Speaker 1: Welcome to Tech Stuff, a production of iHeartRadio's How Stuff Works. Hey there, and welcome to Tech Stuff. I'm your host, Jonathan Strickland. I'm an executive producer with How Stuff Works and iHeartRadio and I love all things tech, and it is time for another Tech Stuff classic episode. This episode originally published on May two thousand twelve, and my former co-host and editor Chris Pollette and I sat down to talk about Operation Ghost Click and domain name servers and this issue that was going on at the time, and I think it's pretty fascinating. It also gives you an idea of how DNS works. So I hope you enjoy this classic episode. To get there, you follow Highway fifty eight going northeast out of the city, and it is a good highway and new. All right, we're talking about numbers today. Yes we are. We're talking about getting to where you're going and getting diverted along the way. So, as of the recording of this podcast, which is in April, there is a story that's actually not a news story necessarily.
Speaker 1: It first started to kind of make the news way back in November of, but it's kind of sort of bubbled up, and it's an operation that the FBI, the Federal Bureau of Investigation, has headed up, and it all involves hacking into the Internet and, uh, messing around with Internet traffic. It's called Operation Ghost Click. That's a nice name. I always love hearing the operation names. It is a wacky doctors game. So, um, I think first, before we get into too much detail, we should probably talk about how Internet traffic works. We've mentioned that on the podcast on a handful of occasions. I think when in fact we got into the domain name system, DNS system, or sorry, that was redundant, the DNS, uh, no, servers, um, well, are both, because DNS can mean both, but right, right, right. So yeah, we talked about it before.
Speaker 1: And basically every website has a, is, um, has an address, a physical address, well, physical address on a hard drive, a physical hard drive somewhere, and these numbers, there are four sets of numbers separated by periods, and that address is unique to that, um, space on that physical hard drive somewhere. And so if you typed in, um, h-t-t-p colon slash slash and this number, you will get to a website. Of course, that's very inconvenient because then you either have to write down these numbers or bookmark them, or, you know, you have to have some sort of weird Total Recall thing going on where you can just easily remember any series of numbers, which would make you incredibly useful, but it would also make you very rare. Most of us, most of us are just not... It's not something humans are particularly good at doing on average. So that is what kind of gave rise to the idea of having this domain name system.
Speaker 1: Yes, now, domain name system, what it does is it allows you to create a domain name, as in words that correspond to whatever your site is, and then that itself is mapped to this series of numbers, this IP address, right, the IP being Internet Protocol, um, which is the language that gets, uh, you know, you from one place to another on the Internet, regardless of whether you're using a Windows machine, Mac, or Linux, or mobile thing. It gets you to the same place. And what allows you to type in howstuffworks dot com and get to our website. Yes, so if you were to type howstuffworks dot com, what have... is that request? You know, what you're essentially doing is you're telling your browser, I want access to this particular website. Your browser sends this message along up a chain of command, and, uh, you know, it has to go out to the right computer that has the website living on it and retrieve that so that you get an instance of it back at your machine. In order to do that, it has to first map that... one needs to have is the name that you're typing.
Speaker 1: It has to be mapped to that physical machine, that physical drive. Uh, and it does this by going through domain name servers. A domain name server is essentially like, think of it kind of like a phone book. Yeah, so that all the different URLs you could type in are indexed against these numerical addresses. And then that way, once you type in the URL, it looks for the corresponding numeric address, pulls information from that particular source, and then serves it back to you so that you get what you asked for. Well, that you asked for it, you got it anyway. So, um, the whole deal here is that you are going to get the right information. Yeah, assuming that everything's working correctly, and occasionally stuff messes up. There might be, uh, the computer that hosts the site might be down, in which case you're going to get something like a 404 error because the Internet is not going to be able to find the file that you've requested. We're very sorry. The Internet is broken. The elders of the Internet called and they said, no more Internet for you.
Speaker 1: But most of the time it's gonna work just fine. However, what happened in the case of Operation Ghost Click is that, uh, the FBI discovered there were some people who had created some rogue DNS servers. So, in other words, these folks, six Estonian nationals, according to the FBI, um, got together and created these servers that acted just as a domain name server would. So in other words, it had a collection of URLs, an index of URLs and an index of numeric addresses. So it was like a fake phone book, right? Exactly. Some of the entries in this fake phone book went to different phone numbers, so instead... literally, yeah, but we're sticking with the analogy, sticking with that analogy, just making... so instead of the official phone number for a particular website, you would get a fake one, and it would, in other words, you would go to a fake numeric address for a real site. So you might type in the address perfect in your URL bar. Right, so let's take a random example. Let's just say Yahoo. So you do www dot Yahoo dot com.
Speaker 1: You hit enter. Now, normally, in a regular DNS server, it would look up that URL, look to see what the numeric address is for that URL, send that information out, retrieve the website, and serve it up to you. A rogue DNS server would look up that URL, look at the numeric address that was created for that URL, but it isn't actually the address for Yahoo. It's an address for something else, and it serves that up to you. Now, why would anyone do this? There are a couple of different reasons. Now, in the case of the Estonians, they were doing something I think that was kind of, uh, deviously clever. They were doing this in order to reroute traffic to bring in advertising money. So in other words, what they wanted to do was... the way advertising on the Internet works in general is that you get paid for a certain number of views of the ad. It's called impressions. The number of impressions an ad gets, that translates to money. And if you get lots and lots and lots of impressions, you get lots of money. Um.
Speaker 1: Then in general a single impression is worth a fraction of a cent. Yeah, but if you can say, hey, you know, I can promise you that five million people are going to see your ad, then you can command a good price for your services. Right, so very popular websites can tend to charge more than sites that don't get a lot of traffic. Makes sense. Right. Let's say that you have a billboard next to a busy highway. The price for that billboard, to put it out on that billboard, is probably gonna be higher than a billboard that's next to a rural road that doesn't get a lot of traffic. So anyway, the same sort of logic applies on the web. So what these guys were doing, I say guys, what these Estonians were doing, because I don't know their gender, uh, they were using these rogue DNS servers to reroute traffic to go to different websites that had specific ads on them that the Estonians were administering, and then they were pulling in the money. So they were redirecting traffic. It's like putting in a detour in your route.
And 152 00:09:14,200 --> 00:09:16,160 Speaker 1: so you're going down your normal route to get to 153 00:09:16,160 --> 00:09:18,839 Speaker 1: wherever you're going, and you see a sign that says, oh, nope, 154 00:09:18,840 --> 00:09:21,320 Speaker 1: the road is out. Up ahead, take a right instead 155 00:09:21,360 --> 00:09:24,400 Speaker 1: of going straight, and you will go through a different route. 156 00:09:24,559 --> 00:09:26,880 Speaker 1: And along that route you decided to stop and eat. 157 00:09:27,080 --> 00:09:29,240 Speaker 1: And normally you would stop and eat at your favorite restaurant, 158 00:09:29,280 --> 00:09:30,960 Speaker 1: but you can't get to that one because it's on 159 00:09:31,000 --> 00:09:32,960 Speaker 1: the road that's been closed. So you go to this 160 00:09:33,000 --> 00:09:35,560 Speaker 1: other restaurant and it all turns out that it was 161 00:09:35,600 --> 00:09:38,000 Speaker 1: employed by the other restaurant in the first place. They 162 00:09:38,000 --> 00:09:40,840 Speaker 1: put that detour sign up because they wanted to get 163 00:09:40,880 --> 00:09:43,959 Speaker 1: some more foot traffic or some more some more diners 164 00:09:44,160 --> 00:09:47,880 Speaker 1: to come in. That was the general plan. Now, the 165 00:09:47,960 --> 00:09:52,040 Speaker 1: question is how do you get that rogue DNS server 166 00:09:52,440 --> 00:09:55,240 Speaker 1: to get in the line of traffic so that people 167 00:09:55,240 --> 00:09:57,640 Speaker 1: will visit it in the first place. Yeah, because if 168 00:09:57,640 --> 00:10:00,720 Speaker 1: you're typing in an address that you already know, say 169 00:10:00,760 --> 00:10:04,800 Speaker 1: Discovery dot com, you should theoretically be routed to the 170 00:10:04,880 --> 00:10:07,240 Speaker 1: right place. As long as your computer is configured correctly 171 00:10:07,600 --> 00:10:09,280 Speaker 1: and the Internet is working. The way it's supposed to. 
Speaker 1: I mean, what are they gonna do? Are they gonna go in and kick out the legitimate DNS machine and replace it? No, it was very clever. They created a kind of malware, and the malware is essentially called DNSChanger, and so DNSChanger would change the DNS settings on your computer or other device or even router, which was particularly nasty because if it changed on the router, then any device that connects through that router would be affected. Also, it's unlikely that you're going to have antivirus software on your router, although you might on your computer. Now, the way that they did this with the router was the easiest way, and it's the easiest way for someone to prevent it from happening to them. The way that worked on the router was that they just ended up using a list of generic usernames and passwords that tend to be, um, uh, administered over various routers.
Speaker 1: So you pick a router, like whatever router you happen to use, that router tends to have a standard username and standard password that you are supposed to change once you install it into your home network. But a lot of people never get around to doing that. They install the router and then they don't bother changing the username and password, which means that anyone who knows what the standard username and password is for that brand of router could get access to that network. That's what they were doing in this case. But in order to change the computers themselves, not the router, what they had to do was convince people to download some malware and execute that. Now, social engineering, yeah, lots of different ways of doing that. You know, there's the very standard way where they include some, uh, they put on a website that you might encounter, or a little pop-up that says, hey, your antivirus software is out of date. Install this and we will scan your computer for viruses, and free, yeah, for free.
Speaker 1: And in fact it really is a virus itself that installs to your computer. You know, you think you are trying to head off some sort of malware and in fact you're actually installing malware to your computer at the time, or it can be through email attachments, you know, all the standard ways that malware propagates across the web. Any of that would work to get this particular kind of malware onto your machine. Once you installed it, whether it was through a trojan program or whatever, it would go and reset the DNS settings on your computer, and it would direct your computer to go to these rogue DNS servers as opposed to your Internet service provider's DNS servers, because, uh, the ISP has its own, right, that passes the information up along the chain of command. So you would bypass your ISP's servers. You would go to these rogue servers, and then you would be directed to whatever website they wanted to direct you to for any particular URL. For some URLs, you might just get the regular website you're sent along to and nothing bad happens.
Speaker 1: For other URLs, you might be directed to a site that looks very similar to the one you wanted, but something isn't quite right. And, again, they were just doing it for the advertising money. The scary thing is they could have done this for any other reason and actually tried to steal stuff directly from the user. Now in this case, that doesn't seem to be what they were up to. They were up to just redirecting that traffic. So you might think, well, that's annoying. I mean, I'm not going to get to the website I want to go to unless I type in the actual, uh, numeric address physically, then I would go to it. But, uh, while it's annoying that I wouldn't go to the site that I wanted to go to, at least they're not stealing from me. But they could have. They could have directed things so that you would go to dummy websites that look similar to official ones and put in a system where you type in your username and password and they would log it. They could have logged it; they didn't.
Speaker 1: They could have logged that information, thus getting access to various accounts across the Internet. They could have gotten access to email accounts, bank accounts, you know, anything that would require authorization. They could have done that. Uh, and what would probably have happened is that you would have logged in. Let's say that you try to go to your bank's online banking site and you might get a site that looks very much like your bank's site. In fact, it might even look almost identical. Um, the address might look a little hinky, but if you were the type of... you use the name and password. Likely you would get a response saying, oh, site's down for maintenance. But what's really happened is that that information has been logged by hackers. That could have happened, or they could have directed you to a site where you would have been encouraged to download even more malware, perhaps a back door access program so that your computer would become part of a botnet or any other kind of hacking tool. It's really... the options are pretty much unlimited. Now.
Speaker 1: In this case, again, it was just to redirect traffic. However, there were some other problems that would happen if you were affected by this virus. You might not, you know, you might not have anyone stealing from your bank account or anything. But one of the things the virus does, which is pretty much standard operating procedure for viruses, is it turned off the features on your operating system and your antivirus from updating, so that you wouldn't be able to get the latest security patches that would prevent this, uh, program from working. So first step, pretty much, of any malware is let's disable the stuff that can turn this off. So anything that would automatically turn the malware off was disabled. So that's a problem because it means that even if you aren't being actively preyed upon by these particular hackers, uh, future attacks could hit you much more easily because you are no longer protected, which is pretty bad. That's what we call a bad thing in Internet security.
Speaker 1: And there were about, what, four million people around the world in about a hundred countries that were affected by this, and then thousand in the United States. And it wasn't just, uh, you know, citizen users, it was also businesses, government computers. Um, I think there were even like a couple of computers over at NASA that were affected by this. And, uh, the good news that we have is that the FBI arrested these six Estonian nationals that were identified as being part of this, running, actually running this ring. Yeah, they were going to try to have them extradited to the United States. Yeah. And they've also taken over the rogue DNS servers they have identified as being part of this, and those rogue DNS servers are now acting like legitimate DNS servers, which is great. That means that as a user, when you try to visit a website, you should get what you're supposed to get. However, there's a problem, because your computer still has... if you're affected, your computer still is directing you to the wrong set of servers.
Speaker 1: You're still getting the right result, but you're going... and you're not going to the regular chain of command that you should go to. And the FBI is not going to be running these servers forever, and in fact, in July, they're going to turn them off. And once those turn off, if your computer is being directed to those DNS servers, you may not have any more Web access, at least not through typing in a normal URL, because your computer is going to try and go through a pathway that doesn't exist anymore. Chris and I have more to say about Operation Ghost Click, but before we get there, let's take a quick break to thank our sponsor. So, the important thing to do is to determine whether or not your computer has this infection, and if it does have the infection, to clear it up. And, uh, the first one is easier than the second one. The FBI actually set up a website designed to help you identify whether or not you have been affected.
Speaker 1: Yes, um, you can go to the FBI's website and follow the links to find out about whether or not your computer has this problem. And there's actually a couple different ways of doing it. They've set up a URL where what it does is it pings a server, and if it gets a positive result saying that you're fine, uh, you get a screen that has this big green icon on it and says you're good. Um, if you're not fine, you get a big red icon which says, this is saying that you're, you know, it's going through one of the rogue DNS servers. They've also identified a range of the IP addresses that, you know, you can check your DNS settings on your computer yourself. If you're using a Windows machine, you go to a run command and you type in ipconfig /all, uh, and then that'll pull up your DNS settings and you can see what the numeric address is for the server that you go to, and if it falls within the range that's been identified by the FBI, you know that your DNS settings are wrong.
Clearing this up 339 00:19:35,680 --> 00:19:38,440 Speaker 1: and getting rid of the malware is a little tricky. Uh. 340 00:19:38,480 --> 00:19:40,960 Speaker 1: The easiest way I can think of to do it, 341 00:19:41,000 --> 00:19:43,040 Speaker 1: if I were doing it myself, is going to a 342 00:19:43,040 --> 00:19:48,040 Speaker 1: computer that I know has not been affected and downloading 343 00:19:48,160 --> 00:19:52,480 Speaker 1: the latest antivirus software I can find. Most 344 00:19:52,520 --> 00:19:55,880 Speaker 1: of them have an option where you can put a 345 00:19:56,000 --> 00:19:59,880 Speaker 1: version of that onto a thumb drive. Do that, then 346 00:20:00,000 --> 00:20:03,399 Speaker 1: take the thumb drive over to the infected machine and 347 00:20:03,440 --> 00:20:06,520 Speaker 1: boot it into safe mode, and load up the antivirus 348 00:20:06,560 --> 00:20:09,520 Speaker 1: software from the thumb drive, and that should be able, 349 00:20:09,600 --> 00:20:12,600 Speaker 1: depending upon the antivirus software, it should be able 350 00:20:12,640 --> 00:20:16,159 Speaker 1: to scan it and remove it. Um. The FBI also 351 00:20:16,240 --> 00:20:20,800 Speaker 1: points to several web assets that can help you if 352 00:20:20,920 --> 00:20:23,320 Speaker 1: your computer does appear to be one of the ones 353 00:20:23,359 --> 00:20:25,840 Speaker 1: that's infected, and those may work very well for you. 354 00:20:26,240 --> 00:20:28,959 Speaker 1: I tend to go with the antivirus approach whenever 355 00:20:29,000 --> 00:20:33,800 Speaker 1: I can. Um, it just, I don't know, I don't 356 00:20:33,800 --> 00:20:36,399 Speaker 1: know, it is. I just have a preference for that 357 00:20:36,440 --> 00:20:40,920 Speaker 1: as opposed to going like a web-based route. Yeah. Yeah, um, 358 00:20:40,960 --> 00:20:44,040 Speaker 1: but it is. It is fairly easy to uh to 359 00:20:44,080 --> 00:20:46,280 Speaker 1: get rid of the problem in this case.
It's not 360 00:20:46,359 --> 00:20:48,960 Speaker 1: like some of the others where you have to UH 361 00:20:49,040 --> 00:20:51,439 Speaker 1: reformat your hard drive to get it back. Yeah. I mean, 362 00:20:52,080 --> 00:20:56,600 Speaker 1: there's there's something depending on how tech savvy you are, 363 00:20:57,200 --> 00:20:59,840 Speaker 1: it's pretty easy. If you're not terribly tech savvy, it 364 00:21:00,040 --> 00:21:02,199 Speaker 1: maybe it may be worth it to take it to 365 00:21:02,440 --> 00:21:05,800 Speaker 1: a computer professional to have them scan it and remove 366 00:21:05,800 --> 00:21:08,560 Speaker 1: it and take care of it for you, because the 367 00:21:08,600 --> 00:21:11,360 Speaker 1: more you mess with your computer settings, the more you 368 00:21:11,520 --> 00:21:17,560 Speaker 1: may inadvertently cause some problems that can turn your machine 369 00:21:17,640 --> 00:21:21,760 Speaker 1: into a nightmare. Um and and sometimes depending on the malware, 370 00:21:21,800 --> 00:21:23,960 Speaker 1: like if you've had this on your computer for a while, 371 00:21:24,480 --> 00:21:26,879 Speaker 1: that might not be the only malware that's affecting you. 372 00:21:27,640 --> 00:21:30,679 Speaker 1: You might have other problems, in which case, uh, you know, 373 00:21:30,720 --> 00:21:34,359 Speaker 1: a simple scan and remove may not be enough. In 374 00:21:34,400 --> 00:21:37,240 Speaker 1: a worst case scenario, you might have to do something 375 00:21:37,280 --> 00:21:40,560 Speaker 1: like wipe your computer and reinstall the operating system, in 376 00:21:40,600 --> 00:21:42,200 Speaker 1: which case the first thing you want to do is 377 00:21:42,240 --> 00:21:44,400 Speaker 1: back up as much of your data as you possibly 378 00:21:44,440 --> 00:21:48,600 Speaker 1: can and then you do the wipe. 
But that even 379 00:21:48,640 --> 00:21:51,360 Speaker 1: that is, I mean, that's that's like a worst case 380 00:21:51,359 --> 00:21:55,640 Speaker 1: scenario type of thing, and hopefully none of our listeners 381 00:21:55,640 --> 00:21:57,080 Speaker 1: are in that. Well, first of all, hopefully none of 382 00:21:57,080 --> 00:21:59,840 Speaker 1: our listeners have been affected by this malware, but if 383 00:21:59,840 --> 00:22:02,600 Speaker 1: they have, hopefully it's not so severe that they don't 384 00:22:02,600 --> 00:22:06,760 Speaker 1: have other forms of malware that they can't, you know, uh, 385 00:22:06,880 --> 00:22:10,560 Speaker 1: take care of themselves. Yeah. Um, and of course 386 00:22:10,600 --> 00:22:12,160 Speaker 1: it's always a good idea to back up your hard 387 00:22:12,200 --> 00:22:15,040 Speaker 1: drive on a regular basis anyway, just to make sure. 388 00:22:15,040 --> 00:22:17,600 Speaker 1: Always back up your hard drive to 389 00:22:17,680 --> 00:22:20,400 Speaker 1: make sure that you have a version of your operating 390 00:22:20,400 --> 00:22:23,320 Speaker 1: system, uh, installed on there that you can go back 391 00:22:23,320 --> 00:22:27,679 Speaker 1: to that you know is not infected, at least hopefully. Yeah. 392 00:22:28,160 --> 00:22:30,439 Speaker 1: But that's that's pretty impressive. I mean, the FBI 393 00:22:30,520 --> 00:22:33,840 Speaker 1: has really been promoting the fact that they had 394 00:22:33,840 --> 00:22:37,040 Speaker 1: this success in taking down, or apparent success I should say, 395 00:22:37,080 --> 00:22:40,520 Speaker 1: in taking down this uh this ring, because um, 396 00:22:41,280 --> 00:22:43,200 Speaker 1: you know, this is pretty significant.
They took 397 00:22:43,200 --> 00:22:48,680 Speaker 1: away traffic from uh legitimate websites in addition to making 398 00:22:48,720 --> 00:22:53,359 Speaker 1: money for themselves with the alternate fake websites. Um. 399 00:22:53,400 --> 00:22:57,040 Speaker 1: And it does expose the fact that most people are, 400 00:22:57,080 --> 00:23:00,760 Speaker 1: you know, still having to think about what 401 00:23:00,840 --> 00:23:04,399 Speaker 1: they do because they may very well be letting 402 00:23:04,440 --> 00:23:06,520 Speaker 1: somebody in. It could have been a lot worse than 403 00:23:06,560 --> 00:23:11,800 Speaker 1: it was. Yeah, exploiting the DNS system, which again I know, redundant, 404 00:23:11,920 --> 00:23:16,320 Speaker 1: ATM machine, uh, exploiting that PIN number, um, 405 00:23:16,400 --> 00:23:19,280 Speaker 1: it was pretty ingenious, you know. Essentially, it just shows 406 00:23:19,280 --> 00:23:23,719 Speaker 1: that understanding how the Internet works and building this parallel 407 00:23:23,880 --> 00:23:30,320 Speaker 1: system that exploits the way the Internet works was very clever. Now, 408 00:23:30,440 --> 00:23:34,280 Speaker 1: of course, it still depended upon user behavior to work, 409 00:23:34,680 --> 00:23:37,040 Speaker 1: because if no one had downloaded the malware, if no 410 00:23:37,080 --> 00:23:42,000 Speaker 1: one had installed the malware, um, nothing 411 00:23:42,000 --> 00:23:44,480 Speaker 1: would have happened. You would have had these DNS, these 412 00:23:44,560 --> 00:23:47,399 Speaker 1: rogue DNS servers that would be online and would be 413 00:23:47,440 --> 00:23:50,280 Speaker 1: ready to redirect traffic to wherever they wanted it to go. 414 00:23:50,800 --> 00:23:53,480 Speaker 1: But if no one downloaded the malware, the traffic would 415 00:23:53,480 --> 00:23:57,679 Speaker 1: never have been redirected.
So really, the other lesson to 416 00:23:57,720 --> 00:24:02,119 Speaker 1: take away from this is just practice good Internet security 417 00:24:02,280 --> 00:24:07,240 Speaker 1: rules of thumb, things like don't open strange attachments from, 418 00:24:07,280 --> 00:24:10,879 Speaker 1: you know, in random emails, make sure you ask people 419 00:24:10,960 --> 00:24:13,000 Speaker 1: if they've sent you an attachment, ask them like, did 420 00:24:13,000 --> 00:24:16,280 Speaker 1: you really send this to me? Because sometimes people's 421 00:24:16,320 --> 00:24:21,400 Speaker 1: email address gets compromised and they randomly start sending out 422 00:24:21,560 --> 00:24:28,359 Speaker 1: files to people, often in uncharacteristically uh worded ways. Like 423 00:24:28,440 --> 00:24:32,080 Speaker 1: you might read a message and think, either my friend 424 00:24:32,240 --> 00:24:37,800 Speaker 1: has taken a terrible fall and decided to email me 425 00:24:37,840 --> 00:24:43,800 Speaker 1: immediately afterward, or is under the influence of some powerful 426 00:24:44,200 --> 00:24:47,320 Speaker 1: alcohol, or, you know, it just doesn't make any sense. 427 00:24:47,320 --> 00:24:49,200 Speaker 1: Like you read it and you're like, this doesn't sound 428 00:24:49,240 --> 00:24:53,720 Speaker 1: like Chris. Chris never emails me in all caps with 429 00:24:53,840 --> 00:24:56,679 Speaker 1: lots of letters missing. Um, you know, send this to 430 00:24:56,760 --> 00:25:00,280 Speaker 1: everyone you know. Um, Bill Gates will give you twenty 431 00:25:00,320 --> 00:25:04,720 Speaker 1: five cents for every email that you forward. Anyway, don't 432 00:25:04,760 --> 00:25:07,679 Speaker 1: don't open those email attachments. Yeah, and you know what 433 00:25:07,720 --> 00:25:11,000 Speaker 1: I recently realized.
Um, every once in a while, I 434 00:25:11,160 --> 00:25:13,400 Speaker 1: find a story that I want to send to somebody, 435 00:25:13,800 --> 00:25:17,120 Speaker 1: and I've realized that I was sending it, I'd say, hey, 436 00:25:17,200 --> 00:25:19,359 Speaker 1: I just saw this, you should check it out. You 437 00:25:19,359 --> 00:25:21,800 Speaker 1: know what? That sounds just like something a spammer 438 00:25:21,800 --> 00:25:24,280 Speaker 1: would write. Right, so I try to make it a 439 00:25:24,320 --> 00:25:27,560 Speaker 1: little more personal, so that, well, for one thing, 440 00:25:27,560 --> 00:25:30,800 Speaker 1: the spam filter on a lot of these uh 441 00:25:30,640 --> 00:25:32,800 Speaker 1: uh services will pull it right out of there 442 00:25:32,840 --> 00:25:36,280 Speaker 1: if it's something that minimal. So if 443 00:25:36,320 --> 00:25:40,000 Speaker 1: it fits that pattern of hey, I saw this, check 444 00:25:40,000 --> 00:25:43,119 Speaker 1: it out, then yeah, it can fall into the 445 00:25:43,160 --> 00:25:46,359 Speaker 1: spam filter pretty easily. Also, and it doesn't just go 446 00:25:46,440 --> 00:25:50,679 Speaker 1: with attachments, I mean, or links. There are links, 447 00:25:50,720 --> 00:25:54,280 Speaker 1: plenty of links are problems, but think about, gosh, I've 448 00:25:54,320 --> 00:25:57,640 Speaker 1: seen this so many times on Facebook. Clickjacking on Facebook. 449 00:25:57,720 --> 00:26:01,240 Speaker 1: We're in the home stretch for Operation Click. But before 450 00:26:01,280 --> 00:26:03,480 Speaker 1: we click on any more ghosts, we're gonna take a 451 00:26:03,560 --> 00:26:15,040 Speaker 1: quick break to thank our sponsor. So if you've ever gone, 452 00:26:15,280 --> 00:26:17,679 Speaker 1: I'm sure most of you have. Anyone who's had a 453 00:26:17,680 --> 00:26:21,080 Speaker 1: Facebook account long enough has seen this happen with their friends.
454 00:26:22,160 --> 00:26:27,399 Speaker 1: You'll look and there'll be some video link. You know, 455 00:26:27,440 --> 00:26:30,000 Speaker 1: it'll say. It won't be an embedded video, so it's 456 00:26:30,040 --> 00:26:33,000 Speaker 1: not something that plays within Facebook, but you'll see like 457 00:26:33,040 --> 00:26:36,400 Speaker 1: a link to some incredible video and it usually has 458 00:26:36,440 --> 00:26:38,840 Speaker 1: to do with either violence or sex. Those tend to 459 00:26:38,840 --> 00:26:42,199 Speaker 1: be the two big ones. Yeah. Yeah, you go for 460 00:26:42,240 --> 00:26:45,680 Speaker 1: those base instincts that we humans have and uh and 461 00:26:46,080 --> 00:26:48,040 Speaker 1: you get a lot of results, which is kind of 462 00:26:48,359 --> 00:26:52,119 Speaker 1: a sad commentary, but that's a different podcast. Anyway, there's 463 00:26:52,160 --> 00:26:54,600 Speaker 1: a you know, you'll you'll see this link And I 464 00:26:54,600 --> 00:26:58,760 Speaker 1: saw one recently and immediately I was like, my red 465 00:26:58,760 --> 00:27:00,760 Speaker 1: flag went up as soon as I thought. First of all, 466 00:27:01,000 --> 00:27:02,720 Speaker 1: I was like, this doesn't seem like the kind of 467 00:27:02,760 --> 00:27:05,600 Speaker 1: thing this person would have shared, Like they might have 468 00:27:05,640 --> 00:27:07,760 Speaker 1: clicked on a link but it doesn't seem like something 469 00:27:07,800 --> 00:27:10,679 Speaker 1: they would have themselves shared. 
And it was supposedly 470 00:27:10,680 --> 00:27:14,280 Speaker 1: a video about Justin Bieber being stabbed at a concert, 471 00:27:15,080 --> 00:27:18,240 Speaker 1: and as soon as I saw it, I thought, uh, 472 00:27:18,280 --> 00:27:22,680 Speaker 1: this has clickjacking written all over it. And immediately 473 00:27:22,680 --> 00:27:25,600 Speaker 1: I went to one of my favorite references for this 474 00:27:25,640 --> 00:27:29,159 Speaker 1: sort of thing, snopes dot com. So Snopes is all 475 00:27:29,200 --> 00:27:31,919 Speaker 1: about urban legends, but they also look at things like 476 00:27:32,080 --> 00:27:35,919 Speaker 1: internet hoaxes and clickjacking. And I did a 477 00:27:35,960 --> 00:27:38,040 Speaker 1: quick search and sure enough, this is something that's been 478 00:27:38,040 --> 00:27:40,159 Speaker 1: around for a while, and it's just like 479 00:27:40,200 --> 00:27:42,920 Speaker 1: a lot of other clickjacking. It has these cycles that it 480 00:27:43,040 --> 00:27:47,040 Speaker 1: goes through where you'll have an initial pop up of 481 00:27:47,119 --> 00:27:49,600 Speaker 1: this and then it dies down, and then it'll pop 482 00:27:49,680 --> 00:27:51,879 Speaker 1: up again, and it'll do that three or four times. 483 00:27:52,320 --> 00:27:55,080 Speaker 1: Current events are often, yeah, and I mean it's 484 00:27:55,280 --> 00:27:57,159 Speaker 1: you'll find some of these that have lasted 485 00:27:57,160 --> 00:28:00,440 Speaker 1: for years that basically, they don't necessarily have to 486 00:28:00,480 --> 00:28:04,600 Speaker 1: be about Justin Bieber, for example, that may be the uh 487 00:28:04,920 --> 00:28:08,239 Speaker 1: the clickjack du jour. Yeah exactly, or, you know, 488 00:28:08,760 --> 00:28:11,000 Speaker 1: five years ago it could have been about, for example, 489 00:28:11,000 --> 00:28:13,119 Speaker 1: Britney Spears.
Yeah, that would be a very popular one, 490 00:28:13,200 --> 00:28:16,000 Speaker 1: and Jennifer Aniston, or somebody that's in the news 491 00:28:16,119 --> 00:28:18,240 Speaker 1: right at that moment. Yeah, and it tends to be like, 492 00:28:18,680 --> 00:28:22,000 Speaker 1: or it'll be like, this news anchor 493 00:28:22,040 --> 00:28:26,000 Speaker 1: had an embarrassing moment on the news, click to find 494 00:28:26,080 --> 00:28:29,080 Speaker 1: out, that sort of stuff. And what happens is, if 495 00:28:29,119 --> 00:28:31,879 Speaker 1: you do click that, you'll get a message that essentially 496 00:28:31,920 --> 00:28:35,840 Speaker 1: says, usually something like, uh, you need to 497 00:28:35,880 --> 00:28:39,080 Speaker 1: install this extension or you need to install this video 498 00:28:39,120 --> 00:28:41,640 Speaker 1: player in order to watch this video. And if you 499 00:28:41,800 --> 00:28:45,479 Speaker 1: allow it, then it gets access to things like your 500 00:28:45,520 --> 00:28:49,000 Speaker 1: Facebook feed, as well as possibly other stuff. It 501 00:28:49,160 --> 00:28:54,440 Speaker 1: may involve other, you know, kinds of malware, but in general, 502 00:28:54,560 --> 00:28:58,600 Speaker 1: you see this get propagated across Facebook where someone 503 00:28:58,640 --> 00:29:01,280 Speaker 1: who has fallen for the trick agrees to it, and 504 00:29:01,320 --> 00:29:05,080 Speaker 1: then it continues to go across Facebook because it starts 505 00:29:05,080 --> 00:29:07,840 Speaker 1: to use that person's feed. So whenever I see one 506 00:29:07,840 --> 00:29:11,240 Speaker 1: of these, here's what I do, guys.
I immediately, you know, 507 00:29:11,280 --> 00:29:13,800 Speaker 1: I see something that raises a red flag like that, 508 00:29:14,520 --> 00:29:16,840 Speaker 1: first thing I do is I do a search on 509 00:29:16,840 --> 00:29:22,480 Speaker 1: Google for whatever the video supposedly shows, because nine 510 00:29:22,520 --> 00:29:25,160 Speaker 1: times out of ten, it's just completely made up, and 511 00:29:25,240 --> 00:29:27,960 Speaker 1: you can usually find, I find an article written 512 00:29:28,000 --> 00:29:29,800 Speaker 1: on it, or it'll be on Snopes or something like 513 00:29:29,840 --> 00:29:32,920 Speaker 1: that where it'll say, you know, this new Facebook scam 514 00:29:33,000 --> 00:29:35,600 Speaker 1: is going around, so watch out for it. Once I 515 00:29:35,600 --> 00:29:37,920 Speaker 1: have confirmed that it's a scam, I go back to 516 00:29:37,960 --> 00:29:42,160 Speaker 1: Facebook and I comment on the entry and I say, hey, 517 00:29:42,240 --> 00:29:45,800 Speaker 1: it looks like this is a clickjacking attempt. You may 518 00:29:45,840 --> 00:29:49,040 Speaker 1: want to go and change your Facebook password and 519 00:29:49,120 --> 00:29:52,680 Speaker 1: delete this post, because by deleting the post, you're going 520 00:29:52,760 --> 00:29:56,720 Speaker 1: to help remove that step for other people to 521 00:29:56,760 --> 00:30:00,760 Speaker 1: fall victim to that same problem. So I do that fairly 522 00:30:00,800 --> 00:30:03,160 Speaker 1: regularly because I've got a lot of friends on Facebook, 523 00:30:03,600 --> 00:30:06,160 Speaker 1: and this sort of thing can happen to anyone. It's 524 00:30:06,280 --> 00:30:10,320 Speaker 1: uh and it's not necessarily something that's sort of 525 00:30:10,760 --> 00:30:15,560 Speaker 1: either appealing to violence or sex.
Sometimes it's something that's 526 00:30:15,560 --> 00:30:18,800 Speaker 1: just interesting and it has nothing to do with any 527 00:30:18,880 --> 00:30:23,680 Speaker 1: of those uh uh kind of more base subject matter. 528 00:30:24,640 --> 00:30:27,240 Speaker 1: And also, I mean in general, when there's a link 529 00:30:27,280 --> 00:30:30,040 Speaker 1: in Facebook, if it's a link in Facebook, I tend 530 00:30:30,120 --> 00:30:32,840 Speaker 1: to go to Google anyway and try and get to 531 00:30:32,920 --> 00:30:35,600 Speaker 1: that link without going through Facebook, because you never know 532 00:30:36,040 --> 00:30:39,120 Speaker 1: when it's a clickjacking attempt. If it's an embedded video 533 00:30:39,200 --> 00:30:41,560 Speaker 1: within Facebook, like a YouTube video that's been embedded in 534 00:30:41,560 --> 00:30:44,160 Speaker 1: Facebook something like that, I'm all right with that. I'll 535 00:30:44,200 --> 00:30:47,640 Speaker 1: watch it that way. But for links, I tend to 536 00:30:47,680 --> 00:30:49,520 Speaker 1: go outside of Facebook to do it, just to be 537 00:30:49,560 --> 00:30:53,640 Speaker 1: on the safe side, which I'm sure Facebook hates. That's 538 00:30:53,640 --> 00:30:56,320 Speaker 1: not what Facebook wants to hear. But until they want 539 00:30:56,400 --> 00:30:59,240 Speaker 1: to track you, right, until there's better security around that 540 00:30:59,400 --> 00:31:02,560 Speaker 1: so that I'm not throwing caution to the wind and 541 00:31:02,600 --> 00:31:06,640 Speaker 1: infecting my computer, I just I can't justify it. So 542 00:31:07,160 --> 00:31:09,880 Speaker 1: that's just my own personal approach. Guys. I'm sure all 543 00:31:09,920 --> 00:31:11,960 Speaker 1: of you probably have your own sort of way of 544 00:31:12,000 --> 00:31:15,520 Speaker 1: dealing with this and avoiding problems, but it's always something 545 00:31:15,520 --> 00:31:18,360 Speaker 1: that's good to keep in mind. Uh and UM. 
Anyway, 546 00:31:18,400 --> 00:31:21,120 Speaker 1: so if you guys suspect that you might have this 547 00:31:21,240 --> 00:31:23,640 Speaker 1: DNSChanger malware on your computer, go to the 548 00:31:23,680 --> 00:31:27,680 Speaker 1: FBI's website. Use their tool first of all to see 549 00:31:27,800 --> 00:31:30,400 Speaker 1: if you get a result back. If you don't get 550 00:31:30,400 --> 00:31:35,200 Speaker 1: a result back, you're probably okay, not necessarily okay. You 551 00:31:35,240 --> 00:31:39,640 Speaker 1: can pull up that list of addresses that do map 552 00:31:39,760 --> 00:31:43,280 Speaker 1: to these rogue servers and go through your computer settings 553 00:31:43,320 --> 00:31:49,560 Speaker 1: and confirm it that way. Warning: rogue servers. So just 554 00:31:49,800 --> 00:31:53,120 Speaker 1: check your computers, make sure you're fine, because if 555 00:31:53,120 --> 00:31:57,080 Speaker 1: you're not fine, then once the FBI turns these servers off, 556 00:31:57,120 --> 00:31:59,760 Speaker 1: you may have some problems accessing stuff over the web. 557 00:32:00,080 --> 00:32:02,840 Speaker 1: And then you're thinking, what the heck happened? And that 558 00:32:02,880 --> 00:32:05,400 Speaker 1: wraps up another classic episode of tech Stuff. Hope you 559 00:32:05,400 --> 00:32:07,600 Speaker 1: guys enjoyed it. It gives you a little bit of a 560 00:32:07,600 --> 00:32:12,920 Speaker 1: glimpse into the past and this Operation Ghost Click problem 561 00:32:13,000 --> 00:32:18,320 Speaker 1: that was plaguing us in the spring of If you 562 00:32:18,360 --> 00:32:21,640 Speaker 1: guys have any questions or maybe suggestions for future episodes, 563 00:32:21,680 --> 00:32:24,160 Speaker 1: you can send me an email, the address is tech Stuff 564 00:32:24,320 --> 00:32:27,480 Speaker 1: at how stuff works dot com, or pop on over 565 00:32:27,520 --> 00:32:30,560 Speaker 1: to our website, that's tech stuff podcast dot com.
That's 566 00:32:30,560 --> 00:32:34,560 Speaker 1: where you're going to find links to all our classic episodes, 567 00:32:34,560 --> 00:32:38,160 Speaker 1: including all of our new episodes. You'll also find links 568 00:32:38,200 --> 00:32:42,000 Speaker 1: to our social media presence and a link to our 569 00:32:42,040 --> 00:32:45,760 Speaker 1: online merchandise store, and every purchase you make there 570 00:32:45,760 --> 00:32:48,240 Speaker 1: goes to help the show, and we greatly appreciate it, 571 00:32:48,720 --> 00:32:56,760 Speaker 1: and I'll talk to you again really soon. Tech Stuff 572 00:32:56,800 --> 00:32:59,240 Speaker 1: is a production of iHeart Radio's How Stuff Works. 573 00:32:59,280 --> 00:33:02,000 Speaker 1: For more podcasts from iHeart Radio, visit the 574 00:33:02,040 --> 00:33:05,320 Speaker 1: iHeart Radio app, Apple Podcasts, or wherever you listen 575 00:33:05,360 --> 00:33:11,000 Speaker 1: to your favorite shows.