CAROLE THERIAULT
Who's going to remember how to code and read code from 2017? I can't understand this at all.
Unknown
Smashing Security, Episode 425: Call of Duty, from Pew Pew to Pwned, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 425.
My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
What's coming up on the show this week, Carole?
CAROLE THERIAULT
Well, first, let's thank this week's wonderful sponsors, Drata, Adaptive Security and Vanta. It's their support that helps us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be talking about how Call of Duty has gone from battlefield to bedlam.
CAROLE THERIAULT
Ooh, okay. And I'm talking about bad bails for James Ransomware release. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, and you particularly, Carole, I've got a question for you.
I'm picturing you, you know, after you've done a hard day's work, you've decided you're going to relax, you're going to slouch in your Lazy Boy in front of the TV and do a bit of video gaming.
Isn't that your kind of thing?
CAROLE THERIAULT
No. I'm married to someone who I think would love to relax that way.
GRAHAM CLULEY
But your Yeti who you married, he's not the kind of chap who would play a game like Call of Duty: World War II, is he?
CAROLE THERIAULT
No, but he does play something. I don't know what it's called, but he's really, really up there.
CAROLE THERIAULT
I know, high up on the score sheet. He mentioned it to someone else who knew about the game and they were like, oh my God.
GRAHAM CLULEY
Candy Crush or something like that?
CAROLE THERIAULT
Basically all that says is he spends a lot of time.
GRAHAM CLULEY
Well, I suspect he wouldn't have been playing Call of Duty: World War II very much in recent days, because a lot of people have been having trouble logging into it.
GRAHAM CLULEY
Now, if you're not familiar with it, Call of Duty: World War II, it came out in 2017. Decades ago in gaming years. We thought we knew what war would be like.
But nothing prepared us for this. Came out on the PlayStation 4, Windows, Xbox One. It was a big hit. It earned over $500 million in its first 3 days of release.
I mean, if you— and that's 2017. I mean, that just tells you how big the world of video games is compared to, well, anything else really. It's just absolutely huge, isn't it?
It became the highest-grossing console game of that year in North America, tens of millions of players.
CAROLE THERIAULT
What do you do on it?
GRAHAM CLULEY
Oh, Call of Duty: World War II. Call of Duty is one of these sort of first-person shooting games.
So you've got a rifle in your hand and you're going through, I imagine, occupied France or something like that.
CAROLE THERIAULT
Pew pew pew pew, murder murder.
GRAHAM CLULEY
Yes, yes, that kind of thing. Look, neither of us play these sort of games. I would get travel sick playing a game like this.
I would get so nauseous, the motion sickness would be unbearable. I can't handle 3D games. I need a simple 2D game. That's about the best I can do.
But, you know, people love these sort of things and it makes huge money and people are just absorbed by them. And some people, sadly, they like it just a little bit too much.
And in late December 2017, so shortly after the game came out, there was an online dispute between two players of the game and things, as they inevitably do, can escalate.
CAROLE THERIAULT
What? Someone used an exclamation point or something? Or bold font?
GRAHAM CLULEY
I think it was a bit worse than that.
GRAHAM CLULEY
These two guys fell out. There was a guy called Casey Viner. He threatened to have another player called Shane Gaskill swatted. Now you're familiar with swatting, I expect.
CAROLE THERIAULT
What, get kicked off the game?
GRAHAM CLULEY
No, no, worse than that. This is where someone makes a hoax call to police.
CAROLE THERIAULT
Oh, yeah, yeah, yeah.
GRAHAM CLULEY
They pretend to be you and they say, oh, I've just killed a member of my family, or I've got a bomb, or I'm holding someone hostage.
And of course, the police send round a tactical weapons team.
CAROLE THERIAULT
A SWAT team.
GRAHAM CLULEY
Yeah, a SWAT team.
GRAHAM CLULEY
And it can end very, very badly.
And in this particular case, in December 2017, it ended very badly because these two Call of Duty World War II players, one of them was threatened online with being swatted.
That guy, he gave a false address to the guy threatening him. Alright, send the SWAT team if you want. Here's my address. And he gave somebody else's address.
And so when a 911 call was made to police pretending to be from that address, the caller said, "I shot him in the head and he's not breathing anymore." "I'm holding family members at gunpoint." "Sorry, poured gasoline all over the house.
I might just set it on fire." But police swarmed Andrew Finch's home, an innocent man with no connection to the game.
"Walk this way!" He was shot and killed by police who thought he was reaching for a gun. Absolutely horrendous.
Completely, entirely uninvolved person ended up dead as a result of this.
CAROLE THERIAULT
I don't know if I would blame the guy who gave the false address, though. I kind of think I blame the guy who called 911.
GRAHAM CLULEY
Yes. So he ended up with a 20-year sentence.
GRAHAM CLULEY
It turned out he wasn't actually the game player.
The actual one who initiated the attack, he used— it was actually a homeless guy who was offering to ring 911 or use a voice-over-IP system from a library to have people swatted.
So, the guy who made the call, he ended up with 20 years.
I think the guy who spoke to the person who made the call, who initiated the call, if you want, they ended up with a couple of years in prison as a result.
But obviously, one person lost their life. Absolutely horrendous. Now, nothing I'm gonna talk about today is quite as horrific as that. But it does involve—
CAROLE THERIAULT
So it's a bit boring, but you thought you'd add some colour and some murder.
GRAHAM CLULEY
I'm just telling you how obsessed people are with this game.
GRAHAM CLULEY
But my story today does involve this intense rivalry that players of that game and other video games can feel towards each other, sometimes beyond rationality, definitely breaking well beyond what's considered lawful behavior.
So why am I talking about this game from 2017? Why is it back in the news again now?
And the reason is that in recent days, it has become available to a wider audience because Microsoft have released it on the Xbox Game Pass.
CAROLE THERIAULT
Okay. I don't even know what that is.
GRAHAM CLULEY
If you're not a gamer, your husband might know about this. I don't know. But my son certainly knows about this.
It's a subscription service which lets you play games on your Xbox console or on your PC for a set monthly fee.
CAROLE THERIAULT
Right. So gaming as a service, basically.
GRAHAM CLULEY
It's a bit like Netflix, something like that. Amazon Prime, Disney Plus. You're paying a monthly fee, but rather than being for movies, it's for video games.
GRAHAM CLULEY
But there's a problem.
GRAHAM CLULEY
Because a serious security vulnerability has been found in Call of Duty: World War II on PC.
CAROLE THERIAULT
From 2017?
GRAHAM CLULEY
Yeah, this game from 2017, which has now been rolled out across millions and millions of people, made available and been promoted as, 'Look at this, you can now get this classic version of Call of Duty: World War II.' It is a remote code execution vulnerability, an RCE, that allows attackers to run any code they like on another player's computer via the game itself.
CAROLE THERIAULT
Oh my God.
GRAHAM CLULEY
Yeah. So reports have flooded in that hackers are taking control of other players' PCs during online matches.
And unlike typical game hacks or cheats that affect only in-game behaviour, and that is a problem.
You know, people have invincibility shields, or they can see through walls, or they have an aimbot, which allows them to shoot perfectly all the time.
Those sort of tricks, which there are plenty of people doing, and the gaming industry tries to prevent from happening.
This, however, this remote code execution hack, can effectively hijack your PC as if the hacker was sat in front of your PC, sat at your keyboard.
CAROLE THERIAULT
I've never heard of this. This is pretty amazing.
GRAHAM CLULEY
So we've heard of this kind of hacking technique, this sort of remote code execution before. Sure. But this is happening via the video game, which millions of people have got.
CAROLE THERIAULT
Thanks to Microsoft, right? They have it. Is that the issue?
GRAHAM CLULEY
Well, yeah, because they've made it available via the Xbox Game Pass. So people have basically had it available for free.
It's a bit like if you put a movie up on Netflix and then suddenly everyone can go and watch 50 Shades of Grey or something equally traumatic like that.
CAROLE THERIAULT
Yeah, they would be running to watch that.
GRAHAM CLULEY
So a hacker could display prank messages on your screen. They could install malware. They could steal data.
This kind of vulnerability is one of the nastiest types of flaw that a piece of software can have.
CAROLE THERIAULT
They can do anything they want because they can write any code they want to that machine. Am I right in saying that?
GRAHAM CLULEY
Yes, exactly. They can do whatever they like.
CAROLE THERIAULT
So it could be as innocuous or outrageous or horrific as per their whim.
GRAHAM CLULEY
Right. And there's a number of things which are being done already with this.
So in some cases, the attackers are simply opening a Windows command prompt and a Notepad window will pop up.
The typical thing which you do with vulnerabilities is you get the calculator or Notepad to pop up. So you can do that and you can display a taunting message.
So some people have had this message pop up which references a law firm which Activision who were the original makers of Call of Duty, they've used in the past against cheats at video games.
Sometimes they're freezing the game, or they're crashing the game. Sometimes they are shutting down the computer entirely.
They are changing the wallpaper, sometimes to be images of lawyers. Sometimes they've been using images which they've taken from Pornhub.
CAROLE THERIAULT
But this is only because most of them are under 12, it seems, because they're doing tiny little— You know, kind of muscle flexes.
GRAHAM CLULEY
You shouldn't probably be playing Call of Duty at 12, but I'm sure plenty of 12-year-olds are.
But you could just as easily use this method to install a virus or ransomware or a remote access Trojan.
CAROLE THERIAULT
The thing is, I wonder in the UK at least, this would be breaking the law because you're unauthorized.
Yeah, it's by taking advantage of this vulnerability, it's an unauthorized modification to someone else's computer.
GRAHAM CLULEY
So it's against the law in many countries around the world, this kind of thing. But of course, you're thinking, well, what are the chances I'm going to get caught?
And if you're a teenager, you may well think, well, I'm invulnerable anyway. No, what do I care? This isn't— I'm king of the world.
Yeah, I mean, this in a way links in with what Joe Tidy was talking about with his book a couple of weeks ago, Ctrl+Alt+Chaos, where he was talking about this underbelly in the world of computing, where there's lots of young teenage males typically who are doing things for bravado and think that they're never going to get caught, but are causing problems.
And you have to remember, this particular attack is all happening under the safe, beautifully polished umbrella of Microsoft's game store, of the Xbox Game Pass.
You know, this isn't a piece of cracked software that's been downloaded onto people's computers via a torrent or a pirate website.
This is something where you think, oh, I'm in a safe place here, but it clearly isn't safe.
CAROLE THERIAULT
What have they said? What have they said?
GRAHAM CLULEY
Well, what they've done is this. They have, for now, taken down Call of Duty: World War II. They've removed it from the store.
GRAHAM CLULEY
Right. Yeah. They've also shut down the servers. They say that they are handling what they call a technical issue, which they are investigating.
They say they've done this as a precaution, but it's not necessarily going to be easy for them to fix this.
And in the meantime, the game's entire online functionality is offline for PC players. So you've got to go to your games consoles instead.
CAROLE THERIAULT
Who's going to remember how to code, and read code from 2017? I can't understand this at all.
GRAHAM CLULEY
That is it, right? But it's worse than that.
CAROLE THERIAULT
AI will figure it out for them. Come on, come, come.
GRAHAM CLULEY
Because the Call of Duty World War II code, you're right, dates back to 2017, but a lot of it apparently, according to some reports, relies heavily on multiplayer infrastructure and technology dating back to Call of Duty 2, which was written in 2005.
So you could be looking at some very old code. And the root of this problem with Call of Duty appears to lie in the game's networking architecture.
So, when the game was initially released, it would typically use a central server. This is often the way in which games companies do this.
They set up a gaming server where they can police it and they can control it.
But after a while, it's only a few years, it's like, well, why should we keep up the expense of this gaming server?
And so they sort of switch over these games to a peer-to-peer model where a computer will be connecting to other computers directly in order to do the online gaming.
That way they don't have to spend any of the money.
So all players are effectively connecting directly to the sort of host computer, which is hosting the gaming session when you're playing multiplayer.
And that's different from the modern dedicated server model where the gaming company can handle all of the data, potentially police what's going on there.
CAROLE THERIAULT
Yeah, you've got a mishmash of technologies there spanning decades.
GRAHAM CLULEY
So at the time of writing, Call of Duty: World War II, and by the way, there are question marks as to whether other versions of Call of Duty might be vulnerable to very similar problems.
So beware. But on PC, the multiplayer remains disabled. The game is unavailable for purchase on PC platforms, pending a patch.
My advice, while you're waiting for a fix, for which there's no timeline at the moment, is if you love Call of Duty: World War II, maybe you should go to a regular gaming console like your Xbox or your PlayStation or whatever else it may be available instead, because those tend to be much safer, much more locked down in terms of security.
CAROLE THERIAULT
What? Than Microsoft's Game Pass.
GRAHAM CLULEY
Yes, on a Windows computer. Windows general purpose computers. Oh my goodness. So many opportunities for shenanigans compared to a games console.
CAROLE THERIAULT
That's true.
GRAHAM CLULEY
Carole, what's your story for us this week?
CAROLE THERIAULT
Okay, my story. So have you ever been arrested? I don't know if that's too personal to ask on air.
GRAHAM CLULEY
Not arrested.
GRAHAM CLULEY
Well, I've had interactions with the police.
CAROLE THERIAULT
Like, oh, hello, Bobby.
GRAHAM CLULEY
Well, they've asked me to move along or, you know, sort of said, will you stop doing that? Or, oh, wow. You know, those sort of things.
I haven't done anything very naughty, but you know.
CAROLE THERIAULT
Have you ever had to bail anyone out of jail?
GRAHAM CLULEY
I've never, have I ever bailed you out of jail? I'm just trying to remember, sorry. Oh. On those occasions when you've been imprisoned. Unbelievable. Was it me who paid up the bail?
I can't remember. Definitely not. I seem to remember you had an interaction with some Canadian police.
CAROLE THERIAULT
I don't remember. But let me tell you, when someone is arrested, the legal process, I imagine, must be, you know, rather overwhelming, right?
Like for everyone involved, not just for the arrestee, but their family, their friends, all that.
GRAHAM CLULEY
I was once interviewed about a murder.
CAROLE THERIAULT
Oh, yes, yes.
GRAHAM CLULEY
They came and questioned me about that.
CAROLE THERIAULT
That's interesting.
GRAHAM CLULEY
That was a bit scary. I certainly wasn't— can I stress, I was not arrested. I was not arrested.
CAROLE THERIAULT
No, you said to people, "I was in jail." So I don't know. I've never been arrested, so can I just say.
GRAHAM CLULEY
Okay, okay.
CAROLE THERIAULT
Now listen, now in the US, a common solution to get out of jail before a trial is through the use of a bail bond. And this is not something we really have here in the UK.
Here, you might be granted bail at the time of being charged or from a court, but it's not something you typically guarantee with a financial payment.
Here it's about curfews and electronic monitoring, presenting yourself at a police station, all this kind of stuff.
But back in the States, you get this bail that you would pay, and the amount is set by a judge.
And it's based on a bunch of things like the severity of the alleged crime, the defendant's criminal history, perceived flight risk, and so on.
And of course, this will vary from judge to judge, state to state.
GRAHAM CLULEY
And I imagine— I don't really know about this— I imagine if you then absconded, then obviously you don't get that money back.
CAROLE THERIAULT
Right, right.
GRAHAM CLULEY
That's your incentive.
CAROLE THERIAULT
It basically serves as a guarantee that the defendant will return to court for the trial.
And if the defendant attends all required court appearances, the bail amount is refunded, regardless if they're guilty or innocent.
CAROLE THERIAULT
But if they fail to appear, they forfeit the bail amount and an arrest warrant may be issued.
CAROLE THERIAULT
So let's pause for a second so you can try and guess the bond amounts for famous arrests.
CAROLE THERIAULT
O.J. Simpson for the alleged murder of his wife Nicole. Is that her name? Nicole Simpson?
GRAHAM CLULEY
$5 million.
CAROLE THERIAULT
$500,000.
CAROLE THERIAULT
Bernie Madoff, the poster child for the Ponzi scheme.
GRAHAM CLULEY
Okay. $1 million.
CAROLE THERIAULT
$10 million.
CAROLE THERIAULT
Okay. And finally, Michael Jackson for, you know, child molestation in 2005.
CAROLE THERIAULT
Obviously a huge case.
GRAHAM CLULEY
A huge case.
CAROLE THERIAULT
Well, because everyone knew about it.
GRAHAM CLULEY
$20 million.
CAROLE THERIAULT
Ah, $3 million. You did really well there.
GRAHAM CLULEY
That doesn't mean anything to Michael Jackson. He's got more than that in his back pocket.
CAROLE THERIAULT
I don't know. It was managed through an affordable bail bond service. Because it turns out that the late Michael Jackson, a lot of people cannot afford to pay the full bail amount.
CAROLE THERIAULT
Even obviously much more modest ones than his.
CAROLE THERIAULT
And this is where bail bond agencies come in. These bond agencies guarantee the full bail amount to the court if the defendant fails to appear.
In exchange for a service fee that's paid upfront. So typically 10 to 15% of the total amount.
GRAHAM CLULEY
Okay, you're going to have to explain this in very simple terms. How does this work for them?
CAROLE THERIAULT
Okay, so I'm the bonds guy. You can't afford the bond. Let's say, I don't know, your brother is in jail, right? And you're in the States and you want to get him out.
And it's going to be $10,000. You don't have $10,000. You call me.
GRAHAM CLULEY
No, not to spend on my brother. No, certainly not.
CAROLE THERIAULT
You call me, the bonds guy. Right. You're like, we need help. We need help. And I don't know, I guess I interview to find out if you have a job, you can pay me back. You understand?
CAROLE THERIAULT
You then give me a tenth of that, so a grand, or, you know, $1,500.
CAROLE THERIAULT
And then I will post the bond, and I guarantee the bond with the authorities.
GRAHAM CLULEY
Oh, I pay you back when he turns up at court later on, because I'll get the money back, won't I?
CAROLE THERIAULT
Right. You'll get the money back at the end if he does all his court dates.
GRAHAM CLULEY
Hmm. Wasn't there a guy called Dog the Bounty Hunter?
CAROLE THERIAULT
I have no idea.
GRAHAM CLULEY
I think there's a reality TV show about a guy in Hawaii who goes out capturing people who've sort of run away. That's how he makes his money.
CAROLE THERIAULT
Well, I'm going to introduce you to a real one. Okay. A Floridian bail bondsman. In this case, Chris Belton.
GRAHAM CLULEY
Dog the Bounty Hunter exists. Bounty Hunter. He definitely exists.
CAROLE THERIAULT
Chris Belton of Belton Bail Bonds.
GRAHAM CLULEY
Oh, yes. Chris. Yes.
CAROLE THERIAULT
He has a very old school kind of site, not being HTTPS.
But the homepage says, Belton Bail Bonds, a family-owned business, has served residents from Lake County communities for over 43 years.
GRAHAM CLULEY
Oh, lovely.
CAROLE THERIAULT
The next line is, the agency is located next to Lake County Jail in downtown Tavares, Florida.
GRAHAM CLULEY
Very sensible.
CAROLE THERIAULT
That's where you want to be.
CAROLE THERIAULT
And they're available 24 hours a day, 7 days a week. Call us anytime. Here's the phone number.
GRAHAM CLULEY
Right. Okay.
CAROLE THERIAULT
And they have a testimonials page, which I will put in the show notes because it is just a fascinating experience to read.
GRAHAM CLULEY
Is it— is Michael Jackson one of those people who gave them a— No, no, no.
CAROLE THERIAULT
But the problem, the reason I'm talking about this guy, is this: back in late June, Chris noticed something wasn't right.
Someone was pretending to be him and had been contacting the families of the recently jailed or arrested, asking them to send money to secure the bonds for their arrests.
And the Lake County Sheriff's Office reported that they'd received over 30 reports where alleged scammers were using this guy Chris Belton's name.
Apparently, a few paid up some $400 to $500, and the highest was $6,500. Now, this is not a one-off, right?
Just last week, a Tennessee county sheriff's office warned residents of the scam happening in their neck of the woods.
And one who remained nameless paid more than $5,000 trying to help a relative get released.
And apparently, calls came from someone claiming to be a lieutenant with the sheriff's department.
And they said the bail had been lowered and to take the money to a kiosk to secure the release of the guy.
And it didn't stop there because the guy made the payment, and then they got greedy. They said, "Look, we need a car impound fee. There's extra on that.
And oh, the ankle bracelet monitoring, that costs a bit of a whack." And it was a bank teller that noticed what was happening after a series of these bogus payments and told the guy, "You're being scammed." This is why you go to the bail guy who's next door to the police station, right?
GRAHAM CLULEY
Right? Don't trust a search engine. Don't trust someone who contacts you via WhatsApp. Just go next door to Chris's place. He's been there 43 years. He can be trusted.
CAROLE THERIAULT
Apparently, another scam genre in the bail and jail category involves scammers calling you to say there was an error with your loved one's bail bond.
They may claim that the bond was underpaid or demand immediate payment to prevent the defendant from being sent back to jail.
Apparently, what makes these scams so believable is that there's so much information that is available in a public forum.
GRAHAM CLULEY
This is what I was wondering.
CAROLE THERIAULT
So in most states, a private citizen can access certain criminal records to find out whether someone has been arrested for or convicted of a crime.
And criminal records are not just limited to conviction records. They can also include arrest and booking records, criminal complaints and charges, and sentencing records.
GRAHAM CLULEY
I know in the past there've been issues because there've been websites which have been set up which trawl these public announcements and then publish mugshots of people who've been arrested, even if they haven't been found guilty.
And in order to get yourself removed from those websites, they charge an extortionate fee.
In some ways you can think, well, good that this information is public, but in other ways you think, well, this can be exploited by other criminals.
I mean, other people who definitely are criminals.
CAROLE THERIAULT
Yeah, you kind of wish that if someone was arrested, they would say this is where all the information will be posted.
You know, so everyone knows what information is publicly available at what time.
So they might not be duped into someone because, you know, armed with that information, a scammer could be very convincing.
GRAHAM CLULEY
I'm thinking it is helpful in some ways that police would publish this information because if you had someone, you know, like your Uncle Jerry or something, Uncle Jerry's always getting into scrapes.
Uncle Jerry's always late, doesn't necessarily come back until the following day at about 3 o'clock in the afternoon is normally when he sort of drags his sorry ass back to your house.
And you think, 'You know what, I'm just going to check the website to see if he got arrested last night, you know, and then at least I'll know where to pick him up from.' So it is handy to have that kind of information, but of course, if it's open to absolutely everyone, then it's open to fraudsters as well.
CAROLE THERIAULT
So things to look out for if ever you find yourself in this type of situation, which I hope you don't. One of the big things is ignoring the cold calls, right?
So bail agents are hungry like everybody else, not all, but some. And they might be trolling these sites and calling you directly. Some might be very above board, some may not be.
So the advice is to ignore cold calls that come to you directly about loved ones that might be incarcerated or jailed. Watch out for fake websites. This is a hard one.
GRAHAM CLULEY
Because Chris Belton's website isn't HTTPS, for instance, which instantly makes you a bit suspicious. But maybe a fraudster would have a more professional looking website.
CAROLE THERIAULT
Yeah, maybe. Don't make payments via crypto or QR codes or Apple Wallet or whatever. That is not how it's done. This is not how a bail bondsman will do it or should do it.
And it's not how the cops will do it.
GRAHAM CLULEY
Right. They're not going to accept a Starbucks gift card.
CAROLE THERIAULT
Right. Exactly. Check, obviously, with the bail agent's license and make sure everything's above board. And don't sign any agreements without closely reading it, as I always say.
But don't accept services without an agreement. So, you know, you're kind of locked in there. And better yet, just maybe stay out of jail if at all possible.
From what I hear, it's not actually that fun.
GRAHAM CLULEY
Great advice. Yeah, well, sometimes it's the simple advice which works the best.
CAROLE THERIAULT
The common sense things.
GRAHAM CLULEY
Yeah. This episode of Smashing Security is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI. Yes. That OpenAI.
CAROLE THERIAULT
In a world where deepfake voices, vishing, and AI-generated phishing emails are hitting inboxes and Zoom calls, Adaptive Security is leading the charge to stop AI-powered social engineering attacks.
Their AI-native platform simulates cutting-edge deepfake threats, trains your team with expert-vetted modules, and even triages real-time phishing reports.
GRAHAM CLULEY
And now Adaptive's new AI content creator helps security teams instantly generate custom training by just pasting in a news article or compliance doc, whether it's a breaking threat or an internal policy update, Adaptive can spin it into interactive multilingual training in seconds.
CAROLE THERIAULT
Trusted by top security leaders, Adaptive is building the future of cyber defense. To learn more, head to adaptivesecurity.com. That's adaptivesecurity.com.
GRAHAM CLULEY
Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses, and of course, Vanta can help you with that.
CAROLE THERIAULT
Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
GRAHAM CLULEY
You see, Vanta allows your company to centralise security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk.
To help your team not only get compliant, but stay compliant.
CAROLE THERIAULT
So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff.
Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A, dot com, slash, smashing. And thanks to Vanta, Sophos for sponsoring Smashing Security.
If you are leading risk and compliance at your company, you are likely wearing 10 hats at once, managing security risks, compliance demands, and budget constraints, all while trying not to be seen as the roadblock that slows the business down.
GRAHAM CLULEY
But GRC isn't just about checking boxes. It's a revenue driver that builds trust, accelerates deals, and strengthens security.
That's why modern GRC leaders turn to Drata, a trust management platform that automates tedious tasks so you can focus on reducing risk, proving compliance, and scaling your program.
CAROLE THERIAULT
With Drata, you can automate security questionnaires, evidence collection, and compliance tracking. You can stay audit-ready with real-time monitoring.
And you can simplify security reviews with Drata's Trust Center and AI-powered questionnaire assistance.
GRAHAM CLULEY
Instead of spending hours proving trust, build it faster with Drata. Ready to modernize your GRC program? Visit drata.com/smashing to learn more. That's drata.com/smashing.
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.
It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Now, as you know, I have purchased in recent months an e-reader, an ebook reader called the Kobo. And I've been reading lots of books.
CAROLE THERIAULT
Oh yeah.
GRAHAM CLULEY
And my pick of the week this week is another book which I've been reading. It's a book by Ian Leslie, and the book is called John and Paul: A Love Story in Songs.
CAROLE THERIAULT
Oh, sounds like it's about a kind of bug.
GRAHAM CLULEY
It is kind of bug, the Beatle kind of bug, as regular listeners will know. I'm a bit of a fan of the Fab Four.
This is a beautiful book about the partnership and relationship between John Lennon and Paul McCartney.
Told through the lens of their music, it's an analytical and moving— it's a bit emotional, this, Carole.
Look at their friendship, their rivalry, their falling out, their genius, their misunderstandings.
CAROLE THERIAULT
This sounds like a cut and paste.
GRAHAM CLULEY
It isn't. These are all my own words.
GRAHAM CLULEY
But yes, but it is.
It's all of these things because quite often, like any other two guys who'd been brought up in Liverpool, they were really bad at talking to each other, but sometimes they communicated through song with each other, both when they weren't talking to each other and when they were.
And it's wonderful. And it paints some well-known songs in a new light. And I've been really enjoying reading it.
And maybe there are some other old fuddy-duddies out there who like songs that you can whistle along to as well, in which case you may also be interested in this book.
I've really enjoyed it. John and Paul: A Love Story in Songs by Ian Leslie is my pick of the week. There you go. Carole, what's your pick of the week?
CAROLE THERIAULT
Do you like Bill Nighy?
GRAHAM CLULEY
Oh, Bill Nighy, the actor?
Yeah, he's alright. Yeah, he's kind of got a shtick, hasn't he?
CAROLE THERIAULT
I think he's rather handsome. I think he's rather dashing. I like him.
GRAHAM CLULEY
He's rather distinguished. I think he'd look good in a cravat.
And a jacket. There's a movie he's in which always makes me cry.
CAROLE THERIAULT
Okay. The Pirates of the Caribbean. He was the bad guy in that.
GRAHAM CLULEY
No, no, no, no, no. It's called About Time. It's, oh, for God's sake. It's horrendous. So sad.
CAROLE THERIAULT
But he's done it all, right? Theatre, radio. He was even shortlisted to be a Doctor Who at some point.
GRAHAM CLULEY
That's nonsense.
CAROLE THERIAULT
I read that.
GRAHAM CLULEY
He was in a Doctor Who. I've heard the rumours as well. There were rumours he was going to be Doctor Who, but I don't think that was ever serious.
But he was in the Doctor Who episode with Vincent van Gogh. And he was very good in it.
CAROLE THERIAULT
Well, there you go. Well, he plays the lead role in the BBC's dramatization or audio drama of my pick of the week, The Charles Paris Mysteries.
Now, I have never read the books, which I hear there's about 20 of them, but I have devoured the audio dramas by the BBC a lot because of Bill Nighy. I kind of like him.
And his character, this Charles Paris, is kind of an eternally hopeful, semi-drunk, and perpetually failing actor who somehow manages to find himself surrounded by corpses and micro disasters every single season or every series.
GRAHAM CLULEY
Oh, sounds fun.
CAROLE THERIAULT
Yeah. And then he dons the detective hat and tries to find out who might be behind the latest murder.
But it's quite quick-witted. It's got a little bit of sarcasm. It's got a bit of scathing humor, a bit of slapstick. And they all kind of sit together rather cozily.
It's almost like this kind of nice hug. I don't know. There's also Suzanne Burden as his semi-detached wife, and John Glover, his worse-than-useless agent.
GRAHAM CLULEY
What do you mean a semi-detached wife?
CAROLE THERIAULT
Well, she's kind of married to him, but they live separately, but they kind of will go out together occasionally and hang out. They like each other, but they drive each other mad.
So I don't know. A modern arrangement, Graham. A modern arrangement.
GRAHAM CLULEY
Okay. Does she have a terraced husband, perhaps?
CAROLE THERIAULT
I'll just say it's very enjoyable. And there are loads available on BBC iPlayer.
I'm sure if you look about, you might find some on the YouTubes or in podcast land, or, you know, bug your libraries to get the audio dramas in. It's worth it.
So that's my pick of the week.
GRAHAM CLULEY
What's its name again, Carole?
CAROLE THERIAULT
BBC audio drama called The Charles Paris Mysteries.
GRAHAM CLULEY
The Charles Paris Mysteries.
CAROLE THERIAULT
There's about 8 to 10 seasons. Oh my goodness. And each season has 4 episodes. So knock yourself out.
GRAHAM CLULEY
Fantastic. I think next time I have a long car journey, maybe we'll give that a try.
CAROLE THERIAULT
You won't be sorry.
GRAHAM CLULEY
Well, that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT
And huge, huge thank you to our episode sponsors, Drata, Adaptive Security, and Vanta. And of course, to our wonderful Patreon community.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 424 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye. Bye.