Flipping the script.

Dave's phone is blowing up with smishing attempts. Joe shares a story about fake license renewal attempts from The New Zealand Transportation Agency. The catch of the day flips the script on their attacker. Later in the show Carole Theriault speaks with Jamie Bartlett, the brains and host behind The Missing Cryptoqueen, an amazing BBC podcast about trying to get to the bottom of the OneCoin scam.

Transcript

Jamie Bartlett: [00:00:00] Rather than doing multilevel marketing and selling vitamins or Tupperware and having to have a garage full of rubbish, she could sell a fake cryptocurrency through multilevel marketing. 

Dave Bittner: [00:00:13]  Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: [00:00:31]  Hi, Dave. 

Dave Bittner: [00:00:32]  We've got some great stories to share this week. And later in the show, Carole Theriault is back. She speaks with Jamie Bartlett. He's the host of "The Missing Cryptoqueen" podcast, which is from the BBC. It's a great story about trying to get to the bottom of the OneCoin scam. 

Dave Bittner: [00:00:47]  But first, a word from our sponsors at KnowBe4. So who's got the advantage in cybersecurity, the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us, and we'll have some insights from our sponsor KnowBe4 that puts it all into perspective. 

Dave Bittner: [00:01:14]  And we are back. Joe, I'm going to kick off things this week. 

Joe Carrigan: [00:01:17]  OK. 

Dave Bittner: [00:01:17]  And I kind of a grab bag of things I want to talk about this week. 

Joe Carrigan: [00:01:21]  A grab bag, huh? 

Dave Bittner: [00:01:21]  I say grab bag. You might say scattered. 

Joe Carrigan: [00:01:23]  OK. 

Dave Bittner: [00:01:23]  But either is an accurate description. First, I wanted to point out a tweet from someone who goes by Jake on Twitter. This is @JCyberSec_. And he laid out a bunch of phishing sites, a bunch of landing pages where if someone tries to phish you, this is where you will land. 

Joe Carrigan: [00:01:42]  One of the places you'll go. 

Dave Bittner: [00:01:43]  The first one that is here looks exactly like an Apple login page, which I guess is not surprising because what these folks do is literally just scrape... 

Joe Carrigan: [00:01:53]  Right. 

Dave Bittner: [00:01:53]  ...The code from the Apple landing page or whatever... 

Joe Carrigan: [00:01:58]  And there are tools out there that help you do this. One of the problems with the web is that in order for your browser to render what the company wants you to see, it has to give you all the code to render it. And once that's downloaded, you can copy it very simply using - you know, manually - and go ahead and host it on a different site. There's nothing stopping you from doing that aside from legality and the fact that all of our listeners are moral, upstanding people. 

Dave Bittner: [00:02:23]  (Laughter) Right, exactly. So other details in this tweet here, it has one of the messages that will lead you to this page. 

Joe Carrigan: [00:02:30]  Right. 

Dave Bittner: [00:02:30]  This is an SMS message, and it says, your phone ID is on hold due to wrong payment address. Please confirm your details at apk-signinauth.com/.gb - it's the .gb that's the tipoff there, I suppose... 

Joe Carrigan: [00:02:44]  Right. What country is GB? 

Dave Bittner: [00:02:46]  ...To avoid permanent account termination. I don't know what... 

Joe Carrigan: [00:02:49]  The Gambia? 

Dave Bittner: [00:02:50]  My initial impulse was Great Britain. 

Joe Carrigan: [00:02:52]  Yeah, so .gb actually is Great Britain. It's fallen into disuse because of the U.K., so it's still a valid top-level domain. 

Dave Bittner: [00:02:59]  OK. Some other things in this tweet - there's a page where they show a bunch of - I suppose it's JavaScript code. This tweet also includes a bunch of screenshots of other pages that are hosted on the same IP. So there's a lot of other things on here - different logins, logins that pretend to be from things like GoDaddy, from Apple, of course, a variety of - Instagram - a bunch of things. So I guess one rogue IP address is hosting a bunch of these different phishing landing pages... 

Joe Carrigan: [00:03:26]  Right. 

Dave Bittner: [00:03:26]  ...Which is not surprising, I suppose. 

Joe Carrigan: [00:03:28]  That IP address is hosting multiple domains, really, is all it is. 

Dave Bittner: [00:03:31]  Yep. So what do you have to say about the code here? 

Joe Carrigan: [00:03:35]  The code is actually - looks like it's using jQuery to harvest credit card information. 

Dave Bittner: [00:03:39]  Oh. 

Joe Carrigan: [00:03:40]  And then there is this huge UDUD (ph). I don't know what that is, but it's a long string of random text. It might actually be something that - it looks like it's something that's Base64 encoded and may also be some other content, I don't know. 

Dave Bittner: [00:03:54]  I see. So behind the scenes here, this gives away what they're after here. They're harvesting credit card numbers. 

Joe Carrigan: [00:03:58]  Yeah, it's obvious that they're harvesting credit card credentials. 

Dave Bittner: [00:04:00]  OK. All right, good to know. Well, so the second part of my grab bag of things I wanted to talk about this week was that since the new year, I have been getting a lot of SMS phishing messages. 

Joe Carrigan: [00:04:12]  Have you? 

Dave Bittner: [00:04:13]  And I don't know why, but up until that point, I got virtually none. 

Joe Carrigan: [00:04:16]  Really? 

Dave Bittner: [00:04:17]  In my entire time having a smartphone, for some reason, I never got very many of them. 

Joe Carrigan: [00:04:23]  But now you're getting them. 

Dave Bittner: [00:04:25]  Now I'm getting them. And what's interesting to me is a couple of things. So fortunately, my - I use an iPhone, and it does put them into a junk folder, which is helpful. 

Joe Carrigan: [00:04:34]  That's good. 

Dave Bittner: [00:04:35]  Yeah. But here's an example. It says hello, Dave. And I say Dave because Dave is all-caps. 

Joe Carrigan: [00:04:40]  Right. 

Dave Bittner: [00:04:41]  So it says, hello, Dave. Your DHL package with tracking code is waiting for you to set delivery preferences. I'm going to jump right on that. Here's another one - Amazon 2020 resolutions. One, not to be greedy - that's ironic - two, care more about the customers, so you'll get $130 freebies to do a survey, Dave. Now... 

Joe Carrigan: [00:05:00]  That sounds like it came from the same data set, Dave. 

Dave Bittner: [00:05:03]  (Laughter) Here's one that puzzles me. It says, congratulations, Ilana. Your code printed on your last receipt is among seven we randomly picked for $1,000 Walmart gift card promotion. Now, Ilana is my wife. 

Joe Carrigan: [00:05:16]  Yeah. I was going to say the listeners should know that Ilana is your wife. 

Dave Bittner: [00:05:19]  Yeah. 

Joe Carrigan: [00:05:19]  And that's interesting because now we can see that some of this data is getting cross-referenced. There's somewhere where your phone number is associated with your wife's name. 

Dave Bittner: [00:05:29]  Yeah, yeah. We have a shared account. We have a family account for all of our phones from the same service provider, so I could see there being some cross pollination there. 

Joe Carrigan: [00:05:38]  Or maybe she signed up for an affinity program using your name... 

Dave Bittner: [00:05:41]  Right. 

Joe Carrigan: [00:05:42]  ...Or your phone number. 

Dave Bittner: [00:05:42]  Maybe she's just using my phone number on everything so that I get these instead of her. 

Joe Carrigan: [00:05:45]  (Laughter) That's very smart on Ilana's part. 

Dave Bittner: [00:05:51]  Have to have a conversation when I get home, yeah. I don't know what to make of this. It definitely started at the beginning of the year, and there's just been a flood of them. And... 

Joe Carrigan: [00:05:55]  Well, maybe there's some scammer out there who made a new year's resolution to try to scam the Dave Bittner. 

Dave Bittner: [00:06:02]  Podcast hosts (laughter). Yeah, exactly. 

Joe Carrigan: [00:06:04]  Or security podcast hosts. 

Dave Bittner: [00:06:05]  They'll get it - yeah, we'll get them. They will show us. 

Joe Carrigan: [00:06:08]  They're going to come after you and me and... 

Dave Bittner: [00:06:09]  Yeah. 

Joe Carrigan: [00:06:10]  ...All the other security podcast hosts. 

Dave Bittner: [00:06:12]  Yeah, brace yourselves, yeah. Graham Cluley, you're next. 

Joe Carrigan: [00:06:16]  Yeah. Ran Levi, Jack Rhysider... 

Dave Bittner: [00:06:17]  Carole, yeah. 

Joe Carrigan: [00:06:18]  ...Pay attention. 

Dave Bittner: [00:06:18]  Yeah, everybody. All right, well, that's what I have this week. Joe, save us here. You got something a little more focused? 

Joe Carrigan: [00:06:25]  I do. Dave, the New Zealand Transportation Agency, the NZTA, has issued a warning about an ongoing phishing campaign. And it is targeting people with license renewals for their vehicles... 

Dave Bittner: [00:06:39]  OK. 

Joe Carrigan: [00:06:39]  ...Right? So here, you know, it's typical, right? You get an email that says, hey, the license for your car - here in the States, we call them registrations for the car... 

Dave Bittner: [00:06:47]  Right. 

Joe Carrigan: [00:06:48]  ...Your license is due for renewal. Go to this page, and pay your renewal fee online. 

Dave Bittner: [00:06:54]  Right. 

Joe Carrigan: [00:06:54]  Right. And then, of course, it takes you to a fake payment page, and you lose the money, or you have to file a claim with your credit card company or something as a fraudulent charge. This doesn't seem like anything great, right? But the story kind of struck me as interesting for a couple of reasons. One, when the NZTA... 

Dave Bittner: [00:07:10]  NTZA. 

Joe Carrigan: [00:07:11]  NZTA - let's say NZTA, right, because that's easier to say. When NZTA announced this, they said, you know, there's two things an email is going to contain from us. And one, it's going to come from our domain, which is nzta.govt.nz. And that's a legitimate domain. You can go there. But the spamming campaign doesn't spoof that email address. And the other thing they said is that an email from NZTA will contain information like the actual tag number, the expiration date and the vehicle make. 

Dave Bittner: [00:07:38]  Right. 

Joe Carrigan: [00:07:39]  These emails do not contain that. 

Dave Bittner: [00:07:40]  OK. I could imagine a VIN number, too, if the... 

Joe Carrigan: [00:07:43]  Yeah, probably a VIN number. 

Dave Bittner: [00:07:44]  ...Something, yeah. 

Joe Carrigan: [00:07:46]  It could be. I chose this story for a few reasons. One, this is a very low-effort campaign, right? We're just going to target people in New Zealand with these efforts. It's very easy to steal the branding that would come on one of these emails. If you've ever gotten an email from NZTA, then you know exactly what the email looks like. And you actually have - just like I was saying with the webpage, you have everything you need already. 

Dave Bittner: [00:08:04]  Sure. 

Joe Carrigan: [00:08:05]  You can spoof it. They don't go through the trouble of spoofing the email address. They could've done that. And they didn't have the data - I'm guessing they didn't have the data and the dataset of the car registration information, because if they did, then they could've made a much more compelling campaign out of this. But I think this is just a spray-and-pray campaign. 

Dave Bittner: [00:08:27]  Yeah. 

Joe Carrigan: [00:08:27]  I think here in the States, we can expect to see a lot of these phishing campaigns coming very soon. And the reason I say that is because we've seen a lot of data breaches that have a lot of information in them. And there may even be vehicle information in these data breaches. Because here in Maryland, we do a lot of our DMV stuff online. And I haven't been to the Motor Vehicle Administration to renew a registration on my car in decades, right? I've done that online for about 20 years. 

Dave Bittner: [00:08:55]  OK. 

Joe Carrigan: [00:08:56]  So that kind of makes us susceptible to these kind of campaigns. Now, the Motor Vehicle Administration will send you a letter in the mail saying that your registration is due for renewal. 

Dave Bittner: [00:09:07]  Right. 

Joe Carrigan: [00:09:07]  And it will have all this information about your car on it. But if somebody sent me an email that said, go ahead and renew online now, that might work. 

Dave Bittner: [00:09:16]  Quick and easy. 

Joe Carrigan: [00:09:17]  Yeah, because Maryland tends to be a pretty technologically advanced state that's focused on providing government services to its people. 

Dave Bittner: [00:09:24]  Yeah. 

Joe Carrigan: [00:09:24]  And I can see this being something that would work. 

Dave Bittner: [00:09:26]  The other thing that strikes me about this is that the scammers could take advantage of our low expectations. 

Joe Carrigan: [00:09:32]  Yes. 

Dave Bittner: [00:09:32]  And by that, I mean this. If I get an email from, say, Apple... 

Joe Carrigan: [00:09:37]  Right. 

Dave Bittner: [00:09:38]  ...A company who is known for their impeccable design, it's going to look a certain way. Everything is going to be just so. 

Joe Carrigan: [00:09:44]  Yeah, everything in Apple is like that. 

Dave Bittner: [00:09:46]  So if it's not looking a certain way, if it's not just so, that's going to grab my attention. That's going to be a red flag. 

Joe Carrigan: [00:09:53]  Right. 

Dave Bittner: [00:09:53]  If I get a messy email from the Motor Vehicle Administration... 

Joe Carrigan: [00:09:56]  Right. 

Dave Bittner: [00:09:57]  ...That looks normal to me. 

Joe Carrigan: [00:09:58]  Yeah, yeah. 

Dave Bittner: [00:09:59]  Right? They simply don't have the funds or the time or the interest to make that a priority. 

Joe Carrigan: [00:10:05]  Right. 

Dave Bittner: [00:10:05]  So that makes it easier on the bad guys because... 

Joe Carrigan: [00:10:07]  That's an excellent point, Dave, because if you go to any of these websites, like the Social Security Administration website, that website looks at least 10 years old. 

Dave Bittner: [00:10:15]  Right, right. And it probably is. 

Joe Carrigan: [00:10:17]  It probably is, you know? 

Dave Bittner: [00:10:18]  Yeah. 

Joe Carrigan: [00:10:19]  'Cause 10 years ago, they said, we want to modernize this. 

Dave Bittner: [00:10:21]  Yeah. 

Joe Carrigan: [00:10:21]  But, you know, the government doesn't spend a lot of money on modernizing the look and feel of websites... 

Dave Bittner: [00:10:25]  Yeah. 

Joe Carrigan: [00:10:25]  ...As long as it's functional... 

Dave Bittner: [00:10:27]  Right. 

Joe Carrigan: [00:10:27]  ...And hopefully secure. And I'm not sure I want my tax dollars going to make flashy websites for government agencies. 

Dave Bittner: [00:10:33]  Yeah. 

Joe Carrigan: [00:10:33]  I'm fine with a bland government agency website. 

Dave Bittner: [00:10:36]  Yeah. 

Joe Carrigan: [00:10:36]  Right? There's better ways to spend my money. 

Dave Bittner: [00:10:39]  Yeah. 

Joe Carrigan: [00:10:39]  But you're right. The low expectations that we have make it a lot easier to dupe us. 

Dave Bittner: [00:10:43]  Yeah. 

Joe Carrigan: [00:10:43]  This story kind of took me on a tangent... 

Dave Bittner: [00:10:45]  OK. 

Joe Carrigan: [00:10:46]  ...Here, because last week, I got an email about a license renewal for software, right? 

Dave Bittner: [00:10:51]  Oh, OK. 

Joe Carrigan: [00:10:51]  And that struck me as - immediately as, this seems right. This is correct. I do have this software. It's for VMware Workstation, which we have a license for that has to be renewed annually at Hopkins because it's an academic license. And it struck me as this could be a phishing email. I don't know if this is legit or not. So here's what I'm going to do to address this license issue. I'm going to go to the website. And I'm going to log in with my credentials and see if this is, in fact, correct. And that's what I recommend anybody do when you're... 

Dave Bittner: [00:11:19]  Right. 

Joe Carrigan: [00:11:19]  ...Dealing with any of these government agencies. Just go directly to the website. 

Dave Bittner: [00:11:23]  Don't click the link. 

Joe Carrigan: [00:11:23]  Don't click the link. 

Dave Bittner: [00:11:24]  (Laughter). 

Joe Carrigan: [00:11:24]  Just go to the website and renew your car license or car registration or whatever, or your software license or whatever it is. 

Dave Bittner: [00:11:32]  You could even go there in person. 

Joe Carrigan: [00:11:34]  You could. 

Dave Bittner: [00:11:34]  (Laughter). 

Joe Carrigan: [00:11:35]  Yes, but that's not fun. 

Dave Bittner: [00:11:37]  Well, no. But I guess in a way, it's - I mean, it's more secure. I don't think there are people setting up decoy registration offices around town. 

Joe Carrigan: [00:11:47]  (Laughter) Right. 

Dave Bittner: [00:11:47]  Hasn't quite come to that yet. But you never know. 

Joe Carrigan: [00:11:51]  That's true. 

Dave Bittner: [00:11:52]  All right, well, that is a good story. It is time to move on to our Catch of the Day. 

[00:11:57]  (SOUNDBITE OF REELING IN FISHING LINE) 

Dave Bittner: [00:12:00]  Our Catch of the Day comes via Twitter. This is someone online. And he goes by the name Steven Murdoch. He's @sjmurdoch. And he lays out this - how he's sort of turned the tables on some people who were trying to hit him with a gift card scam. He writes, and he says, (reading) today, my head of department emailed me about something. It sounded urgent, though it's odd; he switched to using a Gmail address. And he has a thread. Joe, I'm going to let you play the part of Steven. And I will play the part of the scammers. I will kick things off. Here's the first message Steven got. It said, are you available at the moment? Best regards, head of department, Steve. 

Joe Carrigan: [00:12:36]  Hi, Steve. Sure. How can I help? Best wishes, Steven. 

Dave Bittner: [00:12:40]  OK, I'm in a meeting right now. And that's why I'm contacting you through here. I should've called, but the phone is not allowed to be used during the meeting. I don't have any idea when the meeting will be over, and I was hoping you could help me out on something very important right away. Thanks. 

Joe Carrigan: [00:12:54]  No problem. I understand the situation. What can I do to help? 

Dave Bittner: [00:12:57]  OK, thanks. I was hoping you could help me get some Steam Wallet gift cards or Amazon gift cards from the store. I will reimburse you when I'm done with my meeting. I need to send it to someone now. And it is very important because it's one of my best friend birthday and going through cancer at the hospital - needs the cards to download his favorite music and videos to boost his confidence on his next phase of surgery and fight over cancer, which he's going to undergo today. I fear I may not get it on time myself if I decide to wait it out. Thanks. 

Joe Carrigan: [00:13:22]  Sorry to hear about your friend. Do pass on my best wishes. I should be able to get some Amazon gift cards quite easily. Can I drop them off at your office after the meeting? How much shall I get? 

Dave Bittner: [00:13:33]  OK, thanks. I want you to get the value of 100 pounds each in five pieces or 50 pounds each in 10 pieces, which will make a total of 500 pounds. I will reimburse you back, OK? Once you get the cards, just get them scratched, take a picture of the cards, attach to the mail, mail them to katyclara1001@gmail.com and send to me. Also, kindly keep the cards safe with you just in case I call for them later on. Thanks. 

Dave Bittner: [00:13:54]  So then Steven sort of takes things under his own control... 

Joe Carrigan: [00:13:58]  Right. 

Dave Bittner: [00:13:58]  ...When he writes, I've got the vouchers, but we both know how insecure email can be, so I encrypted the file. 

Joe Carrigan: [00:14:04]  Then he says, hi, Steve. The shop had a long queue, so I got a printable voucher instead. Hope that's OK. Please find it attached. I've also sent this to Katy's email address. Best wishes, Steven. 

Dave Bittner: [00:14:15]  And actually what he sent was a tracker, right? 

Joe Carrigan: [00:14:17]  (Laughter). 

Dave Bittner: [00:14:20]  And what he discovered when he sent his tracker - that Steve was using an iPhone and is in - wait for it - Nigeria. 

Joe Carrigan: [00:14:28]  Lagos - look at that. 

[00:14:28]  (LAUGHTER) 

Joe Carrigan: [00:14:28]  Good work, Steven. 

Dave Bittner: [00:14:30]  So Steve replies and says, hi, Steven. Katy can't find the login and password. And then Steven finds that, oh, no, Steve's email address is not working anymore. 

Joe Carrigan: [00:14:40]  Right. 

Dave Bittner: [00:14:40]  Maybe this could be something to do with me forwarding the earlier emails to Google security. 

Joe Carrigan: [00:14:45]  (Laughter). 

Dave Bittner: [00:14:46]  Katy is still around, though, but hasn't been clicking on links or her email. Maybe she thinks something is wrong. And then Katy replies and says, hi, I can't found those cards. Steven replies... 

Joe Carrigan: [00:14:57]  Hi, Katy. Did you manage to open the vouchers? Best wishes, Steven. 

Dave Bittner: [00:15:01]  Yes, I did, but asking me to put the login and password. And then Steven says, let's try again with a modified version of a genuine Amazon voucher. 

Joe Carrigan: [00:15:09]  Maybe there's something wrong with the encryption. Here's the original email. Please be careful with it. 

Dave Bittner: [00:15:14]  Hi, how much did you send? 

Joe Carrigan: [00:15:16]  It should be for 100 pounds. 

Dave Bittner: [00:15:18]  Yes, just 100. But I hope you're going to send me 500. 

Joe Carrigan: [00:15:21]  Steven says, hi, Katy. I'm having trouble getting in touch with Steve regarding the reimbursement for the Amazon vouchers I bought. He seems to be having email issues. Do you have an alternative contact for him? 

Dave Bittner: [00:15:31]  And then finally, Steven closes it out. And he says, looks like Katy has been hit with the same issues as Steve. Bye-bye. I hope all goes well with your hospital treatment. 

Joe Carrigan: [00:15:40]  Yes. 

Dave Bittner: [00:15:40]  And Katy's email address is no longer active either, so the good folks at Gmail caught wind of what was going on and shut them down. 

Joe Carrigan: [00:15:49]  Yes, so it would seem. Good job, Google. 

Dave Bittner: [00:15:52]  Yeah. And nice that Mr. Murdoch here spent some time wasting these people's time. 

Joe Carrigan: [00:16:02]  Not just wasting their time, but actually shutting down the assets they had. So good work, Steven. Thank you. 

Dave Bittner: [00:16:03]  Yeah, yeah. All right, we'll have a link to that whole exchange if you want to check it out. It's a hoot. 

Joe Carrigan: [00:16:09]  Yep. 

Dave Bittner: [00:16:11]  Send thanks to Steven Murdoch. And that is our Catch of the Day. Coming up next, Carole Theriault joins us. She interviews Jamie Bartlett. He is the host of "The Missing Cryptoqueen" podcast, which is from the BBC. That's a story about trying to get to the bottom of the OneCoin scam. 

Dave Bittner: [00:16:26]  But first, a message from our sponsors, KnowBe4. Now let's return to our sponsor's question about the attackers' advantage. Why did the experts think this is so? It's not like a military operation, where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost, and the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a 10.5% failure rate. That sounds pretty good. Who wouldn't want to bat nearly .900? But this isn't baseball. If your technical defenses fail in 1 out of 10 tries, you're out of luck and out of business. The last line of defense is your human firewall. Test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest. 

Dave Bittner: [00:17:31]  Joe, it's always great to have Carole Theriault on the show. This week, she has actually part one of a two-parter. 

Joe Carrigan: [00:17:38]  Oh, OK. 

Dave Bittner: [00:17:38]  She is speaking with Jamie Bartlett. He is the person behind "The Missing Cryptoqueen" podcast, which is from the BBC. It's an amazing story about them trying to get to the bottom of the OneCoin scam. 

Joe Carrigan: [00:17:51]  I have listened to this podcast, and it is excellent. 

Dave Bittner: [00:17:53]  Yeah. So here's Carole Theriault speaking with Jamie Bartlett. 

Carole Theriault: [00:17:57]  Boy, do I have a treat for you. Joining me today is Jamie Bartlett, podcast host and investigative journalist behind "The Missing Cryptoqueen," a BBC podcast first aired in September 2019. Now, it's a highly produced mystery, a scandal and criminal pursuit all rolled into one. Is that basically a high-level, fair description, Jamie? 

Jamie Bartlett: [00:18:23]  (Laughter) Yeah. I've never heard it described that way, but that's exactly it, yeah. 

Carole Theriault: [00:18:27]  Oh, cool. Jamie, "Hacking Humans" is all about how technology is misused to bamboozle us, getting us to fall for a scam and what not. I don't think I've ever covered a billion-dollar scam, especially one that is alive and kicking, still duping people all over the world. But as usual, I'm getting ahead of myself. 

Jamie Bartlett: [00:18:44]  Well, I was going to say if only it were just a billion. I mean, it's considerably more than that. And I've also looked at this for a long time and looked in this world as well, and I've never seen anything like it either. 

Carole Theriault: [00:18:56]  Let me start at the beginning. So who is this missing cryptoqueen? 

Jamie Bartlett: [00:18:59]  Right. So her name is Dr. Ruja Ignatova. She is a doctor, by the way. She has a doctorate in law. She is now - I guess she's probably 39 now - but in 2014, when she was 34 - born in Bulgaria, age of 10 or so moved to Germany. And nothing particularly remarkable about her - incredibly intelligent, did very well at school, went into the world of finance, worked for McKinsey. But in 2014, really out of nowhere, just as a lot of people were looking at cryptocurrencies and bitcoin and thinking about other types of cryptocurrencies beyond bitcoin, she turns up really out of nowhere and says, I've got a new one. It's better than bitcoin. I've made my own cryptocurrency. It's going to be easier to use. It's going to have mass adoption. And you know how you've - maybe think you've missed the bitcoin craze? 

Carole Theriault: [00:19:50]  Yeah. 

Jamie Bartlett: [00:19:51]  You haven't missed this one yet. Price is still really low. Get involved now. This is OneCoin. This is the next bitcoin. It's going to - she even called it the bitcoin killer. Say mid-2017, over 4 billion euros had been invested from 175 countries into her cryptocurrency, OneCoin. So that's why she's the cryptoqueen. She calls herself the cryptoqueen. 

Carole Theriault: [00:20:14]  Which is a pretty catchy title, really. 

Jamie Bartlett: [00:20:17]  Oh, I know. Yeah, it's brilliant, isn't it? I mean, partly the hubris just to call yourself that. 

Carole Theriault: [00:20:21]  (Laughter). 

Jamie Bartlett: [00:20:21]  But when you're making a podcast and you're looking for a very good name, I mean, it's perfect. And as the name suggests, she disappeared. 

Carole Theriault: [00:20:28]  Aha, so you are basically trying to track her down. 

Jamie Bartlett: [00:20:35]  Yeah. You know, everyone's for a very long time - me included - people have looked for a story - of telling the story of cryptocurrency hype and crowd madness, almost. But that can be a bit boring and technical. But because she's this woman that came out of nowhere, and then in October 2017, disappeared - vanished off the face of the Earth, never to be seen again - there was a sort of opportunity to try to find her and through that story explain how she managed to pull off this - I mean, I think probably the most sophisticated, perfectly executed scam of this century. 

Carole Theriault: [00:21:09]  So let's talk about how sophisticated it is. So how was she able to get an army of people to help her sell this OneCoin? 

Jamie Bartlett: [00:21:19]  Have you ever met anyone that does multilevel marketing? They've ever tried to sell you, like, vitamin tablets or Tupperware or Avon Products, trying to - the selling where you sell products to your friends and family who in turn sell to their friends and family. Have you ever come across that before? 

Carole Theriault: [00:21:38]  Yeah, totally, like a pyramid scheme. 

Jamie Bartlett: [00:21:41]  Well, a pyramid scheme if the product is fake or there's no real product and all the money comes from recruiting other people to sell for you. Then it's a pyramid scheme. 

Carole Theriault: [00:21:50]  Oh, right. 

Jamie Bartlett: [00:21:51]  But if it's just through selling to people who sell to people and it's a real thing, that's legal. That's called multilevel marketing or sometimes network marketing. It's controversial because people say, well, in any kind of sales system like this, the people at the top are going to make all the money. And some people criticize it for having very, very tough targets, and you're under a lot of pressure to basically turn your friends and family into customers, which is stressful. 

Jamie Bartlett: [00:22:17]  But she figured out that rather than doing multilevel marketing and selling vitamins or Tupperware and having to have a garage full of rubbish, she could sell a fake cryptocurrency through multilevel marketing. So it's actually - even though she's called the missing cryptoqueen, actually what this was was an old-fashioned pyramid selling scam that used a fake cryptocurrency that kept going up just like bitcoin. You know, your OneCoin is now worth $10. Now it's worth $15. Now it's worth $20. She was doing an old-fashioned pyramid scam with a fake cryptocurrency as the product. And I'm sorry, that is an amazingly clever idea. 

Carole Theriault: [00:22:58]  Yeah. 

Jamie Bartlett: [00:23:00]  It's brilliant. It's brilliant. 

Carole Theriault: [00:23:00]  OK, so she gets this army of people who presumably join her because they're going to get some money out of it, right? Join early, you get - you're near the top of the pyramid. You get more cash, I'm guessing. 

Jamie Bartlett: [00:23:11]  You know, millions and millions of people are involved in this multilevel marketing industry. And she manages to persuade a lot of the best multilevel marketers in the world to stop selling their vitamins, to stop selling their Tupperware and health supplements and start selling OneCoin instead. So she - this is the reason it spread so quickly. You know, a couple of years later, we're talking about hundreds of thousands of people have invested in OneCoin because it went through an existing network of sellers who already had thousands of people below them in their multilevel marketing network. 

Jamie Bartlett: [00:23:45]  And you're right. People who were near the top of this pyramid were making a lot of money because basically, how it worked was this - you would sell the OneCoin not through a marketplace, like when you buy bitcoin, but by purchasing what were known as packages of OneCoin. So you'd buy a package, and you'd receive X amount of OneCoin, and you'd pay X amount of euros for those. And whoever sold them to you would receive a sales commission of 10% and then secondly, a weekly bonus depending on how many sales were below you. They call it your downline, so the people below you. There were some people who were near the top of this pyramid that were making, I mean, literally a million - over a million euros a month on commissions through selling OneCoin. So people at the top were making a fortune. But their pyramid was probably about a million people big. So those few thousand at the top made a fortune, and most people lost out. And, of course, that's just based on the sales commission. I mean, everyone lost out in terms of the OneCoin they thought they had. 

Carole Theriault: [00:24:46]  So these people that were in her marketing network, did they know that OneCoin was maybe not bitcoin and, in fact, not even a cryptocurrency? 

Jamie Bartlett: [00:24:57]  Oh, I mean, well, she knew, of course. But so they - you wouldn't get any bitcoiners (ph) buying OneCoin because they would have known, well, there's no publicly available blockchain. I can't check it. I don't know why we've got to buy and sell through these commissions or pyramid selling. So any bitcoiners that took a look at this immediately knew something was wrong. So the people that were buying and selling were not specialists in this field. They just were kind of hyped up by cryptocurrencies and profits and soaring valuation. 

Carole Theriault: [00:25:25]  So this is almost like a problem of greed, isn't it? It's like you have a promise of big bucks in the future. 

Jamie Bartlett: [00:25:31]  Greed and hype, yeah. I mean, it's such a powerful thing. And I think the other thing is the fear of missing out. Like, I've seen these other people buying bitcoin for a dollar and selling them for $1,000, and I want a piece of the action. And it's a very hard question, though. To what extent did - I suppose there's two distinct (ph) questions. To what extent did people selling this know? And I can't look into people's souls and ever know, really. But the other question, maybe more importantly, is, to what extent should they have known? If they are selling this to people, what due diligence should they have run? How much should they have checked? And there is a legal concept, which is - I can't remember the exact phrase. It's something like intentional ignorance. A lot of people selling things who didn't try to find out because they might have suspected - they didn't want to know the truth. 

Carole Theriault: [00:26:19]  Yeah, it's like playing the ostrich. 

Jamie Bartlett: [00:26:21]  Exactly. 

Carole Theriault: [00:26:22]  See? I told you it was interesting - so interesting, in fact, that we have made this a two-parter. Tune in next time to hear the second part of my interview with Jamie Bartlett, host and investigator behind "The Missing Cryptoqueen" podcast. Next time, you'll hear how Jamie first heard about OneCoin, the techniques Dr. Ruja and her multitiered team actually used to dupe people. And I ask him the big question, what will you ask her if you find her? Find out next time. This was Carole Theriault for "Hacking Humans." 

Dave Bittner: [00:26:53]  Well, Joe, I don't know about you, but I'm just going to leave this podcast and go tune into "The Missing Cryptoqueen" podcast, right? 

Joe Carrigan: [00:27:00]  Right. I've listened to it. I might listen to it again. I mean, I've never listened to another podcast again. It's only eight episodes, so it's a good podcast. But following in Dr. Ignatova's footsteps, I hereby declare myself the podcast king. 

Dave Bittner: [00:27:15]  (Laughter) Fair enough. 

Joe Carrigan: [00:27:15]  Right? 

Dave Bittner: [00:27:15]  Yes, OK. Why not? (Laughter). 

Joe Carrigan: [00:27:17]  So everybody should listen to all the podcasts I'm on. 

Dave Bittner: [00:27:20]  Yeah. Sure. 

Joe Carrigan: [00:27:21]  And I'll make billions as well. 

Dave Bittner: [00:27:23]  OK. Fair enough. 

Joe Carrigan: [00:27:25]  This scam is so interesting. 

Dave Bittner: [00:27:27]  Yeah. 

Joe Carrigan: [00:27:27]  It's one part cryptocurrency, or fake cryptocurrency, it's one part multilevel marketing and one part cult. 

Dave Bittner: [00:27:33]  There's something for everyone. 

Joe Carrigan: [00:27:35]  Right. 

Dave Bittner: [00:27:36]  Lots of balls in the air here, yeah. 

Joe Carrigan: [00:27:38]  There are. You know, I had a brief experience with multilevel marketing when I was younger. And this was with a family member who was very good at manipulating people, and we actually don't involve ourselves with this family member anymore... 

Dave Bittner: [00:27:50]  (Laughter) Oh, my. 

Joe Carrigan: [00:27:51]  ...Because it takes a certain personality type to do this, right? And I asked this guy one time, I said, how is this different from a pyramid scheme? And rather than answering the question, he redirected me to an organizational structure for a large corporation with, you know, a CEO at the top, and you're down here at the bottom. What are your chances of making it up to the top of this, right? He didn't really address my question about the pyramid scheme. 

Dave Bittner: [00:28:17]  Right. 

Joe Carrigan: [00:28:17]  So I kind of pressed him on it. And his response to that was, when the FBI looks at pyramid schemes and multilevel marketing, they use our organization as an example. 

Dave Bittner: [00:28:28]  (Laughter). 

Joe Carrigan: [00:28:28]  And in my head, I immediately think, so anything more than this, you're committing a crime, right? Is that what you're saying, that this - you're very close to the edge of legality here... 

Dave Bittner: [00:28:43]  Right. 

Joe Carrigan: [00:28:43]  ...Right? And that was the end of it. I never discussed it with him again. I think he realized that I was thinking critically about it because this had been later in our relationship, and I was - and he was trying to goad me into this again. 

Dave Bittner: [00:28:54]  He moved on to an easier mark, right? (Laughter). 

Joe Carrigan: [00:28:55]  Exactly. Now if you listen to the podcast, there are some red flags about OneCoin. But those red flags only go off if you understand cryptocurrencies, right? So that's one of the big advantages that Dr. Ignatova had over the people she duped, is people don't understand cryptocurrencies. 

Dave Bittner: [00:29:15]  No. 

Joe Carrigan: [00:29:15]  When you hear terms like private blockchain - right? - that should set off flags. And a private blockchain run on a SQL database. That's not how blockchains work. Blockchains aren't public databases by design... 

Dave Bittner: [00:29:28]  Right. 

Joe Carrigan: [00:29:29]  ...That are a way to increase consensus provided that more than half - just more than half - of the people working in the blockchain are honest. 

Dave Bittner: [00:29:38]  It's like jumbo shrimp or military intelligence (laughter). 

Joe Carrigan: [00:29:41]  Right, yeah. Private blockchain should be - there should be no such thing as a private blockchain. A blockchain is not good for private data. 

Dave Bittner: [00:29:47]  Yeah. 

Joe Carrigan: [00:29:48]  It is good for public data. 

Dave Bittner: [00:29:49]  Yeah. 

Joe Carrigan: [00:29:49]  Right. 

Dave Bittner: [00:29:50]  But people don't know that. 

Joe Carrigan: [00:29:51]  No, people don't know that. 

Dave Bittner: [00:29:52]  What people know is that people are getting rich on cryptocurrency. That's what they know. 

Joe Carrigan: [00:29:55]  Right. They're getting rich selling bitcoin. They're not really getting rich in any other cryptocurrency, just bitcoin. 

Dave Bittner: [00:29:59]  Right. 

Joe Carrigan: [00:29:59]  Right. If you listen to the podcast, one of the things that struck me is that they're recruiting people in Africa. Now, Africa is the last continent on the face of the earth that has to be industrialized or will be industrialized, right? So this is an emerging market, and people are starting to have money. And they're going in there, and they're exploiting people's ignorance just like they did all over the rest of the world. They've already exported to the rest of the world, but now Africa is where they're working most now. And I think it's despicable the way - what they've done to people. They've ruined lives. 

Dave Bittner: [00:30:26]  Yeah. All right, well, we will look forward to part two of Carole's interview with Jamie Bartlett. We'll have that for you all next week. 

Dave Bittner: [00:30:33]  And that is our show. We want to thank all of you for listening. 

Dave Bittner: [00:30:35]  And, of course, we want to thank our sponsors, KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: [00:30:57]  The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:31:10]  And I'm Joe Carrigan. 

Dave Bittner: [00:31:11]  Thanks for listening.

Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
