Account takeover fraud, card-not-present (CNP) fraud, tax fraud, selling stolen financials, selling fake bank accounts, the Dark Web: If security experts are fighting it today, chances are that Brett Johnson was there when it started. In fact, chances are that he helped create it.
Johnson is one of the good guys now, but once upon a time, he was one of the baddest bad guys out there — a star of the most-wanted list. As such, he knows a few things about how the fraud industry works — and yes, it is an industry. Johnson said that’s the main thing most organizations don’t understand about fraud when they try to fight it.
“Banks and merchants know they have a fraud problem, but they don’t understand how organized it is,” he said.
“There are three things you need to do to commit a cybercrime successfully: You need to gather info, you need to commit the crime and you need to cash out. If you can’t do all three, the crime fails. It’s hard to find one person who’s good at all three. The Dark Web communities allow people to network.”
Wait, why does that sound familiar…?
Oh — it’s like a criminal version of LinkedIn. And Johnson claims it has 240,000 members.
Or rather, “had” — AlphaBay, the primary Dark Web marketplace and community, was shut down by law enforcement early last summer. Still, those 240,000 people aren’t just going to close up shop. If anything, the next Dark Web community will be even bigger and more organized.
And 240,000 is a whole lot more than 4,000, which is how many people Johnson said were in his original Dark Web community, ShadowCrew.
Like the criminal community he built, Johnson’s fraudulent activity started small. The former fraudster shared his story with PYMNTS and passed along the insights it’s given him in his new life as a good guy.
The Fraudster Starter Kit
It all began with some pork chops his younger sister stole so the two of them wouldn’t starve while their mother was who-knew-where for who-knew-how-long.
She disappeared often, said Johnson, leaving for days at a time with no notice, no explanation and no promise to return soon — or at all. Their parents divorced when he was 10 and his sister was nine, leaving the children to fend for themselves in their mother’s extended absences.
The family lived in eastern Kentucky, an area Johnson describes as “fraud central.”
“If you’re not mining coal or growing marijuana, you’re in fraud,” he said. When she was around, his mother was often involved in schemes like food stamp fraud. His dad knew about it, but he was never involved.
By the time their mom came home, Johnson and his sister had graduated from shoplifting dinner to shoplifting entertainment items, and their mother wanted in on it. Eventually, even Johnson’s grandmother got involved, and the enterprise grew.
If someone had intervened in his childhood, might Johnson have avoided a life of crime? Maybe, he says — if they’d caught him early enough. Instead, he spent his early years surrounded by fraudsters — and, for a long time, he blamed that for his behavior.
“I didn’t meet the first decent person in my life until I was 16,” Johnson said.
She was his teacher. She pushed him to join the academic team, of which he eventually became captain, and drama, in which he went on to earn an award for best actor in the state. But Johnson said it was too late by then. He’d needed that helping hand years before.
Nurture Beats Nature
After the rest of his family got caught (but Johnson didn’t), he moved north to go to school (but not before faking a car accident to collect insurance money to finance his first marriage).
When the funds ran out, Johnson relied on his old fraudulent ways. He discovered eBay. This was the 1990s, and Beanie Babies were selling for hundreds of dollars on the site.
Johnson made a DIY version of Peanut the royal blue elephant, posted it with a photo he lifted from someone else’s listing and made off with the $1,500. Of course, the buyer knew right away that she’d been scammed. That’s when he learned his first big lesson about cybercrime: If you wait people out long enough, sooner or later they give up.
From there, Johnson got into modifying cable boxes and game machines. He would buy a system at Best Buy for $99, reprogram the card inside and resell it for $500. As order volume increased, Johnson realized he could get away with accepting payments without delivering an actual product.
It made him a lot of money in not a lot of time, which scared him into looking for a fake ID — and that’s when he got involved with the online fraud forum that he would eventually take over and transform into ShadowCrew.
Johnson only pulled out of his role as head admin when ShadowCrew started getting IP hits from law enforcement — and just in time, too, since Albert Gonzalez got arrested around that same time for doing the exact same thing Johnson was doing: encoding white plastic cards with debit information and using them to cash out at ATMs.
Luckily for Johnson, he’d discovered tax fraud by then. He was pulling in a cushy $160,000 per week filing one tax return every six minutes. In case you ever wondered why your tax returns are delayed every year: This is why.
But he found himself in a corner when tax season ended. He couldn’t access his funds offshore, and he was afraid to mess around with credit cards, as police grew savvy to that type of activity. He was picked up by the Charleston police department soon after that, and they knew exactly who they’d caught.
Second Chances
The police handed him over to the Secret Service. Johnson swore he’d do anything they wanted as long as they let him go back to his girlfriend, a cocaine-addicted stripper whose rehabilitation Johnson was funding with his fraud. And he did indeed do what they asked — sort of.
Johnson spent a short time working for the Secret Service, even while continuing to commit credit card fraud on the side. By day, he taught agents about cybercrime and how Dark Web communities operated. By night, he was still churning out prepaid cards loaded with stolen debit data.
“They were good guys who wanted to help me,” Johnson said in hindsight. “They tried, but I wouldn’t listen.”
Johnson was in and out of prison after that (and by “out,” we mean he escaped). He was sent to West Texas, to a maximum-security facility where, he said, prisoners had nothing to do but sit around and think about what they’d done.
It was that time apart from his family, and particularly from his sister, that turned him around. Johnson believes any adult cybercriminal should serve time for that exact reason.
In prison, he came to terms with the fact that he hadn’t committed those crimes because of his upbringing or because he needed to provide for the long string of women whose love Johnson believed he could buy. He did it because he chose to. Not everyone comes to that conclusion, Johnson said; if they did, every cybercriminal would eventually reform.
In 2011, he was released under three years’ probation, during which he couldn’t touch a computer. He walked the straight and narrow, taking odd jobs like mowing lawns — because it turns out that even fast food jobs require touching a computer, as well as countless credit cards, on any given day.
Landscaping season ended, and Johnson couldn’t get any more work. His girlfriend (a different one) was the only one making money, and he felt he had to contribute, so he got some stolen credit cards and ordered food online.
He got caught.
Third Time Is the Charm
Johnson went back to prison. His girlfriend stuck by him, and he finally figured out what the Beatles had been saying for years: You can’t buy love. She loved him for him, not for what he could buy her. They got married shortly after his release, and Johnson turned over a new leaf — with a bit of help.
He reached out to an FBI agent who had been involved in all the major cybercrime busts and asked for guidance. The agent took him under his wing. People finally gave him the chance to do right.
Today, Johnson works with Microsoft, Next Caller, Emailage and public banks, among others, and speaks to banking, security, academic and merchant groups about the true nature of fraud.
Lessons Learned
Fraud is too easy these days.
Account takeover fraud, said Johnson, is easy. Fraudsters pay $2.90 to acquire a victim’s Social Security number and date of birth. That’s all they need to put into a background check or Credit Karma report. Even without AlphaBay, this is still an organized community furnishing a near-infinite supply of that information.
Taking over a bank account is easy. All fraudsters have to do, said Johnson, is spoof a call to the lowest-paid, lowest-educated member of the organization — typically someone on the customer service team — and convince them to change the phone number on the account.
And thanks to forums like AlphaBay, once someone discovers an exploit, it goes viral.
But it’s not just that victims are low-hanging fruit. Fraudsters do have to work at their craft.
In 2011, security companies started browser fingerprinting, a process that identifies the browser a legitimate customer is using, which plug-ins they have installed, the font and language displayed and 30 other tags. Together, these outline a unique identity, which can be used to confirm that a transaction is truly coming from that customer and not a fraudster.
But fraudsters saw it coming, and by the time browser fingerprinting went mainstream, they already knew how to get around it by using strategies like remote desktops, virtual IPs and iPhones with the SIM card replaced. There’s an illegal anti-detect program that can make any device look like any other device. For between $500 and $2,500, fraudsters can acquire the top-of-the-line tool for simulating any browser fingerprint in the system.
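For readers on the defending side, here is a sketch of the fingerprint check described above. It is an example added to this article, not code from Johnson or any vendor; the attribute names, sample values and the allow/step_up/review policy are assumptions. Because a fingerprint can be simulated, a match is treated as one signal only, and a sensitive action such as changing the phone number on an account always asks for more proof.

```python
import hashlib
import json

# The four attributes the article names; deployed systems add about 30 more tags.
ATTRS = ("browser", "plugins", "fonts", "language")

# Constructed sample data, not taken from any real customer or product.
ENROLLED = {"browser": "Firefox 115", "plugins": ["PDF Viewer", "Widevine"],
            "fonts": ["Arial", "Verdana"], "language": "en-US"}
SAME_DEVICE = {"browser": "firefox 115", "plugins": ["Widevine", "PDF Viewer"],
               "fonts": ["Verdana", "Arial"], "language": "en-us"}
UPDATED = dict(ENROLLED, browser="Firefox 116")
UNKNOWN = {"browser": "Chrome 120", "plugins": [], "fonts": ["Helvetica"],
           "language": "de-DE"}

def normalise(attrs):
    """Lower-case values and sort lists so ordering or case noise cannot change the result."""
    out = {}
    for key in ATTRS:
        value = attrs.get(key)
        if isinstance(value, (list, tuple, set)):
            value = sorted(str(v).strip().lower() for v in value)
        elif value is not None:
            value = str(value).strip().lower()
        out[key] = value
    return out

def fingerprint(attrs):
    """Stable SHA-256 over the canonical attribute set."""
    canon = json.dumps(normalise(attrs), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def changed_attributes(enrolled, observed):
    """List which attributes differ, so an analyst sees why a session was flagged."""
    a, b = normalise(enrolled), normalise(observed)
    return [k for k in ATTRS if a[k] != b[k]]

def assess(enrolled, observed, sensitive=False):
    """Assumed policy: a match is one signal, so sensitive actions always step up."""
    changed = changed_attributes(enrolled, observed)
    if len(changed) >= 2:
        return "review"      # looks like a different device
    if changed or sensitive:
        return "step_up"     # small drift, or a match on a high-risk action
    return "allow"
```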
They also do a ton of research, Johnson said. They might be the only people on earth who read the terms of service, because from that, they can learn what types of security are in place, shipping policies and who the organization partners with for security and processing.
So, while it’s getting easier, fraud still isn’t “easy” — and until banks and merchants give fraudsters credit for being as smart as they are, defenses will continue to fall short.