« Reply All

#91 The Russian Passenger

2017-03-16

Somewhere in Russia, a man calls for a car. Somewhere in New York City, a stranger's phone buzzes.

Email us at replyall@gimletmedia.com and use the subject "theory" if you think you can provide us additional information.

Further reading

haveibeenpwned.com

A good article on how and why you should use password managers, and the best password managers out there.

Further listening

Simplicity by Macroform


This is an unofficial transcript meant for reference. Accuracy is not guaranteed.
from Gimlet reply: all I'm Alex Comin He gave us this week. We have our backs,
Alex Bloomberg in the studio Alex actually just got back from vacation the Bahamas. I wasn't there was great, so Alex you asked us to come into the studio, and I don't have any idea why so late on us. I need some soup export help. Why? Oh, your crossing segments ahem him! That's right! What's your super tech support question So I. Was coming home, so I got home from vacation. I woke up the next day. Look at my phone and- I see some upper notifications. And this is where it because I haven't called you because it was six in the morning and that was well enough. But the really weird thing is that the uber notifications were in Russian here's a screenshot so at I actually speak little Russian, oh right! So what does it say this once?
as a large number of Pooty, which means your your goobers en Route Arthur Forefront Stars is, will be there in one minute you know, then the next one Dennis is arriving in a Mercedes, Benz Class labour law Arthur is arriving and we are Rio, so it's more literally one rides and more than one ride to like two different people have called goobers in Russia and the notification of being sent to my phone So I have some questions. Yes, did you check your Ebay account to see if these rides appeared in your history? If that's possible? Ok, so I checked my bank account and in fact my bank account had been charged with two rides
twenty five dollars so like what my brain is saying is somehow someone in Russia got the password Gruber and is just like an act. My work, yea rate, is still being too My bank account right does actually, this seems annoying, but it seems like you call you tell them. This happened. They refund the charges, may change your password. How naive up up up up up up a how an innocent man gave a little lab okays aware of, and so then I like press the I call on my phone to like go in and instead of the north, thing that happens when it shows up- and it says, high Alex Limburg Bob allow. Where would you like to go wherever the normal three and I get this screen at? as its Buber get moving with Goober enter Europe. Open. A Mercedes treaty is a new user dreamy, as that, as I have just downloaded the up, and they have no record of who I am or anything.
And we re if you're on your phone is on my phone is the app there was installed on my phone, but when I open it up, it doesn't recognize me so that I might go so then the next step would be to call over its impact Oliver right. So we may help that overnight come and I got a email response from them. Saying like we are unable to find an account associated with this email and mobile number, and then Arab and I was like that's really weird, because that's my fauna Brits definite associate with this account. I have. I have just received notifications this morning to this number ready. Charges from your come. I M going to court. Judges from recovery is at our that are set out and they wrote back the same thing and they were backside here. Your trouble. We are unable to find a kind of Sis II with email number. Monsieur de reasons busy, and so then I kept on writing and then they captains and in the same form Emma back and forth. And I was like ok. What do I need to do? How do I? How am I gonna get out of this machine loop them?
hurray like where they keep sending me the same form letter back over and over and over again, and so then I was like. Maybe if I live, I wrote the word escalate I don't think we can all caps wait. You started cursing justice decision I get me a higher level of service when you were a robot on the phone. Sometimes, like you say the right word agent, aided in air. I was doing the email equivalent of will you do. You know where you're setting these always individually male J and as I have like one, two, three, four, five, six, seven, eight, nine ten. You know it's like. Basically, fifteen twenty emails back and forth between. Man over and all getting the same as are getting the same thing. So by this time had rubbed my wife nominated helping way, but this in and we found and she stood her goober apis to working, and so she found inside the app there is a will. There is a number that you can find and it's the net
that you are supposed to call if you ve been assaulted or endangered, that's the one number that is an actual human being on the other end ha so icon that number and, as I said, I had been assaulted by driver by needed to a person. I need to turn our version because and then very, very nice, lady, whose like I will try to. Let me try to help you explain it all story and she's. Like I m your phone number, I guarantee fund a branch like there's? No, I have no memory of this fund and get out of here and she was like hold on, and then she came back like there's one more thing I can do this is a little unorthodox that you give me your credit card number. I think I can call up your account through that and I was like okay and I gave her my credit card number, the credit number that had been charged that very morning from Russia and she was like. I have no record of this critical effort existing at numerous. We're that's bonkers! Higher existence has been erased if you'll creepy its super creepy.
And then I was leg, is there anybody that can help me and she was leg, there's nothing. I can do serves like ok, so then I started emailing some are and what were you getting any in respond? Then they should be viewed by then, and then they just stopped even auto response. They stopped spider emails at all. Yet so I haven't, I've heard from them in three days. Ok, here my questions, yeah go for it. I want to know. How did this happen and then did did somehow I'd? I do this, or is this purely like a data breach at goober? Ok, I think that I
I hope that I can answer that. I will look into it for you and I will get back to you ok a week ago. Yes, you came to me with a problem I did, and the first thing that I wanted to know was like. Is this a freak occurrence, or does this happen all the time and almost immediately? I heard that our courts Crystal VERDI, had a story that I needed to here as an early January. Twenty. Sixteen I started getting these notifications in the middle of the night that There is somebody there is a clear goobers arriving, but it was in Arabic and there is a scam. That was taking trips around Casablanca in Morocco and so at first I was they freaked out, because the amounts for really high like fifty or something or sixty, and maybe, if you like, fifty mad and ivy like well
like. I don't even take frigid arbours on my account like water, who are you to be like taking his leg, expensive movers, and then They did the math and anathematizing okay. Now it's like a dollar, and so it's like ok, like I could be fine with this for a little bit, because I wanted you just keep on seeing where he was going hold on you're. Just like. Ok, I'm fine with this for a little bit, I'm just gonna. Let this go. Yes, he was pretty respect for that. Like it was a way towards the end. It was like a couple times a week and a sort of became like wearily addicted to seeing these trip. So my googling, where he was starting and where he was going and who is actually up My overrating, because I had a fairly burying because I always like requested, and then I take a very long time to get to the car. So is it. This is great like this. Guy is like so punctual like you, like requests Huber he's dead there he gets in the car, and so, unlike okay, this is actually very symbiotic and also unlike helping somebody out, you know what WWW, so I let it keep going for.
About a month, and then I was like ok, warlike. I probably do have to do something about this, because I was finally disguise. Can you boys, but I didn't want necessarily like everybody in Morocco D Artagnan, my path, so Chris ended up chain his password and that put an end to rides around Casablanca. But what I was struck by was just how common this Buber hacking turned out to be like it wasn't. Just you ran it wasn't just Chris Ray it's not a gimlet exclusive, they get their wired. I went on and found a ton of people who are having similar problems like I found people who are reporting that there were rights that they do. Were taken in places like London in Hong Kong and France in Indonesia like happening all over the world while and what I was curious about is like where these hacked accounts we're coming from like our people getting their hands on it, and I saw that Joseph Coxe, who is a red from other board, and- he was on the show the other week helping me holding on you have my phone? Yes, so I saw that he
had written about exactly this problem. Yes, I can hear me: well is Joseph yeah, so I called him up in Berlin and he told me that a while back he was browsing the dark web and if you don't know if it is, that is just a part of the internet. That is not easy to get to require special software to get on and a lot of illegal stuff is sold there. So I was just browsing one of the dog. What marketplaces which sure ass you spend a lot of time. Doing you just go through the listings, like you're, on Amazon or Ebay or whatever and you'll come across, something pretty interesting. Like seventy percent of the time, can you give me an example: hazmat suits ok, forty seven of us up up up up we'll get stuff really so Joseph adjust poking around not really looking for anything in particular- and I
came across this vendor who said he was selling Uber accounts. I thought well that's very interesting than we looked into her ends. There were a hell of a lot of people selling stolen Uber accounts. And Joseph told me that they're relatively cheap. How cheap is cheap? They're between four and seven dollars each. Seeking by somebody else's Uber account for forty seven dollars right and then and then basic. What you're doing you're buying my password and login. Your username and password. The fact that, like oh there's all these accounts like to me that suggest that it's not everybody's fault that somebody isn't getting. Somebody shows and I got a thousand Uber accounts- you wanna buy one, it's not cause, they guessed two thousand passwords it's because like Uber made a mistake totally and that's what I assumed was the case also except Joseph specifically asked Uber. If they had gotten hacked data.
Legion eyes that they had to data breach and then, as I continued to reporting, spoke to these hackers, who said that They were accessing accounts, my kind of back to work. Besides, we found no evidence that there was a data breach actually at uber itself, and so I decided go on the dark web and just ass people like hey. Where are you getting these uber accounts and you'd be surprised to learn I'm sure you'll be shocked. They're, not super superstar. To talk to people who want to talk to. About their criminal activity, highly prized also back ass, but this one guy went by these an impasse. Man I sent him a message saying: did all of these goober accounts come from some huge hack of goober He told me the same thing that Joseph told me, which was he didn't, think that anything like that had happened, and I said interesting: can you do me a favor and see if any of these
no addresses are in your cache of hacked lubricants and you, even bunch of Alex's email addresses a couple? Yeah, ok and his that was- and I quote, will you give me bosses. Email addresses drive me to take a crack at, as other accounts that daring category. Them. So I went to all the local, muggers and show them a picture of you and your wallet, and these are Iranian, as you can see where you have a lot of money out, ok, look whatever it's done. I can't take it back. What regardless Joseph told me that he had a theory What might have happened, and it's this thing that hackers do that called credential stuffing without growth. It does sound. Pretty grouse Joseph told me how works
So companies' websites are hacked every single day. Last year we had LinkedIn, Myspace, decayed or com. All of these breaches of tens, if not hundreds of millions of accounts. Email addresses and passwords being traded amongst hackers, but if you're a clever Are you not only going to use those details to break into account? now one site you can see if they work on something else. The problem there is the people using the same password on multiple websites. All they're doing is reusing the password, but I'll have a special piece of software which can just change hundreds, if not thousands, very quickly. The more that me and my colleagues report on these data breaches every other day, every week, it's password reuse that's the main threat
to ordinary users of the internet. So at this point it seems like this might have been the thing that happened to you. Someone got your password from some other account like your diaper sex Account- and it was the same password that you use for Uber- I mean who uses different password for every single online service they've ever yet. I totally agree, I don't do it either, and I am definitely rethinking that now that I've reported the story and to that point Joseph had a piece of advice: get a password manager, which is a piece of software which will generate unique, strong passwords, so you don't have to remember them. But since I know you don't use a password manager, I wanted to know if someone had found your password in some hack that it made its way onto the internet and luckily there's a guy who can tell us
That happened. My name is Troy Hunt. I'm a security researcher and I am recording from my home on the Gold Coast in Australia, which Troy makes kind of soundly What on earth sunny it's gonna, be thirty degrees celsius and not some warm. I think I'm a girl in the water was clear skies, Troy's an internet security researcher, so he knows that the more a person uses internet signs up for new services, new websites, the more vulnerable they become. You leave these little traces of yourself all over the internet and as time goes by those traces just get larger and larger and the chances of one of the places you left your data being breached, and that data then being leaked, continues to grow. So in twenty thirteen Troy started a website that's called haveibeenpwned.com, P-W-N-E-D. It's a way for people to find out whether their
personal information has ended up on the internet. So when we see data breaches where a company like, say, LinkedIn is hacked and their data is ultimately spread across the internet, I grab these data breaches. I I them into a service, and I make them searchable so that people can discover whether they've been exposed. So what did you find? What pda energy? What Urim at year, your personal email address into into this boy? That's! This is uncomfortable. Ok. Oh no, why how I've been pwned on how many from sites to that's crazy. Like these are its Adobe and Tumblr, both of these are has I've had for ever. Oh, that kills horrible, your username and password is on the dark web right now, a really bad feel wild
Explain where would you like to look inside here? Have I Been Pwned up up up up up? This is terrifying. To take the same good news, no pwnage found how right Alex. I don't want to rain on your parade, but Troy told me that just because the website shows that you have been pwned, that doesn't one hundred percent mean that your credentials have never been part of a data breach. Yeah, there are a heap of unknown unknowns you'd how they're all these things that happen that we simply never hear about this stuff that has already happened come to light later on. And this also stuff that will never come to light so, for example, in twenty sixteen three hundred and sixty million Myspace accounts were put up for sale on the dark web, but they had actually been taken in twenty
thirteen so for like three years, someone was sitting on them, maybe using them and try and put him in his database cause he didn't know they'd been hacked. So even though I got the message saying that I have not been pwned, I may still be pwned yeah somewhere. Three the super experts. Do a very quickly, as is no one on the origin of pwned yeah. It's very easy you're, any most people know it because in video games, when you beat someone very badly, you say that they're owned, right, and the P is right next to the O, so people frequently misspell it and they misspelled it frequently enough that it just became its own word gotcha, I could have told you that also. I didn't know that haveibeenpwned.com right so based on talking to Troy and to Joseph. My working hypothesis has been that, like your friends, your account
act and it made its way onto the internet somewhere, and it's just never come to light, but then I got in touch with Goober and what they think happened actually might be a lot worse than that white, whether they tell you I'll, tell you after the break Haldeman.
Welcome back to the show. Ok, Alex? Let me explain what goober things happened? Ok, so you told me at the beginning of the show that your account just disappeared altogether, like goober did not recognise its existence, yes, executive and what they told me was when someone changes their account info, like their email address or their phone number, the support team he has access to the new information, so the way that they found your hacked account was the screenshot. That we sent them of your phones, lack screen which had driver names and drivers licence is on them and from
license plate numbers. They identified the rides that were taken, and from those rides they identified your account and got it back for you, but once I got your account back, they took a look at it and they told me that they're pretty sure that not only was your Uber account hacked, but your Gmail account is hacked. What we saw on our end was some suspicious logins for Alex's Uber account, so whoever was trying to login did have his password, but we have systems that will detect logins that look suspicious. That's Melanie Ensign, and she is the person whose job it is to talk about security at Uber and Melanie told me that when Uber saw your trips in Moscow, the ones that you didn't actually take,
they sent you an email that said you have to click on this link to verify that you are actually now in Moscow, and so whoever had access to his email account was clicking on those links, verifying that it was him and then deleting the notification before he saw them. Oh, and that's why Alex doesn't have any memory of ever seeing the email. Why we believe that somebody had access to his email account first, because somebody was taking action on those emails deleting them. This is where my egg, ok, maybe, but there's one thing that still does not make sense to me. I have two-step verification, and the purpose of this is to protect against just the thing that Uber thinks happened to my account. In theory, even if hackers got my password information from a dark web, they go to their Russian computers in the Russian cyber cafe they log in and then they're gonna get a message,
it says, please enter the code and so and I would be getting a text on my phone saying, here's your authentication code, and I'd be like what in the world is going on here and then I would like sound the alarms. So this that's what I don't understand, like how, because I have two-step verification, how did somebody manage to use from remote computer? I mean, is the question you're really asking just is Uber lying, basically? Like, are they saying that they sent suspicious activity emails that they didn't really send and they're trying to cover their asses? I don't think Uber's lying, but I want to find out. Can we determine there's got to be somebody that you could call in to make sure to tell me if my account has been hacked or not my Gmail
and then yeah is it hacked still. Am I at this very moment, pound up up up up up up up up up our eight. Our train figured out right. Ok, so it's been a couple days, and I just sort of wanted to recap: whereat. Ok at first I thought that uber, it had some kind of data breach in your username and password had made it out into the world, and that does not appear to be the case, and then I thought that maybe
Another account of yours got hacked from somewhere else in people used that username and password for your goober, but that also seems unlikely and when I went to Ober Ober told me that your gmail account had probably been hacked, and so I, like I said I ve been looking into this, and I dont know what happened to your gmail up up up up up up Africa and in the past, when tech support problems have gotten bigger than me, or at least once we brought in a ringer. Ok, certainly a super AUS Goldman. He, yes, we brought in someone who is basically a super version of me. His name's Dave manner. He is a security researcher. He loosened Atlanta and I have him on the phone. How they are you guys doing good a dive? so Alex I've already brief Dave on. What's going on with you, so you can ask him any question you want, so that my question- is: did somebody take over my gmail account
and ass a many still have access to my Gmail, because that would be scary and well. It doesn't seem possible because I had two-factor authentication the starboard questions first of all the possible yes, this happens all the time. The next step to help narrow down this mystery is to take a look at the activity log for your Gmail account and see if there is anything suspicious. I guess what I find the access logs. So there is one was like this. myaccount.google.com/device-activity, slash device-activity, device-activity. I haven T a MAC got a bunch of NASA, the Bahamas Windows, the Bahamas, we Windows the Bahamas. It shows a Windows machine which It does not have accessing his account from the Bahamas. Oh yeah, but
I did because my dad had as yes, no my dad is Microsoft Tablet, so try to log on that's right. I tried to log onto a Google docs thing, but countless covers three days or four days after access the surface it wasn't like it happened right away. So when your you're about guy in the credential harvesting business, you're getting a lot of information and at once you gotta, classifier red got it they never saw adopted somebody to make to you re right. So it's now. I guess Mesopotamia thing and how would they do that without him? Noticing malware works in Asturias, worse as I see it, the bad our right icy. So in the background is running in the back. Its mimicking its mimicking actual legitimate user accessing Je Ne accessing. Gmail, even though it not showing up on the screen or anything what gotcha as coming with us
higher it Alzheimer's Richard really come Mr Bloomberg naked Mr Richard, you think on which my colleague Mr Boulevard hello that how high mister Burke, Hey Mr Bloomberg. You guys both level Mr I told them. I told them to go Richard if you're gonna be our primary Richard. I dont have so Alex caught Richard up on everything that has happened so far and explained that we wanted to check his tablet to see. If that's, how hackers got into Alex's uber account, as there is one time when I logged into my account, that was on a computer people say could have been could have been compromised, and that is when I locked try to log into my gmail account from
Your tablet offers for yeah. Well, I will say that some time in the last few weeks- and it may have been when we were in the bahamas- I got an email from Google saying that someone had tried to log in to my my gmail account from a computer somewhere that I've ever been. I can't remember were it was, and so I D authorized
I said no, that's all unauthorized computer and then I went out and I changed my gmail password immediately. You know I have a duty to the surface pro since we got back from the Bahamas. Gonna do gotten so buggy gotten into flowed down so badly that I figured that I something was wrong with it give up do. Did you have any more aware, detecting software on there a lot of windows windows devices come with someone called Windows, defender Yeah kick. There is windows defender on that. Ok, Is there any way to look at windows defender and see if there s anything here? Let me let me get the surface pro and are about up. Ok Windows defender up
I'm gonna ask you to do a full scan if you can do a full scan. The problem is that a full scan takes a while, it's ok. So what the verdict didn't find anything after. I have waited on eleven hundred eighty one item No were detected on your pc during this can mean bursting. I'm legitimately show angry so frustrated by because it's just unanswerable son. Answer, obviously cannot solve revised and their blaming it. On me and my dad's, my dad servers proudly founded on a scapegoat Bloomberg family with Windows defender
have definitely found the spyware. I mean this is like the default windows antivirus Barrymore talking about so it totally. Could I miss something I don't know it like. The tablet still just feels, like the most likely suspect me, this stuff's hard to actually say with any certainty. It's like trying to figure out who got you sick kind of I mean the virus analogy is actually very apt. He can its way and from a million different places, but if we were, if we were just back up some distance and look at this like big picture goober a Multi billion dollar company in playing I'm sure, gazillion of cyber security experts to keep his day save for the Bloomberg family word sharp guys, but not very suspicious in general.
Yeah. They're. Probably I guess like that does seem to be probably where the breach occurred. Much as I hate to admit it, and- and we can't and it is, it is troubling that we cannot find it exactly it's in fury where it came through. Now, I'm not mad at you, yeah, I'm mad at myself, Ike. I came here to super tech support you know and at the end of this, I've got like a lot of best practices like it's like use. A different password on every website check it out. Have I've been Poland to see if your gear data's out there? always be super super diligent body body, bloody blah still at the end of it. I have no idea what happened to you can't tell you a story sure my dad's, like a variant If we in the former baseball coach Andy, but we will pay cash emollient, our, how bad a ball I threw, she would always catch up like crazy, bad rose, and I got him I had to do. Was invincible
and then one day I took my favorite toy. Owing to the upstairs bathroom house, I threw out the window at him pretty good like down the valley of Low and when it was like three fevers dad catch any general way. My two I broke this her. How I feel about you right now, like we asked you to answer a question that is very hard to completely a hundred percent answer, and you did your best and that's just really too bad. I thought this was going to be a story that would be somehow make me feel like not an abject failure, you're part of the human rights and you didn't catch the toy even get to die. It shattered now, listen Richard. Thank you for indulging us subpoenas that do yeah thanks dad. I couldn't be more, but I'm going to bed.
That's the guy I derive thanks. I out, but I love you Let me deal raw later. Ok, bye. So I'm pretty sure that we got this one right. That Richards Tablet is probably how hackers got access to Alex's you work out, but I'm willing to bet that there are people out there who think that I am dead wrong. So if you are a person who believes that you have a better theory as to how this happened or even just a different theory, email us at reply economic media, dotcom uses, subject land theory, and we will take a look at it and, if at all,
now that you're right I'll send you a personal pan, Peter also When I read about password managers or you want go to have I been pounds dot com check out the description for this episode. Reply all hosted by Peter, vote and me Alex Goldman, are shows produced. Should have been in any fear, Bannon, Coy persicos and damietta more kitty. We're edited by TIM, Howard and Jorge just we were mixed by required The music is by the mysterious break. Cylinder are add, music is by build buildings, and this at the end of the episode this week is simplicity by MAC. Reform are low. Is by met with Transkei fact, checking by Tom Cody Matt Labour is for extra bit, in the fridge that you forgot or even their you can our website reply, although diamonds and you can find
episodes of the show on Itunes or Spotify or wherever you personally decide. You would like those in a pot guests. Thanks for listening, we'll see you next week. This provides is produced by great master cylinder My friend behaves as the internet's taken and hug Schneider. There's won't stay out, Scoldin, happy Jack. I want to find that puppy. Ok, let's get to work yet there. He is was hiding in the internet, he small and
reply was hosted by Pga Boat in the schoolroom and replaced by Greek Minister cylinder. We're edited by Greek Minister cylinder that labour is Routemaster. Cylinder
Transcript generated on 2020-02-13.