Facebook crime forums existed unchallenged for up to nine years

Sophisticated technique known as ‘searching’ allowed security researcher to find them.

Graham Cluley

More and more companies are trying to scare the willies out of Joe User about their personal information possibly being traded on the “dark web”.

Hmm. The truth is that, more often than not, you don’t have to go as far as the dark web to find users’ identities and personal information. Often personal data is being shared in broad daylight. Perhaps it has even been openly traded on Facebook… for years.

Cybersecurity blogger Brian Krebs spent just a couple of hours last week hunting for the Facebook forums used by fraudsters, and what he discovered is alarming.


With no special tools, and just Facebook’s rudimentary search facility, Krebs uncovered over 100 forums that have been engaged in identity theft, credit card fraud, spamming, and denial-of-service attacks.

Virtually all the groups made no special effort to hide the criminal activity they were engaged in, openly advertising what they were about in their group names.

In total, Krebs counted more than 300,000 members of these groups – a staggering figure even if you consider that there was likely to be some overlap in membership. And approximately ten percent of the groups had been active on Facebook for more than four years (some had existed as long as *nine* years) without apparently being on the receiving end of any hassle from Facebook itself.

Krebs tipped off Facebook, who quickly shut down the pages. But why wasn’t something done sooner by Facebook itself?

The problem is that Facebook doesn’t care. Although it’s quite capable of writing code that might detect some of these suspicious groups and report them to its security teams (after all, it seems to have no trouble building far more complicated facial recognition code when it suits it), it would prefer to leave it to Facebook users to police the site for it.

It’s down to Joe User to report any groups that might be in breach of Facebook’s community standards.

Brian Krebs only spent a couple of hours looking for Facebook groups engaged in criminal activity, and he limited himself to English-speaking forums and groups with more than 25 members.

There will be more offending Facebook groups out there, but Facebook is waiting for people like you to tell them about it.

The fact that these groups existed unchallenged for up to nine years suggests that Facebook is simply not interested in proactively hunting for them itself.

Maybe you shouldn’t worry quite so much about the dark web, and concern yourself more with the regular web instead.

You can hear more discussion about this topic, and much more besides, in this episode of the “Smashing Security” podcast:

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

You say he's a powerful guy, but Brian Krebs doesn't have 702,048 followers on Twitter, Carole, like some people do.

Bj Mendelson

That's true, and I can tell you though—

Carole Theriault

You're just jealous, Graham, it's disgusting.

Unknown

Totally, totally. Smashing Security, Episode 74: Smashing Security Isn't Bullshit, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to another episode of Smashing Security, episode 74. My name is Graham Cluley.

Carole Theriault

I am Carole Theriault.

Graham Cluley

And we're joined today by a special guest, new to the show, BJ Mendelson. BJ, you're the author of Social Media is Bullshit and a new book entitled Privacy and How to Get It Back. Welcome to the show.

Bj Mendelson

Well, thanks so much for having me. You know, I'm really happy that that second book title does not have a swear word in it.

Carole Theriault

I was just thinking, do we have to censor the name of this book?

Graham Cluley

Yes, we will.

Carole Theriault

It's going to be Social Media is Beep.

Graham Cluley

Bull. I think bull is all right, isn't it?

Bj Mendelson

That's how Amazon abbreviated it. If you go to search for it within Amazon, it'll only go to bull and then stop.

Graham Cluley

Oh really? Now, BJ, I'm fascinated by your first book, Social Media Is Bullshit, came out. So you're obviously not a big fan of social media, right?

Bj Mendelson

That's putting it mildly.

Graham Cluley

So explain to me how somebody who thinks social media is bullshit— I'm going to be putting in that bleep sound a lot. Has 702,048 followers on Twitter that you nurture.

Bj Mendelson

So I've been on Twitter for about a decade now. I did my best for about 5 years to troll as many of those followers as I could and get rid of them. I succeeded in doing about 300,000. But where those people came from, Twitter— this is a little bit of a history lesson for Twitter. When they first launched, they used to have a little sidebar on the right back when it was just marketing people talking about how great Twitter was. They would suggest other accounts to follow. And I was very early on there writing jokes as a comedian. So it was me and then the guy from Marvel, Agent M, and then a few other people that were on the sidebar being featured. And then during the depression, which I don't call it a recession, I call it the depression here in the States, because that's what it was. During the States when I was working as a mall Santa, I got really desperate to find a job. And so I applied to Twitter to be their secretary because I don't know a thing about coding or anything else. So I said to them, hey, you know, I'm a breast cancer advocate. I'm doing this thing on the side where we're raising money for different nonprofits. Could you promote my account the same way you used to? I didn't hear anything from them for about two months. And then all of a sudden, they roll out this suggested user list. And so it was 30 celebrities, and then you would scroll down the list, and then there was my ugly face at the very... And then here's the best part. You had to bulk follow everybody. And so no matter what you did when you signed up for Twitter, you would follow Bill Cosby back when he was a comedian, not a monster. You would have Bill Cosby and all these comedians and celebrities that you would be following me. So that's, you know, I was almost up to a million followers at one point.

Bj Mendelson

You know, and that's sort of where the

Carole Theriault

Did it go to your head?

Bj Mendelson

book came from is because I realized real

Graham Cluley

No.

Bj Mendelson

fast it didn't matter.

Carole Theriault

They weren't going to go to your funeral if something—

Bj Mendelson

Exactly. Well, they wouldn't meet me at the Dunkin' Donuts.

Carole Theriault

They wouldn't even meet you for a donut.

Graham Cluley

We'll all go to Bill Cosby's funeral. That's what he's hanging on for. Don't worry, Bill, we'll be there.

Bj Mendelson

Well, let me tell you, so the best part was, so my ex-wife and I— and this is why she's my ex-wife— we decided to do this nationwide breast cancer outreach tour, and we had the bright idea of doing it entirely through Twitter. So we would go to different places and be like, hey, if you're on Twitter, come and meet us at Washington, D.C. and come to the Dunkin' Donuts or come meet us at the Sheraton in Raleigh, North Carolina. And so no one showed up. And this is with a million followers. And so I said, all right, maybe, maybe they're shy. Maybe they're like me and they're just, you know, antisocial atheists like I am. And so, right, lazy antisocial atheists, which is the title of my next book. And so I was like, all right, let's do a fundraiser for a nonprofit. I'm going to ask all 1 million of you or whatever it was at the time to donate $1. And if you could do that, then this will be, you know, even a fraction of you do that, this will be a big success. And can you guess how much money we actually raised?

Carole Theriault

I'm going to guess.

Bj Mendelson

Yes. But the funny thing is the answer is no. So what I'm finding is I have a very small, I have a cult following is what I, how I describe it.

Carole Theriault

I'm going to say 1,500 quid, 1,500 bucks.

Bj Mendelson

Social Media Is Bullshit is a cult classic around the world. You know, it was printed in Russian and Polish and Spanish and all over the place. And so what I found though is that no matter what I do, if it's a comic book or talking about the book, I have the same thousand or so people that will show up and interact with me. Lower. No. And then occasionally there's a couple of drive-bys that don't involve bullets, I'm pleased to say. But that's it. My audience is mostly people that read about me or listen to podcasts. Yeah, it was $1 and it was donated by my ex-wife. And so after that, I was kind of like, okay, either I'm doing something wrong or it just— It's not people that follow me on social. On social, it's just that core group that I've had since 2008.

Carole Theriault

They're all bots, right?

Bj Mendelson

Or it's bots, or it doesn't work the way it's been advertised. And so I started to do the research and that's where Social Media Is Bullshit came from.

Graham Cluley

How fascinating. But you must have been able to use this platform to support the other things you do. You said that, you know, you're a comedian and you're a comic book writer.

Graham Cluley

Hey, yeah, I mean, you've got 2,508 followers on Instagram. That's 2,508 more than I have.

Bj Mendelson

Well, they're probably all bots.

Graham Cluley

They're probably all under the control of Vladimir Putin, aren't they?

Bj Mendelson

Well, either that or they're from Bangalore. And I can tell you for a fact because I hate the term growth hacking, but I ghostwrote a book for a tech company CEO and it was about growth hacking and all the funky bullshit that companies like Airbnb and Facebook actually did to grow and not what they were telling people. And so we went and we were working with bot farms and all that. So I have no doubt that most of those Instagram followers are probably based out of Bangalore and were part of that project. Thanks to MetaCompliance for supporting this episode of Smashing Security. People are the key to minimizing your cybersecurity risk posture, and MetaCompliance makes this easier by providing a single platform for phishing, cybersecurity training, policy, privacy, and incident management. Listeners can get a 10% discount off the high-quality cybersecurity e-learning catalog by quoting the code SMASHING. Just visit www.metacompliance.com. That's www.metacompliance.com. And welcome back. Now, as you know, and you're probably aware of this, some big companies are now doing their utmost to scare the willies out of us, aren't they, about the dark web and the personal information that has been exchanged about us and shared between criminals on the computer underground. And there seems to be a lot more awareness of the dark web right now, and it seems that more and more companies are using the phrase the dark web to get you interested in things. I saw an ad from Experian, for instance, recently, which featured none other a cybersecurity celebrity than Rudy Giuliani. And let's take a look at it right now.

Bj Mendelson

With constant cybersecurity threats, Americans need to take responsibility and protect themselves from identity theft.

Carole Theriault

That's why Experian monitors the dark web globally and alerts you.

Graham Cluley

The thing I love about this video is, do you see how he's looking at his smartphone? That look he has as he looks down at his mobile, that sort of old man look of—

Carole Theriault

I can't see my screen really. I'm pretending I'm looking at it.

Graham Cluley

It's like I'm peering at this thing and I have to hold it this far away.

Bj Mendelson

Now, every American needs protection from the dark web. Protect yourself and your family.

Carole Theriault

So this is Rudy Giuliani of New York fame.

Bj Mendelson

Alleged America's mayor.

Carole Theriault

Friend of Donald Trump.

Bj Mendelson

Yes.

Graham Cluley

Who runs a computer security firm that no one's quite sure what they do.

Bj Mendelson

Is that true for most security firms, that no one really knows what half of them do?

Graham Cluley

Yeah, but at least most of the computer security firms claim what they're doing on their web pages, whereas this one keeps it a bit quiet. Maybe that's the definition of proper security. We're not going to tell you what we do, for God's sake. Just give us your cash.

Bj Mendelson

It works well in the States.

Graham Cluley

Videos like this are very good about worrying people about the dark web and thinking, oh, you should do a dark web scan for your information. But sometimes this exchange of your personal information is being done in broad daylight on places like Facebook. And maybe sometimes it's been going on for years and years. Facebook has just deleted over 100 private discussion groups which were helping identity fraud and cybercriminals share information and get involved in these various crimes. And it's been going on for years uncontroversially, completely cool in the open.

Carole Theriault

So Facebook were aware of these discussion groups and chose to turn a blind eye. And now because of all the pressure, they've gotten rid of them?

Graham Cluley

Not quite. No. What happened was this: cybersecurity hero Brian Krebs, who we all know, of course, he spent a couple of hours last week using a highly sophisticated technique called searching to find these groups on Facebook. So he was sort of putting credit cards, you know, carding, spamming, botnet help desk, DDoS.

Carole Theriault

Legit terms that anyone of us would apply to cybersecurity and cybercrime.

Graham Cluley

Lo and behold, he found hundreds of these groups. In fact, he found groups which contain more than in total 300,000 members. And they were just openly advertising what they were doing. You know, they weren't claiming to be the Black Hand Gang or something like that. They weren't being all sort of, "Ooh-hoo," you know, a bit mysterious about things. It was right there. And you could apply to join these groups, and then you could begin exchanging your credit card details, or rather the ones that you'd stolen from other people, with other criminals.

Bj Mendelson

Any story involving Facebook where they say they don't know, it just frustrates me because I know for a fact that they do know, and they've just succeeded over the years of just pretending that this stuff is magic and, oh wow, well, I didn't know that was happening. It's a lot like, do you remember this story with the Fappening over on Reddit?

Graham Cluley

Yes.

Bj Mendelson

Yeah, where the pictures were there for over a week, and then finally Reddit turned around, went, oh, this is happening in our backyard, we'll get rid of it right away. Yeah, yeah, they do, because they had most of their traffic for the past two weeks was coming from people looking at those pictures, right?

Graham Cluley

Because they were nude female celebrity photos, weren't they, which had been stolen by hackers and placed up on Reddit and many other sites. And they were on all the social networks, I'm sure people were posting them up there, but they were claiming ignorance. The thing is, even though Facebook's community standards don't allow the sale of illegal goods or services such as credit card data used by online fraudsters, right, waits for users to report the activity. And the criminals who participate in this group are unlikely to report the group which they are profiting from. So all it takes is someone like Krebs just to spend a couple of hours noodling around on Facebook, and he finds so much evidence of this, some of which had been going on for, you know, well, up to 9 years these groups had existed and nothing had happened. It's only when you report these groups that Facebook's team then, you know, sort of races into action. To review them and consider what it should do and hopefully locks them down. Now they have shut them down in this particular case, but far too often Facebook doesn't really seem to be policing itself. It's leaving it up to you.

Carole Theriault

Pretty hard to police though. It's pretty ginormous and I'm not defending them, but you know. Whoa, hang on a minute. I mean, they're kind of hiding things. No, no, no, no, no, no. Facebook had— I kind of understand the cybercriminal's point of view on this. Pretty smart, right? I mean, there's millions and millions and millions of people on there. Let's just hide in plain sight. Let's just call our group Cybercriminals Unite.

Graham Cluley

Facebook has the resources to build a facial recognition database to analyze every image which has been uploaded and compare it to facial templates which it's collected of all these other Facebook users, and then auto-suggest, oh, that could be a photograph of your Auntie Marge. It doesn't have any problem with that. What is so difficult about them writing a routine looking maybe for common phrases being used by criminals online and then tipping off their team to say, maybe you want to have a look at these groups. 9 years gone. On average, around about 2 years these groups had existed.

Bj Mendelson

Yeah, one of the things that frustrates me is— so I've worked with a lot of startups, including companies in the Valley, and people who have worked at Facebook. The basic answer is they don't want to spend the money.

Carole Theriault

Yeah.

Bj Mendelson

Yeah, and that's what I mean. I hate to sound like that, but that's what it comes down to. I've always had this discussion of, well, why don't you just hire more moderators? And you always see the same expression across Silicon Valley where they furrow their brow and then they say, well, humans don't scale. Yeah. So we don't want to pay for it, basically. And so whenever I see stories like this, I mean, it's true. It's easy to hide in plain sight because no one is sitting there monitoring this stuff. But the other side to it is that it's just not a priority for them. As long as it's not a priority, they're just not. This has been going on for years. You could buy fake traffic on eBay right now, and I can tell you for a fact that eBay knows that you can purchase fake traffic, and they've only gone and scrubbed that stuff when reporters ask about it. Otherwise, they just don't want to spend the time or resources to take it down.

Carole Theriault

And hey, if these people are on the platform and using it every day, it bumps up numbers, particularly if it's hundreds of thousands, right? So everyone's back gets scratched.

Bj Mendelson

That's right.

Carole Theriault

Right.

Graham Cluley

Chances are that Krebs has only just sort of chipped away at the top of the iceberg here. He only spent a couple of hours looking. He limited himself to English-speaking groups. He didn't count groups which had less than 25 members.

Carole Theriault

But what a powerful guy, right? The fact that he can go spend a few hours looking at this, drop an email, and the sites are scrubbed completely, and probably what happened in less than 3 days.

Graham Cluley

You say he's a powerful guy, but Brian Krebs doesn't have 702,048 followers on Twitter, Carole, like some people do.

Carole Theriault

Yeah.

Bj Mendelson

I know that's true. And I can tell you though, here's a fun game.

Carole Theriault

You're just jealous, Graham. It's disgusting. Sorrell was the one that kind of took this company that was— WPP was nothing. Like they were basically owning parking lots and grocery stores.

Graham Cluley

Totally. Totally.

Bj Mendelson

Well, here's a fun game that everyone at home can play. If you find, so, I mentioned eBay and so I'm going to use them as an example. If you find a page on any of these platforms where something illicit is happening, it doesn't matter how many followers you have.

Carole Theriault

I just was thinking, because I met one guy from WPP who was pretty high up in the chain, and he was coming to do a pitch for a company I worked for. And he came in wearing this beautifully cut suit, but he was also wearing leather slip-on slippers, literally. So he stepped out of his limo and walked in with his slippers and his suit and conducted the entire meeting that way.

Bj Mendelson

If you report it to them, if you say, hey, I'm a reporter and they see the keyword reporter or journalist, within an hour, I promise you they will go and scrub that entire page and that entire group because that's what happens. I found at least 10 pages worth of people selling traffic from Russia over on eBay. And I said, look, I'm friends with— or not my friends, but I was working with NBC at the time producing a segment. I said, can you comment on this? And within an hour they went and wiped the entire thing. So it doesn't matter how many followers you have. That sounds about right. I mean, look, I've worked in the advertising industry or up until I retired, quote unquote. And so having seen the inner workings, you know, they were not dealing with people that listen to this podcast because people that listen to this are beautiful and smart and intelligent. I mean, look, Brian Krebs is my personal hero when it comes to cybersecurity. But it doesn't matter.

Carole Theriault

And yes, they are.

Bj Mendelson

Yes. And they're able, they're able to do so.

Graham Cluley

That's right.

Bj Mendelson

Well, one of them. So, yeah, sorry.

Carole Theriault

Don't cry, Graham. Stop. Just wipe your tears.

Bj Mendelson

Graham, you're a close second.

Graham Cluley

Just big deep breaths. I'm not Krebsy.

Bj Mendelson

It's true. I revel in my ugliness.

Carole Theriault

No, you're not.

Bj Mendelson

It's only because I found Krebs first by accident. And so, he was my first and you were my second. Never forget.

Graham Cluley

Never forget.

Bj Mendelson

So a lot of people don't understand that when you deal with data and when you have these discussions, it's because the people within these agencies don't know any better. And so if Facebook and Google and Amazon comes to them and say, well, this data is worth a fortune, these metrics are the thing you should pay attention to, then that's the thing they pay attention to. This is true. This is very true.

Graham Cluley

So the moral from all this, I think, is that you don't need to resort to scanning the dark web to find out if your personal information has been disclosed out there and is in the hands of criminals.

Carole Theriault

And we are the victims of it.

Graham Cluley

You can just as easily find this stuff publicly online being shared. So chances are your details are already up for grabs following large major-scale breaches like the ones which happened at Equifax not so long ago either.

Bj Mendelson

We are.

Carole Theriault

Good old Equifax.

Graham Cluley

BJ, what's your— by the way, BJ, before we go on to your story, I have to ask.

Carole Theriault

It's what's being sold and we're getting no piece of that pie. Oh God, he's gonna ask about your name. I'm warning you.

Bj Mendelson

That's okay.

Carole Theriault

Ask about the initials. You're sure?

Bj Mendelson

That's all good. No. And that's my whole thing is I think people should be paid for their data. I don't— yeah, that's not an original idea. You know, Lawrence Lessig talked about that in 2000 and Jaron Lanier talked about that in 2011. So I'm just part of a long line of people that have suggested that. But it's not a hard system to implement. I'm a little bit of a crypto pessimist, but I do think that there's space there that we could start compensating people. And if WPP breaks up, then maybe that opens up the reins a bit for us to try that.

Graham Cluley

Is it a euphemism for bubble jet printer? I'm just wondering.

Bj Mendelson

I wish it was. The downside to being BJ is that when you go into a Starbucks and you tell them what your initials are, they laugh at you.

Carole Theriault

But I was going to ask, do you think that agencies aren't getting the returns they want?

Graham Cluley

As if anyone would be that immature. What's wrong with bubble jet?

Bj Mendelson

I don't get it.

Carole Theriault

Yeah, you know, we all had one back in the day.

Bj Mendelson

Oh, they're not. They're totally not. I mean, so here's the crazy thing. I've sat with, I'm trying not to name names. I've sat in the room after a campaign ended and, yeah. Oh, well, I can, we can spend the whole episode talking about that campaign. And they sat there trying to fudge the numbers because they didn't get as many impressions as they thought. And they just sat there saying, you know, the client doesn't understand. So we're just going to say they had a half million impressions as opposed to 2,000 impressions, because no one knows what the fucking impression is. And so they were able to do that. And that's really what you're dealing with. And that's why Facebook is worth as much as it is and Google is worth as much as it is and your data is worth as much as it is. Because you're just dealing with idiots, for lack of a better description.

Graham Cluley

What's your story for us this week? BJ Mendelson.

Bj Mendelson

So I did something a little different. I wanted to show people where the money is and why we have to deal with what we have to deal with in the security world with our data. And so a lot of people don't realize that WPP is one of the world's largest advertising agencies. And between them, Google, Facebook, there's just this constant flow of billions of dollars going between them and their clients and these tech companies that's entirely fueled by your data. And that's why, you know, when we read all these stories about why Facebook does what it does or why is Facebook creeping on you, not that Mark Zuckerberg would ever do such a thing, but it's because there's billions of dollars at stake.

Carole Theriault

Because how many social media departments and marketing departments

Bj Mendelson

And Facebook actually has employees embedded with WPP and vice versa. And so it's just this disgusting little orgy. Yes, that goes on. And so a lot of people don't understand that. And so I thought I would bring up that as a topic this week because Martin Sorrell, who is in charge of WPP, is actually resigning.

Carole Theriault

And so hopefully have targets on how many people view a page

Bj Mendelson

And so what does that mean for WPP then if he resigns? Hopefully, well, so there's the good situation and the bad situation, right? Like with anything in life, the bad situation is nothing. It's just, you know, the world keeps on spinning and our privacy keeps just dribbling away. Exactly right.

Carole Theriault

They're motivated to inflate their numbers, and that works very much into Facebook, Google's favor.

Bj Mendelson

So that's the bad side. But the good side is that there's been a lot of smoke and hopefully some fire about WPP breaking up because the advertising industry is really an oligopoly. It's, you know, there's not a lot of ad agencies. There's like three or four large companies that own every single ad agency around the world.

Carole Theriault

or get clicks or get likes or get influencers? to scratch each other's back.

Bj Mendelson

And if you believe that most of the traffic on the web and most of the traffic that comes through Facebook is fake or bot, for lack of a better description, then you have to wonder why am I paying all this money on Facebook advertising?

Graham Cluley

So we shouldn't just be angry at Facebook and then the privacy and security debacles which surround Facebook. There are also these other companies which are enabling Facebook, and that includes both the big brands which advertise on Facebook, but also these advertising agencies, these marketing goliaths like WPP, who've been supporting them as well. They've been getting money out of people, out of businesses, been pouring it ultimately into Facebook, who've turned themselves into a humongous company with perhaps not the fantastic results which those companies may have wished for, but marketing agencies have been pulling the wool over the bosses' eyes as to the success of campaigns. And everyone's thinking, well, we've got to go digital, haven't we?

Bj Mendelson

Well, thank you.

Graham Cluley

We have to do it this way, even if the results aren't actually as impressive as they are sometimes portrayed.

Carole Theriault

Unless the end goes really bad, in which case—

Bj Mendelson

Exactly. Right. That is always possible. Spoiler alert,

Carole Theriault

Nervously drinking water.

Bj Mendelson

everybody dies at the end.

Graham Cluley

Well, that's it.

Bj Mendelson

That's it.

Graham Cluley

Yeah.

Carole Theriault

I mean, there's a lot of good practical advice actually in BJ's book. I'm about halfway through BJ, so, but you've got a lot of really good stuff in there.

Bj Mendelson

So this is what I've encountered with promoting my book. Nobody wants to talk about privacy because to them, people don't care or it's too hard. And so it's easier for, at least from the American media perspective, to be hey, look at Mark Zuckerberg, he's a dork, haha, and tell that story, as opposed to, no, this is what's happening with your data.

Carole Theriault

So I would recommend if anyone of our listeners want to kind of get a better handle on their privacy. I like actually the way you divided it. Yeah, there was actually a really good piece on social and privacy problem on an NY Mag Select All. It was published, I think, on the weekend called Internet Apologizes. And it's a really good piece. You kind of said, look, you can do this by kind of campaigning in your state to try and increase laws to help prevent this stuff, or you can actually, if you don't like having more laws, you can also just employ better tools to help improve your privacy. You give a good list in your book as well.

Graham Cluley

One of the things which concerns me is in

Carole Theriault

I'll put a link in the show notes. But it just talks about the people that built the internet and how they've realized they've created a monster. So it's the people that have kind of exited, Tristan Harris and them. It's a good read. I recommend it.

Bj Mendelson

Although, can I just add, I kind of have an issue with those people too.

Graham Cluley

A lot of people focused on his physical demeanor and haha, he's a bit like Data from Next Generation, you know, Star Trek. I didn't see that. Oh no, it's very He was. It's very easy to repeat those things, but it's no, no, no, you're missing the point. Yes, of course you want to slap him. Of course he's a bit weird, but there's something much, much more serious going on here. the media, since Zuckerberg was appearing in front of

Carole Theriault

Oh, tell me. And so this is Trump though,

Graham Cluley

the Senate, etc., a lot of people—

Bj Mendelson

I do. Okay, so I know Tristan Harris, he was promoting a book and he was on 60 Minutes and

Carole Theriault

right? It's the same thing.

Bj Mendelson

there's a whole bunch of ex-Facebook and Google employees. They're all, "Oh, look at all this evil stuff we've done."

Carole Theriault

You're getting swayed by the looks. I think they did, though. So, okay, here's my argument. Having worked with these people and knowing that they believe that people don't scale and, you know, you're talking about 19, 20-year-olds that have billions of dollars being dangled over their head, they are incentivized to do evil to make that money.

Bj Mendelson

And I'm thinking, if it was that evil, why'd you do it?

Carole Theriault

Hey, if they're saying sorry, mea culpa, then we gotta listen. We gotta listen, right? You're not gonna— you're gonna be a bitter old man if you carry on this way, BJ.

Graham Cluley

Jesus.

Bj Mendelson

Well, I'm 35. I'm just about to turn 35, so I guess that's old, BJ.

Carole Theriault

You're definitely very old.

Bj Mendelson

Well, I guess that the lack of hair flapping in the wind does do it for some people.

Graham Cluley

Stop kidding yourself.

Bj Mendelson

And then the pasty orange. You're right.

Carole Theriault

You know, I don't know

Bj Mendelson

You're old. And then, so I watched the hearing, and I, you know, I'm friends with a lot of journalists, and they were just piling on how he looks and how he acts and how dumb the senator seems, you know, because that was the other thing.

Graham Cluley

That's the end of it.

Carole Theriault

if they knew at the time, though. Hope you have a retirement plan.

Graham Cluley

Oh, I do.

Bj Mendelson

Right.

Graham Cluley

Right.

Carole Theriault

Right?

Bj Mendelson

Stage clown.

Graham Cluley

We'll have to leave that for another podcast. Carole, what's your story for us this week?

Carole Theriault

So I want to talk about Action Fraud. Now, Action Fraud is the UK National Reporting Centre for Fraud and Cybercrime. So this is where you go if you've been scammed, defrauded, or experienced cybercrime, right? This is similar to the USA's FBI Internet Crime Complaint Centre, IC3, or Canada's Anti-Fraud Centre. So they're all basically nationally recognized trusted places where you report a cyber incident.

Graham Cluley

Yep.

Carole Theriault

So boys, imagine you guys get scammed, right? And you get scammed and you log a report with Action Fraud. And a little while later, you receive a robocall that says, "Press 1 if you have made a report to Action Fraud." So what do you do?

Graham Cluley

So you're getting an automated phone call saying, "Press 1 if you've made a report." Yeah, I'll do it in the voice if you want.

Carole Theriault

You know, Graham, since now

Bj Mendelson

Okay.

Carole Theriault

that he recommends Rachel, I "Press 1 if you've made a report to Action Fraud."

Bj Mendelson

I would love that.

Carole Theriault

now am interested.

Graham Cluley

Well, you have made a report to Action Fraud, so I imagine many people would press 1.

Bj Mendelson

Yes.

Carole Theriault

Exactly. It's a good pick of the week.

Bj Mendelson

Thank you.

Graham Cluley

Thinking, okay, they're getting back to me.

Carole Theriault

You're thinking you're getting a callback. That's how actually Apple support works, right? You log an online request and they call you back. It's brilliant.

Graham Cluley

Oh, right. Okay. Now, if you hadn't reported a scam and you received this call, you'd probably just roll your eyes and hang up, right? And this is exactly what the scammers are hoping for. Scammers are pretending to be Action Fraud.

Bj Mendelson

This is great. I just bought a range extender for my dad and all the issues that you were talking about, I was just sitting here and nodding my head. Awesome. Yep.

Graham Cluley

That's a little ironic. Well, I think on that bombshell, we've just about wrapped up this week. If you want to follow us on Twitter, you can do so @SmashingSecurity, no G. So, so the fraudsters are pretending to be the people you report the fraud to?

Bj Mendelson

Yep. That's it.

Carole Theriault

Yes.

Graham Cluley

Twitter wouldn't allow us to have a G. We've got an online store where you can buy stickers and t-shirts and things at smashingsecurity.com/store.

Bj Mendelson

It's kind of genius. So this sounds wonderful.

Graham Cluley

And I guess we have to also thank BJ. Thank you very much, BJ, for coming along today and joining us.

Carole Theriault

And they're trying to catch that tiny, tiny little sliver number of people that said, yes, that's me. They're finally calling me back.

Graham Cluley

Okay, all right.

Bj Mendelson

Yeah. So when the call is answered, an automated voice says, "Press 1," and the responder presses 1. They are transferred to a fraudster, a live fraudster.

Graham Cluley

Oh, he sounds trustworthy. I'm sorry, Officer John Thompson or David Jones because we're in the UK. These are names that have already been used, and they introduce themselves and inform the victim that his or her computer has been hacked, which has led to their online bank account being compromised and funds being withdrawn. And fantastic social engineering, isn't it? Because you absolutely reported some sort of shenanigans going on, maybe with your credit card or something online, and now it appears as though the authorities have contacted you, said, 'Thank you for your report. We've investigated this.'

Carole Theriault

Now, to gain trust, they will actually confirm some of your personal details. So that can happen. They may know your name, your address, your email address, that sort of thing. And they may also try and gauge your knowledge with questions. So one of them was, "Is your broadband router displaying flashing lights?" Right? And, "Oh, you see, there's criminal activity going on." Sorry, Carole, I'm going to have to interrupt you right now because I've just looked down at mine and mine is flashing. Okay, so what I need you to do now, Graham, is I need you to give me remote access to your system so I can help fix the problem.

Graham Cluley

Okay, username admin, and password is— yeah, password is just password, so you should be able to get in on that. Yeah, if you can give me your admin— exactly, that's what I need. Okay, and then once I have— obviously, as the fraudster gets remote access to the machine, it's game over, right?

Bj Mendelson

Yeah.

Graham Cluley

I mean, and those are the ones which are actually getting reported as well. Chances are that there's even more than this occurring.

Carole Theriault

Oh yeah, because you only report it once you're aware of it. If someone is smart enough just to take £5 out of someone's account on a monthly basis and just dribble out accounts, people may not even notice that happening.

Graham Cluley

And I used to report these kind of things to Action Fraud, but ever since they rang me back and scammed me out of even more money, I'm kind of reluctant.

Bj Mendelson

Oh man. I feel bad because you know that there's a lot of people out there that will fall victim to this and not report it because they don't want to look dumb.

Carole Theriault

Yeah.

Bj Mendelson

Yeah. It's like it happened to someone in my family. They had a problem with their Kindle. And so they did a search for, can I get some Kindle support? And the first link was in one of the ads, but it was a criminal one, right?

Graham Cluley

Isn't this a terrible thing, Carole? I mean, your advice, although correct, it's just such a terrible indictment upon us because basically what you're saying is if someone phones you up, be very, very cynical.

Carole Theriault

Yeah, and be suspicious and don't

Graham Cluley

And you know, what kind of world is that for us all to live in? You know, because what will have happened is these scammers will already have got some of your details, maybe your phone number, your name, maybe even some digits from your credit card from some other scam which has occurred, some other data breach, maybe an ISP got breached or something like that. They've already got all of those details about you.

Carole Theriault

believe anything they say.

Graham Cluley

And so they're saying, can you confirm this is your name? And you want to be helpful. You want to say yes.

Carole Theriault

And going back to things like the Equifax data dump, I mean, they may have a lot of this information from you because it's just floating around the web. So, yeah, they're able to confirm some things, get more information out of you. In one case, they actually told one of the recipients of the call, the potential victim, that £40,000 had been fraudulently taken from their account.

Graham Cluley

I think it's definitely one to be aware of, the fact that they're pretending to be Action Fraud. And of course, in different countries around the world, they may pretend to be other agents as well.

Carole Theriault

So keep your wits about you and don't get too paranoid. It's always good to be cautious. You know, I know some really smart people that have logged into fake banking accounts. I bloody hate it though. I want the world to be a nice happy place where you can trust your neighbor. I hate all this. But you're right.

Graham Cluley

Where everybody knows your name. Exactly.

Carole Theriault

Yeah, it was just right on tune. Right on tune.

Graham Cluley

Thank you. I can't remember what the tune was.

Carole Theriault

Sounded like the real thing there. Hey, Graham.

Graham Cluley

Yep.

Carole Theriault

It's almost time for our favorite time of the week. Yes, it is.

Bj Mendelson

Yes.

Graham Cluley

And thanks once again to MetaCompliance for supporting this episode of Smashing Security. People are the key to minimizing your cybersecurity risk posture. You can save 10% as a Smashing Security listener off the high-quality cybersecurity e-learning catalog by going to metacompliance.com and quoting the code SMASHING.

Bj Mendelson

And welcome back.

Graham Cluley

It's our favorite time of the show, the part of the show which we like to call Pick of the Week.

Carole Theriault

Pick of the Week. BJ, can you say it too?

Bj Mendelson

Oh, Pick of the Week. Sorry. I was mesmerized for a second by the cat cleaning himself. It was just a mess over here.

Graham Cluley

His lizard brain kicked in.

Bj Mendelson

That's right.

Graham Cluley

Oh, cat's licking itself.

Carole Theriault

I wish I could do that.

Graham Cluley

Do you?

Carole Theriault

No. I do. Who doesn't? Any guy that tells you that they wouldn't is lying. Yeah, I'm a girl though. Yeah, just saying. Pick of the Week is that part of the show where everyone chooses something they like. Could be a funny story, a book they've read, a TV show, a movie, a record, an app, a website, podcast, whatever they like. I never use TuneIn. And I saw this as your pick of the week and tell me why you use it.

Graham Cluley

So obviously you can use it to listen to podcasts, you know, but there's plenty of other podcast apps. You can listen to news and you can listen to radio stations from around the world as well.

Carole Theriault

All in the same app.

Graham Cluley

Yes, and if you're prepared to give them $9.99 per month, you can listen to live sports like NFL and MLB— I don't even know what these are.

Carole Theriault

Yawn.

Graham Cluley

MLB, NBA.

Bj Mendelson

MLB is the only one that matters.

Graham Cluley

Is it? Okay, what does that mean?

Bj Mendelson

Major League Baseball.

Graham Cluley

Okay, so American sports where people run around and get hot and sweaty and those sort of things. If you want to, you can do that.

Carole Theriault

Very important stuff happens. But the reason why I have started using tunein.com is I have a new favorite Trump crush. What?

Bj Mendelson

It could be worse.

Carole Theriault

Misery does love company.

Graham Cluley

Misery loves company. The thing is, if you're over here in the UK, you can't watch CNN, you can't watch the American version, you only get the Europe— whereas the American version of CNN is pure 24-hour Trump, right?

Bj Mendelson

Yep.

Graham Cluley

And similar MSNBC. So I'm able now via TuneIn to listen to the soundtrack of MSNBC. And so I'm able to catch up on my Trump crush.

Carole Theriault

You need to get a freaking life.

Graham Cluley

Rachel Maddow. I think you'd quite like her.

Carole Theriault

Oh, would I?

Graham Cluley

She—

Bj Mendelson

Yes. Oh, she has an hour-long show where— and I love her delivery— where she talks about what's been going on during the day in the crazy world of Trump and associated cronies. And that is why I use tunein.com.

Carole Theriault

Hmm. Interesting pick of the week.

Graham Cluley

Now I've lost half of our American audience again.

Bj Mendelson

I will, but you'll get, you'll gain them right back. I think MSNBC, just taking a step back at just the historical context of MSNBC. They always thrive when we have an idiot in the White House.

Carole Theriault

Yeah.

Bj Mendelson

So they were great when Bush was in office for both terms, and they've been wonderful with Trump in probably both of his terms because that's how Americans vote. But yes, I do highly recommend Rachel Maddow for anyone listening. She is terrific. MSNBC in general is generally terrific. And now that I've said that, I'm sure Fox News will never invite me back. And that's okay.

Graham Cluley

Well, I've heard Sean Hannity's quite entertaining this week.

Bj Mendelson

Oh yes.

Graham Cluley

Oh, I think you would be interested, Carole. Yes, I'm sure she does do a podcast as well, so you can tune in on your regular podcast app just to her show.

Carole Theriault

Okay.

Graham Cluley

So BJ, what's your pick of the week?

Bj Mendelson

I have this thing about zombies. I'm afraid of zombies.

Carole Theriault

Oh really? I think they're so great.

Graham Cluley

I have them around for tea all the time. I have them in my graphic novel where, you know, there's a picture of them going by on a golf cart and the zombies are playing on their phone and just, I'm terrified of them. So for me, I will generally avoid zombies in the media.

Carole Theriault

Ah, yes, I've seen that. Santa Clarita Diet.

Bj Mendelson

I've always been a sucker for Drew Barrymore. I mean, you know, she was in high school. I had a big crush on her and, yeah, and she's just very funny. Her timing has always been wonderful. And even that wasn't enough to sell me on the show. But I decided just randomly not to do work, which is odd for me.

Carole Theriault

Very important.

Bj Mendelson

I'm a workaholic. And so I was like, all right, I'm just not going to do anything for the next day or two and I'm going to binge watch something that I otherwise wouldn't have taken the time to. And it was Santa Clarita Diet and it's wonderful.

Graham Cluley

What's the premise of the show? So the show is Drew Barrymore and her husband are realtors, and she, under mysterious circumstances, becomes a zombie. And the family goes to these hilarious lengths to try to cover it up.

Carole Theriault

So, but it's also gruesome. It is gruesome. Like she's sitting there chewing on a leg and covered in blood.

Graham Cluley

Like The Walking Dead or something. It's not as gruesome as I'd say, like The Walking Dead. Like I've seen some stuff from that, that was just, I couldn't watch it after watching. But yeah, the first 6 episodes are a little rough, pretty graphic, but it does kind of settle down a bit. When you say it's funny, view it as a sort of a zombie version of Weekend at Bernie's.

Carole Theriault

My favorite movie of all time.

Graham Cluley

But in this case, horror. The undead.

Carole Theriault

I'm hearing a lot of clinky clinky. I don't know who's clinky clinking.

Bj Mendelson

That's the dog. Sorry, she just made her grand entrance into the room. So far she's well behaved. So if it's just clinking, we're okay. But yeah, so I mean, I love the show. It's— I can't recommend it enough.

Carole Theriault

Did you— do you know the show? I can't remember the name of it. Have you seen Braindead? It was on Amazon Prime. And it's a kind of political alieny rather than zombie, but I think you might enjoy it. It's wonderful.

Bj Mendelson

I saw promos for that. It was on CBS, I think, here in the States. I got to check it out.

Graham Cluley

Hmm.

Bj Mendelson

And that was my pick of the week.

Graham Cluley

Carole, what's your pick of the week? Mine is not gross. Mine's really useful. So I live in a modestly sized house, but it has super solid walls, and anyone who has solid walls knows solid walls are not good for Wi-Fi. So I've been looking for a solution and I think I've found one. Enter Devolo. So I bought the dLAN 550 Wi-Fi Starter Kit Powerline. So you get two adapters in the box, right? You put in the first Powerline adapter: it plugs into the router and plugs into the power socket. The second one, you plug into wherever you need to extend your connectivity. Hopefully not actual boom.

Bj Mendelson

Well, it depends on what you're into.

Graham Cluley

But the idea is that you're basically extending your wireless network using the electric wires of your house, your existing— Exactly, it's a dLAN. Yes, exactly. And it's kind of cute because they've even added an extra socket on the adapter so you don't lose a power socket, which is nice. Really, I imagine— okay, the nerd in me is going to ask this question. I would imagine that you can encrypt the communication going down your power line if, for instance, Carole, Vladimir or Donald wanted to snoop upon your communication via my electrical wire. I know it's a little bit extreme, but it would be fairly easy for them to encrypt those messages as well. I imagine they're doing that, aren't they?

Carole Theriault

And yes, they do.

Graham Cluley

Cool. Well, that sounds like a good solution for you. Because this is the quintessential thing. Suddenly in my family, it matters less if the power goes out or the water is stopped than if the Wi-Fi stops. That is the thing, as my position of CTO of my house.

Carole Theriault

Well, the extender will not work if you have no power though.

Graham Cluley

Oh yeah.

Bj Mendelson

Good point.

Carole Theriault

And there you go. That's a perfect end. End scene. And click.

Bj Mendelson

End scene.

Carole Theriault

Yes, you were a brilliant guest.

Graham Cluley

Thank you so much. If people want to find you online, what is the best way for them to do that? Honestly, it's just BJMendelson.com. I use Twitter, but I mostly tweet about comic books and professional wrestling. So if you're into that, you can follow me @BJMendelson.

Carole Theriault

BJ, are you single?

Bj Mendelson

I am.

Carole Theriault

And anyone who's interested in asking BJ for a date, please use this number.

Bj Mendelson

I am all for it. Yes.

Graham Cluley

But don't text in the word sheep for us. Thank you for tuning in. If you like the show, rate it on Apple Podcasts. It really does help new listeners discover us. And you can go to www.smashingsecurity.com for past episodes and for details of how to get in touch with us. Until next time, thank you very much. Cheerio. Bye-bye.

Carole Theriault

Adieu tout le monde. BJ, you can say bye.

Bj Mendelson

Oh, bye everybody.

Carole Theriault

I love that it happened twice.

Bj Mendelson

You stay classy, San Diego.

Carole Theriault

Stay classy!


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

One comment on “Facebook crime forums existed unchallenged for up to nine years”

  1. LizH

    I have seen pages that sell fake goods & are click bait to gain likes. I have reported them & FB did absolutely NOTHING
