419: Star Wars, the CIA, and a WhatsApp malware mirage

Why is a cute Star Wars fan website now redirecting to the CIA? How come Cambodia has become the world's hotspot for scam call centres? And can a WhatsApp image really drain your bank account with a single download, or is it just a load of hacker hokum?

All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Allan Liska.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • MetaCompliance – MetaCompliance's Security Awareness Planner is your free 12-month roadmap to reduce risk and build a culture of cyber awareness.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


GRAHAM CLULEY. For goodness' sake, he travels for 111 days, 8,000 miles, on a bit of cardboard, effectively, halfway across the Pacific.


CAROLE THERIAULT. Good for him!


UNKNOWN. Well, good for him! And you're saying, oh dear, what a trial it will be to watch a movie with the occasional ad in it.

Smashing Security, episode 419: Star Wars, the CIA, and a WhatsApp malware mirage with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 419. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole, this week we are joined by a special guest, someone who hasn't been on the show for a while. It's our pleasure to welcome back to the stage the ransomware sommelier. It's none other than Allan Liska. Hello, Allan.


ALLAN LISKA. Hello, thank you for having me.


GRAHAM CLULEY. Hi, Allan.


ALLAN LISKA. I missed you all so much. It's so good to be back. I'm a little disappointed that I couldn't get episode 420, but, you know, I'll take 419.


GRAHAM CLULEY. Yep, wait for that one next week, folks. What's coming up this week, Ro?


CAROLE THERIAULT. Well, first, before we kick off, let's thank this week's wonderful sponsors, MetaCompliance, 1Password, and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to be asking the question, why does the cute Star Wars fan website now redirect to the CIA?


CAROLE THERIAULT. Okay, and what about you, Allan?


ALLAN LISKA. I'm gonna talk about a country full of call scam centers that you may not be aware of.


CAROLE THERIAULT. Okay, and I'm looking at WhatsApp and what new scams are hitting it. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, are we all Star Wars fans? How do we feel about Star Wars?


ALLAN LISKA. Yeah, I'm a Star Wars fan.


CAROLE THERIAULT. Yeah, well, are you a diehard? Do you have the Lego?


ALLAN LISKA. So, funny story, my local library has a Lego club, and the kids there had been building TIE fighters and other dark side ships, and I could not let that stand. And I found out that the only way they build ships is if they're donated. So I went and I bought a bunch of Rebel LEGO ships and donated them to the library because I cannot allow the local library to be a harbinger of the dark side.


CAROLE THERIAULT. Yeah, you don't want— yeah, that's not where a library belongs for sure.


GRAHAM CLULEY. Wow. Okay. Well, there are, of course, lots of websites devoted to Star Wars, which have cropped up, I suppose, ever since websites existed. The films themselves have been going for so many, many years. There's lots of them out there. There's the official ones, and there's the ones created by the community as well. For instance, there's a website called starwarsweb.net. And if you went to starwarsweb.net, where once you saw pictures of R2-D2 and Lego sets and kids dressed up as Jedis, now you will be redirected to the CIA's website.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And it's an interesting story as to why that actually happened. And that's what I'm going to be sharing today.


CAROLE THERIAULT. Okay, well, crack on.


GRAHAM CLULEY. Last year, Reuters revealed they had located on the Internet Archive, you know, that place where you can go in the Wayback Machine and see old versions of websites. It located a now defunct network of websites that were used by spies and informants in various countries around the world to covertly communicate with the CIA.


CAROLE THERIAULT. What? So instead of using a messaging app, you would use a weird website?


GRAHAM CLULEY. Who would use a messaging app? These messaging apps could have backdoors.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. The intelligence services could be wise to these messaging apps.


CAROLE THERIAULT. So instead they use a forum?


GRAHAM CLULEY. Well, I will reveal all.


CAROLE THERIAULT. OK, OK. Sorry, sorry.


GRAHAM CLULEY. According to this Reuters report, they found that at least 20 Iranian spies and potentially hundreds of informants had been exposed by using a vulnerable messaging system hosted on this network of websites. One man said he was captured by the Iranian authorities.

He was imprisoned for a decade and subjected to torture. Really horrible stuff.


CAROLE THERIAULT. Because he did what?


GRAHAM CLULEY. Because he was using one of these websites to communicate with the CIA. He was an informant inside Iran.


CAROLE THERIAULT. And he got caught, I bet.


GRAHAM CLULEY. And he got caught doing it. Each website created by the CIA was assigned to just one spy.

Each spy or informant had their own little website. Now it wasn't messagethecia.com. Instead, it would be something like starwarsweb.net.


CAROLE THERIAULT. Oh, they weren't all Star Wars sites.


GRAHAM CLULEY. No, they weren't all Star Wars. I was just thinking that's a bit of a giveaway.


CAROLE THERIAULT. I don't know.


GRAHAM CLULEY. For instance, there was one called iraniangoals.com, which was designed for Iranian football fans. And if you went there, you could see lots of messages about football and videos and message boards and chatting about soccer.

But if you looked at its code, you found some JavaScript located where its search box was. So, like any other of these web forums, I'm sure you've been on lots of these things over the years, Carole, and you too, Allan.


CAROLE THERIAULT. You get a little search box, right? And you type in whatever it is that you want to search, something that you're interested in, right?


CAROLE THERIAULT. Okay.


ALLAN LISKA. I go right for Jar Jar Binks content.


CAROLE THERIAULT. Right. Gross.


GRAHAM CLULEY. It's you that we have to blame for Jar Jar Binks.


CAROLE THERIAULT. You make the SEO happen.


GRAHAM CLULEY. Me so, I'm happy. You're a big Jar Jar Binks fan.

So if you looked at the code of the website, you found this little bit of JavaScript where that search box was. And if you look at the script, you'd find that the search box, they'd actually called it password.

That was the identifier they used on the search box because all the informant had to do was go to the website and in the search box, enter a password. And if they entered the right password, a secret messaging window would pop up on this normally completely legitimate looking Star Wars or Iranian goals website.

And through that, they could covertly communicate with their handlers at the CIA. They could write their message and the CIA could communicate back with them via this website.

The bad thing was that the code, as I said, wasn't very well hidden because it identified that that search box was a password. And in fact, the password was hardcoded into it.

So it was possible for anybody to go to the website and with a little bit of kung fu in their browser, they could actually unlock and cause this messaging window to pop up. So there were lots and lots of websites which were all using the same or similar code.

So there was IranianGoals.com, for instance, which was set up for one informant. There was this Star Wars website set up for another.

There was another one called IranianGoalKicks. And so it went on and on and on.

And the CIA had made it too obvious which of these websites had actually been meddled with. And furthermore, another one of the mistakes the CIA made— I mean, this is basic kind of OPSEC fail.

Was that the IP addresses pointing to these sites were sequential, meaning that after discovering one, it was pretty straightforward for anyone investigating to find others that were very likely in the same network. You must see problems like that all the time, Allan, when you're hunting down these ransomware gangs.


ALLAN LISKA. Oh yeah. I mean, it sounds like a combination of Google dorking and a little bit of quick searches and you find those, and we find stuff like this all the time. In fact, that's how we can sometimes connect ransomware groups, like, oh, they're basically just using the same code.


GRAHAM CLULEY. Yeah. So the authorities in Iran are thought to have found out about these websites around about 2011, 2012. And apparently they'd intensified their hunt for informants after Barack Obama publicly outed a secret Iranian nuclear facility in 2009.

So they went looking, thinking, who's doing this informing? And with a little help from Google, they discovered these suspicious sites.


CAROLE THERIAULT. Well, I imagine they probably tapped certain people in Iran to find out where they were going.


GRAHAM CLULEY. Maybe, but with help from Google, they were able to find out all the other sites as well.


CAROLE THERIAULT. Sure.


GRAHAM CLULEY. Maybe they found one informant and then all the others tumbled out because of all these clues which had been left lying around the net. Now, unfortunately, they did not responsibly disclose their discovery of the vulnerability to the CIA.

Funny that, isn't it? And it was only when the CIA realised that quite a lot of its informants were being rounded up or weren't making contact anymore, for reasons you can probably understand, that they closed down the operation in 2013.


CAROLE THERIAULT. And it wasn't just Iran. Authorities in China, they'd also caught on.

Between 2011 and 2012, more than two dozen CIA assets were reportedly executed in China. So this has serious consequences.


CAROLE THERIAULT. Do you not think every country's kind of doing a version of this, though?


GRAHAM CLULEY. Well, hopefully if they are, they're not doing such bad OPSEC to make it so obvious what the websites are and how to unlock them.


CAROLE THERIAULT. Yeah, it's hard for me to remember back in 2012 what the OPSEC would have and should have been, you know, what was expected. Because of course, I'm putting my 2025 hat on and going, how hilarious.


GRAHAM CLULEY. But yeah, it's always a problem, isn't it? And the thing is, you may have made a mistake in the past and then subsequently fixed that mistake.

But if your website is getting archived, if someone's able to dig around in old versions of the website where maybe you had been a bit more careless, that's not so good, is it?


ALLAN LISKA. I mean, this is one of those things that seems a really good idea on the surface, right? This type of covert communication makes a lot of sense.

You don't have to have a lot of expensive technology. You don't have to use apps that may be hacked. But the execution is just as important as the idea.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. Absolutely. Now, one researcher, a committed Google dorker called Ciro Santilli, he has now taken it upon himself to go digging for these websites.

He's fascinated to know which websites were being created and run by the CIA on the quiet. So using tools like the Wayback Machine, IP history lookups, and DNS records, he's managed to uncover many more CIA-affiliated domains, and they all had these sort of sequential IP addresses and telltale URL structures.

They often included the word news in the domain. And interestingly, some even targeted US allies like Brazil, Germany, France, and Italy.

So it wasn't just nations which would normally be considered hostile to the United States, I don't know, Canada at the moment, Greenland. It wasn't just them who were being targeted.

The situation today is that more than 350 such websites have been identified due to the CIA's carelessness, including beauty websites, fitness websites, entertainment websites, a fan page for Johnny Carson, of all people.


CAROLE THERIAULT. Can you imagine? I have to go every day because I'm some secret informant. I gotta go to some internet café back in 2011, right? And go get beauty reviews.


GRAHAM CLULEY. Or go and write about Johnny Carson.


CAROLE THERIAULT. Right? Ugh.


GRAHAM CLULEY. Now, all this got me thinking, what other ways have people tried to covertly communicate with each other without being spotted by intelligence agencies and law enforcement? And there've been all kinds of techniques. In 2015, there were sources inside Israel's spy agency Mossad, which claimed that members of ISIS and al-Qaeda had been sending coded messages through eBay, for instance.


CAROLE THERIAULT. I'm not surprised. I'm not surprised at all. It's like newspapers. That's what it was before the internet, right?


GRAHAM CLULEY. Yes, in the classifieds.


CAROLE THERIAULT. So you just bury it in the haystack and tell someone where to find it.


ALLAN LISKA. Does anybody then try to offer up a piña colada for getting caught in the rain? Feel free to cut that. That was just a really bad joke that I really wanted to get in there.


GRAHAM CLULEY. I think that joke will go down really well with people of my demographic. I'm not sure all of our listeners will have understood it.


CAROLE THERIAULT. Probably a few. Probably a few.


GRAHAM CLULEY. There's also been talk of online video games being considered a viable covert communications channel. Obviously, some games have got their own in-game chat system. That'd be fairly obvious. But you could also have a real-time strategy game where if you made certain troop movements, or in-game actions that might transmit a message or send a message covertly to someone else. Or I even was thinking, well, you know, these games where you explore the environment, you could take over a lighthouse in a video game and send Morse code messages by flashing the light to someone on the other side of the gaming world. Yeah. So these things are possible.

I was also reading some other ideas people had. If you were in close vicinity to your contact, right? Imagine you wanted to communicate with someone who was fairly close, but you didn't want to use the phone.


CAROLE THERIAULT. Or my mouth.


GRAHAM CLULEY. Or you couldn't use your mouth or SMS or send them a letter. You couldn't use the internet.


CAROLE THERIAULT. Pigeon.


GRAHAM CLULEY. Pigeon. You could rename your Wi-Fi network to communicate discreetly. You could put messages in your hotspot name.


CAROLE THERIAULT. Hi, how are you doing?


GRAHAM CLULEY. Well, it could be encoded as well. Well, you know, to send to somebody. It's another way of communicating. And you think, well, what might the CIA itself use, right? So the CIA set up the Star Wars website, etc., to send these things. But, well, maybe we can learn a lesson from General David Petraeus. He's a former director of the CIA. He was having a bit of a naughty affair with the woman writing his biography.


CAROLE THERIAULT. Of course. Of course.


GRAHAM CLULEY. Not wanting to be found out, they struck upon a way of communicating. They didn't email each other or text or WhatsApp. Instead, they shared a Gmail account. And what they'd do is one of them would go into the account, write a message for the other one, and save it as a draft.


ALLAN LISKA. Mm-hmm.


CAROLE THERIAULT. It's a draft method.


GRAHAM CLULEY. So, it never gets sent. Yeah. And the other one would go in later, read the draft, write their response. Unfortunately for them, in that particular case, a family friend of Petraeus reported to the FBI that she thought she was receiving harassing emails from someone, and the FBI investigated, found the IP address of the person sending them, ended up back with Petraeus's biographer.

Maybe she was getting a bit jealous of this friend of Petraeus, and they discovered that that person was logging into David Petraeus's Gmail account and saving drafts when communicating with him. All kind of embarrassing.


CAROLE THERIAULT. It's just ridiculous. It's just ridiculous.


GRAHAM CLULEY. Well, if the CIA can't get it right for their informants, it seems they also can't get it right for themselves either. And so it's complicated.


CAROLE THERIAULT. It's complicated.


GRAHAM CLULEY. Just go to starwars.com. Because if you go to starwarsweb.net, if you enter that right now, you will end up on the CIA's homepage. Allan, what have you got for us this week?


ALLAN LISKA. Well, when we think of scam centers, big call centers filled with people that launch scams around the world—


GRAHAM CLULEY. Yes.


ALLAN LISKA. What countries do you think of?


GRAHAM CLULEY. Myanmar is spoken about a lot, isn't it?


ALLAN LISKA. Mm-hmm. Myanmar's a big one. Laos.


GRAHAM CLULEY. Yeah.


ALLAN LISKA. We see some in Thailand, but where a lot of people don't know about them is Cambodia. And there's a new report out about Cambodia becoming the center of the global scam economy, largely driven by Chinese organized crime.

It's the same thing in Myanmar, where it's still the Chinese organized crime that's running it. But Cambodia really is becoming a huge part of this global scam network. And in fact, the estimates are that it accounts for about 50% of the GDP in Cambodia now.


CAROLE THERIAULT. 50%?


ALLAN LISKA. Yes.


GRAHAM CLULEY. Wow.


ALLAN LISKA. And now that's just one report, so we take that into account, but roughly $75 billion annually. Obviously those are huge numbers and they're so big that, you know, basically it allows the people who run them to control whatever politicians and law enforcement and everything else and be able to operate kind of unscathed.


CAROLE THERIAULT. Are these people that have kind of been tricked into working there or maybe working there because they've chosen to and they're basically scamming people around the world and defrauding them somehow?


ALLAN LISKA. Right. And the estimate is that the Cambodia scam economy has about 150,000 coerced workers.

Workers is— that's a very loose use of the word workers when we talk. So it is a huge, huge problem in Cambodia. I mean, it's a huge problem in many parts of the world, but I think Cambodia doesn't get the kind of attention that Myanmar and Laos normally do. Again, these Chinese criminal gangs are able to operate there because they're able to control so much of the government because they make so much money, right? And it's one of these things where— and I know you all have talked about this before where it's bad for everybody involved.

Obviously, the people around the world getting scammed, it's terrible. But the people who are forced to do the scamming also are living in horrible conditions and often can be killed if they try and leave or try and escape or anything like that.


GRAHAM CLULEY. They are essentially slaves, right? We can't underline that enough. These people are not doing this willingly at all.


CAROLE THERIAULT. No. And if you've seen, I think it was the New York Times that did an exposé on this, but there was these huge, vast camps of these huge warehouses where they're all working, you know.

It's just a bunch of computers in there and people, you know, without passports, right?


ALLAN LISKA. Right, because all their passports are seized. Modern slave labor. And so that's 150,000 essentially slaves in Cambodia, and then you multiply that by however many are in Myanmar. Yeah, there may be as many as a million people who are being basically forced into slave labor to carry out these attacks. But, you know, that's a million people. How many are they reaching out to every day, and how many people are getting scammed that we just don't know about because it's so underreported as well.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. And do you think that Cambodia has the resources and the expertise to deal with this on its own? Can it handle it, or is this something where they need help from other bodies internationally?


ALLAN LISKA. I think this is something where other bodies are going to have to step in and they're going to have to step in broadly. I mean, we saw this just a few months ago where the authorities in Thailand raided one of these compounds in Myanmar and rescued 7,000 people that were being held captive there. 7,000 just in one compound in Myanmar. You know, it's going to take the larger governments to step in and do this. And yes, because it's the right thing to do, but also protect your own damn citizens, you know, who are getting scammed by this.


CAROLE THERIAULT. Yeah, totally. And China was kind of, I think, putting pressure on Thailand to deal with it. And I wonder if that will happen again, right? Because their interests may be different in this case.


ALLAN LISKA. Yeah, right. Well, you know, it is interesting that on one hand the Chinese government is stepping in to try and help, and on the other hand they're not stopping the actual Chinese mafia from setting up these centers and so on. So the same can be said for any government where on the one hand they're trying to help with one thing, but on the other hand they're causing the problem. Certainly not the U.S. government. We never go around the world causing problems, but other governments engage in that.


CAROLE THERIAULT. It's a bit like the end of Graham's story. It's complicated. It's complicated.


GRAHAM CLULEY. Exactly. Carole, what have you got for us this week?


CAROLE THERIAULT. I'm talking WhatsApp. Do you guys use it? Do you like it?


GRAHAM CLULEY. I can't stand it. I have recently had to start using it because there's some groups who insist upon using it, like my son's football team and that sort of thing. It's like, oh, really? Do I have to use this? To be honest, I think I'm a bit old for all the learning new apps now, Carole. It's a bit of a struggle.


CAROLE THERIAULT. Okay, Allan, what about you?


ALLAN LISKA. Same. I get dragged kicking and screaming into it because it's so pervasive in the world, but it is not my first, second, third, or fourth choice of communication. I would rather go to StarWarsWeb.net.


GRAHAM CLULEY. In some parts of the world, though, I mean, WhatsApp absolutely dominates. It is how people do business with each other. It's how they communicate, how you order things. It's how you buy things in some parts of the world. Thank goodness I'm not living in one of those. But it is everywhere.


CAROLE THERIAULT. It apparently accounts for 36% of the world's population, 2.95 billion monthly active users as of early 2025. Huge. Apparently there's 140 billion messages exchanged daily. Do you know that WhatsApp was turned down by Facebook way back in 2009?


ALLAN LISKA. Wow.


GRAHAM CLULEY. Oh, they tried to sell it to them then, did they?


CAROLE THERIAULT. And Facebook were like, no thanks, no thanks. But then they acquired it for $19 billion in 2014.


GRAHAM CLULEY. So, yeah. And I think the WhatsApp founders, didn't they fall out with Mark Zuckerberg later? And they walked away, didn't they? They weren't happy with what Meta's plans were for it.


CAROLE THERIAULT. Yeah. And there was a bit of irony because soon after the sale, the WhatsApp co-founder Brian Acton defended his decision to sell the company while encouraging students at Stanford to delete their accounts. BuzzFeed quotes Acton as saying, "You go back to the Silicon Valley culture and people say, 'Well, could you have not sold?' And the answer is no," he said, referring to the decision to make the rational choice to take a boatload of money. So I don't know, maybe a moral quandary. Perhaps, but I digress.

Okay. What was the first non-English market, do you think? I love having a little few weirdo facts.


GRAHAM CLULEY. Non-English?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. America. Russia.


CAROLE THERIAULT. Oh, Russia, which is interesting. But India by far has the most users. So 535 million users in India. And the next country is Brazil with 148 million. So India really dominates with the WhatsApp.

So it's a big, fat, well-used service. And of course, as we've seen again and again, when something becomes effectively ubiquitous or is used by a huge glut of people, it becomes a sexy target for baddies.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. So over the years, we've seen a number of scams and malware attacks targeting WhatsApp users from the get-rich-quick schemes, a la crypto scam, or romance scams. You know, that move targets to WhatsApp to get more cozy and personal. And there was that pink theme scam. Do you remember that? This was in 2021.


GRAHAM CLULEY. Oh, I've heard of similar— is this something where it's oh, you can turn WhatsApp pink, you've just got to do this?


CAROLE THERIAULT. Yes. Yeah, my goodness, it's a pink makeover. Yeah, and it was for Android, but downloading it installed malware. In fact, the scam presented itself as an official update, so users were warned not to click the fake APK download link that was spreading around on the WhatsApp groups.

But a smattering of news articles from India this morning reported that a new WhatsApp threat is doing the rounds, one that has a nasty financial twist. So here I'm thinking that this could be perhaps a good story for Smashing Security. We haven't covered WhatsApp in a while, and this attack seems to have a new twist. And the reports are all coming out of India, where we know WhatsApp is incredibly popular.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. But I have concerns that perhaps the story is a little light in the loafers. And maybe you two cyber detectives will show us how to sniff that out.


GRAHAM CLULEY. All right.


CAROLE THERIAULT. So we have Madhya Pradesh, a 28-year-old guy from Jabalpur. And let's imagine perhaps he was chilling out somewhere, right? He's chilling out. Maybe he's enjoying a delicious mango lassi on his break.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. And he receives a WhatsApp message. And the thing is, he doesn't recognize the number, right? He doesn't recognize the number, but Madhya can see the message. And the message is asking him if he knows the person in the attached photo.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. And then his phone rings from the same number, but Madhya doesn't answer the phone, right? And it rings again and he doesn't answer. So—


GRAHAM CLULEY. Right.


CAROLE THERIAULT. So how's Madhya feeling right now, right? He's probably a bit nervous because, you know, he's enjoying his mango lassi and now his phone's ringing, messages are coming in. But you want to know who that person is because maybe you do know them, right?


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. You're curious.


GRAHAM CLULEY. All right. Yes.


CAROLE THERIAULT. I think, am I, Allan? I mean, would you be? I mean, if you take your "I know everything about cybersecurity" hat off.


GRAHAM CLULEY. Quite a large hat, I imagine.


CAROLE THERIAULT. Think of your dad or your mom or someone.


ALLAN LISKA. Right. Right. Yes. If it was one of my parents or maybe one of my kids, despite all the warnings I've given them, they would absolutely need to know and investigate. I would fall for it if it was, you know, can you tell me about this bottle of wine?


CAROLE THERIAULT. Right. It is a bit gamified, right? It presents you with a quest of sorts. Who knows who you're going to see in that picture, where it's going to lead?

Anyway, Madia's probably hovering his finger over the image and decides, you know, I got to see who it is. And in doing that, he downloads the image. And this ends nowhere good because within minutes, Madia's phone was reportedly compromised, and unauthorized transactions drained the equivalent of about $2,000 from his bank account.


GRAHAM CLULEY. Just by viewing the image?


CAROLE THERIAULT. By viewing the image, because he downloaded it. And it seems investigations revealed that malware had secretly infiltrated his phone via the image file, so that when Magyar downloaded the image, it was game over.

The malware was silently installing on his device.


GRAHAM CLULEY. Hmm.


CAROLE THERIAULT. So they're saying it's hidden inside the image itself.


GRAHAM CLULEY. Sounds like a vulnerability in WhatsApp. I mean, they have had vulnerabilities before where you could send certain images or sequences of characters.


CAROLE THERIAULT. Yes, theoretically. They had one in 2019. A CVE was raised about an innocent-looking GIF greeting that was able to hack your smartphone.

So WhatsApp patched this critical security vulnerability in its app for Android, which had remained unpatched for at least 3 months after it had been discovered. And had it been exploited, it could have allowed remote hackers to compromise Android devices and potentially steal files and tap messages. Now, all the reports I've seen, they've only come out today.

They're all— there's a smattering of all the reports are in the show notes, but they're all papers that are— I can validate, but I can't verify as well as the ones that I can do in my own country.


GRAHAM CLULEY. I'm a little bit cautious. There'd have to be a vulnerability in the WhatsApp client to actually run the code, which was hidden inside the image.

Now that is technically possible and there have been vulnerabilities found like that in the past, but it would be interesting to hear what WhatsApp have to say about this. I would imagine that if there is such a vulnerability, they'd be rolling out a patch pretty darn quickly.


ALLAN LISKA. So when you download the image, it's still rendering in WhatsApp though, right? You're not downloading it.

I mean, I know this is going way, way back, but I mean, that used to be a common exploit vector for Internet Explorer. That's one of the reasons why nobody uses Internet Explorer anymore is, you know, you were constantly finding in the image rendering process, you were constantly finding new vulnerabilities to the point where it just became almost impossible for Microsoft to keep up with the patching. But it is really rare now.

I'm guessing the articles didn't mention, but did they say what kind of image it was? Because there are certainly some types that are you have to do this with others.


CAROLE THERIAULT. Nope.


GRAHAM CLULEY. Like whether it's a JPEG or a TIFF or— Mm-mm. I've just done some Googling on this guy, Madja Krol, and there are some reports.

I found one from April 17th, so that's about 6 weeks ago now. I'm dubious. I think that if this had been confirmed, we would be hearing quite a lot about this.

From other sources, including Meta itself. Now, sometimes these hoaxes can spread a lot. Everyone seems to be mentioning the same guy as well, this Madja.


CAROLE THERIAULT. Well, that's my next thing that makes me worried, right? Because when you start doing a round, why is there only one person that's happened to?

So that means what?


GRAHAM CLULEY. Yeah, it means everyone's repeating the same story. I'm wondering if this person lost a whole load of money and is thinking, oh crumbs, you know, I've lost some money or I spent it on the horses.

Maybe I can blame it on a hacker instead. I don't know, I'm just skeptical, I'd love to hear what Meta and WhatsApp have to say about it.


CAROLE THERIAULT. Okay, so I'm going to say good detective work, boys. I think we have to assume it's hogwash.


GRAHAM CLULEY. All right.


CAROLE THERIAULT. And that maybe one media outlet wrote it up and other papers are just copycatting, which means you effectively only have a single source. And you have to ask yourself, is that single source trustworthy?

And you can't assume that because other news outlets cover it, that it is trustworthy. The problems we have here are that all the articles are extremely light on technical details.

Like what kind of image? Is it a vulnerability that was being exploited?

The articles cite one guy, Madhya Pradesh, but in none of the articles did I see him quoted. There's no comment or response from WhatsApp, as you say, Graham.

And unnamed security experts and their companies. I mean, give me a break.

Who in the cyber spokesperson rat race would not want their name in lights? Now, if you are a WhatsApp user, reluctant ones like us or avid fans like 99% of my mom friends, here are a few safety tips that you should definitely consider.

Enable two-factor authentication by using the secret PIN provided by the WhatsApp service.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Check your privacy settings, so you can control who can see your personal info. Control groups.

So WhatsApp groups change all the time. New members come in, members decide to leave.

Make sure you remove old or unknown contacts regularly and block unwanted or unknown contacts. But yeah, in this case, I think we need to wait for further evidence before we believe there is a current WhatsApp image scam that will steal all your money.


ALLAN LISKA. I mean, if you think about it, just a few months ago, you all reported on Troy Hunt falling for a scam. I mean, you know, all of us are susceptible to it.

I think the thing that we benefit from is we're aware that we're susceptible to being able to fall for things like this. And if this does turn out to be a mistake or, you know, a false report, it's good to get out there that this thing is floating around that may or may not be true.


GRAHAM CLULEY. Yeah. And don't forward warnings like that unless you're absolutely sure it is legitimate.

It's easy to fall for these kind of things, Carole. I mean, I can imagine lots and lots of people doing it.

I can understand. But well done, you.

Well done on you for realizing this probably isn't true. Now, the folks at MetaCompliance know that real cybersecurity starts with your people.

That's why their approach is different. They don't just deliver generic cybersecurity training, they personalize it.


CAROLE THERIAULT. That's right. Every employee gets content tailored to their role, location, and level of risk.

It's engaging, it's relevant, and most importantly, it drives real behavior change. MetaCompliance has created a free security awareness planner, your 12-month roadmap to building a culture of cyber awareness.

It's designed to save you time, increase staff engagement, and make it easy to plan meaningful campaigns that reduce risk.


GRAHAM CLULEY. Whether you're just starting out or looking to improve your current program, this planner gives you a clear, structured path to follow, and it's completely free. Download it today and take the first step towards smarter, more effective cyber awareness.

Just visit metacompliance.com/planner. That's metacompliance.com/planner.


CAROLE THERIAULT. And thanks to MetaCompliance for sponsoring the show.


GRAHAM CLULEY. Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.


CAROLE THERIAULT. Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.


GRAHAM CLULEY. You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.


CAROLE THERIAULT. So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff.

Head to vanta.com/smashing to learn more. That's vanta, V-A-N-T-A, .com/smashing. And thanks to Vanta for sponsoring Smashing Security.

Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? Oops, I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?


GRAHAM CLULEY. Well, 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.


CAROLE THERIAULT. 1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps, and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.


GRAHAM CLULEY. So secure every app, device, and identity, even the unmanaged ones. Go to 1password.com/smashing. That is 1password.com/smashing.

And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


ALLAN LISKA. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week is not security related. My Pick of the Week this week. Have either of you heard of the Kon-Tiki?

Nope. No. Or a Norwegian fella called Thor, or Thor Heyerdahl?

Oh, this guy was a hero when I was a child. I remember hearing about this guy. And the other day, my lovely wife and I were cuddled up on the sofa and we thought, what shall we do? How shall we entertain ourselves? And we started talking about the Kon-Tiki. Let me tell you what it was.

In 1947, there was a journey made by a Norwegian explorer called Thor Heyerdahl. And what he did was he led an expedition. He decided to cross the Pacific Ocean between South America and the islands of Polynesia. Right, it's about 8,000 miles.


CAROLE THERIAULT. Wow.


GRAHAM CLULEY. And he did it on a primitive raft made out of balsa wood with no nails, using only tools that would have been available to people a couple of thousand years ago. And he wanted to demonstrate that ancient South Americans could have settled Polynesia rather than the theory which had been at the time that they had come from Asia. And so he set off on this little raft for 8,000 miles.

It took him 111 days, but they managed it. And it is an incredible story of both endurance and death defiance because they really could have come a cropper a number of times. And there is on YouTube the actual film of the expedition, which won the Oscar in 1951 for best documentary. It's brilliant.


CAROLE THERIAULT. I know, I've just, I've known you a long time.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. And there's a lot of words that I would use to describe and ascribe to you.


GRAHAM CLULEY. Thank you very much.


CAROLE THERIAULT. But adventurous person, you know, world wanderer with an adventurous spirit is not one. But you, maybe you live vicariously, I see.


GRAHAM CLULEY. I'm doing it from the comfort of my sofa on this occasion.


CAROLE THERIAULT. That's true.


GRAHAM CLULEY. That is why I'm so impressed by these people who do. I mean, these guys could have died.

I mean, even when they got to the islands, well, first of all, they had to land. There was a coral reef.

They realised they could have died. They were dealing with these huge sharks and whales, which were attacking them as well.

This is all in the movie. And they had a little parrot as well called Lorita.

But it is an incredible story. Once they eventually got to the islands, of course, it was uninhabited.

And so they then had to try and make contact with locals because they had nothing with them to help them to prove that they'd managed it. It's an incredible story.

You can watch it on YouTube. It's called Kon-Tiki, K-O-N-T-I-K-I.

And I'd really recommend it. It's an hour spent, if you don't mind watching old movies in black and white.


CAROLE THERIAULT. And how many ads?


GRAHAM CLULEY. Oh, barely any adverts.


CAROLE THERIAULT. All right.


GRAHAM CLULEY. There may be about 3 or 4 ad breaks in the hour. It was fine.

It was worth it. For goodness' sake, he travels for 111 days, 8,000 miles on a bit of cardboard, effectively, halfway across the Pacific.


CAROLE THERIAULT. Good for him.


GRAHAM CLULEY. Well, good for him. And you're saying, oh dear, what a trial it will be to watch a movie with the occasional ad in it.

Anyway, it's my pick of the week. I greatly enjoyed it.

And can I tell you, Mrs. Cluley greatly enjoyed it as well. So we had a good old time.


CAROLE THERIAULT. Sounds fabulous.


GRAHAM CLULEY. Thank you very much. That is my pick of the week.

Allan, would you want to have watched a documentary like that?


ALLAN LISKA. I would, but I love old black and white films, so—


GRAHAM CLULEY. Well, where were you just now when she was slagging me off? When she was saying, why have you been watching that?

You could have chirped up then, couldn't you? And said, "Yes, Graham, this sounds a wonderful documentary.

I'm going to watch it as soon as I hang up on this call."


ALLAN LISKA. It does sound a wonderful documentary, and I'm going to watch it as soon as I hang up on this call.


GRAHAM CLULEY. Good man. Okay, Allan.


CAROLE THERIAULT. He's lying to you, Graham. He's lying.


GRAHAM CLULEY. Allan, what's your pick of the week?


ALLAN LISKA. My pick of the week, continuing the travel theme, is season 10 of Still Standing is now out on Amazon Prime.


CAROLE THERIAULT. I don't even know what Still Standing is.


GRAHAM CLULEY. What is Still Standing? I'm sure it's going to be very, very good because I actually appreciate your picks of the week, Allan.

So what is Still Standing?


ALLAN LISKA. We live our lives in misery, right? You know, we're constantly dealing with hacks and scams and all this other stuff, and sometimes you just need a little bit of happiness. And so, Still Standing is a Canadian show with host Johnny Harris.

He basically travels to small towns in Canada and does a profile of them, and at the end of his profile, he does a 5-minute sitcom set. But basically the idea is, you know, there are all these small towns in Canada that are struggling, but they're finding ways to survive and change and adapt, you know, as factories close, as fisheries close, etc.

They're finding ways to continue to survive and even thrive. And we get to go to all these amazing small towns in Canada, not on a cardboard raft.

We get to go with Johnny traveling with his crew, and we get to meet all of these cool people in these small towns doing fun, interesting things. Maybe they're making dream catchers.

They're doing all of these fun things, and they're just— It's just really filled with interesting people, and it's just— after a day of misery, it's just so nice to sit back and watch happiness, and it makes me want to go visit every small town in Canada. Ah!


GRAHAM CLULEY. It sounds heartwarming, Allan. Sounds lovely.


CAROLE THERIAULT. Where are you watching this, Allan?


ALLAN LISKA. I can watch it on Amazon Prime in the US.


CAROLE THERIAULT. Okay, okay. I'll take a look for that here in the UK.


ALLAN LISKA. But I think it's also on the CBC website. I just don't know if it's available to watch outside of Canada, or, you know, outside of the CBC website. But Amazon Prime in the US has all 10 seasons of it.


CAROLE THERIAULT. And this is Still Standing. Season 10, you said? Season 10.


ALLAN LISKA. Season 10, yes. But all of the seasons are wonderful. And, you know, and I love Johnny Harris because, you know, he is so sincere and just so interested in all of these people's lives that it, you know, that it just adds to the enhancement.


GRAHAM CLULEY. Who is Johnny Harris? Is he a Canadian institution? Is he someone you've heard of, Carole?


CAROLE THERIAULT. No.


GRAHAM CLULEY. Right?


ALLAN LISKA. So, he is the star of something called The Murdoch Mysteries. So, he is a Canadian actor, but I don't think he's well known outside of Canada.


GRAHAM CLULEY. Okay. All right.


CAROLE THERIAULT. We have a lot of very special treasure that we keep just for the Canadians. And because I don't live there anymore, I don't even get access, so.


GRAHAM CLULEY. Some of them are allowed out though, aren't they? Like William Shatner and Mike Myers. Me? You, yes.


ALLAN LISKA. Bryan Adams, Michael J. Fox.


CAROLE THERIAULT. Celine Dion. Oh, I just watched Eurovision. She was supposed to show up. She never did. It's very sad.


GRAHAM CLULEY. Always got to be a downer, haven't you? Carole, what's your pick of the week?


CAROLE THERIAULT. My pick of the week is a just-opened exhibition at the Somerset Hauser Wirth Gallery. So the Yeti and I were away this weekend in this tiny town called Bruton, B-R-U-T-O-N, in Somerset. And it's a tiny, tiny foodie village and is home to one of the Hauser Wirth galleries.

And it's a pretty swank village. Like, the Spar looks like Whole Foods, right? The Spar is like your corner shop where you go get your whatevers. And this gallery is so beautiful, and it's home to mega contemporary art exhibitions.

And we went to see the Niki de Saint Phalle and Jean Tinguely Myths and Machines exhibition. Links in the show notes. Saint Phalle is known for her huge, dazzling female sculptures, often outside, maybe 15, 20 feet tall, and they're covered with a mosaic of tiles or mirrors.

And they just make you smile and love life. And her partner in art crime, Tinguely, was more focused on recycling dead machine parts into new configurations. They were big in the '80s.

And these configurations are pretty scary. They move as well. It's a free exhibit.

Go for free. You don't even have to book. Just walk around, take a few hours and enjoy it.

And then you can spend your coppers at their fancy farm shop or their fancy bookshop or their fancy cafe restaurant. And you can walk around the gardens. It was great.

Home to Godminster cheddar cheese as well. So you can go by there. So highly recommended pick of the week is the Somerset Hauser Wirth Gallery showing Saint Phalle and Tinguely Myths and Machines exhibition, and it's available till the 1st of February, 2026.


ALLAN LISKA. So wait, a museum with a farm shop and the bookshop? I mean, I can't imagine, you know, if you had a wine bar there, then I might just move in.


CAROLE THERIAULT. And kids love it. Like, there's loads of place for the kids to run around, and it's just really a special spot. That was really great.


GRAHAM CLULEY. Fantastic. Well, that just about wraps up the show for this week. Thank you so much, Allan, for joining us. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for folks to do that?


ALLAN LISKA. You can follow me on Bluesky at ransomwaresommelier.com.


GRAHAM CLULEY. Terrific. And you can find Smashing Security on Bluesky as well, unlike Twitter, which wouldn't let us have a verified account. And don't forget to ensure that you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.


CAROLE THERIAULT. And huge, huge thank you to our episode sponsors, MetaCompliance, 1Password, and Vanta. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 418 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye. Bye.


ALLAN LISKA. Take care.

-- TRANSCRIPT ENDS --