The Voice of Cyber®

KBKAST
Episode 112: Satnam Narang
First Aired: June 15, 2022

Satnam Narang is Staff Research Engineer at Tenable with over 14 years of experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spambots on Tinder. 

He’s appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Introduction (00:13) You're listening to KBKast, the cybersecurity podcast for all executives, cutting through the jargon and hype to understand the landscape where risk and technology meet. Now here's your host, Karissa Breen.

Karissa (00:28) Satnam, welcome to the show. I'm excited to have you here today. Now, I want to get into something that I think a lot of people don't really know much about. I don't think many cybersecurity companies are focused too much on this. And I know that you're obviously doing a lot of research in this space, so I'm keen to really dive into the specifics of this. But before we talk about that, we always like to start off with your journey. So can you walk us through where you started to where you are now?

Satnam (00:54) Yeah. Thanks so much for having me, Karissa. So I've been working in cybersecurity for over 15 years now. I started off at a really small firm, maybe like 200, 300 people, doing web filtering, and then transitioned over to working for Symantec for about five years, had a brief stint in the world of cryptocurrency, doing some consulting, and then I've been at Tenable for the last almost four years. And throughout my journey, I would say that one of the things that's been really consistent has been my interest in social media. And I think just as a byproduct of being a social media user and early adopter of new social media platforms, it's allowed me to sort of see the evolution of scams on these platforms. And I always jokingly call myself the social media scam whisperer, because to be quite honest with you, I don't always go looking for social media scams. They come looking for me.

Karissa (01:52) So what do you mean they come looking for you? How does that work? People just hit you up and say, hey, Satnam, there is a scam going on. Do you want to look into it?

Satnam (01:59) It's a combination of things. No, not necessarily that. I mean, the scammers come towards my door, right?
It's not like I'm going towards the scammers' door. They come to my door, I'll get private messages or I'll see something in my feeds. And then because of my inherent nature of being an inquisitive person, I'll go down the rabbit hole, so to speak, and I'll discover more and more about these scams. I was one of the first people to find spam bots on Tinder back when Tinder was first bubbling up. And I've been very adept at finding scams and spam on Twitter, Facebook, Instagram, Snapchat, Vine when that was a thing a while back. And most recently, I've done a lot of research around TikTok, but also because of my interest in new technologies, I've also been interested in cryptocurrency over the last five or six years. And as a result, I started to see some of the scams proliferate primarily on Twitter in the beginning, but I've watched them sort of evolve over time, pivoting from Twitter to other social media platforms like Instagram, YouTube, less so Facebook. But also Telegram is pretty much hit or miss there too, because that became a big platform for scammers when a lot of cryptocurrency companies were launching channels on Telegram.

Karissa (03:22) I love this. I love this topic. I mean, it's a big topic. We could be on here for hours. Now, I do want to focus on cryptocurrencies, but just go back to Telegram for a second. Yesterday I was on a phone call, and then obviously, I was added into one of those massive 50,000-people Telegram groups, and they just kept adding me to it. It was really frustrating and it kept popping up on my phone. I'm sitting there on a conference call. This is really annoying. So I can totally relate. And then going back to your point around Tinder, I think someone said to me the other day, it's like 60% of those profiles are just purely fake, trying to scam people. But I don't know whether Tinder does anything about it. I think they're like, oh, well, they're sort of paying for a premium account, so we don't really mind.
So it's definitely an interesting world, interesting in terms of how companies are responding to it. But it's very slow, because so much is changing now, especially with deepfakes. I mean, I've read your research reports, especially on TikTok and YouTube and all these things, but I want to sort of focus now on the crypto stuff.

Karissa (04:25) I knew a guy, he called me, and I think he was involved in a crypto scam. Now, the specifics go back a while, but, yeah, I think that it's very prominent. I think people are maybe a bit embarrassed to say they got scammed out of it. I mean, their heart and their intentions are in the right place, but they may not be sure how to navigate it. So, yeah, just give me the lay of the land, like, what is happening out there, considering you're doing this all the time, this is your area of expertise and it's something that you love doing. So I'm really keen to hear it from you.

Satnam (04:56) Yes, Karissa. I think one of the key things about cryptocurrency that make it such an attractive space for scammers is a combination of things, right? Primarily, I think it's this fear of missing out. You know, people are seeing Bitcoin surge in price, Ethereum surge in price, a lot of these alternative coins, or altcoins, as they're called, surging in price. And people want to get in on that action, and they wish that they got in sooner. So one of the most attractive draws for cryptocurrency scammers is this idea of advance-fee fraud, where they'll post these tweets using fake accounts or hacked verified accounts or, as in some of my research I've also shown, they'll be using fake YouTube live streams to drive people to websites using pre-recorded footage of known individuals like Elon Musk, Vitalik Buterin, one of the co-founders of Ethereum, Michael Saylor, one of the big proponents of Bitcoin in terms of his company, which has purchased quite a bit of Bitcoin on their balance sheet, leveraging existing footage because it's already there for scammers and then overlaying it on these YouTube live videos with text saying, hey, if you send your money here, there's a giveaway going on.

Satnam (06:09) Michael Saylor is giving away money. Elon Musk is giving away money. Vitalik is giving away money. And if you want to double your cryptocurrency, so if you send as small as 0.1 Ethereum or 0.1 Bitcoin, you can double it and get 0.2 Bitcoin or 0.2 Ethereum. And so this idea of sending your cryptocurrency to an unknown address and hoping to get back double because it's claiming to be from one of these known individuals or celebrities, it's just a really simple but very effective technique that's being leveraged by scammers. And this has been going on since 2018. I first started noticing this on Twitter, and at that time it was very rampant on the platform. It's been curtailed a bit since then, but they're still out there, and they're also pivoting and leveraging other components of the cryptocurrency world. There's decentralised finance, or DeFi, as well as non-fungible tokens, or NFTs, which has definitely become pretty hot in this space. So they're finding other ways of scamming users. I can dive into that in a little bit if you'd like me to, or if you have any questions or something about the existing research I've talked about.

Satnam (07:21) Happy to dive in further.

Karissa (07:24) Oh my gosh, yes, so many questions. Okay, so one of the questions I do have, going back to sort of deepfakes, for example, or people just like overlaying it on their account. Now maybe this is a dumb question, but I think even in your research, you screen grab. If you go and check that person's profile, you can clearly tell it's not legit because it's like, oh, they got 6000 followers.
Is this an assumption that why aren't people doing rudimentary DD on an account? It's not like they have to go through it like consecutively and look at everything to the nth degree, but they actually just click on it. You can tell that it's clearly not the account, it's not verified, there's barely any content, they've got fewer followers, they're not following anyone. It just looks like a scam account. Maybe because I'm in cybersecurity myself, so it's obvious. But this does seem obvious to me.

Satnam (08:14) Yeah. And you would think that would also create some warning signs for users on the platform. But the problem, Karissa, is that a lot of these videos show up on the sidebar. Like if you're searching for certain things and you land on a cryptocurrency video, if you look at the related videos on the side, you'll see, for example, these very prominent thumbnails showing, like, Elon Musk says Dogecoin is going to reach $1 in the next six months. And if you click on that video, you'll see that there's maybe like 10,000, 20,000 people live streaming that video at that point. So you're looking at that number as an individual going, wait a minute, 10,000 people are watching this video, irrespective of whether that profile has only been around for a short period of time or only has a few videos on it. It doesn't matter, because the users are simply focused on this video content that just showed up on my feed, looks very peculiar to me, and I want to look into it. And then they see this existing footage. It's not even a deepfake, Karissa. It's existing footage of Elon talking to Jack Dorsey and Cathie Wood doing an interview from maybe six, seven months ago or a year ago.

Satnam (09:25) And this interview is easily accessible on YouTube because it's a live stream.
That happened, and all the scammers do is they repurpose, repackage that content, and then they add this little template around it where they put text, and it's like in big bold letters, and it says, go to this website. They don't even necessarily have to link you directly to the website within the comments or within the description of the video. They just simply put it on this little template here. And users will willingly go to the website. And these websites are so well designed, too. So when users go to it, they think, wow, this seems legit. And at the end of the day, when users go to the website, they'll see even a small section at the bottom showing what looks like transactions on the blockchain, showing money being exchanged back and forth. It's all bogus that the scammers have created, but it looks legitimate. So it's very easy for users to fall susceptible to that.

Karissa (10:21) So going back to the live stream for a second, that's obviously the hook, makes sense. Nothing draws a crowd like a crowd. Those 10,000 people, like arbitrary numbers. Are they real people, or is it sort of like they've generated bots to make it look like, oh, yeah, there's 10,000 people in our livestream? So can you explain that perhaps a little bit more?

Satnam (10:42) I think they're genuine people. I mean, I can't necessarily validate that myself because I'm not working at YouTube. So I can't give you a specific way of determining whether all of those people are, in fact, individuals. But by and large, I think most of the people who are on YouTube, because YouTube has tonnes and tonnes of people watching every single day. You know, they're one of the biggest platforms for video on the internet, right? So next to TikTok, they're right at the top. So I wouldn't be surprised if all those 10,000 users are legitimate users live streaming those videos. That's not to say that all 10,000 users are going to fall for the scam. Even if 1% of those users fall for the scam.
That's still quite a lot of money for the scammers if they're able to convince 1% or even half of a percent of those users to fall for it. The other component of it, too, Karissa, is that I know you mentioned that these accounts are often unverified. Scammers have also been able to hack into verified YouTube accounts, pivot them into whatever their preferred version of this is. Like if they want to impersonate Michael Saylor's company or Tesla or SpaceX, or during last year, when Elon was set to host Saturday Night Live, they were pivoting a lot of these YouTube channels into fake Saturday Night Live channels and using those to try to stream Elon on Saturday Night Live, even though it wasn't actually a clip of him on Saturday Night Live.

Satnam (12:05) They were just using that as a hook, and they were able to take advantage of users. And I think I'd have to go back and double check my numbers. They made about $10 million off of users, not just on YouTube, but on Twitter as well. But by and large, the majority of the money that the scammers made at the time was from those YouTube live streams. They made about $9 million off of users, scamming them out of $9 million, I should say, across different cryptocurrencies.

Karissa (12:32) That is wild. So another scam that I've seen, I don't know if you notice this as well. So on Facebook, if you say there's like a big page that people follow and then there's all these comments on there, like really generic stuff, like, I don't know, it's like an image, and then it's like, use your predictive text, and it's like thousands of comments, millions of comments, and it's like someone then saying, hey, you've won. So and so, click my profile. And then I think that I've definitely seen the same type of thing happening, and they send them to a site and they can say, oh, this looks legitimate, and then it's not. So I think that's something I've noticed on Facebook as well. It's pretty subtle.
It's not so in your face, but I do think people are still falling for that.

Satnam (13:14) Yeah, no, Facebook scams are still pretty prevalent. I mean, they're not as bad as they were about a decade ago when I was discovering a lot of the Facebook scams. Scammers were very much invested in going after users on Facebook, but they've branched out. There's so many different platforms now that they could take advantage of: Snapchat, Instagram. A lot of scams also drive you to other platforms. So if you're on a specific platform, for example, whether it be TikTok or Tinder, they may drive you to, say, Snapchat or WhatsApp. WhatsApp is a really popular place now for scammers to drive users to, because that's sort of another space for them to take advantage of folks, because now when you go on, say, TikTok, if you look at some of the messages you receive, there's a little warning dialogue box that pops up. So it incentivizes the scammers to say, hey, I'm an attractive female, want to have a conversation with you, come message me on WhatsApp. So they drive you off platform to another platform in a way to get you, not necessarily in an unregulated fashion, but somewhere else where the TikTok moderators won't be able to get those signals that, hey, this person is trying to scam me. And it's just another vehicle for scammers.

Satnam (14:34) The one thing I will say about them, they are very determined and adept at what they do. So no matter the platform that emerges. TikTok has been around for a few years now. It was previously Musical.ly, and they merged and became TikTok. In the beginning, there weren't like a tonne of scams, but I started to see the scams begin to emerge, and now they've taken full form and they've become much more mature. And that's typically what happens on new social media platforms. So whatever comes after TikTok, because inevitably something will follow TikTok and become the next big thing.
Whatever that platform is, it's going to go through a growing phase. And that will come with growing pains when it comes to dealing with scammers.

Karissa (15:18) Gosh, it's so wild. Now, one of the things I know, correct me if I'm wrong, apparently on Tinder, for example, obviously it's the same kind of thing, like, oh, I'd be on WhatsApp? And then it's like the next person takes over, it's like a full-on organised crime, and then they're just doing this, and apparently the hit rate is pretty high. That really escapes me as to why someone sitting there, I don't know, messages me on WhatsApp, it's just, I don't know, and trying to get me to do some scam. I don't fall for that stuff. So I think it's good to have you on the show, get that awareness out of what people should be looking for. But one of the things I noticed in your research is that you mapped out a very clear template that scammers use to promote, like, fake cryptocurrencies, for example. So can you walk through the five components?

Satnam (16:03) So I believe, if I'm not mistaken, you're referring to the fake YouTube Live template that I showed an example of, what that looks like on YouTube. One of the ways you can tell really easily that you're dealing with a scam: first of all, if you see anything that's claiming that Elon Musk, Vitalik Buterin, Michael Saylor, any of these other CEOs or heads of these other alternative cryptocurrencies out there are talking about the price of that cryptocurrency rising within the next six months, or talking about price action, predicting price action, because at the end of the day, users are very invested in seeing those cryptocurrencies rise in value. Because if they rise in value, it means more profit for them. So the way that you can identify these is if you see these videos, they're obviously going to be in a specific template.
They're going to have a small section of the YouTube live stream dedicated to that video footage, and it will be stolen video footage from another interview. It'll also contain information like a fake tweet, for example, from, say, Michael Saylor, Elon Musk, Vitalik Buterin. And these fake tweets will say, hey, I'm giving away X amount of money as part of a giveaway.

Satnam (17:18) Go to the website to learn more information. There'll be a section that talks about the event itself, and it'll say the different denominations, such as, if you send 0.1 Bitcoin, you will get 0.2 Bitcoin. If you send 0.2, you'll get 0.4, and it increases as you send more. So the more you send, the more you'll be able to earn back, because they talk about doubling your cryptocurrency. It will talk about the various rules that are in place. And then they'll have a little section of that video dedicated to telling you what the website URL is, because they can't necessarily put it in the description box, because YouTube will potentially pick that up pretty quickly and take those videos down. So it does require the users to manually type in the URL, but that's obviously not necessarily going to disturb the users or get them to, like, not go forward with it. They'll willingly type it in and go to those websites, even if they have to do it themselves manually. So that's pretty much the components that make up the template. They'll also have logos associated with the brands too, right? So Tesla, SpaceX, Ethereum, Michael Saylor's company as well.

Satnam (18:27) So basically, that's the template in a nutshell.

Karissa (18:31) So what you're saying is even if people have to manually type in a URL, that doesn't deter them, they still think it's legitimate?

Satnam (18:38) Yes, absolutely. If you go on to Reddit, for example, there's quite a few Reddit posts that appear where folks say that they've fallen for these live stream scams. It's really sad.
It blows me out to see that people are falling for this stuff.

Karissa (18:52) It's terrible. Okay, so walk me through the journey quickly. So basically, I'm Karissa, I go on YouTube, I'm looking to double my Bitcoin. I see this live video. Yes, it's a fake video in terms of it's been copied from elsewhere. There's 20,000 people on this live stream. It looks legit. I have to manually type in the URL, send my Bitcoin, and then it's thanks very much. And then they just never hear back. And then from that moment, that they know they've been scammed, or is it like, oh, actually, as soon as they send it, they kind of know they've been scammed? When is that sort of time that perhaps the consumer knows? Actually, what I've done is not right.

Satnam (19:36) It can vary, Karissa. They can know right away, like something doesn't feel right after they send it. Or it could be anywhere from half an hour to an hour to the very next day. It really depends. I will say, though, one thing that I really want to point out, it's not necessarily that these users are going on to YouTube looking for ways to double their cryptocurrency. Just like most people, they go to YouTube to find out more information, because typically you would Google some things. But also people use YouTube as sort of their own search engine to find information. Like if you're very passionate about Bitcoin or Ethereum or Dogecoin or whatever alternative cryptocurrency you're a big fan of, you're going to go on to YouTube, find other YouTubers that are talking about these cryptocurrencies, giving you information. There's a lot of well-known cryptocurrency channels out there that are dedicated to educating users about cryptocurrency, providing them updates with the news. And it's when you go onto these videos that on the sidebar there you'll see these live stream videos. They're not necessarily seeking them out.
They get recommended to them because if there's like 10,000, 20,000 people looking at a live stream about a cryptocurrency that you're looking at a video for, YouTube will recommend that video to you, and users will say, hey, that looks like an interesting video, and they'll click on it.

Satnam (20:53) And unfortunately, that's one of the ways that they end up falling prey to these scams. And one of the other challenging parts of this, too, Karissa, is that last year I also encountered a situation where, if you were watching these videos from some of these content creators, during the advertising portion of it, scammers were purchasing ad space to promote fake cryptocurrencies, like a fake SpaceX token, claiming that Elon Musk was going to launch his own SpaceX token. And it was one of the most creative things that I had seen in this space in a very long time in the world of cryptocurrency scams, because they would send you to a website, and the website wasn't the most well designed, but they walk you through the process of installing a wallet on your browser. So MetaMask, one of the most popular cryptocurrency wallets that you can use. They show you how to install it. They show you how to go to a decentralised finance website like Uniswap to go and transfer your existing cryptocurrency, swapping it out for this fake cryptocurrency that they've created. And what ends up happening is in your wallet, on your browser and your MetaMask, you will see the SpaceX token appear.

Satnam (22:05) So you'll think that you actually got the cryptocurrency, even though in reality what ends up happening is that the contract that these scammers created was designed in a way that you can then no longer sell those tokens. So you can easily purchase these tokens, which have some value, but as soon as you do, you can never sell them. So you're stuck with these tokens.
And once the scammers amass enough money into this contract, they could then exit all that liquidity out into their own wallets, and you'll be left with worthless tokens.

Karissa (22:39) Wow, that's so bad. Oh, my gosh, it makes me so angry. Okay, so this is really interesting. So what's coming up in my mind is, I mean, I used to work at a bank in security, right? So something happened, the bank would take responsibility, but in this equation, right? Like, okay, I've been scammed out of my Bitcoin. Who are these people? Sort of blame is not the right word, but there's no real accountability. Then it's like, okay, well, that sucks, right? You got scammed. That's terrible. But, like, in a traditional banking fashion, when your credit card gets skimmed or someone steals money because their credit card numbers were breached online or whatever it is, right? And everyone's card has been used, the bank will cover you. It doesn't happen in this case. So what is sort of YouTube doing to prevent this? Yes, of course they're doing what they can, but are they taking some level of responsibility, or who does it sit with, really, at the end of the day? Ultimately on the users. But then I guess it sort of opens people up for being compromised. Like, there's a lot more risk in this.

Satnam (23:45) Yeah, and I think you're absolutely right, Karissa. One of the biggest challenges here is that this is not an industry that has the regulations that banks do. And unfortunately, there is no centralised authority involved in a lot of the equations. You are primarily interacting with platforms that are decentralised. So when you send your cryptocurrency to an address somewhere, if it is sent, you can never go to, like you said, you can't go to your bank and say, hey, I sent this, someone scammed me. Can you reverse the charges? Once it's gone, it's gone. And that's why scammers are very much targeting users, going after cryptocurrency. Even scammers on dating apps, too.
They'll try to get you involved in these fake investment scheme opportunities because they know it's one easy way to target users who are trying to make money, and they have no recourse. And you're looking at a wallet address that is anonymized, right? It's not associated with you or me. I don't know what your wallet address is. Unless you have, like, a vanity Ethereum address, like KB.eth, for example, then I would know that I'm sending money to you. Otherwise, I don't necessarily know who is the owner of that wallet.

Satnam (25:00) I mean, that's the other challenge about it. It's anonymous and there's no recourse. And you're right, it's an unfortunate part about cryptocurrencies. I don't necessarily know what the answer is on how we can address this. I know that financial regulations are being looked at across the globe about this, and we'll have to see how this plays out.

Karissa (25:23) Yes, I guess it's hard. No one has any of these real answers. I mean, it's just up for discussion, because looking at the traditional banking side of things, it gets tricky depending on where your card was used and all of these types of things. Correct me if I'm wrong. In the US, if, just hypothetically, I don't know, someone puts a charge on my card, it wasn't valid, does your bank then recover those funds? I mean, I've even heard of people saying, oh, well, it was my responsibility and that's it. I've sat there on stages and people asking me, what do you think is going to happen? Because I used to give some insight. I used to report on the numbers the bank was losing. This is going back like seven or so years ago, on how much money that they would lose to all different cyber espionage or whatever it may be. But even credit card skimming, it was a lot of money. Right. So you've got to think, like, their downside, risk and impact of people doing the wrong thing is quite high, and it's probably getting worse. So I'm just curious to know what is going to happen.
Karissa (26:26) Like, yeah, we can regulate it all we want, but it's really hard when you're across different countries and there's different regulations in different places. It's going to be really hard to find some level of unity in all of this.

Satnam (26:39) Yeah. No, going back to your point about in the US, if you do see a transaction that's not something that you purchased, for example, if someone put $1,000 on your card for a transaction at a hardware store, you can dispute it. Right? There's an easy mechanism. You can call your bank or you can call your credit card company and say, hey, I didn't make this charge. They'll consider it fraudulent. They'll reissue a new card, and they won't charge you those funds; that will actually be recovered. But yeah, it's not something that's easily achievable in the current state of affairs of cryptocurrency today. That said, the one thing I will say that is a testament to cryptocurrency is that you can sort of track transactions as they occur through the blockchain, because blockchains, by their very nature, are supposed to be public. Right. You're supposed to be able to see what transactions are happening on the network. It's part of the beauty of blockchain, so to speak. Right. And in some instances, I've heard some researchers, what they do is they will contact certain centralised exchanges, like the Binances, the Coinbases of the world, and they'll alert them to potential fraudulent activity for certain wallet addresses.

Satnam (27:52) So if they do detect some sort of transactions coming inbound, they can freeze those accounts from being able to transfer those funds out. So there is still some mechanism in place. But then you are very much relying on still decentralised authorities. But not all transactions that occur through these platforms happen through there.
And there are also ways of getting your money out and sort of laundering your funds, so to speak, in cryptocurrency. There are certain platforms that allow scammers the ability to launder their funds across multiple addresses. But there's also companies out there that are trying to dedicate themselves to trying to figure out how to solve this problem.

Karissa (28:32) So going back to social media sites for a second, like TikTok, YouTube, are they, in their terms, because, as we often see, social media sites can update their terms whenever they want, and that's part of signing up. They have authority to do that. So you're just accepting that. Are they sort of like wiping their hands clean of, okay, if you get scammed, it's not on us. You can't try to come after us, or we're not going to take your call, we're not going to respond. Do you know anything about that side of things?

Satnam (28:59) No. To be honest with you, I've never really looked at the terms and conditions of most of the social media sites as far as how some of these scams proliferate. In some instances, like I said, for example, scammers will try to take you off platform, and they'll take you away from, say, TikTok and take you to WhatsApp, which is sort of like a glorified SMS-based app. Right. And so it's really hard to say, like, what culpability or liability these companies have when it comes to dealing with the scams. I can't really necessarily comment on that.

Karissa (29:32) Yeah, fair enough. I mean, I only ask that simply because it's a bit of a breeding ground for a lot of these scammers to sort of get people from there, then take them off platform, whether it's WhatsApp or whatever it is. I'm just curious to know, like, YouTube and friends trying to reduce their risk, because they don't want to say, oh, okay. Well, Karissa Breen got scammed out of a Bitcoin. Now we've got to pay a Bitcoin back. I mean, that's how a bank works, right? So I guess it's a hard one to answer.
Like, who should the buck start and stop with? A little bit, not a blame, like, because these things happen, but it's kind of really unknown at the moment. Yeah. I don't know. It's such a new sort of thing that we don't know. Like, going back to the bank situation, the bank's problem, like your card gets scanned or scammed or someone puts a charge on there, they'll sort it out with you. So it's not the same, though, in this sort of capacity. So, yeah, I don't know. I think that maybe they want to try to reduce people blaming them for being scammed out of their Bitcoin.

Karissa (30:39) For example, moving on, one of the things that I want to talk about is, now we sort of touched on this a little bit about the celebrity side of things, but I'm just curious to understand a little bit more about that, because ultimately it doesn't look good for the celebrity. Right. Like it damages their brand in some capacity. I'm just curious to know a little bit more about what that looks like and how they're sort of responding to this type of stuff.

Satnam (31:10) Yeah. One of the challenges when it comes to cryptocurrency scams is that there's a lot of individuals that scammers can easily impersonate. Elon Musk happens to be one of the primary people that they like to impersonate, because he's one of the more vocal individuals talking about cryptocurrency. He's been a proponent of them. He's really associated with Dogecoin, and there's a very strong and passionate community of folks who are Dogecoin holders. So that's what ended up happening last year when he was on SNL. There was that run-up to when he was appearing on SNL, Saturday Night Live. And there was this belief that his appearance, when he gets on Saturday Night Live, he's going to talk about Dogecoin, which is going to help propel the price of that coin. So scammers knew that there is this fervent interest in Dogecoin, Elon Musk, SNL.
So it was an easy vehicle for them to essentially impersonate him on Twitter, impersonate his companies like SpaceX, Tesla and Saturday Night Live impersonations. And so they created these fake YouTube accounts or they hacked into existing verified YouTube accounts, turned them into Saturday Night Live accounts talking about Elon giving away money. Satnam (32:28) It was just a perfect vehicle. And it's often the case with a lot of these scams, like Michael Sailor, who is a huge proponent of Bitcoin, he's become the face of most Bitcoin scams today. Historically, it would have been Elon Musk. But now because Michael Sailor is so vocal and passionate talking about how much belief he has in Bitcoin as a store of value, it just gives scammers a really simple way to sort of say, hey, I know this figure is very much associated with the Bitcoin movement, so all we need to do is take his existing footage of him talking about how beautiful and how wonderful Bitcoin is as a store of value and just it's right there. They don't even have to do a lot of the work. It's just very simple. And same thing with other individuals associated with cryptocurrency like Vitality. Buterin, co founder of Ethereum, gives tonnes of interviews talking about Ethereum and what a benefit Ethereum is in terms of its contributions to this cryptocurrency space. And so they have existing footage of his that they can take and it's just a ripe opportunity. It's like you see a bunch of money sitting on the side of the road. Satnam (33:42) Scammers are like, I can just go and grab that money, that's all. I don't have to do anything. It's just right there for me. That's what it's like when it comes to all these video footage that they're able to obtain. That interview, for example, that I mentioned with Elon Musk, Jack Dorsey, who's also big on Bitcoin, Kathy Wood, who is associated with Bitcoin and Ethereum three individuals that are easily reputable when it comes to talking about cryptocurrency. 
They just take that live footage, repurpose it, and just put it out there on YouTube and it's just instant way for them to make money. Karissa (34:14) Do you think with all the research that you do as a best guess, do you think it's going to get worse because of where with Metaverse and all these NFTs coming out and people talk about cryptocurrencies, more businesses want to trade with that. So are we just at the beginning of a massive problem here or do you think it will sort of stabilise? I'm just purely ask. I think I know the answer to this, but I'm curious to hear your thoughts. Satnam (34:45) It's like if you remember from the cartoons or things like that, where you have a snowball starts to roll down the Hill, it gets bigger and bigger as it gets further. That's pretty much what's happening in the cryptocurrency space. It's just going to continue to grow and grow. It's already happening. You mentioned NFPs. A lot of these big NFT projects that are getting a lot of attention. Scammers are already impersonating them. Hijacking verified Twitter accounts, using those hijacked verified Twitter accounts to promote fake air drops where they're giving away money because those projects already did air drops. So people who missed out on it may see these tweets go to these websites and do the thing that they're not supposed to do, which is they get fished by connecting their wallets. And that's no fault of the user. Right. The user wants to believe this is a verified Twitter account. They're clicking on this link, they're looking at the branding. It's exactly the same as what they would see on the actual website for these NFT projects. And they click on the button that says Connect your MetaMask wallet. And then they open it up and their MetaMask wallet shows up and it says, hey, you want to connect to this website? Satnam (35:53) So naturally the users are like, okay, cool. They don't see anything wrong with this equation. 
Because right now when you interact with websites that are legitimate, you have to do the same thing. You connect your wallet to them and you give them access to your wallet. You give them the permission to transfer your funds out or access your funds. So unfortunately, they may not realise that they are visiting a phishing website. And once they do connect their wallets, the scammers are then able to transfer out their existing cryptocurrency, transfer out their NFTs, and they just lose hundreds of thousands of dollars to the tune of millions of dollars. Unfortunately, that's what we're seeing now, and we're going to continue to see it, especially now with the Metaverse. Like you said, we could talk about this for hours because the Metaverse is just going to be the next step in their evolution of the scams. Karissa (36:48) Oh my gosh, yes, I know. You're absolutely right. Okay, so as a cybersecurity professional. How would you advise someone to do this securely and do it right now? I know people have got cryptocurrencies. What would you do with your knowledge and your research to do it properly, to make sure my gosh, I don't know the terminology. Even I'm bad at this. You're trading with someone or you're swapping something, but they're doing it securely. Can you walk through perhaps what that may look like? Satnam (37:19) Yeah. I mean, to be honest with you, Karissa, it's really hard. It's really hard because some of these websites, like I said, they're dead ringers for the original websites. They're really hard to determine. I mean, at the end of the day, what I typically tell users to do is be sceptical. And I know that's very cliche advice to say be sceptical. But I genuinely believe if you see something that seems too good to be true, okay, you missed out on this air drop or you missed out on this Mint for this Metaverse project, go to this website. Hey, we're refunding the gas fees associated with this particular project that we just launched. 
And if you tried to Mint your Metaverse NFT, hey, you can get your gas fees recouped by going to this website. You don't need to do all that. You should pause for a moment. Go to the original source. Right. If you're going for a project, let's say you're looking at the Board apes, right? Board Ape Yacht Club is one of the biggest NFTs on the planet. So you go to their website. That's one resource. You go to their Twitter account. Satnam (38:26) That is probably the most invaluable resource you can go to and see what they're saying. If they're not commenting on it, I would hold I would wait until I see official announcement from the project. And that's probably your best step in this whole process is wait to hear from the official project. The problem is that there are some projects that haven't even launched yet that scammers will then recreate accounts for, and then they'll claim that they're launching the project already been launched. You can go to this website, but still, if you go to that original profile, it's going to tell you, okay, this is the one. This is the right one. Now, the challenge there is that if scammers are able to hijack, say, a verified Twitter account that has more followers than the original project, then you're confused. Like, wait a minute, how do I know which is which? Well, you go to the original website and they'll have links to their actual project, Twitter account, their discord. We didn't really even talk about Discord. I know. We talked about Telegram. Discord is another place where the cryptocurrency projects live now. And it's ripe with scams. Satnam (39:31) Ripe with scammers who've even managed to hijack accounts within existing projects on Discord and using those hijacked accounts to Phish users. The biggest thing I would say and I say it every time, it's just be sceptical. 
I would much rather miss out on ten X 100 X gains if it means I wouldn't lose any of my cryptocurrency, because I think one of the challenges, especially in the world of cryptocurrency, is the sense of urgency. If you feel like you're going to miss out on something, you might be more inclined to make a mistaken. Karissa (40:08) That's how they get you, though. Satnam (40:09) Yes, that's how they get you. The urgency factor. Karissa (40:13) Oh, my gosh. I'm just going to say it. This seems like a lot of work. I get this stuff worth a lot of money, but it seems like you're doing lots of Recon to do something. I don't know whether you've got Bitcoin or any sort of cryptocurrencies. I mean, I don't. I know people who do. I know a lot of people who don't. Do you still think it's a bit of a wild west out there? I don't know. This still feels all too hard basket for me. It just feels like I got to watch my back, and I don't know if, like, someone's wallet, I can't validate them. This feels really convoluted and messy, and I feel anxious listening to these stories that you're saying. So what do you think should be able to stay away from it for a bit until there is some level of regulation around it, until it stabilises a bit more? I'm just keen to hear what you think. Satnam (41:06) Yes. At the end of the day, I think people should make the best choices for themselves. And I don't think people should pour their life savings into cryptocurrency because of the inherent risks associated with it. Right. Don't play with money that you're not willing to lose, because at the end of the day, there is a pretty strong likelihood that you may lose money. And there's a whole thing going on right now with some stuff in the cryptocurrency world, a lot of tokens are crashing in price because of some things that have been happening. I won't go into the weeds on that, but I've been hearing stories about people taking their lives because of all the losses from it. 
So it's extremely saddening to hear this. And I get it. Cryptocurrencies are a very attractive investment vehicle for folks who want to try to make money outside of the traditional finance. And I'm not saying that there's no value in it. There's certainly value. And for me personally, I always like adopting new technologies, and that's why I've been on all these social media platforms. And why I've even delved into the cryptocurrency space in the first place is because I want to understand it. Satnam (42:17) And I think there's a lot of folks who are also like me, who are curious, who want to understand it better. They're seeing all these reports. Major companies are talking about getting involved in cryptocurrency, adding it to their balance sheet. So it's definitely legitimised over the years. If we're talking five or six years ago, people didn't want to go near it. Most companies weren't even wanting to go near it. But now you have major brands, major organisations that are getting themselves more directly involved in it. And it's arrived. And I think it's sort of like Pandora's box. It's been opened. You're not going to be able to put it back at this point. We're in it. And I would just say that scepticism that I talked about earlier is truly, truly one of the biggest gifts that you have as a user is to just be sceptical. Don't believe everything that you read. If it sounds too good to be true, it probably is. Karissa (43:15) So that leads me to my next point on cryptocurrencies that businesses are looking to get into right now. This is a big topic. Again, what's your advice on this? Like you spoke before around how to do this securely being sceptical. But what about your advice for businesses like, I don't know. This seems really like risky business. So I'm keen to hear what advice would you have potentially for companies? Is it too soon to get involved? I get there's going to be a massive payoff. There's still a huge risk associated with it. 
Satnam (43:50) I mean, I think it's already happened, Karissa. I mean, you have a lot of companies that already have Bitcoin on their balance sheets, for example, maybe less so when it comes to some of the other cryptocurrencies. But there are other ways of getting sort of exposure to it. There are companies out there that have been created that will securely hold cryptocurrency for you. There are businesses that already are offering this as a service to other businesses. So a lot of times these major companies, probably the smaller ones, are going to have the biggest challenge. But the big companies, the big ones out there, they've already got existing relationships. I think even Coinbase has a custodial service for major clients. So they're going to securely hold your cryptocurrency for you in a way that you don't have to worry about the potential threats that are out there. And a lot of times businesses are acquiring lots and lots of cryptocurrency, whereas individual users are probably just getting involved with smaller amounts of money, not their life savings, hopefully. So I think the risk profile is different for businesses. Right. Like Michael Sailors company, they own a tonne of Bitcoin. Satnam (45:05) Jack Dorsey, he's part of Square and they own a tonne of Bitcoin, but they also allow people to purchase Bitcoin through their platform. I believe Elon Musk owns quite a bit of Bitcoin and other cryptocurrencies on the balance sheet. I think it's just Bitcoin. I have to double cheque that. But on the Tesla balance sheet. Right. So obviously companies that want to get exposure into this space are certainly doing it. And I think as time progresses, you'll see more and more businesses getting involved in that. And there are other companies out there that will help sort of bridge the gap so that they're not trying to custody their own cryptocurrency on their own. 
I think that would just be bad advice for them, especially for the sheer volume that they're going to be procuring for themselves. Karissa (45:52) But I guess some of these larger companies have probably calculated their risk that they could lose it, but it's okay because they've got other money. So it maybe doesn't play a drop in the ocean for something like anyone must like. I mean, it depends on how much he's losing. If his life savings or all of these companies, maybe that's a different story, but perhaps they're in this mindset of okay, well, I may lose it and if that's the case, then that's okay. But I guess, as I say, you got to risk it for the biscuit. I'm probably more calculated in my risk taking abilities versus other people, but some companies, they are prepared to lose it because I've got enough money. It doesn't bother them as much. So maybe there's that side of things as well on how they thought through investing in a lot of these cryptocurrencies. Satnam (46:34) Yeah, Karissa, I think it's less so about the loss, meaning the theft of the cryptocurrencies and more about a drop in price. If they purchase it at a certain price and it drops in value, I think that's more of the inherent risk of holding these types of assets for these businesses less so the potential theft of them. Karissa (46:55) You're so true. Gosh, this is such a great topic. I really appreciate your insight and your thoughts. I've never had anyone on the show before to talk around this and I think this is going to be a more prominent topic and problem that we're facing, like you said with the snowball. So I really do appreciate your thoughts and your insights on this that name and I can't wait to get you back on the show. Karissa (47:18) Yeah, it'd be my pleasure. I love talking to you about this too. This is one of my favourite subjects social media scams cryptocurrency. I love it and it's more of a passion for me because I work for a vulnerability management company. 
So it's like something that I appreciate that they allow me to do this research. Karissa (47:35) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. If you'd like to find out how KBI can help grow your cyberbusiness then please head over to KBI Digital. This podcast was brought to you by KBI Media. The Voice of cyber.