Brett Johnson Helped Invent Cyber Crime; Now He Helps Fight Fraud

Brett Johnson is a former criminal who helped invent the cyber-crime industry. He was instrumental in designing and implementing modern identity theft, account takeover fraud, IRS tax fraud and other online attacks. Johnson created ShadowCrew, the precursor to today’s darknet markets, which led the U.S. Secret Service to dub him “The Original Internet Godfather” and earned him a spot on the FBI’s most wanted list. Today he works as a security consultant and is one of the world’s foremost authorities on cybercrime and identity theft. He offers an insider’s perspective on the growth of identity fraud targeting government agencies.

How did the pandemic impact identity fraud?

Before the pandemic, certainly you had some government fraud, but it was typically tax fraud. The pandemic changed that. News stories came out about unemployment systems getting hit. Washington State was a big one. California was a big one. When I was a criminal, one of the things that we taught — and it still goes on today — is you scan the news, indictments, government websites and things like that to see what type of fraud is happening. People share that information on Telegram [an encrypted messaging service often used by cybercriminals] and then someone tests it out to see if it’s as easy as the news article says. We know it was.

The government instituted these stimulus programs out of desperation. They were afraid the economy was going to tank. When you do something in desperation, you tend to make poor choices. Some of these programs had absolutely no security in place for at least six months.

The issue was a lot of these states had never seen this type of fraud at that scale. But the normal online fraudster knows how to commit credit card fraud and steal identities. Those skills translate beautifully to committing government benefit fraud — and it ate states alive.

What do agencies need to know about how cybercriminals think?

When these attacks hit, governments started to institute security piecemeal. But you need to take a layered approach. I don’t care what the security service or product is — knowledge-based authentication, liveness detection [technology to determine if a facial image is a live person or a fake] or anything else. An attacker can overcome any single tool you put in place. The idea is to make them jump through so many hoops that it becomes difficult, time-consuming and costly for them to hit your organization.

A cybercriminal can probably get through all the layers of security if they really want to, but this is typically a lowest-hanging-fruit type of attack. Criminals are looking for the easiest access that gives the largest return on that criminal investment. If you have just a modicum of security in place, the chances of them finding an easier target are almost 100%.

Cybercrime networks, a concept you invented, have grown dramatically. What’s the impact of that?

When I was a criminal, we had to understand every dynamic of the fraud we were committing — how to overcome security systems, how to create fake driver’s licenses, how to steal identities, how to launder money. That’s not the case these days. The skill and the sophistication are in the platform itself. The fraudster is plug and play. You can buy a tutorial on Telegram for $5 that will tell you how to answer questions to get a $36,000 FEMA grant. There are SNAP fraud tutorials. There are live classes where someone will take you by the hand and lead you through how to commit a specific type of fraud.

When I ran ShadowCrew, we had 4,000 members when we were shut down in 2004. Now you have cybercrime environments where you have hundreds of thousands — sometimes millions — of members, all of them looking at how to steal or profit from a person or an organization. Unfortunately, a lot of the time the easier targets are government benefits. Successful cybercrime requires three things: gathering data, committing the crime and cashing out. A single attacker usually can’t do all three. But a group of skilled criminals working together with each person concentrating on their area of expertise is very effective.

I also don’t think government agencies respect or understand the amount of information sharing that goes on in cybercrime environments. Once someone finds a workaround for some security service, everyone is looking for companies and organizations that use that same service. Certainly, you have upper-tier hackers, but their numbers are extremely small. More than 90% of attacks use known exploits. It’s not zero-day attacks; it’s not unknown vulnerabilities; it’s not computer geniuses. It’s a threat landscape where organizations know what the problems are, but they haven’t filled those security holes. That makes it easy for criminals to scan the landscape and find targets. It’s the vulnerabilities we know about — and we’re not doing anything about — that cause these issues.

How will cybercriminals use AI?

There’s no doubt criminals will use AI, but I don’t think we’re really seeing it yet. AI is being used on dark-web marketplaces for customer support. We’re starting to see it used in scams that involve building trust — romance schemes, things like that — and to create phishing emails. I think we’ll reach the point where AI is used for real-time deep fakes. Instead of using a recording, which is what usually happens today, this technology will be able to carry on a real-time conversation using audio, video or both. That will cause a hell of a lot of damage.