394: Digital arrest scams and stream-jacking

In our latest episode we discuss how a woman hid under the bed after scammers told her she was under "digital arrest", how hackers are hijacking YouTube channels through malicious sponsorship deals, and how one phone company is turning the tables on fraudsters through deepfake AI.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by special guest Maria Varmazis.

Warning: This podcast may contain nuts, adult themes, and rude language.

Sponsored by:

  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • ThreatLocker – the Zero Trust endpoint protection platform that provides enterprise-level cybersecurity to organizations globally. Start your 30-day free trial today!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Bluesky, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


CAROLE THERIAULT. I get the whiff of horseshit through all this phone call.


GRAHAM CLULEY. When you're dealing— oh, you're so bold now, aren't you? You're so bold. When there was an American policeman in New Hampshire, Carole, while we were driving through it and he was telling you to stop and pull over, you weren't so bold then, were you? No, you pulled over then, didn't you?


MARIA VARMAZIS. There was a gun on his hip, that's why.


UNKNOWN. Smashing Security, episode 394: Digital Arrest Ransomware, phishing, phishing, darknet scams, and streamjacking with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 394. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole, we're joined today by a very special guest.


CAROLE THERIAULT. Very VIP.


GRAHAM CLULEY. Yes, delighted to welcome back Maria Varmazis. Hello, Maria.


MARIA VARMAZIS. Hi, thanks for having me back.


CAROLE THERIAULT. She had a voice change.


MARIA VARMAZIS. And you squealed with delight.


CAROLE THERIAULT. Welcome back, Maria.


GRAHAM CLULEY. Thank you. Maria, obviously in your day job, you're working on N2K Space Daily, T-Zero, what one is it called? Something that, there's so many names.


MARIA VARMAZIS. T-Minus Space Daily, that's the show I host, yes.


GRAHAM CLULEY. That's it, that's the one.


CAROLE THERIAULT. And she's on Hacking Humans a lot.


MARIA VARMAZIS. I'm also on Hacking Humans, yes.


GRAHAM CLULEY. Yes?


CAROLE THERIAULT. Yes. How about we kick the show off? But first, let's thank this week's wonderful sponsors, 1Password, Vanta, and ThreatLocker. Now coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I've got a digital arrest drama worthy of a Bollywood movie.


MARIA VARMAZIS. Ooh.


CAROLE THERIAULT. And what about you, Maria?


MARIA VARMAZIS. Bitz gets streamjacked.


GRAHAM CLULEY. Ooh.


CAROLE THERIAULT. Okay. And I've got Granny Daisy to the rescue. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, I want to take you over to India today where an extraordinary story is unfolding about how scammers have weaponised people's fear of law enforcement.


CAROLE THERIAULT. Okay.


MARIA VARMAZIS. Okay, fair, fair, yes.


GRAHAM CLULEY. Are you scared of police at all? You know, if Roscoe P. Coltrane— you live in the States, Maria.


MARIA VARMAZIS. Yes.


GRAHAM CLULEY. If someone were to stop you, pull you over to one side?


MARIA VARMAZIS. I've had some experiences with law enforcement. I mean, their job is to intimidate. Yeah, I don't enjoy it. I don't. But I don't think I'm supposed to.


CAROLE THERIAULT. Graham, we had a, I don't know, friendly chat with a highway cop once when I was driving.


GRAHAM CLULEY. We were driving through New Hampshire, weren't we?


CAROLE THERIAULT. A little bit quickly.


GRAHAM CLULEY. And the police over in the States have guns. And he was standing in the middle of the freeway telling us to stop, wasn't he? Anyway, yeah.


CAROLE THERIAULT. Anyway.


GRAHAM CLULEY. Anyway. Yeah. So picture this, right. We're in India. You are a respected neurologist in Lucknow, India. You are Dr. Ruchika Tandon, an associate professor. You're at the top of your game. You are, aren't you? Life's going well. You recently came back from a conference in Goa.


MARIA VARMAZIS. Ooh.


GRAHAM CLULEY. Neurology. That is your bag. You are an expert in it. You are competent. You are a professional. That's how I'm picturing you both.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. As respected neurologists.


MARIA VARMAZIS. That's okay. I'm all right with that.


GRAHAM CLULEY. And then your phone rings. That's the phone ringing. I guess I didn't have to do the sound effect. But anyway, the phone rings and you pick up the phone. I won't do all the sounds. And it's the telecoms regulator on the phone to you. They're saying, apparently your number has been used to send harassing messages.


CAROLE THERIAULT. Harassing?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Yeah, messages of harassment have been sent from your phone number 22 times. There have been complaints. 22 times? That's a lot of complaints. That's more than we had about last week's episode, isn't it?

That's a lot of complaints. Moments later, a senior policeman joins the call. I don't know if he wrestles the phone off the telecoms operator. He accuses Dr. Ruchika of using a joint bank account with her mother to launder money for the trafficking of women and children.


MARIA VARMAZIS. Oh, wow.


CAROLE THERIAULT. As a respected urologist, if this is true, this has got to be quite a difficult situation to be in.


GRAHAM CLULEY. It is a bit of a sticky pickle, isn't it? It is.


MARIA VARMAZIS. Mm-hmm.


GRAHAM CLULEY. I mean, Maria, have you ever been accused of laundering money for the trafficking of women and children?


MARIA VARMAZIS. Not yet, but there's still time.


GRAHAM CLULEY. And it would make you nervous, wouldn't it, if you had been? If you were pulled over by a cop, let's imagine on the telephone rather than on the freeway.


MARIA VARMAZIS. Pulled over by the cop on the phone. Okay.


GRAHAM CLULEY. Right.


MARIA VARMAZIS. Okay.


CAROLE THERIAULT. He doesn't remember how it works.


GRAHAM CLULEY. And while — and while — I've been working from home for a long time. And while this conversation is going on, and you're feeling a bit nervous, "Well, what's all this about? What's this about?" You hear this chorus of voices shouting in the background, "Arrest her! Arrest her! Arrest her! Arrest her!" "Nts, nts, nts." No?


MARIA VARMAZIS. Oh, okay.


CAROLE THERIAULT. I would think it's a prank call.


GRAHAM CLULEY. Well, she's feeling upset. She thinks it can't be true.


CAROLE THERIAULT. Right. I'd be that too.


GRAHAM CLULEY. And this policeman on the other side says, well, the police are going to come in 5 minutes to arrest you. All of our police stations have been alerted to you. Don't go on the run. She says, it can't be true. And he says, don't worry, don't worry, he says, because I am calling from India's federal detective agency, the CBI, the Central Bureau of Investigation.

And he says, this is a matter of national secrecy, he says. And because of the high stakes involved, I will try and talk to my colleagues and I will persuade them not to put you in physical custody, says this policeman. He says, instead, you're going to be put in digital custody. Have you heard of digital custody?


MARIA VARMAZIS. Digital custody?


CAROLE THERIAULT. No.


GRAHAM CLULEY. This is where, rather than — I guess it makes a lot of sense, especially in these cash-strapped times. Rather than putting someone in a cell, they say, you're going to be watched on your phone 24 hours a day in your room. So you have to set up your phone in a corner of the room, turn the camera on. We will watch you. We will question you via a Skype call as we investigate until we've cleared you. You have to obey our rules.


CAROLE THERIAULT. Interesting.


MARIA VARMAZIS. Okay.


GRAHAM CLULEY. Wow. Kind of sensible in some ways, right?


MARIA VARMAZIS. Can I go to the bathroom?


CAROLE THERIAULT. Can I go to the bathroom? Oh, oh!


GRAHAM CLULEY. Well, there are rules, Crow. There are rules, which I shared with you. And some of the rules include: you have to place the phone everywhere you go in the house. While you're cooking, while you're sleeping, even when you go to the loo. You are allowed to place it outside the loo, but only after you've shown them there's no other exit from the loo. So, they're tracking this woman's every move.


CAROLE THERIAULT. Why don't they just get a Roomba?


GRAHAM CLULEY. You know, oh, what, with a camera?


MARIA VARMAZIS. But this all hinges on her complying with what they're saying, and they're not there in person, so they're just assuming that she's one of those rule follower types. But if you're not a rule follower, this just falls apart.


CAROLE THERIAULT. No, but frankly, I get the whiff of horseshit through all this phone call.


GRAHAM CLULEY. When you're dealing— oh, you're so bold now, aren't you? You're so bold. But when there was an American policeman in New Hampshire, Carole, while we were driving through it and he was telling you to stop and pull over, you weren't so bold then, were you? No, you pulled over then, didn't you?


MARIA VARMAZIS. There was a gun on his hip.


CAROLE THERIAULT. That's why.


GRAHAM CLULEY. Oh, was it really a gun or was it a water pistol? Was he really a policeman or was he wearing fancy dress? We don't know. It could have been anything.


CAROLE THERIAULT. I think he doth protest too much, and I'm right. Yeah.


GRAHAM CLULEY. Now, the problem was that Dr. Ruchika has got a rubbish phone. It doesn't have a camera on it. It's an old-fashioned phone. So she's told by the policeman, "Right." He says, "What you're gonna do is you're gonna drive down to the store and buy a smartphone right now." And this respected neurologist does exactly that. She goes down to the store, she buys herself a smartphone, and she begins obeying the rules. This new smartphone with its camera on is watching her every move.

She lies to her workplace. She says, I'm too ill to come into the hospital where I work. She told her relatives she was too sick to see them. When her uncle popped round to her house, she hid under the bed. With her phone camera running all the time. So she wasn't answering the door. She didn't want him to see her through the windows. Hid under the bed.


CAROLE THERIAULT. Jesus!


GRAHAM CLULEY. She even wakes up her medical students at night, asking them to go out and buy extra data for her phone to keep the digital arrest going. This goes on— with this long list of rules for 7 days.


CAROLE THERIAULT. Oh my God!


MARIA VARMAZIS. Oh, this poor woman. Oh my God.


GRAHAM CLULEY. All the time she's been questioned about her life and work, and they've reassured her that they're legitimate because they know all about her. They know where she's been. They know she's been at this conference. They know stuff that they found on social media. And the scammers— and yes, newsflash, and I know this will be a shock to you— they were scammers.


MARIA VARMAZIS. What? Never!


GRAHAM CLULEY. They even faked a trial done via Skype. There was a fake court online where she was ordered to dress in white to show respect to the judge, because judges are real sticklers for dress codes.


MARIA VARMAZIS. They committed to the bit. Okay.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. And the court is saying, well, look, we need to make sure we've got the right person here. You have to verify your identity. So could you transfer your savings? Oh— temporarily. It's only just for government verification. And, of course that's what she did. She transferred her savings into this account.


CAROLE THERIAULT. Oh my God, this is awful.


MARIA VARMAZIS. She lived the nightmare, this poor woman.


GRAHAM CLULEY. Well, this is the thing.


CAROLE THERIAULT. Unbelievable. Even if she had the wish of wanting to call the cops, she was kind of terrorized in her own home because she mentally fell into their trap.


MARIA VARMAZIS. Well, she thought she was talking to the cops, so why would you call the cops on the cops? That's a—


CAROLE THERIAULT. Because there must have been something where you're going, I can't believe cops do this.


MARIA VARMAZIS. Yeah, but genuinely, who would you call? Yeah.


GRAHAM CLULEY. And this was it, because after this happened and she thought this is a bit strange. I don't seem to be in digital custody anymore. They don't seem to be carrying on with the trial.


CAROLE THERIAULT. And where's my money?


GRAHAM CLULEY. Where's my money? So she started Googling digital arrests, and what she found is that hundreds of people have had the same experience in India. She went down to the police station, and again, she was unsure. Is this a real police station? Am I reporting to the genuine police? And she said to them, this is what's happened. Have you heard of it? The policeman apparently laughed at her. Which isn't very sympathetic. And they said this is happening all the time. So similar digital arrests have been taking place across the country. People have lost in total millions and millions.


CAROLE THERIAULT. You laughed at me actually when I got scammed.


GRAHAM CLULEY. Laughed? Yeah, laughed.


CAROLE THERIAULT. We went, Carole!


MARIA VARMAZIS. So there was no laughter in this one at all.


GRAHAM CLULEY. Yeah, that's a lie. That was hysteria. That was a mixture of upset, the emotions were bubbling out of me. So, the problem is so big, last month, Prime Minister Modi of India warned about it during his monthly radio address. But the scammers behind this, they are believed to run call centres in Cambodia, Myanmar, Laos, and possibly the individuals who are working these call centres are actually working against their will. We've talked before about these pig butchering scams and other scams.


MARIA VARMAZIS. Mm-hmm.


GRAHAM CLULEY. Where— The people working in the call centre have had their passports taken away from them, and they're effectively slaves.


MARIA VARMAZIS. Yeah.


GRAHAM CLULEY. It's horrendous, but lots of people have fallen for this. Another guy who fell for this was actually a guy who was writing the autobiography of the Prime Minister. And again, he was duped. And he says, "Well, they knew all about me. They found out information about me. They appeared to be genuine police." Sometimes they actually have video calls with you, and they're dressed up as policemen, wearing their little uniforms.


MARIA VARMAZIS. High school theatre club stuff, their dreams. We can't make it on Broadway, so we're gonna make it in scams. We're gonna do it our way, damn it.


GRAHAM CLULEY. It's astonishing, isn't it? So the Indian cops have arrested some people in connection with these digital arrest frauds, but it seems there's quite a lot of it going on, so I think they probably only grabbed some of the people. The Indian Prime Minister, he's given some advice. 3 steps to digital security, he says. Stop, he says. Don't panic. Don't give away your personal information. Think, he says. Does it really sound something a government agency would do? Would they threaten you on the phone? 'If it smells fishy, it probably is,' which is good advice, unless you have actually bought some fish. Is that what he said? I don't know if that's verbatim. I don't—


CAROLE THERIAULT. Well, okay. Sorry.


GRAHAM CLULEY. No, well, no, I'm not quoting.


CAROLE THERIAULT. I thought you were quoting.


GRAHAM CLULEY. He said, he said, 'Stop, think, and take action. Call the National Cyber Helpline.' He said, 'Report the crime. Inform your family all about this.' And maybe we've done our little bit, because we've got a lot of listeners in India. Maybe we've done our bit to raise awareness of this as well, Hope.


CAROLE THERIAULT. Yes, and I'm actually talking about phone scams as well. So, double dose-y this week.


GRAHAM CLULEY. Ah, interesting.


MARIA VARMAZIS. Mm.


GRAHAM CLULEY. So, do you think this could happen to you?


CAROLE THERIAULT. Well, of course.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Of course this shit could happen to us. And it would just be a way that would, you know, I look at this one and go, oh, I wouldn't fall for that. But of course there's a billion things I would fall for.


GRAHAM CLULEY. It wouldn't happen to you, Carole, 'cause you never bloody well answer the phone.


CAROLE THERIAULT. Correct.


GRAHAM CLULEY. That's the ultimate defence. Maria, what's your story for us this week?


MARIA VARMAZIS. So, are either of you familiar with Bitz?


GRAHAM CLULEY. Bits, as in an eighth of a byte?


MARIA VARMAZIS. Oh, that kind of bits. What if I told you that Bitz was a person? Bitz the person. The person Bitz.


GRAHAM CLULEY. Is it with a Z?


MARIA VARMAZIS. With a Z, yes.


GRAHAM CLULEY. Oh my God. How did I know? I just— In which case, I definitely wouldn't know about them. I would have avoided them because that's a stupid way to spell bits. Who is Bitz with a Z? Or a Z?


MARIA VARMAZIS. Bitz with a Z, or a Z as I would say as a Yank. Bitz is a YouTuber with at least 63,000 subscribers. And he's one of those gaming YouTubers where he streams himself for hours as he plays video games. Which is a thing. Yeah.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. It's a career. It's a career. It's perfectly easy.


MARIA VARMAZIS. I'm in the wrong line of work because I love video games and I just, could I make money just playing Civilization all day with people watching me as I swear at Gandhi? I mean, it could happen. Maybe I'm doing—


CAROLE THERIAULT. Maybe. But you like talking too, Maria.


MARIA VARMAZIS. And I do. I do like the gab. I'm just rethinking my career right now as I'm speaking to you both. I'm wait a second, maybe I should do this. Yeah. So Bitz is a YouTube gaming streamer. And he's got a lot of followers. He's worked really hard over many, many years to build up his account. It is a career. People make money doing this somehow. His stream is very cozy. He's sitting in his gamer chair. There's a lot of obligatory LED lights behind him making it look very much like a gaming cave, but then there's a fireplace in the background. It's very cozy, like a gaming lodge.


CAROLE THERIAULT. I can imagine kids watching that would just be, one day that's gonna be me, one day.


MARIA VARMAZIS. And me as a not a kid going One day that's gonna be me. No. And subscribe, everybody. Yeah, so he—


GRAHAM CLULEY. Oh, I've just clicked through to his channel. He has an enormous fire running in the background, doesn't he? Is that for real?


MARIA VARMAZIS. You know, I've actually been wondering, is that a gas fireplace? What the deal is? 'Cause it looks quite nice.


GRAHAM CLULEY. Is he aware there's so much fire in his living? I mean, that looks dangerous. I'd want to warn him.


MARIA VARMAZIS. There's a lot of creosote in your room, sir. That can't be good for your gaming setup.


CAROLE THERIAULT. I just went and looked. It is ginormous. Oh dear, he looks like he's got fire.


MARIA VARMAZIS. He's like he's burning, burning with the flame of gaming. Yes, he's having a good time. So he uploaded this video very recently with the title simply, "My YouTube channel got deleted last night." Oh yeah, not his doing, not his doing.

So Mr. Bitz was — Sir Bitz? Mr. Bitz was the victim of a thing that I'm just learning about called streamjacking. Which is a targeted attack that tends to go right after YouTubers with a large following.

Can you guess what the goal is of streamjacking? Steal followers?


GRAHAM CLULEY. Yeah, it's going to be to promote something or advertise to all those 63,000 people who follow him.


MARIA VARMAZIS. Yes. What, what, what, pray tell, could somebody with bad intentions be wanting to redirect people to do or purchase? Any cryptocurrency scam?


CAROLE THERIAULT. Yes, I was going to say swilling. Isn't there the new fad on TikTok, swilling oil in order to, you know, cure oil? Yeah, you swill oil in your mouth for a minute or two.


GRAHAM CLULEY. Like diesel?


CAROLE THERIAULT. Like, like mouthwash. And then, yeah, anyway, whatever. Okay, right, crypto.


MARIA VARMAZIS. It's crypto. It's eventually, it's a crypto scam. It's a very, very long way of getting to a crypto scam.

But the thing that I found interesting about this — here's sort of the chronology of what happened to Mr. Bitz. He was casually browsing Twitter/X, whatever the hell we're calling it now, right? He got a security notice saying there was an attempted login on his account.

I'm guessing the geofencing or whatever was noticing somebody was trying to log into a session from a different location. And then pretty much right after, he got logged out of his account, and anytime he tried to log back in, he couldn't.

And at the same time, his TV logged out. I'm guessing maybe that's the fireplace thing, there's a TV.


GRAHAM CLULEY. So his TV would have logged out.


MARIA VARMAZIS. His fireplace logged out, as one's fireplace often does.


GRAHAM CLULEY. Hashtag dad jokes.


MARIA VARMAZIS. Yes, yes. Then he went on to his YouTube, he tried to get onto his YouTube account, and he found out that that account he also could not access. So it had been hacked. His Twitter had been hacked.


GRAHAM CLULEY. He must have been having kittens. This is livelihood, because this is his whole life, his whole existence. YouTube channel.


MARIA VARMAZIS. It is, yep. And his whole identity of his YouTube channel also changed pretty much immediately. The channel's name, the banner up at the top of the channel, even the email address and his password all pretty much instantly changed and started live streaming crypto-related videos.

And you know, this, the scam calls to action saying, you know, go to this website to double your crypto wallet, that kind of thing. It's a crypto scam. He was shitting bricks, as they say. Just absolutely just painful. Yeah, not really.


GRAHAM CLULEY. Oh, snow curl.


CAROLE THERIAULT. Oh, sorry, I thought you said colorful.


MARIA VARMAZIS. Oh, it's not. Yeah, I would presume that it is. I will say that the happy ending to the story is it took only 12 hours for him to get through to YouTube support and recover his account.

And the reason I say it's happy is in many cases streamers who have been streamjacked as Mr. Bitz did, they never get their accounts back. They— many people have said their account just basically is nuked.

And these are people who get hundreds of thousands of subscribers and they can never get that back after years and years of work. So it's just gone in an instant, which is so terrible.

So 12-hour recovery is pretty great. And yeah, he uploaded this video to let his followers know if you ended up clicking any of that stuff, you need to check out your stuff right away because you probably have malware.

So how did this all happen and how did this streamjacking occur? Because this is the thing that I also found super interesting.

He had received through his email an NDA through DocuSign for a sponsorship deal, and it all looks totally legit. It was a real legitimate DocuSign document.

The organization was all legit. It all passed the initial sniff test.

However, it wasn't. He was misled by someone with bad intentions.

And signing that NDA caused him to download a malicious file to his machine that then essentially cloned his browser and its sessions. That allowed the attacker to get access to all of his sessions across his browser, everything he was logged into.

Because what he had noted on his—


CAROLE THERIAULT. God, right.


MARIA VARMAZIS. What he had noted on his video was that he smartly has a separate email account for every single one of his social media things. So YouTube has its own email, Twitter has its own email, Twitch has its own email.

So if one of those gets compromised, he doesn't lose the whole lot. So he thought okay, I'm good.


CAROLE THERIAULT. I've not heard of that before. It's clever.


MARIA VARMAZIS. Yeah, it is. Now that I know that— except in this case, they were able to completely bypass that.

Apparently he had two-factor authentication on.


GRAHAM CLULEY. Well, it sounds like maybe they'd grabbed the session cookies from his browser. Yeah, so sort of able to replicate— as he was logged into all of those accounts, maybe they were able to replicate being logged into the accounts themselves.


MARIA VARMAZIS. It sounds like it. So they just snarfed it all up and they were able to just log into all his things that he was logged into.

So given all that, it's quite amazing that he was actually able to recover anything at all, because that, to me, that's just— the keys to the kingdom are gone. But I guess he was able to outrun some of the attackers to change some of those passwords before they could get to it.

But in any case, he was able to recover his account. But yeah, this whole thing just revealed to me— I didn't know streamjacking was a thing.

I had no idea. But yeah, in the end it was all crypto scam.

But my goodness, in the meantime, people who have large YouTube followings or followings on any social media, just beware of unexpected NDAs and deals coming into your inbox. The fact that it even went around his two-factor authentication I suppose would give you a false sense of security, but if it hijacked your browser sessions, then yeah, that's wow.


GRAHAM CLULEY. A lot of these cryptocurrency scams, which I've seen lately, have used the face or the name of Elon Musk as well, haven't they?


MARIA VARMAZIS. They sure have.


GRAHAM CLULEY. It's strange how they've sort of embraced him and used him.


CAROLE THERIAULT. Isn't he the doggy coin guy?


GRAHAM CLULEY. Well, he's taking on this new position, isn't he? He's going to be very, very busy. I don't think he's got time just to hand out cryptocurrency to everyone.


CAROLE THERIAULT. You laughed at me on air when I said that was happening. You said, he's not gonna take that role, are you insane? Or something along those lines.


MARIA VARMAZIS. And the question is, how long will he last? Yes, how long will he be in it?


CAROLE THERIAULT. Oh, they're gonna stay super good friends, you'll see.


GRAHAM CLULEY. Oh really? Oh really? I will laugh at that one. Carole, what's your topic for us this week?


CAROLE THERIAULT. Okay, well, we've been talking a lot about scams. My story is about scams as well.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. But if you get a phone call and you don't recognize the number, what do you do?


MARIA VARMAZIS. I do not answer.


CAROLE THERIAULT. You do not answer?


MARIA VARMAZIS. I don't even answer phone calls from people I do know.


CAROLE THERIAULT. Yeah, no, I do the same. I do the same. You, Clue?


GRAHAM CLULEY. Yeah, yeah, straight to voicemail.


CAROLE THERIAULT. Really? If you don't recognize it, even if it could be a journalist you don't recognize or, you know?


GRAHAM CLULEY. Nah, these days I just think, who the hell are you calling me? I look at the area code as well.


CAROLE THERIAULT. Oh, well.


GRAHAM CLULEY. That might be an indicator. Who calls?


MARIA VARMAZIS. I call people.


CAROLE THERIAULT. I'm old school. I don't email. I don't do anything else. I guess I can't ask you guys how many scammy or nuisance calls you get because you have no idea because you don't take—


MARIA VARMAZIS. No, I get a lot. That's part of the reason I get so many every day. Daily? Probably about 5 or 6. And that's after subscribing to one of the services that's supposed to help filter them out. So I probably get even more than that. But, yeah.


CAROLE THERIAULT. And you'd think in these crazy days of advanced tech, the powers that be would have figured out a way to address the spam call epidemic because it seems it is an epidemic and it's getting bigger and bigger all the time. So I'll sprinkle a few numbers so you can get an idea of how big of a thing it is.

But in the US, Truecaller states Americans have received 2.9 billion calls every month. That's their average, 2.9 billion. And more than a third of calls from non-contacts in the US are unwanted or spam calls, nuisance calls. The FTC showed that consumers reported losing more than $10 billion to fraud in 2023, the highest ever recorded. And calls are a big part of that.


GRAHAM CLULEY. And in some US states, you probably get those robocalls, don't you, from politicians or political groups?


CAROLE THERIAULT. Oh, yeah.


GRAHAM CLULEY. To vote one particular way. I imagine they don't care about some states, but in key battleground states, they would have done that. That must be really irritating.


CAROLE THERIAULT. Yep. And the UK, it's not much better. The UK reported it has the highest fraud call rate in Europe. 27% of calls being fraudulent are classified as nuisance.


GRAHAM CLULEY. Wow.


CAROLE THERIAULT. But the recorded losses seem to be much less, even if you take into account population ratio. So UK finance figures for last year recorded losses of £136 million. But another report said 70% of people who have faced this scam situation have never reported it.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. So 70%.


GRAHAM CLULEY. I probably wouldn't report it.


MARIA VARMAZIS. Yeah, same here.


GRAHAM CLULEY. Yeah. I'd be honest.


CAROLE THERIAULT. And especially if you spotted it and nothing happened. Let's say, you know, it was obviously a scam and you hung up.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. You probably wouldn't call, right? Because it's a pain in the ass to call. Or you imagine it's going to be a long process, complicated. I don't have time. I got to go make dinner.


GRAHAM CLULEY. I think in some cases you can forward the number, can't you, to addresses and things. But yeah, I probably— I feel bad about it, but I probably wouldn't.


CAROLE THERIAULT. And worldwide, it's not much rosier. USA Today just reported that in the last 12 months, we've hit a new high, a global loss to scam calls of $1 trillion.

So in short, scam calls are annoying. They waste time. They can dupe you into parting with your hard-earned cash. Banks don't like it. Telecom companies don't like it. Nobody likes it except for the scammers that win. So what can you do? What can you do about all this?

Well, this year the UK seems to have made a concerted effort into educating the public about scams and how to avoid them. Graham, you may have seen the national campaign, which is similar to the one that you mentioned earlier in India, Stop Think Fraud, which launched earlier this year. You may have seen that around London or in buses, public transport, that sort of thing. And the Home Office is working with stakeholders across a variety of industries. You've got banks like Barclays and telecom companies like BT and O2 and the Royal Mail and TikTok. So loads of people are involved in this. And they even held their first fraud summit in London this year. And then there was the big arrest last August. The National Crime Agency reported that they shut down the platform RussianComms, which was used by hundreds of criminals to defraud victims across the world through scam calls. They estimate 170,000 people across the UK were believed to be victims.


GRAHAM CLULEY. Geez.


CAROLE THERIAULT. And financial losses in the tens of millions.


MARIA VARMAZIS. Yeah, sadly.


GRAHAM CLULEY. Yep.


CAROLE THERIAULT. And this platform allowed criminals to basically hide their identity by appearing to come from preselected numbers, most commonly financial institutions or telecom companies or law enforcement agencies. Very similar to what you were saying earlier, Graham.


GRAHAM CLULEY. Yeah, this is where it really can be convincing: it looks like it is a phone call coming from your telephone operator, for instance, or coming from your bank, or a text message which may appear to come from them as well. So yeah, that's a real nuisance, isn't it?


CAROLE THERIAULT. And I mean, according to the adverts shared across social media for Russian Coms, the service included unlimited minutes, hold music, encrypted phone calls, instant handset wipe, and 24/7 support.


MARIA VARMAZIS. What?


GRAHAM CLULEY. What?


MARIA VARMAZIS. Sorry.


GRAHAM CLULEY. Whoa, whoa, whoa. What's this instant handset wipe?


MARIA VARMAZIS. Handset wipe.


GRAHAM CLULEY. Is that because people are worried about getting infected by a dirty telephone? Like the Golgafrincham?


CAROLE THERIAULT. I imagine it means wiping the number or whatever you're pretending to be from the handset, I imagine. Okay.

There are a lot of efforts going on. There's a smattering of work going on that I've certainly noticed when I'm out and about in London. But there's a new effort in the UK that launched this week from telecoms company O2. Meet Daisy, the AI granny and head of O2's scammer relations. So she's been designed to answer phones and keep the fraudsters on the line. The idea being to waste their time and keep them away from you. Because if they're on the phone with her, they may not be on the phone with you. So O2 tout that Daisy is so lifelike that she has successfully kept numerous fraudsters on calls for 40 minutes at a time. So that could be 3. Numerous, I don't know. What is numerous? What's numerous?


GRAHAM CLULEY. Numerous means a number, I think. I think that is the strict definition of numerous.


CAROLE THERIAULT. I'd imagine more than one.


GRAHAM CLULEY. Ideally, it'd be more than one. Yes.


CAROLE THERIAULT. I'd like to think so. So let's see what we think. "Hello, scammers. I'm your worst nightmare. I'm an AI created by O2 to waste phone scammers' time." So W's, then a dot.


GRAHAM CLULEY. 3 times W and then dot.


CAROLE THERIAULT. "I think your profession is bothering people, right? I'm just trying to have a little chat."


MARIA VARMAZIS. "It's nearly been an hour, for the love of—"


CAROLE THERIAULT. "Gosh, how time flies. Because while they're busy talking to me, they can't be scamming you. And let's face it, dear, I've got all the time in the world." So what do you guys think? Maria?


MARIA VARMAZIS. Yeah, I mean, if I didn't know I should be suspicious about it, that might fool me. I could see that.


GRAHAM CLULEY. From my days of doing tech support of elderly relatives, that sounds very convincing, actually. That's the sort of phone call I could imagine myself being on.


CAROLE THERIAULT. I mean, she is winding them up something fierce as well, right? Just having circular conversation. And I do like it because it is a bit funny. It educates and it's compelling. They have a great ad, which I'll put in the show notes if you want to see it in action. And we all like seeing someone get wound up when they've been doing something shitty, like attempting to scam a granny.


GRAHAM CLULEY. Well, the great thing is that this is using up a scammer's time, isn't it? Which they could have been spending attacking someone else and scamming someone else out of their money. So it could have been a real granny they were talking to rather than Daisy.


MARIA VARMAZIS. Yeah, exactly.


CAROLE THERIAULT. And apparently they did a survey and 70% of folks said they wished they could get their own back against scammers that have duped them or a loved one. But maybe they didn't necessarily have the time to go do the scam baiting thing and didn't have the technical expertise. So rather than trying to scam bait a scammer, which I do not recommend—leave that to the people that know what they're doing—what you can do is if you think you've got a scam, do report the scam. So in the UK, you would do this to Action Fraud. The number is 7726. That's what you text. And I very much support this. And O2 say, and I love this, they say by reporting dodgy calls and messages, telecoms companies are able to investigate and block the mobile numbers used by fraudsters. And they can also use scam texts to help refine these blocking services to make it easier to identify and stop new trends faster in future. They boast that they blocked 89 million texts last year alone, thanks in part to Action Fraud 7726 and people like us reporting it.


GRAHAM CLULEY. Very good. Well done, Daisy.


CAROLE THERIAULT. I know. Yeah, well, why don't we let Daisy have the last word here? "It's showing me a picture of my cat Fluffy."


GRAHAM CLULEY. "It's showing you the picture of your card, Fluffy. Stop calling me dear, you stupid fuck! Got it, dear."


CAROLE THERIAULT. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. Imagine taking a proactive deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team.

ThreatLocker helps you do this and provides a full audit of every action for risk management and compliance. Onboarding and operation is fully supported by their US-based support team.

Stop the exploitation of trusted applications within your organization to keep you running efficiently and securely. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high.

To learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization, visit smashingsecurity.com/threatlocker. That's smashingsecurity.com/threatlocker. And thank you to ThreatLocker for sponsoring the show.


GRAHAM CLULEY. Whether you're starting or scaling your company's security program, demonstrating top-notch security practice and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and security in real time.

Get $1,000 off Vanta when you go to vanta.com/smashing. That's vanta.com/smashing for $1,000 off.

Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I wouldn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices?

Well, 1Password has an answer to this question, and it's called Extended Access Management. 1Password Extended Access Management helps you secure every sign-in at every app on every device because it solves the problems traditional IAM and MDM can't touch.

Go and check it out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show.

And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.


MARIA VARMAZIS. Pick of the Week!


CAROLE THERIAULT. Pick of the Week!


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses whatever they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like. It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my pick of the week this week is not security related. My pick of the week this week is social media related. For all I know, you're a huge fan of social media. You can't stop yourself.


CAROLE THERIAULT. Are you talking about Bluesky like every other person on the planet?


GRAHAM CLULEY. So my pick of the week this week is Bluesky.


MARIA VARMAZIS. There it is.


GRAHAM CLULEY. So, it can't have escaped your notice, gentle listener, that there's a new— well, it's not that new. It's been around for a few years. I've had an account on it for a while as well, but I haven't been very active on it until the last couple of weeks because I've decided to close my Twitter account. Huzzah!


MARIA VARMAZIS. Me too.


GRAHAM CLULEY. Ah, excellent.


MARIA VARMAZIS. Mine's gone. I deleted it. Yeah.


GRAHAM CLULEY. Yep. Maria, I know you're on Mastodon. I'm on Mastodon as well, yes. But I've never really embraced Mastodon entirely.

I've not completely got into it. I'm enjoying Bluesky though.

It's someone said to me, is it the new version of Twitter? And I said to them, no, it's the old version of Twitter before Twitter became shitter when Elon Musk took over.

So it's Twitter 1.0, not Twitter 2.0. At the moment, it's lovely.

There's no ads. The algorithm— well, you can define your own algorithm.

You can just have a chronological feed of everybody who you're following rather than Elon Musk popping up all the time being promoted even when you're not following him. And it's utterly charming.

There are easy ways to block people and it seems to be quite civilised. So I'm really enjoying Bluesky, and that's where I'm posting and mostly hanging out now.

And I think it's great. I know there's been a lot of hype about it.

I saw today, day of recording, they've just passed 20 million users, which is extraordinary.


CAROLE THERIAULT. Have people been leaving X? Have there been any in droves?


GRAHAM CLULEY. Yes, the Guardian newspaper left X, as they like to call it. The Clifton Suspension Bridge in Bristol, they left.


MARIA VARMAZIS. I've been waiting for that one.


GRAHAM CLULEY. I believe that Shatner and Mr. Sulu and various other members of Star Trek.


MARIA VARMAZIS. LeVar Burton.


GRAHAM CLULEY. Geordi La Forge.


MARIA VARMAZIS. Yep.


GRAHAM CLULEY. Have made the jump to Bluesky as well. So people are leaving.


MARIA VARMAZIS. And Mark Hamill.


GRAHAM CLULEY. Yes, Mark Hamill. Mark, yes, he is. He's there.


MARIA VARMAZIS. Mark Hamill left. Yes, he's there.


GRAHAM CLULEY. He's a superstar. So, lots of people are leaving Bluesky.

If you're nice, why don't you come join us?


MARIA VARMAZIS. If you're not, stay on X.


GRAHAM CLULEY. You know what, Maria, I will put a link to your Bluesky in the show notes as well as my own. Carole, are you joining Bluesky or are you not really into social media as much as maybe—


CAROLE THERIAULT. I just have real friends when, you know, well, all right.


MARIA VARMAZIS. I was just gonna say we need to get Sticky Pickles on Bluesky, but maybe not. I don't know.


CAROLE THERIAULT. Well, no, you can do that.


MARIA VARMAZIS. I mean, you know. Okay. I'm still on Mastodon too, though. I just wanna say I both.


GRAHAM CLULEY. Yes.


MARIA VARMAZIS. They're just very different.


GRAHAM CLULEY. Yeah, yeah. I Mastodon too. It's just at the moment, Bluesky is a little bit more engaging for me.


MARIA VARMAZIS. Yes.


GRAHAM CLULEY. Maria, what's your pick of the week this week?


MARIA VARMAZIS. So, it's been a little while since I've been on the show, and I've been watching a lot of TV. The two of you know, I'm pretty sure that I recently moved houses, so I haven't been able to get out in the world and do things. My only entertainment has basically been just TV when, you know, I'm exhausted from a long day of unpacking or throwing boxes out, right?

I'm gonna get my nerd on. I'm gonna get my full total anime dork nerd on, and I'm gonna give you my recommendations. It's an anime on Netflix called DanDaDan, okay? And I'm absolutely obsessed with it.

Oh, I'll just read you the pitch. In a bet to prove whether ghosts or aliens exist, two high schoolers face terrifying paranormal threats, gain superpowers, and maybe even fall in love. Basically, there's a nerd who's really into UFOs, and then there's the weird outcast girl who's really into spiritual, paranormal aura stuff. And they both think the other one is wrong.

They're like, there's no way UFOs could exist, there's no way ghosts are real, and they both find out that the other one is right. It's just super funny. I really have been enjoying the hell out of it, and it's on Netflix, so a lot of people can watch it.

Netflix, I think, gave this show a ton of money for their art direction, so it's unusually good for an anime. The opening theme song is insanely good. So yes, it is an anime, so I know many people, that's just a non-starter.

But if you are willing to watch an anime, this one's really, really fun and I greatly enjoy it. DanDaDan.


GRAHAM CLULEY. How do you spell DanDaDan?


MARIA VARMAZIS. DanDaDan, like DanDaDan.


GRAHAM CLULEY. Oh, okay, okay.


MARIA VARMAZIS. Okay, yep, cool. It's a lot of fun.


GRAHAM CLULEY. Cool. All right, check it out. Carole, what's your pick of the week?


CAROLE THERIAULT. So my pick of the week is a book called Butter by Asako Yuzuki. It was published in Japan in 2018, and this year was made available in English. And it's a novel, it's a fiction book, and the central character is Manako, and she's this curvaceous femme fatale and foodie and lover of butter.

And she's in detention and awaiting trial for having killed 3 men.


MARIA VARMAZIS. Oh, okay, a bit of a turn.


CAROLE THERIAULT. And they seem to have died from things like heart attacks and maybe natural causes, but she was always involved.


GRAHAM CLULEY. Uh-oh.


MARIA VARMAZIS. Eating too much butter.


GRAHAM CLULEY. High cholesterol.


CAROLE THERIAULT. And then we've got this journalist named Rika, and she wants this woman's story, right? She wants to do the true reveal, you know, the piece about this foodie killer. But the problem is the foodie killer doesn't want to talk to the press until the journalist writes her with a request for a beef stew, right?

So that's how it all kicks off. And it's a thrilling search for what happens to actually these men, but also there's a lot about food. So if you like food and reading about food, this is a great fun book to read.

It touches upon Japanese society as well, and demanding beauty standards that Japanese women are expected to maintain, and fatphobia, and all kinds of things. Plus, plus, Butter is based on a real-life case of the Konkatsu Killer, which was a con woman and talented home cook called Kijima, and she was convicted of poisoning 3 of her male lovers.


GRAHAM CLULEY. Blimey.


CAROLE THERIAULT. Wow. So it's a fat book, like 500 pages. It's great. The holidays are coming around the corner.

Get it for your foodie friends who like to read. So Butter by Asako Yuzuki, my pick of the week.


MARIA VARMAZIS. Wow.


GRAHAM CLULEY. Excellent. Well, that just about wraps up the show for this week. Maria, thank you for joining us. I'm sure lots of our listeners love to find out what you're up to and follow you online.

What's the best way to do that?


MARIA VARMAZIS. You can find me on T-Minus Space Daily every day, wherever you find your great podcasts. And I also am on Hacking Humans.


GRAHAM CLULEY. And you can find Smashing Security on Bluesky as well, unlike Twitter, which wouldn't give us a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts.


CAROLE THERIAULT. And huge, huge thank you to our episode sponsors, 1Password, Vanta, and ThreatLocker. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 393 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye. Bye.


CAROLE THERIAULT. Bye.


MARIA VARMAZIS. Tiny waist, thank you.

-- TRANSCRIPT ENDS --