Cops don’t understand cybercriminal mindset – ex-cyber fraudster
Digital technology continues to bring unprecedented opportunities into our lives, but it also opens up new doors for crime. What is the life of a cybercriminal like and what hidden dangers lurk out there? We asked the ‘Original Internet Godfather’, former notorious cybercriminal-turned digital security expert, Brett Johnson.
Sophie Shevardnadze: Brett Johnson, welcome, it’s great to have you on our program. So, Brett, you’ve been called the ‘Original Internet Godfather’ and a pioneer of online crime. You’ve been quite notorious for some time, but in the end they got you. How did you get caught, I mean, where did you slip up or drop your guard?
Brett Johnson: Well, where I slipped up was breaking the law to begin with. I ran a group called “ShadowCrew” which is the forerunner of today’s darknet markets, today’s cyber crime markets. We made the front cover of Forbes in August, 2004. On October 26, 2004 the Secret Service arrested 33 people in 6 countries in 6 hours. I was the guy who got away. The way I got caught - I continued to break the law, I was running kind of cashier’s checks. A gentleman by the name of Albert Gonzalez who was our forum techie, handled software on the forum. He had been arrested by the Secret Service and was working undercover and that is what ended up getting the entire group busted.
SS: So our lives are becoming intertwined with the Internet more every year. Its capabilities grow, new gadgets come out and we all become even more connected. Does that open new avenues for cyber criminals as well?
BJ: Absolutely! The problem is that people tend to trust technology inherently. Just because it’s the Internet people tend to lend it to much trusted type of mechanism. They don’t really understand that criminals love to operate using the Internet, it lends itself to anonymity, and the criminal doesn’t have to face the victim or the person he is trying to rip off or steal money from either. So it also lends itself to that separation, so when I broke the law, it was all about me stealing from people that I’ve never met and never would meet. And that allowed me the opportunity to be anonymous and also not have to face the people that I was ripping off.
SS: Now I’ve heard that the most damaging cyber attacks that companies can face come in a form of bogus emails. How come that after millions of dollars spent on sophisticated firewalls, on workshops being held on elementary cyber security skills it still takes a single click on a bad link to send the whole enterprise down the river?
BJ: Well, the reason is the human factor. The reason is that 92% of every single breach begins with a phishing attack. And a phishing attack is simply a form of social engineering. As a criminal you know that it is much easier to ask someone’s permission than it is to try to break into a system. So the only thing you have to do is you have to send an email that looks legitimate enough to get someone to click on it. Once that happens, it’s a game-over for the company or the person or the government, or whatever that is that you are trying to break into.
SS: Can you purchase a firewall to help prevent the human curiosity?
BJ: What I do these days, I do a lot of consulting with companies, groups, law enforcement. For individuals I recommend that they use a software firewall, but for businesses it’s important to use a physical firewall. Now that being said, even if you are using physical firewalls, the human is still the weakest link in that cyber security chain. So if a company is using that physical firewall, if they still receive a phishing email that looks like it comes from the company itself or something that looks legitimate and that employee clicks on that link, it’s still game-over for that company.
SS: You’ve talked about working with a phone since it might be easier to get where you want inside the corporations with a phone call than with technical tools. Is social engineering more important in cyber crime than the actual cyber part?
BJ: The most important thing is to get information. Now it’s easier to get information, as I said before, by simply asking a person for that access and you do that by social engineering. Talking about phone calls, for example, I can bypass every piece of internet security that a company or a government has simply by picking up the phone, spoofing the phone number which is when I call it will appear on the opposite side as someone else’s number. So I can spoof that phone call, make it appear as if I am a customer or a boss or anything else, and convince that person that “hey, send me the money or give me access to your system”. And when that happens, again, it’s a game-over. The weakest link is always the human being behind the software that you are using.
SS: But, I mean how do you deal with that? You can’t really fix the human error, can you?
BJ: No, you cannot fix the human error. One of the things I say in a lot of presentations is that there is no patch for human stupidity. Now that being said, you can do a lot of training for people, so I advise companies to do simulated phishing attacks. I advise companies to have people come in and constantly train not just the higher-ups of the company, but from the ground floor up. It is important for a company these days that security is part of the entire structure of the company. So the person who is sweeping the floor, the lowest paid employee, the lowest educated employee, all the way up to the CEO of the company - they need to know about all the breaches that are going on, about the avenues of attack, about phishing, about the dangers that lurk from cyber criminals like I used to be.
SS: Companies often refuse to report a cyber crime because they don’t want to be compromised, they don’t want to compromise their reputation. A shop owner wouldn’t think twice before calling the police if his place was broken into. Why don’t businesses treat data theft the same way?
BJ: That is the question of the day right there. Why don’t large businesses share information and tell exactly what’s going on? And a lot of it has to do with liability. They don’t want to lose business, they don’t want to be sued, they don’t want their customers to think that they are not doing an appropriate job with security. So what we see across the board with these larger companies, whether it be Equifax or Target or anything else, what we see with the companies like that is they will be breached and first they try to hide it. And then when it comes out in the news, they try to minimise it. And it continues to go on like that until maybe a year or a year and a half later you start to see these news stories popping up: “Well, you know, this breach was much worse than we initially thought”. And the thing is that nowadays breaches are so common, that most people have gotten used to the idea of their information already being out there online for sale or to be used by criminals.
SS: So individuals are also less likely to go to the police after online crime, not just corporations. Why is that? ‘Cause if you are not physically killing someone or physically stealing money from someone’s pocket?
BJ: When I was breaking the law, one of the first lessons that I learned was that people or companies really don’t report the crime. Now some of them do, but a lot of companies and a lot of individuals, once they are ripped off, whether it’s an embarrassment or they just think that the law enforcement won’t do anything about it, that nothing is going to come out of the investigation. A lot of companies, a lot of individuals tend not to report it to law enforcement. The problem is that when you don’t report it to the law enforcement, law enforcement doesn’t know what is going on and it doesn’t aid in any kind of ongoing investigations that they have got going at that time. So it’s important, it’s really important that individuals report to law enforcement, that companies report to law enforcement, that way this database that law enforcement keeps with all these breaches, with all these crimes that are going on they get more information, more data and it will ultimately result in a group like Infraud being shut down or a group like I used to run, ShadowCrew, being shut down and people going to prison. Because that is really what it is going to take is more investigations, more legislation, companies actually reporting, and security as a whole being increased, not only with companies, but individuals.
SS: Do you feel less responsibility for committing a crime in cyberspace and so do victims feel less hurt by them as well? I mean, in essence, does cyber crime feel unreal because it’s in a virtual world?
BJ: I think it feels unreal in a virtual world for both, the criminals and the people that are victims or the companies that are victims. And the reason is that because of that separation you don’t have to look your victim in the face, and the victim doesn’t see the criminal’s face either. So it’s that separation that takes place. For example, the criminals that I know, when AlphaBay was shut down July of last year, that was the largest online criminal network, they had a membership of 240 000 members. So there were 240 000 people that were trying to rip people off every single day. Now, if that were in a real world, if there were 240 000 people, if AlphaBay were a group that you had to rip people off face to face, you had to steal money from them by pointing a gun at them or whatever, you would not have that type of number. But because it’s online, because the criminal can hide behind that mask of anonymity, you have these people that are joining up and they don’t even think about it. They consider “well, I am not ripping off the person, the bank will pay for it, or the government is who I am ripping off and they can afford it”. But the truth of the matter is that everyone is a victim. If a cyber criminal hits a bank or a government those costs are just passed on to the citizens or the customers of the business.
SS: You’ve said that cyber criminals often sideline the negative consequences of their actions. So is everyone just too sure they are too good to be caught? I mean when you were jailed for your online fraud schemes, did you see it coming?
BJ: Yes, in our case we did see it coming. We were so sophisticated at that point in time that we had actually hacked into the Secret Service cell phone accounts and we had text messages about them investigating us. On a service site we were noticing that law enforcement was visiting our site, we knew exactly what was going on and we knew that things are going to end up badly for us. Most criminals (and I did the same thing), we compartmentalise everything, so we justify our crimes by saying, “I didn’t rip off people, I ripped off businesses and governments”. And not only that but we also say, you know, “whatever is going to happen, is going to happen”. So we tend to adopt this philosophy of fatalism, that in order to keep operating, in order to keep breaking the law, we know that it is going to be a bad end, but we continue on anyway, thinking that “ok, it is already too late, we need to go and continue and maybe something will work in favor of the criminal”. The point is that for any cyber criminal it always ends badly, always. I’ve got friends, associates that were engaged in those types of crimes and they ended up with life imprisonment, or 30 years in prison, one guy ended up committing suicide instead of going to prison. It always ends badly for a criminal.
SS: Brett, I’ve read a story about how you were teaching fraud to the “Aryan Brotherhood” when you were in prison. I mean, do you think the cyber criminals and real-life criminals are going to merge eventually and, you know, there will be no difference?
BJ: Actually, I think we are seeing that. Now when I taught fraud and how to commit fraud when I was in prison, that was to remain safe, I had to do that in order to not be killed while I was in prison by the “Aryan Brotherhood” or these other gangs that were around. But what we see these days in cyber crime, when I was so engaged in cyber crime, you had this clear line that separated physical crime from online crime. You didn’t have gentlemen that were engaged in both. Now that’s pretty much gone. Crimes today, especially in the United States, are a mix of the two. So today we’ve got people that would steal mail from people’s mailboxes, once that mail is stolen they’ll go ahead and go online and they’ll try to pull the social security numbers, date of birth and mother’s maiden name – the complete identity profile of that person they’ve stolen the mail from. Once that’s done they add an address onto the credit report, what is called the drop address, so that they can receive new account cards, the replacement cards or order physical items and cash out like that. And as we continue to grow online with our online identities and personas, you will continue to see this mixture of physical crime and internet crime, and the two will melt to the point where it is almost indistinguishable, and you can’t really distinguish them at all.
SS: So what does cyber crime mean for more dangerous stuff like terrorism financing or laundering drug money for cartels? Does the Internet make doing that a walk in the park?
BJ: It makes it much easier. Before, if you were a group that needed to raise money, without the Internet it was very difficult, you had to engage in drug trafficking or anything else like that. But these new terrorist organisations that are around, now they can engage in online crime. They don’t have to worry about brutal forcing or attacking or using violence to steal money, they can engage in Bitcoin laundering, cryptocurrency stealing net. You have got several governments and terrorist organisations that try to steal cryptocurrency because of the value of it. And they use that to finance their terrorist operations. Or if there are sanctions against the government, the government will try to steal Bitcoin or launder money with Bitcoin. We are going to continue to see that. That’s not going anywhere anytime soon, because it’s a much easier and more profitable avenue for terrorist groups or who have you to make money.
SS: So let’s talk a bit of samurai codex here. I mean we are used to the fact that real organised crime around has, for all its law-breaking, its own internal set of rules. What about cyber crimes? Does it have its own Bushido Code of Honor, I mean, certain taboos like the mafia?
BJ: You do have taboos in cyber crimes. Realise that to engage in financial cyber crime there are three motivations: it’s either ideology, it’s status or it’s cash. Most people do it for cash, they do it to make money. Now, when you start as a cyber criminal, you don’t really know a lot of how to commit a crime, you don’t know or understand the dynamics of cyber crime, so you start at the lowest rank possible. You start by ripping off people. Now as you advance your craft, as you become better in that career fraud, you get to the point where you are ripping off governments or organisations, companies and things like that. So what you see with cyber criminals is there is this clear hierarchy of who thinks they are better than someone else. So if you are a beginning criminal you are looked down upon by these upper-class people that are only ripping off governments. Because they view themselves as better and that is a part of this entire online business or persona or ideology that takes place. The criminals have to justify - and I did the same thing - I had to justify my crimes by saying “at least I am better than these people”. So you will see them engage in crime, you won’t see a financial cyber criminal... I’ve never met a financial cyber criminal that is engaged in child pornography. They all look down on that, they all tend to look down on drug trafficking. Even though today if you are looking at financial cyber crime, it is necessarily mixed with drug trafficking as well because you’ve got so much profit in there. But even as such, the guys who are stealing money, still look down on the guys who are dealing drugs. So there is always that hierarchy of who thinks they are better than someone else. And at the end of the day, everyone is still criminals.
SS: So seeing how hackers don’t go around busting kneecaps on the streets or mugging anyone at gunpoint, does it make them less tough when facing the law?
BJ: It certainly does. When I ran ShadowCrew and when we were caught, everyone told everything they knew as soon as they were arrested and I did the exact same thing. And the reason was that we were not used to crime. We were used to internet crime, but not physical world crime. Now, as ShadowCrew ended, we started to see more mafia-type of groups being engaged in cyber crime. And with that they brought violence with them. As ShadowCrew ended, there was one gentleman that posted pictures of a guy who owed him money and he had the guy kidnapped and he was torturing the individual. So he posted that. You start to see more of that coming into the cybercrime world, because the profit potential is so high that that threat of violence has to be there. And we will continue to see that advance. You are seeing now that people who have Bitcoin are being kidnapped and threatened with their lives for ransom or for money.
SS: I know that when you first started working for the federal government you also managed to moonlight as a scammer at the same time, all the while being under surveillance and supposedly under control of the Feds. So how many hackers are double agents so to speak? And how many play both teams at the same time?
BJ: I think you are right. When the Secret Service got me out of jail to work for them I started breaking the law the exact same day that I got out. And I continued doing that for 10 months until they found out about it. How many people do the exact same thing? Most, if not all, until they reach a point that they understand that it’s not going to end well and it usually takes a lot of prison time. In my case it took being sentenced to 7.5 years in prison, escaping prison and being caught again and sent back to prison.
SS: There was a story a little while back about the director of the FBI complaining about a staff shortage in the cyber crime unit, saying that all those who are capable of working there smoke marijuana and therefore are banned from a federal law enforcement job. So does the law enforcement mostly force attackers into cooperation - like, ‘either you serve time or you work for us’, because it can’t attract talents to come into a firm voluntarily?
BJ: For the United States there is a stigma with law enforcement of hiring ex-criminals or ex-hackers. Corporations and companies - there is not as much of a stigma but still it’s there. Even today I consult with Fortune 100 companies, with security companies. I even consult today with the FBI. There is still that mistrust because I was the guy that used to rip off a lot of people with a lot of money, I even continued to commit crime when I worked for the federal government before. The thing is that for a criminal law enforcement security people really don’t understand that criminal mindset, they don’t understand the lengths that even I would go to to break the law. And until you start to understand the human factor it’s like with cyber criminals. Cyber criminals know that the most important part of breaking the law and getting money is the human being, that’s why phishing is so popular. It’s the same thing for law enforcement and companies. They need to get to the point where they understand that we need to understand this criminal mindset, so when we find someone that has reformed – and that took me a lot of time to reform – but when you find someone that is reformed, but still has that ability to think as a criminal does, to explain that type of mindset to law enforcement groups, organisations, companies – it has a lot of value to it. When I give the presentation today, most companies and groups know that fraud is a problem, but they don’t understand the face of fraud until you actually talk to the guy that used to rip them off.
SS: So the Feds run a network of recruiters and informants in the hacker community, but I’ve heard about the game called “Spot the Feds” during the hacker conferences. Is it really that easy to spot an undercover cop at a hacker convention? I mean, what gives it away?
BJ: It is, it’s not just “Spot the Feds” at a hacker convention, it’s “Spot the Feds” on online criminal groups and communities – it’s everywhere. And it’s extremely easy to spot a law enforcement official; it’s easy to spot a security pro and a number of things. For example, online you’ve got several online carding forums or fraud forums. And you will have law enforcement people that will try to integrate themselves into these forums. And what usually happens is they will come on and they will act like they are criminal, but they will ask the wrong type of questions, or they will want too much information too soon. There are these telltale signs that criminals know that something is wrong, they may not know that the guy is a law enforcement officer or a security pro, but they know he is not a criminal and they have this bad feeling. Criminals are very good with intuition of being able to know that something is wrong, they may not know that he is a cop, but they automatically pick him as someone that’s not like them. And that becomes a huge problem for law enforcement. And that is why law enforcement tends to use a lot of informants and stuff like that in order to gain access to these communities.
SS: Now, in one of your articles you wrote that purchasing someone’s credit card number along with their full identity information will set you back just about $200. I mean, how come it’s so cheap? Is everyone’s identity absolutely unsafe?
BJ: The way I talk about it today and I use Equifax as an example. So everyone is scared to death of the Equifax breach, but the truth of the matter is that all of that information, everyone’s information has been out there. There have been so many breaches that your information is already for sale. And because of that use of the information there is so much of information out there, it’s pretty cheap. For example, I can buy a credit card from anywhere from 6 to 20 dollars, and with that credit card I get the card number, I get the card owner’s name, address, phone number, expiration date, 3-digit security code on the back. Now that gives me the ability to start buying things online. But I can also pull that card owner’s complete identity information. And what I do is - there is the website I can go to and pull the social security number and date-of-birth and address history for another $2.90. Once I do that I go over and I start pulling background checks. Background checks run for $16. So all of a sudden I’ve got a complete background check, and I’ve got the social, the date-of-birth for a total of $20. Then I pull the credit report. The credit report is free. Once I have that I have enough information to really do whatever I want to commit whatever type of financial crime I want to with that victim’s information. And that’s a part of the ease of cyber crime, it’s not rocket science anymore. Things are so easy for criminals these days, that it doesn’t take much money to get started, it doesn’t take much knowledge to get started, you could buy a tutorial, you could take a class of how to commit crime. All of this stuff is pretty automated these days.
SS: So just to wrap this up briefly, what can an ordinary person do about all this? I mean, you can tell government registries or big companies to beef up security, yes, but what can I personally do about my identity being traded on the Internet? Nothing?
BJ: Sure. There are things you can do, and what I am trying to tell people to do is make sure you are not a low hanging fruit. And the way to do that is first freeze your credit, all right? And not just freeze your credit of you but every single person in the house, because children are the number one victims of identity theft. You could use the child’s information to create entirely new identity. So freeze the credit of everyone in the house, monitor every single account you’ve got. And what I mean by that is bank accounts, email accounts, credit cards – everything – monitor everything, place alerts on every single account as well. That way if a thief does have your information and they try to charge your credit card, you get an alert to your phone that says: “Hey, something is going on”. So those are two things. The third thing is to use the password manager. We, as humans, we simply don’t know how to best pick a secure password, so we tend to use the exact same passwords across multiple websites. It’s important that we don’t do that. You do those three things, those three easy things, and the chances of you being ripped off or becoming a victim online are really minimised for that point of time. Criminals tend to go for the easiest targets and you’ve just made yourself more difficult than 80% of the populace.
SS: Brett, thank you so much for this wonderful insight and for this interview. We were talking to Brett Johnson, the Original Internet Godfather, former notorious cyber criminal, turned digital security expert about the dark side of cyberspace. Well, that’s it for this edition of SophieCo. I will see you next time.
BJ: Thank you.