What happens when eager computer enthusiasts unknowingly download a trojanized hacking tool and find themselves on the wrong side of cybersecurity? A former employee's actions led to chaos and raise urgent questions about the security of cultural treasures. And join us as we explore the alarming trend of social media influencers staging fake kidnappings.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Lianne Potter from the "Compromising Positions" podcast.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- No Honour Among Thieves: Uncovering a Trojanized XWorm RAT Builder Propagated by Threat Actors and Disrupting Its Operations - CloudSEK.
- British Museum forced to partly close after alleged IT attack by former employee - The Guardian.
- Chart: What Do You Want to be When You Grow Up? - Statista.
- Tikked off: What happens when TikTok fame fades - Vox.
- Influencer burnout is real - Vox.
- Influencer slammed for staging fake kidnapping plot because she was ‘bored’ - Mirror Online.
- "Mom influencer" Katie Sorensen sentenced to jail for falsely claiming couple tried to kidnap her kids at a crafts store - CBS News.
- Stock market influencer on the way to Coldplay concert kidnapped by data theft gang - The New Indian Express.
- Raycast.
- “Thank Goodness You’re Here” video game.
- The We Society Podcast - Academy of Social Sciences.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Tailscale – Tailscale is perfect for work or personal projects, making networking simple. Its free plan covers up to 100 devices and 3 users. Get started at tailscale.com and be up and running in less than 10 minutes!
- 1Password – Secure every app, device, and identity – even the unmanaged ones at 1password.com/smashing.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. There is a slight twist to this tale.
LIANNE POTTER. You're as predictable as an M. Night Shyamalan movie, I have to say, Graham.
UNKNOWN. Smashing Security, episode 402: Hackers Get Hacked, The British Museum IT Shutdown, Ransomware and social media kidnaps with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 402. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, we are joined this week by a very special guest returning to the show. It's my great pleasure to bring back to the guest—
CAROLE THERIAULT. Smashing Security.
GRAHAM CLULEY. Oh yes, that's it. Thank you. Bring back to the Smashing Security sofa, Lianne Potter from the Compromising Positions podcast. Hello, Lianne.
LIANNE POTTER. Hello. Well, what a comfy sofa it is. It's a chaise lounge of security. Thank you for having me back.
CAROLE THERIAULT. Do you like the colour? Graham chose the colour.
LIANNE POTTER. The colour is a bit much, you know, and I'm prone to spilling things. So, you know, it's a bit too decadent for me, but I will live. I will live.
GRAHAM CLULEY. I blame past guests for the colour of the sofa, actually. I know Dave Bittner, he had an unpleasant spillage once. As long as you found a clean patch, that's good for us, Lianne.
LIANNE POTTER. I have indeed. I have indeed. It's lovely. I will just avoid that weird stain there.
CAROLE THERIAULT. Okay. And I'm just going to run off and thank this week's wonderful sponsor, 1Password, and Tailscale. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm going to be telling you how there's no honour amongst thieves.
CAROLE THERIAULT. Okay. And what about you, Lianne?
LIANNE POTTER. Well, we've got another disgruntled employee taking down a much-loved British attraction.
CAROLE THERIAULT. Oh, and I'm going to discover what woes befall the social media influencer. All this and much more coming up on Smashing Security.
GRAHAM CLULEY. Now, chums, chums, bad, bad news, I'm afraid, because 18,459 computers around the world have been compromised in a malware attack. Not the biggest number in the world, let's be honest. There have been times when there have been much bigger outbreaks, but this particular story is about 18,459 PCs which, according to the researchers at cybersecurity outfit CloudSEK, have unwittingly become infected with spyware. The computer enthusiasts who own those PCs have found that they're now compromised.
They can be spied upon, their data can be exfiltrated, their passwords stolen, snapshots can be taken of their screen, their registry can be fiddled with, and all of this can be commanded from a Telegram-based command and control server. At the bidding of hackers. Nasty, nasty little botnet capable of stealing information.
LIANNE POTTER. Ruh-roh.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. We haven't talked about botnets and spyware in a long time, Graham.
GRAHAM CLULEY. Yeah, well, it's—
LIANNE POTTER. Having a comeback. It's having a comeback. You know, everyone goes through peaks and troughs. It's having a comeback.
GRAHAM CLULEY. Yeah. And central to these things is often this command and control server, you know, which is what the hackers use to send messages to the compromised computers all around the world to get them to do their bidding. It's a communication channel, effectively.
It's not just for sharing pictures of your cat or whatever it is you may be doing. You know, those sort of things are happening via these messaging systems. And the hackers have successfully stolen via this spyware browser credentials, system information, Discord tokens to hack into people's Discord accounts, Telegram data from computers around the world. And the worst-hit computers are in Russia, the United States, India, Ukraine, and Turkey. So it's not as though it's— you know, sometimes we see attacks where Russian computers aren't attacked, for instance.
LIANNE POTTER. That is interesting.
GRAHAM CLULEY. Yeah, they don't seem to care. They'll infect people anywhere. These guys have got no qualms at all.
LIANNE POTTER. Well, in a world where, you know, lots of D&I initiatives are being torn up, it's nice to see equal opportunity hacking across the board. I'm very pleased about that.
CAROLE THERIAULT. I'm just waiting. I'm just waiting because all this sounds very average at the moment, and I'm waiting for the twist in the tale because Graham always has it.
GRAHAM CLULEY. Do I?
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Well, the research done by these CloudSEK guys, it discovered that the hackers who use names like Shiny Enigma and Millennium Rat, they have stolen so far over 1 gigabyte of browser credentials from infected devices. So they've gathered a fair haul of data, which of course they will be exploiting. We can expect that to happen. So it's bad, bad news. Now, Carole, your spider sense.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. I think it may have tingled correctly, because there is a slight twist to this tale.
LIANNE POTTER. You're as predictable as an M. Night Shyamalan movie, I have to say, Graham.
GRAHAM CLULEY. You know what? When I went to see The Sixth Sense, I'd been told in advance, oh, there's a twist in it.
LIANNE POTTER. Oh, I hate that. I hate that when that happens, because you're always looking out for it.
GRAHAM CLULEY. Well, yeah, I was sat in the cinema, and right at the beginning, Bruce Willis gets shot. And I'm like, "Oh, so he's dead then." And I had to sit through the rest of the movie thinking, "Well, that's why no one else is talking to him, because he's already dead." So it was completely wasted on me.
LIANNE POTTER. I had the spoiler revealed to me when I saw it for the first time as well. It kind of takes the fun out of that movie, doesn't it? It's still a good movie, I have to admit. But yeah, it does take the fun out of it.
GRAHAM CLULEY. Sorry if we've just ruined it for everyone who listens to Smashing Security who hasn't seen it yet. You've got to catch up. You've got to be current on your Bruce Willis movies before listening to Smashing Security. So there is a twist in the tale, and that is that there is something that links all the victims of this attack.
CAROLE THERIAULT. Aha, here we go. Here's the meat. Okay.
GRAHAM CLULEY. Because it turns out they all appear to have downloaded a particular piece of software from the net.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. They all seem to have installed a piece of software called XWorm RAT Builder. Not your typical piece of software. So what does that mean?
LIANNE POTTER. What does that do? To me, it has my spidey senses tingling. That doesn't sound like something I'd want to download.
GRAHAM CLULEY. Yes, something called XWorm RAT Builder.
CAROLE THERIAULT. Yeah, yeah, it sounds a bit Trojan-y to me. Yes.
GRAHAM CLULEY. So it turns out that these people who downloaded this piece of software, they appear to be script kiddies, new to cybersecurity, novices who are perhaps keen to explore the dark side of the internet and maybe keen to play around a little with malware themselves. It appears they downloaded this software after reading tutorials online about hacking other people's computers, which they may have viewed on Telegram and other channels, or watching YouTube videos that pointed them towards this particular download, which was up on file sharing services like Mega, is on GitHub repositories.
So these guys were downloading the XWorm RAT builder, thinking it would help them hack other people.
LIANNE POTTER. Oh, there's no honour amongst thieves, is there? Ee by gum.
GRAHAM CLULEY. So exactly, so XWorm RAT, the real one, promises to deliver advanced capabilities like reconnaissance, data exfiltration, command execution. Something very handy if you wanted to steal data or plant ransomware.
But the bad news for these people, these 18,000-odd people, was that the XWorm RAT builder that they downloaded was in reality trojanised. So, oh yes, sad trombone.
CAROLE THERIAULT. Wop, wop, wop. Yeah, so yeah, okay, this is a difficult one. I'm trying to get the ethics of it — do I feel bad?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. For these guys because they were duped.
GRAHAM CLULEY. Right. I think that's a very interesting discussion. How should we feel about this? I mean, they are victims, but they were planning to perpetrate some kind of cybercrime, we assume, themselves.
CAROLE THERIAULT. Or they were learning.
GRAHAM CLULEY. Yeah, they could have been perhaps wannabe security researchers — that is possible. It turns out this particular malware would detect if it was being analysed, if it was being run in a virtual system, and it would refuse to do its bad stuff because it was trying to avoid detection. They were told that this was a way to use the RAT Builder for free, downloading it from these sites.
But in fact, of course, it did infect their systems with malware.
CAROLE THERIAULT. Did they read the small print, Graham?
GRAHAM CLULEY. I don't know how small the small print was, but it must have been infinitesimally small in white writing on a white background. I don't think it actually existed.
CAROLE THERIAULT. Oh, come, come.
GRAHAM CLULEY. I don't think the bad guys tend to do that, Carole.
CAROLE THERIAULT. Well, I'm just saying, can I ask, do we know who trojanised, quote unquote, the RAT Builder?
GRAHAM CLULEY. Well, we think it is these groups who call themselves Shiny Enigma or Millennium Rat — we don't know any more than that at the moment. But the guys at CloudSEK, they did do an analysis. What they did was they studied the malware in detail, working out how it operated, looking at Telegram, looking at the botnet.
They also managed to get hold of the images that had been captured from infected devices. So these were screen captures and they did an OCR on those images — so optical character recognition, it's CSI, this.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. So they did the OCR. They were able to filter out the URLs that were on people's screens and work out the various URLs where the malware had been distributed from. So it's quite clever from that point of view.
And then, of course, they could contact those providers, those service providers online and get those URLs shut down to prevent further distribution of the malware. The other thing which CloudSEK did is they found a way to deactivate and uninstall the malware on those 18,459 computers, at least attempt to. So when they did their in-depth analysis of the trojanised version of the RAT, they discovered that it had an inbuilt command to uninstall itself.
LIANNE POTTER. Right.
GRAHAM CLULEY. And so what they were able to do was they were able to send messages to the Telegram bot with each individual machine ID. So each machine, when it gets infected by the malware, is given a unique identifier. It's like a 4-digit number. And then if that computer was online and it received the uninstall command, their computer would be cleaned up.
So that's what CloudSEK did. They sent every number from 1 to 9,999 to the botnet telling them to uninstall, which didn't work perfectly. Because first of all, infected PCs had to be online at the time that CloudSEK were sending the messages. But also Telegram rate limits how many messages can send at once. So you can't send 10,000 all at once. CloudSEK had to do them in batches.
CAROLE THERIAULT. And you know, they would be doing this to computers that they're not authorized to access as well.
GRAHAM CLULEY. This is the other interesting discussion, is it?
CAROLE THERIAULT. Right.
GRAHAM CLULEY. So what's your opinion, you guys? Is it right for security companies to clean up people's computers, whether they be potential villains or not, without displaying anything, without popping up any messages?
CAROLE THERIAULT. No, they should not, in my view.
GRAHAM CLULEY. You don't think so?
CAROLE THERIAULT. No.
LIANNE POTTER. It is a very ethical grey area, isn't it? Because, you know, that thing they've downloaded, they might be stopping the spread of it, you know, going further, because who wants to stop them going to their mates? It's like, "oh, I downloaded this great tool to do some hacking with. Here, do you want a copy?" And then start moving it along.
Yes. But yeah, yeah, I don't know how I feel about, it's kind of saving the day, but I wouldn't want someone just to access my computer. What if I was a security researcher and I was also doing that? So, you know.
GRAHAM CLULEY. Right, right.
LIANNE POTTER. You've ruined my investigation.
GRAHAM CLULEY. Yes, yes, maybe there were rivals to CloudSEK who were doing a similar ransomware, maybe their honeypot grabbed this thing and suddenly CloudSEK are going in. And they're like, "oh, for goodness sake, you know, we were analyzing this and now you've uninstalled it."
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Technically, you could argue that is a computer crime in itself, isn't it? Unauthorized modification of someone else's computer.
CAROLE THERIAULT. I think it is in the UK under the Misuse Act.
GRAHAM CLULEY. Yeah. Yeah. Yeah. I think in many countries around the world. Also, when a regular person or their computer gets hit by a piece of malware and they clean up, they get a message or their antivirus comes along, there's a bit of a life lesson which is learned, right? About—
LIANNE POTTER. Ah, yes, good point.
GRAHAM CLULEY. Being more careful online, about learning how to behave better so that you don't have a problem in future. These particular script kiddies, as they're known, these people who are inexperienced at doing this or begin to dip their toe in, there's two life lessons they're not learning.
They're not learning a lesson which they could have learned about being safer online if they'd had to deal with it themselves. But they've also not learned the repercussions of getting involved in the murky world of cybercrime and what can go wrong. Because unbeknownst to them, they've been sorted out.
LIANNE POTTER. What would be interesting is to check forums and message boards to see if these script kiddies are like, "Hey, what happened to this piece of software I downloaded? Have they gone broke or something like that?" It'd be interesting to see if they think it's just the company themselves taking it off rather than the security research team just swooping in, saving the day.
What's the moral of the story though? Is it, be careful, wrong ones might do wrong things?
GRAHAM CLULEY. I think we all need to be careful, don't we? But Carole, you seem to have come down on the side against what CloudSEK did. You feel that that's wrong.
CAROLE THERIAULT. What countries are these computers in? What jurisdictions do they have? What is CloudSEK's right to those computers?
GRAHAM CLULEY. All over the world.
CAROLE THERIAULT. Right. So they've just kind of gone in and randomly accessed these systems based on whatever intentions, good or bad, I don't think that's the issue. It's more that you should not do that. It's against the law. So, yeah.
GRAHAM CLULEY. Would it have been for the greater good if the information CloudSEK had collected had been passed on to law enforcement around the world for them to take action? Or do we then think that would have taken months and months or years or would have been impossible? And I mean, sometimes we do see law enforcement doing this kind of thing as well, don't we? Where they're the ones who clean up the computers.
CAROLE THERIAULT. Tell the journalists, tell the cops, make a big show and dance about it. Put a pop-up on the machine. That's a bit like malware.
GRAHAM CLULEY. Maybe they could have popped up a message saying, oi, stop being so naughty, we're on to you. You shouldn't be doing stuff like that.
CAROLE THERIAULT. Yeah, but I would also be like, what the hell is that? That is so creepy. Who are these people?
LIANNE POTTER. Or we could have a community hacker engagement liaison. So someone coming into these hacker forums and saying, hey, just a little heads up, what you've just downloaded might not be kosher, so just be careful. It's interesting, isn't it?
GRAHAM CLULEY. I don't think there's an easy answer to this one, but certainly what CloudSEK did was very clever. I think the jury's out as to whether it was the right thing to do or not. I think there'll be opinions on both sides. Lianne, what's your story for us this week?
LIANNE POTTER. Well, I've got two questions for you. The first one is, have you ever got revenge on a previous employer? And do you want to admit it on the show?
GRAHAM CLULEY. I don't know that I've wanted to wreak revenge on a previous employee. I can't think—
CAROLE THERIAULT. Employer, Graham. Employer.
GRAHAM CLULEY. Oh, sorry. Employer. I don't think so.
CAROLE THERIAULT. No, I don't think so either.
LIANNE POTTER. Very good. Well, I'm very pleased to hear that. You must have had wonderful, brilliant jobs.
GRAHAM CLULEY. Oh, I wouldn't say that.
CAROLE THERIAULT. Well, we just don't admit it, of course.
LIANNE POTTER. Yeah, yeah, of course. Of course, yeah. I don't want you to get into trouble or anything. The other question I was gonna ask you is, have either of you ever been to the British Museum?
CAROLE THERIAULT. Yes.
LIANNE POTTER. It's fantastic, isn't it? It's a gem. And one of the things, I've just come back from a trip away, and one of the lovely things I love about going to London is how most of the museums are completely free, and the British Museum being one of them.
GRAHAM CLULEY. It's a great way to see treasures which have been stolen from around the world and looked after by good old Britain. On their behalf, whether they like it or not.
LIANNE POTTER. So, for anyone who's not been to the British Museum, yes, as Graham says, a lot of it has been pilfered from around the world. But you can go see— my favourite one is to go see Egyptian exhibits. They're absolutely stunning things there. But, oh, they had a bit of trouble the other week. Well, the other day, actually. They had a disgruntled employee who was recently dismissed coming on an evening and shut down several of the systems, including its ticketing platform.
CAROLE THERIAULT. Okay.
LIANNE POTTER. So it was an IT contractor. They were dismissed, then they trespassed. So, in my eyes, this is the closest we've got to, in British history, to a Jurassic Park incident. If anyone remembers what happened in Jurassic Park, well—
GRAHAM CLULEY. Hang on. There was something preserved in amber or something. Didn't they reanimate it? So—
CAROLE THERIAULT. Wasn't it a mosquito?
GRAHAM CLULEY. I'm thinking this guy, he goes into the British Museum, he goes up to one of the Egyptian mummies or something like that, takes a bit of DNA, reincarnates Nefertiti to launch an attack on everybody. Well, what happened? Well, how's this like Jurassic Park, Lianne?
LIANNE POTTER. It's like Jurassic Park because if you don't look after your employees or look out for the signs that your employees are unhappy, then bad things can happen. But also just giving someone so much access to be able to shut things down. So I think one of the weakest parts of your security posture is putting someone in charge of the delete button, really.
And so this person was able, even after they were dismissed... You'd think if someone was dismissed, that's different from someone just leaving. You know, sometimes people have lax offboarding processes, can take a little bit while. But if you are thinking this person's gonna be dismissed, you need to turn off their access as soon as that meeting is over.
CAROLE THERIAULT. But if he just turned off the machines, is that what you said?
LIANNE POTTER. But he had access to the IT system, so he was actually going in and turning off the IT system.
CAROLE THERIAULT. Oh, I see. Okay.
LIANNE POTTER. So, I had a quick look. For the most part, the British Museum is completely free to enter. However, what did get affected was, the British Museum do exhibitions.
CAROLE THERIAULT. Uh-huh.
LIANNE POTTER. Right. And that's 25 quid a pop.
CAROLE THERIAULT. Yeah.
LIANNE POTTER. So what happened is, people couldn't go see it. 'Cause they couldn't scan the tickets and things like that, couldn't pay for tickets.
GRAHAM CLULEY. Right.
LIANNE POTTER. British Museum actually lost out on quite a lot of money over the last few days.
GRAHAM CLULEY. When you talk about him being able to access the systems, he actually physically came in.
LIANNE POTTER. Yes.
GRAHAM CLULEY. This is the thing, 'cause we've heard, of course, about IT people in the past who've still got their passwords, still able to log in remotely.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. It's alleged that he had the audacity to actually come into the building and access the systems physically by hand.
LIANNE POTTER. Yep. So you can just imagine the scene. You get dismissed, and you think, "Right, that's it. I'm gonna take my revenge. How dare they get rid of me? I am king of the IT." Could be a queen.
GRAHAM CLULEY. Don't be sexist, Lianne.
LIANNE POTTER. Well, it does say it's a man in his 50s. He could call himself a queen. And I would be very fine with that.
GRAHAM CLULEY. Could be a drag queen. Could be a drag queen.
LIANNE POTTER. Could be indeed.
GRAHAM CLULEY. Lianne.
CAROLE THERIAULT. It could be.
GRAHAM CLULEY. They should have spotted that as he gets past reception.
CAROLE THERIAULT. Okay, Piers Morgan.
LIANNE POTTER. Just imagine the scene. So, "Well, I'm going to go back in, and I'm going to teach the British Museum a lesson." And you go past Dave on reception with your key card, and he's like, "Oh yeah, I've not heard anything about you being dismissed." Yeah.
And then goes in, and with organizations I've worked in, you know, to get into high-secured areas, you got to use your card again to get into places, logs in.
GRAHAM CLULEY. Yes.
LIANNE POTTER. That's not monitored there, you know, I was just speculating here, that's not monitored, and is able to cause quite a lot of havoc.
CAROLE THERIAULT. Huh. I was just recently in the Ashmolean, different museum entirely, but, you know, I was noticing secure areas, everyone had key fobs to get in, right?
LIANNE POTTER. Mm-hmm.
CAROLE THERIAULT. You know, and they all have these cards, I guess, to get into the private areas. So yeah, he must have just been able to replicate that and just get in everywhere.
GRAHAM CLULEY. Or maybe blag it. You know, I wonder whether the human element is really key here. I wonder whether someone who's just been dismissed the following morning, for instance, they come in and you simply go, "Oh yeah, you know, I've left my card at home or whatever. Can you just buzz me in?" And they've been working with this guy for months or maybe years. And so they wouldn't necessarily know this was now an ex-employee, or even if they did know they'd left, they may not know that it was on bad terms.
CAROLE THERIAULT. Yeah, you'd be like, "Oh, Kate, you know, they just let me go, but the thing is, I left some porn on the computer. Can you help me go delete it, please?" Right?
GRAHAM CLULEY. Or, "I'm coming in 'cause they've asked me to return my laptop," or something like that. So you could come across as quite innocent and say, "Oh yeah, I left yesterday, but I'm just returning a few things." Yeah. "Can you buzz me in 'cause I've got a meeting with Brian?" I want to empty out my locker.
LIANNE POTTER. I want to get my mug.
GRAHAM CLULEY. Sure.
CAROLE THERIAULT. So, Lianne, this guy, obviously, so they know who he is, and he's arrested. This is a crime, right? Yeah, he's been arrested.
LIANNE POTTER. Arrested, he's going to be questioned. One of the interesting things I was reading around the subject about malicious insider threats, most insider threats do tend to be the non-malicious kind, AKA boo-boos, screw-ups, where people don't mean to do wrong, but they do. But malicious insider threats, apparently they did a survey, cybersecurity professionals more concerned with that last year than they were of any other type of threat up by 74%, which I thought was really interesting.
Now, normally malicious insider threats are financially motivated, sometimes a little bit of espionage, but actually it's relatively low for grudges to be the reason why. But I guess the moral of the story is, you know, treat your employees right. And even through that kind of offboarding process, particularly if it's a negative offboarding process, maybe, you know, you've had discussions with someone saying, "Hey, either you're going to be made redundant or there's been a performance issue or something like that," it's just make sure that they don't have access. Having your offboarding, please hand in your badge, your laptop, and your vendetta at the end of the day. Thank you.
GRAHAM CLULEY. Hand in your vendetta. Carole, what have you got for us this week?
CAROLE THERIAULT. I'm going to talk about social media influencers. And let me start with this premise. Would you agree with this or disagree? They are basically glorified salespeople, aren't they? They market a lifestyle or a persona, gimmick, a fund, whatever.
GRAHAM CLULEY. Yes. If you saw a post by me and I said, "Oh, this Ozempic is really great, hashtag ad," you know, I'm selling.
CAROLE THERIAULT. And then you're sitting there with a full picture of you and your little skivvies going, "Hello, 6 makes bank."
GRAHAM CLULEY. I was actually imagining myself with a bucket of Kentucky Fried Chicken, but which would be more like reality. But yeah, yes, yes, they are salespeople, right?
CAROLE THERIAULT. Because they're securing followers in order to sell stuff, and the idea is that everyone makes bank.
LIANNE POTTER. So selling a lifestyle, yes, selling a dream, the definition of advertising, isn't it? Yeah.
CAROLE THERIAULT. And it's a legit job. Selling stuff is a legit job, totally. But it's not one that I typically would imagine kids dreaming of doing. Right? Like, what kid goes, oh, one day I'll be able to sell my very own vacuum cleaners?
GRAHAM CLULEY. I don't think they think of it that, though. I think they're looking at the Instagram influencers and thinking, oh my God, I want to be Kim Kardashian or whoever it might be. They're living the dream. They're going to expensive hotels. They're flying around the world. They've got luxury cars.
CAROLE THERIAULT. They're rich.
GRAHAM CLULEY. Yeah. They're not seeing the hassle of dealing with the advertisers and invoicing people.
CAROLE THERIAULT. Okay, maybe you're right. Let's see what you guess here, okay? Kids 8 to 12 were asked what they want to do when they grow up. Okay, and they have choices. They have 5 choices. So teacher. Okay, teacher.
GRAHAM CLULEY. No.
CAROLE THERIAULT. Professional athlete.
GRAHAM CLULEY. Yeah, maybe.
CAROLE THERIAULT. Musician.
GRAHAM CLULEY. Yeah, maybe.
CAROLE THERIAULT. Astronaut.
GRAHAM CLULEY. Definitely.
LIANNE POTTER. That was always a top one for me.
CAROLE THERIAULT. Right? Or a vlogger slash YouTuber.
GRAHAM CLULEY. Yeah, 98%.
LIANNE POTTER. Yeah.
GRAHAM CLULEY. They want to be YouTubers.
CAROLE THERIAULT. Not quite 98%. But a third, 1 in 3, right? 1 in 3 want to have a modern-day sales rep job à la social media influencer, then jet off into space.
LIANNE POTTER. How many of those want to be influencer astronauts though?
CAROLE THERIAULT. Oh, that would be good, wouldn't it? We've had one. We've had one. What was his name?
GRAHAM CLULEY. Chris Hadfield.
CAROLE THERIAULT. Yes, Chris Hadfield.
GRAHAM CLULEY. With his tash.
CAROLE THERIAULT. With his tash. Gosh, I got all distracted there. So, okay, yeah, you were talking about that. Why do kids buy into this? It's the riches, it's the glamour. What is it?
GRAHAM CLULEY. It's the not having to actually do anything. It's the perception is you just loll around on holiday and you get paid a ridiculous amount of money. I think that's attractive, isn't it?
LIANNE POTTER. And with all these things, you only ever see the good side of it, don't you? So it just looks so idyllic and idealised.
CAROLE THERIAULT. And they really know how to market the joie de vivre, don't they? A lot of influencers. And I think it's the social alphaness of it all, you know, the fact that there's people there, they're doing stuff, and people are volunteering to follow them and learn everything about them. It's you're a big alpha dog.
LIANNE POTTER. I imagine that validation piece, because that's what it's all about, isn't it? The likes and the shares and the how many views have I had. That's becoming ever more important, isn't it, in valuing our social. So I imagine that plays a lot into that.
CAROLE THERIAULT. So am I right, though, that I don't think many parents would be super thrilled if their kid was all about becoming an influencer? Parents would not be "Oh, thank God," if they said they wanted to become, I don't know, a lawyer or a doctor, the stuff of when I was a kid.
LIANNE POTTER. Well, it depends, 'cause quite a lot of parents are influencers themselves nowadays. It's the family business.
CAROLE THERIAULT. That's true.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. That's true. 'Cause I'd like to think that we're, maybe parents are older and very much wiser, and they can see the hidden costs to being a social media influencer. It is a lot of work. You've got to build content all the time.
LIANNE POTTER. Yes, we all three of us know what a grind that is.
CAROLE THERIAULT. But, you know, one of them that was at the height of his game described it quite well. He said, "You know, the scary thing is you never know how long it's going to last, and that's what I think eats us up at night. You know, what's next? How long can we entertain everyone for? How long before no one cares?"
LIANNE POTTER. And what if that life wasn't worth living? You always see a spate of, for example, YouTube is where I get most of my quote-unquote influencer content. You see all these YouTubers and they're all just burning out saying, "I'm taking a break from the channel," and things like that.
CAROLE THERIAULT. Right, burnout.
GRAHAM CLULEY. And I, yeah, I think burnout is real for these people, but at the same time, it's not like they're working down a tin mine.
CAROLE THERIAULT. Not many people are. You sound like my dad is, "I used to have to walk to school." But there are many much worse jobs which are not as well compensated.
GRAHAM CLULEY. So I mean, it's hard to feel the largest amount of sympathy.
CAROLE THERIAULT. Do you think the average influencer actually makes a buck?
GRAHAM CLULEY. Oh no, I'm sure they do. I think there's lots of wannabes who would like to. The people at the top of the tree, the MrBeasts and the Kardashians of this world, they're obviously making an absolute fortune.
CAROLE THERIAULT. Yeah, but they're a very, very small percentage. But I think some of them are really struggling to make a tiny bit of money.
GRAHAM CLULEY. Which is why you go and do something else.
CAROLE THERIAULT. Uh-huh. Uh-huh. Because also, you know, you can get a blip, right? You might get a video that gets nearly 200,000 views and it be all exciting for a week, your 15 minutes of fame, but then, you know, your view count starts to drop and then you have to build more content. And if you can't, it's a hard pill to swallow. But it seems to be all based on greed in a way, right? This insatiable need to secure more followers. That's why you are driven to do more content. And whether you're 10,000 followers or a million followers, the relevance of you, it seems in this world, is measured on growth. You're going up or you're going down.
LIANNE POTTER. I agree with that.
CAROLE THERIAULT. Maybe that's why people in the influencer sphere tend to do some bonkers things to maintain or grow their following. What about fake kidnapping? Well, it's crazy. Last month, Instagram model Victoria Rose, better known, Graham, as Woah Vicky.
GRAHAM CLULEY. Sorry, why are you saying better known, Graham?
LIANNE POTTER. Woah Vicky.
GRAHAM CLULEY. I think, oh, Graham will now know who this is.
CAROLE THERIAULT. Just in case. Just in case.
GRAHAM CLULEY. Woah, woah, Vicky.
CAROLE THERIAULT. Whoa, come on, you don't know it.
GRAHAM CLULEY. Whoa, whoa, Vicky.
LIANNE POTTER. That was as bad as those hacker names earlier.
CAROLE THERIAULT. But she apparently sparked outrage after admitting to fabricating a kidnapping story. Okay, the influencer had previously posted a series of tweets claiming she'd been kidnapped and held at ransom in Nigeria. One of the tweets read, "I have kidnapped Vicky. She is with me in Nigeria. I am demanding $1 million for her release." And this, of course, caused widespread panic amongst her followers. And then during an Instagram Live on Sunday, she confessed that the entire ordeal was made up. She says, quote, "We kind of got carried away with the joke, you know, and we just have fun and joke. You know, I don't drink or go to the club, so this is how I find my entertainment."
GRAHAM CLULEY. I mean, if I rang up a school and said I'd planted a bomb, then I'd expect the police to come round, right? And say, you can't do things like that. So why don't the police—
CAROLE THERIAULT. She's not the first, right? She's not the first. Even a few years ago, you have the mom influencer, Katie Sorensen. She falsely claimed that a couple tried to kidnap her kids at a craft store in an Instagram video. And she even went to the cops and filed a false police report.
GRAHAM CLULEY. What?
LIANNE POTTER. The police should have known something was up. People who go to craft stores, they're usually very nice.
GRAHAM CLULEY. I agree.
CAROLE THERIAULT. I agree. And she ended up facing jail time for this, quote, you know, prank. So while some influencers outright lie about kidnappings, about things as serious as kidnappings, some actually find themselves, well, kidnapped.
This week, a financial content creator in India known as The Stock Exploder was on his way to a Coldplay concert. And he's sitting there on a private bus.
GRAHAM CLULEY. To be honest, I'd rather be kidnapped than go to a Coldplay concert. It's a lucky escape, if you ask me.
CAROLE THERIAULT. And along the way to his Coldplay concert, Cybercell officers pull him over. There are five of them. And they forcibly remove him from the private bus, saying they're investigating a complaint.
One of his followers has suffered excessive losses due to Stock Exploder's advice. So he followed Stock Exploder's advice and he's now in the hole, right?
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. So the Cybercell officers then transport him to an undisclosed location, an undisclosed location. And here the true intentions are revealed. These are not Cybercell officers at all, but data thieves.
And they want access to his social media empire. So you see, Stock Exploder apparently operates his business on Instagram. That's where his crews are.
Telegram and Instagram are his business places, apparently. But he runs this through a network of 16 mobile phones with an iPhone serving as the primary server. And the perps got their hands on two of his phones and managed to link their own SIM cards to his social media accounts to access his follower base.
And the ultimate goal, as the police think, is to defraud the followers. And, you know, poor Stock Exploder. Not only is his business impacted, but, you know, he missed Coldplay. And that's pretty bad.
GRAHAM CLULEY. Small mercies. So did this actually happen or not? Or is this just nonsense?
CAROLE THERIAULT. No, no, no, it's not nonsense. This has happened. My question is, this is day one. So are we going to find out that this is real or not real in a few days?
And that's the problem with people doing pranks, right? Some people doing pranks on trying to get more viewers by, you know, lying about a kidnapping. So now I'm doubting what—
GRAHAM CLULEY. Oh, I see. So what you're saying is because there has been a history of influencers faking things like kidnappings, when someone genuinely gets kidnapped, people are going to think, "Yeah, yeah, right, pull the other one." Right.
CAROLE THERIAULT. Well, let's wait and see what happens.
LIANNE POTTER. So I guess if you and Graham get kidnapped, we need a safe word, make sure it's genuine, or should we just call you out for the charlatans that you are for faking your own kidnapping?
CAROLE THERIAULT. Everyone these days has a VPN as a sponsor, but Tailscale isn't those. This isn't about hiding your browsing habits from coffee shop owners, and it's not about watching Netflix in any other country.
GRAHAM CLULEY. That's right. Tailscale is a modern networking solution for connecting your applications, your services, and devices securely. It's great for companies and it's great for self-hosters too.
And it's fast, really fast. It's private, it's easy to deploy, zero config, no fuss VPN. Plus it means zero trust. Every organization can use this.
CAROLE THERIAULT. Thousands of companies already use Tailscale like Instacart, Hugging Face, LastPass, Duolingo, and more. So why not try Tailscale for free today? You'll get 100 devices and 3 users for free with no credit card required. Want to learn more? Visit smashingsecurity.com/tailscale. That's T-A-I-L-S-C-A-L-E. And thanks to Tailscale for supporting the show.
GRAHAM CLULEY. Now, regular listeners will know that 1Password is a long-term supporter of the Smashing Security podcast, and this week we want to tell you about how 1Password's extended access management can help your business.
CAROLE THERIAULT. This is the first security solution that brings all the unmanaged devices, apps, and identities used in your company under your control, and it ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible. 'Cause 1Password Extended Access Management solves the problems traditional IAM and MDMs can't. It's security for the way we work today, and it's now generally available to companies with Okta, Microsoft Entra, and in beta for Google Workspace customers.
GRAHAM CLULEY. 1Password's award-winning password manager as well is trusted by millions of users and over 150,000 businesses from IBM to Slack, and now they're securing more than just passwords with 1Password Extended Access Management. Find out more right now. Go to 1password.com/smashing, and thanks to 1Password for supporting the show.
And welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week?
CAROLE THERIAULT. Pick of the Week.
LIANNE POTTER. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my Pick of the Week this week is not security-related. My Pick of the Week is a tool which I run on my Apple Mac computers. And it is called Raycast. Have either of you heard of Raycast?
CAROLE THERIAULT. No.
LIANNE POTTER. Not a dickey bird, no.
GRAHAM CLULEY. Oh, it's wonderful. Well, it's an incredibly versatile tool for improving productivity for Mac users. And you know, Carole, you've got a Mac, haven't you?
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. And you know, there's a thing called Spotlight Search, which maybe you sometimes for finding apps. All the time. Yeah. Okay. All the time. Right. So at first I thought it was just a replacement for Spotlight Search, but it's turned out to be much, much more than that. You can use it for pretty much anything. So you can search for apps, you can search for files on your computer, you can search on the internet, you can manage tasks, manage apps, you can create and install as well custom extensions to tailor this tool to do anything you want. So I've got, for instance, now keyboard shortcuts to turn my studio lights on and off. If I'm doing a webinar or something, I can just press a button on my keyboard and it will do that. All through this program, Raycast. I can do window management. I can place windows around my desktop, you know, say, oh, send that one over to this screen, send that one over there, go on that half of the screen. I can turn on or off my webcam. I can do translation. I can do dictionaries. I can work out the times between different dates. I can track flights. I can have code snippets. So if there's a piece of text which I'm often writing, I can just have it as a shortcut. Have a clipboard history.
CAROLE THERIAULT. This is pretty exciting.
GRAHAM CLULEY. It replaces lots of other tools which I have on my Mac. So I have everything in this one thing and I found it's really streamlined my work. So Raycast, I find really easy to use. I keep on finding new functionality and there are all these custom extensions you can add on to it to do more and more things. And it's free forever with—
LIANNE POTTER. Hey, that was going to be my question. You know, how much brass is it?
GRAHAM CLULEY. It's free forever with almost all of the functionality. And I did use it for a while for free, very happily. And then out of curiosity, I thought, oh, they're saying you can try it with those extra little bits for 14 days and then it becomes $8 per month. And so I've now actually upgraded to the pro plan because I am finding it gives me more than $8 worth of value for some additional functionality, like syncing between my devices, like an unlimited clipboard, AI integration as well, if you want to use some AI functionality.
But it's changing the way I use my Mac and my workflow. And it's a really cool little thing. So it is called Raycast. The geek in me is absolutely loving it. So that's my pick of the week, Raycast. Cool.
LIANNE POTTER. Very nice.
GRAHAM CLULEY. Okay, Lianne, what's your pick of the week?
LIANNE POTTER. So my pick of the week is something I came across over the Christmas period. So the Christmas period is, I always treat as a very nice downtime for me. I'd like to call myself a gamer, but in actual reality, I just don't have time anymore.
GRAHAM CLULEY. Yeah.
LIANNE POTTER. But I'd love to sit down, and that's when Christmas really comes into play, and I play a lot of video games over Christmas, really get it in. And I came across this really fantastic game, and it's by a company that did a really brilliant game back in 2019, and some of your listeners might have had to play around with it, which was called Untitled Goose Game, where you played a goose and terrorised the neighbourhood.
CAROLE THERIAULT. Oh yes.
LIANNE POTTER. Yes, it was a fantastic game. Brilliant.
GRAHAM CLULEY. Great fun.
LIANNE POTTER. Well, this company have brought out a new game, and if anyone's caught my accent during this episode, you'll see why I also think it's wonderful. My pick of the week is a game called Thank Goodness You're Here.
GRAHAM CLULEY. It's very northern, isn't it? Thank goodness you're here.
LIANNE POTTER. It's very northern. Thank goodness you're here. Very northern, and it's a fake town called Barnsworth, which I believe is a bit like Barnsley because I've been to Barnsley myself and it kind of looks like that.
But Thank Goodness You're Here is a beautiful and hilariously funny game. It's almost to me like an interactive story. Your gaming really involves you going to the fishmongers and having to stamp on all the fish's heads until cigarettes come out of them. That's one of the tasks you get to do.
But what really makes this a really special game. It comes in about— I completed it in 3 and a half hours. Yep, there isn't much game there, but what is there is absolute gold.
When you're just walking around, the joy of it is just to look at the artwork, to look at the inside jokes, to listen to the story. I've not laughed so much playing a game in so long. It is really brilliant.
It is very Northern. You get a choice at the start of the game to how Northern you want it. I put on max because I can understand the language and the lingo.
CAROLE THERIAULT. Wonderful.
LIANNE POTTER. But you do have the option to tone that down a little bit so you can still follow along. It's absolutely hilarious and brilliant and I really recommend it. And it comes sometimes as a bundle on Steam, so you can buy Untitled Goose Game, which I absolutely recommend as well, as a kind of bookend to that. But Thank Goodness You're Here is absolutely brilliant and I can't recommend it enough.
GRAHAM CLULEY. I have had this game recommended to me before, I think by a listener who got in touch saying, "Oh, you'd really like this." I haven't played it, but I've seen some videos of it, and it does look hilarious, great fun.
LIANNE POTTER. I've got a theory that the North is really into surrealism. Because you got things like Vic Reeves. He's from the North. League of Gentlemen. It's got a very League of Gentlemen vibe to it as well.
Quite a lot of them are from the North as well. If you like The League of Gentlemen, you know, the early days of Vic and Bob and things like that, I think you'll love this game.
GRAHAM CLULEY. It's got a really fantastic sort of comic book or cartoon-like feel to it as well, doesn't it? It really does look great.
LIANNE POTTER. It's beautiful. It's a beautiful looking game. As I say, belly laughs throughout. All I would say is some people might be like, oh, this might be suitable for kids. It's not really. There is some quite rude jokes in it. But yeah, it's excellent.
CAROLE THERIAULT. I'm tagging this for my next date night with the Yeti. Yeah, we'll do this. Perfect.
GRAHAM CLULEY. Terrific. Carole, what's your pick of the week?
CAROLE THERIAULT. Mine is a little bit more serious. It's a podcast called The We Society hosted by Will Hutton. Will Hutton, well-known journalist in the UK, writes a regular column for The Observer. And this podcast, The We Society, has been going for a number of years. It just launched season 7.
GRAHAM CLULEY. How do you spell we, Carole? Is that as in French?
CAROLE THERIAULT. W-E, us.
GRAHAM CLULEY. Oh, just one E. Oh, okay. Right. Now I've got you. Yeah.
CAROLE THERIAULT. I didn't even think that way, Graham.
GRAHAM CLULEY. It's because of Lianne and her rude Northern game. My mind has gone there.
CAROLE THERIAULT. No, this is more about discussing the bigger questions about society or looking at big questions through this social science lens. So things like, should we and how do we improve education, or what is the future of democracy? Big things like that. Hate crime, how do we stop it? War on drugs. So big topics. And Will Hutton has experts and researchers on who share their specific insight on the realities of the situation and then explore, how did we get here? Where are we going? What should we do? Basically, that's the way I would say it.
LIANNE POTTER. Big heady stuff.
CAROLE THERIAULT. It's heavy, but also relevant. And I find it hopeful as well. So, you know, in a world where lots of headlines are very bad all the time, it's nice to have something where you learn from it, but also that you enjoy and you find a little bit more uplifting. So it's The We, just W.E. Society with Will Hutton. And that's my pick of the week.
LIANNE POTTER. Nice. I'll check that out.
GRAHAM CLULEY. Fantastic. I feel like we've covered it all this week in pick of the week. We've got the whole gamut there, haven't we? So that just about wraps up the show for this week. Thank you so much, Lianne, for joining us. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for folks to do that?
LIANNE POTTER. On LinkedIn all the time. But if you want to hear some more of my shtick, Compromising Positions is the podcast. Put Compromising Positions Podcast into Google. Do not just put in Compromising Positions. Nothing but the worst things you might see will come up if you don't put in podcast as well. I can't be held responsible.
GRAHAM CLULEY. Anyway, you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT. And huge, huge thank you to our episode sponsors, 1Password and Tailscale. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 401 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio. Bye-bye. Bye. Bye.
CAROLE THERIAULT. Lianne, tell me about your new podcast.
LIANNE POTTER. Like a little exclusive here, we've got a new podcast coming out in summer this year. So if you follow us on Compromising Positions, we will let you know when that comes out. But it's going to be called Tech Film Noir, and we're going to be going through films, so your Terminators, your Lawnmower Mans and things like that, and putting them in the historical context.
And we'll also be geeking out, so we'll be looking at what kernels they're using as well, do a deep dive into the code. So it's a good mix of if you like your films and you like your tech, you're going to enjoy Tech Film Noir.
GRAHAM CLULEY. That sounds a lot of fun. Carole and I, we once did with Maria Varmazis a commentary on Zardoz, which—
CAROLE THERIAULT. Against my will. Against my will.
LIANNE POTTER. But Carole, you know, he's such a hairy beast and someone who's also a fan of some hairy beasts.
-- TRANSCRIPT ENDS --