

ZOE ROSE. Yeah, it's lovely to be back.

CAROLE THERIAULT. Yeah, it's been a while. It's been a minute. It's been a minute.

ZOE ROSE. A minute.

CAROLE THERIAULT. Yeah, I like that expression a lot. It's saying, "I haven't talked to you in ages." Oh, is it?

GRAHAM CLULEY. Oh, I see. Yeah. Fair enough. You could just say, "It's been an age." It's been an age.

CAROLE THERIAULT. I could say that too.

ZOE ROSE. It's been a while.

CAROLE THERIAULT. Tell us about your podcast.

ZOE ROSE. Yeah, well, I co-host it, so more credit to my co-host because he probably does a lot more than I do.

GRAHAM CLULEY. It is important to give credits to your co-host, isn't it?

ZOE ROSE. Isn't it?

GRAHAM CLULEY. That's what I've been told.

CAROLE THERIAULT. I've heard that. I've heard that. Heard that.

GRAHAM CLULEY. Imposter Syndrome Network. What is it all about?

ZOE ROSE. Yeah, well, it's basically we're interviewing extremely successful people and talking about their journeys, their careers. It's technical careers. So it's anybody from security to engineering to, I don't know, anything you really want to do. Developers as well. And yeah, we're just talking about why the bloody hell they're there, what they're doing, and how they got there. And it's been really interesting because some really good advice has been shared about how to overcome not just feeling like an imposter, but also overcoming mistakes. Because that's probably been a huge part of my career, is I've made slight errors that have been massive.

CAROLE THERIAULT. Who hasn't though?

ZOE ROSE. Well, it's the best way to learn, from my opinion.

CAROLE THERIAULT. Yeah, of course. If you've lived long enough, you haven't fallen flat on your face at least once. What's going on? What kind of shoes are you wearing?

GRAHAM CLULEY. I think the thing is a lot of us, though, we look around us and we think, "Oh, those people aren't as idiotic as I am." But they are, and that's the best part.

CAROLE THERIAULT. Yeah. I'm not sure there's many people that are more idiotic than Graham. I'm not sure.

ZOE ROSE. Well, okay. Degrees, degrees. But it's awesome because it's we'll interview somebody, and the entire time I've just sat there, "Bloody hell, you're so amazing." And then they're talking about all these simple things that they've done wrong, and I'm just, how is that possible? You're just so perfect. It's just really cool.

GRAHAM CLULEY. Well, listeners, go and check out the Imposter Syndrome Network podcast to hear more from Zoe and her co-host and her guests.

ZOE ROSE. Yes.

CAROLE THERIAULT. And let's get this podcast on the road. Before we kick off, let's thank this week's wonderful sponsors, Bitwarden, Kolide, and Centripetal. Their support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

GRAHAM CLULEY. I'm going to be talking about a bizarre bitcoin blackmail plot.

CAROLE THERIAULT. Oh, nice alliteration. What about you, Zoe?

ZOE ROSE. I'm talking about Meta's exceptionally large fine for failing to follow GDPR.

CAROLE THERIAULT. And I'm going to talk about why you can't trust caller ID. All this and much more coming up on this episode of Smashing Security.

GRAHAM CLULEY. Now chums, I want to take you back to February 2018. That's where my story is going to begin. And it begins in the offices of an Oxford company, Carole. Oxford Biomedica, just down the road from you. Very swanky building, lots of glass. It's near your neck of the woods, Carole. If you know where Lidl is, near the big Tesco's.

CAROLE THERIAULT. I do know where Lidl is.

GRAHAM CLULEY. Right, opposite Kennington Flooring. If you go down there— Oh, you know them as well? All right.

CAROLE THERIAULT. They did our floors. Oh! There you go.

GRAHAM CLULEY. Oxford Biomedica. They are gene and cell therapy firm. They worked on Parkinson's disease, they partnered with Microsoft to use their AI and machine learning to work on treatments for a large number of sicknesses, and perhaps most famously, they manufactured a vaccine for COVID-19. Oxford Biomedica.

CAROLE THERIAULT. That's right.

GRAHAM CLULEY. And, well, way back, 27th of February 2018, actually, they suffered a cyber attack. What happened was a hacker accessed their systems and senior members of the company received a ransom demand from the attacker.

CAROLE THERIAULT. Right.

GRAHAM CLULEY. Nothing that unusual, really. Kind of thing that happens all the time, right, Zoe?

ZOE ROSE. Well, it happens more than you hear about, to be fair.

GRAHAM CLULEY. Yes, exactly. Yeah, right. So, as far as I've been able to work out, Oxford Biomedica never went public about this particular attack. I did search, and it doesn't look like they ever actually admitted it. But anyway, it's now come out into the open because of the story I'm about to tell you. So a hacker accessed their systems, senior members of the company received the ransom demand, and what do the bosses at the company do? What do you do when you receive a ransom demand?

CAROLE THERIAULT. Pay them and get them to go away.

GRAHAM CLULEY. Exactly.

ZOE ROSE. Shh, shh, shh.

GRAHAM CLULEY. Here you are, here's the money.

ZOE ROSE. What's this here?

GRAHAM CLULEY. Clear off, clear off, why don't you?

ZOE ROSE. I mean, that's better than pretending it was a security researcher for a bug bounty, isn't it?

GRAHAM CLULEY. Oh yeah, yeah, exactly. Don't take the Uber route. Yeah, exactly. Don't do that. Well, what they decided to do was they brought in the IT boffins. So they have people obviously inside their company, IT experts, and they said, look, we've received this email, slightly worrying. Have we been hacked? What should we do? And so they brought in the geeks inside the company, which included a 23-year-old IT security analyst called Ashley Lyles.

CAROLE THERIAULT. Okay, security analyst.

GRAHAM CLULEY. Yeah. Yeah.

CAROLE THERIAULT. Okay.

GRAHAM CLULEY. And Ashley and his— I guess it just means he worked on the IT security team, you know?

CAROLE THERIAULT. Right, right, right.

GRAHAM CLULEY. And it's one of those sort of, you know, names, isn't it? Ashley and his colleagues, they worked alongside the police to try to mitigate the incident, find out what was going on. Because obviously there was the threat that maybe a hacker had broken in, stolen sensitive information, maybe planning to leak it. They were obviously demanding money as well from the company.

CAROLE THERIAULT. And they did this on the QT. Right? Is this Ashley guy was under NDA to do it on the hush-hush?

GRAHAM CLULEY. Well, Ashley's just one of the employees. It's like any—

CAROLE THERIAULT. Oh, right, right. Sorry, sorry, sorry. I thought he was a consultant brought in.

GRAHAM CLULEY. Oh, no, no, no. He's working for Oxford Biomedica. He's on the staff.

ZOE ROSE. I feel like I know where this story is going.

GRAHAM CLULEY. Right. So—

ZOE ROSE. Because, yeah, I'm excited.

CAROLE THERIAULT. I feel for Ashley right now, I think.

GRAHAM CLULEY. You think?

ZOE ROSE. I don't think so. I feel you're uncovering a—

CAROLE THERIAULT. I'm going to believe in them until proven... Okay, quite right, Zoe.

GRAHAM CLULEY. Thank you. Quite right. I your attitude. Zoe, you're just so cynical.

ZOE ROSE. Anyway. But it's an interesting story, and interesting stories always have a not-so-ethical situation. So I feel I know where it's going.

GRAHAM CLULEY. Alright, alright, come on, just calm down.

ZOE ROSE. I'm excited though, I'm excited.

GRAHAM CLULEY. Can everyone just calm down? Calm down, right? I'm telling you the story. Here we go. Right, so Ashley and his colleagues are looking into the incident. They've got the blackmail email, they've got the communications which are going on. They're trying to work out, have we been compromised? Has any data been taken? They're working alongside the police. The thing is, Ashley's company, Oxford Biomedica, and his colleagues and the cops didn't know that Ashley had plans of his own.

CAROLE THERIAULT. Oh, you darn it. It's not to give it to charity, right?

ZOE ROSE. The giveaway was that they were actually named. Because you're saying Ashley and Connie.

GRAHAM CLULEY. Yes, the fact that I'd named an individual.

CAROLE THERIAULT. You're so clever, Zoe. Yes.

ZOE ROSE. No, I'm just a little bit suspicious.

GRAHAM CLULEY. It's watching an Agatha Christie. If you have a— It's not going to be the extra who hasn't got a name. You know, it's going to be someone with a name.

CAROLE THERIAULT. Special guest star.

GRAHAM CLULEY. Now, you're probably thinking, oh, Ashley. Must have been the guy behind the attack. He must be the one who hacked. He must have been the one who sent the ransom note. No, no, no, he didn't. He was just a regular IT security guy at a company which happened to get hacked, which happened to receive a ransom demand.

CAROLE THERIAULT. Okay.

GRAHAM CLULEY. But, but what he did was he accessed the private email account of a board member at Oxford Biomedica, the one who'd received the ransom demand from the hacker.

CAROLE THERIAULT. Yeah, post, post post-ransom demand, post-ransomware. Right. Okay.

GRAHAM CLULEY. It was the typical kind of ransom email, right? Which just says, pay us or you're toast. Just pay X hundred thousand pounds worth of bitcoin into this cryptocurrency wallet. And maybe you can understand why an IT guy inside your company would want to see that email, maybe want to access the member of staff's email account with their permission once or twice to see what the hacker had demanded, if there were any follow-up emails. Et cetera, et cetera. That, I think, would be understandable. That'd be understandable. But what Ashley did was he accessed the board member's email account over 300 times.

ZOE ROSE. Oh no. Doesn't have a good memory.

GRAHAM CLULEY. And what's more, what's more, he took the original blackmail email stored on their email server, and he changed it. The actual ransom—

CAROLE THERIAULT. He changed the account numbers.

GRAHAM CLULEY. Yes.

CAROLE THERIAULT. The ransom demand, which included a bitcoin wallet... Can you just send it to Barclays sort code?

ZOE ROSE. No, no.

GRAHAM CLULEY. He changed it so it was a different bitcoin wallet where the money had to be sent.

ZOE ROSE. Invoice redirection.

CAROLE THERIAULT. I kind of admire Ashley. I do. I love the— This is going to work.

ZOE ROSE. This is going to work.

CAROLE THERIAULT. Who's going to find out?

ZOE ROSE. Business email compromise, you know?

CAROLE THERIAULT. He's Dexter, man. He's on both sides.

GRAHAM CLULEY. You see, when I heard that he'd changed the ransom email. I thought it would change the demands. He'd say something "Please, can we eat doughnuts again in the office?" Or, "Can the toilet paper be improved in the staff loos?" Or—

CAROLE THERIAULT. "Can we not get fired if we photograph our butts on the photocopier machine?" "Don't serve fish on Fridays.

GRAHAM CLULEY. It makes the whole office stink." You could— all kinds of things you could put in the ransom demand for a bit of fun. But no, he changed the bitcoin wallet address to which the ransom should be paid.

CAROLE THERIAULT. And so he's playing the game, "Are they gonna pay it or are they not gonna pay it?" And he's probably in the meetings going, "Look, I really think you should probably pay it. I'm just thinking, you know, it makes sense, right? They'll go away." "I don't wanna make it public." "Yeah, hush, hush.

ZOE ROSE. Tell no one." And also, who's gonna believe the criminal? The cybercriminal is like, "You didn't pay it." It's like, "Yeah, we did.

GRAHAM CLULEY. We have proof." Poor old criminals are gonna feel like they've been defrauded. They'll say, "Hang on, hang on a minute.

CAROLE THERIAULT. What's going—" Even while he's flying out of there. Sayonara!

ZOE ROSE. That's brilliant.

GRAHAM CLULEY. So he changed the crypto wallet address. Brilliant. So he would end up with the cash if the company decided to pay him.

ZOE ROSE. Brilliant. Well, I guessed that. I didn't think he would. Yeah.

CAROLE THERIAULT. I would watch this movie. I'm just saying, anyone out there who's a movie writer, this is a good one.

GRAHAM CLULEY. Furthermore, he created an almost identical email address to the one which was used by the original hacker. And he began to email his employers at Oxford Biomedica, pressurizing them to pay the money. It was just sort of applying the thumbscrews, going, "You know, your data's gonna get it." You know, that kind of thing.

CAROLE THERIAULT. Do you think people that work there that would get these emails are pretty smart and might have spotted the little, you know—

GRAHAM CLULEY. Well, no, they were leaving it with the IT security team, Carole. They wouldn't— The board member wouldn't notice. Oh, that's true.

CAROLE THERIAULT. Bring it down to IT and go, "This is weird." And go, "No, no, no, that's..." That's perfectly normal. That happens all the time, as Ashley would say.

ZOE ROSE. He's having the argument with himself.

GRAHAM CLULEY. Yes. Arrives on Ashley's desk, he says, "No, this looks legit. It looks like it's from a hacker to me." Great story, Graham. So, police officers from Southeast Regional Organised Crime Unit, the cybercrime unit there, they identified that someone had been accessing the board member's email, traced the hack back to Lulz's home address, presumably his IP address. Which makes me think he didn't cover his tracks properly. It's unclear whether he's using a VPN or not.

ZOE ROSE. Let's be honest though, security and IT are different things. And then also, even in security, operational security and, you know— Yeah. Those are different paths. So I could understand he maybe didn't think of all of the solutions.

CAROLE THERIAULT. And it takes one time, right?

GRAHAM CLULEY. Yeah, you only have to goof once. Could've been. Anyway, the police, they grabbed his computer, laptop, and phone, and a USB stick to analyse them. Now, apparently Ashley Lyles had realised the police investigation was heating up. So a few days before he was raided—

CAROLE THERIAULT. Can you imagine how he felt?

GRAHAM CLULEY. Fuck, fuck, fuck! Yeah, so he wiped all the data from his devices.

ZOE ROSE. And he'd be snapping at everybody, "Shut up!" I mean, I think this guy, he's quite a genius. Yes. But do you actually feel bad for him? I know that's silly because, you know, obviously— He's 23.

GRAHAM CLULEY. He was young at the time. He was 23.

ZOE ROSE. I mean, technically his brain is fully developed because that's 21, isn't it? But—

CAROLE THERIAULT. He might never have thought about doing this unless the hackers did it in the first instance and he just got on the train and thought—

GRAHAM CLULEY. Opportunistic, I think.

ZOE ROSE. Yeah, opportunistic.

CAROLE THERIAULT. Exactly. That's what he should put in his CV.

GRAHAM CLULEY. So he tried to delete the data before the police get there, and he did zap the data, but apparently he didn't do it very securely. So that's his mistake number 2.

ZOE ROSE. That's another skill set as well.

GRAHAM CLULEY. Yeah, empty trash doesn't always work, right? So, yep, so he'd failed to properly wipe the data.

ZOE ROSE. He needs to upskill.

GRAHAM CLULEY. Yep. Put that on his CV, training required. So the cops were able to recover his data.

Anyway, back in 2018, he denied any involvement. It's taken forever to go through the courts.

He asked for £300,000 ransom. He was denying everything until this week at Reading Crown Court.

He did finally plead guilty, and he is due to be sentenced. I think—

CAROLE THERIAULT. in July. I was a juror, so I would have loved this case.

ZOE ROSE. I would have loved it.

GRAHAM CLULEY. Well, they could have called on you, Carole. You are local.

You could have gone down there. You know, shared your expertise.

This would have been awesome. If you were popping down to Lidl or Kennington Flooring, you could just pop over the road.

I would love that. Zoe, what are you going to talk about this week?

ZOE ROSE. My story is about Meta, and we all know that social media is not really well known for privacy practices. But Meta decided somewhere in their processes that if people signed standard contractual clauses— apparently is the term— but people signed it, the consumers of Facebook specifically— this fine is related to Facebook— then they can transfer the data from the EU to the US.

And it was since the 16th of July, 2020. So at the time they had that whole agreement with transferring data between US and EU, but obviously that was recently decided that wasn't good enough.

But they were still sending massive amounts of data consistently from the EU to the US because people sign those clauses and they're, it's okay.

GRAHAM CLULEY. Well, so the users are agreeing to the terms and conditions, is that what you're saying?

ZOE ROSE. So essentially, yeah, you sign up to Facebook, you say, you know, you accept their policy, whatever, the terms and conditions that nobody reads, including myself. Well, no, that's not true.

There are privacy people that do actually read these things. They are excellent people.

CAROLE THERIAULT. Exactly. Not something I'm good at.

GRAHAM CLULEY. But, you know, Carole does it for us so we don't have to.

ZOE ROSE. Oh, and that's why we love you.

CAROLE THERIAULT. I just look to see what they try and hide in them.

ZOE ROSE. Well, this is one of the things they tried to hide, I suppose.

CAROLE THERIAULT. So, so the argument's really interesting. So basically you're saying inside the EULA or whatever privacy notice, they're saying, yeah, yeah, we transfer data to and back from the States, we've got an agreement, cool, cool.

And then when you sign it, you've effectively agreed to it. And that's what they're using as their argument, essentially.

ZOE ROSE. Yeah, because it's just the way that they're processing the data. So in organizations protections, you know, you send data to wherever you store your data and you process it or whatever, and it makes sense.

The problem is they did the EU data in America, which you're not allowed to do without having appropriate protections. And I think the reason it was that the American agreement or whatever was declined essentially is because they didn't have appropriate protections protecting European data from, what was the term they used, the spy agencies or something?

GRAHAM CLULEY. Oh, the intelligence agencies. Yeah, intelligence.

ZOE ROSE. Yeah, that's why it was declined or whatever. But the thing is, because they did this on a consistent process and it's essentially all the data, like it's a massive amount of data, they are being issued with, or they've been issued with, the largest GDPR fine ever. How much is it? €1.2 billion.

GRAHAM CLULEY. It's a lot of money. It's a lot of money.

ZOE ROSE. I mean, let's be honest, how likely are they actually going to pay that amount? I don't know.

GRAHAM CLULEY. This does feel like a good opportunity to have an enormous party. We should stop the podcast right now just because the thought of Facebook possibly having to pay over $1 billion is rather wonderful, isn't it?

ZOE ROSE. But let's look at that, though. I looked at another article, and it says May— the 25th of May will be the 5th anniversary of GDPR, blah, blah, blah.

Privacy Affairs has tracked the fines. And all 1,701 of them for a grand total of over $4 billion American. Meta accounts for 50% of all GDPR fines.

Wow, 50%. Yeah, they are keeping EU running.

GRAHAM CLULEY. Well, the GDPR fines, as I recall, it can be based upon how much money your company makes, can't it?

CAROLE THERIAULT. I think it's like— okay, I don't— don't quote me. I think it's 4% of the annual turnover. I think you're right.

ZOE ROSE. I think that sounds right. I believe— I could be wrong, but I believe they chose to do the full amount that they can actually owe.

And I feel like this probably has something to do with the fact that they've been fined multiple times. So I think they've just been like, bloody hell, like, I'm done, I'm done, just bloody pay us, because we're, you know.

But here's the other part that I found really interesting. It wasn't just that they have to pay a fine.

It's also that they have to become compliant. So it says, so actually, if you follow Privacy Matters on Twitter, he's a lovely man, and he clarifies a lot of privacy issues and concerns and news.

I found him so interesting. But so he's highlighted on his Twitter the three demands, essentially.

The require Meta Ireland to suspend any future transfers of personal data to the US within a period of 5 months. That might sound long, that is not long.

I remember when we had a year to prepare for GDPR and there were people, there were organizations that were like, within this year we won't even know if we're able to be compliant. But they've got to do this in 5 months and then they've got that €1.2 billion fine, which is quite exceptional.

And then also they have to bring its processing operations into compliance with Chapter 5 of the GDPR by ceasing any unlawful processing, including storage in the US, personal data of EU/EEA users within 6 months. So in the next 5 to 6 months, they have to have a massive digital transformation.

They also have to pay an exceptional fee.

CAROLE THERIAULT. But you know what, I'm just looking here, apparently in 2022, Facebook's ad revenues hit $135.9 billion.

GRAHAM CLULEY. It's still a hefty fine though. It's a hefty fine. And it's all the upheaval caused by trying to fix this, to try and become compliant.

ZOE ROSE. It's going to be a more and more business process, right? And they have to change their entire business process, which as we know is very difficult to do, especially at that scale.

CAROLE THERIAULT. It's not like they haven't had years of warning that this might come.

ZOE ROSE. No, no, no. This is why when they changed their name to Meta, I thought it was absolutely hilarious because when I think of Meta, I think of metadata, which is like, hey, we've got all your data. I think they claimed it was beyond, beyond social data.

But I was like, no, no, no, it's the data, but whatever. But I think the other interesting thing is, not only is this a scary big thing that's going to happen for them, but also, is this setting a precedent?

Are other organizations going to be less likely to want to transfer— do you want to deal with EU data, or are they going to be more cautious? Hopefully, because the risk of misalignment is quite an exceptional fine.

GRAHAM CLULEY. I also wonder whether— I mean, a company like Facebook will have employees all based around the world, helping their users in different areas and working on the data. And maybe we're going to begin to see more silos of people dotted around different parts of the world rather than just in one single place. So the data doesn't have to be moved to that part of the world in order to do some work.

ZOE ROSE. But here's the thing, Graham, that I don't understand is we had these conversations when GDPR was coming out. And there was so many discussions about, oh, where is our data centers?

Do we have them, you know, not just do we have them in different locations for resilience, but also so do we have EU-specific, you know, when we go to get contracts with third parties, do they keep their data in the EU? This is not new.

GRAHAM CLULEY. No, no, that's true. But they're Facebook, they probably think they're above the law. It's just embarrassing.

CAROLE THERIAULT. Yeah, and how much money did they make by not following the law for the last 4 years?

ZOE ROSE. And how many situations have they caused? How many political, how many not so ethical situations have been associated with Facebook in general? It's almost like a, well, is it really financially worth it to care?

CAROLE THERIAULT. Zoe, are you saying we shouldn't trust Facebook?

GRAHAM CLULEY. What? Seriously? Come on. What the hell's going on? And now a word from our sponsors, Facebook. Do apologise about Zoe.

ZOE ROSE. We're not having her back.

GRAHAM CLULEY. Carole, what have you got for us this week?

CAROLE THERIAULT. Well, I just wanted to talk about life as a hacker, because it can't be easy, right? The poor little sausages.

Stressful. You gotta lie and cheat.

You gotta love up lonely grannies. You know, you have to dupe staff members into giving you credentials, and all the time you can't tell anybody. You got to stay on the down low.

You never reveal, haha, I'm the one who did this. And it's got to be difficult. I mean, Graham, I bet even if you empty the dishwasher, I'm sure if someone's around you'd be, I just want you to know I emptied the dishwasher, because you would want to get the points.

You wouldn't want, you know, them to think someone else had emptied the dishwasher.

GRAHAM CLULEY. I did turn on the dishwasher earlier today. I just want to tell everyone that.

CAROLE THERIAULT. Did you tell anyone?

GRAHAM CLULEY. No, there was no one else here to tell.

CAROLE THERIAULT. I'm telling you, I'm telling all the listeners, but your typical hacker, they can't go around showing off, right? They have to stay schtum because if the information gets into the wrong hands, they gotta say sayonara to their big fat bank accounts, their big houses, their yachts, golden slippers.

ZOE ROSE. I mean, how many malicious actors were caught because they were bragging?

CAROLE THERIAULT. So, but there must be many, many that are smarter than that and stay schtum. So if anonymity is key, you might be tempted by a service that claims to guarantee that for you, ensuring that if the authorities got wind of a cyber heist, they would have no idea who was behind the crime.

GRAHAM CLULEY. A privacy service for the hackers.

CAROLE THERIAULT. Excellent. And this is how sites like iSpoof.cc fill a very necessary business gap. Now we spoke about iSpoof.cc in our 300th episode, but I wanted to revisit the story because there's been some very interesting news that broke only this week.

So to recap, this is an underground website created in 2020 that sold spoofing services to ne'er-do-wells, people that want to pretend they're someone else. And the business model was very simple.

For a handsome fee, iSpoof would allow its users to display a false caller ID, one that matched the services they are pretending to be, which were normally banks. So were you to get one of these calls, they say they were from your bank saying that maybe there was suspicious activity on your account, and you wisely would look at the caller ID number and say, oh my God, that is correct, that is my bank.

You'd be inclined to think the call is legitimate and provide any information they requested, right?

GRAHAM CLULEY. If it's a spoofed number, if my phone tells me it's you calling, Carole, then I expect to hear your voice at the other end. You'll go, "What up, asshole?" Well, yeah, well, that's how I would tell it was you rather than someone pretending to be you.

CAROLE THERIAULT. No, no, I was saying that's what you would answer.

GRAHAM CLULEY. Oh, I see. Oh, yes. That's right. And I don't want to upset a fraudster who's pretending to be you. So— But anyway, yes, you're absolutely right. If you spoof someone's phone number, then it's a large part of the social engineering you've already got.

ZOE ROSE. I think it's important to note that it's actually not difficult to do. So if you do trust by default, for people that aren't aware, don't do that. I was going to say something witty, but I couldn't.

CAROLE THERIAULT. Yeah, but it's one of those things though that somehow, even though you know that, it does give the caller a sense of authority.

ZOE ROSE. It's just showing up with a business card. You know, I might have printed it at home with my fancy printer, but it doesn't actually mean anything.

CAROLE THERIAULT. Now, iSpoof, what made them particularly successful is they didn't just focus on a single geography. This operation was global, baby. At its peak, it had almost 60,000 users who paid up to 5 grand a month in bitcoin to access software.

ZOE ROSE. Could you imagine how much they made though if they're paying that much a month?

CAROLE THERIAULT. It's incredible. iSpoof was reportedly used to make 10 million fraudulent calls worldwide. 40% were in the US and 35% in the UK.

And at one point they say as many as 20 people every minute were being targeted by callers using technology bought from iSpoof website. So big deal, right?

And they say that the iSpoof services is said to have helped fraudsters nab around $100 million from victims all around the world. Now, in 2021 and 2022, it was part of an investigation by numerous law enforcement agencies.

We talked about this bit in episode 300, so you can go listen to that. It was shut down in November 2022 as a result of Operation Elaborate.

That was the name. And this was a multi-agency investigation. So you had the Met, the Netherlands police, Europol, and Eurojust.

But what happened to iSpoof.cc ringleader TJ Fletcher, right? Because he got arrested as part of this.

GRAHAM CLULEY. Not TJ Hooker. TJ Fletcher. TJ Fletcher. Okay, it wasn't— it wasn't Shatner. It wasn't William Shatner who was behind this.

CAROLE THERIAULT. No, no, it wasn't Shatner. But he was found guilty for running this complex banking scam in the UK courts. And just a few days ago, he was sentenced to 13 years in the clink. Interesting.

ZOE ROSE. That doesn't sound very long.

CAROLE THERIAULT. No, see, I thought it seemed like a long time in the UK.

ZOE ROSE. Okay. Yeah, that does seem long for the UK. Yeah.

CAROLE THERIAULT. And what makes this case kind of, well, makes it completely unusual for me is that—

GRAHAM CLULEY. Can I guess? Can I guess what the unusual thing is? Yes. Was he also hit by a GDPR fine? 'Cause I'm thinking if they have that many customers with that many accounts and that much money sloshing around, they must have been accessing European— And it's global. Exactly. I'm thinking, let's stop imprisoning people for the scams. Let's just get them for GDPR. It's the old Al Capone thing, isn't it? Where they got him for tax evasion. Love it.

ZOE ROSE. Love it.

CAROLE THERIAULT. I was just thinking, wow, you made a GDPR joke. That's amazing.

ZOE ROSE. Let's call the Irish, commissioner, get them on the phone. Yeah, why not?

GRAHAM CLULEY. Sorry, Carole, carry on. Tell me more about TJ Fletcher.

CAROLE THERIAULT. But what makes it kind of unusual though is that the thousands who lost money through all these sophisticated scams, right, were not direct victims of Fletcher or his junior partners, but he did create the opportunity.

GRAHAM CLULEY. Exactly. Oh, but so I manufactured a hammer, Zoe, and other people chose to take the hammer and smash people's windows. Are you going to imprison me?

ZOE ROSE. That's— to me, that's a little bit different though, because you're not advertising your hammer as effective murdering devices.

GRAHAM CLULEY. No, no, not necessarily, but it could be a device for maybe, you know, if you wanted to bruise a pineapple or something like that, then it would be— or if you wanted to crack a coconut in half. There's all kinds of ways of presenting it.

ZOE ROSE. I suppose that's true. It is a slippery slope. You do make a good point, because it is a slippery slope. VPN.

GRAHAM CLULEY. iSpoof could be advertised as a practical joke service where you call up people claiming to be their auntie. Or training. Yes.

CAROLE THERIAULT. Yeah, if they just had an emoji in the corner with laughing emoji, that's their icon.

ZOE ROSE. Yeah. Or it could also be, you know, privacy. You don't want people to know who you are or what your number is.

GRAHAM CLULEY. Yes, that's also possible, yes. I would be prepared to pay £5,000 worth of bitcoin a month for such practical joke facility.

CAROLE THERIAULT. The prosecution described the business up. They were effectively luring criminals into the service, is what they were accused of.

ZOE ROSE. They were manipulating criminals to be criminals.

GRAHAM CLULEY. Naughty. So it was really the copywriters that iSpoof hired who wrote the content for the web pages. It's not this poor TJ Fletcher guy who was just too busy running his site and didn't realize what the bloody marketing people had written on some of the web pages. I should have been on his defense team. Oh really? I could have got him off this.

ZOE ROSE. Objection, Your Honor. I mean, you do make a slightly interesting point though, because— slightly interesting, slightly interesting. I didn't say overly. But with the skill set that I have to develop in my career, funnily run into situations where people are like, I don't trust you because you're a hacker. And I'm like, no, not really. And they're like, no, no, you're gonna hack me. And I was like, why would I hack you? You know, such a weird thing. But also, but that's a valid point. I mean, if I create a solution that's very privacy-focused, does that mean I'm enabling hackers?

GRAHAM CLULEY. Yeah, you see, you see? It's deep.

CAROLE THERIAULT. That's deep, Zoe.

GRAHAM CLULEY. It's not appropriate for this podcast, this kind of depth of thinking. I think we've— Yes, let's move on.

ZOE ROSE. Broken the show.

CAROLE THERIAULT. Smashing Security listeners, did you know that Bitwarden is the only open-source, cross-platform password manager that can be used at home, on the go, or at work. Bitwarden's password manager securely stores credentials spanning across personal and business worlds. And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access. And it's easy to set up. It's easy to use. I honestly love Bitwarden. I use it at home, use it at work, use it on the go. Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing, or you can even try it for free across devices as an individual user. Check it out at bitwarden.com/smashing, and thanks to Bitwarden for sponsoring the show.

GRAHAM CLULEY. Now there's some big news from our sponsor Kolide. If you are an Okta user, they can get your entire fleet up to 100% compliant. How do they do that, you're asking yourself? Well, if a device isn't compliant, the user can't log into your cloud apps until they fixed the problem. It's that simple. Kolide patches one of the major holes in zero-trust architecture, which is device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date. Unsecured devices are logging into your company's apps because there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication. And it's built to work seamlessly with Okta. The moment Kolide's agent detects a problem, it alerts the user and gives them instructions on how to fix it. If they don't fix the problem within a set time, they are blocked. Kolide means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Visit kolide.com/smashing to learn more or to book a demo. That's k-o-l-i-d-e.com/smashing.

CAROLE THERIAULT. Smashing Security is also brought to you by Centripetal. Centripetal is the global leader in intelligence-powered cybersecurity. The company operationalizes the world's largest collection of threat intelligence in real time to protect your company from every cyber threat. Now available as a cloud-based deployment, Centripetal's Clean Internet service is a revolutionary approach to defending your assets from cyber threats by leveraging dynamic threat intelligence on a mass scale. The addition of AWS Clean Internet Cloud protects your enterprise, whether on-premise, remote, or in the cloud, removing the need for a more costly cybersecurity infrastructure. Learn more about Centripetal's intelligence-powered cybersecurity solutions at smashingsecurity.com/centripetal. That's C-E-N-T-R-I-P-E-T-A-L. And thanks to Centripetal for sponsoring the show.

GRAHAM CLULEY. And welcome back. Can you join us? Our favorite part of the show, the part of the show that we like to call Pick of the Week.

ZOE ROSE. Pick of the Week. Pick of the Week.

GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily. Better not be.

Well, my pick of the week this week is not security related. I love a documentary. I love a good documentary. I'm not really interested in that drama nonsense so much. But give me a documentary, and I'll be very happily eating my popcorn. And I have been watching a documentary this week. Not for very long, because it's only 16 minutes long. It's 16 minutes long.

ZOE ROSE. That is the shortest documentary I've ever heard of.

GRAHAM CLULEY. It's a micro-documentary. And why not? I think, you know, we're all busy. If that contains the whole story, then it's wonderful. The documentary is called John Was Trying to Contact Aliens.

CAROLE THERIAULT. What a gloriously interesting title.

GRAHAM CLULEY. This is a documentary on Netflix about an electronics whiz called John Sheppard. And he spent 30 years of his life all on his own, not really making any friends, poor chap, trying to find extraterrestrial life from his cottage in rural Michigan.

CAROLE THERIAULT. What do you mean, poor guy? I think he probably had the time of his life.

ZOE ROSE. I mean, he was trying to make friends, alien friends.

GRAHAM CLULEY. Well yeah, he was trying to make— he was doing his bit. That's what he was into from a young age. He was interested in contacting extraterrestrial life. And unlike the rest of us who, I don't know, may have filled up a balloon with helium and thought maybe it will get through the atmosphere, or how about I write a really large word in the crop circle, he actually built transmitters, enormous amounts of electronic wizardry, which began to dominate his grandparents' sitting room.

In the documentary, you begin to see pictures of the grandparents sort of sat in front of the TV, you know, on a typical evening, and they're just surrounded by all this electronics and this bearded guy. And he's playing jazz, he's playing world music into space. I think I'd like him. Incredible array of electronics. And then he gets really serious and thinks, I have to take this up a notch because just going a bit past the moon with my transmissions isn't going to be powerful enough. I need to send them further.

Now, this documentary isn't really about aliens. It's actually about love. And I'm not going to give away everything which happens in the documentary, because it is only 16 minutes long.

CAROLE THERIAULT. You've been talking for five. It's a third through.

GRAHAM CLULEY. But it is a heartwarming, lovely documentary, which I'd recommend to everyone. It's called John Was Trying to Contact Aliens, and I really enjoyed it. And so I wanted to share it with you two and all of our gorgeous listeners today. And it is my pick of the week.

CAROLE THERIAULT. Lovely. Sounds great.

GRAHAM CLULEY. So Zoe, what's your pick of the week?

ZOE ROSE. Yeah, my pick of the week is I wanted to highlight things that have helped me with insomnia. I had really severe insomnia for many, many years, exceptionally bad, where I would only sleep for two hours at a time. And then now I'm a mum and sleeping is vital but also not very readily available. So I figured, here's some ideas that I've had that have worked for me in the past.

Mind you, if it is really severe, I would still recommend seeing a doctor, going to your GP. But yeah, so one of the ones that I— the most important thing for me was eye covers. And I know that sounds really silly, but—

CAROLE THERIAULT. You mean an eye mask?

ZOE ROSE. Yeah, yeah, yeah, right, right.

ZOE ROSE. Yeah, because I've bought many and I've always found them very rubbish. And then I was feeling, I don't know, silly, I guess, and ended up spending probably more than I expected I would spend on an eye mask.

CAROLE THERIAULT. How much did you spend, Zoe?

ZOE ROSE. It wasn't crazy, but it was like, I think the one I bought was probably just shy of €30 or £30 because I was in the UK at the time. Quite expensive, but I did add a link because I think that one wasn't quite that much. And I don't know if that's the exact model I have, but it's similar. It looks similar to the one I have.

GRAHAM CLULEY. Okay, so we're going to put a link in the show notes where people can check out your eye mask or something similar to your eye mask.

ZOE ROSE. Yes, similar. And I actually noticed it made a huge, huge impact because it was also a routine. It was not just that I put the mask on and I went to sleep. That didn't happen. But I put the mask on and I didn't look at my phone because I have my mask on. And if I do that, I have to take it off. And, you know, I didn't look around the room. It made me focus, forced me to focus. It's going into those— what is it called where you reduce the senses? What is it? An isolation tank?

CAROLE THERIAULT. Sensory deprivation. Yeah. That's the word.

ZOE ROSE. It's not to the extreme, obviously. You could still hear and everything, but it forced me to be in the dark. And it was this routine that when I started to get a bit tired, I put it on and it required me not to do anything because I have a very short attention span and I'm not so good at that. So it's had a huge impact in my sleeping quality, which has been great. But for people that do not stuff on their face, which I understand. I'm very picky about materials. There's also the option of blackout curtains, and if you rent me, you don't want to install them, and you don't really usually have the money to buy really fancy curtains anyway. And so what I found is suction cup based blackout blinds. So it's basically blackout material, but they suction cup to your window, and so you can remove them. So they're good for travel, they're good for a variety of sizes of room because you can suction them, and then they also have Velcro to reduce the size if you need to. They're not perfect, but it does make your room quite a bit darker because you put it on there and then you put your curtains that you do have over.

CAROLE THERIAULT. Yes, quite helpful. I just learned about these things because I have a friend who has a slopey roof, a window, what's it called? A Velux window. And one of their kids sleeps in that room and now the sun's out all the time, but getting a blind in that shape was super expensive. So I was just suction cups and we looked it up and there they were. So yeah, really cool. Makes such a smart idea.

ZOE ROSE. Making the room darker specifically was what made a huge benefit to me. The suction cups, podcast selection was interesting.

GRAHAM CLULEY. I fall asleep listening to podcasts. If I can't sleep, I just put on a podcast. I literally will fall asleep within probably 5 minutes.

ZOE ROSE. Well, I'm not a fan of you right now. I'm not saying your podcast. No, I'm just jealous.

GRAHAM CLULEY. Carole, what's your pick of the week?

CAROLE THERIAULT. Well, I'm making Netflix's Jewish Matchmaking my pick of the week. So last week I had a lot of mundane tasks to do, you know, signing stuff, putting things in bags, all kinds of— because I was doing this little art thing and I needed something that was good but not great, right?

GRAHAM CLULEY. So this is a good but not great pick of the week.

CAROLE THERIAULT. Sometimes you need that in life, you know, you need something that's kind of interesting but not fascinating.

ZOE ROSE. I 100% understand. I need the background noise.

CAROLE THERIAULT. Exactly, it's a background noise thing that you want to look up occasionally and kind of go, huh. And that's about it.

So I'm not a reality TV, you know, I don't have much knowledge of this area, but, you know, occasionally I binge a bit, you know, Doritos, you know, sometimes you just need to have a few Cool Ranches. So I was talking to my friend telling him about I needed something this, and he said, try this show.

He said all his friends, all his Jewish friends love it, right? So, you know, typical reality show, you have all these beautiful people who say they're looking for love or looking to start a family, and they hit up our Aleeza Shalom. She's our very Jewish matchmaker queen to find them the perfect person.

And so a typical scene will be Aleeza's talking to her 30-year-old client Ori about the date she sent him on with a gorgeous, vivacious, intelligent, brown-eyed brunette Israeli Jewish actor who spoke Hebrew. Okay. And how did it go?

Meh, says Ori. She wasn't the gorgeous, vivacious, intelligent, it was a blue-eyed, blonde Israeli Jewish woman who spoke Hebrew that he requested, was she?

GRAHAM CLULEY. He also requested big assets as well, didn't he? I've watched this, Carole. When I saw that you were going to recommend this, I've actually spent this afternoon watching a couple of episodes of this in readiness for the review.

CAROLE THERIAULT. So what do you think? What do you think? Do you understand what I mean?

GRAHAM CLULEY. I know what you mean about it being casual wallpaper TV. It's not entirely gripping, and some of these people are horrendous. I liked the very first woman on it because she was looking for a man with strong eyebrows.

CAROLE THERIAULT. She was, she's, she had beautiful eyebrows. She's, my eyebrows are beautiful, and I would someone who has beautiful eyebrows too.

GRAHAM CLULEY. Strong eyebrows. Strong eyebrows.

ZOE ROSE. Someone out there for me. I can, I can relate to her because I do not have strong eyebrows, and I actually despise my eyebrows. They're white. So I have to draw them on.

GRAHAM CLULEY. You can always get a Sharpie.

ZOE ROSE. Not really, that would look kind of ridiculous. Oh, okay. But also, my daughter has white eyebrows, and I feel very guilty for passing that down to her.

GRAHAM CLULEY. You should. You totally should. Yeah, that's awful. That's totally your fault. Yeah, terrible mother.

ZOE ROSE. I'm saving up for her to get as many tattooed eyebrows as she wants. That is my requirement.

CAROLE THERIAULT. Well, look, while you're pondering that, maybe you want to check out Jewish Matchmaking. It's on Netflix. Guardian gave it 3 out of 5. I think I'd agree.

GRAHAM CLULEY. Well, that just about wraps up the show for this week. Zoe, I'm sure lots of our listeners would to follow you online and find out what you're up to. What's the best way for folks to do that?

ZOE ROSE. We've got Twitter, which I'm @RoseSecOps, and then Mastodon, which I'm . You can use Morse code, smoke signals. Yeah, you could try that. I probably won't see it, but you could try.

GRAHAM CLULEY. And you can follow us on Twitter @SmashingSecurity, no G, Twitter won't allow us to have a G. And there's also a Smashing Security Mastodon account. And make sure to never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.

CAROLE THERIAULT. And huge shout out to this episode's sponsors at Kolide, Centripetal, and Bitwarden. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest bios, and the entire back catalog of more than 322 episodes, check out smashingsecurity.com.

GRAHAM CLULEY. Until next time, cheerio, bye-bye.

CAROLE THERIAULT. Bye, Rose. Sorry. Yo, Rose!

GRAHAM CLULEY. Hey, Rose, why aren't you saying goodbye to the audience? What's your problem, Rose? Cheers! Yeah, that'll do.

ZOE ROSE. Okay. I'm so bad at cues.

-- TRANSCRIPT ENDS --