B (2:53)

Yeah, 18. Yep.

A (2:55)

And I've seen a few other articles around, as you know, how many Devices are actually vulnerable to that.

B (3:01)

Right.

A (3:02)

And I was thinking about whether that's actually true. Right. And so the thing about the kit was that it required you to go to a particular website. And so there seems to be a step missing between how does it affect the. There's probably hundreds of millions of people still using iOS 18 and maybe haven't updated. So that is a lot of people.

B (3:26)

Sure.

A (3:27)

But. But how does it get onto hundreds of millions of phones? They've got to visit a website that.

B (3:31)

Right.

A (3:32)

And so there's a problem there. And I was also thinking about Android exploit kits, which must exist, I'm sure, because there's, you know, a bazillion.

B (3:43)

There's lots of Android, so they just ask.

A (3:47)

There's even more Android and it's more fragmented. And I think updates are harder to come by for many versions of Android phones, but there's no press about them because no one cares. And I think, to me, it would make a lot of sense, because the Dark Sword exploit was published on GitHub for a while, that if you've got an Android exploit kit, you would go, okay, well, I may as well grab that and it'll make a small difference, incremental difference to how well my kit works. Like there's just a few more extra people.

B (4:21)

Yeah. Like you'll.

A (4:21)

Yeah.

B (4:22)

It costs you nothing and it might net you a couple hundred bucks or whatever.

A (4:27)

Yeah. And if you're. If you're doing the work to maintain that kind of git, you would go, I will use something that's pretty.

B (4:34)

Yeah. So the marginal cost of just extending it a little bit with some free code is effectively free, so you may as well do it.

A (4:43)

Yeah. And I suppose there was stuff to extract information as well, I think in that kit maybe that was published on GitHub, so it's not a lot of work. And then. So it'll make an incremental difference to something that no one cares about.

B (4:59)

Yeah. So I think you brought up an important point there with the watering hole attack thing. And when you're doing intelligence analysis against an adversary, you need to think about things like capability, opportunity and intent. So capability in this case would be like, are they able to do the thing? So if they've got this free Dark sword kit from GitHub, they have the capability to exploit an 18x iOS system. So that's capability, then opportunity. So somehow they have to get you to visit a website. Like you have to be one of these people who has to visit a website that they've infected.

A (5:45)

Yep.

B (5:45)

So that's the opportunity, which means cuts down on a huge amount of people right there. Like just the opportunity is just not going to exist.

A (5:53)

Yeah, yeah. And then you can like get access or compromise. A website that a ton of people visit is pretty small basically.

B (6:01)

Right.

A (6:02)

So then you're left with very small ones.

B (6:04)

Right. And so then the other part is intent. Like someone has to want to do this, put the effort in and like I'm sure there's people who do want to exploit other people for the hell of it or to make money and so on, but I'm not sure that they overlap with the people who would get an iOS 18 exploit kit and hack a bunch of websites to inject and somehow like I'm just, I'm not seeing the entire chain of operations that goes from downloaded kit from GitHub make lots of money.

A (6:42)

Right. I mean I was thinking of infosteelers in particular and I'm not sure. I don't think they just run off, drive by watering hole things. I think they're like install this malvertising or install this piece of. They've got a lure. Like here's a Claude code agent.

B (7:04)

You download, it's very much download a cracked copy of Word and you get an info stealer or play a crypto game and you get an info sealer. It's much more. You have to actively go out and it sort of puts you in a risky demographic to begin with.

A (7:23)

Right, right. Yeah. So you have to be party to your own demise.

B (7:26)

I guess it's your own fault is what we're saying. We're victim blaming here between two nerds.

A (7:34)

So now when you said that we're all safer, my first thought was but what about scams? Because it seems like from a technical point of view, people spend more effort on making sure that phones and devices are harder to hack. Not perfect, but harder. But it seems that criminals have gotten much better at scams. So the rise of industrialized scam compounds. So this is my story about being scammed. I was looking for a water bottle and there was a brand I liked.

B (8:13)

So essentially you were at a vulnerable point in your life. You were without a water bottle for a while.

A (8:19)

That's right.

B (8:19)

Very strange.

A (8:20)

Your hydration was at risk and so I went looking for this brand. There's a particular site which is, you know, brandaustralia.whatever.com, i suppose. I can't remember.

B (8:35)

It seems totally legitimate.

A (8:36)

Well, the site did seem leg, but the order flow seemed a bit weird and I went ahead and paid with PayPal. And I was thinking, well, worst comes to the worst, I'll just claim it back from PayPal. And in retrospect, it seems like one of those sites where someone has told ChatGPT or whatever to recreate a legitimate looking site because it matched very well that brand other sites. But after I emailed and it bounced, the message on the website doesn't work. I claimed on PayPal, like lodged a dispute and whoever it was put a tracking number in in response and it tracked to someone else's house.

B (9:23)

Well, look, they said they were giving you a tracking number, not your tracking number. Yeah.

A (9:29)

So I think it was just a very. Seems like a really bad scam because they didn't try to take any more money than the value of the.

B (9:36)

So. So you were hit with a. A watering bottle attack.

A (9:42)

Yes, that's right. And like, I don't know how many people would want to buy that brand of water bottle. Doesn't seem like a very good attack.

B (9:49)

At least one. Right. It's. Yeah, it's quite a lot of effort for like 100 bucks or something.

A (9:57)

Like it's costs of setting it up have gone down so much that although it wasn't a particularly good website and presumably it'll get bounced eventually or it's a terrible vendor either way. But that's the sort of thing that seems possible now that you could set up legitimate looking websites and get.

B (10:19)

Well, it's a lot, it's a lot easier and cheaper these days because you can just have Claude do it for you. Whereas before you had to like find someone who could do it for $5 on fiverr. So. But no, look, okay, this is a fair point because I think I have to agree with you that like from my point of view, all of this complaining about exploits and how we're less safe, I think that's very misguided. Like, I think we're much safer. Yeah, it's. We're much safer than we've ever been. If you're a company or you have a lot of crypto or you're in other particularly vulnerable demographics where you're going to be targeted. Sure, you are vulnerable, but that's because you're being targeted. If you're a regular person, you're safer. Except I think scams are coming back in a way that they haven't since 1890.

A (11:15)

Right.

B (11:15)

Like it's sort of back back when we had this like professional criminal underclass. Like the professional criminals, they had like different hierarchies of like if you were a burglar you were like, fairly cool. And if you were like a, like if you're a shoplifter, you weren't very cool. Like, but the guys at the top were the ones that did the Big Con. Like, they do the, like the store is what it was called. And so if you've ever seen the movie the Sting.

A (11:42)

Oh, yeah, I remember that. That's quite an old movie now, but I remember it as being very good.

B (11:47)

Yeah, so like that's, that's based on the book called the Big Con. And it's taken, like the whole thing is taken out of one of the scams that they used to run. And there's all these beats to the scam. And like, when you read about them, like, on the one hand they seem archaic just because of the time that it's taking place, but they're manipulating people. Right. Like, people haven't changed.

A (12:12)

Right, right, Yep.

B (12:14)

So, like, essentially it would be that you go and you hang out somewhere where you can find people who are going to be likely targets. You befriend one of them and then. So this would be the inside band, the guy who like hangs out with the mark. So you befriend this guy and then at a hotel that you're both staying at, you find a wallet on the floor and you discuss with him and you're like, maybe we should return this. Oh, look, the ID shows the picture of that very well dressed rich man over there having lunch at the cafeteria. Why don't we join him, get invited. And the guy's like, oh, thank you very much. You guys have been great. Here's a tip on the horses. And they go and they bet somewhere and they make some money and they're like, wow, that was really great. Hey, I've got an idea. Why don't we get some money together and see if this guy will help us out. It's sort of all of these different stages where you show that this is a legitimate thing, that these are real people, that you can make money at this, and then you do things where you kind of frustrate the guy. So you give him a tip and then you send them to go and place the bet. And just before the time for the betting is closed, Right?

A (13:27)

Yep.

B (13:28)

Yeah. The person.

A (13:28)

Remember the scene from the Sting?

B (13:29)

Yeah, yeah, yeah, exactly. Right. So like, that's to make him frustrated and like, more intent on doing it and like not getting screwed over because, yeah, he was this close. Right?

A (13:40)

Yeah. And of course the horse goes on to win.

B (13:43)

Yeah. Like at, you know, 20 to 1 or something like that. And he's, oh, this is outrageous. And so what happens? So, like, the tricks that they used to do is they'd say over the phone, they'd be like, okay, place it on nose to win. You'd go, and you'd find that nose to win is one of the horses. And so you put your money on nose to win. To win. But then they would come in second or they would place. Then because the phrasing was ambiguous, the guy would be able to say, oh, you idiot, why did you do it? That's not what I said. I told you to place. You know, and so, like, this would allow them to do it multiple times because the guy would feel like it wasn't that he was being scammed, it's that he had made a mistake. Like, he had. Like he had misinterpreted. And, like, you know, this time I'll do it right, and I'll get all our money back. So they do that a few times, and then at some point, when they thought that the guy was getting close to figuring it out, they'd have to blow him off. So what they did in the sting was they pretended that there was a gunfight and that he was now involved in a murder. And so he had to run to, like, avoid the police. And that was called a cackle bladder, because you do it with basically a balloon of blood in your mouth that you would break down it. And they didn't have balloons back then, so they used the bladder of a chicken. So, yeah, cackle platter. But all of that came to me again because last year I saw this tweet about a guy who got scammed, and it was all the same beats from that sort of thing. Like, he was found out. He was brought into this environment of super rich people, and they were very cool and he wanted to fit in, and they were all throwing money around. And so he starts throwing money around.

A (15:44)

Yeah, yeah. It's an amazing story. Like, it's. First of all, it's. To me, it's incredible the amount of money involved. So he starts out with, I just got scammed for over a million dollars. And basically it starts out with him donating to a good cause. So he donates to a Mr. Beast and Mark Robar charity to create clean water in Africa. Not create clean water to help people get clean water in Africa.

B (16:10)

Yep.

A (16:12)

And that's a legitimate charity. But I guess the key thing here is that Mr. Beast thanks him publicly on Twitter. So he subsequently gets invited into a WhatsApp group with Mr. Beast, Mark Grober, a number of other well known, very wealthy people.

B (16:30)

So the WhatsApp group appears to be set up by this charity that he's donated to. So the invitation that comes to him is like, here are the people that you donated with. Here's a WhatsApp group for the big spenders, the people who are our vip, best of the best, come and join and hang out with the super cool people who care about charity and all that. He joins this group and it's got all these big names that he recognizes and he's a little bit overawed of. Wow. I'm actually in the same room as all of these people. This is great. And they're all like, you know, chatting and, you know, first name basis and talking about stuff. So like he's in this thing, he's very excited. Mr. Beast has come out and said there's this opportunity for VIPs to get in and buy a crypto coin for Coinbase. And because it's this, you know, Coinbase crypto coins, very legit. But you can't talk about it because they can't have that information going out. It would upset the markets. And you have a limited time because it's going to like, it's going to go out publicly. So here's this opportunity for everyone to do it. And so this guy is kind of excited about it, but he's a little hesitant and he calls up a crypto friend who was like, coinbase, my God, like that's the best thing you can get. We can get in early. We have to do this, man. We got to get in. This is a surefire win.

A (17:53)

Yeah.

B (17:55)

So they put in like 500,000 or something. They're super excited. They get in their money and one of the big names in the group comes out. He's like, oh, I got to get in on this, this is great. And unfortunately, he's just too late.

A (18:10)

Yeah.

B (18:11)

Oh, too slow. Right. So that's the, you know, see like you, you, you were fortunate enough to catch this opportunity before it like shut down.

A (18:19)

Yep. And someone else, very famous, missed out.

B (18:22)

Yeah. And then a little while later, Jimmy, who, you know, basically the scammer, comes back, realizes that he's got a good, like he's hooked a good fish, like he's got a whale here. He's like, good news, everyone. They've reopened another like tranche of coins at a slightly higher rate, but, you know, still pre market, whatever. And so once more he's super excited and he sends another 750k.

A (18:53)

Yeah. Amazing.

B (18:55)

And then after a little while, he starts thinking, I'm not sure about this. So the third time, when the scammer comes back, he's like, good news, everyone. Another opportunity has opened up. Now he's starting to think, you know, let's hang on for a second. Let's call up Jimmy or Mark Rober or some of the other people in the chat and see what their feeling is. And so he calls up Mr. Beast and he's like, you know, I want to talk to you about this Coinbase crypto coin in the WhatsApp group. And Mr. Beast is like, what are you talking about?

A (19:28)

Yeah.

B (19:31)

And so this guy's like, you're kidding me, right? Mr. Beast is like, I have really no idea what you're on about. At which point he realizes that he's in for 1.25 million to escape. I'm not particularly worried about falling for that one because I don't have.

A (19:51)

Thank goodness for that. I mean, just few.

B (19:55)

I would hate to be the sort of person who could just sort of donate a million and then lose another 1.25 million and be like, shucks, time to post on Twitter.

A (20:03)

I feel silly about this. Yes, silly, but not poor. It is striking how much exactly like the sting. It is.

B (20:16)

Yeah.

A (20:16)

Like, you know, the same. Like, I can actually see the movie in front of me for some of those. Those elements, the, you know, running up to the window and the window shutting, like actually the gate dropping. Exactly the same thing. And I suppose all these characters can now be done by AI, Right?

B (20:40)

You don't even need your friends to pull that sort of scam, right?

A (20:42)

Yeah, that's right. And I think they would help you get the tone and there would be so much backstory.

B (20:52)

Right, right. And if you give them, like a Twitter feed so that they've got current events, they'll be able to talk about all sorts of things to just make it seem fresh and current. The other thing is, you don't need to speak 24 7. Right. It would be weird if they were on all the time, but you certainly want to have a catching up, dropping in. Hey, how's it going? Just invested in whatever sorts of things to sort of make it seem alive and give it flavor. But that would be very, very easy to do with LLMs these days.

A (21:26)

In a previous episode, we talked about how it seems that for things like big butchering scams, it's people being approached at a vulnerable time of life. And after we did that episode, someone got in touch and said the marketing term for that is total addressable market. And so at the time my thinking was that the TAM is who at any is at that point in their life.

B (21:54)

Right.

A (21:55)

And like that's like a large number of people. But this seems like a different type of scam. It's not finding someone who's particularly at a vulnerable time of life, it's finding a high roller who and putting them in a situation. So it's, I guess it's expanding that, that addressable market for. Or is it market segmentation maybe to find a.

B (22:21)

This is not a sales sal targeted podcast as you can tell, Finding that bottom line of the marketing funnel, I

A (22:41)

guess to bring it back to what you were saying. The funnel actually or the number of people you can reach is bigger. And also because AI is so good at translation, like you're literally talking to potentially the whole world. Whereas before it might have been the people that you could actually hold some sort of conversation with.

B (23:01)

Right, right. So like if you go back to the like the old time criminals, like the way that they found people was they'd go on luxury cruise liners in first class and they'd sort of walk around and get friendly with the other people in the same class that they could try and find the high rollers who would be, you know, good targets. And obviously this is quite expensive because you have to, you have to act like a high roller. Right. So you got to spend all of the money that you made on the last scam to establish yourself for this next scam. And you know, now you don't need to like. How much does it cost to set up a WhatsApp account? Nothing. Right. How much does it cost to set up like a chat GPT bot that can impersonate famous people? Basically nothing. So you don't need to do the same sorts of expensive marketing schemes as you would had to do in the past. You don't have to go.

A (24:00)

The barriers to entry are lower as well.

B (24:07)

For more business tips,

A (24:13)

You were talking about capability, intent. Was there a third thing you were going to mention?

B (24:17)

Yeah, so it's capability, opportunity and intent. And so the capability is just the ability to lie. The intent is I want to scam people and make money, which we already have, then the opportunity is the thing that has changed. So there's a lot of people who have the intent of scamming and the capability to scam. But historically they would have had to go on a cruise liner to meet people. They would have to travel in trains and try and meet people in first class and stuff like that, which was obviously a lot slower. These days, that's not a necessary requirement because we're all just so much better connected that, like you said, the opportunity has changed. It's much bigger. There's, like, we're more vulnerable in that sense, and that there's just more opportunity to run into scammers. I mean, even at the lower end, you have the people who put up those ads of, like, you've been infected, call this number. Or you'd get the email saying, like, here's the invoice for your software. You have to pay $250. Otherwise, call us to get this canceled. And you call up and they do this whole thing. If they're like, okay, I'll transfer the money. Oh, no. Accidentally transferred $3,000 to you. You have to send it back to me. You know, I. I think scamming is probably in a new golden age, but I think hacking is like, hacking in terms of, like, just the average person that's sort of over, it seems to me. So I think, okay, we are all less safe,

A (26:01)

But not for the reasons you think.

B (26:03)

Yeah, I don't blame hackers for this one. This is all Silicon Valley. Yeah. Yeah.

A (26:09)

I've got to say, you know, I got the money for my water bottle back.

B (26:17)

Thanks a lot, tom. Thanks, rob.