Smashing Security podcast #372: The fake deepfake, and Estate insecurity

This is the PayPal security team here. We've detected some unusual activity on your account and are calling you as a precaution. Smashing Security episode 372 the fake deep fake and estate insecurity with Carole Theriault and Graham Cluley hello hello and welcome to Smashing Security episode 372 my name is Graham Cluley and I'm Carole Theriault Carole exciting times for you of course because you are exhibiting at Arts Week, aren't you? Some of your paintings and things. How's that been going?

Well, I'll tell you about it in my pick of the week. How about that?

Oh, terrific. Look forward to it.

All right. But first, we thank this week's wonderful sponsors, Collide, Kiteworks and Vanta. It's their support to help us give you this show for free. Now, coming up on today's show, Graham, what do you got? I'm going to be talking about a telephonic con job. And I'm going to ask, did they fake a deep fake? And if they did, why? All this and much more coming up on this episode of Smashing Security.

Now, chums, there you are at home. And there's a device in the corner of the room, isn't there? A device maybe which might be on a wire, depending on how old you are. Let's hear what noise it makes. It goes... recognize that noise yeah our audience isn't five years old are you going to answer it?

Yeah yeah hello yes Graham.

Okay you answer the phone and a robotic voice speaks it says this is the PayPal security team here we've detected some unusual activity on your account and are calling you as a precautionary message. Please enter the six-digit security code that we've sent to your mobile device.

Graham, this is so apt that you're speaking about this right now. Oh, really? Because I'm in the process of trying to get a new credit card. And, you know, I don't get a lot of these calls, but when I get them and I realize it's a robotic voice, I typically just hang up, right? I just go, oh, God. And this happened, but I hung up too quick. And then I heard that it said the name of the credit card company. And I think they're trying to validate or verify me via my phone now. And yeah. Okay. So carry on. I'm interested.

So you received this call and you think, fair enough. And you look at your mobile phone and beep, beep. Sure enough, you have received a six digit code from PayPal via text message.

Yeah. I can see that working. Okay. Yeah.

So what you do is you switch back to the call where the robot's waiting for you and you go... Yep. And a hacker has just bypassed multi-factor authentication and accessed your PayPal account.

No.

Yeah, yeah. It could have been just as easily your bank account, your credit card, your Amazon account, your email, your cryptocurrency wallet. Shazam! The money has gone.

Right. I hope you're listening, credit card company.

So this is obviously not good. What's happened here is there are online services which will, if you forget your password, for instance, as an additional form of authentication, will text you a number to your smartphone and you then enter that number as you try and log in and it allows you access to the account.

Yeah. I have a number of accounts that do this. Right. And you know, the thing I always think is hilarious is that they send you the number, right? And they say, don't share this with anyone. But then they're requesting it.

So this isn't sharing it with anyone. This is sharing it with PayPal's robot, which has just rung you up. And because it's not someone going, hello, this is, do not worry at all. Because this isn't someone from, maybe I shouldn't do an accent. I'm not sure.

No, definitely you shouldn't do an accent.

Okay. God, how many years? How many years? Because this isn't someone speaking to you saying, oh, you know, this is PayPal, we're about to call you. Because it's a robot saying, this is the PayPal security team. You think, well, that's quite plausible.

No, no, I agree with you. A number of services I use, use this method as an extra level of authentication with me. And it's a valid approach that bona fide companies use all the time. So I can see why you'd fall for it.

And as you said, it doesn't matter that the text message you have received will normally say, do not tell anyone this number. And you think, well, you're only sending me the number because I have to enter it onto a PayPal site or in this case, respond to the so-called PayPal robot. Meanwhile, hundreds or thousands of miles away, the attacker behind this hack has had a message pop up on their screen saying, got another boomer. Now, a boomer is someone...

A whale?

No, no, no, no, no, no. My son has called me a boomer before.

You're not old enough to be a boomer.

Well, I agree. Boomers have to do with the baby boom, right?

Yeah, that's what I know it has to be. That's my parents' age. Wasn't the baby boom around about after World War II? Everyone came back from the war and decided to have sex. As if there weren't enough things going wrong in the world.

Well, they probably weren't tapping that as regularly while they were fighting. I suppose not. But as if life weren't miserable enough, they have a baby, out it pops. But I think baby boomers, they must be at least about 80, around about 80 by now.

Yeah, yeah, my parents' age. Yeah, yeah. Right. Okay. Yeah. So I don't know what I am. You're close to that. Well, I think I'm a product of the summer of love, maybe slightly delayed. I'm sort of- Are you digressing from the story at all?

Possibly I am. Anyway, so this message pops up on the hacker screen saying, "Got another boomer." And it turns out there have been over 93,000 attacks that have taken place like this via a highly secretive service called Estate. Which is a strange name for a cybercriminal site, isn't it? Normally you'd expect it to be, you know.

Warlord Z, dark blood, death to all. Octopus death, star beast. No, it's called Estate. It's named after a station wagon. Oh, and also to give it an elite feel, you know, you're exclusive. We don't just accept anyone in this club.

I think it's largely self-preservation. It's probably like one of those gentlemen's only clubs, which doesn't allow women inside, like the Garrick Club in London.

Well, what would I know about them, Graham?

Well, you wouldn't know anything. Correct. But of course, if women were to join a club like that, it would disrupt all the old fogies. This is absolutely terrible women coming in with all their sort of liberal views.

Vaginas and stuff.

Yeah. Well, exactly. And what a terrible thing. So I think it's about self-preservation. And also, of course, they don't want law enforcement finding out what's going on. To the outside world, if you did stumble across it, it would purport to be a stress testing service. So something which maybe a penetration tester could use or someone setting up a service, something like that.

Like bonafide service that, you know. Yes, yes. Yeah, that security professionals would use. Can I ask a question? Just one thing that occurs to me about the attack you mentioned. This call you receive is not tied to a purchase you have just made. It's not like you have gone to use your PayPal and then it's coming in and verifying that that is correct. Right. So it's just out of the blue. It's out of the blue it happens.

Most likely it would be out of the blue, exactly. And of course, they would choose a service like PayPal because there's a higher chance you will have a PayPal account or an Amazon account or a Gmail or Yahoo account, something like that, rather than one particular bank, for instance.

So it's obviously been very successful, right, these attacks?

Absolutely. It's been successful for the criminals in one way, but very unsuccessful in other ways. Because the database has now been accessed by this security researcher, because Estate had a glaring security flaw of vulnerability. Embarrassing. That exposed its entire juicy database, unencrypted.

Uh-oh. It's a bit like a bank robber accidentally live streaming their heist on Twitch. That's what Estate has done. So every single ne'er-do-well who decided to use this service has their information now in the wrong hands.

It depends what information they gave when they created their account. So it may be an email address or it could be a throwaway address. But also what it appears is that people were writing scripts in order to use Estate in different ways. Maybe to write the script which the robot would speak or other ways in which it would operate. And some of these users were so full of confidence that their information was being held securely that they contained within their code comments and other information which identified themselves. Maybe a copyright message. Oh, yes, this was written by Jim Smith. You know, something like that.

Oh but you know it just goes to show we're all human you know. Everyone screws up even the baddies who sit there and take advantage of you.

Yeah so there's an alarming number of affected users looks like they've been something like almost a hundred thousand attacks and it seems in particular older folks have been targeted I think because they're more likely to answer a random call. So there you are, Carole. You're a youngster. When you get a call and you think, I don't recognize that number, you just hang it up. Or if you hear a robot, you just hang it up. Older people are grateful for a phone call. It reminds them of the old days.

Except that I'm not getting my credit card, right?

Right. Maybe it's my nephew ringing me. Maybe someone's actually remembered I exist.

Oh, maybe he needs money and he's in Thailand and I can help him out.

So follow Carole's advice. Just

hang up. I'm telling you, the future is bright if you just follow my lead. Don't read emails. Don't pick up the phone. Pick up a paintbrush.

Carole, what have you got for us this week?

Do you remember that story, the deepfake of the teen cheerleader fiasco?

Ah, this was a cheerleader's mom or something, or maybe the coach.

Yeah, yeah, yeah. Yeah. Basically, there's been a few developments in this story. So I would want to recap it because it's nuts. The whole story is nuts. It's like a roller coaster and it's still careening about in the media sphere and it's complicated.

So remind me what happened. I don't remember all the details.

So we're going to start with Ali Spone. Okay. It's 2020 and Ali's this cheerleader in the team called Victory Vipers. This is an all-star squad based near Pennsylvania. Okay, yeah. Now, weird fact, weird fact, while I'm researching this story, right, I find out that cheerleading accounts for 65% of spinal or cerebral injuries across all female athletes in America.

Well, I'm not surprised because do you see, have you seen what these cheerleaders do? Yes. They fling each other up into the air and they land on their heads or whatever. I'm not surprised they're doing damage. Well, they do if they miss their stuff, exactly. Yeah. But, you know, they do it for the fame, the glory, the scholarships, right? So it's obviously worth the risk. You can get a scholarship as a cheerleader. Really? Yes. How do you think footballers, you know, they get scholarships for being amazing footballers and baseball players and everything.

I suppose so. I mean, it's still athletics, isn't it?

It is athletic. It's extremely athletic. You should try. Why don't you add that to your box fit routine? You'll be surprised. Well, no, don't. You might hurt yourself. I don't want you to hurt your spine or your head.

So they're, you know, tumbling and jumping away. But things kind of go nuts because someone has sent an incriminating video directly to some of the girls' coaches. And it shows some of Ali's cheerleading squad members vaping and drinking. Right. And kind of not wearing a lot of clothes. And one of the parents contacts the police and reports receiving harassing text messages anonymously that her daughters received these things. And they tell the police they fear the videos could lead to their daughter being kicked off the team.

Yeah, so it'd be bad for the image, I suppose, wouldn't it?

Oh, yeah. Yeah. Totally. Right. And two more families come forward saying their daughters received similar messages. So remember these messages also went to coaches. So they were already aware. Right. And the thing is, is the teens portrayed in the video say, no way, that's not us. This has been totally faked. So the cops go and investigate. And they say they trace the number that was sending the harassing messages. They get that number and they follow the data to an IP address, which showed activity to the house where Ali Spone lives with her parents. Okay. And five male police officers go bang, bang, banging on Spone's front door with a search warrant. They take all the electrics in the house, right? They take the Xbox and the TVs and the computers and the phones and even the chargers and everything. And everyone's scared.

I'm just imagining these five policemen arriving in sort of coordination with pom-poms. Here we go, we're gonna get you. Ooh, hands up. I'd love to be a cheerleader.

I should say that the time between the parents complaining to the cops and this being presented is almost a year, okay, in time. And so presumably cops have been investigating that whole time. Right. We'll find out more about that later. Now, cops, you know, have taken all this stuff. They're combing through all their findings. And they see that mommy's smartphone kind of coordinates with the IP-based evidence. And they think they can link her and the numbers that were used to send the harassing text and images. So basically they're thinking, they made a line there. And they also determined that the videos were deepfakes, just as the girls said, right? Digitally altered images that appear to be authentic. Right. So basically, the accusation is the mom trolled the social media of these girls, doctored the pictures, and then sent them to the coaches and to the girls.

Pretty impressive mom to use that sort of deepfake technology, to be honest. That's, you know.

Yes, Of course, and you know, by the way, she doesn't own a computer at all. So the idea is that she would have done all this on her phone. Okay, right. Impressive.

And I remember the mugshot of the mum that was republished everywhere, wasn't it? When she was caught. She looked she looked a little bit. Well, she looked a bit sinister.

I really feel for people who have mugshots taken because you know, if you had your mugshot taken and you were brought in for whatever, whether they were trumped up charges or not, I doubt it would be the best picture that you would use.

I wouldn't add it to my portfolio.

Exactly. And it's not your choice that it's being sent around to everybody.

No, no, that's true. Like the cops obviously released that, right? So people are appalled, right? How could a mom do this, right? Even Trevor Noah mocks Miss Spone on The Daily Show. So not a cheerleader's mum on her smartphone.

Right. The Daily Dot looked into the deepfake claims and asked about the method used to establish that the videos had been digitally altered. They were asking the cops this, and the cops, they had relied on their naked eye, adding that they hoped Mrs. Spone during the course of the preliminary hearing or trial will enlighten us as far as what her source and intent was. Right. You know, so despite the tech industry citing serious issues, the case burns on. And in March 2022, Spohn was found guilty and convicted on charges that she used secret phone numbers to arrest three girls on her daughter's cheerleading squad. So where is all the deep fake stuff that they headlined in the press? Because she wasn't charged with that. And it seems they dropped those charges just before the trial. Like maybe like you might do if you were the prosecutor and you didn't think that the evidence would hold up to the court.

But the deep fake was the main thing that the police were sort of running with, wasn't it? In terms of the press interviews and things.

Well, isn't that interesting? Yeah. And according to Mrs. Spohn's lawyer in the case, since that infamous press conference, he, the lawyer, said, hey, send them to me. I want to see what we're talking about here. But he never got them. Right. And he was only allowed to see this evidence against his client a year after she was charged. And he found that the nude image was actually a screen grab from Snapchat featuring this cheerleader in a pink bikini that had been blurred out, you know, like in a basic photo editing software on your phone. You'd swipe with a finger rather than any kind of sophisticated AI digital editing.

Oh, I see. So not the use of a deep fake tool, more a use of something like Microsoft Paint. Like using paint choosing the flesh tone and then swiping your finger across the bikini bits is right and it seems that there was no real investigation like the cops basically had taken the victim at her word that the image was made to look as though she had been drinking and vaping when she says she hadn't been but it seems that maybe she had been oh and the image was never deep faked in the first place. A year? Yes.

So the complaints being made. So like, I'm worried about my daughter. She's getting these complaints. I don't want to get it kicked off the team. Tick, tick, tick, tick, tick, tick. Months, months, months, months, months, months.

Yeah. Can you bring it? We're a bit busy. Can you bring it around in 14 months, please? Right. We'll have a look at it then.

But weirdly, by then, the victim had a brand new phone, right? Socials were deleted. So there's no source material anymore to back up these allegations.

It's a bit like these members of parliament who keep on deleting all their old WhatsApps so they can't count them in for the COVID inquiry. It's crazy.

So this is why mama's bone is fighting back right she's bringing a civil action alleging that she was vilified in the press throughout the criminal investigation for something she did not do okay fair enough

Does she admit that she did send some pictures of these girls smoking and drinking

No one really knows right I've seen her say yes and no in two different interviews, okay? But this is what I think happened. It seems that she'd look at her kids' socials once in a while, make sure fair enough. And she sees these pictures of these girls partying and she's like, what are they doing drinking, they're just teenagers. And what are they doing smoking and vaping, what, you know, what's going on. And sent them to the coaches saying, are you aware that this is what some of the girls are doing. And I think the girls didn't like that and basically said they'd been faked and the moms backed them up. And the police got called. This is what I think happened.

Sounds plausible. And then this woman appears in headlines all around the world and have photographs everywhere. Oh, totally. I think her life has been a complete nightmare. She says she has no friends anymore, she lives inside, she never goes out, all the horror show. What a crazy story, unbelievable. And it's not finished yet, deepfake mania, even fake deepfake, I can't even speak deepfake fake. Legacy managed file transfer tools are dated. They lack the security that today's remote workforce demands. Companies that continue relying on outdated technology put their sensitive data at risk. This podcast is sponsored by Kiteworks, who enable organisations to effectively manage risk in every send, share, receive and save of sensitive content. To do that, they've created a platform that delivers content governance, compliance and protection to customers, tracking, controlling, and securing sensitive content as it moves within, into, and out of organizations, all while ensuring regulatory compliance on all sensitive content communications. Kiteworks provides the industry's first private content network for protecting risky third-party communications with secure email, secure file sharing, secure mobile, secure web forms, managed file transfer, and governed SFTP servers. Visit kiteworks.com to get started today. That's kiteworks.com and thanks to them for supporting the show. If you are building a SaaS business, achieving compliance with ISO 27001, SOC 2, or other in-demand frameworks can unlock major growth for your company and establish customer trust. However, this process is often time intensive and costly. You've probably heard us talk about Clyde before, but did you know Clyde was just acquired by 1Password? Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first.

How could I forget? Right. Well, I want you to scrub box fit from your memory. No, I'm guessing you've been in a park.

A bit more than that. Park run is an institution. Park run is a thing which has been going for the last 20 years. It's not in the UK, but it's happening in dozens and dozens of countries around the world now. Okay. Where people meet at nine o'clock Saturday morning and everybody runs for five kilometres. And it is a non-profit thing, you don't have to pay, you just show up in the park and I showed up at my local park the other day to do this and there were probably about 250 people there and off we all went. You run around and it's a lovely community experience. Are you chatting during your run? Are you sitting there going, you know, telling them all about cyber security in the podcast? You pretty quickly realize that you can't talk that much. I remember years ago, Carole, you and I, we used to pop out from that company we used to work for, and we'd pop out for a little jog.

Yep. But typically, I would jog for about 40 seconds and then walk for about two and a half minutes. I said to my partner, when we went out on this park run, I said, look, that's what's going to happen. Of course it is.

There are people there with dogs. There are kids there. There are people with pushchairs. There's all kinds of things going on, right? So I said to her, look, this is what's going to happen because I've never run for more than one minute without collapsing.

Yes, you have. You just don't remember.

Well, I don't think I've ever jogged five kilometres before without stopping, which is what I managed to do. So I did the couch to 5K without actually having to install the app and do anything in between. I basically moved from a couch and jogged five kilometres.

How did you feel the next day?

It was terrific. My quads, I believe they're called, I didn't even know I had quads, are aching a bit. And since then, I went for another run on my own around the local lake, which was about 6.3 kilometres. That was a lot more difficult because there weren't hundreds of people around me, making sure that I went slowly enough. It was pretty good. Pretty good exercise. Well, that's very good. It's excellent. Well, I think that's a good thing. But it is a lovely institution run completely by volunteers, is utterly free of charge, a charity thing, which people perhaps would like to participate in.

Yeah, exactly. Let's check in into the fall.

Or until I discover something else that happens on Saturday mornings. So that park run is my pick of the week.

Excellent. Graham, what's your pick of the week? Art, art, art. So as you mentioned earlier, it's Oxfordshire Art Weeks. It's going on right now. It's a brilliant, brilliant thing where artists open up their studios and their houses to say, hey, this is what I'm working on. And you can buy some stuff and, you know, say hi. And it's just great. And I've been doing it for a number of years. But this year, I helped create an art collective. How groovy is that? So my co-host on Art Musings, Sally Ann Stewart, and I, we founded the East Oxford Art Collective. We're currently 10 members plus a robot. And we already have a waiting list for more artists that want to get on the showcase. And we've been showing our best work in a church hall called Greyfriars in East Oxford as part of this Oxfordshire Art Weeks thing. So, you know, it's a bit of work because you got to coordinate with everybody and, you know, organizing a conference. And you advertise and you go to the press and I even had to buy a tablecloth, all this kind of stuff. And it's Thursday. So we set up on Friday, show kicks off Saturday morning. And I get a few emails. First one from the church saying, oh, I just want you to know, we cleaned up, we moved this stuff, we moved this, we're ready for you. Fantastic. Two hours later, by the way, I just found out that we had the electrics tested yesterday and they failed on everything. Just wanted to let you know.

What? So you can't use electrical light at your art exhibition? Exactly. So my co-host calls me, she goes, have you seen the email? And then we share it with the group and people start freaking out, going, oh my God, because people have put hundreds and hundreds of hours and dollars and stuff into getting prepped for this. Bloody hell.

The first day was about 500 and the second day was quieter, but still crazy. And the feedback's been amazing. Neighbors were coming over saying, we haven't seen this place used in 30 years. And I'm like, I know now because don't touch the electrics. I had one young artist, she was talking to me and she was looking at all my work and then she goes, I just want to live in your paintings. Best compliment ever, best compliment ever. Anyway, so it's been really dramatic but amazing and it's really worth checking out if you're in the neighborhood. So we're open again on this weekend, Greyfriars Church Hall in Oxford. You can go to artweeks.org and you can search for me, Carole Theriault, not Graham Cluley, and you will see all the details. So that's my pick of the week. Hope to see you there if you can.

That's fantastic. And when does the exhibition close?

Yeah, Sunday. So this is last weekend. Saturday, Sunday.

So that'll be Sunday the 19th of May.

Yeah, Saturday 18th, Sunday 19th of May.

Oh, that's fantastic. Well, Carole, first of all, incredible, can I say? Because, I mean, to actually organize something like this with all the challenges it sounds like you've had, quite astonishing.

Yeah, I wasn't alone, but together we really muscled through. We were a pretty amazing team, I think.

Good old Sally, your co-host on the wonderful Art Musings podcast, but also terrific to see your artwork. Anyone who hasn't seen Carole's artwork and isn't able to get to the exhibition, if you go to carole.wtf is Carole's website.

My kind, Graham.

You can see some of the selections there. Well, you know, I hope you can handle the flood of traffic, which is now going to go there. Terrific. Great pick of the week.

Yay.

And that just about wraps up the show for this week. Don't forget, you can follow us on Twitter at Smash Insecurity, no G, Twitter wouldn't allow us to have a G. And you can also ensure that you never miss another episode by following Smash Insecurity in your favourite podcast apps, such as Apple Podcasts, Spotify and Pocket Casts.

And thank you to our episode sponsors, Fanta, Kiteworks and Collide. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalogue, more than 371 episodes, check out smashingsecurity.com.

Until next time, cheerio.

Bye-bye.

Bye-bye. Well done on the old running, mate.

Thank you very much.

Just trying to get a little bit fitter. Type in harder as well. I'm hitting the keys harder than ever because I reckon that could be a good way to burn calories.

That's a good way of getting RSI, actually, so be careful with that.

Oh, that's true. I need one of those big mechanical keyboards, one which you have to literally jump up and down on every key to hit.

I'm sure that exists. I'm sure you'd get a floor one, right? Like a floor mat, like those dance mats. Like Dance Revolution.

Wouldn't that be cool?

TM Colterio! TM Colterio! Oh, you've trademarked it. Damn.