Insights from a Reformed Cybercriminal in the Social Era
Posted November 29, 2018
In this episode Frank is joined by Brett Johnson, Former U.S. Most Wanted Cybercriminal. They explore social engineering, phishing and other cybercriminal tactics.
Frank: Hey everybody. Welcome to another edition of Digital Identity 360. We are honored today to have Brett Johnson with us. Brett is a reformed cybercriminal, subject matter expert, is doing a ton of conferences. And in fact, did our Terranea conference at our Digital Identity Summit this year. So, Brett, good to have you.
Brett: Hey, thank you for having me. I appreciate it.
Frank: It’s great to have you. You know Brett, it’s interesting, as we got prepared for this, we were talking about some of the stuff you talked about at the Digital Identity Summit, especially as it relates to the social impact of cybercrime. Maybe speak a little bit to your experience, and in your view of how the social networks and social information helps cybercriminals find vulnerabilities and exploit them.
Brett: Sure. So, if we’re talking about just identity theft, one of the things that cybercriminals are very good about is harvesting data. So typically, it’s not very difficult for a cybercriminal to buy someone’s Social Security number and date of birth, usually that’s about $3.00. From there they go, they pull a background check. And to pull a background check they use legal services. I mean, there are legal background check services that you can sign on for, that cost $20.00 a month. You can do unlimited background checks on whoever you want to. The person you’re running them on has no idea you’re pulling a background check whatsoever. From there you pull the credit report, it doesn’t take very long to do that. And the followup stuff is the stuff that really hurts, it’s where we hit social media. So when I used to be a cybercriminal, we didn’t have Facebook, we had MySpace. But now you’ve got Facebook, you’ve got LinkedIn, so you can find out where someone works pretty easily. Facebook has a plethora of information. I mean, people tend to share too much information. Nowadays you’ve got physical crime mixing with cybercrime as well. So if you’re on your Facebook page and you’re broadcasting where you’re going on vacation, well now, criminals know exactly when you’re leaving the house. Especially if your taking pictures of what’s inside of the home. They know exactly what’s in the home. If someone has your credit card information, it’s easy enough for them to look you up on Facebook, figure out how rich you are, how poor you are, your status in life. Find out your mother’s maiden name, your date of birth on Facebook, all these other things. It’s pretty bad. And it’s a problem that … I’m asked all the time, should we not use social media? And I think that’s a question that shouldn’t even be asked. We do use social media. We’re a social media generation. So you have to be careful what you share is the problem. Do you just … anyone that sends a friend request, do you accept it?
Frank: That’s true.
Brett: Is your profile wide open? That’s just on Facebook. On LinkedIn, I mean, LinkedIn is the tool to use for criminals committing business email compromise. It is the-
Frank: It is interesting Brett, and to your point, if you look … sorry to interject … but if you look at our Cybercrime Report this last quarter, identity spoofing was the number one risk that we see. And I think as you just said it, the identity is so informed today by so many sources of data, that you’re right. LinkedIn, Facebook, I’m traveling, my geolocation, all those things that are easily accessible to anybody, help a very good social engineer kind of figure out where people are going. But once you’ve got that information, we’re seeing a ton of bot traffic using those exploits. What’s the next step? Once you’ve harvested the information, where do the criminals go then to exploit that information?
Brett: Well, so harvesting information, say you’re phishing data. Phishing, especially spear phishing, tends to be about 86% successful. Overall phishing, it’s a numbers game. The more phishing emails you send out, the more people you have that will just input credentials. So let’s use a phishing email, say from Bank of America. Someone that has received that email, their level of awareness may be high enough that they realize immediately, “Hey, that’s a phishing email. No way in the world I’m going to fall for that whatsoever.” But, are they going to have the same level of awareness for their streaming programs? Whether it be Netflix or Hulu, or something like that. The answer is no they’re not. So when the receive a phishing email that looks like it comes from there, the chances of them falling for that, clicking through, entering credentials is pretty high at that point. The problem is, is that we as a people, we tend to use the exact same passwords across multiple platforms. Criminals understand that. Over 80% of every person uses the same password. So you phish one of these low-level accounts, it’s an automated program. You’re talking about bots, it’s not even a legal program, it’s a free … I forgot what the name of it is, but it’s a free program, so you can download. And little Billy goes to sleep at night, he’s got all the credential stuff entered in there, and it’s an automated program, he just starts plugging them into different website, banking sites, email sites, and everything else to see what works. He wakes up the next morning and sees what he has access to. That’s the power of these bots these days. It’s one of these things where, when I was committing crime, we didn’t have a lot of bots that were running around. So it was all by hand. But when you have things automated, it’s the same for the good guys, once you automate things, you take a lot of the work out, a lot of the stress out, you become streamlined and more efficient. Criminals do the exact same thing.
Frank: Yeah, it’s a big force multiplier, because you’re right. Little Bobby goes to sleep at night, has loaded up a bunch of credentials, and those credentials are hammered against certain sites. And it’s, listen, it’s no surprise in our network, we seen the bot traffic so closely correlated to then the identity spoofing. Because you’re testing credentials, they’re seeing where there’s vulnerability. And here’s what’s interesting, and something that you talked about at the Summit a little bit Brett, is the patience of cybercriminals. Because, in the old days the exploitation would happen immediately, you know, I’m going to into that account and grab as much. Now it seems that they’re very patient, and they may have to as I said, harvest the credentials and hang onto them for a while, and then come back over time.
Brett: It’s that degree of patience that’s going to define cybercrime as it moves forward. A beginning guy, someone who is just starting out in cybercrime, they don’t understand the amount of patience that successful crime takes. So when a guy starts, say he buys a credit card, stolen credit card details. He’s wanted to use those immediately, so it doesn’t matter what day of the week he’s ordering, or whatever, he’ll use them as soon as he gets it. As he becomes a more proficient criminal, as he becomes experienced, he started to understand, well, “Hey, you know. If I buy credit card data on Thursday, I’m an idiot if I order Thursday or Friday. And the reason being is, if I order Thursday or Friday, that package is going to sit in a warehouse someplace over the weekend, giving it more time to be flagged as fraud. And I won’t get my package.” So he learns that patience, he learns that proper credit card fraud is committed Monday through Wednesday. He learns that there’s a time of day that you need to order. He learns all these things. And it’s not just with CNP fraud, it’s with every single aspect of financial cybercrime you can imagine. From setting up bank accounts, to laundering money, to synthetic fraud. All that requires a degree of patience. And we’re starting to see now that more and more cybercriminals are starting to embrace that. You look at synthetic fraud for example. So synthetic fraud, you can actually cash out someone, a new identity, in about 60 days. But, if you take your time, if the criminal really takes his time, if he takes six months to do that, he’s looking at a potential 200,000 all of a sudden. Not only that, but criminals are starting to understand that security companies are getting better, and better, and better. So simply by delaying, by just taking their time and moving things along slowly, they look more legitimate within whatever system they’re using, and can defraud the company or the security company, whatever’s going on from that point.
Frank: Sure. And it’s interesting. Think of the behavior Brett. So you’re right, so, there’s a breach, credentials are compromised, but nothing happens to that user. The likelihood of that user, that end user not doing something is great. Because now it’s been six months, I haven’t seen anything.
Frank: And they kind of relax their guard. You know, one of the things that was very interesting, again, as we went through our Summit, and salient to this conversation, is the idea that many of the cybercriminals are better at knowledge based answered than the consumers are. And so the idea of KBA as a mitigating factor is really kind of compromised. Speak to that if you wouldn’t mind for a minute, on how you harvest those knowledge based answers.
Brett: Well, I mean you’re right. The United States is based on knowledge, based on authentication questions. If you have the answers to the questions, you can take over any accounts you want to take over. So it’s the process, and you’re right about that, a lot of the times the criminals know the answers better than the actual person does. And it’s that process of, you pull the credit report, which takes, you know, you go to Quizzle, you go to Annual Credit Report, something like that. It takes 10 or 15 minutes to pull the credit report. The background check runs you $16.00 a month for unlimited checks. You get the Social, the date of birth for $3.00. You scan someone’s social media account, their Facebook, their LinkedIn. What I used to do, and we still see that today among cybercriminals, is you have a notepad. You wouldn’t even worry about having it on laptop. You’d have a physical notepad, and you’d write down all the information. So that when the questions came up, you could just rifle through the pages pretty quickly, and answer the questions. Or if you’re talking to someone over the phone, if you spoof someone’s phone number and you’re trying to ATO the account over the phone, you’ve got the answers right there. What’s the cross streets? What’s the mother’s maiden name? Last four of Social, driver’s license number, everything else. You’ve got all of that there ready to go. And a lot of the times, I mean with my own accounts, I’ll call in, I bank with USAA. So I’ll call and they’ll ask mother’s maiden name. Why, I don’t give my mother’s maiden name, the real one. So I remember the last time I called, they asked me, “What’s your mother’s maiden name,? And I’m like, “Hell, I don’t know.”
Frank: Which one did I use? That’s right.
Brett: I gave them some name. They’re like, “That’s not the name we have on file.” And I’m like, “I’m aware it’s not, so what do I need to do now?” Even with that, they ask two other security questions, which are KBA questions. You get those right and they change the mother’s maiden name to whatever you want them to change it to, you take over the account from there, and you’re good to go as a criminal.
Frank: Yeah, it’s so interesting. I think people’s inherent kind of a conflict avoidance on the call centers also plays into that. Because look, if you get one or two out of them, okay, you forgot the other one, they’re okay with it. You know, you’re such an expert in this field. What would you say is the number one vulnerability? If you could talk to the enterprise today and say, “Guys the most important thing you could do to prevent or at least mitigate the impact,” what would it be?
Brett: It’s raising awareness. It’s always going to be raising awareness. Too often, it’s not a question of hacking a computer from a cybercriminal point of view. So you don’t hack the computer, you hack the person behind the computer.
Frank: That’s interesting.
Brett: You can potentially spend years, trying to brute force your way through an industrial firewall. But why would a criminal do that, if he can just send a phishing email to the person behind using the firewall? We saw that with the Russian election, I mean, with the election hacked by the Russians. I mean, you’ve got the higher tier upper, you know, these extremely good hackers or computer people. And they, instead of using shell attacks or side sequel attacks, or anything else like that, the only thing they did was they sent out phishing emails. Because they understand that, why waste your time doing all that stuff, if the only thing you have to do is compromise the person.
Frank: Right. And as you said Brett, it’s a numbers game. At some point somebody, somewhere is going to click on the thing-
Frank: and then you got them. It’s really interesting. I mean, if you look at our world, obviously we are risk-based on the authentication approach to digital identities. And it’s so interesting to me that you’re so right that you know, you’ve got to look at the entire behavior, the entire footprint of someone’s internet journey. Otherwise you’re so susceptible, especially with patient, well-educated cybercriminals that are sitting on things, and understand kind of the technologies that are in place that prevent their exploits. So, it is so fascinating as you drill into this world. I think there’s a miscomprehension on the part of most people, that cybercriminals are people with Masters in software engineering, electrical engineering, and they can jump in and as you said, brute force your way in. And in fact, it’s always low-hanging fruit and the human element that really provides the compromise.
Brett: Yes, that’s always what it is, always.
Frank: So you know, listen, I think Brett, fantastic conversation. We’re delighted to have you join us. And again, thank you so much for Terranea and the Digital Identity Summit keynote that you gave.
Brett: No, no. Thank you all. And I just want to say, keep up the great work. You guys are an outstanding company, and keep doing everything you’re doing.