Smashing Security podcast #354: Chuck Norris and the fake CEO, artificial KYC, and an Airbnb scam

Chuck Norris here, and I want to give a shout out. This is the dawn of a new beginning with endless possibilities. Keep up all the great work and just know you are Chuck Norris approved. Your friend, Chuck Norris.

Smashing Security, episode 354 Chuck Norris and the fake CEO Artificial KYC And an Airbnb scam With Carole Theriault and Graham Cluley Hello, Hello and welcome to Smashing Security, episode 354. My name is Graham Cluley.

Now, chums, I'm sure you all know about the metaverse, don't you? You've heard about the metaverse. Maybe you've dipped your toes into the metaverse. Against my will, I know a little bit about it, but that's about it. Yeah, I think it's for young people, really. It's not for people like us, is it? Do you want to explain what it is for the 300,000 listeners? It's the virtual world. It's the Lawnmower Man, that movie from 25 years ago. It's people having cyber sex with avatars of each other rather than each other because their own physical reality is too revolting. So it's the opposite of a real doll. So a second life? I mean, it's second life. It's a bit that. Mark Zuckerberg has poured billions of dollars into it, thinking it's the future, before he realised artificial intelligence was actually the thing that people were excited about. But, you know, people are strapping monitors to their eyeballs and choosing. It's just a horrible... Anyway, I don't want to talk about the metaverse. Why is it we talk about Facebook when I'm on the show? Why? So maybe, I guess you're into streaming superhero shows. Maybe some of you have watched a few of these Marvel TV shows. Maybe you've heard about the multiverse. You heard about the multiverse where there's parallel universes? And this isn't real, by the way, Carole. Well, maybe it is. Who knows? In case you were confused. Anyway, I want to actually know if you've ever heard of the hyperverse. So not the metaverse, not the multiverse. Have you ever heard of the hyperverse? Can I say that I've missed this over the holidays? Really? No. Tell me about the hyperverse, Graham. I'm dying to know. Hyperverse, formerly known as Hyperfund, is a now defunct cryptocurrency hedge fund. Cryptocurrency hedge fund? Yeah, cryptocurrency hedge fund. Okay. All right. I'm in. I know, already alarm bells are ringing in your ears, I'm sure. So the reason why you might have heard of Hyperverse is not just because the company collapsed in 2022, but rather that when it did collapse it resulted in approximately 1.3 billion dollars worth of losses for its customers. What was that number? That was a billion. 1.3 billion dollars worth of losses for its customers. So a huge amount of money. In fact, according to experts, more money was lost in 2022 through Hyperverse than any other alleged crypto scam. It's a big number. Millions and millions was lost. Well, billions. This is an Australian... Yeah, okay. Millions and millions does add up to billions eventually. Well, you need a lot of millions, but yes, okay. I'll give you that. You do.

There are multiple ongoing developments within the Hyperverse ecosystem, and we are very excited to slowly unreveal and share them with you. They certainly put a lot of money into that.

Well, you know, impressive, exciting background music. I think you agree. But here's the thing. Stephen Rhys-Lewis doesn't exist. And we know he doesn't exist because the sleuths at The Guardian decided to do a little bit of digging after Hyperverse basically folded. They thought, well, let's go and speak to the CEO. And so they tried to contact him and they weren't able to contact him. So they went to the University of Leeds and the University of Cambridge. And they said, we've never had anyone here who's a student by that name. Do you know, though, it's weird, right? Because if you called a company up and said, hey, did Steve Reese ever work there? They could say we can't divulge any information on our employees. But universities always cough up, don't they?

Wait, they usually can verify if they will say yes or no if someone has worked there. Isn't that usually, maybe this is a country specific thing, but usually they can just say, yes, that person has worked for us or no, they haven't. They may not say you were a rubbish employee. Yeah, they'll just verify, yes, you worked there. You shat on the carpet or something like that. But they may say, yes, they worked here from these dates.

Okay, interesting. I'm pretty sure. Listeners, if you know different, let us know because I'd love to know the answer to that. So the Guardian contact the universities, no record of it. Nor did any records exist of Stephen Reese Lewis at Companies House, which is where all companies register, or on the US SEC. He didn't even have a LinkedIn profile. And I have to say, if you're going to fake your identity, create a LinkedIn profile. That feels like a sloppy thing to forget.

You did all the other stuff and then not the LinkedIn? Isn't that usually what social engineers go for first, is the fake LinkedIn profile? Wow.

So, the question is, who the hell was this Stephen Rees Lewis guy and what was his background? The Guardian, I was reading this article just a few days ago, not able to find out.

Oh, it's Satoshi Nakamoto, definitely.

They couldn't work it out. But that doesn't mean, of course, that nobody on the internet could uncover the truth. And I found a YouTuber going by this strange name of Nobody Special. So this YouTuber, Nobody Special, he took it upon himself to do a little bit of digging. So he took a screenshot of the Stephen Rhys Lewis CEO announcement video. So he had his face and he loaded it into PimEyes. Now, I think we've spoken about PimEyes before. It's an extraordinarily scary website where you can upload people's images and it will trawl the internet, not looking for that exact image, but actually do a kind of facial recognition. So it will find social media pictures, all kinds of things of who it thinks is the same person. And it can be really, really quite convincing. You know, it's quite reliable. You've done it, right? You've tried it out?

Yeah. Yeah. I've done it. And some people, I think, well, that isn't me. But there's quite a lot. It's like, bloody hell, it has found me here and there. You know, including pictures of me when I was much younger, more handsome, etc., etc.

Anyway, this YouTuber, Nobody Special, he found images of someone who looked very much like Stephen Rhys Lewis. Found images of this guy sprawled drunkenly around in cocktail bars in Bangkok, hanging out with strippers and prostitutes. So not living your typical... I mean, he's clearly quite drunk in these images. And it could definitely not be the Stephen he's looking for. So Pim Eyes isn't saying the name of these people, it's just saying this is an image that looks really similar. Unfortunately none of these pictures did reveal the man in the picture's true identity, right? It didn't say who he was. So what Nobody Special the YouTuber did was he started searching for images of other people seen in these drunken snaps in Thailand cocktail bars alongside our mystery man, assuming they must be his drinking buddies because he'd been photographed. And one of them was a guy called Chris Malton. He found Chris Malton's Facebook page. He was looking through images Chris had posted up on Facebook. And he found one of Chris with one of his mates eating pizza in a Bangkok bar. It was clearly the same guy again, right? It's Stephen Rhys-Lewis. It's the CEO. And it's the same guy who appears in these Thailand cocktail bar pictures as well, right? It's a real roller coaster ride. Okay but the problem is Chris Malton hasn't tagged our mystery man in these photos. Like oh, we're so close now but he hasn't tagged him in the photo, so what's his identity? But the YouTuber who's investigating all this, he saw that the photo had been liked five times. And so he thought, I'll just look to see who liked this. And one of the people who liked the photo was someone with the same face. And that was how they were able to identify Stephen Rhys-Lewis's true identity. So Stephen Rhys-Lewis liked the video that he featured in. He liked a photo of himself with his friend up on Facebook and that's where the link was. And his real name, it turns out, is Steve O'Harrison, originally from Bournemouth, which is a fairly sleepy town on the UK south coast. It's a beautiful place. I used to go there as a kid. I used to go, maybe everyone seemed old when I went there as a kid. Maybe now I'd think they're all youngsters. If it's that boring, I think it's quite a party place now, but it's not Bangkok, right? It's not quite the same. And what this YouTuber did was he compared videos of Steve O'Harrison with Stephen Rhys Lewis, and it's clearly the same voice and it's the same look. In fact, I'll play it now. Here's a bit of Stephen Rhys Lewis speaking, the CEO. Unknown. And we are very excited to slowly unveil and share them with you. And here's Steve O'Harrison. Unknown. I'm currently training for Spartan in three weeks. I'm going down there to do the trail run which is 10k and I think I've done this course before. I would Say that's the same voice, would you not agree? I'm not an expert. I feel this is just crazy research because English people just sound the same. No, no, because people confuse Carole and I all the time, right? I do, I have to say. Yeah, we're actually the same person. We've been meaning to tell you this. Similar, but this feels like the right time. So you know, you suspected it all along. Okay, I admire and appreciate this guy's, this YouTuber Nobody Special's work here. But I'm hoping that there's something a bit more proofy to this story than pure conjecture. Well, I think it's pretty compelling. I'll link to the video so you can check it out for yourself and see if you agree with his evidence. Anyway, he looked up Steve O'Harrison's LinkedIn account, and what you find is it describes himself as a TV presenter and sports pundit, not a cryptocurrency CEO. Well, what do you need to be a qualified cryptocurrency CEO, to be fair? He says this. He says he works alongside international businesses to help front their products and services. It sounds like he's been hired to pretend to be the CEO. He's a rent-a-CEO. Yeah, oh, the twists keep coming. And maybe we should have guessed that because if you look at Steve Reese Lewis's Twitter account, he's pinned a tweet which has a link to the promo video for the Hyperverse. And there's a caption which reads, "where reality ends and imagination begins." And I think that's really the case. Now, interestingly, why have Chuck Norris, Steve Wozniak and other celebrities fallen for this? Why are they endorsing Hyperverse in this video? And what you notice when you check out these endorsement videos by Woz and Chuck Norris is that they're not that professional.

Chuck Norris here. And I want to give a shout out to Hyperverse. Under the leadership of CEO Devin, Hyperverse will be the leader of Metaverse space. This is the dawn of a new beginning with a Metaverse odyssey with endless possibilities. Keep up all the great work and just know you are Chuck Norris approved. Your friend, Chuck Norris.

I was gonna say, you know, remember we were talking about it just before last at the end of the year that rent? Yeah, you pay a fee, Cameo. Yeah, that's the thing, wasn't it? Yep, it was Don Johnson and Elijah Wood or something who were saying things about was it Vladimir Zelinski or something having a drug problem. They'd been tricked into saying things. Well, it seems to be the same thing. So Woz has recorded a video where he's recorded it basically up his own nostrils. And Chuck Norris is a little bit more professional. You'd think Woz would know where his webcam is. But these appear to be Cameo videos. So this company just paid a few bucks. You can normally ask a celebrity, wish someone a happy birthday, or in this case, endorse a cryptocurrency scam. Geez, I thought they vetted those things way more carefully. They usually have a whole list of rules of stuff they won't say. I guess they don't. That's wild. Yeah, but that probably goes direct to the person. And you're like, yeah, sure, I'll read that. I don't care. Probably haven't read it. I need 20 bucks. Chuck Norris needs 20 bucks? What world is this? He roundhouse kicks his 20 bucks into his pocket. Like, why would he need 20 bucks? So Steve Harrison hasn't been collared by the law. As far as I know, he's still out in Bangkok doing whatever he does out there. Someone else allegedly linked to the Hyperverse has been now arrested and charged in the United States. Someone who's known as Bitcoin Rodney. Bitcoin Rodney, also known as Rodney Burton. Bitcoin Rodney. Is that his real first name? Is this a bit like Judge? That's his Christian name, Bitcoin Rodney. He's alleged to have made fraudulent presentations claiming high returns for investors, but it was all obviously a whole load of garbage. So Hyperverse, who would have thought it, we're kicking off 2024 with some cryptocurrency scamming. I suspect there's lots more of this to come. Come on Chuck, get your act together. And Woz, work out where to point your webcam next time. Maria, what have you got for us this week?

I'm amazed that I picked a story, not knowing what yours was about, that is also about AI fraud and a little bit of Bitcoin. Just completely by chance. And I mean that for real. This story, I saw the beginnings of it trickling through on Reddit and the Fediverse of all things a couple of days ago, maybe about a week ago. I don't remember exactly, but right around the new year. And I saw a toot. All right, post. Post? Let's not call them toots. We don't say toot anymore on the Fediverse. I saw an image that looked totally innocuous, and I don't often see a lot of images on my feed on Mastodon because I follow a bunch of nerds, so it's always text only. And it was just like a very normal verification post is what the title said at the top of the image. And the image below was of a youngish woman looking right at the screen, holding up a piece of paper. It's a completely insignificant image that reminds me of the gajillions of these that I've done for. I've done one for Binance, for example, where you have to hold up a government ID, take a terrible selfie, and they run it through. I don't know what they run it through. A person, an automated system, both. And it's supposed to verify that you are who you say you are. And, of course, everyone always looks kind of terrible in these pictures. But that's what this image was. It just says verification post and I'm just wondering why am I seeing this on my Mastodon feed? Like, did somebody make a security boo-boo and post something publicly that they shouldn't have like a credit card? And then I looked a little more closely at the image, just a smidge. And I noticed that the piece of paper that she's holding up to the camera, it has two lines of handwritten notes on it. And the first one was clearly a Reddit username, sorry, a subreddit name. And the second line was a Reddit username, which was u slash your mom.

And I'm going, okay, that's an interesting Reddit username. What is going on here? And then, of course, I did the thing I should have done, which was read the text that came with it. And this was from a user named Nixcraft. And they said this, this is crazy. Stable diffusion created a verification image of someone doing their KYC for a bank or similar. AI will impact know your customer, which is what KYC means, not Kentucky Fried Chicken or whatever I thought it was. AI will impact know your customer identity verification processes. As AI makes it cheaper and easier to impersonate someone's likeness and identity markers, which are often found in a breach, it will become simpler for attackers to take over accounts and steal money, data, impact brands, etc. I was wow that's a great thing to read on my feed first thing in the morning so I did what any good nerd would do is I went straight to Reddit and I wanted to find the original post where this was happening and I went into the rabbit hole on Reddit where this was posted it was on stable diffusion and there's a Reddit user there who was publishing a workflow that I don't know much about AI at this level but it was complicated but not impossible a workflow to create really convincing deep fake identification selfies way more convincing than anything I've ever seen that would take maybe at most a day to fake someone else's government ID and verification image and not only that but there are also video versions of this so if you're thinking well you know could just what's the difference between this and Photoshop there's a very easy way for generative AI to make these know your customer videos that someone could just upload pretty easily to, I don't know, your bank to pretend to be you. And the barrier keeps just dropping on how easy this is becoming. And, you know, this information is posted pretty wildly and widely. But think of all the companies five years ago, everyone that we spoke with, we're talking biometrics. Biometrics are everything, you know, and they invested loads of money in that. And I always hated the idea because you only have one face. So biometrics are dead, effectively, in a lot of ways. TechCrunch also saw the same thing I did. A lot of people saw this on Reddit. And they put an article together that I'm sure we can link in the show notes about this specific thing. And they also included a security research firm called Sensity that said they found that the 10 most popular know-your-customer providers are severely vulnerable to real-time deepfake attacks. So, I mean, I feel an entire industry just got killed off effectively by Gen AI right now. Whether or not you miss it, it's not really here or there. But TechCrunch also included a quote from the chief security officer for crypto at Binance, which is the same thing that I had used for this exact thing. And they said that, yeah, this is very easy for deepfake tools to completely bypass their security measures to pass liveness checks, which is what they call it. So I guess everything needs to go back to in person. It's essentially what I'm taking. Maybe it'll have to be stuff you'll get on the video. Right. And then they're going to have to spew out something unexpected. Like do jumping jacks right now. Oh, my God. Right. Or run around in circles. Yeah. Those Google captchas have already gotten super weird. I got one the other day that was which animal is heavier or something. And I was what the hell is this captcha? So, yeah, they're going to be just going to throw random things at you, find something that's pink in your house right now or something. Wow. Maybe we're going to get to a point where we actually need to physically go somewhere.

Well, that would be great.

Maybe there'll be brokers where you could go to someone in the high street and they have certain security standards. And so you have to go there, present yourself, and they will affirm that you are the...

They've closed all the branches. The branches are all closed.

Well, Carole, what's your answer? Are you going to have a barcode under your armpit or something, which people can scan in? What are you going to do? It's a fascinating problem, and I don't know what the solution is. Does anybody? Unknown. I'm just not going to buy anything again. That's all. I'm not doing anything.

Oh, Carole, your story was heartbreaking. I felt for you. Unknown. Oh, poor Carole. I almost fell for a scam myself, so don't worry. You're not alone. Did you get your money back yet, Carole? Unknown. No, not yet. Watch this space. Sorry. Listen to our last episode, everyone, if you want to hear about Carole's friend Charlotte, who was scammed. I loved your reaction so much. I wanted to tell you right away, and I said, no, keep it for the show. Keep it for the show. Well, okay, Charlotte, what have you got for us this week? Unknown. Okay. Are you guys Airbnb users? Do you use that to rent houses? Or is it VRBO in the States? Do you use that?

VRBO? Yeah. Yeah. I've used them.

Yep. I've used Airbnb. Yeah. A number of times.

Yeah. Right. I'm an Airbnb-er. And for the most part, it's been a pretty good experience. I only rented a place once for one night with a very tightwad buddy of mine. And that experience was not great because we got what we paid for. Sorry about that. Not you. Unknown. So typically, you know, when you're organizing an Airbnb, you back and forth via the Airbnb messaging app. You share basic contact info, pay for the visit, then off you trot, right? And you have a check-in time, right? So imagine you're sitting around the corner from your Airbnb, you know, maybe you're sipping a cranberry juice, Graham. A latte for Maria. Until it's time for you guys to check in. And then you get a call apologizing, saying, look, the planned rental is not possible. And you're panicking a bit, right? Because you are around the corner. And this is going to impact your romantic getaway or, you know, whatever, if you're sleeping on the streets in a far-flung city. And the caller explains, look, sorry, sorry, sorry. The previous guest flushed something down the toilet, flooding the unit. But don't worry, I've got another property until the problem gets sorted. Thank goodness. Right? Thank goodness. It's not ideal. You want the property you booked, but, you know, you're in a tight jam now. These things happen. These things happen. You're going to be terribly nice about it in English. You're not going to complain. You'll say, oh, no. You'll probably be the one apologizing.

I would actually apologize, probably. So I'm sorry that you had to go to the inconvenience. I would do. Honestly, I would. Find me somewhere else to stay. Even though it wasn't my poop that blocked the loo. But despite that, on behalf of everyone who poops, I would like to apologize.

You're going to take that on yourself so gracious such a gentleman oh my goodness but the guy says look look i've got this other place and it's you know it's three times bigger and you'll get it for the same price and he sends you a few pics and the property does look bigger brilliant you know it looks fine and uh you know the guy's like i need to know you book in or you cancelling what do you want to do so you change the reservation by the airbnb app to this new property and off you trot to the new property and it takes you a bit to find it. You're going to take that on yourself. So gracious, such a gentleman.

Like a shed. Like a, like a vamped up shed. It's not like the furniture, it's a bit of a shithole basically. But you're like, it's one night, it's one night.

I can imagine myself apologizing again for this inconvenience cycle. Yeah, yep. Exactly. You'd apologize. Yeah. Yeah. It is a bit of a shame.

And so you're going to go, fuck it. I'm going to go to a hotel. I'll sort this out when I get home. Right. And there were some positive reviews as well. But when you started looking at who they were, it turned out that they were also Airbnbers sharing very similar properties, like perhaps identical. Yeah.

And you can see it's just basically different angles of the same room. And like, it's exactly the same apartment.

Oh, yes. Uh-oh. Okay. So Allie's snooping unveiled five accounts controlling 94 properties in eight different cities that all seemed to be suspiciously run by the same people. Yeah and have nowhere to stay.

Oh nightmare.

Right.

And remember this was back in 2019 and there's an update. Right because according to Daily Beast Joss Dalio, he wrote that Stray, I don't know how you say this last name, it's G-O-E-L.

Goel? Stray Goel. Stray Goel. He's the alleged Airbnb scammer. Oh. And this was because Ali Conti published her very detailed piece in Vice way back in 2019. She got a call from the FBI wanting to hear more. Oh, jeez. So he and his cohorts would contact the lower paying renter at the last second. So he'd rent it to two people. Yeah. The thing that I don't like is, remember, at the beginning when Ali Conti was gathering evidence, Airbnb didn't want to know. Yeah, yeah. But it does show that if you share your story of how you have been scammed or almost scammed, it can help other people.

From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time. And as a special bonus, Smashing Security listeners can get a stonking 20% off Vanta. Just go to vanta.com slash smashing to claim your discount. That's vanta.com slash smashing. And thanks to Vanta for supporting the show. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Well, my Pick of the Week this week is not security related. In fact, it's maybe not even a Pick of the Week. It might actually be a nitpick of the week. Yeah, well, starting 2024 with a bang. Back in the day, I used to work with Carole Terrio at a security firm. And this is just an example of something which niggles me. Because it has to do with percentages. We would do a press release maybe saying the dirty dozen spam spewing countries. And there are a number of anecdotes regarding that. Let's not mention the Pitcairn Islands. But anyway. The trouble we got into with that. But there would be something for instance, you know, India has risen from 28% to 37% of all, as a percentage of all the spam spewed in the last month. Something like that would, you know. A bunch of stupid numbers, as Carole would mention. But it got so much attention every time. It was an easy way of getting coverage for the company we were working for. So we would mention that a number would rise from, I don't know, 5% to 20%. And you'd want to explain that in some way. You have to be careful to say 15 percentage points. It's actually a 300% rise if you go from 5% to 20% because how many fives have you got, right? Sorry for being boring about this. Or is my actual problem, is my actual nitpick of the week with mathematics itself. Because maybe maths should simply be different. Maybe Carole is right, that a rise from 5% to 20% should be able, you should be able to say that's a 15% rise. Yeah, is math real? I have not seen it, but I'll keep my eyes open. I think you might really like it, I really do. Well, mine is a detective series. So for some reason, when my cousin was over during the holidays, we started talking about that show Naked Attraction. Yeah, right. I think we've talked about it in the show, people of old timers out there, you'll remember we've talked about this.

I'm surprised the whole channel hasn't been cancelled. It was basically for exhibitionists, wasn't it? The point of the show was they would pull up a little drawbridge to reveal your gen... Well, it's a dating show where you have three potential dates and you get to gauge which one you choose based on their nude bodies, completely nude, junk and stuff. Nude.

Oh, okay. All right. Because we watched one show and we're like, oh my God, look, look at his penis. And then we got bored. We were scouting around Channel 4 and I found the show called Before We Die. Oh my God, now don't let the name put you off. Yes, I know. Okay, series one opens with D.I. Hannah Lang, that's played by Leslie Sharp, and she launches a manhunt when her secret lover, also a cop, goes missing, right? And then soon it seems that a Croatian mafia-esque family known as the Mamichas are involved. I'm just listening. Normally I'd be on the phone to someone else chatting while you're talking but no on this occasion I'm just listening to you.

Sorry about that. I'm just wrapped. I'm listening.

Okay.

Okay. I found it quite fun and I hated the title Before We Die but we got it from Channel 4 streaming service or failing that if this sounds really boring you can also find Naked Attraction there and you can look at boobies and dongs. Pass. Pass. I'm just giving, you know, no judgment. Just whatever your thing is. Nah. Pass. Rule 34. Mega pass. Well, one of those suggestions was a great pick of the week. We have a one. Could have been a pickle of the week. Who knows? Not a sticky pickle, though. Boom. That just about wraps up the show for this week. Maria, I'm sure lots of our listeners would love to follow you online or find out what you're up to. What's the best way for folks to do that? Unknown. Well, I host a daily show for space professionals called T-Space Daily, which you can find at space.n2k.com. And I also am on Sticky Pickles with Carole. So you can look up either T-Space Daily or Sticky Pickles. Either one, you'll hear my damn voice. Beautiful voice. Tremendous. And you can follow us on Twitter at Smash Insecurity. No G, Twitter and Louse tab a G. And you can also look up the Smash Insecurity subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast apps, such as Apple Podcasts, Spotify and Overcast. And massive shout out to our episode sponsors, Vanta and Collide. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists and the entire back catalogue of more than 353 episodes. Check out smashingsecurity.com. Until next time. Cheerio. Unknown. Bye bye. Bye. Au revoir Maria. Super. Oh thank you for having me on. Always you're beautiful.