[00:00:00] Tom Garrison: Hi, and welcome to the Cyber Security Inside podcast. I’m your host, Tom Garrison and with me as always is my co-host Camille Morhardt. And today we have a very special guest, Brett Johnson. He is an expert in cybersecurity and cyber crime as the former US Most Wanted cyber criminal and consultant. Woo, we got stories to tell there. He also hosts The Brett Johnson Show on YouTube. He’s a keynote speaker and he operates AnglerPhish Security. So welcome to the podcast, Brett.
[00:00:35] Brett Johnson: Hey, thank you. I’m humbled to be on here. Thank you for inviting me.
[00:00:39] Tom Garrison: So first thing’s first, AnglerPhish. Are you a fisherman?
[00:00:44] Brett Johnson: No, no, I’m not. So AnglerPhish is spelled with a “ph” as in a phishing attack, and that name comes from the investigation that I was involved in. The group that I started was called Shadowcrew; it was a precursor of today’s dark net and dark net markets. October 26th of ’04, the United States Secret Service arrests 33 people, six countries in six hours. I’m the only guy that gets away. They pick me up four months later; they give me a job. My job was as a consultant and an informant for the United States Secret Service, and that investigation was called Operation AnglerPhish.
I continued to break the law from inside Secret Service offices for the next 10 months until they found out about it. I took off on a cross-country crime spree, stole $600,000 in the space of four months. Wake up one morning on the United States Most Wanted list, go to Disney World, get arrested, sent to prison, escape from prison, get arrested again, and served out my time. When I got out, I was given the opportunity to turn my life around. I adopted the name of AnglerPhish.
[00:01:48] Tom Garrison: Wow.
[00:01:49] Brett Johnson: Long story short.
[00:01:50] Camille Morhardt: Was that job offer, I’m curious, was that job offer from the Secret Service after you had been arrested, was that like a job offer that you could refuse or was that a job offer you could not refuse?
[00:02:02] Brett Johnson: Oh no, I could have refused, but I would’ve remained in jail. The thing was, I was arrested February 8th of 2005, three weeks before my scheduled marriage. My fiancée had no idea what I did for a living, so once she found out I was a criminal, I was like, “Hey, I’ll do whatever it takes in order to get back with her,” and that was working for the United States Secret Service.
[00:02:24] Tom Garrison: Wow. Well, our listeners will be happy that you spelled Phish with a “ph” and not an “f” because the rest of the podcast would’ve been you and I talking about actual fishing; but so we’ll save that for a different day.
[00:02:35] Brett Johnson: I know, right?
[00:02:37] Tom Garrison: But today we wanted to talk about the dark web. Basically everybody has heard the term dark web, probably a few at least have a decent idea of what it is but I think a good place to start is describe what is the dark web.
[00:02:55] Brett Johnson: So sure. The reason I’m a little hesitant about that is the definition of the dark web has been changing over the years. You see, the United States Navy developed this thing called the Tor browser, the onion router, and they developed that so that intelligence operatives could communicate with each other without being identified. It then goes open source with the idea that whistleblowers could use it, or that someone behind a country’s firewall would be able to use that to access the real internet.
What they forgot to understand is that adoptees of technology, if the technology can be used to remain somewhat anonymous or to launder money, the first adoptees tend to be criminals. As soon as Tor gets out there, we see all these criminals start to use Tor to communicate in order to commit crimes, in order to work together to network. That’s basically the genesis of the dark web.
Well, over the years, the problem is that in order for you to use Tor properly, you kind of have to know how to use it. If you don’t, you can be identified, and you end up going to prison, and typically that’s what we see a lot of. You see somebody that thinks they’re protected, that they’re anonymous; they’re not, and they make some sort of silly mistake or they’ve got Java turned on or something like that. Law enforcement identifies them, goes and arrests them, gives them 20 years in prison.
Because of that and because of the paranoia, because law enforcement has gotten so good about shutting down dark web websites, we see that a lot of different services have started to pop up, and a lot of criminals are starting to look at smaller and smaller encrypted messaging services in order to network together to sell wares, commit crimes, what have you. The big one on the block right now is Telegram. That’s really the wild west of cyber crime. This definition of the dark web has changed over the years to where it’s not just Tor and those Tor-based sites anymore. It’s things like Wickr, it’s things like Telegram, it’s things like Discord, WhatsApp, Signal; all these other services work together so that criminals can work together, exchange, share information, collaborate, profit.
[00:05:09] Camille Morhardt: Are people anonymous or disassociated from their identities on it?
[00:05:13] Brett Johnson: They are. You take Telegram, for example. Telegram is owned by a Russian, and Telegram is very anti-law enforcement, which is pretty interesting when you think about it. Telegram does not answer to United States courts, yet it’s still allowed to operate within the United States. Personally, I’m against that. The problem is that you’ve got these people that are not tech savvy, and Telegram is very low friction from a criminal point of view. Basically you only have to have a phone number to register an account on Telegram. Telegram doesn’t answer subpoenas, it doesn’t give up any information at all, it allows crime and fraud to flourish on that particular platform, so it’s a very conducive environment for criminals who are not really tech savvy to go in and be able to profit and start to learn how to be successful at online crime.
[00:06:06] Tom Garrison: Obviously our mission here is not to try to teach people how to break the law, but at a rudimentary level, can you walk us through, let’s say you had some sort of nefarious intent, but you really aren’t that tech savvy. How do you go about doing this? Again, this is not a how-to video-
[00:06:25] Brett Johnson: Sure.
[00:06:26] Tom Garrison: … but it’s more about understanding the evolution of the dark web and where we’re at today. The current world class of the dark web, what does it look like?
[00:06:36] Brett Johnson: There are three sites that really kind of start the genesis of modern cyber crime. There’s Counterfeit Library, Shadowcrew, and then ultimately CarderPlanet, which was opened by Dmitry Golubov, a Ukrainian national. For those individuals who were part of those sites, the platform of cyber crime itself was not established enough, so if you were a member, an expert on those sites, you typically had to understand most dynamics of online crime. You had to know what the security of the target was that you were hitting, how to bypass the security, how those tools operated, how to run a drop address, how to have proper operational security so that you weren’t identified and you were made anonymous. You had to know every single aspect of that. Today the cyber crime platform is refined enough that a cyber criminal who has absolutely no experience or no understanding of any of those dynamics doesn’t have to know all that.
You can simply ask questions within those channels, whether it be a forum, whether it be a Telegram session or a Discord channel or anything else, you could start asking questions and it’s an open source environment. You typically will get someone that will start to educate you, start to tell you what you need to do so you can do that. You can buy tutorials on how to commit one specific type of fraud. Tutorials can be purchased for as low as $10, sometimes they run a few hundred dollars. If you’re not comfortable enough with the tutorial you can buy or take live instruction classes.
To really understand it, you have to kind of understand the three necessities of cyber crime: for cyber crime to be successful you have to gather data, you have to commit the crime, and then you have to be able to cash it out. All three of those necessities have to work in conjunction. The problem is that a single criminal, one person, can’t do all three things. They can do one, sometimes two, but rarely can they do all three. There are two reasons for that. Either it’s a skill gap, that specific criminal simply doesn’t know how to do one of those aspects, so he doesn’t know how to do a man-in-the-middle attack or doesn’t understand the intricacies of a phishing attack, what have you, or it’s a problem with the geographic location. That criminal is simply in a geographic area where they’re not able to do one of those three necessities, typically put money in pocket and launder the funds out.
We saw that during the pandemic with unemployment fraud. You had people in Ukraine and Russia, in Brazil, in the EU that were hitting states’ unemployment offices. They had all the data in the world, they were able to commit the crime because there was absolutely no security in place for six months, but because they were in an area outside of the United States, they had to rely on money mules stateside to cash out for them. That way no flags were raised and they were able to continue withdrawing funds.
Because of those three necessities, you have dark web marketplaces, you have the forums, you have Telegram, Discord channels like that that work and operate so that one criminal can work and network with other criminals who are good in areas where he, sometimes she, is not.
[00:09:44] Camille Morhardt: I had a question about trust.
[00:09:47] Brett Johnson: Ah.
[00:09:48] Camille Morhardt: Because you’ve talked about that in previous interviews you’ve done and you always say in the criminal world, you need to first establish trust, and then you can profit from somebody or take advantage of somebody. It’s funny because we’re looking in the non-criminal world at one of the most important things in business is to establish trust and then particularly around cyber security, how can you assure that the computer or the device is trustworthy? How can you assure the network is trustworthy? Do you see trust as, is it dual sided? Is it different in sort of the criminal world or is it actually the same and how do we navigate that on either side of the equation?
[00:10:31] Brett Johnson: What’s interesting to me, and I’ve quoted this several times in different presentations and in webinars as well: Ronald Reagan said, “Trust but verify.” Taking that from a criminal point of view, if I’m looking to defraud or victimize an individual or a company, I’m going to anticipate that they’re going to trust and they’re going to verify, but my question from a criminal standpoint is how far are they going to verify? How many levels deep are they going to go to try to determine whether I’m who I say I am or that I’m a fraudster? I try to anticipate that.
Say I’m hitting a retail merchant using stolen credit card data. I have the stolen credit card data, that’s one tool to establish trust. I may have an email address. That email address, what am I going to anticipate with that? Is the company going to be able, are they using some service like Emailage that is trying to determine the age of the email? I need to try to anticipate that. Most of the time they’re not going to do that so I can use just as simply a Gmail address that is created on the fly most of the time. But if it’s a company where I figure that they are using a service like that, I may try to go and buy a domain that has been registered in the past that way it looks like the email address has been established for a long time, or I may try to age out the email by having data or some sort of history registering with reward systems or a PayPal account or what have you. I’ll try to anticipate how many levels deep that potential victim will try to verify who I am. Typically it’s no more than two to three levels and that’s one of the reasons that synthetic fraud is so successful from a criminal point of view.
Synthetic fraud works by me defrauding the Social Security Administration by using their own tools against them, by going into the Credit Bureau and being able to put that ghost in the system and then using that information to establish credit. What I understand from a criminal point of view on that point is that any creditor that I try to defraud, they’re not going to look past the Credit Bureau and that credit score that I’ve established. They’re only going to go that deep and only that deep. Understanding that from criminal point of view and how trust works is important when you go to victimize someone.
But from the criminal point of view, I have to be able to trust my criminal associates, because I know that law enforcement is in those areas. I know that fraud analysts are on those channels as well. There’s an entire system that’s set up on the criminal side that tries to establish trust between criminals, that tries to make sure that you’re dealing with somebody that is a criminal and that knows what they’re talking about. You have vouchers and the vouchers go back to that old age of the Italian mafia. I vouch for this guy, he is who he says he is and that means something. When you vouch for someone, you’re then responsible for whatever that person does. If that person then rips someone off, they come back to you and you have to make that person solid at that point. You’ve got vouching systems, you’ve got review systems, you’ve got escrow systems, all with that idea of establishing trust with one criminal and another and that’s really important.
You take some of these cyber crime environments now, some of them are hundreds of thousands, maybe a million members large, and you’ve got all of these humans working together, sharing, exchanging information in real time, it becomes a really nice platform to know who to trust, what’s going wrong with a vendor, an individual, a criminal, an associate, and what have you, so trust plays a really important part on the criminal side.
[00:14:30] Camille Morhardt: In the past you’ve profiled cyber criminals’ motivations as three different categories: either cash, low-hanging fruit; status, which I guess is sort of the equivalent of fame; and ideology.
[00:14:39] Brett Johnson: Right.
[00:14:39] Camille Morhardt: You say that these different motivations have all kinds of different levels of tenacity as well. I’m wondering if the effect of whoever it is means that a company or a person, individual needs to protect themselves against each kind of criminal motive or if it’s just the motive behind the attack and the attack is it doesn’t matter what the motive behind it is, the attack would look the same.
[00:15:11] Brett Johnson: No, no, I don’t think the attack looks the same at all. As we said, if the motivation is cash based, that criminal’s simply looking to steal cash, that criminal is going to look for the easiest target that gives the largest return on investment, that lowest hanging fruit, as you said. But if it’s fame based, that’s status, if that criminal’s able to do something that no one else within his criminal community can do, it doesn’t really matter about the security. That criminal’s looking for the high security, something that he can do that no one else can and that gains him respect, which equates to profit within those criminal communities.
Then finally ideology. Have you pissed someone off? Does someone have a different belief than you do? Understand the motivation and you’ll understand the persistence of the attack, someone who’s attacking you because of an ideological basis, that’s an attacker who is not going to stop. They’re looking at you specifically and yes, as a company, you could be targeted for all three things.
For example, I gave a keynote speech for Chanel about a year and a half ago. The interesting thing about Chanel is that they hit all three motivations. You’re looking at attackers who are looking to steal money, you’re looking at attackers who can hit Chanel because of the brand name. They go back to their community and say, “Hey, I got Chanel,” and then you’re looking at attackers who, “Hey, Chanel. Huh. Is that a French company? Why I just don’t like the French mindset or their political beliefs.” You got all three things hit there. You have to design your defenses to address all three of those types of attackers.
Because when you think about it, there are only really seven types of attackers. You’ve got criminals like I used to be, you’ve got hacktivists, you’ve got insiders, you’ve got terrorists, you’ve got the script kiddies, the nation state attacks, you’ve got the vendors that sell the types of tools. Those seven different attackers are there and all seven have a different type of motivation. Depending on your company, I’ve talked about that before too. You need to understand your place in the cyber crime spectrum. Why are you being attacked? Is it because of cash? Is it because you’re that brand name and I can get fame in my environment or is it because of your political stance or the ideology that’s going on? Understand that, design security, and go from there.
[00:17:38] Tom Garrison: What do you see as the future? You’ve kind of described-
[00:17:43] Brett Johnson: Oh.
[00:17:43] Tom Garrison: … where we’ve been, you kind of described where we’re at today, how should we expect the dark web to evolve?
[00:17:50] Brett Johnson: It’s interesting and it’s really scary at the same time. ShadowCrew gets shut down in 2004. We ended with 4,000 members. Fast forward to 2017, AlphaBay’s the largest criminal network on the planet, 240,000 members when law enforcement shuts it down. Two years later, 2019, a dark web marketplace called Black Market’s shut down, 1.15 million members, all of that pre-pandemic. During the pandemic, the fraud numbers exploded because you had stimulus packages in place and there was no security, so you had massive amounts of fraudsters coming in, committing fraud. Those people, now that the stimulus programs have ended, they’re not really going to go and flip burgers or go to school or anything else like that because they’ve gotten a taste of how profitable online crime is.
The problem is that 98% of those criminals are not skilled. We have this perception, a lot of it’s because of the media, because of these security companies out there that are snake oil salesmen, and they try to sell product by FUD, fear, uncertainty, and doubt, and they paint the attacker as this hacker, this upper-tier computer genius that is untouchable. That’s not really the truth. You have those types of attackers out there, but 98% of cyber criminals, they’re just good social engineers. They don’t really understand the dynamics or the security or anything else, but they don’t have to. The more sophisticated tools cyber crime has, like bots, ransomware, things like that, typically the 98th percentile of cyber criminals have never experienced those and they wouldn’t know what to do with them.
What we’re seeing now is that vendors have almost (it’s almost been subconscious) started to understand that, “Hey, we’ve got an entire demographic of criminals that we’ve never marketed to.” Now we’re starting to see these services being offered and developed to where that unskilled criminal can now use them. You see marketplaces like Genesis. Genesis Marketplace is a bot marketplace. They’ve got 400,000 bots on there. The bots range anywhere from $3.75 up to $400, and the bot sits on someone’s network. That person then goes to sign into their bank account or a retail merchant or email, what have you, and the bot captures the cookie, it captures the browser fingerprint, their credentials, every single thing that the attacker then needs to take over that specific account.
But the developers also understand that, “Hey, these people wouldn’t know what to do with a cookie if they had it.” In order to help them out, that marketplace has a standalone browser or a browser plugin that then automates everything for that person who buys that bot, plugs it all in so you don’t have to know anything at all, lets you come in, bypass multifactor authentication, take over the account, do whatever you want to. That’s just one aspect of how cyber crime is continuing to be refined. We’re seeing that across all these different cyber crime verticals about how these products are being developed and marketed toward that unskilled cyber criminal that’s out there and that, that’s really scary.
[00:21:10] Tom Garrison: Well, Brett, this has been a very interesting set of conversations we’ve been having. Here before we let you go, though, we like to do a segment we call Fun Facts. I wonder, do you have a fun fact you’d like to share with our audience?
[00:21:27] Brett Johnson: I do. You had mentioned that before I came on the show, and I really didn’t know what I was going to talk about until Eastern Kentucky got hit with these devastating floods. I’m from Hazard, Kentucky, that’s the center of where all the floods have hit, and I’ve had friends, relatives that have died and that have also lost every single thing that they’ve had. We’re very poor people. I was very fortunate that I was able to get out of that environment, but my heart is still in Eastern Kentucky. What I read was, you know, historically hillbillies have kind of been disparaged and looked down upon. And someone was kind enough to post the origin of the word “hillbilly” and I would just like to read that, because I thought it was interesting. “Hillbilly, the word originates from the Scots-Irish, the Ulster Scots in Northern Ireland who moved into the Appalachian Mountains in the 1700s.
Billy or Billies was the term meaning brother, friend, or comrade. Billy boys was the term used referring to the Ulster Protestants who supported William of Orange, AKA Billy, in invading England. They were also known to wear sashes around their necks, coining the term rednecks. Once the Scots-Irish moved or migrated in droves to the United States, they quickly moved into the mountains and hills of Appalachia. The Billies now were comrades of the hills and mountains, therefore became known as hillbillies.” I just thought I’d share that.
[00:23:01] Tom Garrison: That is fascinating actually, and the redneck thing too. I had a totally different back story-
[00:23:07] Brett Johnson: I did too.
[00:23:08] Tom Garrison: …on redneck in mind, and Camille, I think for your benefit, you’re actually technically on vacation. Are you going to take a vacation from the fun facts?
[00:23:17] Camille Morhardt: Well, I should. I should cede my fun fact. My fun fact is going to be simple. I think it’s very interesting that there is only one kind of tea plant that exists. Of course you can drink peppermint tea or chamomile tea, but if you’re going to drink just tea, green tea or black tea, it’s one kind of camellia and it just depends on how you treat the leaves, how much oxidization you use, whether it’s green or black in the end.
[00:23:47] Brett Johnson: I had no idea.
[00:23:48] Tom Garrison: I did not know that either. That’s very cool. My fun fact is going to be in honor of the summer, and it has to do with sunglasses. Of course we think about sunglasses as a way to protect your eyes from bright sunlight or a fashion accessory. But sunglasses were originally made out of smoky quartz in 12th-century China, where they were used by judges to mask their emotions when they were questioning witnesses.
[00:24:20] Brett Johnson: Oh, wow.
[00:24:22] Tom Garrison: Isn’t that cool.
[00:24:24] Brett Johnson: That is. I guess that’s why cops wear the mirrored glasses sometimes too is to mask their emotions.
[00:24:30] Tom Garrison: They’re all trying to look like Ponch and Jon from “CHiPs.”
[00:24:33] Camille Morhardt: Next time I’m on jury duty.
[00:24:36] Tom Garrison: There you go.
[00:24:37] Brett Johnson: There you go. I don’t do jury duty. They don’t let me.
[00:24:45] Tom Garrison: Yeah. Brett, thanks so much for coming in and talking to us today. It was a really interesting and enlightening conversation on the dark web.
[00:24:52] Brett Johnson: Thank you so much for having me. I appreciate it.