What do a sleazy nightclub carpet, Google’s gaping privacy hole, and an international student conned by fake ICE agents have in common? This week’s episode of the “Smashing Security” podcast obviously.
Graham explains how a Singaporean bug-hunter cracked Google’s defences and could brute-force your full phone number. Meanwhile, Carole dives into a chilling scam where ICE impersonators used fear, spoofed numbers, and… Apple gift cards to extort terrified migrants.
Plus: Nazis, door safety, and the age-old struggle of telling Ralph Fiennes from Liam Neeson.
All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
There you are mid-dance and then suddenly you stop. There is the person of your dreams leaning against the wall in the corner nonchalantly nibbling on a couple of toothpicks.
And you think—
And you think—
A couple of toothpicks.
You think to yourself, I want them to want me. Does that at all sound familiar to you? No. Rack your memory, Carole.
Do you have a specific memory in mind that I'm not remembering?
Oh, no, no.
Okay.
No, no, no, no, no.
Okay, good.
Don't panic. Smashing Security, episode 421. Toothpick flirts, Google leaks and ice scammers with Carole Theriault and Graham Cluley. Hello.
Hello and welcome to Smashing Security, episode 421. My name's Graham Cluley.
Hello and welcome to Smashing Security, episode 421. My name's Graham Cluley.
And I'm Carole Theriault.
What's coming up on the show this week, Carole?
Well, first, let's thank this week's wonderful sponsors, Flair, Drata, and Vanta. It's their support that help us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
Now, coming up on today's show, Graham, what do you got?
I'm going to be talking about how hackers could have shimmied through Google's defenses to steal your phone number.
And I'm looking into a hidden problem in ICE's immigration directives. All this and much more Ransomware coming up on this episode of Smashing Security.
Now, chums, chums, question for you, and I suppose specifically for you, Carole Theriault. Do you remember your younger Footloose days when you were fancy free?
Certainly do.
You think of them fondly, right?
Well, I have a pretty good life now too, as well. In many ways.
That's good. I'm talking about the days when you'd shimmy and groove around to the latest hits at the discotheque, strutting the dance floor, doing the Harlem Shuffle.
We were recently talking about a club that was nearby called Sticky's, and it was called Sticky's because the carpet was so disgusting.
They had a carpet and it would be full of beer and gum and whatever, because people smoked back in the old days. It's just disgusting. And you would actually stick to it.
So you never fell over.
They had a carpet and it would be full of beer and gum and whatever, because people smoked back in the old days. It's just disgusting. And you would actually stick to it.
So you never fell over.
Yeah, absolutely. Well, but I can picture you there. I can picture you and there you are mid-dance and then suddenly you stop.
There is the person of your dreams leaning against the wall in the corner, nonchalantly nibbling on a couple of toothpicks. And you think—
There is the person of your dreams leaning against the wall in the corner, nonchalantly nibbling on a couple of toothpicks. And you think—
A couple of toothpicks—
You think to yourself, I want them to want me. And so you boogie over in their direction and you slip your business card into their pocket and you say, call me.
And on the card, of course, is your phone number. Does that at all sound familiar to you?
And on the card, of course, is your phone number. Does that at all sound familiar to you?
No.
Rack your memory Carole.
I think Google me.
These are the days before Google.
Do you have a specific memory in mind that I'm not remembering?
No. No, no.
Okay.
No, no, no, no, no.
Okay, good.
Don't panic. Anyway, you would then shuffle away from them, thinking shuffle?
Yeah, yeah, on my hands and knees.
What am I like with your zimmer frame? I mean, your work was done and that's how people got each other's numbers in the good old days, wasn't it?
No, people did not do business cards. What are you like?
Did they not? But they exchanged numbers, didn't they? They exchanged numbers in some fashion.
Yeah.
Now, breaking news, times have changed. I'm not sure you today would feel happy giving anybody your number these days.
No.
I'm also thinking probably other people wouldn't be happy to get your number either these days. I don't know. I mean, it's— that's a little bit unfair perhaps.
But you know, what is a fella to do? If he falls for the charms of a cybersecurity podcast co-host and amateur artist who's doing a line dance down at the club, down at Sticky's.
But you know, what is a fella to do? If he falls for the charms of a cybersecurity podcast co-host and amateur artist who's doing a line dance down at the club, down at Sticky's.
Sorry, amateur?
All right.
I am in the Oxford Art Society, darling.
How are they supposed to make contact? Well, maybe—
They could just say hi.
They could just say hi.
And then say, hi, hi, you look nice. Yeah, you look nice too. Do you want to do coffee sometime? Yeah, sure.
Where?
Why don't we meet down at the cafe on blah blah street? Okay, I'll see you there at 3 tomorrow.
Bye. Okay, but what if they're a bad guy?
Okay.
What if they don't want to announce that they're after your number?
Okay.
Maybe they could just ask Google what your number is, and maybe, just maybe, Google would just spit it out at them.
Because an awful lot of people, as you probably know, have Google accounts.
Maybe people created their Google account when they got their Android phone, or when they created a YouTube account, or because they use Gmail for their email.
In fact, it's estimated there are between 2 and 3 billion Google accounts. That's billion with a b-b-b-b-b-b.
Because an awful lot of people, as you probably know, have Google accounts.
Maybe people created their Google account when they got their Android phone, or when they created a YouTube account, or because they use Gmail for their email.
In fact, it's estimated there are between 2 and 3 billion Google accounts. That's billion with a b-b-b-b-b-b.
Yeah.
And of course, you don't want to lose access to your Google account. It could be the heart of much of your online persona.
And so— Oh God, how sad is that?
But you know, think about it. It's where you keep all your information. It's where you've got your contacts, maybe. It's where, you know, your phone is linked to it and your email.
And that would be a big problem, losing access to that.
And so you might have given Google your phone number in the past as an emergency backup measure if you ever forget your Google password. Right.
And that would be a big problem, losing access to that.
And so you might have given Google your phone number in the past as an emergency backup measure if you ever forget your Google password. Right.
Multifactor authentication system. Yeah.
Well, that's, that's one thing you could do. Yeah. You can have multifactor authentication so that when you log in, you could ask it to SMS you a code.
Not sure we always recommend that particular method of multifactor authentication.
Not sure we always recommend that particular method of multifactor authentication.
Better than not doing anything though.
Better than nothing.
Better than nothing.
But you can also use it as an emergency backup. So if you do lose your password, you say, "Oh, I'm in a pickle here, Google. I told you my phone number 8 years ago.
I'm gonna enter it again. You text me the code and I'll get back into my account." Okay?
But you would think that if you gave that number to Google for that purpose, just as an emergency backup measure, they would keep it private.
I'm gonna enter it again. You text me the code and I'll get back into my account." Okay?
But you would think that if you gave that number to Google for that purpose, just as an emergency backup measure, they would keep it private.
Yes, 100%. I would assume, expect, want, desire that. Yes.
Not so fast. Because somebody found a sneaky way to figure out your full phone number. Not just yours, Carole, but anybody's.
I don't answer my phone. It's going to be a waste.
That's true. It would be useless to have your phone number.
I should write a book, I think, you know, how to live like Carole, because it's turning out it's working for me. Yeah.
They found a way to get your phone number even if you never shared it publicly. A security researcher from Singapore going by the name of BruteKat.
He also sometimes called himself Skull. He is a bug hunter. He finds vulnerabilities. He finds security holes and flaws and stuff. And then he tells companies about them.
And if he's lucky, he gets a payout from those businesses for finding the flaw rather than making millions of dollars by exploiting it for malicious ends.
And this, of course, is a great way for software companies to fix problems. You know, it's worth it for them to run a bounty program.
Hopefully before the bad guys can exploit the flaws. You know, you find the flaw, you fix it, hopefully before the bad guys get it.
And BruteKat found three little bugs in Google systems that when used together transformed themselves into a huge privacy problem. I'm not going to explain to you what it was.
Now, we all know Google does much more than search. People say, "Google me, Google me," and you just think Google is a search company. It's much more than that.
Google has got Google Ads, there's Google Drive, there's Android, there's Gmail, there's Google Chrome, there's YouTube, there's Google Maps, there's Google Gemini, whole heap of things that they do.
And chances are that most of us could name maybe, I don't know, half a dozen or maybe a dozen different things that Google does, but actually they do scores of different things.
He also sometimes called himself Skull. He is a bug hunter. He finds vulnerabilities. He finds security holes and flaws and stuff. And then he tells companies about them.
And if he's lucky, he gets a payout from those businesses for finding the flaw rather than making millions of dollars by exploiting it for malicious ends.
And this, of course, is a great way for software companies to fix problems. You know, it's worth it for them to run a bounty program.
Hopefully before the bad guys can exploit the flaws. You know, you find the flaw, you fix it, hopefully before the bad guys get it.
And BruteKat found three little bugs in Google systems that when used together transformed themselves into a huge privacy problem. I'm not going to explain to you what it was.
Now, we all know Google does much more than search. People say, "Google me, Google me," and you just think Google is a search company. It's much more than that.
Google has got Google Ads, there's Google Drive, there's Android, there's Gmail, there's Google Chrome, there's YouTube, there's Google Maps, there's Google Gemini, whole heap of things that they do.
And chances are that most of us could name maybe, I don't know, half a dozen or maybe a dozen different things that Google does, but actually they do scores of different things.
Mm-hmm.
And they have lots and lots of esoteric services and products, and one of them is something called Looker. Have you ever heard of Looker?
No, no, no.
I hadn't heard of Looker before today either. Google acquired Looker back in 2019 from another firm, and it's an enterprise platform for business intelligence data applications.
Now you understand why we've never heard of it. Sounds really, really boring. It's now part of the Google Cloud Platform.
And most people have never heard of it, but it has heard of you because being part of the Google ecosystem, it knows about your Google account so you can log into it if you wanted to.
And if someone creates a business intelligence report in Google Looker and tries to transfer it, it's one of the things you can do, transfer it to someone else's Gmail address.
So you can sort of say, "Oh, could you share it? Could you chuck it over to this other person who I'm working on this report with?"
Now you understand why we've never heard of it. Sounds really, really boring. It's now part of the Google Cloud Platform.
And most people have never heard of it, but it has heard of you because being part of the Google ecosystem, it knows about your Google account so you can log into it if you wanted to.
And if someone creates a business intelligence report in Google Looker and tries to transfer it, it's one of the things you can do, transfer it to someone else's Gmail address.
So you can sort of say, "Oh, could you share it? Could you chuck it over to this other person who I'm working on this report with?"
You're right.
Okay. It doesn't just show you their Gmail address. It also shows you that person's full name right back at you, even if you don't know them.
So this is the name which you associated with your account when you created your Gmail account. It's not just your email address.
So this is the name which you associated with your account when you created your Gmail account. It's not just your email address.
And also unlikely to be a pseudonym, right? Or sexycat49 or something.
Which, of course, is your Gmail address.
It is!
So that isn't great privacy for starters, and it's pretty creepy if you're trying to remain anonymous with your Gmail account.
And people do, of course, create Gmail accounts anonymously and with the thought that Google isn't going to spill the beans.
And people do, of course, create Gmail accounts anonymously and with the thought that Google isn't going to spill the beans.
Oh, that's a good point. Yes. Maybe to do nefarious stuff or—
Or maybe for completely legitimate reasons they want to remain private. Maybe they're sharing sensitive information online. All kinds of things.
Sure, you don't necessarily want everyone knowing your business. But how does that help someone get your phone number? So they've got your name now. They know your email address.
But how do they now get your phone number? Well, there's a page on Google's website where you can try to recover access to your account.
And it will confirm if a specific account display name like John Smith rather than Sexy Cat 49 is associated with a recovery email address or a phone number.
Sure, you don't necessarily want everyone knowing your business. But how does that help someone get your phone number? So they've got your name now. They know your email address.
But how do they now get your phone number? Well, there's a page on Google's website where you can try to recover access to your account.
And it will confirm if a specific account display name like John Smith rather than Sexy Cat 49 is associated with a recovery email address or a phone number.
Okay.
So, you know the name, you know the email address, you don't know the phone number. If you go to that webpage, Google will ask you, well, enter the name, right?
It's trying to confirm if you really own the account. So, you enter the email address, say, I can't get into this. And it says, well, what's the display name associated with it?
It's trying to confirm if you really own the account. So, you enter the email address, say, I can't get into this. And it says, well, what's the display name associated with it?
Yeah. Right?
You put that in. Yep.
And then Google will show you the last 2 digits of your phone number and it will say, I'm gonna text you at your recovery phone number, the magic code to regain access to your account, right?
So it doesn't show you the full phone number very sensibly, but it tells you the last 2 digits. So if you've got a few different phones, you say, oh, that's going to this phone.
And then Google will show you the last 2 digits of your phone number and it will say, I'm gonna text you at your recovery phone number, the magic code to regain access to your account, right?
So it doesn't show you the full phone number very sensibly, but it tells you the last 2 digits. So if you've got a few different phones, you say, oh, that's going to this phone.
Mm-hmm.
Now what you could try to do with that information is you could try to visit that page multiple times.
And brute force your way through, trying to think of every possible combination as to what the full phone number might be.
And brute force your way through, trying to think of every possible combination as to what the full phone number might be.
Mm-hmm.
But Google is smarter than that. And after a few goes, Google will chuck up a CAPTCHA, one of those bot checkers.
Yeah.
And it asks you to prove that you're human and not a bot.
But what BruteKat did, this security researcher, is he discovered he could get through Google's rate limiting protection by using a couple of techniques, including different IPv6 addresses for each request.
So different IP addresses. And it wasn't picking up that he was doing this multiple times.
But what BruteKat did, this security researcher, is he discovered he could get through Google's rate limiting protection by using a couple of techniques, including different IPv6 addresses for each request.
So different IP addresses. And it wasn't picking up that he was doing this multiple times.
Right.
Which meant he could go enough times to complete and get the right phone number.
How many times would that be? Do they only just give you the last 2 digits every time you kind of—
They only give you the last 2 digits.
So you've gotta hammer it what, 8 billion times? What's the number? A lot.
Not 8 billion because different countries have different numbers of digits in their phone numbers. So this guy is based in Singapore, for instance.
And what he found was in the Netherlands and Singapore, numbers could be brute-forced in seconds. In the UK, it took 4 minutes.
In the United States, it takes roughly 20 minutes on the computer system which he set up. So not very expensive.
And he could do this by renting a server at a cost of about 30 cents per hour. So he could do this en masse.
And what he found was in the Netherlands and Singapore, numbers could be brute-forced in seconds. In the UK, it took 4 minutes.
In the United States, it takes roughly 20 minutes on the computer system which he set up. So not very expensive.
And he could do this by renting a server at a cost of about 30 cents per hour. So he could do this en masse.
You sound a little impressed with this guy, Graham.
Well, it is an impressive thing to find, right? And thankfully, he's not being malicious because—
That's true, yeah.
We have seen lots of hackers in the past who would have taken this kind of, you know, phone numbers are really considered highly sensitive information because they're kind of information which is used for social engineering attacks, SIM swap attacks, where a hacker hijacks your phone number.
They could break into accounts, they could even pretend to be company employees and phish you with fake texts or calls, et cetera.
So we have in the past said you shouldn't use SMS-based multifactor authentication because of SIM swap attacks, but use an authentication app or a physical hardware key instead.
But sites like Google do give you this recovery method with your phone number. So I think it's probably okay to use your phone number for account recovery.
That feels like a reasonable thing, provided the tech companies don't reveal your ruddy phone number.
They could break into accounts, they could even pretend to be company employees and phish you with fake texts or calls, et cetera.
So we have in the past said you shouldn't use SMS-based multifactor authentication because of SIM swap attacks, but use an authentication app or a physical hardware key instead.
But sites like Google do give you this recovery method with your phone number. So I think it's probably okay to use your phone number for account recovery.
That feels like a reasonable thing, provided the tech companies don't reveal your ruddy phone number.
Ruddy.
Yes. So Google has slipped up. They made it too easy to find out what someone's phone number is.
Tell me this, are they owning up to it? Are they going, oh God, that was a really bad oversight on our part. Let's get down to that. Sorry, folks, we're on this.
They have. They have. So BruteKat told Google about this in April. They've just patched it. It's now June, and they gave BruteKat $5,000 as a reward for his hard work.
That's disgusting.
It's not very much money, it feels to me, for such a huge problem.
Add a zero, Google.
They could afford to, couldn't they?
Add two zeros. He would have got more money from the Daily Mail.
Now, this isn't actually the first time that BruteKat has found this kind of problem at Google.
Back in February, Google fixed two vulnerabilities that BruteKat found, which revealed the email addresses behind YouTube channels.
Again, a big privacy problem because there are YouTube channels.
Again, you may be sharing sensitive information on YouTube and not want certain parties to know who the hell you are.
Back in February, Google fixed two vulnerabilities that BruteKat found, which revealed the email addresses behind YouTube channels.
Again, a big privacy problem because there are YouTube channels.
Again, you may be sharing sensitive information on YouTube and not want certain parties to know who the hell you are.
What are you doing on YouTube?
Well, what's anyone doing on YouTube? What are you talking about?
Well, what do you mean sensitive bits? Do you mean they're watching?
Oh, like whistleblowing, or if you are—
Oh, okay, okay.
Yeah. If you had a political point of view or something, there may be a regime which is trying to shut you down.
If you're able to exploit vulnerabilities to find out who someone actually is or get a lead like that, big, big problem.
So I guess the moral is, just because a company is huge like Google doesn't mean their systems are perfect.
Luckily this time it was a good hacker who seemed to have found the hole first. So thank goodness for BruteKat.
If you're able to exploit vulnerabilities to find out who someone actually is or get a lead like that, big, big problem.
So I guess the moral is, just because a company is huge like Google doesn't mean their systems are perfect.
Luckily this time it was a good hacker who seemed to have found the hole first. So thank goodness for BruteKat.
Please be a good guy.
Carole, what's your story this week?
Okay, so right now, a big news item on both sides of the pond and probably in many parts of the world is in the US and its current approach to dealing with immigration.
Oh, yes.
Right. For the last few days, LA has been in disarray protesting the new immigration directives.
According to the IB Times, the immigration crackdown is reportedly driven by directives from the administration. And they name-check Deputy Chief of Staff Stephen Miller.
And he's said to have pushed a policy of mass arrest with a focus on increasing deportation numbers regardless of criminal records.
So ICE officials apparently have been openly discussing their goal of arresting at least 3,000 migrants daily.
According to the IB Times, the immigration crackdown is reportedly driven by directives from the administration. And they name-check Deputy Chief of Staff Stephen Miller.
And he's said to have pushed a policy of mass arrest with a focus on increasing deportation numbers regardless of criminal records.
So ICE officials apparently have been openly discussing their goal of arresting at least 3,000 migrants daily.
Wow.
A figure that would constitute a significant increase over previous efforts. And there are reports of increasing raids in workplaces. The yada, yada, yada is just not very nice.
And our current gold-toned buffoon sporting chief of the USA wants strong hands to deal with these naysayer protesters and sent in the National Guard to deal with the problem in LA.
And our current gold-toned buffoon sporting chief of the USA wants strong hands to deal with these naysayer protesters and sent in the National Guard to deal with the problem in LA.
Right.
All without the okay from state honchos. So it's messy and it's getting worse.
Yes.
He then ordered active duty US Marines—this is the latest as of this morning—and 2,000 more National Guard troops into LA following those protesting immigration arrests would be hit harder than ever.
Right?
And then we have the governor of California, Gavin Newsom, who slammed this move, posting on X that US Marines shouldn't be deployed on American soil facing their own countrymen to fulfill the deranged fantasy of a dictatorial president.
This is un-American. Right? So messier, messier, and messier.
Right?
And then we have the governor of California, Gavin Newsom, who slammed this move, posting on X that US Marines shouldn't be deployed on American soil facing their own countrymen to fulfill the deranged fantasy of a dictatorial president.
This is un-American. Right? So messier, messier, and messier.
Yep. He's not a Trump fan, is he?
No, no. Well, you know, some people aren't, Graham. Some people aren't.
You don't say.
According to the BBC just today, Tuesday, demonstrators in a number of other U.S. cities have joined LA in protesting the immigration raids.
Protesters were filmed on Monday in Boston, Houston, Philadelphia, as demonstrators entered their fourth day in LA. Okay, messy, messy, messy, messy, messy, messy.
So with all this going on, with all this attention being paid to this, what is a lowly scammer to do? Graham?
I mean, how can a scammer capitalize on this situation and make it, you know, good for them, maybe worse for everybody else?
Protesters were filmed on Monday in Boston, Houston, Philadelphia, as demonstrators entered their fourth day in LA. Okay, messy, messy, messy, messy, messy, messy.
So with all this going on, with all this attention being paid to this, what is a lowly scammer to do? Graham?
I mean, how can a scammer capitalize on this situation and make it, you know, good for them, maybe worse for everybody else?
I could—so, okay, so I'm imagining I'm a scammer, right? And I'm going to take advantage of this situation.
Maybe I could spam out a message saying, would you like convincing identity documents? Or, you know, something like that, which I could sell people, right?
Maybe I could spam out a message saying, would you like convincing identity documents? Or, you know, something like that, which I could sell people, right?
I'm sure that exists. Yeah.
Yeah, I'm sure it does. So I could do that, maybe.
Maybe I could dress up as a policeman, as a member of ICE, and—Oh, I was going to do something maybe involving a singing telegram.
But no, maybe that's not what people—People don't want one.
Maybe I could dress up as a policeman, as a member of ICE, and—Oh, I was going to do something maybe involving a singing telegram.
But no, maybe that's not what people—People don't want one.
That's not what people expect from ICE, I don't think.
Well, I'm just thinking there will be some people who would be amused in the office if someone turned up saying, "We're going to deport you," and then they actually sing you a song?
Oh, I was thinking of an ice stripper, Graham, or something.
Could we in any way link it with Vanilla Ice?
No, I'm sorry.
And Ice Ice Baby?
Okay, I'm moving on. What about posing as an ICE agent and maybe scaring the crap out of people to the point where they pay you to go away?
Oh, God. Yeah, that—I can imagine that working. Yep.
So meet Shreya Bedi. She's an international student from India. She comes to the U.S. on an F-1 visa in 2022 so she could do a master's at Indiana University.
This is all according to Newsweek. Ms. Bedi's dream: work at a product company as a UX designer. Okay, fair enough.
This is all according to Newsweek. Ms. Bedi's dream: work at a product company as a UX designer. Okay, fair enough.
Okay.
But her world was rocked on May 29th this year when she received a call from ICE officers. Or dweebs purporting to be officers. These guys weren't idiots though.
They handed over their badge number and name and told Ms. Bedi to verify his office details by going to the ice.gov website and looking up the office in Maryland.
They handed over their badge number and name and told Ms. Bedi to verify his office details by going to the ice.gov website and looking up the office in Maryland.
Yes.
And Ms. Bedi confirmed it was the same phone number that the scammer or the ICE officer was calling from.
So she didn't call the Maryland office, but she saw that the number they'd given her was of the Maryland office. She confirmed—
Correct, because she's still on the phone with these guys.
Yeah, of course, of course, right?
They knew Miss Betty's port of entry because remember she's on a visa here, right?
So they knew her port of entry, her academic background, where she was from in India, and where she studied.
The scammer pretending to be the ICE officer kept her on the phone for 3 hours according to Newsweek, warning her not to hang up and not to contact anyone, saying her phone was being monitored.
So they knew her port of entry, her academic background, where she was from in India, and where she studied.
The scammer pretending to be the ICE officer kept her on the phone for 3 hours according to Newsweek, warning her not to hang up and not to contact anyone, saying her phone was being monitored.
Oh my goodness.
A second scammer then calls Miss Betty from another spoofed number claiming to be the police department in the area and said that there was a warrant for her arrest unless ICE confirmed the case was under investigation.
Newsweek quotes Betty: "I feel completely trapped because they kept me on the phone for 3 straight hours repeatedly warning me that hanging up or contacting anyone would violate my case and make things worse.
I was too scared to risk it." The scammers then told her to buy Apple and Target gift cards.
Newsweek quotes Betty: "I feel completely trapped because they kept me on the phone for 3 straight hours repeatedly warning me that hanging up or contacting anyone would violate my case and make things worse.
I was too scared to risk it." The scammers then told her to buy Apple and Target gift cards.
I'm laughing. I'm laughing.
But I know, I know, I know. And I want to deal with that in a second. Okay, so there must be at this point, you must tweak, right?
Especially if you're doing a master's somewhere, you must tweak.
Especially if you're doing a master's somewhere, you must tweak.
I know. But if you've been on the call for hours though, maybe you're in such a state at this point.
Yes. And you're scared.
Yes.
Out of your wits.
Because you think you're going to get kicked out of the country.
Yeah. So gift cards totaling $5K, $5,000, and to share the codes over the phone to prove that she'd got them.
The scammers then told her a police officer would collect the cards the next day. But of course, that never happened because they now had the codes.
The scammers then told her a police officer would collect the cards the next day. But of course, that never happened because they now had the codes.
Right.
And somehow these guys convinced Miss Betty that she was violating immigration laws, saying that she had not sent her administration number.
They pressured her into paying, you know, these payments to avoid arrest and threatened deportation. And what duped her was how much information they had on her.
Remember she said, you know, they knew her port of entry, academic background. At that point, she must have thought they were officials.
But at the point when they started saying, "Can we have some gift cards, please?" she might just be thinking... Also, she's an international student, right?
What does she really know about the workings of America? She's looking at all this craziness going on TV with immigration in the papers.
They pressured her into paying, you know, these payments to avoid arrest and threatened deportation. And what duped her was how much information they had on her.
Remember she said, you know, they knew her port of entry, academic background. At that point, she must have thought they were officials.
But at the point when they started saying, "Can we have some gift cards, please?" she might just be thinking... Also, she's an international student, right?
What does she really know about the workings of America? She's looking at all this craziness going on TV with immigration in the papers.
Well, exactly. Who can keep track of it all if it's not your job?
You know, she says she and others don't fully understand the system, how it works.
And when you read in the news about immigration crackdowns and students being sent home, you're nervous.
And that nervousness is exactly what I think these little scammers are banking on. And even if she twigged it was fake, the guy knew stuff about her, right?
And scared the poop out of her. And it's not someone you'd want to mess with. So by the time they're asking for vouchers, you might just be saying, "I just want to pay and get out."
And when you read in the news about immigration crackdowns and students being sent home, you're nervous.
And that nervousness is exactly what I think these little scammers are banking on. And even if she twigged it was fake, the guy knew stuff about her, right?
And scared the poop out of her. And it's not someone you'd want to mess with. So by the time they're asking for vouchers, you might just be saying, "I just want to pay and get out."
Yep.
Now, Miss Betty is not the only victim. And my gut says this is going to get worse.
Way back in March, there were reports of individuals posing as federal immigration agents being on the increase across the country.
Even prompted officials to warn immigrant communities to be aware of their rights and take steps to protect themselves from ICE impersonators.
And a question to you, Graham, how the heck do they do that? How does a frickin' immigrant protect themselves from ICE impersonators? Tell me.
Way back in March, there were reports of individuals posing as federal immigration agents being on the increase across the country.
Even prompted officials to warn immigrant communities to be aware of their rights and take steps to protect themselves from ICE impersonators.
And a question to you, Graham, how the heck do they do that? How does a frickin' immigrant protect themselves from ICE impersonators? Tell me.
I would like to think that this federal department has an office somewhere you can contact and an official website. Which she checked?
Well, she checked and she verified the phone number, didn't she?
Well, she checked and she verified the phone number, didn't she?
Yeah, is that—that's not enough?
It seems it isn't.
You see, that's my point.
It's and the real pickle is this, you have an immigration service at the moment that's probably not allowed to allocate any resources to finding people that have been duped that are on visas or with immigration status.
So what a perfect target. I don't know. Anyway, it's just yucky.
It's and the real pickle is this, you have an immigration service at the moment that's probably not allowed to allocate any resources to finding people that have been duped that are on visas or with immigration status.
So what a perfect target. I don't know. Anyway, it's just yucky.
But maybe, maybe we just got to keep on saying out loud that anyone who asks you for Target gift cards and all these other, you know, Apple—
Yeah, but they asked for that later on. So maybe you've shared information already. That's the other thing.
During that three-hour process, are they not quizzing her and getting more information because they're pretending to be officials?
During that three-hour process, are they not quizzing her and getting more information because they're pretending to be officials?
Yeah, I guess.
And so then you're going, oh my God, I've given them access to everything. I don't know. Anyway, it's a scary thing.
I don't really have advice here other than, you know, be wary, be careful. Boy.
There are lots of threats out there affecting businesses, but what if you could see them all and exactly how they impact your organization all in one place?
I don't really have advice here other than, you know, be wary, be careful. Boy.
There are lots of threats out there affecting businesses, but what if you could see them all and exactly how they impact your organization all in one place?
Well, with Flare, you can.
Flare gives security teams real-time visibility into cybercrime forums, Telegram channels, Stealer Logs, and darkweb marketplaces so you're not blindsided by the threats.
Flare gives security teams real-time visibility into cybercrime forums, Telegram channels, Stealer Logs, and darkweb marketplaces so you're not blindsided by the threats.
Flare helps you prioritize real risks and kick off remediation fast so your team can move from awareness to action before any damage is done.
Think of Flare as your exposure management platform built to help you detect, prioritize, and respond with lightning speed.
Think of Flare as your exposure management platform built to help you detect, prioritize, and respond with lightning speed.
Sign up now for free. At smashingsecurity.com/flair. That's smashingsecurity.com/flair.
And thanks to Flare for sponsoring the show.
Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.
Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
You see, Vanta allows your company to centralize security workflows, complete questionnaires up to five times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.
So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff.
Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A, dot com, slash smashing. And thanks to Vanta for sponsoring Smashing Security.
If you're leading risk and compliance at your company, you're likely wearing ten hats at once, managing security risks, compliance demands, and budget constraints, all while trying not to be seen as the roadblock that slows the business down.
Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A, dot com, slash smashing. And thanks to Vanta for sponsoring Smashing Security.
If you're leading risk and compliance at your company, you're likely wearing ten hats at once, managing security risks, compliance demands, and budget constraints, all while trying not to be seen as the roadblock that slows the business down.
But GRC isn't just about checking boxes. It's a revenue driver that builds trust, accelerates deals, and strengthens security.
That's why modern GRC leaders turn to Drata, a trust management platform that automates tedious tasks.
So you can focus on reducing risk, proving compliance, and scaling your program.
That's why modern GRC leaders turn to Drata, a trust management platform that automates tedious tasks.
So you can focus on reducing risk, proving compliance, and scaling your program.
With Drata, you can automate security questionnaires, evidence collection, and compliance tracking.
You can stay audit-ready with real-time monitoring, and you can simplify security reviews with Drata's Trust Center and AI-powered questionnaire assistance.
You can stay audit-ready with real-time monitoring, and you can simplify security reviews with Drata's Trust Center and AI-powered questionnaire assistance.
Instead of spending hours proving trust, build it faster with Drata. Ready to modernize your GRC program? Visit drata.com/smashing to learn more. That's drata.com/smashing.
And welcome back.
And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something that they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Better not be.
Well, my pick of the week this week. Carole, you said, don't worry, pick of the week is going to cheer us up. Yeah.
And I don't know quite why, but recently I've been thinking a fair bit about Nazis. Oh.
And I don't know quite why, but recently I've been thinking a fair bit about Nazis. Oh.
And that sounds super cheery.
As you know, there are a few movies that I've never seen. And it's time for me to catch up with.
And so yesterday I was in the mood and I said to my lovely partner, I said, well, you know, maybe we should watch a couple of movies or something.
And so there's two movies which we watched, neither of which I've ever seen before. One of them was Conspiracy, a made-for-TV drama from 2001 with Kenneth Branagh.
And so yesterday I was in the mood and I said to my lovely partner, I said, well, you know, maybe we should watch a couple of movies or something.
And so there's two movies which we watched, neither of which I've ever seen before. One of them was Conspiracy, a made-for-TV drama from 2001 with Kenneth Branagh.
Yes.
Stanley Tucci and Colin Firth.
I love that film. I remember seeing that years, a decade ago. I love it. I love it. Stanley Tucci is just a great actor. Dreamboat.
Oh yeah, it's back when he had hair. He looks very young in it.
Hair schmear. He's still cute.
Oh yeah, he still is.
Anyway, for those who don't know, this depicts something called the Wannsee Conference of January 1942, where high-ranking Nazi officials met to discuss and coordinate the implementation of the Final Solution.
Not that cheery topic for my pick of the week. Now, the script was based on the only surviving transcript of the conference.
And what it really is is an exercise in how you can get genocidal policies through a bunch of people, some of whom are objecting to what's actually being talked about, under the guise of administrative planning.
And yeah, it is an exercise in how to run a meeting and how not to get any opposition. And get everyone else to basically rubber stamp it.
Anyway, for those who don't know, this depicts something called the Wannsee Conference of January 1942, where high-ranking Nazi officials met to discuss and coordinate the implementation of the Final Solution.
Not that cheery topic for my pick of the week. Now, the script was based on the only surviving transcript of the conference.
And what it really is is an exercise in how you can get genocidal policies through a bunch of people, some of whom are objecting to what's actually being talked about, under the guise of administrative planning.
And yeah, it is an exercise in how to run a meeting and how not to get any opposition. And get everyone else to basically rubber stamp it.
Oh, I should watch it again. You see?
It was really good.
Yep.
So I watched Conspiracy. I'd never seen it before. It's very wordy. It's very stagey. So you have to be prepared for all that. But it's a great bunch of actors.
They're all terrific in it. And having watched that, I thought, well, what other movies haven't I seen which involve Nazis? And I've never seen a movie.
You've probably never heard of it, Carole. It came out in 1993. Called Schindler's List. So just I haven't seen E.T. or Jurassic Park, I haven't seen Schindler's List.
Well, now I have seen Schindler's List. And I think everyone in the world apart from me has seen it before. Now I do have a bit of a problem with Schindler's List.
They're all terrific in it. And having watched that, I thought, well, what other movies haven't I seen which involve Nazis? And I've never seen a movie.
You've probably never heard of it, Carole. It came out in 1993. Called Schindler's List. So just I haven't seen E.T. or Jurassic Park, I haven't seen Schindler's List.
Well, now I have seen Schindler's List. And I think everyone in the world apart from me has seen it before. Now I do have a bit of a problem with Schindler's List.
What is it, 20 years on?
Well, 32 years it's taken me to watch it. My problem with Schindler's List is the casting because of Ralph Fiennes and Liam Neeson.
And what I have come to realize is that I cannot tell apart Ralph Fiennes and Liam Neeson.
And what I have come to realize is that I cannot tell apart Ralph Fiennes and Liam Neeson.
For God's sake!
If you show me a Ralph Fiennes movie, I think it's Liam Neeson. If you show me a Liam Neeson movie, I think it's Ralph Fiennes.
And this is the perfect storm where they're acting opposite each other. I find it quite confusing.
But anyway, that's all about— Obviously, it's an extraordinary story about this chap, Oskar Schindler, who saved more than 1,000 refugees.
And this is the perfect storm where they're acting opposite each other. I find it quite confusing.
But anyway, that's all about— Obviously, it's an extraordinary story about this chap, Oskar Schindler, who saved more than 1,000 refugees.
Everybody knows what Schindler's List is about.
Okay, all right. But anyway, it turns out it's a great movie, even though they've got both Ralph Fiennes and Liam Neeson in it.
And that is why Conspiracy and Schindler's List are my picks of the week.
And that is why Conspiracy and Schindler's List are my picks of the week.
Boom, boom.
Carole, what's your pick of the week?
Okay, I have to start with a little story that happened this weekend. So I'm in town, I'm dropping somebody off near the shopping district of Oxford, right? And it's very difficult.
There's a lot of traffic, it's hard to drop people off.
There's a lot of traffic, it's hard to drop people off.
It's a mess in Oxford.
It's a bit of a mess at the moment, it is. Anyway, so I'm at a red light, right? I'm at a red light and I know it's a long red light. So I'm thinking, okay, she can jump off here.
It's perfect, you know, she's close. But after the bus stop, I pull in, put my hazards on to grab her bag, and she opens her door.
It's perfect, you know, she's close. But after the bus stop, I pull in, put my hazards on to grab her bag, and she opens her door.
Right. Wham!
Bike goes right into the door.
What goes into the door?
A bike.
A bike?
A cyclist. Exactly, exactly.
Oh my God.
Exactly. So thank God he's okay. The guy was okay, he's going to be bruised, I'm sure. It was all apologies and everything, and then you're kind of panicking.
His bike was okay, car's okay, he's okay most importantly, and everyone was shocked, right?
His bike was okay, car's okay, he's okay most importantly, and everyone was shocked, right?
Yes.
And I still think about it and I'm, God, I don't even know the guy's name. So if you're listening, I'm so sorry.
I'm sure he's a listener.
She's so sorry. And so later on, I'm telling the Yeti about this, right? And I'm explaining what happened, and he went, "Well, that's why people do the Dutch reach."
Ah, I know about this.
Do you? Well, I didn't. I was, what is the Dutch reach? So Graham, why don't you tell us?
The Dutch reach is a different way to open your car door. So rather than using your hand which is closest to the door to pull the lever, you use the opposite hand.
Doesn't matter what side of the car you're on, so use the opposite hand. And that, by its very nature, turns you around a bit because you're more facing the door.
And so there's greater chance you will see if there is a bike, for instance, coming up alongside.
Doesn't matter what side of the car you're on, so use the opposite hand. And that, by its very nature, turns you around a bit because you're more facing the door.
And so there's greater chance you will see if there is a bike, for instance, coming up alongside.
Exactly. How brilliant is that?
It's terrific.
Yeah, I mean, I have not actually driven since, but I'm going to be, and I'm going to train myself because I know it's going to take training to do.
Oh yeah, it will take a lot of practice to get into it.
I will have to practice. Yeah, because it's like a muscle memory thing. But I think it's worth it. They do it all over Amsterdam. I've just looked at the AA in the UK recommend it.
It seems to be recommended now in many places of the world.
So, you know, it's easy to do and significantly reduces collisions, both minor, things like mine, or major with pedestrians and cyclists and scooters. Scooterers, people who scoot.
I don't know, scooterers.
It seems to be recommended now in many places of the world.
So, you know, it's easy to do and significantly reduces collisions, both minor, things like mine, or major with pedestrians and cyclists and scooters. Scooterers, people who scoot.
I don't know, scooterers.
Scooterous.
Scooterous. Anyway, my pick of the week, the Dutch Reach. Simple, elegant, effective.
I love it.
Thank you very much.
And that just about wraps up the show for this week. You can find Smashing Security on Blue Sky, unlike Twitter, which wouldn't let us have a G.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And huge, huge shout out to our episode sponsors, Drata, Vanta, and Flare. Of course, to our wonderful Patreon community.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 420 episodes, check out smashingsecurity.com.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 420 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye.
Dutch reach. Very good. Very good.
Yeah.
Good one. Probably better than Schindler's List.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Episode links:
- Bruteforcing the phone number of any Google user – Brutecat.
- Leaking the phone number of any Google user – YouTube.
- Researcher Found Flaw to Discover Phone Numbers Linked to Any Google Account – The Hacker News.
- Google fixes flaw that could unmask YouTube users’ email addresses – Bleeping Computer.
- ICE Scammers Are On The Rise: What To Do – Newsweek.
- Student visa holder tricked by fake ICE agent scam, loses thousands – Newsweek.
- Conspiracy – IMDB.
- Schindler’s List – IMDB.
- Dutch Reach car door opening method – The AA.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsored by:
- Drata – The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- Flare – Uncover the latest threats across the dark web and Telegram. Start your free trial today.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
