413: Hacking the hackers... with a credit card?

April 17, 2025
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

I want you to think of Nigeria. Oh yeah, Nigeria the country. I want you to think—

Graham Cluley

Well, as opposed to Nigeria the flan. What do you do?

Carole Theriault

Take a deep breath, take a deep breath.

Unknown

Sorry, I'm still recovering. Smashing Security, episode 413: Hacking the Hackers with a Credit Card with Carole Theriault and Graham Cluley.

Graham Cluley

I am Cluley. Hello, hello, and welcome to Smashing Security episode 413. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

Carole, what's coming up this week on the show?

Carole Theriault

Well, first, before we kick off, let's thank this week's wonderful sponsors: Dashlane, Drata, and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham Cluley

I'm going to be looking into a side hustle for hackers.

Carole Theriault

A side hustle for hackers? And I'm heading to Nigeria, the birthplace in the case of the 419. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, a Swiss cybersecurity outfit with the rather amusing name of ProDaft.

Carole Theriault

I don't know, I think I would just, I them already.

Graham Cluley

Okay, anyway, ProDaft, they have launched something called the SysVPN Initiative. Now that's SYS as in S-Y-S, not C-I-S. Yeah. And I couldn't work out when I was reading about this what actually S-Y-S stands for. It could be Surveillance, Yes Sir, or Shady Yet Sanctioned, or Sell Your Secrets, as you will begin to find out when I explain what it is.

Carole Theriault

I always assumed it was System.

Graham Cluley

System Initiative? Well, you know, let me tell you what it's all about. Because ProDaft is a threat intelligence operation. Oh, so they collect information as to what all the bad guys are up to. And they say that they want to get a step ahead of the cybercriminals.

Carole Theriault

Right. Right. Right.

Graham Cluley

To gain better access, to have greater observability, greater vision as to what is going on out there. They say that they have decided to purchase underground forum accounts from people who've created hacking accounts.

Carole Theriault

So they're buying up basically shitty accounts that have been used for bad stuff.

Graham Cluley

Exactly so.

Carole Theriault

From bad people.

Graham Cluley

From, one would assume, bad people.

Carole Theriault

Right. Or a negotiator, a middleman, whatever.

Graham Cluley

Yeah, it's not creating an Amazon account or a PayPal account. You've probably installed Tor, you know, you've gone on the darkweb. And of course, there's lots of legitimate reasons why you might do that. But you've also gone to a breach website or a cybercrime site where they're discussing how to hack into businesses, where they're discussing the sale of data which has been stolen. They want to see what the cybercriminals are planning, what they're saying to each other, what they're up to in order to give the companies who pay them for their services some intelligence, some better protection than maybe otherwise they would have. And they say that by searching for patterns and tactics and observing techniques and procedures that the criminals are putting into operation, you can better understand the bad guys.

Carole Theriault

Okay, maybe, maybe. Yeah.

Graham Cluley

So they are saying they are going to buy from existing users their forum accounts, which will allow them to then enter these underground networks and use them to gather intelligence. They can detect and mitigate potential cyberattacks. In short, if you've got an account on an underground cybercrime forum, ProDaft might be prepared to buy it from you. And that's all great, of course, that's terrific. But the activities of cybercriminals lurk in the shady corners.

Carole Theriault

Okay, can we just remember this when I tell my story? Because this could be a— this is very interesting. There's a little weird connection there. Okay, carry on, carry on.

Graham Cluley

They are out there on the deep darkweb, on underground forums. Now, this is part of how ProDaft are selling this. And ProDaft wants to ensure that it isn't blocked from seeing what they are up to. On their webpage, they say, you know, maybe back in 2015, you were diving into topics that were a little bit too risky to search for on Google. And these Swiss chaps at ProDaft, they've come up with this interesting approach.

Carole Theriault

Mm-hmm.

Graham Cluley

Or perhaps in 2020, when you were trying to buy things online that seemed suspicious or dangerous, substances, they say, that claimed to cure a virus, maybe you created an account, they're saying. It doesn't matter, they said, what you were doing back then. What matters now, they say, is whether you want to move past that part of your life and leave it behind for good. Wow.

Carole Theriault

This is really interesting. I like this a lot.

Graham Cluley

They say that anyone who's been involved in these activities and is now looking to turn the page, you don't have to explain your past or answer any questions. No judgment, they say. No questions asked. Just a simple, secure transaction which will benefit both of us.

Carole Theriault

Is this bull poop? Is this all bull poop? Is this all a weird—

Graham Cluley

Well, I wondered that. And in their FAQ, they do have the question there saying, is this all a wind-up? And it doesn't appear to be. It appears that this is genuine. Now I'm beginning to think, did they just post this on April 1st? And I've only just discovered it.

Carole Theriault

That happened to me before. Do you remember? I wrote a whole story that turned out to be an April Fool's joke. We had to re-record. I fell for it hook, line, and sinker.

Graham Cluley

Oh my goodness. That was a while ago.

Carole Theriault

And see, listeners, I don't even remember which one it was, so I can't even give you the callback.

Graham Cluley

Could've been any of them. Now they say they are going to do their due diligence, right? So one would They say no judgment, no questions asked, just a simple, secure transaction that benefits both sides and helps you leave that old life behind. They say this is your opportunity to step away and start a stress-free life without the weight of your past holding you back. assume there's a Now they don't say how much they will pay you for your cybercrime account. Presumably it varies.

Carole Theriault

It's not about money, Graham. Everything about you doesn't have to come down to dollars and cents. This is a way out. This is a way towards the right way, towards the light.

Graham Cluley

bit of shadiness going on. Well, then they could donate it, Carole. No, no, they are going to pay money. That's the whole thing. They are saying they are going to buy it. They just don't mention how much. It's not as though I've got a whole bunch of accounts, Carole, that I'm planning to sell to some Swiss outfit called ProDaft.

Carole Theriault

Are you sure?

Graham Cluley

They say that their team will carefully analyse the account. Assess its value, verify what it has access to, and then make an offer. And they say the payment will be secure. One imagines it will be in cryptocurrency. They say for full transparency, all purchased accounts will be reported to law enforcement. I guess they want to make sure that they don't have their collars felt in the future. So they say that we now own this account, we're using it for research purposes. However, they say they will still strictly protect the identity of the seller and not disclose it any further.

Carole Theriault

When you hear my story, you will not believe that this is your story.

Graham Cluley

Okay.

Carole Theriault

That's all I'm saying.

Graham Cluley

What do you think about this though? Does this feel legit?

Carole Theriault

I love this.

Graham Cluley

You love this?

Carole Theriault

Well, I don't want to talk too soon because I have a whole section which ties in very well. So you're going to have to wait. You're going to have to wait for that opinion.

Graham Cluley

All right. They say, "While we guarantee anonymity for sellers, we will also conduct due diligence to ensure that the accounts we acquire have not been used for illegal activities that cross ethical or legal boundaries." I wonder how much—

Carole Theriault

I have a problem with that.

Graham Cluley

—due diligence they do. Okay, what's that? Well, okay, I have two problems so far. So one is they want to do their due diligence. Are you saying ProDaft may be scammed?

Carole Theriault

No, no, I'm saying ProDaft might get inundated with requests and their due diligence that they promise might go out the window if they're suddenly getting 100,000 email addresses, you know, people going, "Hi, save me, save me, save me." And two, if the account has done something bad, I mean, surely if they were a successful scammer or hacker, that account will have been used to do something bad. Well, yes. So why would you turn them away? Surely the goal should be, let's get those accounts, learn from them, check the metadata, la la la la.

Graham Cluley

I guess the perception would be that it wouldn't be good to give those guys money. Yeah, we'll talk about that in my story.

Carole Theriault

Sorry, don't mean to plug your bloody story again. I think incentivizing bad people to get off the streets and giving them a way out is kind of key to this whole story and actually to mine.

Graham Cluley

Okay. All right. Stop plugging your story. That's later in the podcast.

Carole Theriault

Well, we should have done our stories in reverse, it turns out. As if that would ever have happened. As if I ever could have had the first go.

Graham Cluley

Now, get this, get this. On the website, they have testimonials from cybercriminals.

Carole Theriault

I've never been so happy. I've seen the light.

Graham Cluley

It's not clear if these are people who have sold their accounts to ProDaft. I think they haven't. I think they're just saying ProDaft really know their stuff compared to other threat intelligence companies. Anyway, I was interested in what the conditions were, and the conditions are that your accounts should have been registered before December 2022.

Carole Theriault

Not quite sure why that is. And it says your account is not on the list of the most wanted by the FBI or any other law enforcement agency. So they've got an FAQ and they say, "Is this legal?" They say, "Imagine giving up clothes you used to wear during your emo era. And while you might have created some nice memories when you were wearing them, you know it's time to let them go and close this chapter of your life." See, I don't know if I like that combination, because I had a lot of very cool clothes when I was in my 20s, and I've given them away to people, and I regret it so much. Anyway, but I agree. I like this. I like this.

Graham Cluley

So on one hand, it seems clever. It seems almost brilliant, doesn't it? You want visibility into closed criminal networks. You want to know what ransomware groups are plotting before they hit your local NHS hospital. Pay someone with access and boom, you've got instant threat intelligence. But the problem is, are we fighting cybercrime by funding it? You're giving money or at least incentive to people who've either participated in cybercrime or benefited from it, or they're fueling these forums by logging in and participating in the discussion. It's like saying thank you for all the hacking which you've been doing. Here's some cash, go away, tell your story in the public speaking circuit.

Carole Theriault

Sorry, do you have an opinion column in The Telegraph?

Graham Cluley

Well, I think a lot of people would agree with me that this is ethically a little bit questionable. I mean, I can see both sides of this, yeah. But there is a risk that we are sheltering people who've participated in cybercriminal activities from facing the consequences of that.

Carole Theriault

What do you think they should do? Go to jail for 20 years?

Graham Cluley

It all depends on what they've done, doesn't it? Right. And there is a line clearly between active participation and passive observation. So if you're just lurking in a crime forum versus engaging or posting or posing, I wonder whether that sort of barometer, the ethical barometer, changes as to just how dodgy you are and whether that would actually change our opinions as to whether this is acceptable or not.

Carole Theriault

Thank you, Philosopher Cluley. Thank you very much. Because another thing to consider is that hackers hack other hackers. What's to stop a hacker stealing control of an underground account from another hacker and then profiting by selling it to ProDaft? Is that what you write for?

Graham Cluley

Your answer to every question can't be, do I write for a right-wing newspaper?

Carole Theriault

It can be a question. It turns out rhetorical questions can be very useful tactics in a negotiation, actually, I think you'll find.

Graham Cluley

I think you'll find. So, I don't know.

Carole Theriault

Phase 2. Phase 2's coming, don't worry, we got part 2 coming up.

Graham Cluley

My feeling is if accounts are sold without the original owner's explicit consent, in other words, there is a danger someone might sell accounts they don't rightfully own, then some poor other hacker could be being ripped off. Now, do we care about them being ripped off? I suspect most people wouldn't care about them being ripped off, to be honest, if they're cybercriminals.

Carole Theriault

Are you starting a charity? No, no. Another question. I'm not sure. We're looking forward to your treatise on the topic.

Graham Cluley

Well, I think I've asked lots of questions. I haven't had any answers from you which I found acceptable.

Carole Theriault

Well, I bet you can't. I want you to think of Nigeria.

Graham Cluley

But it appears that we've reached the point where cybercrime doesn't pay, it just invoices. And that's where we're going from now on.

Carole Theriault

Oh, yes. Nigeria, the country.

Graham Cluley

It seems — seems a little bizarre, but that is the world we're living in today. Thank you very much.

Carole Theriault

I want you to think—

Graham Cluley

Now, I can't wait, Carole, to hear your story this week. Well, as opposed to Nigeria, the flan. What do you do? So they're saying that when you were a hacker,

Carole Theriault

Take a deep breath.

Graham Cluley

Take a deep breath. Sorry, sorry, I'm still recovering.

Carole Theriault

And I want to know what comes to mind when I say the word Nigeria. It's big. It is. It's the most populous Black nation on Earth.

Graham Cluley

it was a bit like you were into emo Right. And it's home to the 419 scam. music, but you've now moved on.

Carole Theriault

It is. Unfortunately, that is one of the ways that we in our industry describe Nigeria, right? Scams.

Graham Cluley

Yeah.

Carole Theriault

As you say, in the 1990s, that was when the Nigerians attained notoriety for defrauding Westerners of millions of dollars. And basically the way it worked is you got contacted and asked to pay an admin fee to help you move large amounts of money from one country to another with the promise, right? You had a promise that you'd be rewarded with a cut of the cash later on. Yeah. And these became known as the 419 scam after a section of the Nigerian Penal Code that tackles such crimes. But I found, according to a 2019 BBC article, Nigerians who are generally religious also linked the aptness of this number, the 419 number, to the Book of Psalms, chapter 41, verse 9, which seems to describe the typical advance fee fraud. And it says, quote, "Mine own familiar friend in whom I trusted, which did eat of my bread, hath lifted his heel against me." So I'm no Bible buff, but yeah.

Graham Cluley

Are you going to explain that to me, Carole, what that meant?

Carole Theriault

No.

Graham Cluley

Oh, okay. It speaks for itself. It speaks for itself. Maybe not.

Carole Theriault

These days, according to the Global Anti-Spam Alliance, investment scams are rampant in Nigeria. Right. And regular Smashing Security listeners will remember that we've covered investment scams very recently, episode 411. But things seem to be taking a turn because Nigeria perhaps no longer wants to be known as the hotbed for investment scammers and romance scams and phishing scams and all the rest. Yeah. And it's working with Interpol and 6 other African countries to crack down on scammers in the region. And according to the latest press release from Interpol, Nigerian police have arrested 130 people, including 113 foreign nationals, for their alleged involvement in cyber-enabled scams such as online casino and investment fraud. And the suspects who converted proceeds to digital assets to conceal their tracks, so threw it into bitcoin or crypto, were recruited from different countries to run illegal schemes in as many languages as possible. And Nigerian authorities have established that some of the people working in the scam centers may also be victims of human trafficking, another topic we've covered recently, you know, forced or coerced into criminal activities. So overall, the investigation led to the seizure of 26 vehicles, 16 houses, 39 plots of land, and 680-odd devices. This operation was delivered through Interpol's African Joint Operation Against Cybercrime. So a very easy-to-remember acronym: AFJOC. Okay. And this is an initiative funded by the UK's Foreign Commonwealth and Development Office. So kudos to the UK for investing in something that will make a difference internationally as well as on UK soil. But here's the bit I wanted to bring up for discussion with you. And I have written here, in my notes, I was like, Graham's gonna think my thinking is naive. No change there. But I know you'll point that out.

Graham Cluley

Okay.

Carole Theriault

So it doesn't matter. So, okay, during all this is going on, right, so Nigeria's cracking down on these scammers. They're arresting people left, right, and center. And a 28-year-old internet fraudster voluntarily surrendered himself to the Benin Zonal Directorate of Economic and Financial Crimes Commission, another very easy acronym, EFCC. Right, he did this last week, declaring his desire to abandon cybercrime and turn over a new leaf, Graham. Okay, and in a statement issued by the EFCC on Friday, the commission disclosed that the suspect, and that he's remaining anonymous, was involved in romance scams where he impersonated foreign nationals to deceive victims into fake love relationships online. So quote, "I tell my victims that I am from China and that I work as a medical doctor in a war-torn country. My victims are foreigners who I deceive into love relationships. I communicate with them in Chinese using a mobile app translator."

Graham Cluley

Oh boy.

Carole Theriault

"I profess my love for them by telling them how beautiful and attractive they are." Right, he says his decision to surrender stemmed from a deep sense of fear and a need for personal transformation.

Graham Cluley

Isn't this interesting? Okay, yes, it has a parallel with my story. Yeah, okay, it does have a parallel.

Carole Theriault

And listeners may not know that we don't - you know, discussed before, but here's proof. So this got me thinking, right? Say you were a scammer, a decades-old scammer, knee-deep in illegal poo-poo. And perhaps you found out it wasn't all cracked up to be, you're anxious all the time, or you don't like how you're being treated by your big scam boss, or the moral weight of what you've been doing is weighing on your shoulders. I don't know.

Graham Cluley

But you want out.

Carole Theriault

I do. What do you do is my big question. I started Googling and I found it really difficult. So I'd like you to try. So say you're that person, right, you're a scammer, you want out. Where do you go? Is there a playbook of how you get out?

Graham Cluley

Well, couldn't you just take a new job? Couldn't you just become a pizza delivery guy or something? Stop, just stop. Yes, I mean, that seems the easiest way, isn't it?

Carole Theriault

But maybe you need someone to hold your hand, a bit like Alcoholics Anonymous or something, or an addiction. Maybe it becomes a lifestyle that you need assistance with. Well, I suppose the money—

Graham Cluley

I mean, you could get used to the money, couldn't you? And you could have ended up buying a house or making some expensive purchase which you need to pay off. And you think, how am I going to afford to pay this without continuing the crime? I can imagine that.

Carole Theriault

See, I would like them to be able to go to an outfit like ProDaft and say, hey, I'm in trouble here. But if the account has been used for illegal activity, maybe they're not into that.

Graham Cluley

I was unclear on that. I guess all these Nigerian scammers need to create accounts on underground forums and then try and sell them to ProDaft. If they created thousands and thousands of them and made them convincing and alluring enough.

Carole Theriault

I don't know. I just thought this was excellent advice for tech and government listeners, right, to create a campaign to incentivize scammers to get out of the business. Come clean to authorities and help them legitimize their skills for the good of the world. And—

Graham Cluley

Well, they've already got incentive schemes, Carole, haven't they? It's called stay out of prison. That's the incentive, isn't it?

Carole Theriault

That's not how incentives work, right? That's a stick and not a carrot. And I know that you live in a different world than I do. I feel that maybe some people are brought up in a neighborhood where we don't know how different cultures work, but in Nigeria, it seems very clear that the big kings of the scammer world are the ones driving around the flash cars, wearing the flash clothes, looking cool, looking great, and basically setting the whole tone for the kids who are trying to grow up there. And if they had a different option, like someone saying, "Hey, get in touch with me." Because they have both verifiable and anecdotal information on operations and where they were working. You know, they're so intimately aware of the lay of the land. Surely that could be a useful resource in the search of bad actors causing financial havoc via phishing, romance scams, whatever.

Graham Cluley

One imagines there are Nigerian cybersecurity firms who may be looking for expertise and people who've maybe, you know, poacher turned gamekeeper. If you trusted them, you may want to have someone who's experienced as to how you scam people to help in terms of education, help in terms of raising awareness inside companies. So that would potentially be a method of doing this.

Carole Theriault

You see? So maybe we don't have to say, "Oh, have you learned your lesson? You should go to prison for 80 years."

Graham Cluley

Very good. Stolen credentials are the number one cause of data breaches, and there's a better way to solve that password problem, and that's with Dashlane.

Carole Theriault

Dashlane is doing what others aren't: providing complete credentials and password management, preventing employees from adopting poor password habits, streamlining secure access, and simplifying workflows.

Graham Cluley

And with Dashlane, you get real-time phishing alerts to stop employees from taking the bait, and you're protecting your data with patented security and the very strongest encryption available.

Carole Theriault

So what are you waiting for? Give Dashlane a try today at your work or at home. There are versions of Dashlane for both personal home use and business use, and by being a listener to Smashing Security, you get savings off both. Save 25% off a new business plan or 35% off a new personal premium plan by visiting smashingsecurity.com/dashlane. That's smashingsecurity.com/dashlane. And thanks to Dashlane for supporting the show. If you are leading risk and compliance at your company, you are likely wearing 10 hats at once, managing security risks, compliance demands, and budget constraints, all while trying not to be seen as the roadblock that slows the business down.

Graham Cluley

But GRC isn't just about checking boxes. It's a revenue driver that builds trust, accelerates deals, and strengthens security. That's why modern GRC leaders turn to Drata, a trust management platform that automates tedious tasks so you can focus on reducing risk, proving compliance, and scaling your program.

Carole Theriault

With Drata, you can automate security questionnaires, evidence collection, and compliance tracking. You can stay audit-ready with real-time monitoring, and you can simplify security reviews with Drata's Trust Center and AI-powered questionnaire assistance.

Graham Cluley

Instead of spending hours proving trust, build it faster with Drata. Ready to modernize your GRC program? Visit drata.com/smashing to learn more. That's drata.com/smashing. Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.

Carole Theriault

Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.

Graham Cluley

You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.

Carole Theriault

So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff. Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A, .com/smashing. And thanks to Vanta for sponsoring Smashing Security. And welcome back.

Graham Cluley

And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. Better not be. Well, my Pick of the Week this week is not strictly security-related. It is a movie, a French movie, Carole Theriault, called — and maybe you'll be able to translate this because I know you're pretty familiar with the old franglais — Boîte noire.

Carole Theriault

Mm-hmm. Mm-hmm.

Graham Cluley

Which, as you may have guessed, is all about aeroplanes. It is a French thriller, which is great from my point of view because it absolutely means there will be subtitles. Something you can sleep through. I always love to have subtitles on, whether it's in English or not. But if it's a French thriller, you know there's going to be subtitles. It absolutely wins in my book. This is the story of a chap who is a forensic analyst, and he is called in after a jet airliner mysteriously crashes in the Alps. And he's trying to investigate the black box because he thinks there's something strange that's been recorded on it. And then his boss goes missing, and he's stepping in at the press conference, and he hears something which sounds like, 'Was that someone trying to get into the cockpit?' Or, you know, 'What's going on here?' Anyway, it's really good fun. It's well acted. It's thrilling. And it's not too showy.

Carole Theriault

Is this in the theatres or is this on telly?

Graham Cluley

It was in the theatres a few years ago. It's just been on BBC. So it's on iPlayer. You can go and catch it up there. That's where we watched it. Okay, Black Box. And I'll also link to — it may be on other services as well as BBC iPlayer. I'll link to the trailer too. So I think it came out about 3 years ago, but it's good fun. And what I like about it is the pace of it. You know, it's not always bang wallop. It's a bit more thoughtful. It's quite good fun. And actually, there's some bits of it, Carole, which may be familiar to you because some bits of it are a little bit like editing a podcast because he's listening to the audio and he has the sound waves on his screen and, you know, he's sort of zooming in on them and listening intently. Rather like we listen so intently to the recording of every episode of Smashing Security to make sure it's utterly pure by the time it reaches your lug-holes, ladies and gentlemen. Anyway, the name of the movie is Black Box. It's great fun. I'd recommend it. And that is my pick of the week. Boom. What's your pick of the week, Carole?

Carole Theriault

So over the weekend, I was taken out by friend of the show, Anna Brading. We went into West London and had a little fancy schmancy dinner. And then we went out to see Katherine Ryan performing her Battleaxe tour at the Palladium. Who is Katherine Ryan?

Graham Cluley

Really? Well, I mean—

Carole Theriault

Can you just Google her while we're talking?

Graham Cluley

Let's just have a look. Katherine Ryan. Is it Katherine with a K? Yes. Oh, it is with a K. Oh, I know her. Isn't she Canadian? Yes. So many Canadians on this show.

Carole Theriault

So, Anna got seats in the fourth row. So, we were right up there. And she came down, Katherine Ryan came down with no warm-up act, wearing heels and feathers, saying basically, we all get to get out of there by 9:45. And isn't that the goal?

Graham Cluley

And also, she gets more of the cash.

Carole Theriault

And she says that. She's like, why would I share? This was her 70-something event doing this comedy routine, this Battleaxe tour. So think about that. There is definitely an art form to keeping material fresh on delivery. One that you've given 70 times? Right? Anyway, so she truly owned the stage. I think it's the best live comedy I've ever seen. I've seen quite a few. I really liked her punchy, daring, un-PC, peppered with adult humor. But just the confidence of her on stage was quite a delight to see. But the controversial bit was that she was told by lawyers a few days before she did this show that we went to see to take out a whole section of her act because it revolved around a male British comedian and podcaster whom I don't find at all funny or charming or good.

Graham Cluley

She has spoken publicly about him before. Yes.

Carole Theriault

On, I think it was on Louis Theroux's Interviews With is where it all kicked off. You guys can go find that.

Graham Cluley

And he's now been charged, hasn't he? That particular individual who we're not naming. Yes, charged with multiple sexual offenses. He, of course, denies all charges. With something else, I suppose, yes.

Carole Theriault

And you know what, Miss Katherine Ryan, you stole from my show, Sticky Pickles, because she basically said, text me your dilemmas and I'll advise you on them on stage.

Graham Cluley

Did she also tell any anecdotes about artificial intelligence and the changes that's making on society, which would be a bit more like my podcast? No, it was more sticky fingers.

Carole Theriault

It was very funny. I mean, there was even a question about butt munching and I blushed, right? Because I'm a total prude face, as we all know. And because I was so close to the front, I got called out by Ryan. She looked right at me and said, yes, ma'am, it happened. She ma'am'd me.

Graham Cluley

I got ma'am'd. Oh my God, Carole. A large mammary happened. Yeah. My pick of the week goes to Katherine Ryan. If you get the chance to see her, you will see a top-notch comedian at the top of their game. Just don't sit in the fourth row, obviously. And that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which shouldn't let us have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

Carole Theriault

And huge, huge thanks to our episode sponsors, Drata, Dashlane, Vanta, and to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest lists, and the entire back catalog, more than 412 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio, bye-bye. Bye!

EPISODE DESCRIPTION:

A cybersecurity firm is buying access to underground crime forums to gather intelligence. Does that seem daft to you?

And over in Nigeria, even if romance scammers would like to update their LinkedIn profiles, just how easy is it to turn a new leaf after a sweet-talking career in cybercrime?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Sponsored by:

  • Dashlane - Protect against the #1 cause of data breaches - poor password habits. Save 25% off a new business plan, or 35% off a personal Premium plan!
  • Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.
