Interview: Brett Johnson, ‘Original Internet Godfather’

Dr Rois Ni Thuama is head of cyber-governance at Red Sift. She recently had a conversation with consultant and cybercrime expert Brett Johnson about his career on the dark side of cybersecurity, and what lessons he learned from it for his current work.

Rois: Thanks for your time Brett, it is such a pleasure to chat to you again. So, COVID-19’s weird, how are you managing during lockdown?

Brett: You know it’s interesting, the cabin fever doesn’t really bother me, because I spent five-and-a-half years in a 6’x9’ cell. I’ve got a yard, a house, video games, books, my family, so you know I’m good to go!

Rois: As you know, COVID-19 is giving rise to a huge increase in scams, I read a BBC report that cited a statistic that would blow your socks off. A rise of 667% in phishing emails, making COVID-19 the biggest phishing topic in history. Are you surprised by this increase?

Brett: I am not. So fraudsters, and I don’t really care what level they’re at, are extremely good at gauging what makes people really scared. In the US, potentially 30 million people will lose their jobs, we’re looking at a GDP drop of 40%-50%, the word ‘depression’ is being bandied about, so there’s a lot of fear, a lot of desperation, a lot of people hurting, a lot of people in need.

Fraudsters are very good at identifying that source of pain and asking how they can benefit from it. You’re going to see stolen stimulus checks, you’re going to see people being phished out with various fake public service announcements, from testing schemes to PPE schemes, ‘origin of the coronavirus’ and ‘treatment’ schemes. You’ll see malware and ransomware being installed using COVID-19 as a subject. Stuff like that, so no it doesn’t surprise me, not at all. 

Rois: So, for folks who are unfamiliar with your work history, would you give us a bit of insight?

Brett: Sure, the US Intelligence Service called me the Original Internet Godfather. Not a proud title but it’s a title that opens doors. The way I got it? I was convicted of 39 felonies, placed on the US Most Wanted list, escaped from prison, and I built the first organized cybercrime community, called ShadowCrew. It was a precursor to today’s Darknet and Darknet markets and it laid the foundation for the way cybercrime channels operate today. 

Brett explains that his chaotic childhood led to a number of encounters with the police but we agree that he really only exercised his choice to pursue a criminal career as an adult. Brett is disarmingly honest: “The first time I had a real job I stole from them, I worked for a telemarketing company. I stole a list of their contacts. I cold called them, ‘sold’ them hampers for food banks, took the money, didn’t deliver the hampers. I was caught, prosecuted, and spent three months in prison.”

Rois: When did your career as a cyber-criminal begin?

Brett: Honestly, as soon as I had access to a computer. I fell in love with eBay, then one night I’m watching Inside Edition, and had a light bulb moment. They profiled Beanie Babies. One rare Beanie Baby was blue, a high dollar collectible, it commanded a hefty sum. I bought a gray one, uploaded a picture of a blue one, sold it for $1500. The buyer complained, she wanted a blue one. I told her I sold you a blueish one and I learned the first lesson of cybercrime.

No one complains to law enforcement. One of the things I preach about today is that you need to alert the police. They need visibility on the scale of the problem. You need to be able to see a problem in order to fix it. The second thing I learned is if no one is complaining to the police, why send anything at all? I started marketing more lucrative products, delivering nothing, making even more money.

Rois: This is your cybercrime career with training wheels? 

Brett: Right, and I gained in confidence. I learned about electronic payments, back then you could steal using PayPal all day long, but I was still doing this all under my own name. I figured I’d need a fake driver’s license to set a bank account up and launder the money out through that. I’d get online, find a guy, send him $200 and my photo, you know what, he ripped me off! People get a laugh out of that, but you know it hurts to be victimized and I was angry. 

Rois: To remedy this injustice, what did you do?

Brett: Well I was angry, still needed the license but didn’t know where to get it. The only site that I could find was IRC (Internet Relay Chat), it’s still around today. Someone said they had something, it was a LIE. I kept looking around for a real website but there weren’t any. The closest I found was counterfeitlibrary.com and the only thing they dealt with was counterfeit degrees and certificates, like a degree mill: but they had a forum attached to it that was defunct.

So I started complaining about being ripped off. At the same time, two other guys joined the forum. The first, Mr Beelzebub was from Moose Jaw, Saskatchewan, and the other guy was Mr X from Los Angeles, California, and we became internet buddies. So, I’m bitching every day, Mr Beelzebub is trying to sell marijuana and Mr X is trying to make money. We also talk on ICQ all the time, and one day Mr Beelzebub pings me on ICQ and says, “Hey Gollum I can make you a fake ID”. I told him to make it. Beelzebub wanted to charge me and said “if you’re going to be online you have to be able to trust. Trust is key. So I’m going to charge you $200 but I am going to send you the fake ID” and the more I work on the good side of things, the more I realize how true it is.

Two weeks after this conversation, my fake ID arrives, my picture with a real person’s details. The idea was Beelzebub’s. He wanted to be able to sell fake IDs online and I was his reference customer. Mr X made a passable social security card. I became the reviewer. This platform becomes a criminal’s Field of Dreams, if you build it, they will come. 

Brett finds himself reviewing products and at the same time he’s posting tutorials on how to rip people off. This becomes the first site of its kind that dealt with organized cybercrime and allowed people to come in, learn, and network with each other. CounterfeitLibrary transitioned to ShadowCrew. Brett built and ran both and eventually rose to the top.

These sites created a trust mechanism through a large communications channel that criminals could use; tutorials and postings remained relevant. There was a review system, voucher systems, and even an escrow system in place.

If you look now at the top credit card or identity thieves over the past 20 years, all those people began with CounterfeitLibrary and ShadowCrew. A Ukrainian associate of Brett’s, Dmitry Golubov, opened up CarderPlanet, the genesis of card theft. What began on those three sites was the impetus for modern financial cybercrime as we know it.
 
Fortunes changed and in August 2004, ShadowCrew made the front cover of Forbes with the headline: Who’s stealing your identity? By October 2004, the US Secret Service arrested 33 people, in six countries in six hours. Unfortunately for Brett, he was the only guy publicly mentioned as getting away, which came as a surprise to his wife who thought he was an eBay reseller. 

Rois: What do you consider to be the most important takeaways from how cyber criminals operate and what businesses and individuals should do?

Brett: There is categorically no way anyone on our ShadowCrew forum would have permitted another criminal to use their screen name. Each of us protected our identity because we understood its value. Our established identity was absolutely crucial to our business. So, I honestly don’t understand why businesses are still leaving themselves wide open to being phished via impersonation.

As I said earlier, we’re seeing this with COVID-19. What was that statistic you mentioned, a 667% rise? You and I have discussed these well-known stats before, 92% of cyber-attacks start with a known vulnerability, 92% of targeted attacks start with a phishing email. Businesses need to fix that. 

If I have one other thing to add it would be Mr Beelzebub’s lesson about trust. You must trust, you cannot operate without trust but you don’t place it blindly. You place it judiciously, after enquiry. You have got to have a mechanism to make sure your contact is trusted or trustworthy. 

It seems to me sometimes that our due diligence with ShadowCrew was just more diligent than some firms out there.
