Brett Johnson on the Cybercriminal Mindset
In the world of online fraud prevention, Brett Johnson sits in a category all his own. With support from his wife, sister, Karisse Hendrick, and the FBI, Mr. Johnson has synthesized a career that would have been unimaginable from inside of a 7.5-year prison sentence. Today, the man is still running, not from law enforcement, but from keynotes to consulting engagements to interviews with the mainstream press. During CNP Expo, About-Fraud.com met with Brett Johnson to discuss the cybercriminal mindset, current events on the dark web, how companies paint targets on their backs, and how one rises through the ranks of the dark web to become an internet godfather.
MR: What’s the general response on dark web fora to fraud prevention strategies powered by machine learning?
BJ: It reminds me of browser-based fingerprints. Back in 2011, fraudsters who had read white papers about it were scared. By 2013, they’d found a way around their ‘problem.’
Similarly, machine learning had them worried until Christmas 2018. Someone realized that the first order had to go through correctly. The fraudster was fine with the order reaching the recipient. That successful order led the vendor’s machine learning models to whitelist the information provided in the order. Since the vendor was a part of a consortium, that whitelisted account information propagates to other members. The fraudster could make and redirect future orders until a fraud analyst noticed the anomalous behavior.
Now, machine learning is a bar that moves much more frequently, but it’s still susceptible to the same behavior: fraudsters find an opening and hit the vendor as hard as they can, then human analysts come in and tune the model to close that opening.
MR: Once Europe’s PSD2 goes into effect, how do you expect the requirement for Strong Customer Authentication (SCA) to influence fraud trends?
BJ: I think it will push more fraud onto the phone channel. That’s where the business is. Once you try the phone, you never go back. It’s just so much easier. You don’t have to worry about your device being fingerprinted. You don’t have to worry about rotating your IP address. You don’t have to worry about anything.
This attitude comes with experience. New guys are scared of having their voices recorded. Fraudsters who’ve been around for a while know that there’s no central repository of voice signatures, so voice biometrics isn’t a concern just yet.
So, they buy prepaid devices that work on the same network as the victim’s device, and register their device in the name of the person whose credit card they’re going to use. That helps them to get around two-factor authentication using SMS messages. Some brands will send the SMS to an alternate phone number as long as it’s registered in the name of the account holder.
That’s the basis for a lot of the active techniques right now. Security tends to be good, but brands don’t want to shut out their customers, so they provide a backdoor. Criminals find that backdoor and exploit it.
MR: That sounds like the story of information security. Historically, it has been treated as an afterthought.
BJ: Yessir. In the rush to get the product to market, security and fraud are afterthoughts. Almost as soon as a new product appears on the market, sub-forums dedicated to exploiting it will spring up on the dark web.
For example, when some of the big digital wallet services came online, it took the providers a year to lock down the fraud. During that year, you could add anyone’s credit card data through an enabled device and buy the brands’ high-value electronics. Once fraudsters’ devices were flagged, they could perform a factory reset, add a new SIM card, and use another set of stolen credit card data. They didn’t have to use a different device for every order.
Something similar happened with a popular online payment processor. Fraudsters set up bank accounts using stolen PII, then let those accounts age for 30 days. Then, they’d create an account with this payment processor, and connect it to an online storefront. They’d behave well until their hold period for payments lowered to two days, then they’d start running stolen credit card data through their storefront as fast as they could enter it.
What does the payment processor do? They announce that they’re instituting artificial intelligence. When I read that news, I could just about hear the dark web rejoice. Fraudsters knew it was going to take a while for that AI to start blocking them. During that time, they experimented with ways to work around the AI. They settled on creating business entities with stolen identities, then business bank accounts, and online stores once again. Then, they could continue on as usual.
That lasted until about January 2019, when a major bank partnered with the payment processor. Only at that point did the fraud stop.
MR: You’ve said that, by and large, fraudsters aren’t very sophisticated. However, earlier in this conversation you described someone or some group who’d figured a way around machine learning. Can you describe the different tiers of sophistication on the dark web?
BJ: Let me begin with some interesting parallels from the world of information security. 90% of attacks use known exploits; not 0days, known exploits. 56% of all company data breaches occur through third-party vendors.
Behind both of these stats, you have pretty unsophisticated attackers. They’re adding known exploits to vulnerability scanners, and then waiting for those scanners to return attractive targets that haven’t been patched yet. They recognize third-party vendors as weak links with privileged access to large companies. These aren’t sophisticated teams of researchers, they’re opportunists patiently sniffing out weak points.
The same group exists in fraud. These people spend $50 on a step-by-step tutorial to defraud a big company known on the dark web as an easy target. That’s the only thing they’re able to do.
A small group of those folks will use those tutorials to learn about operational security and the principles of the attack methods. They’ll learn complementary skills: how to cash out, how to run drop addresses, and how to commit credit card fraud. Most importantly, they’ll recognize what they’re good at, and meet others with complementary skillsets to make up the difference. That need for cooperation is understood within that entire community.
However, there’s a small percentage who are developing the tutorials and trainings. They skew the average of sophistication upwards. They’re professionals. They apply something approaching the scientific method to find the exploits. They’ll keep notes, and keep silent about their progress because they want to exploit their targets themselves. Then, once they start to see diminishing returns on their effort, they may create one of those $50 tutorials or $600 seminars for the n00bs.
This mindset gets to be a part of your personality. For example, recently I ordered some podcasting equipment from a boutique e-commerce site. After I’d finished placing the order, I realized that it’d be better to have it shipped to me at CNP Expo. Even though I was a first-time customer, I used some principles of social engineering to convince the company’s call center agent to change the shipping address. That had never happened in the company’s history. I genuinely wanted the change, but I was also curious to see if it would work.
That’s a good analogy for how sophisticated criminals research their targets. First, they’ll read the terms of service for clues about the company’s fraud stack. If they don’t get what they need there, they’ll attempt to take over their own account with the company. They’re not going to report on themselves, and they will get to see the company’s security questions and processes up close. That way, they’re much more aware of the defenses. It’s reconnaissance.
MR: How do you defend against that?
BJ: You don’t. Social engineering is convincing someone to break the rules and give up some combination of information, access, data, or cash. If you can talk someone into breaking the rules, then you can access any of those four.
Just like criminals study their targets, companies and providers should study criminals. That’s why I published the fraud encyclopedia. A lot of the techniques are old, but it gives an idea of the mindset and the research they go through; how they find targets, how they test, and things like that. I encourage all fraud professionals to study the criminal—his way of thinking, what he’s looking for, his motivations for attacking—and then design defenses accordingly.
MR: What motivates fraudsters?
BJ: Cash is by far the most common motivation, but ideology and status are other drivers.
In the case of ideology, I’ve heard of a carder hounding a company because they froze his account with $100,000 of value in it. He has set up fake websites and Facebook accounts to say horrible things about this company’s employees. There’s no financial angle for him, so he’s much more difficult to deflect.
As for status, if you’re able to defraud a top-tier company, when no one else can, then you gain the respect of everyone in the community. Once you prove your accomplishment (with screenshots, tracking information, or by walking someone else through your process), you get into closed circles, access to more valuable information, and opportunities to collaborate on more lucrative jobs.
Not only that, but all the underlings come to you, fawn over you, ask questions, and everything else. You see, crime is addicting. A lot is tied to ego feeding. You start as a bottom feeder. Then, you gain some knowledge and share it. That improves your stature. People start coming to you, sharing access to even better knowledge. That’s how I rose up higher and higher to the point that no one ran a scam without me approving it.