Host: Hi, everyone. Thanks for tuning into another episode of Scale to Zero. I’m Purusottam, Co-founder and CTO of Cloudanix. For today’s episode, we have Brett Johnson with us. Brett is a former US Most Wanted cybercriminal. The United States Secret Service called Mr. Johnson the original Internet godfather, and that’s because of his role in redefining modern financial cybercrime. Or to put it another way, Brett was convicted of 39 felonies, placed on the US Most Wanted list, escaped from prison, and he built the first organized cybercrime community, Shadow Crew. Shadow Crew was a precursor to today’s darknet and darknet markets, and it laid out the foundation for the way modern cybercrime channels operate today. That’s not the end. Today, Brett is considered one of the leading authorities on cybercrime, identity theft, and cybersecurity on the planet. I’m not sure if I did justice to his introduction by sharing his backstory. Brett, do you want to briefly share your journey with our viewers and listeners?
Brett: I think you got it all. So, as you said, the United States Secret Service called me the original Internet godfather. The way I got the title, I’m kind of the father of modern cybercrime as we know it. I was convicted of 39 felonies, placed on the United States Most Wanted list. I escaped from prison. Yeah, you heard that right. This old dude escaped from prison. And I built and ran that first cybercrime community called Shadow Crew. Now, those 39 felonies had to do with refining modern financial cybercrime as we now know it. So account takeovers, credit card theft, phishing schemes, man-in-the-middle attacks, synthetic fraud, all these different types of things, you name it. I was on the ground floor of developing, refining, just outright doing it. And yes, that does land one in prison, as you mentioned. And I was very fortunate. Honestly, I was very fortunate. I had help from my sister, my wife, and then finally the FBI. They gave me, altogether, they presented this opportunity for me to turn my life around, and I was smart enough to take it. And today, I work in cybersecurity. I was the first chief criminal officer on the planet. I’m an ambassador for AARP. I speak and consult with Fortune 500, Fortune 50 companies, and I work hard every single day to protect businesses and consumers from that type of person or attacker that I used to be.
Host: That’s an impressive resume, I would say, like the pivot, right, that you had because of the help of your family, and now you’re able to help others. So from a security perspective, everybody gets better, right? Right.
Brett: It was a long trip, to be honest with you. It’s been a long journey.
Host: Yeah, I can imagine. So the way we do the show is we have two sections. The first section focuses on security questions, and the second section focuses on fun, like a rapid fire section.
Sure. So let’s start with the security part. Right.
Before I get into any security questions, like, you run a podcast called The Brett Johnson Show, right? What made you decide to start a video podcast of your own?
Brett: Well, I just like to complain a lot. The truth of the matter is that cybersecurity right now, I’m a bit apathetic sometimes, because we’ve got an entire industry where people are scared to speak up, that they’re scared if they say that something is being done wrong, that they’ll lose a contract, a client, a job, that they’ll upset someone. And we have to get to the point where we’re saying the things that need to be said. So a lot of my show is about that, hey, I’m going to say the stuff that needs to be said about criminals and about the good guys that may not be doing every single thing that they need to be doing correctly, but it’s more than that. As I mentioned just a couple of minutes ago, it’s been a long journey for me. It’s been a long journey. My life of crime began when I was ten years old. Ten years old, and I was a criminal for a couple of three decades. So that transition from being that toxic bad person to trying to become a better person, to trying to lead a healthy, productive life, that’s not overnight. It takes time to do that. So my show also talks about that type of recovery that I’m going through. That transition to understanding what a healthy relationship is, to understanding or trying to help people instead of spending a few decades hurting people. So that show encompasses that it encompasses cybersecurity. That’s why I call it the Brett Johnson Show. I say the stuff that needs to be said, but I also look at understanding myself and trying to treat people the way that I would like to be treated.
Host: Makes a lot of sense. I have a follow up question on that. How did you start your journey and any wisdom that you want to share for somebody who wants to start or who has just started their podcast?
Brett: Sure. So starting your podcast, a lot of people will say, look at what’s being done out there right now and do something similar. I don’t agree with that. I think that if you’re going to start your podcast, it needs to be your podcast. It doesn’t need to be someone else. You don’t need to look at Joe Rogan or somebody like that and try to mimic what they’re doing. Do what you want to do. Do what makes you happy and understand. I said happy. You need to be having fun with this. It doesn’t need to be a job or a chore or something that you dread doing every single time you sit down to record. Do something that’s important to you.
If it’s important to you, that will translate to the audience, to the people who listen to you, but always be yourself. Always be truthful. Always be truthful. This is the important thing. Never hide the truth. Never try to lie or embellish or brag or anything else like that. Just be truthful because that also will translate to your listeners. So no matter what it is, be yourself. Be truthful. Make it your show. Don’t mimic or make it somebody else’s show. Okay?
Host: Yeah, that’s great advice because most of the time, for somebody who is starting, they look at some podcasts and they try to mimic that, hey, this is how Joe Rogan does it, or this is how Brett does it. So maybe he’s successful, so maybe I should emulate that so that my audience will feel that, hey, I’m a pro. Right? But you don’t feel comfortable sometimes in that.
So, yeah, that makes a lot of sense.
Brett: Well, yeah, I’m not Joe Rogan and you’re not Brett Johnson, so you can’t do my show. I mean, you’re not the guy that’s going to go out and pay somebody a couple of make a puppet of yourself, all right? So it’s not going to happen. So just be you and whoever’s coming up with a show out there, make it your show and have fun doing it, but be truthful to yourself and to others the entire time.
Host: Yeah, that’s great advice. Thank you for sharing that. So the first question around security is, like, you initially built the community, right, Shadow Crew, which is mostly around the darknet and the dark web.
So it’s known, like, what the dark web is as a concept, but not everyone understands what it is or who they are. Could you describe a little bit about what the dark web is, what happens there, and how it has evolved throughout the years?
Brett: Dude, that’s a question and a half right there. So the dark web actually starts with the United States military. The US Navy creates this thing so that intelligence operatives can communicate with each other without being identified by other countries. And that was the Tor browser, The Onion Router. That’s what Tor stands for.
So think of your IP being wrapped in layers of onions, different things, so that that initial IP is obscured. So it started for intelligence operatives. The United States Navy then decides they’re going to make it open source, and they make it open source so that people from different countries that are behind, say, a country’s firewall can access the real Internet, get real, true information that’s out there. And they also did it so that whistleblowers could disclose things without being identified as well. Really good idea, a really good plan. But when they did that, they forgot that the first adoptees of tech, if that tech can be used to make someone anonymous or to effectively launder money, the first adoptees tend to be criminals. And that’s exactly what happened. You had these criminal actors come in and they started to use Tor, and over time, they found out that, hey, not only can we use it to communicate with each other, but we can host websites on Tor. Now, think of the dark web. Now that I’ve explained that, think of the Internet as having basically three parts. You’ve got the surface web. The surface web is really anything that Google can find, all right? That’s about 4% of the overall Internet. The other 95-96% is called the deep web. That’s stuff that you can’t find doing an Internet search, or it’s behind a paywall, or it’s emails, bank statements, stuff like that. That’s the deep web. That’s 95-96% of the overall Internet.
Now, somewhere within that deep web, we’ve got the dark web, all right? And the dark web, how big is it? Well, no one really knows. Some estimates have it up to 15% the size of the entire Internet. So we don’t really know because there’s no search engine. You have to know exactly where you’re going to go. You have to use a special browser, the Tor browser or something similar, to access the dark web. Now, here’s the thing. A lot of people say, well, the dark web is all criminal actors. No, it’s not. There are legal services that are available on the dark web. I just talked about some of those: intelligence operatives communicating with each other, the use of it so that people can get outside of their country’s firewalls, or for whistleblowers to use, things like that. There are legal things there. The problem is that, again, there are criminal actors there. So typically what happens, and to understand this, you have to understand the necessities of cybercrime.
So there are three necessities to successfully committing online crime. You have to gather data, commit a crime, and then cash it out. So typically what happens is the criminals that are out there, they go and buy their products and services, whether it’s stolen personal information, credit card numbers, bank account details, what have you. To do that, a lot of the time they’ll go down to the dark web and find a marketplace and they’ll buy that, and then they’ll come back up to the surface web and commit whatever crime they want to commit. Account takeovers, credit card fraud, what have you. All right? That’s the way it used to work. Nowadays, the definition of the dark web has evolved over the years because law enforcement has gotten really good about shutting down dark web markets and forums. At the same time, you’ve got criminal actors on the dark web that are launching DDoS attacks against other criminal actors, either because of ideology or because they’re trying to extort these marketplaces and websites. So a lot of that traffic has been shut down. At the same time, you have to know how to use Tor properly. It has a lot of friction involved in it. So you have to know where you’re going. You have to have it configured properly, everything else, or the chances of you going to prison are pretty darn good. Because of that, we’ve seen this transition as to what the dark web actually is. So now you’ve got smaller and smaller encrypted messaging services. You’ve got Wickr, you’ve got Telegram, you’ve got places like that. Telegram right now is really the Wild West of the dark web. It’s really where a lot of the action takes place. And over the past few years, really, if you were a newbie, just somebody starting out in online crime, wanting to be a criminal, you would start on Telegram. And the sophistication level, the expertise level on Telegram was very low. But because of the Ukrainian war, the expertise level on Telegram is starting to grow dramatically.
We’re seeing more and more skill levels and more and more sophisticated actors that are starting to use Telegram. And it adds into it that a lot of those dark web channels, those traditional dark web channels, are DDoSed out of existence right now. So they have to have someplace to go and communicate with each other. And right now, that’s Telegram. Telegram is trusted. It’s owned by a Russian who is very anti law enforcement. As a matter of fact, the Ukrainian military uses Telegram. And if it’s good enough for them, a lot of criminal actors think that it’s good enough for those people as well. So you’ve got not only the new players that are on Telegram, but you’ve got the sophisticated players that are starting to enter the Telegram environment as well. At the same time, you’ve got a lot of the non-English-speaking forums and channels that are dying out because of the Ukraine and Russia conflict. Well, those criminals, those non-English-speaking criminals, they’re not stopping. They’re not giving up their careers. They’re transitioning over to the English-speaking environment. So you’ve got an entire renaissance of English-speaking cybercrime right now.
We’re going to see a lot of damage being done over the next few years because of everything that’s going on right now. But that’s the state of play, and that’s basically what the dark web looks like today.
Host: I love how you put them into buckets, right, like starting with the surface web, deep web, dark web, and how they have evolved throughout the years, and how they have adapted to, let’s say, English-speaking, like moving to English-speaking tools or English-based tools. So that depends on the time we are in and the evolution that has happened. So I love how you put that. One of the things that you highlighted is that criminals take the data from maybe the dark web and use that on the surface web to maybe, let’s say, exploit financial data and get benefit out of it, right?
So there was a recent survey that showed that the average cost of a data breach worldwide is around four and a half million dollars. And in the US, it’s even close to double, like around nine and a half million dollars. And while there are many ways a hacker can gain access, not just to consumer data but also to enterprise data, one of the things that comes out very clearly is that having security practices or cyber hygiene reduces some of these attacks, right?
Brett: What would my 2023 predictions be? It’s funny you should ask that, because I actually posted that on LinkedIn a few months ago, and my 2023 predictions were the exact same thing as 2022, only more. That’s a joke, but there’s a lot of truth to that as well. We talked just a second ago about the evolution of the dark web, how we’ve got a renaissance among English-speaking communication channels and criminal channels. All right? So that’s certainly one of the trends.
One of the other trends that we’re actually seeing right now is the way that account takeovers are taking place. It used to be, and here’s the secret for everybody out there to listen to: good guys are not the only people who read white papers. They’re not the only people who pay attention to what security people are talking about. Bad guys pay attention to that too. And one of the things they’ve been paying attention to is all this chatter over the years talking about, well, we need to get rid of passwords. We need to go passwordless, we need to take care of this because passwords are the problem. Well, we’re starting to see right now the criminal solution for that. And the criminal solution is things like Genesis Marketplace or EvilProxy. EvilProxy, for example, is a reverse proxy attack. It actually sits in the middle of a login session. So if you’re going to log into your financial institution, you’ve got multifactor deployed. EvilProxy sits right in the middle of that transaction. It captures the cookie from that session. So you go ahead and you go through your multifactor authentication, and then you go in your session, do whatever banking transaction you want to do, and you leave the session. EvilProxy has captured the token for that. The criminal actor comes in, they just inject the cookie into their own browser, they come in, they bypass multifactor authentication. They don’t have to have your password or anything else. They come in and do whatever they want to in your banking institution or whatever type of account they’re trying to take over. So we’re seeing that movement toward not worrying so much about the credentials. And to be honest, credentials are still a huge problem. Credential stuffing is a massive problem for everyone across the planet right now.
But we’re seeing that transition to stealing the tokens of the sessions in anticipation of, hey, we won’t worry about password managers and things like that. We’ll just go ahead and bypass all that and steal the session token. We’re absolutely seeing that. Other than that, that’s what I was saying about the other trends: they are basically the same as the existing trends, only worse. And if you want my prediction for next year, that’ll be my prediction for next year as well.
Host: So the EvilProxy example that you gave, that sounds very sophisticated, right? Because a lot of organizations are moving away, are saying that, hey, we want to add an additional layer on top of passwords with MFA, but there is already a workaround which attackers know of or have figured out to sort of get around it and still have access to your bank data or any PII or health data and stuff like that. Right.
Brett: And you’re right. It’s important to realize that that is a very sophisticated attack. It is. And it’s also important to realize that the 98, 99% of cybercriminals that are out there, they are not sophisticated. They don’t know what that is. They don’t know how that operates or how to build something like that. But the sophistication these days in cybercrime is not with the individual, the criminal. The sophistication is with the cybercrime platform itself. You continue to see that evolve as well. So that products and services, sophisticated products and services, are developed and marketed toward those unsophisticated players. And that’s a lot of dangerous activity right there.
Host: That makes sense. So since you highlighted your predictions, do you have top five checklist items which everyone should follow? Like as a basic?
Brett: As a basic, I do. Where to start? And hey, these are not in any specific order except maybe number one. Number one is understanding your place in the cybercrime spectrum. Because you have one. Whether you want it or not, you have one. The way that I will victimize you, the way a cybercriminal will victimize you, absolutely depends on who you are and what you do, that’s as an individual or as an organization. So think of it as an individual. If you’re a CEO or work in payroll, the way that I’ll tend to attack you differs from if you’ve worked in food service for 20 years. I’ll still get you. CEO or payroll, I’m going to try to do business email compromise, or get you to send me the W-2s for your employees, something like that. Food service, I’ll set up new accounts, open up bank accounts in your name. Maybe HELOC fraud, student loan fraud, whatever. But I’m still going to get you. The same thing for an organization. Do you have data that I can breach into the company, steal the data, resell on the black market? Or do you have data that I can lock down with ransomware and profit by that? Or do you have both? So understand your place in the cybercrime spectrum.
Understand what a criminal is looking for, why they’re going to attack you. Is it because of status, cash, or ideology? Who the attackers are? There are only seven attackers that are online. You’ve got criminals like I used to be. You’ve got terrorists, nation-states, hacktivists, insiders, hackers for hire, script kiddies. Understand who the attacker is, why they’re attacking you, what they’re looking for: information, access, data, cash. And then you’ll understand the persistence of the attack. You’ll understand what you need to do to design security to deter that type of attack.
It is not a one fits all solution. You need to understand your environment and how a criminal will target and what they’re looking for in your environment. I will tell you this. If you have a company that has a product or service that makes money, a criminal will absolutely make money off that same product or service. You are a target. There is no doubt about that. So that’s number one.
Number two, we’ve got all kinds of things and we’ll just throw some out. Think of an update as a broadcast to every single criminal on the planet telling them which door to knock on, because that’s exactly what it is. Most people don’t install updates immediately. We need to understand that an update is a security hole that needs to be plugged immediately. So updates do that. You need to practice good password management. Now, I like the passkeys that are out there right now. I really like that kind of stuff. I used to be an evangelist for password managers, but I’ll tell you, I am feeling a little iffy on that right now, with a lot of the breaches and talk that have been going on. Passkeys. We need to continue to move past the use of passwords and get used to more secure types of things. Maybe hardware plugins, something like that. I think those are important.
I think it’s important to train not only yourself, but your employees to live secure lives overall, not just at work, but throughout their entire online lives, because it absolutely translates. We’ve got a lot of remote workers right now, and it’s very easy for an attacker to compromise that remote environment. So we need to make sure that we’re on point all the way. We need to make sure we’ve got situational awareness in our physical lives. We know if something in our environment is not right. We understand that. We know if something is going awry.
We need to develop that same type of situational awareness online. Understanding that there are predators there. That whole idea of trusting but verifying, understanding that the human is the weak link. Without social engineering, cybercrime will ultimately fail. You have to be able to deploy that stuff, get people to install that stuff, get people to send you money, give you access, everything else. And notice, I keep saying, people.
So social engineering is absolutely the key to a lot of this. So you need to train your employees about social engineering effects, have them always on point, always expecting that, knowing how those types of things operate and what a criminal is looking for. Okay, I think that may be five, it may be six. It may be three. I don’t know.
Host: No, that’s a good list. The last point that you highlighted, right, on the training and the people aspect that you highlighted, I totally agree. What we have seen with some of the recent attacks, it’s not always about your enterprise account, but rather sometimes attackers sort of get access to your personal account, and through that they get into your business account and then sort of exfiltrate and get data out of the system. Right.
So in that, one of the things that I understand is that for proper security hygiene, the organization, all the teams, need to work together, right? It’s not about just the CEO doing the job and then the rest of the team, they don’t even need to be part of the security journey. Right. So it has to be a relationship between the execs and also all the teams. So,
Brett: You mentioned something that I think is really overlooked a lot of time when we’re talking about security, and that’s the relationships within those organizations. All right.
I’ve seen companies that have been very open, that when someone in customer service has something to say, the fraud team welcomes that insight. But I’ve also seen these companies where the fraud team is, hey, we know it all. We don’t need to hear anything else. And not only that, but the management of the fraud team doesn’t want to hear from the fraud team. You’ve got to have that type of open environment where people are free to speak up, where people are encouraged to speak up, where people are encouraged to brainstorm.
I don’t want to be the guy that says something in a team meeting and everyone looks at me like, that’s the stupidest idea I’ve ever heard. No, I don’t want to hear that, because that right there develops a culture of, well, I don’t want to speak up because somebody’s going to think that I’m ignorant or that I’m dumb, and they’re going to start to sound stupid. Yeah, right. I want that environment where people are just throwing stuff out. I don’t care what it is, I don’t care, I don’t care. Just throw it out there, start banging things around. Because I’ll tell you, that’s exactly what happens in criminal environments.
Criminals are very good about, hey, we’re just going to start throwing a bunch of stuff up against a wall and we’re going to see what sticks. And some of it, hey, some of it may be dumb, some of it may be outlandish, some of it won’t work whatsoever. But you know what? If we keep throwing enough stuff up there, it’s going to give somebody else an idea that will work, that is successful and that is profitable. So we need to make sure that we’re developing that type of culture in companies, but also between companies. Talking to each other. And I understand we’ve got privacy concerns, we’ve got regulations, but we’ve got these competitive edges too, where a company is like, I’m not going to share with my competitor because, hey, profit is most important. At the end of the day, we’ve got to get past that, because right now the way that cybersecurity operates is we are reactive.
We are not proactive. We are always reacting to whatever the bad actors out there are doing. So we’ve got to get past that. Cybersecurity hygiene, it’s this process of making sure that your system and your security are healthy and good throughout. So it’s not just the fraud team, it’s not just the engineering team. It’s not just customer service. It’s not just management at the C level.
All these people need to work together. Everything needs to be done. You need to make sure, because a lot of the problem that you see with security, and I really advocate a multilayered approach to security, one security tool is not going to solve every issue that you’ve got. You’ve got to use a variety of tools. But a good cybersecurity hygiene approach makes sure that those tools mesh well with each other, that they communicate with each other, that they work together with each other. Because a lot of the time you see that one tool does not mesh well, does not work together, does not communicate with the others.
So you’ve got to make sure that you’re doing that. We spoke before we started to record today and you’ve got this thing: 90% of attacks out there use known exploits. It’s not unknown vulnerabilities. It’s not zero-day attacks. It’s the stuff that we know about, the stuff that we’ve been told about for years, that causes the problem. We’ve got to start to address that.
Think about outward-facing SMB, that remote access. The cybersecurity industry has been preaching about that for years, yet still there are millions of computers out there that have those ports open. All right, business email compromise. The number one way that it’s done is using a Unicode domain. How long have we known about the Unicode domain problem? At least 2010. A good decade, and it’s still a very viable attack method. So if we start to plug these things that we know are the problems, guess what? Cybercriminals, 98, 99% of them, they are not sophisticated.
They are not computer geniuses. They are relying on those known exploits that develop that massive threat landscape that’s out there. So you take away the threat landscape by taking away the stuff that we know we need to solve. We know the problems. Do that, and you’re going to get rid of a lot of the problems that are out there.
Host: I love the last piece that you highlighted, that sometimes we try to look for zero days or unknown vulnerabilities, but we have not even covered the basic ones, right. So I think the first focus should be to fix the basics. Get the basics right, and then maybe think about edge cases or these extreme cases. Right.
Brett: I want to be honest with you. The reason that there’s a focus on zero days and unknown vulnerabilities is that’s sexy. The stuff that we already know about, well, I mean, that’s boring. We don’t want to talk about that. Media companies, the news, they don’t want to talk about that. Media companies and the news want to talk about those zero-day attacks.
And security companies, you’ve got a lot of security companies out there that want to sell a product. And the way they sell a product is through FUD: fear, uncertainty, and doubt. And you can’t do that if it’s stuff you already know about. So you have to come up with the unknown. It’s the unknown. You’ve got to worry about this. No, you’ve got to worry about the stuff that’s out there that we know about.
Solve that, and then start concentrating on this other stuff.
Host: It helps you market, in a way, right. That we have some unique fix, a unique challenge. I see where you’re coming from. So in the earlier answer, one of the things that you highlighted is the social engineering attacks, right? The people aspect of it. And many security analysts claim that human error is, like, the biggest factor in data privacy or data stealing and stuff like that. And there have been many social engineering and phishing attacks recently, with Twilio, Cloudflare, many. Right.
Host: I have some fun questions for you now, hopefully.
So the first question in the rapid fire section is if you were a superhero of cybersecurity, which power would you choose to have in you?
Brett: Which power? Invisibility, that way I could listen to the lies coming out of the C level. Invisibility, so I could be that fly on the wall listening to these conversations. But also invisibility so that when I’m listening to one of these vendors that’s not being truthful, I could just disappear and not have to be there. So I would say invisibility, then.
Host: I love that. The second question is, what’s the biggest lie you have heard in cybersecurity?
Brett: We can solve all your problems. We can stop all the crime that’s going on out there.
No, you can’t. You can’t. I mean, you can mitigate a lot of it, but you’re not going to stop or solve all the issues that are out there. At the end of the day, you can have the best security products out there, the best policies and procedures, the best people in your environment, and you’ll have some newbie criminal that’s out there that’s never committed a crime in his life before, and just a roll of the dice, luck of the moment, he’s able to get in and victimize your company. You’re not going to plug every single thing, but you can mitigate a lot of it. Anybody that says that, hey, we can solve all your problems, or hey, this is the only tool that you need, that’s what you call cybersecurity pillow talk. That’s the only thing that it is.
You need to run for the door immediately at that point.
Host: Yeah, that makes a lot of sense. The last question is, any blogs or books or websites that you go to to stay up to date?
Brett: Any blogs, books or websites. So a blog, Frank on Fraud. Frank McKenna does a blog that talks about all the different types of fraud that are out there. He is outstanding. I trust the guy.
He knows what he’s talking about. Books. Anything by Neal Stephenson. I’ve read Cryptonomicon probably four times, so anything by Neal Stephenson. And websites. I am a Reddit addict, so I love Reddit. There you go.
Host: Okay, lovely. So thank you for sharing those. So what we’ll do is, when we publish the video, we’ll tag these so that our viewers can go there and learn as well. So I want to say a huge thank you for coming to the show. It was fun recording with you and learning as part of this process.
Brett: So thank you so much for coming. Thank you. And I had a blast. Stay safe out there and remember, at the end of the day, just do the right damn thing.
Host: Absolutely. And to our viewers, thank you for watching. Hope you learned something new. If you have any questions around security, share those at scaletozero.com and we’ll get those answered by an expert in the security space. See you in the next episode. Thank you.