This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Joe Tidy
Like I say, they're having fun.
Unknown
Smashing Security, Episode 423: Operation Endgame, Deepfakes, and Dead Slugs with Carole Theriault. Hello, hello, and welcome to Smashing Security episode 423. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And Carole, we're joined by a special guest, someone who's been on the show a couple of times before. Please put your hands together for BBC cyber correspondent and author, ooh la la, Joe Tidy. Hello, Joe.
Joe Tidy
Hello. Yes, I like that and author bit. That's very new to me, but it feels nice hearing that. I'm saying it as often as possible.
Graham Cluley
Your book's out now, isn't it? Control Alt Chaos.
Joe Tidy
Yes. Been out a few weeks. Yeah. My first book.
Carole Theriault
Congratulations.
Joe Tidy
Thank you very much. A labour of love.
Carole Theriault
How many hours? Come on. How many hours?
Joe Tidy
Well, you know what? I actually worked it out pretty accurately.
Carole Theriault
I bet you did.
Joe Tidy
Because what I did was I would do my working day, put the boys to bed about 8, and then work till about half past 10, 11. Right. And I did that for about a year. I just basically quit watching TV.
Carole Theriault
And talking to your wife.
Joe Tidy
Oh yeah. She loved it. And I think it was probably about 400 hours sat at the laptop, tip-tapping away. And that doesn't include all the other nonsense you have to do around a book. But yeah, a lot of work.
Graham Cluley
Well, you've been busy. I've seen loads of publicity for it and you've been popping up all kinds of places. Well, no, but that's absolutely terrific. How's it going?
Joe Tidy
Yeah, good. Yeah, obviously I've got no frame of reference at all, 'cause I've not done this before. But yeah, lots and lots of nice feedback really. There's been enough people now that are being nice about it to make me think that actually maybe it is a good book, you know, because the first few people you think they're just being nice, but actually no, it's been pretty good. I got some nice reviews in the press and some people have commented on it and it's been a really amazing thing. It's the hardest thing I've ever done, but I've done documentaries and I've done podcasts and all the rest of it. But writing a book has been, you know, massive. I liken it to kind of an Ironman. I've done an Ironman before and it's a bit like that in terms of an endurance race or the sacrifices and discipline, but it's the most rewarding thing I've ever done already in terms of just what I learned and what I'm hearing. And yeah, I'm really, really enjoying it.
Graham Cluley
Well, I was lucky enough to get my copy. I went along to the launch party down in London.
Carole Theriault
Beautiful.
Graham Cluley
Control Alt Chaos.
Joe Tidy
Yes. Thank you for coming.
Graham Cluley
Now, I must admit, I haven't finished it yet, Joe, but that's not your fault.
Carole Theriault
He's probably spent 400 hours reading it so far though.
Joe Tidy
I hope it doesn't take that long.
Graham Cluley
But I can confirm something which you said at the launch party, which is the font is quite beautiful. They've done a lovely, lovely done a jolly job with the typeface.
Joe Tidy
They have, they have. And that's all you're going to say, Graham?
Graham Cluley
Well, I think we're going to be talking a little bit more later on about the book and the story which it covers, which is absolutely fascinating.
Joe Tidy
Ah, thank you. Yeah, I think so. But I would say that. But then again, we're all geeks here, aren't we? So hopefully we'll all find it interesting.
Carole Theriault
Well, two-thirds. Before we kick off, let's thank this week's wonderful sponsors: Flare, 1Password, and Vanta. It's their support that helps us give you this show for free. So coming up on today's show, Graham, what do you got?
Graham Cluley
I'm going to be asking if this is the endgame for ransomware.
Carole Theriault
What about you, Joe?
Joe Tidy
Well, as you know, I'm here for the first time as a salesman. So, you know, roll up, roll up, apples and pears, apples and pears, all that business. I'll be talking about the book.
Carole Theriault
And I'm going to be covering deepfakes and recruitment. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, for years, the fight against ransomware has felt a bit, well, you know, how can I put it? Maybe a little bit one-sided, perhaps something like that. Cybercriminals, they've been swanning around in their Telegram channels. They've been selling access to corporate networks. They've been launching attacks left, right, and center. They've been doing donuts in their Lamborghinis around Red Square. And they have been laughing all the way to the bank, or maybe more specifically, their cryptocurrency wallet.
Carole Theriault
I was going to say, yeah.
Graham Cluley
Yes.
Joe Tidy
The crypto banks.
Graham Cluley
Crypto banks. Meanwhile, however, the cops, law enforcement, they've been telling people to watch out for phishing emails or asking their Russian counterparts, very nicely, one assumes, if they wouldn't mind having a word in the ear of some of those who are responsible for these attacks. There's a good lad. Maybe just give them a nudge. They've been asking nicely for suspects to come in for questioning. And you've thought, isn't this a losing battle? Well, I'd postulate that maybe it isn't. Maybe it looks like something may have actually changed, and it's not all going the way of the bad guys any longer. Because I know over the last few months, there have been lots of headlines about the likes of Marks & Spencer and Co-op and British Library and insurance companies in the States and Victoria's Secret being hacked, all that sort of stuff. But maybe it's not all bad news on the cybercrime front because there has been something going on. There is a police operation called Operation Endgame, which has stormed onto the scene and it's not mucking about.
Carole Theriault
Okay.
Joe Tidy
I've seen this. They've been doing these videos, haven't they? Have you seen the videos they've been putting out?
Graham Cluley
They're extraordinary.
Joe Tidy
They're brilliant. Europol are having such a good time, and it's great to see. They've been using AI, no doubt. I've watched these videos and it looks like they're AI-generated. And they've been basically taking the mick out of all these people that they have uncovered and unmasked as being behind these big ransomware crews.
Carole Theriault
They've done this before, haven't they?
Graham Cluley
Oh, but they've taken it to a whole new level, Carole, with Operation Endgame.
Carole Theriault
Everybody has two sides. There is the light and there is darkness.
Joe Tidy
The EU imposes first-ever sanctions on leading cybercriminals.
Carole Theriault
Yin and yang. Love and fear. On the grand scale of life, most people tip to one side.
Graham Cluley
But some lean toward the other. They exit the light and enter the night.
Carole Theriault
But here's the thing: the scale doesn't tip itself.
Joe Tidy
You do.
Graham Cluley
We'll include some links to these in the show notes. It seems now if you want to be a cybercrime cop, you also need skills to create AI videos with Russian subtitles aimed at the criminal underground. Some of these videos are mocking the malware authors for infecting their own computers with malware. Others are telling them to go straight and turn a new leaf, saying it's never too late to change. They actually, if you go to the Operation Endgame website, and this is a police operation, as I'm about to explain, they're releasing seasons of these videos. You can binge-watch them as if you were sat in front of Netflix.
Joe Tidy
I have. This is my Netflix. It's the sort of life I lead.
Carole Theriault
Now that you don't have to write a book anymore, your feet are up on the desk, popcorn going in the mouth, and watching this.
Joe Tidy
They're brilliant. They're anime and manga, and they're really stylised.
Graham Cluley
Look at me here.
Joe Tidy
I'm setting up a botnet named Qakbot, earning us lots and lots of money.
Graham Cluley
We had success all over the world.
Carole Theriault
Unfortunately, Qakbot was taken down in August 2023, making me feel very sad.
Graham Cluley
The amount of money we had was decreasing rapidly. I was looking for answers to our problems.
Carole Theriault
But without much luck.
Graham Cluley
What's wrong, honey?
Joe Tidy
You seem a little down.
Carole Theriault
Oh, just a bad day at the office, honey.
Graham Cluley
I did not want to let your mom know, kids, but boy oh boy was I worried. And every day I grew increasingly paranoid. So Operation Endgame, it sounds like a Marvel superhero movie, but despite the cheesy name, it has been succeeding in disrupting and smashing up parts of the criminal underworld. And I thought it was worth just talking about some of the ways in which they've been doing that. At the end of May, for instance, Dutch police working with the FBI, they announced that they had taken down—
Joe Tidy
It's always the Dutch.
Graham Cluley
The Dutch are amazing, aren't they?
Joe Tidy
They are absolutely brilliant. They've got such a good cybercrime sort of division or something. I don't know what it is, but they are involved in every single major international operation.
Graham Cluley
I wonder also whether the Dutch have got a history and experience of setting up very hardened anonymous web servers.
Joe Tidy
True.
Graham Cluley
And so maybe cybercriminals have been drawn to hosting some of their operations there.
Joe Tidy
Bulletproof cloud providers, yeah.
Graham Cluley
And then when they become undone, inevitably, obviously, the local police are involved as well. Anyway, for over a decade, this website, AVCheck, offered this really convenient service. What you could do is you could upload a suspicious file you found on your computer, and it will tell you which antivirus products detected it and what they detected it as. A bit like VirusTotal, which you may have heard of.
Carole Theriault
Mm-hmm.
Graham Cluley
And this was an absolute godsend to the cybercriminals because all they had to do was just tweak their malware code, keep on uploading it to this service until it said, nope, nothing detects this, and then boom, launch it into the wild undetected because the site very carefully didn't share uploaded files with security vendors, unlike VirusTotal.
Carole Theriault
Mm-hmm.
Graham Cluley
And that in itself is highly suspicious that they weren't doing that.
Joe Tidy
There's only one reason why you would use that website. Yeah. It reminds me of the DDoS-for-hire services where you can go on and they say, oh, well, this could be for internal testing for your own web service or whatever. And you think, yeah, okay. But that one, there's no disclaimer possible, is there? There's only one reason why I'd use that.
Graham Cluley
Yeah. I mean, why wouldn't you use VirusTotal? Why wouldn't you use the one which everybody uses? So that service was running for over a decade. Makes you wonder how many attacks slipped through because of it. But Operation Endgame brought it to a halt. They took down the site and Operation Endgame didn't stop there. Earlier in May, they also went after initial access malware. Those are the tools that cybercriminals use to sneak into systems before deploying ransomware. We're talking about malware with crazy names like Qakbot and TrickBot and Danabot. Danabot has infected over 300,000 computers around the world. It's caused an estimated $50 million worth of damage. And there've been variants of it actually, which are specifically, it appears, designed to conduct espionage for the Russian state. So Danabot.
Joe Tidy
And you've just reminded me that one of the videos from Europol is Danabot, Danabot. They actually make up a song, don't they? They make up this theme tune for it.
Graham Cluley
Yeah.
Joe Tidy
Yeah, someone said to me once, there's 3 ways that you would take down a cybercrime gang. You could either arrest them, disrupt their infrastructure, or you can unmask them. Because obviously anonymity is part of their power.
Graham Cluley
Yes. So the authorities have taken down the Danabot malware botnet. The DOJ has launched indictments against a number of these Russian hackers. On the same day as they took down Danabot, they also took down Lumma Stealer. There were over 2,300 domains that were hosting Lumma Stealer control panels and payloads. Lumma Stealer was a piece of malware that infected your computer and would extract usernames and passwords from various apps and send them to servers controlled by the attackers. The cops, when they took over Lumma Stealer, they not only put up their sort of standard "This website has been taken down" banner and began collecting traffic about infected victims. They also posted a message to Lumma Stealer's Telegram channel, again, mocking them for what they had done.
Joe Tidy
That sort of stuff is effective though, because, you know, these guys want to seem all powerful in their forums and on their channels and stuff. So if you can rip the carpet from underneath them, or rug pull, as they say, make them look silly, they're far less likely to get anyone following them and using their services.
Graham Cluley
And every time one of these malware service providers, effectively, these cybercrime service providers, gets compromised by the police and that information falls into police hands, it's gonna make cybercriminals more nervous as to who next are they gonna partner with. Is something already being compromised?
Joe Tidy
You love to see it. Yeah.
Carole Theriault
They're probably also getting more backing from kids who are watching the videos going, oh, that's pretty cool. You know, wow, they've got a personality. Wow, the good guys.
Joe Tidy
Who knew? Yeah.
Graham Cluley
I'd like a job as a cyber cop because I get to make videos like that.
Carole Theriault
Right.
Joe Tidy
Yeah, exactly. And that's good. Making the good guys look cool is actually what we need, isn't it?
Carole Theriault
It definitely is.
Graham Cluley
Trust us, we've been trying for decades, Joe. So, Lumma Stealer has really been something of a market leader when it comes to this information stealing market. It's because it's got this simple, point-and-click interface. It means even the thickest cybercriminal could handle it, make money out of what they stole. They could even very easily— there was an option to sell all of the data which you had stolen with this tool on a private marketplace, which was operated by the creators of Lumma Stealer. So they really made it easy. It was like the Etsy of cybercrime. So in just one month, Operation Endgame, which has been running for a while, and had various victories, but they've managed to go after the major tools that help cybercriminals steal credentials and passwords, the tools which help them test their malware to see if it's detected or not and to gain access to networks. This has been a real strategic hit, I think, to ransomware infrastructure. And that, I think, combined with these crazy anime videos with Russian subtitles aimed at the criminal underground. It's doing a pretty good job.
Joe Tidy
Like I say, they're having fun.
Graham Cluley
They are having fun, which is good because obviously, you know, these cops must get fed up. If they're not succeeding in collaring some of these cybercriminals, they might as well have some fun taking the mick out of them.
Joe Tidy
I suppose that the proof will be in the pudding though. So it doesn't always have an impact, because sometimes of course these people will rebrand their services and pop back up and use a different alias. I think there's definitely something to be said for unmasking and embarrassing these individuals who are just men, normally always men, who have got egos and they want to be seen to be all powerful. So, yeah. And you can't arrest them because quite often you can't get hold of them, can't get in the countries that they're in, potentially Russia. So you can do the other two. And sometimes that makes a difference and sometimes it doesn't. That will have an impact. But if Danabot's down, will there be a Jannabot that pops up in a few weeks' time? That's the frustration, I think, with these law enforcement operations is how long-lasting they are.
Graham Cluley
I think you're right, because sometimes they do, yes, rear their head worryingly quickly again. And appear to come back. But of course, you always have to think, is it actually them that are back, or is it the cops masquerading as them? So hopefully that uncertainty will make things better.
Graham Cluley
If you go to the Operation Endgame website right now, you can not only see these videos, you can also see the mugshots of the suspects, some of Europe's most wanted, including some anime drawings of suspects when I guess they didn't have photographs.
Carole Theriault
They should call it Operation Shame, Name and Shame. So that's basically what they're doing.
Joe Tidy
Well, that's what these criminals are doing to companies, their victims, aren't they, all the time? You go on there. And that's what I quite liked about a similar one from— it was led by the NCA in the UK. Smashing Security against LockBit, because they took over the LockBit name and shame website, the leak site. And instead of having the victim companies, you know, normally you have this kind of graveyard-style darknet site where you scroll down, you see all the companies that have been popped by LockBit. Instead of that, they had the names of the people who are part of LockBit and statistics on how many people have been arrested and threats of more action to come. They were the boxes. I really remember that as being quite a strong message being sent.
Graham Cluley
They were practically doxing the cybercriminals, weren't they?
Joe Tidy
That's it, yeah. In some cases, that's all you can do.
Graham Cluley
Yeah.
Joe Tidy
You can't arrest them.
Graham Cluley
Yeah. Because they're mostly in Russia, I guess.
Joe Tidy
Yeah.
Graham Cluley
Russia is allowing cybercriminals to operate with impunity as long as they don't attack Russian companies. So they're not facing justice. So these cartoonish videos, these catchy jingles, all very entertaining. But you're right, they're no real substitute for actual arrests.
Joe Tidy
Yeah.
Graham Cluley
But they are a lot of fun. Joe, what have you got to talk to us about this week?
Joe Tidy
Well, I would like to talk to you about a brand new book that has hit the bookshelves called Control+Alt+Chaos: How Teenage Hackers Hijacked the Internet. So I'm shamelessly using my little slot that you've given me to plug my book. I'm a first-time author, and all the support and help that the community can give me would be wonderful to prove that cyberbooks can be a success. So the book is about, as the subtitle suggests, this trend of teenage cybercriminals on the internet. We have heard over the years so many stories of teenagers finding their way into systems and networks and causing havoc and mayhem and chaos to not only businesses but people's lives. And the thesis of the book is that this is an element of the cybercrime ecosystem that we always underestimate. We don't like to admit that we've been popped by teenagers, hackers in hoodies in bedrooms. We like to think, oh no, it's definitely the Russians or the Chinese or the North Koreans. But actually, quite often, it is indeed little Johnny upstairs when he's not playing Minecraft or Roblox. He's causing problems online. And the thrust of the book, the thread that runs through, is this criminal called Julius Kivimäki, who was a teenage cybercriminal who I interviewed at Sky News when I used to work there, when I was a general reporter. And it was in 2014 at Christmas time. And I don't know if you guys remember this, but he was part of a gang called Lizard Squad, which took down the PlayStation Network and Xbox Live and caused— it was a big DDoS attack, which hit both companies simultaneously. And it meant that about 150 million people couldn't play on their new games or register new consoles.
Graham Cluley
Christmas was cancelled as a result. Exactly. That's one of the names of the chapters. Correct.
Joe Tidy
Yeah. Yeah, we cover this stuff.
Graham Cluley
Yeah.
Carole Theriault
How come?
Joe Tidy
You guys talk about it week in, week out. Well, so he was 17. The other guys were roughly around the same age. They were absolutely loving the attention back then. He did an on-camera interview with me from over Skype. I do it all the time on BBC News and at Sky News before that. He's Finnish, which we put on Sky News around the time. And he was like, yeah, we did it for fun. We did it to prove that we're more powerful than the companies.
Graham Cluley
Why?
Joe Tidy
Why did you do this? It affected so many people.
Graham Cluley
Why we did it? Mostly to raise awareness to ourselves. They should have more than enough funding to be able to protect against these attacks.
Joe Tidy
You say that you're doing it to make sure that people understand the security, or lack thereof, on these networks, but you're laughing when you're talking about it. On the internet, you're obviously bragging about it, but this is a serious thing. There are victims to this, aren't there?
Graham Cluley
Consider the biggest victim Sony and Microsoft, because they actually lost money from this.
Joe Tidy
Do you not feel guilty that you've taken so much enjoyment of gaming away from more than 100 million people over this Christmas period?
Graham Cluley
I'd be rather worried if those people didn't have anything better to do than play games on their consoles on Christmas Eve and Christmas Day. What?
Joe Tidy
And that for me was just such a moment in my career, a kind of fork in the road where I thought, hang on a minute, how can people, especially kids, have so much power with a keyboard and a mouse? And from that day, I just became obsessed with cybersecurity. And I've sort of tried to follow this individual who went missing for a few years after many other cybercrimes and then popped up back in 2022 when he was accused of what is, I would argue, the cruelest cyberattack in history against a chain of psychotherapy centres in Finland called Vastaamo. He hacked in and stole the patient notes of about 33,000 people. And for my money, I can't think of anything worse than having my therapy notes stolen.
Carole Theriault
I don't think my therapist takes notes, so.
Joe Tidy
Oh, well, that's good. Keep it that way. You know, we talk about data breaches all the time, don't we?
Graham Cluley
More than most of us. Yes.
Joe Tidy
But your name, address, telephone number, email address, or whatever, Social Security.
Graham Cluley
But it's more than that though, Joe, isn't it? Because they didn't just take the information, they then contacted the patients. And said, unless you pay up, we're going to publish this online.
Joe Tidy
Step 1, pretty cruel, pretty nasty to steal that data. Step 2, went to the company CEO and tried to get them to pay €400,000, and he wouldn't. So then the kind of final Hail Mary, which is arguably why I put it in that cruelest cyberattack ever, is because, as you say, he then emailed about 27,000 people who he could find email addresses for, saying, "I have your notes." Oh, I thought you'd been saying "coolest."
Carole Theriault
No, I get it. I was going, "Wow, this guy's dark." No, definitely cruel with an R.
Joe Tidy
And in the book, I speak to lots of the victims of this. And the impact it's had on their lives is absolutely immeasurable.
Carole Theriault
Devastating.
Graham Cluley
Yes.
Joe Tidy
But this type of breach, this type of vulnerable data, bear in mind, these people are already quite often vulnerable themselves already. So to have this extra stress on their lives, absolutely unbearable. And there's some suggestion from some of the lawyers that some people even took their lives over this. And the badges on LinkedIn are actually real, aren't they? It's not like a Twitter badge, which someone can just pay for.
Graham Cluley
So Joe, having spent hundreds of hours writing this book and presumably a huge amount of time and experience researching this topic, why is it that teenagers are drawn to this? Have you seen some common explanation as to what's going on?
Joe Tidy
Every single hacker that I've ever interviewed started off in gaming and there's this thing that the NCA actually did in 2015. So, you know, 10 years ago they put this what they call a pathway to cybercrime. They did a survey and they put this out and said, this is by far and away the most likely scenario. So you're a young teenage boy and it is normally always boys. You play games, then you want to beat your friends. So you go on the internet and you find ways to cheat in games. Then you find ways to get more, basically hack the game in a sense and get more kind of powers or whatever. Then you find yourself on cheating forums and hacking forums. Then you find yourself carrying out more traditional hacking. For fun and out of curiosity. Then there's money sometimes that becomes involved, and then serious cybercrime follows. And I think in my book, what I talk about is why? Why does this happen? And why, why particularly do we see this shift from the sort of do no harm hacking to what we see today with teenage cybercrime, how it went dark essentially? And I think the things that I landed on are, first of all, the rise of Twitter. I'd say that that had a big impact because before that, social networks were about being social. People in your network, whereas Twitter was about followers and likes and retweets. So it was about becoming famous and more particularly, more specifically becoming infamous on the internet. So that's how you got these massive gangs rising up and they had logos and they had spokespeople and hacking was sort of brought out of the shadows and made to look cool and fun. And then Bitcoin as well. Bitcoin meant that suddenly you've got really easily transferable money, which you can hide behind as well. And I think they're the reasons why, you know, we've seen some of this teenage cybercrime culture or teenage hacking culture move towards cybercrime.
Graham Cluley
Wow.
Carole Theriault
It's kind of scary though to imagine, like, I don't know, if they're kids and teenagers, I kind of think their kind of ethics and sense of self is not yet fully developed either. So it's kind of like we're letting them down somewhere. Badly without realizing it.
Graham Cluley
This is going on, and the technology is extraordinary, not only in deepfaking the voice and the faces, but also, as you've just suggested, in terms of giving the fake recruitee information to answer the questions. In fact, I have a slight personal interest in this because someone recently launched their service, which claims to be able to help you to get through any job interview online by listening in and giving you the answers. And they've called this damn thing Cluely AI. Yeah, one hacker said to me that when you're a teenager, you've got an invincibility cloak around you. So you don't really care about the damage that's being done. But also, you don't really know as well. So they're using—
Carole Theriault
Right.
Graham Cluley
I don't get to the answer. No spoilers there. It's a very complicated problem. I think, hang on a moment, let me see. Yes, exactly. So, they may well think, well, I'm so young, it's not like I'm going to get locked up.
Carole Theriault
And they can be recruited or groomed for that, you know.
Joe Tidy
Yeah, definitely.
Carole Theriault
By people that are overage saying, look, you can do it, you're under 18.
Graham Cluley
Mind you, I remember someone who was in their late 80s who tried to buy a fake driving license in a pub because they wanted to be able to drive and they weren't able to get a real driving license. And their attitude was, well, they're not going to put me in jail, are they?
Joe Tidy
And even if they do, how many years will it be?
Carole Theriault
At least I'll get dinner. Yeah.
Graham Cluley
So it's called Clueley is how they've spelt it. I think that's right. Yes, Clueley. So C-L-U-E-L-Y. So it's the common misspelling of my name. And my search engine optimization has completely tanked since these guys came along, this AI startup. I know this is why I'm really complaining, but apparently it's— So maybe one day we'll have hackers who are nonagenarians as well. I'm not sure. The other thing which comes through in the book is it's a very, very misogynistic community as well. For sure. Cybersecurity in general is obviously very male skewed because I don't know reasons, I suppose. But in the hacking world, in the cybercrime world, you speak to some— I have spoken to some female hackers.
Carole Theriault
You're locked out. Yes, exactly. Yes. And, you know, is that a bad thing? Exactly. Yeah. And also, you know, if you say it starts with the gaming, a lot of games, most games, especially if you're talking 10 years ago when they might have There's a lot more male-focused games or boy-focused games, I think.
Graham Cluley
Yeah.
Joe Tidy
Yeah. Yeah. Although, did you hear about the Grow a Garden? Did you hear about this one?
Carole Theriault
Yes, I have heard about Grow a Garden.
Graham Cluley
What's that, Joe?
Joe Tidy
So there's this new Roblox game. Obviously, Roblox is a kind of universe of games that anyone can make. And I don't know if Roblox has made it or somewhat a creator on the platform made it. So Grow Your Garden is just you have a really rubbish-looking blocky garden, Roblox style, and you just plant stuff, and then you watch it grow. Literally, that is it. But it's absolutely monstrous. I think they said something like it's broken the record for having 16 million concurrent players. Before that, it was Fortnite, and now this ridiculous grow-a-garden game.
Carole Theriault
But how sad, get them outside.
Joe Tidy
Get them outside. Well, yeah, but you know what? I know. I was picking up my son yesterday from football, and I thought it was so funny and also quite wholesome because all the kids that were waiting to run onto the pitch, boys and girls, were all discussing grow a garden. And I was listening and they were going, oh yeah, I grew a courgette today. Oh yeah, you should see my cauliflowers. And then, and I was, what is going on? And then they all ran on the football pitch and they started playing football in the sunshine. I thought, that's childhood, you know, you can have it all. You can have the computer games and the online life and you can have the offline life and you can be a fully rounded individual. You don't have to go from gaming to cybercrime, which is where my brain always goes, obviously.
Graham Cluley
I think Operation Endgame needs to stop making these videos and start making Roblox games set in people's gardens. And maybe we'll get—
Carole Theriault
TM it, Graham. TM it.
Graham Cluley
Maybe we'll get the overlords of LockBit and other ransomware gangs growing marrows rather than creating malware.
Joe Tidy
Marrows, not malware. That's the campaign.
Carole Theriault
Yeah.
Graham Cluley
Yeah.
Carole Theriault
There we go. And the legislation isn't there. So the companies would have to go, oh yeah, we did hire North Korean workers. Sorry, we just didn't know.
Graham Cluley
Get the t-shirt made right now. That's the slogan. Carole, what have you got for us this week?
Carole Theriault
Okay, we're talking deepfakes. Of course, we know AI has seriously reshaped how many businesses do all their stuff from recruiting people and coding and manufacturing, fulfillment, marketing, sales. The list goes on.
Graham Cluley
While companies and employees often sing AI's praises, we know, we Smashing Security folk know, there's a darker side where AI tech is used for the not so good. Take deepfakes in the business world, for instance. With a veritable cornucopia of AI-powered tools available, people without much training can create highly realistic fake identities. We've heard about scammers posing as C-levels on video conferencing calls to dupe employees into big payouts, right? We even talked about that in the show.
Joe Tidy
There was that big Hong Kong one, wasn't there?
Graham Cluley
There was. Millions was lost, wasn't it?
Joe Tidy
Something crazy, yeah.
Graham Cluley
Oh yeah, okay. Yeah. Yeah. But what I was hoping to talk about today is deepfakes in the recruitment process. So as you'll soon hear, some of these attempts are really rather convincing.
Carole Theriault
And then use solutions to help identify VPNs. And I mean, especially in the cybersecurity industry, you'd expect people to use VPNs, you know, and maybe their exact number, but use a VoIP number instead.
Joe Tidy
Wow.
Carole Theriault
And then they say, of course, in-person onboarding, make that mandatory wherever possible. So I mean, I'm just reading this and thinking this job recruitment has never sounded so fun, you know? So, good luck millennials, good luck Zoomers, bonne chance, and the Alphas, hopefully it'll all be clear and great by the time you hit the market. Wow. That's in 3 years, not even.
Graham Cluley
Goodness.
Carole Theriault
And so the idea is that this needs addressing pronto. And the thing is, we're not just talking about an applicant attempting to put a bit of spit polish on their true identity or to skirt around a background check. It seems there's a mounting concern of organized criminals and nefarious state hackers. So I'm very interested in what you think about this, Joe. Maybe it's teenagers, but these guys using artificial intelligence to pose as remote job applicants in an effort to infiltrate companies from the inside, steal data, hold them to ransom. So a company called Pindrop— this is a company that offers tools to help detect fakes— but they did a spot of research last week saying it has seen applicants from across the globe creating as US-based candidates. So they name Russia, China, Pakistan, and parts of Africa. So they have this interview candidate they called Shamar, and he sailed through the initial screening, right? So Shamar's resume looked like a perfect match for the role. They were looking for a software engineer, so he had experience building scalable systems in Python and Go. He had familiarity with cloud environments like AWS and direct alignment with key technologies in their stack. So they're interested. Shamar even referenced contributions to real-time systems in sensitive environments. That means absolutely nothing to me, but they say that is exactly the kind of language that catches the eye of recruiters and hiring managers alike. So they were basically running this job search, and they were then looking at everyone that was coming in to see if they were deepfaked or not. They write that his work history checked out too. So he held roles for 2 or 3 years at a time with a clear and logical progression from junior to senior positions. His resume was well-structured, clean formatting, concise bullet points. I mean, everything that AI can do these days.
Joe Tidy
He's perfect. He's so perfect.
Carole Theriault
Even his LinkedIn profile looked legit, which is why he didn't raise any flags. I haven't seen mine in 10 years. So his LinkedIn profile included a verification badge, the kind that LinkedIn displays when a user has verified specific information, like their identity or employer, that sort of stuff.
Joe Tidy
Yeah, but then some of the talent is abroad, isn't it? I was on it and I'm afraid it hasn't kept my attention. And then, you know, we're meant to be in a globalised world where you can work from anywhere and, ah, yeah.
Graham Cluley
No, that's right.
Carole Theriault
Yeah.
Graham Cluley
They were a bit more careful, aren't they?
Carole Theriault
Yeah. So basically, nothing felt off. And this is from a company that's looking for these things. And it was the kind of resume that they say they see, they trust from experienced engineers in today's remote talent market. However, in their postmortem, they reported that Shamar used high-fidelity face swap, clear audio, strong English fluency, fast response times, and long polished answers, some of which were likely to be AI-assisted. And they figured that out by apparently coming prepared to detect for AI-assisted interviews by pre-testing the questions against common LLMs to anticipate potential responses. Is it spelt correctly? Well, they love you now because you've just given them a load of—
Graham Cluley
Right.
Joe Tidy
They'll put that on their promos. Exactly. AI upstarts.
Graham Cluley
It's helping people with their real-time conversations and helping people fake and cheat at everything in order to pass job interviews.
Joe Tidy
Deepfakes are a strange technology. I was thinking about this the other day. It's a little bit like we were talking about with that AV testing cybercriminal service. I can't really think of a good use of the deepfake technology. We've got this way of swapping faces now. And if you're a Hollywood producer and you're making a film or whatever, I can see how that will be useful. But—
Carole Theriault
Well, no, not Face/Off. You don't need deepfakes for Face/Off, surely.
Joe Tidy
Actually, you just get John Travolta and whoever it was.
Graham Cluley
Just get him to play the other part. That's right.
Carole Theriault
So basically the name of the game is you listen to tunes and you put them into a chronological musical timeline.
Joe Tidy
But I was thinking about it, you know, obviously deepfakes came in and they've become, like many industries, turbocharged by porn. And, you know, I can see that as being a use case that is unethical. Illegal in some cases, of course.
Joe Tidy
But then what else is there? You hear about deepfakes being used to victimize women and for people to use them for BEC scams and stuff like that.
Graham Cluley
Sextortion as well of young people.
Joe Tidy
Yeah, I can't really think. I wish we could put it back in a box. You know, I know you can't. As a technologist, I shouldn't be saying that, but there are some technologies that you just think, why? Why is it here? It doesn't feel like it's a good idea.
Carole Theriault
Another thing they had in their postmortem was that his LinkedIn profile had successfully passed the identity verification through CLEAR using a Jamaican government-issued ID. So that was a kind of, "Oh, that's odd," since he claimed to be a US-based person.
Graham Cluley
I have to say, this appeals to my competitive nature.
Carole Theriault
And the IP address found across two of Shamar's interviews was linked to a known Astrill VPN range, an anonymization service repeatedly cited by Mandiant and Unit 42 from Palo Alto as a key obfuscation tool used by DPRK, also known as North Korea.
Joe Tidy
So there's your red flags.
Graham Cluley
I think I'd be quite good at this.
Carole Theriault
There's your red flags. But they had to dig quite deeply.
Joe Tidy
Yeah, exactly.
Graham Cluley
It's the Wombles, for goodness' sake. Come on.
Joe Tidy
The North Korean worker stuff is absolutely fascinating, isn't it? There's this whole industry of potentially thousands of North Koreans who run multiple jobs at the same time, earning normal wages. And if it goes wrong, there have been cases where they steal the company's data on their way out and use that as another way to make money.
Carole Theriault
Yeah.
Joe Tidy
I think it's just fascinating to me. But then if you're funding the regime, you could get yourself in trouble because of sanctions. Oh, it's a nightmare.
Graham Cluley
Yeah, it is quite astonishing. I've also seen people say, well, get the person you're interviewing to share their screen in case they've got other, but again, they're ready for that now. They can really convince you that they are genuine and they're not necessarily. And of course, remote working has opened up so many more opportunities for this.
Carole Theriault
Now, advice, right? Be interested in your take on these. Here's some advice to prevent being duped by deepfake candidates.
Joe Tidy
Throw your computers in the sea, do everything in person.
Graham Cluley
Exactly.
Joe Tidy
Yeah, that's it.
Carole Theriault
So, before you do that, you might want to consider tools that aid detection. So, maybe foolproof vetting, which I don't understand how you could do. A robust identity verification process that includes verifying all contact details and working with specialized providers for sensitive roles. Ka-ching! That adds a zero to your process. Train interviewers, educate those responsible for hiring about candidate fraud and how to spot suspicious behavior. But that's the problem, it's really hard to spot. Require candidates' camera be on during interviews, ask in-depth questions, and watch for evasive answers. But again, I think anybody in a job interview is going to give something evasive at some point, aren't they?
Joe Tidy
Yeah, I'd come across very suspicious.
Graham Cluley
Exactly. Yeah, well, I've never done— I'm not in a managerial position, but I know from speaking to my boss, hiring is already really, really hard. So you add in all these layers.
Carole Theriault
Or hire local, you know, go back to the old days. Come on in. Come in for coffee. Graham would be "sorry, I'm a very busy man and I don't drink coffee."
Graham Cluley
And sometimes they claim to be based in your country as well.
Carole Theriault
If you're a security or IT professional, you've got a mountain of assets to protect: devices, identities, and applications. It's a lot, and it can create a mountain of security risks. Fortunately, you can conquer that mound with 1Password Extended Access Management. Over half of IT pros say discovering SaaS apps is their biggest challenge. With the growing problem of SaaS sprawl and shadow IT, it's not hard to see why. Trelica by 1Password inventories every app in use at your company. Then pre-populated app profiles assess SaaS risks, letting you manage access, optimize spend, and enforce security best practice across every app your employees use.
Graham Cluley
So take the first step to better security for your team by securing credentials and protecting every application, even unmanaged shadow IT. Learn more at 1password.com/smashing. That's 1password.com/smashing.
Carole Theriault
There are lots of threats out there affecting businesses, but what if you could see them all and exactly how they impact your organization all in one place?
Graham Cluley
Well, with Flare, you can. Flare gives security teams real-time visibility into cybercrime forums, Telegram channels, Stealer Logs, and darkweb marketplaces, so you're not blindsided by the threats.
Carole Theriault
Flare helps you prioritize real risks and kick off remediation fast so your team can move from awareness to action before any damage is done. Think of Flare as your exposure management platform built to help you detect, prioritize, and respond with lightning speed.
Graham Cluley
Sign up now for free at smashingsecurity.com/flare. That's smashingsecurity.com/flare.
Carole Theriault
And thanks to Flare for sponsoring the show.
Graham Cluley
Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.
Carole Theriault
Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
Graham Cluley
You see, Vanta allows your company to centralise security workflows, complete questionnaires up to 5 times faster, master and proactively manage vendor risk to help your team not only get compliant, but stay compliant.
Carole Theriault
So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff. Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A, dot com, slash Smashing Security. Smashing. And thanks to Vanta for sponsoring Smashing Security.
Graham Cluley
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week.
Joe Tidy
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Carole Theriault
Better not be.
Graham Cluley
Now my pick of the week this week is not security related. Are either of you on Mastodon? Do you remember when the whole world was going crazy about Mastodon? Everyone said, oh, we'll go to Mastodon because we hate Twitter now.
Carole Theriault
I don't think the whole world was, but—
Joe Tidy
Yeah, maybe a few.
Graham Cluley
Oh, there was a lot of talk about it.
Graham Cluley
Shame on you. I am still there. I'm on Mastodon. There's actually a lot of cybersecurity-related stuff people out on Mastodon. You may want to consider it, Joe. Okay. But I used to use the standard Mastodon web client on my desktop computer, but I found it a real pain because that's my own personal account. But there was also the Smashing Security account, and to switch between both of them, I had to log out and then log in again with a different password and then go in and out. Oh, I was getting really frustrated with it, and I wanted something that wasn't going to irritate me on my desktop, and I have found it. So for those 3 of you listeners who still use Mastodon, this is my recommendation. It's called Phanpy. Now it's spelt a little bit peculiarly. It's P-H-A-N-P-Y, phanpy.social, and it is free.
Joe Tidy
Do we know why it's called that?
Graham Cluley
Oh, I don't know why. I think it may have been created by an Asian chap. And so maybe it means something in his particular language. I don't know which particular part of Asia he's from, but it is a free website. It's a minimalist Mastodon web client, which can handle multiple accounts, runs entirely inside your browser. So you can use Chrome or Safari or Firefox. Doesn't gain access to your accounts, which is obviously really important. Has some nice features like a catch-up, which shows you a sortable list of posts within the last hour. We can make it up to 12 hours. Doesn't scroll infinitely, so you can feel you're done. It's really helped me get a proper handle on my Mastodon presence. I am on Bluesky as well, and LinkedIn, and those sort of places too, but it's really helped me in terms of Mastodon. And that is why my pick of the week is Phanpy, P-H-A-N-P-Y, dot social.
Joe Tidy
Don't you just miss Twitter? It just makes me miss Twitter.
Carole Theriault
The name?
Joe Tidy
The place, you know, it used to be my favourite website on the internet. And it's gone.
Graham Cluley
From about 10 years ago. Yeah, I did. Twitter was my favourite, I have to say. And something went badly wrong with Twitter, didn't it? It's hard to put our finger on exactly what went wrong. But—
Carole Theriault
Oh, there was a lot going wrong before then too.
Graham Cluley
Yeah, you know, it's a lot worse now from what I've seen.
Joe Tidy
Phanpy is the future.
Carole Theriault
Dry your tears, guys.
Graham Cluley
Joe, what's your pick of the week?
Joe Tidy
My pick of the week is not security related. It's not technology related. It's not even audiovisual related. I'm afraid I'm going to choose something really, really sad, but something that I just cannot get enough of. It's my mini pond in my garden.
Graham Cluley
Mini pond.
Joe Tidy
The time before last I came on your show, I talked about my wildlife camera and now I'm talking about a mini pond. And yes, if you put the two and two together, I am a garden geek when I'm not on my computers.
Graham Cluley
When you're not on your Roblox garden. Yeah, no, I'm not growing anything. Unless you count sort of maggot fly larvae and stuff like that. But it just brings me pure joy and it's just fascinating.
Carole Theriault
I can bring over bags and bags of snails and slugs for you. My garden's full of them, all of them ruining my plants.
Joe Tidy
But if I throw them in the pond, will they die?
Carole Theriault
Oh, probably. I don't know.
Joe Tidy
I don't know. I did actually get back from holiday once. I went on a two-week holiday, which is very rare. And I could smell the pond from the other end of the garden. I was like, what is going on? And I walked up to it and there were about 40, no joke, I counted them, dead slugs just floating in the water. And I've no idea what happened. I think one or two fell in. And of course slugs eat slugs. So I think a few of them went, oh, that looks tasty. Fell in, another one went, that looks tasty, fell in. So over the course of two weeks when I wasn't there doing my usual—
Carole Theriault
They're like lemmings.
Joe Tidy
Yeah, exactly that. Yeah, I'm normally there doing pond husbandry, as I call it, you know, tidying it up and sorting it out. And without me to remove the carcasses, I think it can quite easily become a death trap. So that aside, mini pond, everyone should have one. They're awesome.
Carole Theriault
Amazing.
Graham Cluley
Fantastic. Carole, what's your pick of the week?
Carole Theriault
Well, my pick of the week is a board game. So I've chosen Hitster. Not hipster, but Hitster.
Graham Cluley
Hitster.
Carole Theriault
Yeah. And I discovered this game a few years ago, but I had some friends over on the weekend and we played it and it was a total gas. So I thought I'd share it with you guys.
Joe Tidy
Oh. So the first player to have collected 10 hits in the right order is crowned the winner. And that's it. So you get this box of 300 cards, you pick a music card and scan the QR code.
Graham Cluley
Are these modern songs, Carole? Are they songs that I'm likely to know?
Carole Theriault
From the last 100 years. So they have a century of songs. So some might be more modern. You might be less aware of them, less au fait, but the ones from the '50s and '60s.
Joe Tidy
I would be terrible at this.
Carole Theriault
One app drawback is the app dependency, right?
Graham Cluley
That's a bit annoying, isn't it?
Joe Tidy
Because you can't, I was thinking you could do that on camping, but then you need signal and stuff, don't you?
Carole Theriault
Well, you can do it, I think. You could play, as long as someone's playing the Maestro, they would just be able to have a list of the songs, play them, and then you could make a list. I think you could do it pen and paper as long as someone's playing it. Who was going to be the boss.
Joe Tidy
Oh, I see.
Graham Cluley
Do you get told the name of the song and the artist, or is that a secret? Do you just get to hear it?
Carole Theriault
No, no, you just get to hear it, and I think you can get extra points if you can name the artist, if you can give the exact year. It's quite fun. Check it out.
Joe Tidy
My sister would be expert at that.
Carole Theriault
Mm-hmm. Yes, and actually, Joe, not being good at it is actually very fun as well.
Joe Tidy
Yes, because you can embarrass yourself.
Carole Theriault
People then, everyone goes, "How do you not know this?" You know, and everyone loves that. So that's my pick of the week. It's the board game Hitster with a T. Enjoy.
Graham Cluley
Fantastic. Well, that just about wraps up the show for this week. Thank you so much, Joe, for joining us today. I'm sure lots of our listeners would love to find out what you're up to and follow you online and maybe find out some more about your book. What's the best way for folks to do that?
Joe Tidy
Yeah, usual places really, LinkedIn and Bluesky, and Instagram as well.
Graham Cluley
And can you remind us what your book's called again?
Joe Tidy
Control Alt Chaos.
Graham Cluley
That's it. And very good it is too. And you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
Carole Theriault
And huge, huge thank you to our episode sponsors, 1Password, Vanta, and Flare. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 422 episodes, check out smashingsecurity.com/podcast. Smashingsecurity.com.
Graham Cluley
Until next time. Cheerio. Bye bye.
Joe Tidy
Bye. Bye bye. 424. That is amazing. Congrats, guys. That is seriously good.
Graham Cluley
It's bonkers.
Joe Tidy
Why does Twitter not want you to have a G?
Graham Cluley
Oh, people sometimes ask that. We don't have an account up there any longer, but the simple basic answer is it was too many characters. So we had to drop one of them. Yeah.
Joe Tidy
Right, I see. So it used to be Smashing.
Graham Cluley
Yeah, Smashing Security perhaps. You see, it's all very clever. Very clever.
Carole Theriault
We are very clever.
EPISODE DESCRIPTION:
In this episode, Graham unravels Operation Endgame - the surprisingly stylish police crackdown that is seizing botnets, mocking malware authors with anime videos, and taunting cybercriminals via Telegram.
Meanwhile, Carole exposes the AI-generated remote hiring threat. Could your next coworker be a North Korean hacker with a perfect LinkedIn?
And BBC cyber correspondent Joe Tidy joins us to talk about "Ctrl-Alt-Chaos", his new book diving into the murky world of teenage hackers, ransomware gangs, and the strange motivations that lie behind digital mayhem.
Plus: competitive pond husbandry, dead slugs, Hitster the board game, and a shoutout to the AI startup that hijacked Graham's SEO.
All this and more is discussed in episode 423 of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault - it's like a cauldron of life... but for cybersecurity.
Warning: This podcast may contain nuts, adult themes, and rude language.
Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Flare - Uncover the latest threats across the dark web and Telegram. Start your free trial today.
Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!