Ways to make fraud less lucrative.
Brett Johnson: Back then, you had to know everything. These days, a criminal doesn't need to know anything. And because of that, the numbers of cybercriminals continue to explode.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Brett Johnson. He's chief criminal officer at Arkose Labs.
Dave Bittner: All right, Joe, before we jump into our stories this week, got a little bit of follow-up here. What do we got?
Joe Carrigan: Yeah. Before we get to this letter here, I want to ask - I want to follow up on our comments last week from the Twitter check mark comments.
Dave Bittner: Yeah.
Joe Carrigan: What a mess that has become (laughter).
Dave Bittner: Oh, my gosh.
Joe Carrigan: That has gone so sideways...
Dave Bittner: Yeah.
Joe Carrigan: ...In ways that I had no idea it was going to do that. And actually you probably - I probably should have been able to see that coming.
Dave Bittner: (Laughter) Right. Last one who leaves, turn out the lights.
Joe Carrigan: Right. Exactly.
Dave Bittner: I'm waiting for fail whales to come back. Do you remember the fail whales?
Joe Carrigan: I do not. What are the fail whales?
Dave Bittner: The early days of Twitter, they didn't have enough server capacity to handle the traffic. And so sometimes you'd go to try to use Twitter, and this picture of a whale would come up being - like, this whale was being carried by a bunch of birds. It was a stock photo, but it got to be known as the fail whale when Twitter wasn't working. So I'm just counting down the days for the return of the fail whale because, you know, whatever engineers got fired, on their way out, you know, they pull the plug on a bunch of servers or something. Who knows? But yes, you're correct. It is a bit chaotic over at Twitter these days.
Joe Carrigan: Yes.
Dave Bittner: (Laughter).
Joe Carrigan: So we do have a letter from someone who was listening and they said, hi, Dave and Joe, your advice about bookmarking URLs to avoid typos, I find that adding them to my password safe is the best answer. And I kind of agree with that, if that's an option for you. I don't have a password safe that's integrated with my web browser. Mine is independent of the web browser. It's actually called Password Safe. And I'm moving to KeePassXC, I believe, because I now have a Linux laptop that I use.
Dave Bittner: OK.
Joe Carrigan: And it's a similar thing. It lets you use Yubikey on Linux.
Dave Bittner: OK.
Joe Carrigan: But I digress again. Anyway, so this listener, whose name, by the way, is Graham - I should've mentioned that earlier - says that there's three advantages to using your password manager. One, you sync across all browsers and devices, which is true with a lot of these browser-integrated password managers.
Dave Bittner: Right.
Joe Carrigan: It's more controlled. Unless you put effort into your bookmark management, you could end up clicking on the wrong one, right? That's correct. And most importantly, it integrates with the user credential management and encourages further use of the password manager, which is correct. Also, it won't - if you rely on that heavily, it won't let you enter a password into a domain that isn't correct.
Dave Bittner: Yes, I was just going to say that, which is important.
Joe Carrigan: Another benefit. So if you're using a browser-integrated password manager, that's really the best option.
Dave Bittner: Yeah. And just to clarify on that, what we're talking about is that if you go to a domain that looks very, very close to the actual domain you're trying to go to - in other words, someone is trying to spoof a legitimate domain...
Joe Carrigan: Right, with typosquatting or something.
Dave Bittner: ...Yeah - and you try to use your password manager to put in your credentials, your password manager will say, hold on a second here, cowboy.
Joe Carrigan: Right.
Dave Bittner: This is not the domain you think it is. Are you sure? And so it's just a nice additional little level of basically your password manager watching your back for you.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: Graham goes on to say, with respect to multiple jobs, one of the engineers working for me used to work for a consultancy firm. And when he started, he said he continued to want to do some work with them, which is kind of a lot like what I'm doing with Harbor Labs and Hopkins, I guess.
Dave Bittner: Yeah.
Joe Carrigan: He's doing it out of core hours and in return - how I got the company to agree to it - he still has access to mentors and experience that come with the consultancy instead of working for a single financial company, which is where he works, where Graham works. Yes, we have to trust that he won't give the consultancy firm any of our data or information, but that's a risk I feel is justified and - for his and, indirectly, our benefit as well. I - you know, I generally believe that people are ethical.
Dave Bittner: Yeah.
Joe Carrigan: And, you know, in a professional setting, yeah, that is a risk that you run, but if these businesses are different enough, I think it's a really low risk. And you can make it explicit in the employment contract as well.
Dave Bittner: Yeah. We got a number of responses to our conversation about people taking on multiple jobs.
Joe Carrigan: Yeah.
Dave Bittner: Some people were quite fired up about it...
Joe Carrigan: Right.
Dave Bittner: ...Saying, you know, what's the problem? And so just to clarify, I mean, I think if you're on the up and up with both employers and you let them know what's going on and they're OK with it, then I don't see their any problem - being any problem with it. However, I can't think of many employers who would be OK with you having two full-time jobs.
Joe Carrigan: Right.
Dave Bittner: Right? It's one thing to have a full-time job and, you know, deliver pizzas on the weekend or do some consulting or pick up some extra work. You know, lots of people do that, and I don't think there's any problem, again, as long as you're straight with your employer, run it by them, and they say, yeah, that's there's no conflict there.
Joe Carrigan: Right.
Dave Bittner: But I think a lot of what we were talking about was people who are not being honest about it, who are taking multiple jobs either to try to have multiple full-time jobs or just outright fraud.
Joe Carrigan: Yeah, outright fraud is indefensible, right?
Dave Bittner: Yeah.
Joe Carrigan: And if anybody thought that I was endorsing that, no, I'm not.
Dave Bittner: Yeah. No, no, I don't think anybody was. I think...
Joe Carrigan: Right.
Dave Bittner: I mean, more of the steamy feedback we got was from folks who were saying there's nothing wrong with this, that, you know, - that disagreed with us that there could be any problem with someone working multiple jobs. And so...
Joe Carrigan: Yeah, I'm kind of falling in that camp. I mean, I understand their position on it...
Dave Bittner: Yeah.
Joe Carrigan: ...That - yeah, as long as you are performing up to the standards of both jobs to an acceptable level.
Dave Bittner: Yes, but I would add, and as long as both jobs are OK with it.
Joe Carrigan: Right.
Dave Bittner: You know, I think you should be on the up and up and be straight with both of them so that they can evaluate you with that in mind.
Joe Carrigan: Right.
Dave Bittner: So...
Joe Carrigan: It might help.
Dave Bittner: Yeah. Yeah. All right, well, our thanks to Graham for writing in to us. We do appreciate that. We would love to hear from you. Our email address is hackinghumans@thecyberwire.com.
Dave Bittner: All right, Joe. Let's jump into our stories this week. I am going to kick things off for us. I actually got a note from our friend, Dr. Christopher Pierson. He is the CEO of the organization called BlackCloak. I'm pretty sure we've had him on this show. I know he's been a regular guest over on the CyberWire. And Chris's company provides concierge services for high-net-worth individuals and high-profile individuals.
Joe Carrigan: Right.
Dave Bittner: So, in other words, if you're a sports star or you're a CEO of a big company, they come in and take care of the - kind of the unique problems that you face as someone who's in that situation because, you know, their problems are not like yours and mine...
Joe Carrigan: Right.
Dave Bittner: ...When it comes to people, you know, coming after them and trying to get on their home network and, I mean, even as far as things like kidnapping, which happens, you know?
Joe Carrigan: Right.
Dave Bittner: So anyway, their company specializes in that sort of stuff. And Chris was listening to one of our recent episodes and sent over a report that kind of follows up on something we were talking about. And this is about registration bombing email attacks. There's an article over on the BlackCloak website. We'll have a link to it. It was written by Daniel Floyd. And basically what this involves is - let's say I'm going to do a bit of fraud with you, Joe.
Joe Carrigan: Right.
Dave Bittner: Let's say that I have gotten my hand - in the example they use here, I have gotten my hands on your walmart.com account information, right?
Joe Carrigan: OK.
Dave Bittner: So I'm going to log in as you, and I'm going to log in to walmart.com, and I'm going to buy something, right? I'm going to buy myself a new toaster.
Joe Carrigan: A new toaster.
Dave Bittner: Right - going to have it shipped to me. Well, when I buy that toaster, Walmart's going to send an email out that says, good news. Your new toaster is on the way. Right? And it's likely that you will see that and go, I didn't go - I didn't buy a toaster.
Joe Carrigan: Right.
Dave Bittner: Wait a minute.
Joe Carrigan: Of course.
Dave Bittner: So you could get in there and, you know, maybe stop it or whatever. So what this registration bombing is, is the bad guys use bots to flood your inbox with registration verification emails.
Joe Carrigan: Right.
Dave Bittner: So they will set these bots out, registering you for hundreds, if not thousands, of things. They could be newsletters. They could be, you know, websites. Who knows what they could be, right?
Joe Carrigan: But they're all like, please click here to confirm that you signed up for this.
Dave Bittner: Right. And so the plan is, hidden within all of these hundreds of nuisance emails that are flooding your box...
Joe Carrigan: Right.
Dave Bittner: ...Is the message from Walmart.
Joe Carrigan: Right.
Dave Bittner: And you're much more likely to miss it when it's in the midst of all of this noise that they're throwing at you...
Joe Carrigan: Yes.
Dave Bittner: ...Over and over again. So I thought this was interesting. It's an interesting report. We'll have a link to it here in the show notes. In terms of, you know, fighting something like this, I guess, first of all, be vigilant that if you find yourself being flooded by this sort of thing, just know that it may be...
Joe Carrigan: Right.
Dave Bittner: ...An attempt to misdirect you...
Joe Carrigan: Right.
Dave Bittner: ...Because something else is going on.
Joe Carrigan: Dave, I think I'm going to implement something to mitigate against these kind of attacks 'cause I've been thinking about this for a while.
Dave Bittner: Yeah.
Joe Carrigan: I have a number of emails, and if anybody does any amount of cursory research on me, they can probably find these emails.
Dave Bittner: OK.
Joe Carrigan: And the thing about these emails is they're very old, and I love them very much because it's six characters, Dave.
Dave Bittner: (Laughter) OK.
Joe Carrigan: It's so awesome having a six-character email address.
Dave Bittner: OK.
Joe Carrigan: But at the same point in time, I've signed up with all kinds of crap with these email addresses.
Dave Bittner: Sure.
Joe Carrigan: And I have a Yahoo email address and a Gmail address. But I think it's going to be time very soon for me to just start doing email addresses for my own kind of business. Like, all the credit cards that I have, I'm going to have, like, a credit card email address, or maybe, like, all the bills I have to pay, I'll have a bill email address...
Dave Bittner: Right.
Joe Carrigan: ...And put the credit cards in there with that - you know, banking as well. And then I don't use that for anything other than correspondence with these institutions.
Dave Bittner: I see.
Joe Carrigan: Right?
Dave Bittner: Yeah. Yeah.
Joe Carrigan: That way - and I don't publish that, and I don't say, hey, here's my email for you to contact me. That's not the email for you to contact me. That's the email for my bank to contact me.
Dave Bittner: Right.
Joe Carrigan: And I think that's probably a good idea. I don't know if - you know what? I'll try it, and I'll let you know how it works.
Dave Bittner: You know, there's another method I've seen folks use with Gmail. You can append your email address with a...
Joe Carrigan: Yeah.
Dave Bittner: ...Like, is it a plus sign you put after your name or something like that?
Joe Carrigan: Something like that.
Dave Bittner: Yeah.
Joe Carrigan: Maybe a - no, no, it is a plus sign. A dot is something different with Gmail.
Dave Bittner: Yeah, I think it's a plus sign. So in other words, if your email address at Gmail was joe@gmail.com...
Joe Carrigan: Right.
Dave Bittner: You could say Joe and then plus sign banking...
Joe Carrigan: Right.
Dave Bittner: ...At gmail.com, and you could sign up for all your banking things using that. They would send a message to joe+banking@gmail.com, and...
Joe Carrigan: Right.
Dave Bittner: You would get that in your Joe email box, but it makes it very easy for you to filter.
Joe Carrigan: Right. It makes it easy for me to filter, but anybody that sees my email address will know what my email address is. And the idea is...
Dave Bittner: Yeah, that's true. Then they could strip it out.
Joe Carrigan: Yeah, they could strip it out.
Dave Bittner: Yeah. No, it's true - good point.
Joe Carrigan: I think the best thing to do is have - just have a different Gmail address. They're all free.
Dave Bittner: Yeah.
Joe Carrigan: Remember back in the days when you had to get recommended to Gmail?
Dave Bittner: (Laughter) You had to know someone.
Joe Carrigan: You had to know someone. Yeah, you did. That's how I got my Gmail account.
Dave Bittner: Yeah.
Joe Carrigan: Thank you, Nancy Debnam...
Dave Bittner: Times have changed.
Joe Carrigan: ...For sending my invite.
Dave Bittner: That's right. All right. Well, we will have a link to this report from our friends over at BlackCloak - again, our thanks to Dr. Christopher Pierson for sending this over. We do appreciate it. Joe, what do you got for us this week?
Joe Carrigan: Dave, I know we've talked about these kind of things before...
Dave Bittner: Yeah.
Joe Carrigan: ...A lot. But the FBI is now talking about a really big step up in tech support scams, and they're targeting financial accounts using remote desktop software, which is kind of what the scam is.
Dave Bittner: OK.
Joe Carrigan: The Boston division of the FBI is warning about an emerging trend. I don't know that I'd call this an emerging trend except for these guys are just getting more sophisticated, that what they're doing is the same thing that they've always done, where they put a pop-up on your screen somehow with, like, a website. They have either tricked you into going to someplace you shouldn't have gone...
Dave Bittner: Right.
Joe Carrigan: ...Or they've compromised some website that you go to anyway, like a watering hole attack.
Dave Bittner: Yeah.
Joe Carrigan: And they say, your computer is infected. Please call Microsoft Tech support. Or they'll call you, and they'll say, you know, we've - this is Microsoft Tech support. We found the virus on your computer.
Dave Bittner: Sure.
Joe Carrigan: Right, which should be the first red flag for anybody.
Dave Bittner: Yeah.
Joe Carrigan: Right? Tech support never calls you. It just doesn't happen.
Dave Bittner: Right.
Joe Carrigan: Wouldn't it be great if that was the way it worked? It would be nice.
Dave Bittner: Yeah.
Joe Carrigan: My computer's not working. Ring, ring - oh, we notice your computer's not working. No, that's not how it works.
Dave Bittner: It would go right to voicemail.
Joe Carrigan: Right. It would.
Dave Bittner: (Laughter).
Joe Carrigan: So in 2001, nation - I'm sorry. I said 2001. It's 2022. So in 2021, the FBI says that 23,903 people reported losing more than a third of a billion dollars due to tech support scams...
Dave Bittner: Wow.
Joe Carrigan: ...Which was a 137% increase over the losses in the previous year. Sixty percent reported to be over 60 years old. So this is a scam that older people fall for...
Dave Bittner: Yeah.
Joe Carrigan: ...At a higher rate, probably because they're not digital natives.
Dave Bittner: Could be. Yeah.
Joe Carrigan: And I saw a news report on this where they had an agent from the FBI on. And she was saying that it's something that definitely targets older users. Now, we've seen other data that says that older users are less likely to fall for scams. But I think in this scam, they're the ones that are more likely to fall for it - right? - because younger users have grown up in this world. They know tech support doesn't call you or reach out to you.
Dave Bittner: Oh, OK.
Joe Carrigan: Right. They know that. Older users might not know this. But get this, Dave. There was a couple from Maine that lost $1.1 million in a tech support scam.
Dave Bittner: Wow.
Joe Carrigan: You blinked really slowly there.
Dave Bittner: (Laughter).
Joe Carrigan: That was - I saw that number, and I had the same reaction. This was after receiving a pop-up alert advising them that their computer had been breached...
Dave Bittner: Yeah.
Joe Carrigan: ...And that there was an attempt to compromise their banking information. So they were urged to call Microsoft, who then put them on the - Microsoft in quotes. And this is in the FBI report, by the way. This is all coming from fbi.gov, and we'll put a link in the show notes. But I love this. I love the quotes - the use of the quotes here. They got a call from Microsoft, who then put them in touch with somebody from Fidelity so that they could transfer their money to Coinbase for safekeeping.
Dave Bittner: Oh.
Joe Carrigan: And these people got away with $1.1 million of these people's money, which is absolutely infuriating. There was a New Hampshire resident who lost approximately $1 million after receiving a pop-up alert that she had been hacked. After calling the tech support number, a man with a foreign accent advised her that several bank accounts had been compromised and CSAM had been found on her computer. So there is nothing that will short-circuit your thinking faster than that, right?
Dave Bittner: Right.
Joe Carrigan: If you're somebody who doesn't understand how computers work; you just understand how to use them, and somebody goes, wow, you got some terrible, terrible, terrible stuff on your computer, and, you know, we're looking at this; let me help you - remember; this is what I call the social engineering one-two punch. You have a problem. I have a solution. So that resident of New Hampshire lost almost a million dollars. There is a Rhode Island woman who lost $200,000. These - another Massachusetts woman lost $200,000. These are tech support scams that are costing people orders of magnitude more than they used to.
Dave Bittner: Yeah.
Joe Carrigan: I mean many orders of magnitude more. You would - we would get tech support scam stories, and it'd be like, somebody lost $1,000. Somebody lost $2,000. These people are now losing hundreds of thousands and millions of dollars.
Dave Bittner: It's amazing.
Joe Carrigan: It is.
Dave Bittner: You know, just about a week ago, I was at my local CVS drugstore, and I was buying a gift card for a family member's birthday. And so I went up to the register to buy my gift card. And I was impressed that on the little, you know, device where you put in your credit card information, a message popped up with a warning about gift card scams.
Joe Carrigan: Good.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: Nice.
Dave Bittner: I had to, you know, click through. And it was just an extra screen that said, you know, we see you're buying a gift card. Just in case (laughter), you know, here you go.
Joe Carrigan: Do you have somebody on the phone telling you to buy the gift card?
Dave Bittner: Right. And it asked a bunch of questions. It pointed out things. So, you know, I think that's good that the retailers are doing - taking that extra effort to try to, you know...
Joe Carrigan: Yeah.
Dave Bittner: ...Help people understand what may be going on here.
Joe Carrigan: Right.
Dave Bittner: Yeah. All right. Well, gosh, word to the wise, right? - millions of dollars lost on these sorts of scams.
Joe Carrigan: That's probably their retirement savings.
Dave Bittner: I'm sure it is.
Joe Carrigan: Yeah. And it's probably gone.
Dave Bittner: Yeah. Oh, sure.
Joe Carrigan: It's absolutely heartbreaking.
Dave Bittner: Yeah. No, it's awful. All right. Well, we will have a link to that story in the show notes. Joe, it's time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from a listener. It's a story that was written by the listener. He's got an interesting story about a Steam account takeover attempt. So I'm going to let you just go ahead and read Norman's story.
Dave Bittner: OK. He writes in and says, my name is Norman. I'm from Germany, and I study computer science. I really enjoy listening to your podcast. Last week, someone tried to steal my Steam account. I was contacted via Discord by a user that sent me a screenshot of my Steam profile and asked me if this was me. After I confirmed that, he told me that he accidentally reported me to Steam, and now my account will be permanently banned. Supposedly, he was scammed on Steam for $450 on a sale, and the scammer had the same profile picture, and that's how he ended up reporting me to Steam. Now to prevent my account from being banned, I should please contact a Steam or Valve developer via Discord or Steam Chat who can fix it. This alleged Steam employee sent me a fake certificate saying that he works at Steam.
Joe Carrigan: (Laughter).
Dave Bittner: After that, he said he would have to search my account to verify I am not the scammer. After this, he will send me an email, and I should send him the link back so he will be able to perform the verification. The email was a recovery link that would allow my account to be taken over. In the mail was also that the request comes from the Philippines. On my question whether he does not work in the U.S., he answered, but he was disconnected via VPN. The text seemed very good, and I couldn't find any serious errors, but I'm not a native English speaker, so maybe I just didn't notice them.
Joe Carrigan: Ah.
Dave Bittner: Thanks for your podcast, and please keep up the good work. Best regards, Norman. All right, what do we got here, Joe?
Joe Carrigan: So that is a very good point. I want to focus on that point first. Did Norman - did he say was from Germany?
Dave Bittner: Yes.
Joe Carrigan: So not a native English speaker, but can write and speak English pretty well, probably.
Dave Bittner: Yeah...
Joe Carrigan: Most Germans can.
Dave Bittner: ...Better than most of the scam...
Joe Carrigan: Yeah.
Dave Bittner: ...Most of the Catches of the Day that we get here, right? So...
Joe Carrigan: Right. But Norman makes an excellent point. Not being a native English speaker, being communicated to in English, you might miss what a native English speaker would catch.
Dave Bittner: Sure.
Joe Carrigan: I think that's worthy of note. What's going on here is - we've had stories like this before - they're just trying to steal your Steam account because you can do the, reset my password, I've lost access to my Steam account. Here's the thing about a Steam account, Dave.
Dave Bittner: Yeah.
Joe Carrigan: I've spent a good amount of money on games on Steam.
Dave Bittner: OK.
Joe Carrigan: Not tons of money, but over the years, it's probably been more than $1,000.
Dave Bittner: OK.
Joe Carrigan: Right? If I lost that, I would lose a significant - access to a significant amount of things I purchased.
Dave Bittner: Right.
Joe Carrigan: So people know that these things have value. Now, fortunately for me, I don't have a lot of games that people want on my - they're all older games...
Dave Bittner: (Laughter) OK.
Joe Carrigan: ...Right? First off, I don't have time to play games anymore.
Dave Bittner: Yeah.
Joe Carrigan: It just doesn't happen. I used to love playing like Fortnite and things when - during the pandemic, but...
Dave Bittner: Sure.
Joe Carrigan: ...It's just - now we're back to normal, and I've - just haven't been on the gaming system.
Dave Bittner: Yeah.
Joe Carrigan: But...
Dave Bittner: But is that what they're after here? I mean, are they after your games? Are they after your...
Joe Carrigan: They're after your account because it has games in it, and your games might have items that they could then sell...
Dave Bittner: I see.
Joe Carrigan: ...To other people.
Dave Bittner: OK.
Joe Carrigan: So they can monetize your account and sell that. They can sell off your items in any game that you have that are tradeable. I don't play any of those games, so I'm not exactly sure how those work.
Dave Bittner: OK.
Joe Carrigan: There's other trading things that you get in Steam, and I don't know if you can trade and buy - there's gems. I don't know what that is. I just ignore it. I don't even know why it's there. I look at Steam like, I want to play a video game. Let me get the video game.
Dave Bittner: Right.
Joe Carrigan: And maybe I'm being the grumpy old man here, but (imitating old man) why can't I just play my video games?
Dave Bittner: That's right.
Joe Carrigan: Right.
Dave Bittner: Go to the arcade with my pocket full of quarters.
Joe Carrigan: Pocket full of quarters.
Dave Bittner: (Laughter).
Joe Carrigan: That's right. So, yeah, they're coming with the scam. The red flag of the scam should be that, oh, I accidentally reported your account, and now you're going to get perma-banned, which is the fear, right? That's the artificial pretext with the artificial time horizon. And the ask is you need to call the guy from tech support - who isn't a guy from tech support. It's probably the same guy...
Dave Bittner: Right.
Joe Carrigan: ...With two accounts. You know that you can have the Discord app open, and then you can open a web browser and log in to Discord as a different user and talk. Or even in Discord now you can have two accounts logged in and switch between them on the app.
Dave Bittner: OK.
Joe Carrigan: I think that's a relatively new feature. I don't know. Maybe it's old, and I just missed it until recently.
Dave Bittner: Yeah. Yeah. I am famously not on Discord because - at one point I was because of - "Grumpy Old Geeks" has a Discord area.
Joe Carrigan: Right.
Dave Bittner: And I just had a lot of trouble logging in to Discord, to the point where I just gave up.
Joe Carrigan: (Laughter) Right.
Dave Bittner: OK. You know, you don't want me here, fine.
Joe Carrigan: Right.
Dave Bittner: So...
Joe Carrigan: I'm done.
Dave Bittner: Yeah. It's fine.
Joe Carrigan: I get it.
Dave Bittner: You know, my life goes on, you know?
Joe Carrigan: Right.
Dave Bittner: All right. Well, again, our thanks to Norman for writing in to us. We do appreciate him. And we would love to hear from you. Our email address is hackinghumans@thecyberwire.com.
Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Brett Johnson. He is the chief criminal officer at Arkose Labs - really interesting guy, interesting interview. Here's my conversation with Brett Johnson.
Brett Johnson: The United States Secret Service referred to me as the original internet Godfather. Now, the way I got the title was 39 felonies - because 38 just ain't enough - a place on the United States Most Wanted list. I escaped from prison, and I built and ran the first organized cybercrime community. It was called ShadowCrew. It was a precursor to today's darknet. Darknet markets laid the foundation for the way modern cybercrime channels operate today. The 39 felonies had to do with refining modern financial cybercrime as we now know it. And, yes, that does get one sent to prison, deservedly so. And usually that's where the story ends.
Brett Johnson: If the bad guy gets out of prison, he is soon to go back to prison, and he stays the rest of his life there. I was very fortunate with the help of my wife, my sister and then, finally, the FBI. I was given the opportunity to turn my life around. I took it, and today, I - I lead a very blessed life today. I'm a spokesperson for AARP, and I speak across the planet. I'm chief criminal officer for Arkose Labs. Life is good. Life is good.
Dave Bittner: Well, good for you. And I suppose - I mean, that really gives you a unique insight into both sides of these things that we're facing here today. I mean, what drew you to - when you were on the dark side, what was the appeal there?
Brett Johnson: You know, I come by crime somewhat naturally. I'm from eastern Kentucky. My mother was a fraudster, and I grew up in that type of environment. From the age of 10 forward, I was always committing some sort of crime - frauds, scams, stuff like that - until I branched off into the internet age. And what you find with online crime is the way to develop trust with a potential victim is much easier than it is if you're in person. But not only that, you don't have to see the consequences of your actions, so you don't have to see the harm that you're causing that person that you're victimizing or that company that you're victimizing. So you're able to compartmentalize your life.
Brett Johnson: At the same time, it's almost like a puzzle-type mentality, and I love puzzles. So it's, how do you get past this security system? What tools do you need to use? What do you need to do to get access, information, data or cash? So that was very appealing. At the same time, I was very good about it. And what you see is if you're able to do something that no one else in your criminal community can do, you gain the respect of every single person in that environment. And that respect equates to cash, of course, but it also is one hell of an ego boost. So all that rolled in together is internet crime.
Dave Bittner: And you were successful, I guess, for many years, right up until the moment when you weren't, right?
Brett Johnson: (Laughter).
Dave Bittner: ...When the consequences came, yes?
Brett Johnson: Well, that's a very good way to put it. I was doing just fine until I wasn't. I mean, we - the group that I ran - as I said, it was a first organized community that did this. We had 4,000 members. And the way we got caught, one of our members got picked up. He goes to work for the United States Secret Service, and it ends up getting the site busted. We made the front cover of Forbes August of 2004 with the headline, "Who's Stealing Your Identity?" October 26, 2004, the United States Secret Service - they swoop in, arrest 33 people in six countries in 6 hours. I'm the only person publicly mentioned as getting away.
Brett Johnson: You're right. It was very successful until it wasn't. But at the same time, it's - leading a life of crime, whether you're caught or not, is a - it's a very stressful, anxiety-ridden existence where you lie to every single person that you know and don't know. And you lose yourself pretty quickly in that type of environment. So it's - most people don't realize that. Most people think that, you know, if you're committing crime, as long as you're not caught, you're good to go. But that's not true at all.
Dave Bittner: As you look at the state of things today, I mean, compared to how it was when you were operating, have things changed very much?
Brett Johnson: They have. When I was operating, the sophistication was in the criminal themselves. So the - whoever the attacker was - back then, you had to know every single aspect or dynamic of everything that you were doing. You had to understand the security system of the companies. You had to understand your own operational security so that you weren't identified. You had to understand the way the tools and the processes and the techniques that you were using to attack - you had to understand how those things worked. You had to understand drop addresses, so every single thing along the way. You had to know how to launder money.
Brett Johnson: These days, the sophistication is no longer in the criminal. The sophistication is in the platform. Now we have cybercrime as a service. And we continue to see these products and services that are developed - like Caffeine or EvilProxy or Genesis Bot Marketplace - you see these products and services that are developed understanding that the 98 percentile of cybercriminals are not sophisticated. They don't really understand much of anything, but they don't need to anymore because it's done for them. Everything is off the shelf - products, services.
Brett Johnson: You can buy a tutorial for $10 that will walk you through how to commit one specific type of fraud. You can take live instruction classes. It runs anywhere from $300 up to $3,000. Or if you don't want to spend any money at all, you can simply go to a forum, start asking some questions, and usually, you'll get the help that you need in order to defraud some individual or some organization. So that's the difference now - is back then you had to know everything. These days, a criminal doesn't need to know anything. And because of that, the numbers of cybercriminals continue to explode.
Dave Bittner: And as you look at it, you know, the situation that we're faced with today, do you have any thoughts on what it might take to tamp down some of this? Are there areas that frustrates you where, you know, if only law enforcement did this or if only this would happen, we'd have a better chance of shutting some of these things down?
Brett Johnson: Well, I want to be fair to law enforcement. I think that law enforcement does an outstanding job. The problem is - and I'll give a the - my view of that right now. So across the United States, you've got 37,000 FBI field agents spread across 56 field offices. Of those 37,000 field agents, you've only got about 200 that concentrate on cybercrime. Of those 200, a lot of them concentrate on nation-state attacks. So you're dealing with less than 200 agents that are trying to fight millions of cybercriminals across the planet, trying to worry about jurisdictional boundaries, companies - countries that are protecting these criminals. The internet itself is - it lends itself toward anonymity. So you've got all these issues that go on. It's not just the FBI. For example, we had a lot of stimulus fraud. Well, the Small Business Association has a total of 29 investigators across all 50 states. So all these issues - you don't have enough law enforcement to take care of the problem. So that's issue number one.
Brett Johnson: Another issue is that cybercriminals are very good about sharing and exchanging information. We - and I say we 'cause I used to be one - we are very open source. The good guys are not. The good guys have privacy concerns. They have regulations, and they have competitive edges. A lot of the times, a company will not share how they're being attacked because they want that attack to go to their competitors. That's a problem because it really makes things easier for a criminal to come in and victimize you. At the same time, that threat landscape tends to be developed. And I'll quote a few statistics here - 90% of every single attack uses known exploits. So it's not zero-day attacks. It's not unknown vulnerabilities. It's the things we know about, that we've potentially been told about for years, that we're not doing anything about that causes the problem. Fifty-six percent of companies have experienced a breach because of third-party access. Your system, your network is only as strong as the weakest device which accesses it. Most companies have no idea how many third parties are accessing their systems. Of those third parties, none of them have been vetted. So that's another stat - 41% of every single router on the planet has the default password. That's your - you at your house. That's your financial institution. Ninety-two percent of every breach begins with a phishing attack.
Brett Johnson: So you think of things like this. This establishes that threat landscape that criminals come in, and they just find where the holes are. And at the same time, you know, you've got - you don't have enough manpower with law enforcement. You've not practiced proper cybersecurity hygiene. And let's be honest - a lot of security companies out there are snake oil salesmen. They will tell you, hey, our product is the only one that you need - complete lies. Or they'll come up with a good product and never innovate on that product. So you've got a lot of issues out there that open the door for a criminal to come in and victimize you or your organization.
Dave Bittner: You know, you're walking down the street in any big city, and you might come across some folks doing a three-card monte kind of thing, you know, your street-level fraud. And I think a lot of people will see that, and they'll know - they'll say right away, oh, you know, there's no way to win that. But there are enough people out there who don't know that that the fraudsters get away with it. To what part of - in the cyber domain do you think educating our users plays a part in this?
Brett Johnson: I think that it's not only about educating users. It's also about educating everyone across the board. So you're - this - I've talked - I've been to conferences, and I've talked to the salespeople on the floor for different companies. And the salespeople know the talking points of the product that they're selling, but they have no idea what cybercrime, identity theft, online fraud or anything else looks like, what cybersecurity - those issues are. They just know the talking points. So they've not been educated. And I see that across the board. It's - I think what we're dealing with is we have to - you educate your customers. You educate your employees. You educate management. You educate the people who are selling the products and services to you. And that's a huge, huge effort to do that. But I think it's an absolute necessity.
Brett Johnson: At the same time, you have to get to the point where you're sharing and exchanging information. On the criminal side, we understood years ago that by educating everyone across the board, everyone becomes more knowledgeable, but everyone becomes more profitable. On the good guys' side, they have to start to understand, hey, by educating everyone, everyone becomes more knowledgeable and more safe at the end of the day. That's what we have to do. We have to get to the point where we're not hiding the breaches that are going on, that we're reporting to law enforcement, that we're not only reporting to law enforcement, but we're following up with prosecution. A lot of the times, you see companies that are scared to prosecute because it sends a bad message to their existing customers. And that message tends to be, well, you can't trust our environment. We're past that now. Most companies have already been breached. People worldwide understand that, hey, cybersecurity is an issue. Most companies - my information is out there - everything else like that. So we have to be willing to prosecute. And when you send the message that, hey, we will send you to prison, it does - I can tell you for a fact, it does have an effect on cybercrime communities. These communities share this information - this company prosecutes. So those criminals tend to try to find different targets other than those.
Dave Bittner: I'm curious, Brett, you know, just from your own life, how do you go about protecting yourself and your loved ones from these sorts of things? Obviously, you know, you have a high level of knowledge, and I'm sure you can see a scam coming a mile away, but not everyone in your family probably can.
Brett Johnson: Well, you say that, but there was one year, about three years ago, I was hit four times in one year. So it can happen to anyone. And sometimes I'm in an audience and someone says, well, that would never happen to me. I think that's a blindside that you have, and that's the type of person that I would want to talk to if I were still a criminal, someone who has those blinders on. It's important to practice - to be situationally aware online as well as you are offline. You know, when we're in our physical world, we are well-aware if we go into a bad neighborhood or if something is wrong in our environment. Our situational awareness is pretty high. Online, it's not. Online, it's like, you know, we have no clue what's going on. We don't understand that there are predators in our environment, in any environment that we're on. I don't care what the website is. I don't care if it's social media, if it's a retail or merchant. There are predators everywhere that are trying to get you. Now, that doesn't mean you need to be scared or paranoid. It just means that you need to be aware that there are sharks in that ocean.
Brett Johnson: What I say is that, you know, cybercrime, to commit it, is not really sophisticated. It's not rocket science. It's not really rocket science to protect yourself, either. As an individual, the things that you can do is you can put a credit freeze on every single person in the house - that's free. Credit freezes stop all new account fraud. Works great for kids. So, yes, you need to put a credit freeze on your children, too. But start there, monitor accounts, and place alerts because a credit freeze stops new account fraud; it doesn't stop fraud on existing accounts. So freeze your credit, monitor accounts, place alerts on those accounts, and then finally, use a password manager, because 70-, 80% of everyone on the planet uses the same or similar logins across multiple websites. So that takes care of that issue. Those, I think, are the three big things to do. From there, you can use multifactor authentication, you can add other things on to it, the idea being to take a multilayered approach to your security. Understand your place in the cybercrime spectrum. Understand how a criminal will attack you. What is that criminal looking for from you? Is he looking for information, access, data, cash, a combination of those things? Design your security around the way that you will be attacked. For a company, it's still a multilayered approach.
Brett Johnson: Understanding that a criminal has a toolbox and he has a variety of tools with which to attack you, you need a toolbox as well, with a variety of tools to defend yourself. So you need identity verification processes. You need to be looking at the biometrics on the site, the device info. You need something to combat the automated attacks because over 50% of all internet traffic is bot-driven, so you need that. And these tools are not - they're not complicated. They're - they can be very effective when used in a multilayered approach to security. So I think that that tends to be the answer. And we have to get to the point also where we're sharing this information, where we're not blaming the victim for the crimes that are perpetrated upon them. So we - there are tons of issues out there that we need to address.
Dave Bittner: You know, when you look back to the time in your life when you were a criminal, how do you think about that time? I mean, do you try to stay positive - that there were positive lessons that came away from it? Do you have regret? How do you look back on it?
Brett Johnson: I have a (laughter) - I have a lot of regret, a lot of regret. I usually say that I lead a blessed life today that I don't deserve but I'm damn grateful to have. And there's a lot of truth to that. I don't see any benefit at all from leading a criminal lifestyle. I think that it's a despicable life. I think that it's a despicable behavior. You victimize everyone. You hurt everyone. You hurt people you knew, people you don't know. You hurt yourself. I mean, it's - there's absolutely no benefit to leading a criminal lifestyle at all. And I think about that every single day, every day. And I work hard every single day to protect businesses and consumers from that type of person that I used to be.
Dave Bittner: Joe, what do you think?
Joe Carrigan: That was an interesting story, Dave.
Dave Bittner: (Laughter) So you think he's an interesting guy?
Joe Carrigan: Yes.
Dave Bittner: Yeah, yeah.
Joe Carrigan: Yeah.
Dave Bittner: I mean, talk about a, you know, a colorful, interesting life...
Joe Carrigan: Right.
Dave Bittner: ...Yeah.
Joe Carrigan: Brett makes two points early on. One, it's easier to get someone to trust you over the internet, which is probably true. And I think - I've been thinking about this for a while. Why is that? Why does that work? And I think it's because people don't understand what's going on behind the scenes in their computer. You know, they've never had to understand how to connect things, right?
Dave Bittner: Yeah.
Joe Carrigan: Remember when you and I were on bulletin board services back in the '80s and '90s?
Dave Bittner: Yeah. Yeah.
Joe Carrigan: We had to know how to do all that stuff.
Dave Bittner: Yeah...
Joe Carrigan: Now you get a computer...
Dave Bittner: I love modems, yeah.
Joe Carrigan: Right. Now you get a computer and the hardest question about connectivity is what's the Wi-Fi password?
Dave Bittner: (Laughter) Right...
Joe Carrigan: Right?
Dave Bittner: ...Right, right.
Joe Carrigan: That's it. It's not, what's the baud rate, what's the stop bits?
Dave Bittner: Yeah.
Joe Carrigan: What client do I use? None of that, right? So I think the fact that all that stuff is abstracted away from the user kind of makes it mysterious. Or, I know it does, right? But I think that that mystery is what makes it easier to trust somebody when they say, hey, I know what's going on, right?
Dave Bittner: Right. So you're already - I don't want to say suspending disbelief, but you're already accepting a certain level of technological magic.
Joe Carrigan: Yes.
Dave Bittner: So what's a little bit more?
Joe Carrigan: Exactly. That's my point.
Dave Bittner: OK.
Joe Carrigan: The other thing is that bad guys don't have to witness the consequences of their actions.
Dave Bittner: Yeah.
Joe Carrigan: Which means if you're doing something terrible to people and you get to see what happens, that's going to have an impact on you. Not seeing it, you can walk away. You don't have to deal with it. It's easier to sleep at night. Interesting that he says that a life of crime is a stressful existence. Kind of glad to hear that.
Dave Bittner: (Laughter) Yes, yes.
Joe Carrigan: And it's also the reason why I'm not a criminal because I know - it's one of the many reasons I'm not a criminal, Dave, there's a lot of reasons why I'm not a criminal, one, because I tend not to be a bad guy.
Dave Bittner: Right.
Joe Carrigan: Or at least I think I'm not a bad guy. But I couldn't handle the stress. The stress would absolutely kill me. That would be it.
Dave Bittner: Right.
Joe Carrigan: I'd always be looking over my shoulder.
Dave Bittner: I just imagine a life looking over your shoulder all the time.
Joe Carrigan: Exactly.
Dave Bittner: Yeah.
Joe Carrigan: Going through the various defenses of a system that's been put to stop you from getting access is like a puzzle to these guys. That's 100% correct. That's why they do it, right? It's really attractive to them. And now there's big rewards at the end of it.
Dave Bittner: Yeah.
Joe Carrigan: So why not? It's fun and it's profitable.
Dave Bittner: Right. Right up until the moment you get caught.
Joe Carrigan: Right up to the moment - yeah - you go to prison.
Dave Bittner: Right, right.
Joe Carrigan: That's when it stops being fun and...
Dave Bittner: Yeah...
Joe Carrigan: ...Profitable.
Dave Bittner: ...Yeah.
Joe Carrigan: It's interesting about his observations on the specialization in the criminal world. This is almost like - it's almost like buying - using QuickBooks or buying some other software that - and this is the way - we've been watching it. You and I have been watching this go on for a number of years now, and we've been talking about it, that there's - it's commercial, off-the-shelf software, essentially, and commercial, off-the-shelf processes.
Dave Bittner: Right.
Joe Carrigan: You can get trained up in how to do this quickly. And these guys are very open about sharing their techniques and their practices and their tools. That - you can just go get them. And one of the things he points out is that the people that they're fighting against or working against don't do that. Like, law enforcement has certain requirements on them. They can't make everything public in an ongoing investigation. They can't share information. Corporations don't want to share information because, in his estimation, it's because they don't - they would rather the bad guys attack their competition.
Dave Bittner: Right.
Joe Carrigan: I would imagine there's some of that that goes on. But there are ISACs where people share information about this. I think the bigger concern there is that they don't want litigation. Corporations don't share information because then that becomes actionable in court.
Dave Bittner: Yeah, I agree. I think that's a big part of it. And I also think they just don't want the PR of...
Joe Carrigan: Right.
Dave Bittner: ...People knowing that they fell victim to something.
Joe Carrigan: Yeah. And actually, Brett talks about that in this interview. He goes, it's normal now.
Dave Bittner: Yeah.
Joe Carrigan: And he says - he goes on to talk about that people should be prosecuting these criminals when they can. Because if you start prosecuting, they - then you get a reputation for being prosecutorial - having a prosecutorial nature and the bad guys leave you alone.
Dave Bittner: Right.
Joe Carrigan: Yeah, take the reputational hit a couple of times, but put a couple of people in prison. And maybe they stop attacking you. You know, be the quiet guy - the quiet kid that gets beat up. It's like...
Dave Bittner: Right (laughter).
Joe Carrigan: ...You know, you're on the schoolyard - right? - and the bully comes up to you and starts hitting you. Just punch him in - you know, punch him in the face a couple of times...
Dave Bittner: They put one of...
Joe Carrigan: ...You're going to get suspended.
Dave Bittner: ...Your men in the hospital, you put one of theirs in the morgue.
Joe Carrigan: Right.
(LAUGHTER)
Joe Carrigan: Exactly. Don't listen to me, kids. I'm a terrible giver of advice for modern schools.
Dave Bittner: OK.
Joe Carrigan: The stats he rattles off at the - towards the end of the interview seemed pretty accurate to me. I can't remember them off the top of my head. You know, that's the way stats are, they go out of your head almost immediately. But if they seem shocking, don't be shocked by those. Those are probably accurate.
Dave Bittner: Right.
Joe Carrigan: I like his recommendations for keeping yourself safe. And these are things we don't normally say. He does say password manager and multifactor authentication...
Dave Bittner: Right.
Joe Carrigan: ...Which are my two big ones. But he says credit freeze and alerts on your existing accounts. You know, Dave, I was talking with my wife today. We have a credit card that will not send me text messages when a purchase is made. It only sends me a summary email every day to the email account that I was just complaining about I never check, right? So I think I've made a decision, I'm just going to get rid of that credit card.
Dave Bittner: Yeah.
Joe Carrigan: I'm going to close it and be done with it and not have to worry about it anymore. I like the other credit cards that all say, hey - so, you know, like, my son has a card that he uses when I want him to go out and do something that I need him to do. Last night, he - we had Chinese. I got an alert when he picked up the Chinese, right?
Dave Bittner: Right, right. Yeah. I've seen that.
Joe Carrigan: There it was.
Dave Bittner: Yeah.
Joe Carrigan: And I knew when it was spent.
Dave Bittner: Yeah. Yeah, why not?
Joe Carrigan: Yeah.
Dave Bittner: It seems like table stakes these days.
Joe Carrigan: It is.
Dave Bittner: Yeah.
Joe Carrigan: It's basic.
Dave Bittner: Yeah.
Joe Carrigan: And this other company can't do it.
Dave Bittner: Yeah. And - yeah. There you go. All right. Well, our thanks to Brett Johnson for joining us. Again, he is the chief criminal officer at Arkose Labs. We do appreciate him taking the time.
Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.