Inside the Smishing Triad
TL;DR: Researcher Ford Merrill spent two years investigating the Smishing Triad, a Chinese cybercrime operation behind Lighthouse, a phishing-as-a-service platform linked to 115M stolen US card numbers and ~$1B in fraud losses.
A deep dive into Lighthouse, a phishing-as-a-service platform linked to millions of scam texts worldwide, and the sprawling “smishing triad” ecosystem built around it. With security researcher Ford Merrill, we unpack how modern scam operations work at industrial scale — from fake e-commerce sites and mass SMS campaigns to the wallet-provisioning techniques that let criminals turn stolen credit cards into tap-to-pay phones.
Transcript
Machine-generated transcript; may contain errors.
Speaker 1: All it takes is once, and that's what these actors are counting on. It's a numbers game.
Speaker 2: For the last two years or so, Ford Merrill has been investigating a sprawling criminal enterprise. It is so sprawling, Scott, as to be kind of hard to find a way into explaining. So to start, I wanna talk about tap to pay on mobile phones.
Speaker 3: Okay.
Speaker 2: I'm assuming you use tap to pay on your phone, Scott.
Speaker 3: I do. NFC is great. I love having your credit card linked to a phone. I forget my wallet all the time because I am old and forgetful.
Speaker 2: Me too, but I always have my phone because I'm addicted to it. It's very useful. Tap to Pay is interesting. When you tap your phone on a payment terminal, the device isn't sending your real credit card information. Instead, it's basically like proving to your bank that this specific phone is authorized to act as your card. The phone and the terminal do a little handshake over NFC, and then your phone sends two pieces of information. First is a token. Token looks just like a normal credit card number, 16 digits. It's not your real number. It's a device account number created when you first add your card to Apple Pay or Google Wallet. It only works on that device. The merchant never sees the real number. They just see that token. And if someone steals just the token, it's useless on any other phone. The token is bound to the device and validated using keys stored inside of the phone's secure hardware.
Speaker 3: This was the whole pitch when they brought this stuff out was your your credit card number will be protected in these NFC transactions. It'll be more secure even online payments using something like Apple Pay or Google Pay. It will it will be more secure because we are not using your credit card number. If there's a compromise to their payment database, it won't affect you.
Speaker 2: Exactly. Because the second thing your phone sends is this little piece of cryptographic data. That's created inside of your phone's secure hardware, and that little cryptogram is like it's it's unique to the actual transaction. It's time limited, and it's mathematically tied to the device's secret keys. Those secret keys are issued to the device during this process we're gonna be talking about a lot this episode called wallet provisioning. That's when you add the card to your phone, and they're stored in hardware that the operating system can't even really access. So the phone sends the info to the terminal when you when you tap it to pay, and that sends these two little bits of information through the normal payment rails, The processor, the card network, and finally, it all gets to your bank. The bank checks whether the token belongs to the cardholder and whether the cryptographic code matches what the device should have produced based on those secret keys. If all of this lines up, the bank says cool, and it approves the transaction. This all happens super fast. And during this process, no credit card number, as you mentioned Scott, is ever exposed, and that one time code can't be reused. That's tap to pay.
Speaker 4: Tap to pay.
Speaker 2: Now, as I understand it, and as you said, in basically every way that matters, this is a lot more secure than a traditional credit card. Even if someone skims all the info from that transaction, they can't really do anything with it. They don't have the phone, The code was time sensitive. Therefore, it's all more secure. That's not really the case with a normal credit card number. They need all these extra layers of fraud detection and prevention in case you were to lose it. If the number gets used on, like, a different continent 30 after you last used it where you live, a bunch of alarms go off.
Speaker 3: The insecurity of the classic credit card is so bad that they use probabilistic modeling and behavior modeling to try and make them moderately secure. But there's nothing going on there that's actually making them secure. They added three extra digits, what, twenty years ago to the back of the card?
Speaker 2: That really locked it down.
Speaker 3: Yeah. But but you can't use the card without those three digits. So every payment database has those three digits in it as well. So it's it's not really a thing.
Speaker 2: Fraud systems with Tap to Pay still watch for weird device and spending patterns, but the cryptography of all that does way more of the heavy lifting than it does for, like, magstripe or just, like, the plain card number payment. Tap to Pay can afford to be a little more loose. So we get to our subject this episode, and maybe as an exercise, we're gonna imagine exactly what you would have to do to compromise mobile wallet tap to pay at any kind of scale. First, you would need a system for stealing the credit card info, like the the original number in the first place. There's a whole world of solutions for how to steal credit card numbers. Traditionally, like a very common one has been smishing, like spam text messages that trick people into going to a fake site, filling in their credit card info. If you really wanna get nasty with it, you could spoof an ecommerce site that people might willingly go to on their own, and then, I don't know, maybe promote your fake version of a real e commerce site on, just to pick a random example, Facebook.
Speaker 3: Mhmm. Mhmm.
Speaker 2: You can listen to our episode about what percentage of Facebook's revenue is Right. The kind of scam ads I'm describing right now.
Speaker 3: Not to mention some physical tactics like skimmers. Yep. They have massive issues with skimmers at, like, gas stations and ATMs that are in public. You know, the classic old school way of stealing credit card information.
Speaker 2: The mobile tap to pay prevents against with all that cryptography. Correct. Then this is where you'd have to get really innovative. Because as we mentioned, traditional credit cards have a robust security layer for fraud detection, but Tap to Pay is less so. But getting someone's credit card number that you've stolen added to your mobile wallet on a phone you're controlling without their consent would require a custom built automated software that works in concert with the spoofed e commerce site to, when they give the real credit card info, auto add that credit card to a phone wallet you control. You might, for example, do this by displaying the credit card number on a fake credit card on one screen, and then having a phone with its camera open over here scan that fake credit card to upload the information basically instantaneously. At which point, two factor authentication is gonna occur. The fake e commerce site that they're staring at that they think they've uploaded their real credit card information to might tell them a lie. Like your bank requires a code to approve this transaction. They get the two factor authentication code to add their credit card to a new wallet. Maybe it auto fills on the fake e commerce site and boom, they have then unknowingly verified someone else's phone to be able to spend money on their credit card.
Speaker 3: It's quite ingenious. It's elaborate. Yes. Elaborate. The idea of setting up all of this physical infrastructure, having a virtual card simulator, because chances are like, I know when I add cards to my phone, it wants the card to match the style of card it is. So I wonder if they don't have fraud preventions in there to be like, well, this doesn't actually look right. You know? The numbers and stuff check out, but the card doesn't match the aesthetic that we would expect. You know? There's probably catches like that in there that they've had to deal with. So when they read your card in, they're gonna have to look up and find out what kind of card it is and immediately render something out, then a phone scans in and adds to a wallet. It's clever.
Speaker 2: It's very clever. This wallet provisioning process is an innovation that kind of like traditional smishing and credit card fraud never really had cracked.
Speaker 1: Mhmm.
Speaker 2: And I'm letting this all sound as complicated as it is to give a sense of the scale of the enterprise that our subject this episode, Ford Merrill, has been researching.
Speaker 1: And I have to kinda give them a bit of a compliment. They have been so innovative and so creative over the years and months that we've been tracking them that they've continued to adapt and and pivot.
Speaker 2: It's called the Smishing Triad. And a main player within that, a phishing as a service developer called Lighthouse. To me, Lighthouse looks a lot like a vertically integrated business, specifically like enterprise grade software. Because that whole software stack that I described from thousands of fake ecommerce site templates through to this never been done before wallet provisioning process. All of it. That stack? They license it out to people. Wallet provisioning is one of a handful of features inside of Lighthouse that have never really been done at scale in these kits. Lighthouse is innovating in weird new ways that as we discussed this episode are just getting weirder. This is the second recent story in which a giant Google lawsuit plays a role. They issued a lawsuit against 25 unnamed John Does. They highlighted more than 1,000,000 victims across 120 countries, between twelve and one hundred and fifteen million US payment cards compromised, 200,000 fraudulent websites linked to activity of Lighthouse, with about 25,000 phishing domains, and an estimated 1,000,000,000 US dollars in fraud losses tied to Lighthouse enterprises. In Google's own words, the lawsuit described Lighthouse as a phishing for dummies kit powering a, quote, relentless smishing operation.
Speaker 3: The population of The USA is, you know, roughly 340, 345,000,000. So when you start talking about upwards of 115,000,000 credit card details. It's insane. Yeah. You're talking about a third of the country. And if you assume a third of the country is children that don't have credit cards, you're actually talking about like half of the country. That's that's that's wild.
Speaker 2: Yeah. It's enterprise grade software is what it is, and we talk about this in the interview.
Speaker 3: I love I love you know, we've we've talked about this a few times in multiple episodes, just how cybercrime is becoming its own enterprise and its own market niche. 100%. And this is this is one of those things where you've got a business that's now spending in research and development, developing new products and services to bring to their market. The real question that I have, though, do you think they bill, like, a monthly flat, or do you think it's a percentage of take?
Speaker 2: Sure. Is it a commission or is it
Speaker 3: Like, is it we we take 15 or 20% of, like, all revenue generated, or is it something like just give us $12,000 a month?
Speaker 2: I'm sure they'll take your money if you want some tools for smishing people. Yeah. Yeah. Ready to jump in?
Speaker 3: We are, but I think there's one last thing we have to do. I think this is our last episode that comes out before the holiday season. You are correct. So I think we just gotta wish a big happy holidays to all of the fans and listeners of the show. We thank you so much for your your time and the attention. And we hope we keep you company when you do all the fun things in life that we all listen to podcasts when we do. And we love to see the comments of people washing their dishes and mowing their grass. Lots of commuting. I think aside from that, there's been some requests for a hotline hack. Mhmm. So stay tuned. That's gonna come out sooner than you might think.
Speaker 2: It will. Thank you so much for spending this year with us. It means a lot to us. We really appreciate it. We're excited for, one last one this year. This is a wild one. I got on the horn with Ford Merrill, Senior Director of Research and Innovation at SEC Alliance, part of CSIS Security Group to talk about Lighthouse and the Smishing Triad here on Hacked. Ford, good to get to talk to you. This is a wild story. We have enterprise grade software, an organized crime operation. I have to think even with all of your experience in this, the years of research, you must still get struck by this feeling of, like, wow, this is pretty out there.
Speaker 1: Yeah. I mean, when we started looking into this, when I started looking at it around August 2023, we really had a huge revelation, and we were shocked that this was the first group we had ever seen using digital wallets for fraud, like Apple Wallet and Google Pay. But at every turn, there have been sort of innovations that also just kinda leave us a little bit flabbergasted or just impressed at the ingenuity and creativity of these, these threat actors.
Speaker 2: Wanna start super high level. You've been researching this organized crime syndicate built around these phishing scams for years now, long before any of us in the public had a name like Lighthouse to kind of point towards. Super high level, what is Lighthouse, and where did it come from? Take me through this thing.
Speaker 1: Yeah. Well, maybe you even zoom out before, above Lighthouse at a higher level. Right?
Speaker 5: Mhmm.
Speaker 1: What we've been looking at is sort of Chinese smishing and and what that is is like all these package delivery or redelivery messages people have been getting, all the toll road scams that have been prevalent in North America. They've also done things like government impersonation, tax refund scams, and various other lures. But it starts with a text message or an iMessage or an RCS that you receive telling you to, you know, click this link to have a package redelivered or pay a small toll fine, something along those lines. Mhmm. And subsequently, the victim will lose their personal information, their credit card information. And the most important and interesting, sort of innovation from them was the ability to do real time, two factor or multi factor authentication bypass. So they'll also recover the victim's text message or SMS based OTP code, Mhmm. And that will be used for the other types of fraud that require multi factor authentication bypass. And so Lighthouse is a phishing as a service developer, effectively, that makes software to enable people to do this. Google, in their, complaint, I guess, that we'll talk about in a bit Mhmm. Called it sort of phishing for dummies. You pay a couple $100 a month. You get the software to run these smishing and phishing sites. They're all templated and skinnable, so you can just pick whichever country and whichever organization you wanna impersonate, whether it be United States Postal Service or, you know, DHL or FedEx or whatever it is. And then you point a domain at the thing and start spamming out, and that's all you have to do.
Speaker 2: I mean, you alluded to this, but the thing that struck me about this is just how industrial it feels. There's this enterprise quality to it. I think Google says Lighthouse, if they hit about a million people, 120 countries, up to a 115,000,000 credit card numbers, you know, profits in the billions. I guess my question is, like, again, super high level. Like, where does a cybercrime operation end as end not legal, but basically just a software as a service industry project begin? And is that is that boundary, that binary even real at this point?
Speaker 1: Well, I mean, I'm not sure. I I really have a great answer for that other than just to say, I mean, definitely, we've been sort of shocked by the scale of these operations and sort of, totally agree. They're industrialized. They're automated. They operate like a business. This whole ecosystem sort of evolved just like it would in a capitalist society in the sense that certain actors in this ecosystem specialize in various, specific things. So the phishing as a service developers, all they do is make the software that you run on the website. There are people that do nothing but specialize in spam operations for text messages, iMessages, so on and so forth. There are people that specialize in the money laundering side of things. Just so many different aspects that, that, yes, this is organized crime. It is sufficiently advanced, at this point. And and where it really starts and when it transitions to become, like, you know, at that level where you now determine it as organized, I'm not sure kind of the inflection point, but it's there, and it has been for some time.
Speaker 2: I wanna dig into the tech, but just one last little thing. Just for you personally, like, what was the thing or moment that pulled you into all of this? Like, what did you see that made you realize this wasn't just spam text messaging as we're used to it? Kinda take me through that personal story for you.
Speaker 1: At my at my day job, I've been involved in a in a lot of, work around anti phishing. I developed an anti phishing platform where we basically track all the phishing sites in the world, and we do mitigations and and takedowns and stuff like that for customers. But, we were tracking in 2023 just this massive spike in package delivery fraud. All of a sudden, we were just seeing tens of thousands of domains targeting United States Postal Service, and we were like, you know, this is the largest single campaign we've ever observed. Right? And we started looking into it, and we ultimately kinda got lucky because some of the threat actors left some of their phishing kit source code behind. That was, Wang Duo Yu or, also known as Lao Wang, who would later go on to create Lighthouse. And so we had this very early version of his phishing kit. We're able to identify him, identify his Telegram channel, and start to kinda look into peek behind the curtain into this whole ecosystem. And from there, it just kinda snowballed. I mean, we saw that they were involved in the digital wallet, fraud, that that part of what these phishing kits enabled was the bypass of two factor and then subsequently taking the victim's card and putting it into a wallet. And that for me was the point I was like, okay. This is something really big. And I started putting putting together a presentation deck about it and started talking to some of our customers about it. And, you know, over the years, it just continued to snowball and grow and grow.
Speaker 2: I wanna know more about the digital wallet, that wallet provisioning layer. I think most of us think of, like, okay. What is phishing? Someone sends a text. They trick you into giving them your credit card, and they go buy sneakers with it or whatever. When did you first realize that that there's, like, there is a meaningful innovation here, this wallet provisioning layer? Explain that kind of whole concept to us.
Speaker 1: I mean, kind of from the start, like, when you click on this link to begin with, the actors already do some pretty important controls to make sure you're not, like, a security industry scraper or something like that. So it's gonna be geofenced to the IP, the geolocation. So if they're targeting United States Postal Service, you'll need to come from an American IP. But even more than that, they also require you to be on a mobile user agent. So you have to be on a phone to get the real phishing page. And then once you do, it'll be incredibly authentic looking version of the site. They'll ask you for the personal information, you know, in this case, to make sure your delivery can be scheduled or something. They'll ask you for a small payment of, like, 30¢. And this payment is actually never gonna be charged to your card at the time. It's just a reason for you to input the card information. And then, subsequently, once you put your, name and and card number and expiration and CVV, you're gonna start spinning. And presumably, you think that you're waiting for, like, the card to be processed or something like that. But on the back end, the threat actors have, like, a visual representation of your card, literally like an unbranded. Imagine, like, a black credit card that has no branding or anything. It just has your name and your phone number on it. And what they do with it is they have a, a phone ready to go on the back end with, like, Apple Wallet or Google Wallet open, ready to add a card. And when you add a new card to your wallet, the first thing the device does is say, okay. Can I use the camera? Show me the card. And so they would scan the picture of this card that they've automatically generated in the kit off the screen with the camera, and the phone doesn't know. It's just like a a a computer screen version of the card. 
And this rapidly provisions the card number into their phone so they don't need to type the numbers in, which is important because you, the victim, are waiting and spinning. And then immediately, Apple will prompt them or Google will prompt them and say, okay. If you wanna add this card, you need to complete a two factor step. Select, do you want email or phone? And they'll pick phone, and then you, the victim, will get advanced to the MFA bypass page where, now they'll ask you, okay. We just sent you a two factor code. Please input it here. And, you will also have just received that message with a code on the same device most likely. This is part of the reason that they require you to be on a mobile user agent. They want you to be on the phone when you visit the site because you're most likely to be on the same device that will receive it. And then on top of that, if you've ever used the feature on, like, an iPhone or a Google phone where it can automatically populate the two factor code you just received from the message in the background to whatever form you're on, Uh-huh. Victims also use that. Right? So they're on that page, on the phishing page that's asking for your code. As soon as you receive it, your iPhone will tell you, hey, autofill from messages. And you just click that button, it inputs the code, and, you know, that's it. They're able to complete the provisioning of your card in their digital wallet, and you've effectively told your financial institution that you trust that device to spend that card anywhere, and no MFA will ever be needed again. So that was kind of the genius Unreal. Yeah, of the of the digital wallet angle.
Speaker 2: So they do all of this while you're waiting. You input the two factor authentication. Yep. They you have basically verified their device as being your device, and they can go spend money on that device. Do you have a sense of and I appreciate the scale of this is so significant that there isn't any one answer. But now that they have a device loaded up with your card, what happens immediately after that? Where does that device go? What do they do to try and juice as much money out of this as humanly possible?
Speaker 1: Mhmm. So, yeah, we we know a lot about how this works. So in in the beginning, when we first started seeing this, what was really interesting is actually they would wait almost two to three months before they did anything.
Speaker 6: Oh, wow.
Speaker 1: And part of this, we believe, is they were worried about sort of the risk control signals that it would give to a bank if suddenly a random device added a card and then just started spending right away. So in the in the very early days, they would add these cards, and they would wait a long time to spend them. But nowadays, you'll be lucky if they wait, like, a couple of day you know, one to two days, maybe three days or seven. But, then they have a lot of different ways to launder the money and get the money out of the card. Because, if you can imagine, when you have a card in a digital wallet, and you're just a legitimate user, I mean, there's a lot of ways you can use it. You can tap to pay for things. You can buy things online, in apps. You can also tap to withdraw from ATMs in some countries and with some banks. So there's a lot of immediate options available. And one of the things that you might think of doing is just go to the store and tap to pay for something. And that did work a lot in the early days. But as time goes on, the banks get better and better about their risk controls and all this kind of stuff. So imagine if you're a threat actor sitting in China and you have a lot of American victims cards on your device. If you go to the store and just try to buy something traditionally, probably the geo controls are gonna block you because you're not in the right country. But even if that purchase did go through, you're on camera. Right? And, eventually, that transaction will be reported for fraud. There will be a charge back of some sort, and that merchant now has you on camera, which is probably not a good look. So one of the first things they started to do was look to what we call merchant account laundering. 
And the way this works in the online version of it is you will create or the threat actor will create a fraudulent account with something like Stripe or PayPal or Zettle or one of these online sort of credit card acceptance or payment provider solutions.
Speaker 2: Mhmm.
Speaker 1: And then with their fraudulent Stripe account, they will generate a fraudulent invoice for something like, let's say, a short term room rental on Airbnb, $500 or whatever. And then they will go to that invoice with the device that they have with the victim's card loaded, and they'll use the pay with Apple Pay function to pay themselves the Stripe invoice. And then that'll go to their merchant account, and then that is an interesting angle, but it's not without its challenges because merchants are used to credit card fraud, so they withhold money for a long time. And it's not the ideal way to launder, but it is a way. The other thing we've seen is that some of the threat actors will obtain physical point of sale card terminals. So just like if you run a business and you need to accept credit cards in person or tap to pay in person, you just get, like, a Square device or some other kinda, like, physical terminal. They would obtain and collect a lot of terminals, and then they would have, you know, 100 phones with five cards loaded on each one. So they got, like, 500 credit cards, and they would generate fake invoices on, like, a little point of sale terminal machine, and they would just have to pay with the victim's cards over and over again. Mhmm. And this was another form of merchant laundering, physical merchant laundering. But the most interesting ones and probably the ones that have driven the most losses and been most impactful are, physical goods purchases, through the use generally of mules. Yeah. And then the other one is gift card purchases. And why those are so dangerous is because once those physical goods or those gift cards have left the building, somebody is guaranteed to take the loss. It's either the merchant that sold the product, the bank that issued the card, or the victim who had the card with the bank. But somebody is going to lose their money, and you can't really put it back in the bottle. 
So those are are are sort of, like, some of the key ways they do it. Before I jump into, like, the the mule thing and the NFC relay, I mean, do you have any questions or should we talk a little bit more about how that maybe something's not clear?
Speaker 2: Yeah. My next question was going to be to explain the mules to me because as I was reading through this, there's something that hits very emotionally different for that mule layer than the other ways that they're laundering this money. These are real people who think they're doing, like, a temporary job. And I guess I'm curious. Help people understand how that whole process works. Do you have any insight into how the people behind us see those mules? Like, tell me about them.
Speaker 1: Yeah. So our our visibility into this sort of mule process is a little bit limited because we we don't actually go through the process of, like, trying to become a mule ourselves and get involved in it. We just observe and see, kind of from the discussions and the advertisements that they have. But we generally believe that they advertise on various platforms, TikTok, Facebook, you know, AdSense, other kind of social media, probably, on, like, WeChat and and other forms. And they're just basically looking for people who wanna make extra money by doing sort of, you know, small tasks or whatever. And, what they'll ultimately be signing up to do is, buying things in physical stores, mainly gift cards, but also sometimes luxury physical goods or other products that are easily resellable. And the way that they'll do this is they will be instructed to to have a certain type of phone. Usually, it'll be a Samsung Galaxy phone. It's necessary to support the NFC relay story. And they will be, given, like, an APK or an Android app to download. And when they open this app, it will basically just provide them credit cards to use that work for Tap to Pay. So, the way this kinda works, fully is, they will usually be in close coordination with their mule handler or the operator, and that person will be operating, I like to say, behind the curtain. Right? They might be in China. They might be in Southeast Asia. They might be somewhere else. But effectively, they're they're sitting somewhere else with, stolen cards that have already been loaded onto digital wallets. So they have a lot of iPhones or Androids or whatever with these cards on them. And they will have another device, an Android device that is running, generally, I think it's gonna be rooted, and it's running, the server version of this NFC relay software.
And when they touch those two devices together, the wallet device with the card on it and their Samsung running this custom software, it will relay that NFC card to the mule that has the client side version of that software running on their Android phone in the field. Oh, wow. So now the the mule can basically just walk up to the point of sale terminal and tap to pay for whatever it is using the card from behind the curtain from, like, 10,000 miles away. And it works just like a real tap to pay transaction because, actually, effectively, it is a real tap to pay transaction. It's a perfect relay. And, yeah, it it's that's basically what they do. They just take stolen cards. They add them to wallets all day long. They hire mules to go out into the physical places to buy the things that they want, and the mules go up there and just buy gift cards, or so on from, like, automated kiosk or self checkout kiosks. And they will generally then scratch the codes off of the gift cards, take pictures of them, and then send them back to their mule handler who will cut them in on some of the money.
Speaker 2: Unreal. Starting something new isn't just hard. It can be downright terrifying. You put a lot of work into a thing. You're not entirely sure it's going to work out. You're taking a huge leap of faith. I've started a few things. Now I know I was right for believing in, you know, the idea, the product, despite all of those fears and hesitations, but boy, does it sure help when you have a partner like Shopify on your side. Shopify is the commerce platform behind millions of businesses around the world and 10% of all e commerce in The US. From household names like, well, hacked podcasts merch, to brands just getting started, you can get started with your own design studio with hundreds of ready to use templates. Shopify helps you build a beautiful online store that matches your brand style. Did I mention that that iconic purple shop pay button that's used by millions of businesses around the world? I don't know why I wouldn't. I should. It's why Shopify has the best converting checkout on the planet. It also helps boost conversions, meaning less carts, sort of getting abandoned in the parking lot, and more sales for you. It's time to turn those what ifs into sign up for your $1 per month trial at shopify.com/hacked. Go to shopify.com/hacked. One more time, that's shopify.com/hacked.
Speaker 2: So much of this seems as though I can imagine it being automated. There are stages to this process that I have more questions about that seem like you could have running in the background on a computer somewhere. That seems like it would require a ton of human labor. Like, you are just coordinating with a small army of people running around doing these transactions, running these fake cards. I also saw a number. It was Lighthouse boasting, like, 300-plus front-desk staff worldwide. I'm not sure what that means. What does the scale of this mean to you operationally? Like, what should we visually be picturing? Are there call centers full of people running this? Is this decentralized? Like, what does this workforce look like?
Speaker 1: Well, we don't know exactly in terms of visually what it looks like, but some of the things we do. We know the spam centers, or the spam operations. You know, we've seen racks of iPhones and Androids, like, 100 to 200 phones deep on, like, a rack that will have, let's say, 20 phones wide and five phones deep. And one operator is sort of just visually managing, like, 100 phones at a time. And those are all being automated to blast out, like, iMessages or RCS. And maybe at some point, one of the phones will get, like, banned by Apple or something, and he'll need to pull it out of the rack, reset it, you know, set up a new iCloud account on it, put it back into the automation, and keep it going. So, you know, imagine there are many actors like that on the spamming side. On the phishing side, I mean, and just in this ecosystem as a whole, just individual channels. For instance, Lao Wang, who sold Lighthouse, his Telegram channel had something like 21,000 impressions or views and almost, like, five or 6,000 people in it by the time the first one was shut down by Telegram. And we believe, you know, we track 10 major phishing-as-a-service actors just like Lao Wang. And so if he has 6,000 in his channel, we know some that have ten and twelve thousand in their channel. I mean, it's tens of thousands of Chinese-speaking individuals that are in these groups. And so, yeah, we believe there are easily tens of thousands of people involved in every aspect of this fraud, and some of them are gonna be smaller operators that just buy access to the software. They pay a spammer to send their messages, and maybe they target, you know, the US or Canada or whatever their little geographic region is. And they may do it for their own gain. And, collectively, when you start to add up all these small actors, it's a tremendous amount. And then we've also seen evidence to support that there are some groups that are truly organized crime in the sense that they're just openly advertising that they do it all, from spamming to mule operations to point-of-sale laundering to, you know, phishing platforms to giving you data to target your phish. Like, everything. So it's pretty big.
Speaker 2: Yeah. When I was first reading about it, I mentioned this earlier, but it kinda drew a parallel with, like, software as a service. But the more you look at it, the more it's like, yes, there's software as a service and enterprise-grade software when there already exists a marketplace. There's this much larger marketplace of people that are trying to spin up these types of operations. Someone can say, oh, I'm gonna target this part of the world with this type of messaging. Oh, I'm gonna target this group with these types of lures. How does that fester? Like, where does that come from? Is this all just growing on Discord channels on the Internet? Like, is there a top-down way of thinking about this? Like, how did this grow in the first place?
Speaker 1: Well, I mean, when there's money to be made, people are interested in making more. I think, you know, Lao Wang, who authored Lighthouse, and also Darcula, were kind of some of the OGs when it comes to Chinese smishing operators. And they developed probably some of the first really sophisticated kits that could do these real-time SMS OTP bypasses and be used for digital wallets. And so we're not exactly sure who really invented this sort of recipe with the digital wallet cash-out angle and the real-time OTP bypass. But it was probably one of them or somebody that they were close to or inspired by. And then, you know, once they started having a little bit of success doing this, I think one of the things they quickly ran into or realized, at least at that time before a lot of it was automated, was, well, one person can only sort of put so many cards in wallets at a time. Right? Like, if you send out a blast of spam and you have a thousand victims rolling in and, let's say, 50 of them are putting their cards in at the same time, then you need to provision those wallets. Like, one person can't do all that. So there's a lot of loss, you know, phish catch, basically, that you're losing by not being able to have enough hands on the problem. And so they were like, hey, this is free money that we can't monetize. We could sell this software as a service and sort of, like, advertise it so that other people can get in on this action, and we can happen to profit from that activity too. And what was really interesting is, in the early days, we believe almost all of these kits were backdoored. So their customers would pay them a fee every month to use the software and the service, but they could then come behind and just scoop up all the card information and the victim information anyway. Now, granted...
Speaker 2: Of course.
Speaker 1: Granted, they couldn't tokenize it once the victim's no longer on the hook and they don't have the MFA anymore. Right? But they could still use that card data for, like, card-not-present fraud or follow-up vishing or social engineering, things like that. And so it's just really interesting. They were, like, double-dipping by selling the software to their customers and stealing.
Speaker 2: And why would their customers assume privacy when they're purchasing privacy-infringing software, in a sense?
Speaker 1: Correct.
Speaker 2: You mentioned them a couple of times, Lao Wang, the author of Lighthouse. What do we know about them? Tell me about them.
Speaker 1: Well, what we know is kind of limited in terms of real personal attribution, but we know they've been around since February 2023. He originally provided sort of tuition, not just the software as a service, which he certainly did, but he also offered people an ability to be under his apprenticeship and learn how to create and modify these kits. And we believe he apprenticed somebody who he called "the young lady," who we believe later went on to become an actor that was known as Chen Lun. And she created what he called one of the most advanced kits his students had ever made, and it was a gov.uk tax-based phishing kit at the time. But he was, like I said, sort of a visionary and OG. He had around 17 brands that he targeted with his original kit, which we call version one, but his most prolific victim was the United States Postal Service and the American people, through the use of United States Postal Service package delivery lures, by far his most popular kit. The other thing that he specialized in, and still does specialize in to this day, is fake shops. So he supports a workflow where, instead of getting a message and needing to log in and do something and lose your data, he will allow you to set up a fake shop, an e-commerce site selling anything you want. It could be, you know, toilet paper, dish detergent, or electronics. And it looks just like a real e-commerce site. And when the victim goes to check out for this product that they think they're buying, they literally just lose their personal information. They lose their card information, and then they lose their OTP again because they think they're doing that for the payment validation. And these are a lot more sinister in some ways because they have a lot more staying power, because no messages are sent out. Not a lot of people report them. They also don't require you to receive a message and click on something to be victimized.
You can just be searching for something you wanna buy online and see this e-commerce shop that looks to have a good deal. And they advertise these sites on AdSense, like, on Google AdSense, on Meta platforms, on TikTok. You know, I'm sure you've seen the news that Facebook had, like, $18,000,000,000 in revenue from scam advertisements. Like, things like that are driving people towards these fake shops, where they then self-victimize. So that was another big part. He was kind of a pioneer in that fake-shop space as well. And then in August 2024, he would launch the kit that would be known as Lighthouse, for a number of reasons. He wanted to modernize the code base. He wanted to make it more modular, basically just improve functionality across the board. And when Lighthouse originally launched, he only targeted 17 brands with the old kit. Within a month, he targeted 29 brands. And a month later, he started targeting 63 countries. And each of those countries would often have multiple brands. So the new kit just kind of skyrocketed his ability to scale the brands for his customers. And, yeah, we believe he was very successful since early 2023. And, finally, Google released this civil action, this lawsuit against Does 1 through 25 related to Lighthouse, and he has subsequently shut most of his Telegram stuff down, gone dark. It looks like a lot of his infrastructure got knocked offline, and so he's probably licking his wounds and rebuilding, would be my guess.
Speaker 2: Yeah. Since you brought it up, this is the second story in as many months about Google being involved in a lawsuit with alleged cybercriminals. We reported on their lawsuit against a group installing malware on these cheap consumer electronics. This lawsuit, you know, kind of frames Lighthouse under RICO, basically saying, like, this is an organized criminal enterprise. You alluded to this a second ago in terms of him kind of going off and licking his wounds, but, like, from a researcher's perspective, why does Google do these lawsuits? And what role does legal action play in disrupting stuff like this? Like, is this just whack-a-mole, or do these lawsuits have an impact?
Speaker 1: Well, I mean, first off, the disclaimer. Obviously, I don't work for Google, and I'm not a lawyer. So it's hard for me to do anything but speculate. But I can do a little bit of informed speculation anyway because of my knowledge of this subject.
Speaker 2: Appreciate it.
Speaker 1: I think this action, or this type of action, taking civil action against a cybercriminal actor, is really interesting. Obviously, we also saw it in the past with Microsoft using it to obtain default judgments and then go after, like, C2s of known malware or botnets that were causing a lot of problems for Windows users and things like that. And I think one of the more interesting parts of it, or ingenious parts of doing it in a civil way, is that in a criminal case, you really have a high barrier for proof. You know, you need a lot of proof, and it all has to be proper chain of custody and everything. There's really a high bar to prove somebody is guilty, and then you have the jurisdictional problem, where if these actors are sitting somewhere you can't really reach them, or you don't have jurisdiction over them, that becomes hard to do as a criminal thing. And then, like you said with whack-a-mole, well, if you do get a criminal action against somebody and you arrest some folks, I mean, there are plenty more people that are gonna pop up. And so you're gonna have to rinse and repeat that more expensive process over again. Whereas with the civil action, you can file a suit against these folks in a jurisdiction that's relevant for you, and there's almost a 100% chance they're never gonna come to defend themselves. So you will win by default, obtaining a default judgment, and then you can take that thing to hosting providers, domain registries, domain registrars, all that sort of stuff, and say, hey, we obtained a judgment. These actors are on your platform doing bad things, and we would like you to take them down. And most legal departments are gonna say, hey, to avoid any extra liability or any chance that we get caught up in this thing, you know, they have a court order. We need to take this stuff down. So I think at least in terms of disruption, even though it might be temporary, it does cause pain and impose costs for these threat actors. And to some extent, it starts to limit their horizons. Right? If they know that they can no longer use a hosting provider that used to be friendly, then they'll need to look for another one. And as these things continue to come and they get shut down from place after place and get run from provider to provider, eventually, they'll be left with sort of no other option other than the bulletproof hosters, the bottom-of-the-barrel stuff that has zero reputation. And those become easier to block, and to automatically list stuff as suspicious from.
Speaker 2: Mhmm.
Speaker 1: So I do think it has a positive impact, and it is a good approach. There are trade-offs with it. Right?
Speaker 2: I mean, on that note, it seems like a pretty large percentage of the domains linked to this were coming from Tencent and Alibaba networks. Those are two of, I believe, the first and largest listed companies in China. If big tech companies in China ever did cooperate with, say, US takedown lawsuits like this, how much of this ecosystem would actually collapse? And how much of it is, again, just to use that metaphor, whack-a-mole that's gonna pop back up somewhere else?
Speaker 1: Well, as far as I know, Alibaba and Tencent at least do respond to some complaints and do take some action on them, although they tend, I don't wanna say malicious compliance, but they tend to do it in a way that's sort of, if you could drag your feet as much as possible and require as much information and make the process as painful as possible for a reporter to actually get something done, that seems to be the way they handle these complaints. At least that's been what I've heard from folks who actually try to get these taken down, and we also submit data to clearinghouses that try to get these things taken down. So we've had some of that experience as well. Yeah. I mean, a vast majority is hosted, or so many of them are hosted, at Alibaba and Tencent. That's for sure. And oftentimes, so many of them are also protected behind Cloudflare free accounts. Right? So there's a bit of a tech enabler as well with Cloudflare. But that being said, you know, if Cloudflare was to stop offering protection for these proactively, and they can make a good argument that, hey, you know, it's not always possible for us to identify these things proactively. And I do know that they are responsive to abuse requests. They have an API for that kind of stuff, so I'm not trying to throw them under the bus here. But, you know, I think if Alibaba and Tencent did something about this, it would make a meaningful impact. Again, you know, the actors probably would just shift somewhere else to another hosting provider and just continue to do that until they've been chased to the bottom of the barrel.
Speaker 2: I'm curious to go back to the groups themselves a little bit. And this feeling I got in reading through this story of, like, growing ambitions. You know, this starts out and it feels kind of familiar. It's, you know, the postal service lure. It's familiar stuff. And there seems to be this escalation of, like, you've got card theft, kinda moving into, like, even bank logins. There was stuff about brokerage accounts.
Speaker 1: Yes.
Speaker 2: There's a real sense of, like, we are climbing the ladder that is the Western international financial system. What should we take from that? Are they just truly ambitious? Are they learning? Like, what's going on there?
Speaker 1: I think it's a combination. I mean, they're ambitious for sure. They want money. Right? They are financially motivated, and, to their credit, and I have to kinda give them a bit of a compliment, they have been so innovative and so creative over the years and months that we've been tracking them that they've continued to adapt and pivot. You know, when they started with NFC relay, I mean, first off, they invented digital wallet fraud. I mean, it's crazy enough. Right? And real-time OTP and SMS bypass to be able to facilitate it. That's crazy enough. But then they basically invented NFC relay, the ability to relay an NFC payment, a tap-to-pay payment, around the world. And that's, like, mind-blowing levels of nobody thought that was possible until they invented it. And then they learned how to scale it and use it. And then even on top of that, now they've got technology that allows them to do NFC relay multicasting. So a single user behind the curtain with one device that's operating as a relay server, and cards that he touches to that device can now support not just one mule operating in the field, but 20 or 30 or 50 or however many mules simultaneously. And because it's so clever how they've created it, because tap to pay is a one-time token transaction where you can't replay the token, if one of those 50 actors that's receiving that card taps to pay for something, all the other actors temporarily lose the card in their app. And then as soon as that transaction is completed, all the other actors receive the card again, so it's ready to go. And so, you know, things like this. I mean, first, they hit you with NFC relay, and then they come with multicasting. And it's not even a couple of months after they just invented this tech.
And then to your point about banking and brokerages: as the banks have gotten better at protecting against digital wallet provisioning, so in other words, the process of them adding your card to their device, that has gotten harder for them, because the banks do receive some interesting controls and data from Apple and from Google that give them some ideas about the risk levels of that device and all sorts of stuff. And they're starting to get better at preventing these malicious wallet provisionings. So the actors have also built in a system that will automatically tell them which cards they should automatically reject and which cards they should bubble up to the top and prioritize, because those will be the ones with weaker controls, like smaller credit unions or smaller banks instead of the mega banks. And then as provisioning continues to get harder and harder and they scrape the bottom of the barrel, they start using these tools that are perfect for real-time phishing and MFA bypass to do things like account takeovers, where they'll take over the victim's PayPal account. Or, more interestingly lately, and more saddening lately, is brokerage account takeovers. So the way this works is you'll get a text message that's, like, hey, your Charles Schwab account has had some suspicious activity. You need to log in and do something about it. And it will be a phishing site that looks exactly like Charles Schwab. They'll take your login information, you'll give them your two-factor or your multi-factor, and they will log in, and now they own your brokerage account. Now, you might have a million dollars in there or whatever investments you have in there, and they can't take the money out in terms of wiring it out of the account because the controls are too good for that. But what they can do is effectively liquidate all your positions and buy Chinese penny stocks or Chinese IPO stocks
Speaker 2: Oh, wow.
Speaker 1: that they already own in their own personal accounts or their own criminal accounts offshore. And as you are buying those penny stocks, they're selling against your order flow. So it's like a
Speaker 2: Oh my god.
Speaker 1: twist on a classic pump-and-dump, where they used to have to convince you to buy a penny stock. Now they just take your account, they control it, and they buy whatever
Speaker 2: They want it.
Speaker 1: Yeah.
Speaker 2: Wow. The penny stock one, that's nuts. I hadn't caught that. That's crazy.
Speaker 1: Yeah. And it's very, I mean, it's really sad, and it's really damaging. We know some people that have lost their entire life savings. They're retired. They're on pension or whatever. Right? And they lose everything. And when you lose $400, I mean, you know, there's this kind of saying, like, if you owe the bank $400, it's your problem. If you owe the bank $4,000,000, it's the bank's problem.
Speaker 2: Sure.
Speaker 1: But if you lose your entire brokerage account, it's unlikely, depending on where you are and how much it was worth, I mean, it's much less likely that you'll be reimbursed. So those are really saddening. But, you know, again, like I said, they're financially motivated. And so at every turn, they've sort of increased their ability to do this, to scale it, to steal greater amounts. We believe that, well, we know that some of them are also involved in pig butchering-type scams. You name it. They're involved.
Speaker 2: I'm curious. And innovation feels like such a weird word for this because of the kind of harms we're talking about. But, like, I'm curious to understand where this innovation is coming from. I feel like here, when we talk about people developing really complicated software, the two stories are either, like, the wunderkind in a basement that hacks it together themselves or, increasingly often, like, the person who gets ungodly gobs of, like, venture capital money and then poaches talent and points it at a problem like a machine gun. And I'm curious, what does this look more like? Is it the individual author creating all of this? Is it more of the investor business model? Is it a crowdsourced software project where it's wisdom of the crowd and people working together to come up with NFC relays and wallet layers? Like, where is that innovation coming from?
Speaker 1: I think wisdom of the crowd is probably the closest one to the truth, at least just from what I observe. We believe a lot of these developers are, you know, students or people who have recently graduated, maybe in their twenties, thirties kind of age. They have computer science degrees and backgrounds. They are developers. Some of them, we believe, had a real day job when they started working on this stuff and ultimately went on to kinda do this as a side hustle that became their main hustle. But in a lot of these channels, you'll see there are so many people offering their own services, willing to work, pitching ideas, or, hey, does anybody have something that could work with this card or whatever. And so there seems to be a collaborative nature to, hey, I wanna get some money. You wanna get some money. How can we figure out how to do this? And then also, at least in the Chinese fraud ecosystem as we've seen it, there has not really been much shame around copying other people's work. So if one phishing actor came with a new feature, for instance, in early 2025, we saw this massive rotation in the US and North America to toll road scams. Whereas before that, everything was pretty much United States Postal Service package delivery scams. But people had gotten so tired of it, so fatigued. I mean, how many of these package messages did you get every day? And you kinda knew it was a scam at that point, so people weren't falling for it. So one of the actors decided to try a playbook that had worked in another part of the world, in Australia and New Zealand. These toll road scams had been very popular in Australia and New Zealand from 2023 onwards. And so they decided, hey, why don't we try these in the US? And they apparently had massive success.
And within just two or three days of one actor adding, basically, US toll roads to their kit, almost all the other major phishing-as-a-service actors also supported toll roads. And so I think part of that innovation is kind of like, when one person figures out something that works, that's the new baseline, and then everybody's looking for the new thing that will improve that. Right? So they went from manually inputting card details to provision these wallets to automating it. And we've seen some of the actors use, like, LLMs and AI to help a customer create, like, a very convincing brand impersonation. So imagine if you have a particular brand you wanna impersonate and the kit doesn't yet support it. There are features within the kit that are, like, AI-enabled or AI-powered that allow, like, a user who has no technical skill to say, okay, I wanna impersonate this website, and it'll go out and, like, make a capture, scrape it all down, put things in the right format for, like, creating a skin for the phishing site. And then that becomes a new template. So they've really been smart about how they kind of automate things, about how they approach development, and treat all of this like a real business.
Speaker 2: This is maybe an unfair question, or maybe more just putting you on the spot, but I am curious. With everything that you know about this, if you could redesign any part of the financial ecosystem, like how card issuers work and mobile wallets and telco messaging systems, if you could redesign some part of the financial system to try and shut down a big chunk of this fraud overnight, like, where would you intervene? What's that bottleneck?
Speaker 1: Yeah. This is always a tough one because everybody wants a silver bullet, and there is no silver bullet. There are a lot of things that need to come together. But I think one thing that would have a massive impact in general is if we would move away from SMS for the second factor because, a, it's clearly one of the easiest forms of MFA to bypass, even if we don't talk about SIM swapping, but, of course, SIM swapping does exist. SMS is unencrypted. It's, you know, an aging protocol, very old at this point. It was really just a hack to begin with. And one of the biggest sort of things that I see against SMS, at least as a second factor, is that a lot of times when the victim receives that two-factor code from their issuing authority, there's not a lot of context about what it's for. At best, it's like, hey, this is Chase, and here's your code. Don't give it to anyone. And, you know, at least with app-based authorizations, let's say bank app-based authorizations, you will get some information that's like, hey, somebody is trying to add your card to an Apple Wallet device. Are you sure you want to allow this? And that becomes a lot harder for these threat actors to overcome, because even if the victim fell for the phish and they put all their information, their card information, in, and the actor says, okay, now you need to open your banking app and approve, when they see what it's for, I bet you a high percentage of people actually bail out at that point. So I think there's something to be said for getting onto stronger forms of multifactor authentication, either app-based, or generator-based, which is obviously a little better than text but still kind of weak because it's just a time-based code and there's no context there. You just have to provide your code for some thing. Things like FIDO and passkeys and so on are also really interesting.
We're not aware that these actors are able to bypass passkeys because of the nature of them. Of course, I have some misgivings about some of the other things that passkeys enable, which is a lot of centralized lock-in to big players. But the other thing, I mean, I know you asked for a single thing. The other thing that is happening, and we are getting much better at it, is we're so good at filtering spam messages from email, and we have been for many, many years now. But we're terrible at it when it comes to text messaging. But that is changing. Right? Android released an awesome feature related to, like, scam detection and possible scam detection for messages. They also do things like call screening. iOS 26 apparently now has a lot of anti-scam or sort of anti-spam message features as well as call screening. Unfortunately, it's not available anywhere except the US, as far as I'm aware. Maybe that's changed, but we don't have access to it where I live in Europe. So if we can prevent people from seeing these messages and clicking on them and going to them, that's a big impact as well.
Speaker 2: I'm curious where this goes next. Like, they have truly embraced the move-fast-and-break-things philosophy. They are iterating and coming up with new, like, templates and lures and ways of doing this. What's that next adaptation? Where does this go, say, in 2026?
Speaker 1: I think it's, yeah, I think it's really gonna be towards more account takeover-type activity. Whether that's brokerages, I'm not sure. Maybe the brokerages will, due to the amount of money involved, probably pretty quickly kinda shut that down, I would assume. Could be wrong about that. But other forms of account takeover that allow them to monetize and do useful things, whether that might be stealing, like, you know, Amazon accounts or PayPal accounts or Stripe accounts. These kinds of things that often have some sort of a payment channel associated with them or a card associated with them and allow you to buy things or transfer money. I think that's an area that, so far, we know that certain threat actors go after those types of things. But the digital wallets were such low-hanging fruit that it just seemed like everything gravitated there for a long time because of all the advantages. But, yeah, I would think probably more targeted spear phishing, more account takeover, more kinda social engineering-backed stuff. We know that they also have the capability to bypass KYC controls. There's a lot of stuff in the ecosystem about providing fake documents, fake passports, fake Social Security numbers, ID cards. And we believe that they're also starting to leverage, like, generative AI for videos to bypass these types of controls, where, when you open, for instance, a crypto account, you need to have your phone's camera pointed at your face with a selfie and holding a passport next to it and move it in and out and all these kinds of things. We believe they're also able to bypass those kinds of controls. So, yeah, it's hard to say exactly, because I could have never predicted NFC relay or some of the other things that they've rotated to. But whatever it is, I have a feeling it will be effective, for sure.
Speaker 2: To wrap up, because you've been super generous with your time, you've spent years researching and unraveling and, like, trying to paint a picture of this. What is it about this topic that kinda keeps you curious and engaged? Like, what is the thread that you feel like you haven't pulled all the way on?
Speaker 1: I mean, unfortunately, my feeling has been since I started looking into this that I wanted some closure before I was done. Right? And I say unfortunately because I can see now that that is probably never going to happen. But I really initially thought, like, wow. We've learned a lot about this. We understand how it works. If we just talk to the right people, like, we can make a difference and solve this problem. And the reality is, while I've had, and a number of other people that are really close to this have had, good impact here, at the end of the day, like, it's a never-ending battle. Right? This tale is as old as time. You know, that if you can convince somebody to give you your password or you can social engineer somebody into defeating the controls, then no matter how sophisticated the controls get, it never matters. Right? Like, you can always just convince a human to defeat the controls for you. So in that sense, I don't think this will ever really be resolved. But my hope was that through our research and what we shared, we could really, like, shut it down to a significant extent. So that's kinda what keeps me going. And the other thing is, as long as people have an interest in this and as long as people are losing money to this and wanna talk about how it works, I'm happy to share that. Right? Because I think there needs to be more visibility, more understanding of what's going on. And when I talk to people about how it works, no matter if they're technical or not technical, they always love to hear the story and learn how it works, because we've all seen these messages. And we all kind of, I guess, subconsciously wondered, like, what's that about? Or how are they even making money from this? And when you show somebody that and their eyes kinda light up and that light bulb goes off in their brain, and they're like, oh, that's how it works. You know, then they can go and tell their family and be like, hey, I understand how that works. You need to be really careful about this. Or let's look at our OPSEC, or let's look at how we handle security. Because it is a very, you know, it's not only a personal responsibility. It's also a societal and sort of government regulatory responsibility. It's a responsibility of these companies, but it's a responsibility of all of us to sort of lift the level, or the security level, let's say. So I guess that's really what keeps me going. The hope that we can really make a difference in this kind of thing. And the fact that people are interested in learning more about it and understanding more about it.
Speaker 2: Just as an aside, I think that we all have this feeling that we are, on a daily basis, even in something as innocuous as a text message, you know, the bad, like, Facebook scam ad that you try to avoid clicking on, the link to the ecommerce site that seems right. Right? Like, it seems like it's the real thing. We all have this feeling that, like, in order to exist online, you sort of have to consent to just being lied to, with the potential for very real harm, all of the time. There's this feeling of, like, when I wade into this world, I'm wading into a space where people are gonna lie to me to try and steal from me all of the time. And that feeling, even if people aren't technical, doesn't go unnoticed. It sort of builds up on you like a residue, that there's someone always trying to tell me a lie. So even for nontechnical folks, I get why this would be a really compelling story.
Speaker 1: Yeah. And, you know, to your point, I mean, it's unrealistic for anybody to have their guard at, like, you know, the highest level at all times. Right? So even if you don't fall for 99 out of 100 text messages, the one time that you're busy or stressed or you've had something to drink or it's just early in the morning and you just woke up or you're tired. All it takes is once, and that's what these actors are counting on. It's a numbers game. We know from the numbers that only one to three out of every one thousand victims that receive these messages actually go through with clicking the link and losing their information and getting their card information provisioned. So that's less than one percent of everybody that receives it, but it's clearly enough for them to make money at scale.
Speaker 2: Ford, thank you so much for your time. It was really good to get to talk to you. I appreciate it.
Speaker 1: Yeah. Absolutely. Thanks so much for the time.