Smashing Security podcast #337: The DEA’s crypto calamity, and scammers’ blue tick bonanza

Confusingly this phrase is used in two different ways so airdrops can to related to cryptocurrency are one thing what you're thinking about them can be associated with threats for instance people send unsolicited dick pics to people on the train or on their bus.

Isn't the reply always sorry I don't smoke isn't that like.

Smashing Security, episode 337. The DEA's crypto calamity and scammer's blue tick bonanza. With Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security, episode 337. My name's Graham Cluley. And I'm Carole Theriault. Now, Carole, I am dashing off to the airport. I've got to catch a plane to Sweden where I'm giving a talk. Very exciting for you. Well, it is exciting, obviously. Perhaps more exciting for me than it will be for people in the audience. But maybe we should just get this thing done and August will be over.

Yes. OK, before we kick off, let's first thank this week's wonderful sponsors, Collide and Beyond Identity. It's their support that helps give you this show for free. Now, coming up on today's show, Graham, what do you got? I've got a cock up. I've got a crypto cock up. Ooh, and I've got a customer complaint problem. All this and much more coming up on this episode of Smashing Security.

Now, chum chum, I was reading Forbes. I was reading Thomas Brewster, who's a cybersecurity journalist. He's got some good scoops. And my eye was caught this week by a report from him, which perhaps underlines that anyone can fall for a scam. So let me tell you what happened. Back in May, the US Drug Enforcement Agency, the DEA, seized over half a million dollars worth of cryptocurrency from two Binance accounts. And they did this because they thought that the proceeds of drug sales were being funneled through these cryptocurrency accounts.

Right. So, they seized the cash thinking, this is up to no good. This is illegal earnings. Yeah, right. They just ripped it away, I suppose, from the drug dealers or whoever was using this. And, you know, good news, right? Criminal enterprise, drug proceeds nabbed by the law. Except they're unregulated. So, you know, keep that in mind.

Well, certainly, yeah, it's harder to do things, isn't it? So the story doesn't end there. It doesn't end with the seizure of the cash. If it did, it would really mean that I'm rushing to the airport.

Exactly. I was going to say, you're really late. Okay. Well, good story.

I haven't packed my backpack yet. Can't find my toothbrush. But I'll do that in a minute.

What's new? Every single time we've travelled together, there has always been a journey to some Marks and Spencer's version to get Graham some pants or to Boots to get a toothbrush. You always forget. Or cables. That's the other thing.

Yeah. It was Prague. I forgot my underpants, didn't I? So we had to go and get some, I think, there. But anyway, yes.

You're welcome, by the way.

Thank you very much. So the story doesn't end there, though, because cryptocurrency, it's now in the Fed's hands, right? It's in their hands. But what are they going to do with it? And, of course, one of the important things is they need to secure it. It needs to be securely held because this is the matter of an investigation. You're not going to leave it on the counter at McDonald's, right?

No, no, no.

So what they do is it's quite sensible. They store it in a hardware wallet like those made by Trezor rather than an online exchange, which get hacked all the time or suffer some kind of security breach. And so that hardware wallet, that thing which plugs in via USB stick, is stored somewhere at Drug Enforcement Agency HQ. It's located in a secure facility. No one unauthorized is likely to be able to just wander into the building and plug it in and steal the money. They'd still need all the keys and things.

The thing is, we should remind listeners, of course, if you use this type of thing, you cannot lose that little piece of hardware. Let's not misplace that down the couch. Don't do that. Right. Don't let it fall out of your pocket when you're on the loo or something.

Don't let it slip down any cracks at all, unless you're trying to hide it from law enforcement, I imagine. But yeah, don't do anything like that. But also they had to move the funds because it's not up to the DEA to store the funds. So they can't keep it forever in that cryptocurrency wallet. What they needed to do was pass it over to the U.S. Marshals who handle all the funds. So they're the ones with the big buckets of bitcoins or whatever. And so what the DEA did, they said, well, we're going to have to do a cryptocurrency transaction. And so what you do is you send a very small test amount to the cryptocurrency wallet, which is owned by the US Marshals. So they had the US Marshals cryptocurrency wallet address, and they transferred $45.36 worth of cryptocurrency to the US Marshals. So they're waiting for that $45.36 to be returned to them by the US Marshals or acknowledged and saying, yeah, the test works, all good. We've got that. Yeah, now send the rest of the money or something like that. So you expect something like that to happen just to make sure there's no little screw up on the way. But there is with cryptocurrency this thing called the blockchain. And the blockchain is public. And so anyone is able to look at the transactions which are being moved between different wallets on the blockchain. And so this is no secret transaction from the DEA to the US Marshals. You may not know that it's the DEA sending it to the US Marshals unless you happen to know their cryptocurrency wallet addresses. But you see the movement of the funds. And what the scammers did, because there are scammers involved in this story. No. I know, it's a shock. It's a shock on Smashing Security when scams come up. So what the scammers did is what's known as an airdrop scam. Now, have you heard of this airdrop scam before?

No, I know what airdrop is from the kind of Apple parlance. Is that the same kind of thing? No.

Okay. So confusingly, this phrase is used in two different ways. So airdrop scams related to cryptocurrency are one thing. Airdrops, what you're thinking about, can be associated with threats. For instance, people send unsolicited dick pics to people on the train or on their bus via airdrop. So you get a message pop up on your iPhone saying someone's trying to airdrop you a picture. And you look at it and go, oh, my goodness gracious, I don't want that. Isn't the reply always, sorry, I don't smoke? Isn't that what? One woman received a dick pic recently. And she said, oh my God, you know, thank you very much. That's very flattering, but I think you need to see a doctor. And she claimed to be a medical expert and said that she'd spotted some unpleasant mark on his sort of, I don't know, lower abdomen, which suggested he was going to... Anyway, he managed to completely scare this guy. But you digress. But I digress. Anyway, normally, unsolicited dick pics sent via airdrops. There was last summer a pilot on a Southwest Airlines flight who said he was refusing to take off until someone stopped sending naked photos to other passengers. And I've actually got some audio of that right here.

So here's the deal. This continues while we're on the ground. I'm going to have to pull back to the gate. Everybody's going to have to get off. We're going to have to get security involved. And it's vacation. It's going to be ruined. So you folks, whatever that air drop thing is, send a naked picture. Let's get yourself to the combo. He's keeping very calm, that pilot, I think. He sounds like my parents. This is insane.

I didn't know that you could choose your number, like a kind of license plate or something. Presumably it's assigned to you or have you stolen it from someone else, a similar one on purpose? I don't know. I don't know. Sorry. Okay, pretend that never happened.

Because people can't remember 30 character long cryptocurrency wallet addresses but they do sometimes quite often look at the first few characters and the last few characters and say oh yeah that's it that's them so what the scammer did was he saw this transaction and then he sent an identical amount of funds into the DEA's cryptocurrency account right so he sends an identical amount which the DEA sent to the US Marshals.

Right. Saying, hey, money received, here it is back, all good. But he's the scammer.

And then what happened is the person at the DEA just copied and pasted the entire cryptocurrency wallet address.

Job done. Let's go home. It's Fajita night.

Yep. Rather than typing it out. And they sent they sent $55,000 worth of cryptocurrency. Thankfully, not the full half million. Okay, right. So they were sending just a chunk of it. And by the time they realised, the two different agencies realised, hang on, we've sent you the cash. No, you haven't sent us the cash, blah, blah, blah, blah. By that time, the money had been moved out of the scammers account.

I mean, you would move pretty freaking quickly if you pulled that off, wouldn't you? You'd be like, go, go, go, go, go, go, go, Go, go, go. So the FBI is now investigating. They've associated two Gmail addresses with the cryptocurrency wallets which were held on Binance. Okay, wow, they're getting close. The heat's on. In the hope that they might find out more who was behind the heist. Yeah, it's a chunk of change, yeah.

From the IRS, anyone ever gets money from the inland revenue. Hard to imagine. Oh, he must have gone to prison for a long time.

That's the one people you don't screw with, right? The thing is, this money had initially been seized by the IRS from his older brother, Larry. He was so pissed off. So, Gary and Larry... You can't make it up. Right, so he's keeping a low profile then.

That's cool. He's keeping a low profile, but did manage to get money out of the inland revenue. So I don't know if that's a modern Robin Hood or not.

Oh, yeah, it's very modern. Don't share the money with anybody. Keep it for yourself and dance around kissing it making you know sweet sweet love to it.

Robin Hood Carole, what's your story for us this week?

Well customer complaints. Okay Graham, let's say you are feeling rather chuffed with yourself, right? And you even feel that you should get yourself a little something to celebrate. Okay, right. A little present, a little present to me day. And you've narrowed down the choice to two different products from well-respected online retailers. And I've put them in the show notes for you to take a look at both of these and make your final decision of which one you're going to want to purchase.

Yes. Okay. So do you want me to describe these people? Yep. Yep. I think they're probably worth describing. So the first one is...

It's called the ostrich pillow. Well, it's for the man who has everything, of course, right?

For the man who has everything. This is a travel essential, it says. And it's some sort of, it's actually a sort of stuffed toy. You put it over your head like a balaclava, but it looks like an ostrich. So that means I can just lay my head down anywhere, in any direction.

On a lap, on your tray, if you're on a plane. It looks rather cumbersome, I have to say.

It might get a bit sweaty under there. Yeah, but this is on your top list. So there's this one. Oh, yes. And let's scroll down. Oh, OK. So you've got something. It's interesting. So it's sort of, it's a cat. It's a cat tissue holder. And you pull tissues out of its butt. It's actually called the cat butt tissue holder. Right, for the man who's got everything. Right. Homex cat butt tissue holder. Lovely. Are they sponsors this week? So which one are you going to go for? I'm not sure. I'm not sure either. Oh the cat butt tissue holder only costs $40 at Amazon. Whereas the ostrich pillow is $99. So I'm going to go for the $40 cat butt tissue. Are they tissues for my butt or is it called butt tissues because they come out of the cat's butt? These are things that you've obviously pre-researched when you put them on your short list.

OK, so you have decided on the cat butt tissue holder. Fantastic. It arrives on time. You open the box excited, but the product is defective. It has no butthole, okay? But they have taken the payment. Oh, that's annoying. Right? And so what do you do?

Well, I'd probably reach for the corkscrew, I suppose. I mean, it's easier than waiting for a replacement.

It is made of ceramic, so that might be complicated. Oh, is it ceramic?

Oh, it wasn't clear from the photograph. Okay, that's obviously why it costs so much. Well, I suppose I'd say, hey, you know, can I make a complaint here? My cat butt tissue holder appears to have some sort of malfunction.

Right. And when do you hit the socials? Because if I recall, you're quite good at getting problems sorted out on Twitter. For fuck's sake. I mean, X.

Just call it Twitter. I don't think we should go along with that game. Anyway, when do I? Well, it would normally take me a few weeks of interaction before I get so frustrated that I think...

So you'd send things directly, you'd get no reply, you'd get annoyed, and you'd hit the Twitter. And by then, you're simmering. You're kind of just, for fuck's sake, I want my cat hole butt holder to work.

I want to put tissues in it and pull them out. There's no point having tissues inside a cat if you can't pull them out through its butt. Where did you find this?

Complaints. It's in the show notes, everyone. The list of 42 weird items available on the internet. Now, complaints can range from shoddy customer service or products or delays or payment problems, whatever. And many people take to online in order to bellyache about one of these problems. I couldn't help myself. It is August. I was feeling a little frivolous. So I thought I'd check out some of the more hilarious complaints that have been made on the socials. So one guy complained to Domino's that his pizza came with no toppings, right? Just bread. He's annoyed, and Domino's replies, "Dude, we're really sorry," you know, and give him the address to contact and then he went, "Oh, forget it. I'd opened the box upside down."

You know, until someone shows up. "I've been stuck in here with no lavatory paper. I haven't got a cat butt tissue holder. I'm going to have to use

Charles Dickens is proving very useful." Anyhow, the whole point of complaining is to get a response. Well, you know, one that acknowledges the complaint, perhaps even solves the problem, right? That'd be nice. If you get this stellar rep that helps you slalom through all the bureaucracy stuff, it's an amazing feeling because it's a pain in the ass otherwise. So getting back to your purchase of your cat butt tissue holder, you've taken to Twitter, X, whatever, and you get this amazing response, right? And you're a security boffin, you know, and you happen to notice the blue tick and you're like, and this is of course from a reputable online retailer?

Well, anyone having a blue tick on Twitter is instantly suspicious these days. You know that.

Oh, I was going to say, because I, yeah. So can you care to enlighten us on the tick changes?

Well, there's been this switcheroo because of course, blue ticks used to mean that your account had been verified by somebody to suggest that you were a person of either some prestige or an official company. It was meant to differentiate you from scammers so people could find the real poet. But now, of course, our good friend Elon Musk, he's so desperate for money that he's primarily, it appears, given it to racists and misogynists and unpleasant people spreading conspiracy theories. And so now your temptation is actually to block anyone who has a blue tick because there's just so much nonsense going on with them.

There's a fee now, a monthly fee with the blue tick, isn't there? Like 11 pounds or something. Is that right?

Yeah. And there may be some advantages of doing that. I mean, other than the tick, there are some functions which would be useful and things which used to be available for free, like access to TweetDeck, for instance, which is how I used to access Twitter. And now you have to pay for it. But I simply object on principle now to giving any money to Elon Musk. I just think it's just gone so downhill that I can't bring myself to give him, you know, $10 a month.

But they have also introduced new additional check marks, right? There's the gold and the gray one. So gold is for verified organizations and it costs a whopping 950 pounds. Isn't that per month, I think? I think that's a monthly fee.

Yeah, it's astonishing.

Yeah. And Twitter claims that the changes to verifications are required to reduce fraudulent accounts and bots. So yeah, I was going to say, is that smart? Is that bullshit? Well, funnily enough, Graham, it has not been all smooth sailing since this change has taken place.

Come, come, surely not.

I know. But as predicted by some are indeed going awry thanks to the way this paid for X verification service works. So Andrew Thomas was contacted by a verified account from Bookings.com, or was it after posting a complaint on Twitter/X? Quote, "I'd been trying since April to get a refund for our holiday flights, which were canceled and frankly resorted to X," right? Similar to what you said, right? You're trying to go direct, you're trying to go direct, you're not getting anywhere, you hit the socials. Right? Oh, absolutely. You'd expect them to have a social media presence for much longer than that.

Right. And this is at this point where he says, "I then checked the WhatsApp caller ID and found it was a Kenyan number." So lucky for Andrew, Bookings.com refunded him after The Guardian intervened. But this is happening more and more, particularly it seems in the travel and hospitality and banking arenas.

Well, you know what? I've just remembered this has actually happened to me. In the last few months, because there was, I was having a bit of an issue with an energy company where the account had changed into someone else's name and they'd screwed up. Despite numerous phone calls over many months, they kept on messing up and trying to charge me tens and tens of thousands of pounds. And it's like, you really haven't understood, have you, what's actually happened? Eventually, after plenty of emails, I did go on to Twitter and post a message. And they said they'd get back to me. But I got this other message saying, oh, we're looking into this again. Can you please follow this link? And it was from a scammer. So they obviously had a bot set up or something looking for references to this particular company. And then they would jump in with their fake account. Thankfully, I didn't give them any sensitive information. I didn't fall for it, but it was extremely convincing.

And this is just like in June, passengers who were planning to go on holiday on EasyJet and BA flights. These flights have been cancelled. They were targeted by cyber criminals with fake profiles after they resorted to X to demand refunds. After the people's flights had been cancelled. And both airlines told the Observer that fraudulent accounts are reported to X. I don't know who's reading those reports. And BA even pinned a tweet alerting users to fake accounts on X. But that's the thing, like who should be held accountable, right? And what advice do we have other than delete X and stop using it?

Well, I think that's really good advice. And maybe the big... I know, but you have a complaint. Well, that's true. Yeah, that is true. I mean, it should be easier to get in touch with companies, to get a response to a genuine problem. You shouldn't have to go onto social media to try and shame them into some kind of rapid reaction to the issue that you're having. But I would expect many of these brands are getting pretty fed up with this kind of fraudulent behavior happening on Twitter. Are they worried about it enough to actually invest in their customer service department? Well, they might be beginning to think we're not going to advertise any longer. And maybe, you know, we're going to pin a message up saying, if you want to get in touch with us, then here's our online forum or here we are on Threads or wherever it is. People might begin to do that instead, I don't know. But it doesn't feel like it's very good for Twitter's long-term success to not get a proper handle on this problem.

And it doesn't even have that name anymore. The Guardian went out and tried to get a comment from Twitter X, yeah, of course they didn't reply. Seems like no one's home anyway. There you are, there's my story.

Thing is normally if you email Twitter's PR department they reply with a poop emoji. You'd probably need one of your butt tissues to clean it up. Exactly. I think you could use your cat butt tissue for something like that. 80% of breaches are the result of stolen credentials. Why does your organization still rely on passwords? Hackers don't break in, they log in. Which is why organizations are moving to zero-trust authentication, a key requirement for zero-trust architecture. What if you could continuously authenticate every user and device access in your system, ensuring that they are who they say they are and that they are using secure devices. Well, Beyond Identity gives companies the ability to eliminate reliance on passwords and protect against password-based breaches, fraud and ransomware attacks. Go to smashingsecurity.com/beyondidentity for a free demo. That's smashingsecurity.com/beyondidentity. And thanks to Beyond Identity for sponsoring the show.

If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is, you don't have to imagine this world. You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log in to your cloud apps. Visit kolide.com/smashing to watch a demo and see how it works. That's K-O-L-I-D-E dot com slash smashing.

And welcome back. Can you join us at our favourite part of the show? The part of the show that we like to call Pick of the Week.

Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses to sound they like. I think they probably do.

Now, you've got a MacBook, I believe, or a Mac computer of some description, don't you?

Mm-hmm.

And so have I. And it's been many years and we've been running versions of Mac's operating system called Mac OS X. Do you remember what came before Mac OS X?

No. It's not that hard to work out. It was Mac OS 9. But the thing is.

Sure. But it might be 9.8 or 9.5.1 or something. That's right. But the thing is that over time, the Mac operating system has greatly changed. And it used to be this thing called System 6 and System 7 and things like this. Now, if you go to this website, which is my pick of the week called InfiniteMac.org, it is a collection of classic Mac system releases and software. And you're thinking, how dull is that, Graham, just to get the software? Well, no, no, no, no. No, what this is, is it has emulated old versions of the Mac operating system inside your browser. I'm looking at it right now. I'm trying to find paint. So if you can go back as far as 1984, the initial version of the Mac operating system, which was shipped way back then. And it's amazing to see how the user interface has changed. And not only can you play around. And this is a proper emulation of the software. But there's also accessibility to CD-ROMs. So earlier on, I was using my fairly modern computer to emulate a computer from about 1990, where I was running an ancient version in black and white of a 3D chess game, all through an old version of the Mac operating system. And I found it all rather charming. I've got to say, it felt like time travelling. I really love opening it up, though, and hearing that beep, because I had one of these. We had, I can't. Oh, did you? Oh, of the actual monitor, the frame. Yeah, the monitor, the frame, yeah. And of course, this is way before Windows came along. And what Apple were doing was, suddenly on the home computer market, was really innovative to do all this. So I think this is a real labour of love. And I love that websites like this exist because they're not making any money. They're just asking for donations if you really enjoy it. But you can play around with this. And it's a good way to, you know, time suck a good 90 minutes or so playing around in a very slow game of chess of dubious quality. And yeah, I really enjoyed it. And that is why infinitemac.org is my pick of the week. All right, pretty cool. Carole, what's your pick of the week?

Well, Graham, I also decided to go into a different, unusual pick of the week this week for me. Because, you know, we're all in the last throes of summer, many of us, right? And kids might be getting a bit bored and you might be feeling a bit broke because you've gone to Legoland or on holiday or whatever you've done. And you might want your kids to do something fun, but also start stretching their brain muscles before getting ready for the onslaught of learning that's about to come.

Because they're going to get such a shock, aren't they?

When they get back to school. Yep. No, you can't go to bed at 10.30 anymore. So I found with the help of my friendly perplexity.ai chatbot tool, which I'm testing out, very fun. You can check that out. That's in the show notes if you want to have a look. I found a few brain teaser sites for you to try out. So one of them is called crazygames.com. So there's a link in the show notes if you want to go there while I describe it, Graham. So this is basically a site filled with basic graphic games, everything from cards, card games, racing games, building, adventuring. But they also have this game called Brain Teaser that tests your thinking by providing a set of questions. And it says you need to think out of the box if you don't want to get stuck. And I utterly failed. I did so badly. Do you want to have a try? Well, I have just failed on the first question I've tried. It put up some pictures on the screen. It had one of an apple and a strawberry and a watermelon. I did exactly the same thing. Did you? Yes. And then they go, oh, that little thing's the watermelon.

Eyes and their mouth. Yes. Which should I choose?

So you choose whatever one you like and have a crack. I'm going to go for mouth. All right. Okay. Okay. And it's so much fun. So there you go. Is it fun, Carole? Or is this something just to send the kids off to school happy? They're thinking, thank God we're not playing that Braingle game anymore.

Maybe that'll work. But there's lots of other Braingle games. Hang on, they're not even going to know who John Travolta is. Are they? Well, there are other games that may be more suitable for your kids, right? Jeez, don't be pissing on my beautiful parade. How desperate are you to get me to endorse your pick of the week by mentioning chess? Although that does actually work. I'm going to now have a look, see what chess games are on.

So there you go, two wonderful sites jam-packed with fun puzzles for the whole family. I mean, Graham's middle-aged and he's going back to play a little chess. You know he's going back. So that is my pick of the week.

Wonderful. And that just about wraps up the show for this week. You can follow us on Twitter. We don't call it X. At Smash Insecurity. No G. Twitter won't allow us to have a G. And we're also on Mastodon. And don't forget, you can ensure you never miss another episode by following Smashing Security in your favourite podcast app. Go on, do it. Such as Apple Podcasts, Spotify and Overcast.

And huge, huge thank you to this episode's sponsors, Collide and Beyond Identity, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists and the entire back catalogue for more than 336 episodes, check out smashingsecurity.com. Until next time, cheerio. Bye-bye. Bye. So I actually bought you the ostrich head pillow thing.

And what is it? Does it not have a hole in it? How am I going to put my head in it? Am I going to have to contact them via Twitter to complain?

The ostrich head pillow, imagine seeing that on a plane. Lovely. My dad went on crowdsource or some crowdfunding site and bought this thing to help him sleep in a plane. Thing was basically a strap that held you by the forehead and the chin and you would wrap it behind your seat to hold up your head so you could just lean forward and be dangling. The problem that no one thought about is of course people's TV screens are in the back of the seat. So the strap, right? So just if you guys are thinking of buying one of these because it's a good idea, maybe think again.