Stories and Perspectives from a Former Cyber Criminal | Intel Technology
(bright music) - [Announcer] You're watching "Cyber Security Inside" a video cast where you can discover what you need to know about cyber security. Here are your hosts, Tom Garrison and Camille Morhardt. - Today, we have a very special guest, Brett Johnson. He is an expert in cybersecurity and cyber crime as the former US most wanted cyber criminal and consultant. Whoo, we got stories to tell there.
He also hosts the "Brett Johnson Show" on YouTube. He's a keynote speaker and he operates AnglerPhish Security. So welcome to the podcast, Brett. - Hey, thank you. I'm humbled to be on here, thank you for inviting me. - So first things first, AnglerPhish, are you a fisherman? - No, no, I'm not.
So AnglerPhish is spelled with a PH as a phishing attack, and that that name comes from the investigation that I was involved in. So the group that I started was called Shadow Crew, was a precursor of today's dark net and dark net markets, makes the front cover of Forbes August of 04, October 26th of 04, United States Secret Service arrest 33 people, six countries in six hours. I'm the only guy that gets away. They pick me up four months later, they give me a job.
My job was as a consultant and an informant for the United States Secret Service and that investigation was called Operation AnglerPhish. So I continued to break the law from inside Secret Service offices for the next 10 months until they found out about it. I took off on a cross country crime spree, stole $600,000 in the space of four months.
Wake up one morning, I'm on the United States most wanted list, go to Disney World, get arrested, sent to prison, escape from prison, get arrested again and served out my time. So when I got out and I turned my life around, I was given the opportunity to turn my life around. I adopted the name of an AnglerPhish, long story short. - I'm curious, was that job offer from the Secret Service after you had been arrested four months later than everybody else that was arrested, was that like a job offer that you could refuse or was that a job offer you could not refuse? - Oh no, I could have refused, but I would've remained in jail. The thing was, is I was arrested February 8th, 2005, three weeks before my scheduled marriage. So I got arrested.
My fiance had no idea what I did for a living. So once she found out I was a criminal, I was like, hey, I'll do whatever it takes in order to get back with her and that was working for the United States Secret Service. - Our listeners will be happy that you spelled phish with a PH and not an F because the rest of the podcast would've been you and I talking about actual fishing, but- - I know, right? - We'll save that for a different day. But today we wanted to talk about the dark web and I know basically everybody has heard the term dark web and probably a few at least have a decent idea of what it is, but I think we should start, a good place to start is, can you help describe what is the dark web? - So sure, and the reason I'm a little hesitant about that is the definition of the dark web has been changing over the years. You see, the United States Navy, they developed this thing called the Tor browser, the onion router, and they developed that so that intelligence operatives could communicate with each other without being identified.
It then goes open source with the idea that whistleblowers could use it or that someone behind a country's firewall would be able to use that to access the real internet. What they forgot to understand is that adoptees of technology, if the technology can be used to remain somewhat anonymous or to launder money, the first adoptees tend to be criminals. So as soon as Tor gets out there, we see all these criminals start to use Tor to communicate in order to commit crimes, in order to work together, to network. So that's basically the genesis of the dark web. After a while you find out that you can build websites and hide the box, things like that.
Well, over the years, the problem is is that in order for you to use Tor properly, you kind of have to know how to use it. If you don't, you can be identified and you end up going to prison and typically that's what we see a lot of. You see somebody that thinks they're protected, that they're anonymous, they're not and they make some sort of silly mistake or they've got Java turned on or something like that. Law enforcement identifies them, goes and arrests them, gives 'em 20 years in prison because of that and because of the paranoia, because law enforcement has gotten so good about shutting down dark web websites, we see that a lot of different services have started to pop up and a lot of criminals are starting to look at smaller and smaller encrypted messaging services in order to network together, to sell wares, commit crimes, what have you. The big one on the block right now is Telegram.
So that's really the wild west of cyber crime. So this definition of the dark web has changed over the years where it's not just Tor and those Tor based sites anymore, it's things like Wicker it's things like Telegram, it's things like Discord, WhatsApp, Signal, all these other services work together so that criminals can work together, exchange, share information, collaborate, profit. - Is it sort of like the LinkedIn of the dark web where although are people anonymous or disassociated from their identities on it? - They are, you take Telegram for example, Telegram is owned by a Russian and Telegram is very anti law enforcement, which is pretty interesting when you think about it. Telegram does not answer to United States courts, yet it's still allowed to operate within the United States, personally I'm against that. The problem is, is that you've got these people that are not tech savvy and Telegram is very low friction from a criminal point of view basically you only have to have a phone number to register an account on Telegram.
Telegram Doesn't answer subpoenas. It doesn't give up any information at all. It allows crime and fraud to flourish on that particular platform.
So it's a very conducive environment for criminals who are not really tech savvy to go in and be able to profit and start to learn how to be successful at online crime. - So obviously our mission here is not to try to teach people how to break the law, but at a rudimentary level, can you walk us through, let's say you had some sort of nefarious intent, but you really aren't that tech savvy, like, how do you go about doing this? Again, this is not a how-to video, but it's more about under understanding the evolution of the dark web and where we're at today. Like the current world class of the dark web.
What does it look like? - When I was committing crime, when Shadow Crew comes into play, so there's three sites that really kind of start the genesis of modern cyber crime. There's Counterfeit Library, Shadow Crew and then ultimately, Carter Planet which was opened by Dmitry Golubov, Ukrainian national, those individuals who were part of those sites, the platform of cyber crime itself was not established enough. So if you were a member, an expert on those sites, you typically had to understand most dynamics of online crime.
You had to know what the security of the target was that you were hitting, how to bypass the security, how those tools operated, how to run a drop address, how to have proper operational security so that you weren't identified and you were made anonymous. You had to know every single aspect of that. Today, the cyber crime platform is refined enough that a newbie, a cyber criminal who has absolutely no experience or no understanding of any of those dynamics, they don't have to know all that. You can go in, you can simply ask questions within those channels, whether it be a forum, whether it be an IRC, not an IRC, but a Telegram session or a Discord channel or anything else, you could start asking questions and it's an open source environment. You typically will get someone that will start to educate you, start to tell you what you need to do.
So you can do that. You can buy tutorials on how to commit one specific type of fraud. Tutorials can be purchased for as low as $10.
Sometimes they run a few hundred dollars. If you're not comfortable enough with a tutorial, you can buy or take live instruction classes. To really understand it, you have to kind of understand the three necessities of cyber crime.
For cyber crime to be successful, three things have to take place. You have to gather data, you have to commit the crime and then you have to be able to cash it out. All three of those necessities have to work in conjunction.
The problem is, is that a single criminal, one person, can't do all three things. They can do one, sometimes two but rarely can they do all three and the reason for that is there's two reasons. Either it's a skill gap, that specific criminal simply doesn't know how to do one of those aspects. So he doesn't know how to do a man in the middle attack, or doesn't understand the intricacies of a phishing attack, what have you, or it's a problem with the geographic location, that criminal is simply in a geographic area where they're not able to do one of those three necessities, typically, put money in pocket, launder the funds out. We saw that during the pandemic with unemployment fraud.
So you had people in the Ukraine, in Russia, in Brazil, in the EU that were hitting states unemployment offices. They had all the data in the world. They were able to commit the crime because there was absolutely no security in place for six months but because they were in an area outside of the United States, they had to rely on money mules state side to cash out for them. That way no flags were raised and that they were able to continue withdrawing funds.
So because of those three necessities, you have dark web marketplaces, you have the forums, you have Telegram, Discord, channels like that, that work and operate so that one criminal can work and network with other criminals who are good in areas where he, sometimes she is not. - I had a question about trust because you've talked about that in previous interviews you've done. You always say like in the criminal world, you need to first establish trust and then you can profit from somebody or take advantage of somebody and, you know, it's funny because we're looking in the non-criminal world at one of the most important things in business is to establish trust and then particularly around cybersecurity, how can you assure that the computer or the device is trustworthy? How can you assure the network is trustworthy or the person that's logging in? So do you see trust as like, is it dual sided? Is it different in sort of the criminal world? Or is it actually the same? And how do we navigate that on either side of the equation? - What's interesting to me and I quoted this several times in different presentations in webinars as well. Ronald Reagan said trust but verify. So taking that from a criminal point of view, if I'm looking to defraud or victimize an individual or a company, I'm going to anticipate that they're going to trust and they're going to verify but my question is from a criminal standpoint, my question is, is how far are they going to verify? How many levels deep are they going to go to try to determine whether I'm who I say I am or that I'm a fraudster. So I try to anticipate that.
So say I'm doing, say I'm hitting a retail merchant using stolen credit card data, I have the stolen credit card data. That's one tool to establish trust. I may have an email address. So that email address, what am I going anticipate with that? Is the company going to be able, are they using some service like Emailage that is trying to determine the age of the email? So I need to try to anticipate that.
Most of the time they're not gonna do that. So I can use just a simply a Gmail address that is created on the fly most of the time but if it's a company where I figured that they are using a service like that, I may try to go and buy a domain that has been registered in the past. That way it looks like the email address has been established for a long time or I may try to age out the email by having data or any, or, you know, some sort of history registering with reward systems or a PayPal account or what have you.
So I'll try to anticipate how many levels deep that potential victim will try to verify who I am. Typically, it's no more than two to three levels and that's one of the reasons that synthetic fraud is so successful from a criminal point of view. Synthetic fraud works by me defrauding the Social Security Administration by using their own tools against them, by going into the credit bureau and being able to put that ghost in the system and then using that information to establish credit and what I understand from a criminal point of view on that point is that any creditor that I try to defraud, they're not going to look past the credit bureau and that credit score that I've established, they're only gonna go that deep and only that deep. So understanding that from a criminal point of view and how trust works is important on the victim, when you go to victimize someone but from the criminal point of view, I have to be able to trust my criminal associates because I know that law enforcement is in those areas. I know that fraud analysts are on those channels as well. So there's an entire system that's set up on the criminal side that tries to establish trust between criminals, that tries to make sure that you're dealing with somebody that is a criminal and that knows what they're talking about.
So you have vouches and the vouches go back to that old age of the, you know, the Italian Mafia. You know, I vouch for this guy, he is who he says he is and that means something. When you vouch for someone, you're then responsible for whatever that person does, if that person then rips someone off, they come back to you and you have to make that person, you know, solid at that point. So you've got vouching systems, you've got review systems, you've got escrow systems all with that idea of establishing trust with one criminal and another and that's really important. You take some of these cyber crime environments now, these environments, some of them are hundreds of thousands, maybe a million members large and you've got all of these humans working together, sharing, exchanging information in real time, it becomes a really nice platform to know who to trust. What's going wrong with a vendor, an individual, a criminal, an associate, what have you.
So trust plays a really important part on the criminal side. - In the past you've profiled cyber criminals motivations as three different categories, cash, low hanging fruit, status, which I guess is sort of the equivalent of fame and ideology and you say that, you know, these people operate very differently. These different motivations have all kinds of different levels of tenacity as well. I'm wondering if the effect of whoever it is means that a company or a person, individual needs to protect themselves against each kind of criminal motive or if it's just the motive behind the attack and the attack is, it doesn't matter what the motive behind it is, the attack would look the same. - I don't think the attack looks the same at all.
So, as we said, if the motivation is cash based, that criminal's simply looking to steal cash, that criminal's going to look for the easiest target that gives the largest return on investment, that lowest hanging fruit, as you said, but if it's fame based, that's status, if that criminal's able to do something that no one else within his criminal community can do, it doesn't really matter about the security, that criminal's looking for the high security, something that he can do that no one else can and that gains him respect, which equates to profit within those criminal communities and then finally, ideology, have you pissed someone off? Does someone have a different belief than you do? Understand the motivation and you'll understand the persistence of the attack, someone who's attacking you because of an ideological basis, that's an attacker who is not going to stop. They're looking at you specifically, and yes, as a company, you could be targeted for all three things. For example, I gave a keynote speech for Chanel about a year and a half ago and the interesting thing about Chanel is that they hit all three motivations. You're looking at attackers who are looking to steal money.
You're looking at attackers who can hit Chanel because of the brand name. They go back to their community and say, "Hey, I got Chanel." And then you're looking at attackers who, Hey, Chanel, huh? Is that a French company? I just don't like, you know, the French mindset or their political beliefs.
So you got all three things hit there. You have to design your defenses to address all three of those types of attackers because when you think about it, there are only really seven types of attackers. You've got criminals, like I used to be, you've got hacktivists, you've got insiders, you've got terrorists, you've got the script kiddies, the nation state attacks. You've got the vendors that sell the types of tools. So those seven different attackers are there and all seven have a different type of motivation.
So depending on your company, I've talked about that before, too, you need to understand your place in the cyber crime spectrum. Why are you being attacked? Is it because of cash? Is it because of, you know, you're that brand name and I can get fame in my environment, or is it because of your political stance or the ideology that's going on, understand that design security and go from there. - What do you see as the future? Like, you've kind of described where we've been, you've kind of described where we're at today. You know, how should we expect the dark web to evolve? - It's interesting and it's really scary at the same time. So Shadow Crew gets shut down, 2004. We ended with 4,000 members.
Fast forward to 2017, Alpha Bay's the largest criminal network on the planet. 240,000 members when law enforcement shuts it down. Two years later, 2019, a dark web marketplace called Black Markets shut down, 1.15 million members, all of that pre-pandemic. During the pandemic, the fraud numbers exploded because you had stimulus packages in place, and there was no securities so you had massive amounts of fraudsters coming in committing fraud.
Those people, now that the stimulus programs have ended, they're not really going to go and flip burgers or go to school or anything else like that because they've gotten a taste of how profitable online crime is. The problem is, is that 98% of those criminals are not skilled. You know, we have this perception, a lot of us because of the media, because of these, you've got a lot of these security companies out there that are snake oil salesmen and they try to sell product by fear, uncertainty and doubt and they paint the attacker as this hacker, this upper tier computer genius that is untouchable. That's not really the truth. You have those types of attackers out there, but 98% of cyber criminals, they're just good social engineers. They don't really understand the dynamics or the security or anything else, but they don't have to, the more sophisticated tools that cyber crime has like bots, ransomware, things like that, typically, the 98 percentile of cyber criminals have never experienced those, they wouldn't know what to do with them.
What we're seeing now is that vendors have almost, it's almost been subconscious. They're starting to understand that, hey, we've got an entire demographic of criminals that we've never marketed to. So now we're starting to see these services being offered and developed to where that unskilled criminal can now use them. You see marketplaces like Genesis, Genesis Marketplace is a bot marketplace. They've got 400,000 bots on there. The bots range anywhere from $3 and 75 cents up to $400 and then the bot sits on someone's network, that person then goes to sign into their bank account or a retail merchant, or email, where have you, the bot captures the cookie.
It captures the browser fingerprint, their credentials, every single thing that the attacker then needs to take over that specific account but the marketplace also, the developers also understand that, hey, these people wouldn't know what to do with a cookie if they had it. So in order to help them out, that marketplace has a standalone browser or a browser plugin that then automates everything for that person who buys that bot. Plugs it all in so you don't have to know anything at all, lets you come in, bypass multifactor authentication, take over the account, do whatever you want to and that's just one aspect of how cyber crime is continuing to be refined. We're seeing that across all these different cyber crime verticals about how these products are being developed and marketed toward that unskilled cyber criminal that's out there and that, that's really scary. - Well, Brett, this has been very, very interesting set of conversations we've been having here. Before we let you go though, we like to do a segment we call fun facts and so I wonder, do you have a fun fact you'd like to share with our audience? - You know, I do.
You had mentioned that before I came on the show and I really didn't know what I was going to talk about until eastern Kentucky got hit with these devastating floods. I'm from Hazard, Kentucky, you know, that center of where all the floods have hit and I've had friends, relatives that have died and that have also lost every single thing that they've had. We're very poor people.
I was very fortunate that I was able to get out of that environment, but my heart is still in eastern Kentucky and what I read was is evidently there's been some people that have been, you know, historically, hillbillies have been kind of disparaged and looked down upon. Someone was kind enough to post the origin of the word hillbilly and I would just like to read that 'cause I thought it was interesting. Hillbilly, the word originates from Scott's Irish, the Ulster Scots in Northern Ireland who moved into the Appalachian mountains in the 1700s, billy or billy's was the term meaning brother, friend or comrade. Billy boys was the term used referring to the Ulster Protestants who supported William of Orange, AKA Billy, in invading England. They were also known to wear sashes around their necks coining the term rednecks and once the Scott's Irish moved or migrated in droves to the United States, they quickly moved into the mountains and hills of Appalachia.
The Billies, now were comrades of the hills and mountains, therefore, became known as hillbillies. So I just thought I'd share that. - That is fascinating actually and the redneck thing too, I had a totally different- - I did too. - Backstory on redneck in mind. And Camille, I think for your benefit, you're actually technically on vacation. So are you gonna take a vacation from- - Oh, I should, I should (indistinct) my fun fact, you know, my fun fact is gonna be simple.
I think it's very interesting that there is only one kind of tea plant that exists. I mean, of course you can drink, you know, peppermint tea or chamomile tea, but if you're going to drink just tea, green tea or black tea, it's one kind of camellia and it just depends on how you treat the leaves. How much oxidization you use whether it's green or black in the end. - I had no idea. - I did not know that either. That's very cool.
So my fun fact is gonna be in honor of the summer because we are finally having the summer in the Northwest and it has to do with sunglasses. So of course we think about sunglasses as a way to protect your eyes from bright sunlight or a fashion accessory but sunglasses were originally made out of smokey quarts in the 12th century, China, where they were used by judges to mask their emotions when they were questioning witnesses. - I guess that's why cops wear the mirrored glasses sometimes too, is to mask their emotions. - They're all trying to look like Ponch and Jon from the Chips. Brett, thanks so much for coming in and talking to us today, it was a really interesting and lightning conversation on the dark web. - Thank you so much for having me.
I appreciate it. - [Narrator] Thanks for joining us for Cyber Security Inside. You can follow us here on YouTube or wherever you get your audio podcasts.
- [Announcer] The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation. (gentle upbeat music)
2022-09-21 10:42
