¶ Tap-to-Pay Security and Vulnerabilities
All it takes is once. And that's what these actors are counting on. It's a numbers game. For the last two years or so, Ford Merrill has been investigating a sprawling criminal enterprise. It is so sprawling, Scott, as to be kind of hard to find a way into explaining. So to start, I wanna talk about tap to pay on mobile phones. Okay.
I'm assuming you use tap to pay on your phone, Scott. I do. NFC is great. I love having a credit card linked to a phone. I forget my wallet all the time because I am old and forgetful. Me too, but I always have my phone because I'm addicted to it. It's very useful. Tap to pay is interesting.
When you tap your phone on a payment terminal, the device isn't sending your real credit card information. Instead, it's basically like proving to your bank that this specific phone is authorized to act as your card. The phone and the terminal do a little handshake over NFC, and then your phone sends two pieces of information.
First is a token. The token looks just like a normal credit card number, 16 digits, but it's not your real number. It's a device account number created when you first add your card to Apple Pay or Google Wallet. It only works on that device. The merchant never sees the real number; they just see that token. And if someone steals just the token, it's useless on any other phone. The token is bound to the device and validated using keys stored inside of the phone's secure hardware.
This was the whole pitch when they brought this stuff out: your credit card number will be protected in these NFC transactions. It'll be more secure, even online payments using something like Apple Pay or Google Pay, because we are not using your credit card number. If there's a compromise to their payment database, it won't affect you. Exactly. Because the second thing your phone sends is this little piece of cryptographic data.
That's created inside of your phone's secure hardware. And that little cryptogram is unique to the actual transaction. It's time limited and it's mathematically tied to the device's secret keys. Those secret keys are issued to the device during this process we're going to be talking about a lot this episode, called wallet provisioning. That's when you add the card to your phone, and they're stored in hardware that the operating system can't even really access.
So the phone sends the info to the terminal when you tap it to pay, and that sends these two little bits of information through the normal payment rails, like the processor, the card network, and finally it all gets to your bank. The bank checks whether the token belongs to the cardholder and whether the cryptographic code matches what the device should have produced based on those secret keys. If all of this lines up, the bank says cool and it approves the transaction.
This all happens super fast. And during this process, no credit card number, as you mentioned, Scott, is ever exposed. And that one-time code can't be reused. That's tap to pay. Tap to pay. Next. As I understand it, and as you said, in basically every way that matters, this is a lot more secure than a traditional credit card.
Even if someone skims all the info from that transaction, they can't really do anything with it. They don't have the phone. The code was time sensitive. Therefore, it's all more secure. That's not really the case with a normal credit card number. They need all these extra layers of fraud detection and prevention in case you were to lose it. If the number gets used on, like, a different continent 30 minutes after you last used it where you live, a bunch of alarms go off.
The insecurity of the classic credit card is so bad that they use probabilistic modeling and behavior modeling to try and make them moderately secure. But there's nothing going on there that's actually making them secure. They added three extra digits, what, twenty years ago, to the back of the card. That really locked it down. Yeah, really, but you can't use the card without those three digits. So every payment database has those three digits in it as well. So it's
It's not really a thing. Fraud systems with tap to pay still watch for weird device and spending patterns, but the cryptography of all that does way more of the heavy lifting than it does for, like, magstripe or just the plain card number payment. Tap to pay can afford to be a little more loose.
¶ Smishing Triad and Lighthouse Platform
So we get to our subject this episode, and maybe, as an exercise, we're gonna imagine exactly what you would have to do to compromise mobile wallet tap to pay at any kind of scale. First, you would need a system for stealing the credit card info, like the original number, in the first place. There's a whole world of solutions for how to steal credit card numbers. Traditionally a very common one has been smishing, like spam text messages that trick people into
going to a fake site, filling in their credit card info. If you really want to get nasty with it, you could spoof an e-commerce site that people might willingly go to on their own. And then, I don't know, maybe promote your fake version of a real e-commerce site on, just to pick a random example, Facebook. Mm-hmm. Mm-hmm. You can listen to our episode about
what percentage of Facebook's revenue is the kind of scam ads I'm describing right now. Not to mention some physical tactics like skimmers. Yep. They have massive issues with skimmers at, like, gas stations and ATMs that are in public. You know, the classic old-school way of stealing credit card information, which mobile tap to pay prevents against with all that cryptography. Then this is where you'd have to get really innovative.
Because as we mentioned, traditional credit cards have a robust security layer for fraud detection, but tap to pay is less so. But getting someone's credit card number that you've stolen added to your mobile wallet on a phone you're controlling, without their consent? That would require custom-built automated software that works in concert with the spoofed e-commerce site to auto-add that credit card to a phone wallet you control.
You might, for example, do this by displaying the credit card number on a fake credit card on one screen and then having a phone with its camera open over here scan that fake credit card to upload the information basically instantaneously. At which point
two-factor authentication is gonna occur. The fake e-commerce site that they're staring at, that they think they've uploaded their real credit card information to, might tell them a lie, like "your bank requires a code to approve this transaction." They get the two-factor authentication code to add their credit card to a new wallet.
Maybe it auto-fills on the fake e-commerce site, and boom, they have then unknowingly verified someone else's phone to be able to spend money on their credit card. It's quite ingenious. It's elaborate. Yes, elaborate. The idea of setting up all of this physical infrastructure, having a virtual card simulator, because chances are, like, I know
when I add cards to my phone, it wants the card to match the style of card it is. So I wonder if they don't have fraud preventions in there to be like, well, this doesn't actually look right. You know, the numbers and stuff check out, but the card doesn't match the aesthetic that we would expect.
You know, there's probably catches like that in there that they've had to deal with. So when they read your card in, they're gonna have to look up and find out what kind of card it is and immediately render something out that then a phone scans in and adds to a wallet. It's clever. It's very clever. This wallet provisioning process
is an innovation that traditional smishing and credit card fraud never really had cracked. And I'm letting this all sound as complicated as it is to give a sense of the scale of the enterprise that is the subject of this episode, which Ford Merrill has been researching. And I have to kind of give them a bit of a compliment. They have been so innovative and so creative
over the years and months that we've been tracking them, that they've continued to adapt and pivot. It's called the Smishing Triad, and a main player within that is a phishing-as-a-service developer called Lighthouse. To me, Lighthouse looks a lot like a vertically integrated business. Specifically, like enterprise-grade software. Because that whole software stack that I described, from thousands of fake e-commerce site templates
through to this never-been-done-before wallet provisioning process. All of it, that stack, they license it out to people. Wallet provisioning is one of a handful of features inside of Lighthouse that have never really been done at scale in these kits. Lighthouse is innovating in weird new ways that, as we discuss this episode, are just getting weird.
¶ Google's Lawsuit and Operation Scale
This is the second recent story in which a giant Google lawsuit plays a role. They issued a lawsuit against 25 unnamed John Does. They highlighted more than 1 million victims across 120 countries, between 12 and 115 million US payment cards compromised, 200,000 fraudulent websites linked to activity of Lighthouse, with about 25,000 phishing domains, and an estimated 1 billion US dollars in fraud losses tied to Lighthouse enterprises.
In Google's own words, the lawsuit described Lighthouse as a "phishing for dummies" kit powering a, quote, relentless smishing operation. The population of the USA is, you know, roughly three hundred and forty, three hundred and forty-five million. So when you start talking about upwards of a hundred and fifteen million credit card details, it's insane. Yeah, you're talking about a third of the country.
And if you assume a third of the country is children that don't have credit cards, you're actually talking about, like, half of the country. That's wild. Yeah. It's enterprise-grade software is what it is. And we talk about this in the interview. I love, you know, we've talked about this a few times in multiple episodes, just how cybercrime is becoming its own enterprise and its own market niche. A hundred percent.
And this is one of those things where you've got a business that's now spending on research and development, developing new products and services to bring to their market. The real question that I have, though: do you think they bill like a monthly flat rate, or do you think it's a percentage of take?
Sure, is it a commission or is it, like, "we take fifteen or twenty percent of all revenue generated," or is it something like "just give us twelve thousand dollars a month"? I'm sure they'll take your money if you want some tools for smishing people. Yeah. Yeah. Ready to jump in? We are, but I think there's one last thing we have to do. I think this is our last episode that comes out before the holiday season. You are correct. So I think we just gotta wish a big happy holidays
to all of the fans and listeners of the show. We thank you so much for your time and attention. And we hope we keep you company when you do all the fun things in life that we all listen to podcasts while doing. And we love to see the comments of people washing their dishes and mowing their grass. A lot of commuting. I think aside from that, there's been some requests for a hotline hack.
Mm-hmm. So stay tuned. That's gonna come out sooner than you might think. It will. Thank you so much for spending this year with us. It means a lot to us. We really appreciate it. We're excited for one last one this year. This is a wild one. I got on the horn with Ford Merrill, Senior Director of Research and Innovation at SecAlliance, part of CSIS Security Group, to talk about Lighthouse and the Smishing Triad here on Hacked.
¶ Ford Merrill's Investigation and Lighthouse Overview
Ford, good to get to talk to you. This is a wild story. We have enterprise-grade software, an organized crime operation. I have to think even with all of your experience in this, the years of research, you must still get struck by this feeling of, like, wow, this is pretty out.
Yeah. I mean, when we started looking into this, when I started looking at it around August twenty twenty-three, we really had a huge revelation and we were shocked that this was the first group we had ever seen using digital wallets for fraud, like Apple Wallet and Google Pay. But at every turn there have been sort of innovations that also just kind of leave us a little bit flabbergasted or just impressed at the ingenuity and creativity of these threat actors.
I want to start super high level. You've been researching this organized crime syndicate built around these phishing scams for years now, long before any of us in the public had a name like Lighthouse to kind of point towards. Super high level, what is Lighthouse and where did it come from? Take me through.
Yeah. Well, maybe we even zoom out above Lighthouse at a higher level, right? What we've been looking at is sort of Chinese smishing, and what that is is, like, all these package delivery or re-delivery messages people have been getting, all the toll road scams that have been prevalent in North America. They've also done things like government impersonation, tax refund scams,
and various other lures, but it starts with a text message or an iMessage or an RCS that you receive telling you to, you know, click this link to have a package re-delivered or pay a small toll fine, something along those lines. Mm-hmm. And subsequently the victim will lose their personal information, their credit card information, and the most important and interesting sort of innovation from them was the ability to do real-time two-factor or multi-factor authentication bypass.
So they'll also recover the victim's text message or SMS-based OTP code, and that will be used for other types of fraud that require multi-factor authentication bypass. And so Lighthouse is a phishing-as-a-service developer, effectively, that makes software to enable people to do this. Google, in their complaint, I guess, that we'll talk about in a bit, called it sort of "phishing for dummies."
You pay a couple hundred dollars a month. You get the software to run these smishing and phishing sites. They're all templated and skinnable, so you can just pick whichever country and whichever organization you want to impersonate, whether it be United States Postal Service or, you know, DHL or FedEx or whatever it is. And then you point a domain at the thing and start spamming out, and that's
all you have to do. I mean, you alluded to this, but the thing that struck me about this is just how industrial it feels. There's this enterprisey quality to it. I think Google says Lighthouse hit about a million people, a hundred and twenty countries, up to one hundred and fifteen million credit card numbers,
profits in the billions. I guess my question is, again, super high level, where does a cybercrime operation end and a, not legal, but basically just a software-as-a-service industry project begin? And is that
¶ Industrialized Cybercrime and Revelation
Is that boundary, that binary, even real at this point? Well, I mean, I'm not sure I really have a great answer for that, other than just to say, I mean, definitely we've been sort of shocked by the scale of these operations. I totally agree. They're industrialized, they're automated, they operate like a business, this whole ecosystem. It sort of evolved just like it would in a capitalist society, in the sense that
certain actors in this ecosystem specialize in very specific things. So the phishing-as-a-service developers, all they do is make the software that you run on the website. There are people that do nothing but specialize in spam operations for text messages, iMessages, so on and so forth. There are people that specialize in the money laundering side of things. Just so many different aspects
that, yes, this is organized crime. It is sufficiently advanced at this point, and where it really starts and when it transitions to become, you know, at that level where you now determine it as organized, I'm not sure kind of the inflection point, but it's there and it has been for some time. I wanna dig into the tech, but just one last little thing.
Just for you personally, what was the thing or moment that pulled you into all of this? Like, what did you see that made you realize this wasn't just spam text messaging as we're used to it? Kind of take me through that personal story for you. At my day job, I've been involved in a lot of work around anti-phishing. I developed an anti-phishing platform where we basically track all the phishing sites in the world and we do
mitigations and takedowns and stuff like that for customers. But we were tracking in twenty twenty-three just this massive spike in package delivery fraud. All of a sudden we were just seeing tens of thousands of domains targeting United States Postal Service. And we were like, you know, this is the largest single campaign we've ever observed, right? And
we started looking into it and we ultimately kind of got lucky because some of the threat actors left some of their phishing kit source code behind. That was Wang Duo Yu, also known as Lao Wang, who would later go on to create Lighthouse. And so we had this very early version of his phishing kit. We were able to identify him, identify his Telegram channel, and start to kind of peek behind the curtain into this whole ecosystem.
And from there it just kind of snowballed. I mean, we saw that they were involved in the digital wallet fraud, that part of what these phishing kits enabled was the bypass of two-factor and then subsequently taking the victim's card and putting it into a wallet. And that for me was the point. I was like, okay, this is something really big.
And I started putting together a presentation deck about it and started talking to some of our customers about it, and, you know, over the years it just continued to snowball and grow and grow.
¶ In-depth Wallet Provisioning Fraud
I wanna know more about the digital wallet, that wallet provisioning layer. I think most of us think of, like, okay, what is phishing? Someone sends a text, they trick you into giving them your credit card and they go buy sneakers with it or whatever. When did you first realize that there is a meaningful innovation here, this wallet provisioning layer? Explain that kind of whole process, I mean, kind of from the start, like when you click on this link to begin with.
The actors already do some pretty important controls to make sure you're not, like, a security industry scraper or something like that. So it's gonna be geofenced to the IP, the geolocation. So if they're targeting United States Postal Service, you'll need to come from an American IP. But even more than that, they also require you to be on a mobile user agent. So you have to be on a phone to get the real phishing page.
And then once you do, it'll be an incredibly authentic-looking version of the site. They'll ask you for the personal information, you know, in this case to make sure your delivery can be scheduled or something. They'll ask you for a small payment of, like, 30 cents.
And this payment is actually never gonna be charged to your card at the time. It's just a reason for you to input the card information. And then subsequently, once you put in your name and card number and expiration and CVV, you're gonna start spinning, and presumably you think that you're waiting for, like, the card to be processed or something like that. But on the back end, the threat actors have, like, a visual representation of your card, literally like an unbranded,
imagine like a black credit card that has no branding or anything. It just has your name and your phone number on it. And what they do with it is they have a phone ready to go on the back end with, like, Apple Wallet or Google Wallet open, ready to add a card. And when you add a new card to your wallet, the first thing the device does is say, okay, can I use the camera? Show me the card. And so they would scan the picture of this card that they've automatically generated in the kit
off the screen with the camera, and the phone doesn't know it's just, like, a computer screen version of the card, and this rapidly provisions the card number into their phone so they don't need to type the numbers in, which is important because you, the victim, are waiting and spinning.
And then immediately Apple will prompt them, or Google will prompt them, and say, okay, if you want to add this card, you need to complete a two-factor step. Select: do you want email or phone? And they'll pick phone. And then you, the victim, will get advanced to the MFA bypass page, where now they'll ask you, okay, we just sent you a two-factor code, please input it here.
And you will also have just received that message with the code on the same device, most likely. This is part of the reason that they require you to be on a mobile user agent. They want you to be on the phone when you visit the site, because you're most likely to be on the same device that will receive it. And then on top of that,
if you've ever used the feature on, like, an iPhone or a Google phone where it can automatically populate the two-factor code you just received from the message in the background to whatever form you're on, victims also use that, right? So they're on that page, on the phishing page that's asking for your code. As soon as you receive it, your iPhone will tell you, hey, autofill from Messages. And you just click that button, it inputs the code. And,
you know, that's it. They're able to complete the provisioning of your card in their digital wallet, and you've effectively told your financial institution that you trust that device to spend that card anywhere,
¶ Monetizing Stolen Cards and Laundering
and no MFA will ever be needed again. So that was kind of the genius of the digital wallet angle. Unreal. Yeah. So they do all of this while you're waiting. You input the two-factor authentication. Yep. You have basically verified their device as being your device and they can go spend money on that device. Do you have a sense of, and I appreciate the scale of this is so significant that there isn't any one answer, but
now that they have a device loaded up with your card, what happens immediately after that? Where does that device go? What do they do to try and juice as much money out of this as humanly possible? Mm-hmm. So yeah, we know a lot about how this works. So in the beginning, when we first started seeing this, what was really interesting is actually they would wait almost two to three months before they did anything. Oh wow.
And part of this, we believe, is they were worried about sort of the risk control signals that it would give to a bank if suddenly a random device added a card and then just started spending right away. So in the very early days they would add these cards and they would wait a long time to spend them. But nowadays you'll be lucky if they wait, like, a couple of days, you know, one to two days, maybe three days or seven.
But then they have a lot of different ways to launder the money and get the money out of the card. Because if you can imagine, when you have a card in a digital wallet and you're just a legitimate user, I mean, there's a lot of ways you can use it. You can tap to pay for things, you can buy things online in apps. You can also tap to withdraw from ATMs in some countries and with some banks. So there's a lot of immediate options available.
And one of the things that you might think of doing is just go to the store and tap to pay for something, and that did work a lot in the early days. But as time goes on, the banks get better and better about their risk controls and all this kind of stuff. So imagine if you're a threat actor sitting in China and you have a lot of American victims' cards on your device. If you go to the store and just try to buy something traditionally,
probably the geo controls are gonna block you because you're not in the right country. But even if that purchase did go through, you're on camera, right? And eventually that transaction will be reported for fraud. There will be a chargeback of some sort, and that merchant now has you on camera, which is probably not a good look. So one of the first things they started to do was look to what we call merchant account laundering.
And the way this works in the online version of it is the threat actor will create a fraudulent account with something like Stripe or PayPal or Zettle or one of these online sort of credit card acceptance or payment provider solutions. And then with their fraudulent Stripe account, they will generate a fraudulent invoice for something like, let's say, a short-term room rental on Airbnb, five hundred dollars or whatever.
And then they will go to that invoice with the device that they have with the victim's card loaded, and they'll use the "pay with Apple Pay" function to pay themselves the Stripe invoice. And then that'll go to their merchant account. That is an interesting angle, but it's not without its challenges, because merchants are used to credit card fraud, so they withhold money for a long time, and it's not the ideal way to launder, but it is a way.
The other thing we've seen is that some of the threat actors will obtain physical point-of-sale card terminals. So just like if you run a business and you need to accept credit cards in person or tap to pay in person, you just get, like, a Square device or some other kind of physical terminal. They would obtain and collect a lot of terminals. And then they would have, you know, a hundred phones with five cards loaded on each one. So they've got, like, five hundred credit cards,
and they would generate fake invoices on, like, a little point-of-sale terminal machine and they would just tap to pay with the victims' cards over and over again. And this was another form of merchant laundering, physical merchant laundering. But the most interesting ones, and probably the ones that have driven the most losses and been most impactful,
are physical goods purchases, generally through the use of mules. Yeah. And then the other one is gift card purchases. And why those are so dangerous is because once those physical goods or those gift cards have left the building, somebody is guaranteed to take the loss. It's either the merchant that sold the product, the bank that issued the card, or the victim who had the card with the bank, but somebody is going to lose their money. And you can't really put it back in the bottle.
¶ Mules and NFC Relay Technology
So those are sort of like some of the key ways they do it. Before I jump into the mule thing and the NFC relay, do you have any questions, or should we talk a little bit more about that, and maybe something's not clear? Yeah. Because as I was reading through this, there's something that hit very emotionally different for that mule layer than the other ways that they're laundering this money. These are real people who think they're doing, like, a temporary job.
And I guess I'm curious, help people understand how that whole process works. Do you have any insight into how the people behind this see those mules? Like, tell me about them. Yeah, so our visibility into this sort of mule process is a little bit limited because we don't actually go through the process of, like, trying to become a mule ourselves and get involved in it. We just observe and see,
kind of from the discussions and the advertisements that they have. But we generally believe that they advertise on various platforms: TikTok, Facebook, you know, AdSense, other kinds of social media, probably on, like, WeChat and other forms. And they're just basically looking for people who want to make extra money by doing sort of, you know, small tasks or whatever.
And what they'll ultimately be signing up to do is buying things in physical stores, mainly gift cards, but also sometimes luxury physical goods or other products that are easily resellable. And the way that they'll do this is they will be instructed to have a certain type of phone. Usually it'll be a Samsung Galaxy phone. It's necessary to support the NFC relay story. And they will be given, like, an APK or an Android app to download.
And when they open this app, it will basically just provide them credit cards to use that work for tap to pay. So the way this kind of works fully is they will usually be in close coordination with their mule handler or the operator. And that person will be operating, I like to say, behind the curtain, right? They might be in China, they might be in Southeast Asia, they might be somewhere else.
But effectively they're sitting somewhere else with stolen cards that have already been uploaded onto digital wallets. So they have a lot of iPhones or Androids or whatever with these cards on them. And they will have another device, an Android device that is running, generally I think it's gonna be rooted, and it's running the server version of this NFC relay software.
And when they touch those two devices together, the wallet device with the card on it and their Samsung running this custom software, it will relay that NFC card to the mule that has the client-side version of that software running on their Android phone in the field. And so now the mule can basically just walk up to the point-of-sale terminal and tap to pay for whatever it is using the card from behind the curtain, from, like, ten thousand miles away.
And it works just like a real tap-to-pay transaction, because effectively it is a real tap-to-pay transaction. It's a perfect relay. And yeah, that's basically what they do. They just take stolen cards, they add them to wallets all day long. They hire mules to go out into the physical places to buy the things that they want. And the mules go up there and just buy gift cards
and so on from, like, automated kiosks or self-checkout kiosks. And they will generally then scratch the codes off of the gift cards, take pictures of them, and then send them back to their mule handler, who will cut them in on some of the money. Unreal.
¶ Scale of Operations and Workforce
So much of this seems as though I can imagine it being automated. There are stages to this process that I have more questions about, that seem like you could have running in the background on a computer somewhere. That seems like it would require a ton of human labor, like you are coordinating with a small army of people running around doing these transactions, running these fake cards.

I also saw a number: Lighthouse boasting like three hundred plus front desk staff worldwide. I'm not sure what that means. What does the scale of this mean to you operationally? What should we visually be picturing? Are there call centers full of people running this? Is this decentralized? What does this workforce look like? Well, we don't know exactly what it looks like visually, but some of the things we do know: the spam centers, or the spam operations. We've seen racks of iPhones and Androids, a hundred to two hundred phones deep on a rack, let's say twenty phones wide and five phones deep, and one operator is just visually managing a hundred phones at a time.

Those are all being automated to blast out iMessages or RCS, and maybe at some point one of the phones will get banned by Apple or something, and he'll need to pull it out of the rack, reset it, set up a new iCloud account on it, put it back into the automation and keep it going. So imagine there are many actors like that on the spamming side.

On the phishing side, and in this ecosystem as a whole, just individual channels, for instance Lao Wang, who sold Lighthouse: his Telegram channel had something like twenty-one thousand impressions or views and almost five or six thousand people in it by the time the first one was shut down by Telegram. And we track ten major phishing-as-a-service actors just like Lao Wang.

And so if he has six thousand in his channel, we know some that have ten and twelve thousand in their channel. It's tens of thousands of Chinese-speaking individuals that are in these groups. And so yeah, we believe there are easily tens of thousands of people involved in every aspect of this fraud. Some of them are going to be smaller operators that just buy access to the software, pay a spammer to send their messages, and maybe target the US or Canada or whatever their little geographic region is.

And they may do it for their own gain. Collectively, when you start to add up all these small actors, it's a tremendous amount. And then we've also seen evidence to support that there are some groups that are truly organized crime, in the sense that they're openly advertising that we do it all, from spamming to mule operations to point-of-sale laundering to phishing platforms to giving you data to target your phish. Everything is
¶ Evolution of Cybercrime Marketplace
So it's pretty big. Yeah. When I was first reading about it, I mentioned this earlier, it kind of drew a parallel with software as a service. But the more you look at it, the more it's like, yes, there's software as a service and enterprise-grade software, but there already exists a marketplace.

There's this much larger marketplace of people trying to spin up these types of operations. Someone can say, oh, I'm going to target this part of the world with this type of messaging; oh, I'm going to target this group with these types of lures. How does that fester? Where does that come from? Is this all just growing on Discord channels on the internet? Is there a top-down way of thinking about this? How did this grow in the first place?

Well, when there's money to be made, people are interested in making more. I think Lao Wang, who authored Lighthouse and also Darcula, was kind of one of the OGs when it comes to Chinese phishing operators. They developed probably some of the first really sophisticated kits that could do these real-time SMS OTP bypasses and be used for digital wallets. And so we're not exactly sure who really invented this sort of recipe, with the digital wallet cash-out angle and the real-time OTP bypass, but it was probably one of them or somebody they were close to or inspired by. And then once they started having a little bit of success doing this, I think one of the things they quickly ran into or realized, at least at that time before a lot of it was automated, was: well, one person can only put so many cards in wallets at a time, right? If you send out a blast of spam and you have a thousand victims rolling in, and let's say fifty of them are putting their cards in at the same time, and then you need to provision those, one person can't do all that. So there's a lot of loss, a lot of phish catch, that you're losing by not being able to have enough hands on the problem. And so they were like, hey, this is free money that we can't monetize. We could sell this software as a service and advertise it so that other people can get in on this action, and we can happen to profit from that activity too. And what was really interesting is that in the early days, we believe almost all of these kits were backdoored.

So their customers would pay them a fee every month to use the software and the service, but they could then come in behind and just scoop up all the card information and the victim information anyway. Now, granted, they couldn't tokenize it once the victim's no longer on the hook and they don't have the MFA anymore, right? But they could still use that card data for card-not-present fraud, or follow-up vishing or social engineering, things like that. And so it was just really interesting: they were double dipping by selling the software to their customers and stealing. And why would their customers assume privacy when they're purchasing privacy-infringing software, in a sense? Correct.
¶ Lao Wang: Lighthouse's Founder
Huh. You mentioned them a couple of times, Lao Wang, the author of Lighthouse. What do we know about them? Tell me about them. Well, what we know is kind of limited in terms of real personal attribution, but we know they've been around since February 2023.

He originally provided tuition, not just the software as a service, which he certainly did, but he also offered people the ability to be under his apprenticeship and learn how to create and modify these kits. And we believe he apprenticed somebody who he called "the young lady", who we believe later went on to become an actor known as Chen Lun, and she created what he called one of the most advanced kits his students had ever made; it was a gov.uk tax-based phishing kit at the time. But he was, like I said, a visionary, an OG. He had around seventeen brands that he targeted with his original kit, which we call version one, but his most prolific victim was the United States Postal Service, and the American people, through the use of United States Postal Service package delivery lures. By far his most popular kit. The other thing that he specialized in, and still does specialize in to this day, is fake shops. So he supports a workflow that, instead of getting a message and needing to log in and do something and lose your data, lets you set up a fake shop, an e-commerce site selling anything you want. It could be toilet paper or dish detergent or electronics, and it looks just like a real e-commerce site. And when the victim goes to check out for this product they think they're buying, they literally just lose their personal information, they lose their card information, and then they lose their OTP again, because they think they're doing that for the payment validation.

And these are a lot more sinister in some ways, because they have a lot more staying power: no messages are sent out, not a lot of people report them. They also don't require you to receive a message and click on something to be victimized. You can just be searching for something you want to buy online and see this e-commerce shop that looks to have a good deal.

And they advertise these sites on AdSense, on Google AdSense, on Meta platforms, on TikTok. I'm sure you've seen the news that Facebook had like eighteen billion dollars in revenue from scam advertisements. Things like that are driving people towards these fake shops, where they then self-victimize. So that was another big part. He was kind of a pioneer in that fake shops space as well.
¶ Legal Disruption and Google's Lawsuit
And he went on, in August of 2024, to launch the kit that would be known as Lighthouse, for a number of reasons. He wanted to modernize the code base, he wanted to make it more modular, basically just improve functionality across the board. And when Lighthouse originally launched, he only targeted 17 brands with the old kit. Within a month, he targeted 29 brands, and a month later he started targeting 63 countries.

And each of those countries would often have multiple brands. So the new kit skyrocketed his ability to scale the brands for his customers. And we believe he was very successful since early 2023. And finally Google released this civil action, this lawsuit against Does 1 through 25 related to Lighthouse, and he's subsequently shut most of his Telegram stuff down, gone dark. It looks like a lot of his infrastructure got knocked offline. So he's probably licking his wounds and rebuilding, would be my guess. Yeah, since you brought it up, this is the second story in as many months about Google being involved in a lawsuit with alleged cybercriminals. We reported on their lawsuit against a group installing malware on these cheap consumer electronics.

This lawsuit kind of frames Lighthouse under RICO, basically saying this is an organized criminal enterprise. You alluded to this a second ago in terms of him going off and licking his wounds, but from a researcher's perspective, why does Google do these lawsuits? And what role does legal action play in disrupting stuff like this? Is this just whack-a-mole, or do these lawsuits have an impact?

Well, first off the disclaimer: obviously I don't work for Google and I'm not a lawyer, so it's hard for me to do anything but speculate, but I can do a little bit of informed speculation anyway because of my knowledge of this subject. This action, or this type of action, taking civil action against a cybercriminal actor, is really interesting.

Obviously we also saw it in the past with Microsoft using it to obtain default judgments and then go after the C2s of known malware or botnets that were causing a lot of problems for Windows users and things like that. And I think one of the more interesting or ingenious parts of doing it in a civil way is that in a criminal case you really have a high bar for proof: you need a lot of proof, and it all has to have proper chain of custody and everything. There's a really high bar to prove somebody is guilty, and then you have the jurisdictional problem where, if these actors are sitting somewhere you can't really reach them or you don't have jurisdiction over them, that becomes hard to do as a criminal thing. And then, like you said, with whack-a-mole, if you do get a criminal action against somebody and you arrest some folks, there are plenty more people that are going to pop up.

And so you're going to have to rinse and repeat that more expensive process over again. Whereas with the civil action, you can file a suit against these folks in a jurisdiction that's relevant for you, and there's almost a 100% chance they're never going to come to defend themselves. So you will win by default, obtaining a default judgment. And then you can take that thing to hosting providers, domain registries, domain registrars, all that sort of stuff, and say, hey, we obtained a judgment. These actors are on your platform doing bad things and we would like you to take them down. And most legal departments are going to say, hey, to avoid any extra liability or any chance that we get caught up in this thing, they have a court order, we need to take this stuff down.

So I think at least in terms of disruption, even though it might be temporary, it does cause pain and impose costs for these threat actors. And to some extent it starts to limit their horizons, right? If they know that they can no longer use a hosting provider that used to be friendly, then they'll need to look for another one. And as these things continue to come and they get shut down from place after place and get run from provider to provider, eventually they'll be left with no other option other than the bulletproof hosters, the bottom-of-the-barrel stuff that has zero reputation. And those become easier to block and to automatically list stuff from as suspicious. So I do think it has a positive impact and it is a good approach. There are trade-offs with it, right? Tencent, I mean, on that note. It seems like a pretty large percentage of the domains linked to this were coming from Tencent and Alibaba networks. Those are two of, I believe, the first and largest listed companies in China. If big tech companies in China ever did cooperate with, say, US takedowns, lawsuits like this, how much of this ecosystem would actually collapse? And how much of it is, again, to use that metaphor, just whack-a-mole that's going to pop back up somewhere?
¶ Growing Ambition and Advanced Techniques
Well, as far as I know, Alibaba and Tencent at least do respond to some complaints and do take some action on them, although, I don't want to say malicious compliance, but they tend to do it in a way that's sort of: if you could drag your feet as much as possible, require as much information as possible, and make the process as painful as possible for a reporter to actually get something done, that seems to be the way they handle these complaints. At least that's been what I've heard from folks who actually try to get these taken down. We also submit data to clearing houses that try to get these things taken down, so we've had some of that experience as well. Yeah, a vast majority, or so many of them, are hosted at Alibaba and Tencent, that's for sure.

And oftentimes so many of them are also protected behind Cloudflare free accounts, right? So there's a bit of a tech enabler there as well with Cloudflare. But that being said, if Cloudflare were to stop offering protection for these proactively... and they can make a good argument that, hey, it's not always possible for us to identify these things proactively.

And I do know that they are responsive to abuse requests. They have an API for that kind of stuff. So I'm not trying to throw them under the bus here. But I think if Alibaba and Tencent did something about this, it would make a meaningful impact. Again, the actors probably would just shift somewhere else to another hosting provider and continue to do that until they've been chased to the bottom of the barrel.

I'm curious to go back to the groups themselves a little bit, and this feeling I got in reading through this story of growing ambition. This starts out and it feels kind of familiar: the postal service lure, it's familiar stuff. And there seems to be this escalation, where you've got card theft moving into even bank logins. There was stuff about brokerage accounts.

Yes. There's a real sense of: we are climbing the ladder that is the Western international financial system. What should we take from that? Are they just truly ambitious? Are they learning? What's going on? I think it's a combination. They're ambitious for sure. They want money, right? They are financially motivated. And, to their credit, and I have to kind of give them a bit of a compliment, they have been so innovative and so creative over the years and months that we've been tracking them that they've continued to adapt and pivot. When they started with NFC relay... I mean, first off, they invented digital wallet fraud. That's crazy enough, right? And real-time OTP and SMS bypass to be able to facilitate it. That's crazy enough.

But then they basically invented NFC relay, the ability to relay an NFC payment, a tap-to-pay payment, around the world. And that's mind-blowing levels of nobody thought that was possible, until they invented it. And then they learned how to scale it and use it. And then even on top of that, now they've got technology that allows them to do NFC relay multicasting. So a single user behind the curtain, with one device that's operating as a relay server and cards that he touches to that device, can now support not just one mule operating in the field, but twenty or thirty or fifty or however many mules simultaneously. And it's so clever how they've created it, because tap-to-pay is a one-time token transaction where you can't replay the token: if one of those fifty actors that's receiving that card taps to pay for something, all the other actors temporarily lose the card in their app, and then as soon as that transaction is completed, all the other actors receive the card again. So it's ready to go.

And so, things like this: first they hit you with NFC relay, and then they come with multicasting, and it's not even a couple of months after they just invented this tech. And then to your point about banking and brokerages: as the banks have gotten better at protecting against digital wallet provisioning, in other words the process of them adding your card to their device, that has gotten harder for them, because the banks do receive some interesting controls and data from Apple and from Google that give them some idea about the risk level of that device and all that sort of stuff. And they're starting to get better at preventing these malicious wallet provisionings.

So the actors have also built in a system that will automatically tell them which cards they should automatically reject and which cards they should bubble up to the top and prioritize, because those will be the ones with weaker controls, like smaller credit unions or smaller banks instead of the mega banks.
¶ Brokerage Account Takeovers and Losses
And then as provisioning continues to get harder and harder and they scrape the bottom of the barrel, they start using these tools, which are perfect for real-time phishing and MFA bypass, to do things like account takeovers, where they'll take over the victim's PayPal account, or, more interestingly lately and more saddening lately, brokerage account takeovers.

So the way this works is you'll get a text message like, hey, your Charles Schwab account has had some suspicious activity, you need to log in and do something about it. And it will be a phishing site that looks exactly like Charles Schwab. They'll take your login information, you'll give them your two-factor or your multi-factor, and they will log in, and now they own your brokerage account.

Now, you might have a million dollars in there, or whatever investments you have in there. And they can't take the money out in terms of wiring it out of the account, because the controls are too good for that. But what they can do is effectively liquidate all your positions and buy Chinese penny stocks or Chinese IPO stocks that they already own in their own personal accounts or their own criminal accounts offshore. And as you are buying those penny stocks, they're selling against your order flow. So it's like, oh my god, a twist on a classic pump and dump, where they used to have to convince you to buy a penny stock. Now they just take your account, they control it, and they buy whatever they want. Yeah. Wow. The penny stock one, that's nuts. I hadn't caught that. That's crazy.

Yeah, and it's really sad and it's really damaging. We know some people that have lost their entire life savings; they're retired, they're on a pension or whatever, right? And they lose everything. And when you lose four hundred dollars... I mean, there's that saying: if you owe the bank four hundred dollars, it's your problem. If you owe the bank four million dollars, it's the bank's problem. Sure.

But if you lose your entire brokerage account, it's unlikely, depending on where you are and how much it was worth, I mean it's much less likely that you'll be reimbursed. So those are really saddening. But again, like I said, they're financially motivated, and so at every turn they've increased their ability to do this, to scale it, to steal greater amounts. We believe that, well, we know that some of them are also involved in pig butchering type scams.
¶ Sources of Cybercrime Innovation
You name it, they're involved. I'm curious, and innovation feels like such a weird word for this because of the kind of harms we're talking about, but I'm curious to understand where this innovation is coming from.

I feel like here, when we talk about people developing really complicated software, the two stories are either the wunderkind in a basement that hacks it together themselves, or, increasingly often, the person who gets ungodly gobs of venture capital money and then poaches talent and points it at a problem like a machine. And I'm curious, what does this look more like? Is it the individual author creating all of this? Is it more of the investor business model? Is it a crowdsourced software project where it's wisdom of the crowd and people working together to come up with NFC relays and wallet layers? Where is that innovation coming from? I think wisdom of the crowd is probably the closest one to the truth, at least from what I observe.

We believe a lot of these developers are students or people who have recently graduated, maybe in their twenties or thirties. They have computer science degrees and backgrounds. They are developers. Some of them, we believe, had a real day job when they started working on this stuff and ultimately went on to do this as a side hustle that became their main hustle. But in a lot of these channels you'll see there are so many people offering their own services, willing to work, pitching ideas, or: hey, does anybody have something that could work with this card, or whatever? And so there seems to be a collaborative nature to it: hey, I want to get some money, you want to get some money, how can we figure out how to do this?

And then also, at least in the Chinese fraud ecosystem as we've seen it, there has not really been much shame around copying other people's work. So if one phishing actor came with a new feature... for instance, in early 2025 we saw this massive rotation in the US and North America to toll road scams, whereas before that everything was pretty much United States Postal Service package delivery scams. But people had gotten so tired of it, so fatigued. I mean, how many of these package messages did you get every day? And you kind of knew it was a scam at that point, so people weren't falling for it.

So one of the actors decided to try a playbook that had worked in another part of the world, in Australia and New Zealand. These toll road scams had been very popular in Australia and New Zealand from 2023 onwards. And so they decided, hey, why don't we try these in the US?

And they apparently had massive success. And within just two or three days of one actor adding US toll roads to their kit, almost all the other major phishing-as-a-service actors also supported toll roads.

And so I think part of that innovation is kind of like, when one person figures out something that works, that's the new baseline. And then everybody's looking for the new thing that will improve on that, right? So they went from manually inputting card details to provision these wallets to automating it. And we've seen some of the actors use LLMs and AI to help a customer create a very convincing brand impersonation. So imagine you have a particular brand you want to impersonate and the kit doesn't yet support it. There are features within the kit that are AI-enabled or AI-powered that allow a user who has no technical skill to say, okay, I want to impersonate this website, and it'll go out and make a capture, scrape it all down, and put things in the right format for creating a skin for the phishing site.

And then that becomes a new template. So they've really been smart about how they automate things, about how they approach development, and treat all of this like a real business.
¶ Redesigning Financial Security Systems
This is maybe an unfair question, or maybe more just putting you on the spot, but I am curious, with everything that you know about this: if you could redesign any part of the financial ecosystem, how card issuers work, mobile wallets, telco messaging systems, if you could redesign some part of the financial system to try and shut down a big chunk of this fraud overnight, where would you intervene? What's that bottleneck?

Yeah, this is always a tough one, because everybody wants a silver bullet, and there is no silver bullet. There are a lot of things that need to come together. But I think one thing that would have a massive impact in general is if we would move away from SMS for the second factor, because, A, it's clearly one of the easiest forms of MFA to bypass, even if we don't talk about SIM swapping, but of course SIM swapping does exist.

SMS is unencrypted. It's an aging protocol, very old at this point. It was really just a hack to begin with. And one of the biggest things that I see against SMS, at least as a second factor, is that a lot of times when the victim receives that two-factor code from their issuing authority, there's not a lot of context about what it's for. At best, it's like, hey, this is Chase, and here's your code. Don't give it to anyone. And with app-based authorizations, let's say bank-app-based authorizations, you will get some information that's like, hey, somebody is trying to add your card to an Apple Wallet device. Are you sure you want to allow this?

And that becomes a lot harder for these threat actors to overcome, because even if the victim fell for the phish and put all their information, their card information, in, and the actor says, okay, now you need to open your banking app and approve, when they see what it's for, I bet you a high percentage of people actually bail out at that point. So I think there's something to be said for getting onto stronger forms of multi-factor authentication, either app-based, or generator-based, which is obviously a little better than text, but still kind of weak because it's just a time-based code and there's no context there; you just have to provide your code for something. Things like FIDO and passkeys and so on are also really interesting. We're not aware that these actors are able to bypass passkeys, because of the nature of them. Of course I have some misgivings about some of the other things that passkeys enable, which is a lot of centralized lock-in to big players. But the other thing, and I know you asked for a single thing, the other thing that is happening, and we are getting much better at it, is: we're so good at filtering spam messages from email, and we have been for many, many years now, but we're terrible at it when it comes to text messaging.

But that is changing, right? Android released an awesome feature related to scam detection and possible scam detection for messages. They also do things like call screening. iOS 26 apparently has a lot of anti-scam, or anti-spam, message features as well as call screening. Unfortunately it's not available anywhere except the US, as far as I'm aware. Maybe that's changed, but we don't have access to it where I live in Europe.

So if we can prevent people from seeing these messages and clicking on them and going to them, that's a big impact as well.
¶ Future Cybercrime Adaptations
I'm curious where this goes next. They have truly embraced the move-fast-and-break-things philosophy. They are iterating and coming up with new templates and lures and ways of doing this. What's that next adaptation? Where does this go, say, in 2026? I think it's really going to be towards more account takeover type activity.

Whether that's brokerages, I'm not sure. Maybe the brokerages will, due to the amount of money involved, probably pretty quickly shut that down, I would assume. I could be wrong about that, but other forms of account takeover that allow them to monetize and do useful things, whether that might be stealing Amazon accounts or PayPal accounts or Stripe accounts. These kinds of things that often have some sort of payment channel associated with them, or a card associated with them, and allow you to buy things or transfer money. I think that's an area where so far we know that certain threat actors go after those types of things, but the digital wallets were such low-hanging fruit that everything gravitated there for a long time because of all the advantages.

But yeah, I would think probably more targeted spear phishing, more account takeover, more social-engineering-backed stuff. We know that they also have the capability to bypass KYC controls. There's a lot of stuff in the ecosystem about providing fake documents, fake passports, fake social security numbers, ID cards. And we believe that they're also starting to leverage generative AI for videos to bypass these types of controls, where when you open, for instance, a crypto account you need to have your phone's camera pointed at your face with a selfie, holding a passport next to it, and move it in and out and all these kinds of things. We believe they're also able to bypass those kinds of controls. So yeah, it's hard to say exactly, because I could never have predicted NFC relay or some of the other things that they've rotated to.
¶ Unending Battle and Public Awareness
But whatever it is, I have a feeling it will be effective, for sure. To wrap up, because you've been super generous with your time: you've spent years researching and unraveling and trying to paint a picture of this. What is it about this topic that keeps you curious and engaged? Like, what is the thread that you feel like you haven't pulled all the way on? I mean...
Unfortunately, my feeling has been, since I started looking into this, that I wanted some closure before I was done. Right. And I say unfortunately because I can see now that that is probably never going to happen. But I really initially thought, like, wow, we've learned a lot about this. We understand how it works. If we just talk to the right people, we can make a difference and solve this problem.
And the reality is, while I've had, and a number of other people that are really close to this have had, good impact here, at the end of the day it's a never-ending battle, right? This tale is as old as time, you know: if you can convince somebody to give you their password, or you can social engineer somebody into defeating the controls,
then no matter how sophisticated the controls get, it never matters, right? You can always just convince a human to defeat the controls for you. So in that sense, I don't think this will ever really be resolved. But my hope was that through our research and what we shared, we could really shut it down to a significant extent.
So that's kind of what keeps me going. And the other thing is, as long as people have an interest in this, and as long as people are losing money to this and want to talk about how it works, I'm happy to share that, right? Because I think there needs to be more visibility, more understanding of what's going on. And when I talk to people about how it works,
no matter if they're technical or not technical, they always love to hear the story and learn how it works, because we've all seen these messages and we've all kind of subconsciously wondered, like, what's that about? Or how are they even making money from this? And when you show somebody that, and their eyes light up and that light bulb goes off in their brain, they're like, oh, that's how it works.
You know, then they can go and tell their family and be like, hey, I understand how that works. You need to be really careful about this. Or let's look at our opsec, or let's look at how we handle security. Because it's not only a personal responsibility, it's also a societal and sort of government regulatory responsibility. It's a responsibility of these companies, but it's a responsibility of all of us to sort of lift the level,
or the security level, let's say. So I guess that's really what keeps me going: the hope that we can really make a difference in this kind of thing, and the fact that people are interested in learning more about it and understanding more about it. Just as an aside, I think that we all have this feeling
that we are, on a daily basis, even in something as innocuous as a text message, you know, the bad Facebook scam ad that you try to avoid clicking on, the link to the e-commerce site that seems right. Right? Like, it seems like it's the real thing.
We all have this feeling that, in order to exist online, you sort of have to consent to just being lied to, with the potential for very real harm, all of the time. There's this feeling of, like, when I wade into this world, I'm wading into a space where people are gonna lie to me to try and steal from me,
all of the time. And that feeling, even if people aren't technical, doesn't go unnoticed. It sort of builds up on you like a residue: there's someone always trying to tell me a lie. So even for non-technical folks, I get why this would be a really compelling... Yeah. And you know, to your point, I mean, it's unrealistic for anybody to have their guard at, like, the highest level at all times.
Right. So even if you don't fall for ninety-nine out of a hundred text messages, the one time that you're busy, or stressed, or you've had something to drink, or it's just early in the morning and you just woke up, or you're tired, all it takes is one. And that's what these actors are counting on. It's a numbers game. We know from the numbers that only
one to three out of every one thousand victims that receive these messages actually go through with clicking the link, losing their information, and getting their card information provisioned. So that's less than one percent of everybody that receives it. But it's clearly enough for them to make money at scale. Ford, thank you so much for your time. It was really good to get to talk to you. I appreciate it. Yeah, absolutely. Thanks so much for the time.
