Brett Johnson is the Bad-Guy-Turned-Good-Guy We’ve Been Wanting to Meet Transcript

Brett Johnson

Adam Levin:

So one of the most frustrating things that people have been dealing with of late is being shut out of their social media accounts.

Beau Friedlander:

Shut out because they’re idiots or shut out because a hacker hacks them out of it?

Adam Levin:

Shut out because a hacker hacks them out of it.

Beau Friedlander:

Oh. Which is a form of idiocy.

Adam Levin:

Yes.

Beau Friedlander:

But this is like call a spade a spade. I thought that … I had hacked myself out of an account the other day because I logged into Instagram from my computer and it just shut me down and was like, no. I was like, what do you mean no? You’re Instagram. You say, yes. At any rate …

Adam Levin:

It didn’t say, I just don’t like you?

Beau Friedlander:

No, no. And it didn’t say I would do this if you were in Turkey. But it just actually shut me down and then I got a note saying, are you trying to log in from … where I was. And I was. And so they seemed to have actually patched one of the main ways that people were hacking into accounts, which is with IP addresses that were nowhere near the target.

Travis Taylor:

That is a long overdue security feature.

Beau Friedlander:

I think it’s pretty cool.

Travis Taylor:

Yeah.

Beau Friedlander:

So I got that. That is good news. The bad news is that criminals are, I don’t know. Would you say, one step ahead of consumers and the people whose platforms are used for crime or a thousand?

Travis Taylor:

Probably about a thousand. But at the same time, the fact that with Instagram, in particular, that they didn’t have any kind of verification when people were logging in was just silly. We’ve spoken to a lot of folks who’ve had that problem.

Beau Friedlander:

Well, it’s just about time, right?

Adam Levin:

Oh, it’s way past midnight on this.

Beau Friedlander:

Yeah. And so that is a good sign. But the problem is this is not a bucket. This is a net.

Adam Levin:

Right.

Travis Taylor:

Well also, the more they secure their accounts, the harder it can be, too, to get access to your account again. That if a hacker manages to get into it and they can use those security settings against you, that can make it even more difficult to reclaim it.

Adam Levin:

Yeah. This is happening more and more these days, these takeovers of social media accounts. In fact, in the past two years, it’s jumped to an all-time high.

Travis Taylor:

The data that you have on your social media account is valuable. And that’s one of the reasons why it’s getting sold, bought and sold a lot more on the dark web these days.

Adam Levin:

Except for my social media account, which has basically two pictures.

Beau Friedlander:

I disagree. I actually, Travis, I bet you, if we were to hack into Adam’s social media account, first of all, we would hear about it. His Instagram, where he has two pictures, we’d hear about it in two seconds. And secondly, sorry, or Adam, but all your criminals out there, he’s going to pay good money to get it back.

Adam Levin:

So Beau, we did it. We finally did it.

Beau Friedlander:

I know.

Adam Levin:

We finally got somebody from the dark side who’s now come over to the bright side to tell us about what it was like in the beginning.

Beau Friedlander:

We got a criminal.

Adam Levin:

We did. We got somebody who is a criminal. Who’s now a reform criminal. Who’s actually doing really good things and helping lots of people.

Beau Friedlander:

Is a criminal always a criminal or do they become rehabilitated? Well, actually he proves that they do become rehabilitated.

Travis Taylor:

He’s certainly reformed.

Adam Levin:

He’s reformed as opposed to conservative or Orthodox. No. Welcome to What the Hack?, A show about hackers, scammers, and the people they go after. I’m Adam, cyber a thousand points of light.

Beau Friedlander:

I’m Beau, cyber magic mind.

Travis Taylor:

And I’m Travis, cyber a thousand points of utter darkness.

Adam Levin:

And today, we talk with cyber black hat turned cyber white hat, Brett Johnson. Here we go. Glad to have you.

Brett Johnson:

Thank God. And, and my apologies. I had a tree land on my home, so they finally got us in to a hotel. I’m broadcasting from a hotel right now; actually moved my entire studio in the room here and been setting it up over the past couple of days.

Beau Friedlander:

Wow. That’s impressive. Your studio. If, because you can’t see a studio on a podcast, but your studio has a logo and it has really good lighting. Wow. That’s something.

Brett Johnson:

Thank you.

Travis Taylor:

And a Skeletor statue.

Brett Johnson:

And a Skeletor.

Adam Levin:

Brett, usually Beau would tell us that a tree fell something and caused something since he’s out the middle of nowhere.

Brett Johnson:

Well, I’m in Birmingham, Alabama. That’s basically the middle of nowhere.

Adam Levin:

That could be the center of nowhere, actually.

Beau Friedlander:

Yeah. That could be the Gotham of nowhere.

Brett Johnson:

That’s it.

Beau Friedlander:

But no. Anyway, that’s spoken like a true yank. Sorry.

Adam Levin:

So Brett, one of the questions I’m dying to ask you is your title, Chief Criminal Officer at Arkose Labs. Now that’s pretty awesome. How did you get that one?

Brett Johnson:

You’re right, it is pretty awesome. I had met Kevin Gosschalk. He’s the CEO and founder of Arkose. I met him back in 2018. Went into his office. We spent a couple hours together, and just chit chatted, talked security, things like that. Fast forward to late last year, he and I ended up on the same webinar together that was hosted by about fraud. He liked what I was talking about. He got up with me after that and he was like, “We need to bring you on.” And I was like, “I’m all for that.”

Brett Johnson:

So the thing is that I’ve spent so much time in cybersecurity on the good guy side of things. And I’m fairly well trusted in this vertical now. And the insight and the knowledge that I have on how attackers work, and coupled with being able to see things from the good guy’s side. Now, it lends an ability to help customers, whether they’re existing clients, potential clients, or just people in general. It helps them avoid that type of person that I used to be. So I’m chief criminal officer. I talk about upcoming trends, pool of dark net Intel, just any number of things that would help any person or corporation that may or may not be a customer of Arkose.

Adam Levin:

So now you’re on the right side of the law by, by definition, here. How did you start on the not right side of the law?

Beau Friedlander:

So is there an origin story here, Brett?

Brett Johnson:

Yeah, I laugh about it, but man, it’s a long story. My first crime was 10-years-old and you’ve probably seen me talk about this on other podcasts or interviews and what have you. But I’m from Eastern Kentucky and Eastern Kentucky is one of these areas that if you don’t have a job, and a lot of people don’t have a job, these people that … we are a bunch that a lot of us, “We will resort to whatever we need to do.” That’s the bad quote is, we’re going to do whatever we need to do in order to make ends meet. My mom was basically the captain of the entire fraud industry. This is a woman that at one point, she steals a 108,000-pound Caterpillar D9 bulldozer. At another point she takes-

Adam Levin:

Oh!

Brett Johnson:

Oh, yeah. Oh yeah. Can you imagine this woman tramming a D9 down the road and that’s exactly what she did. Just …

Beau Friedlander:

I need her. I need her over here, Brett. I need, I would like, I would like that machine, but keep going.

Adam Levin:

He’s right. Beau has got his tractor.

Travis Taylor:

There you go.

Adam Levin:

He would love that one. Yeah.

Brett Johnson:

So that’s mom. She took a slip and fell in a convenient store. She acted as a pimp for a while. Traffic, drugs, all that kind of stuff. My dad wasn’t like that. My dad was a good guy, but my dad’s problem was he loved my mom so much he didn’t want her to leave. So she wanted to commit a crime, he would co-sign on to it. If she wanted to abuse someone, he wouldn’t step in the way.

Brett Johnson:

And my first crime was shoplifting food for me and my sister. My mom used to leave me and Denise home for days at a time. And this one time we didn’t have any food in the house. Denise, nine years old, she walks in, she’s got a pack of pork job in her hand. I’m like, “Where’d you get that?” She’s like, “I stole it.” And I was like, “Show me how you did that.” So she takes me over and she shows me how she steals food. And I’m like, “Great idea.”

Brett Johnson:

So we start stealing food. Look across the way. Kmart’s over there. Well, we start taking clothes and jewelry, music, toys, everything else. Mom comes home, sees everything we’ve stolen. “Where did this come from?” I stand up. “We found it.” She’s like, “You didn’t find that.” Denise stands up. “We stole it.” My mom’s like, “Show me how you did that.” Yeah. Yeah. And it gets worse. She calls her mom to join us as well. And we begin these trips shoplifting. And that’s the first crimes I committed. And that’s …

Adam Levin:

So your grandmother was part of this thing too?

Brett Johnson:

Oh dude. And my grandmother, my grandfather. We lived in a neighborhood in Eastern Kentucky. My grandfather used to sit on the porch downstairs and people would come up to him just off the street that have VCRs or what have you. And they’d start. “Now Paul, here’s where I got it.” And he was like, “Hey, I don’t want to know where you got it. I’m not an FBI agent. How much do you want for it?” That was my life growing up.

Adam Levin:

So it’s the family business. You went into the family business?

Brett Johnson:

It is. But I want you guys to realize, and I’m really adamant about saying this. I say that that’s where my life of crime started. But just because I did that as a child, that doesn’t mean I had to do that as an adult, I chose to break the law as an adult. My sister, she had the exact same upbringing that I did. Other than that one shoplifting experience, she doesn’t break the law anymore. She goes off, she’s a teacher. She’s a great parent, just a really good citizen. I’m the guy that kept on going, and didn’t stop. And as I got older, I got more involved in those types of scams that everyone on that side of the family was involved in.

Brett Johnson:

So I grew up knowing how to traffic drugs, knowing how to do insurance fraud, whether that be burning homes, faking accidents, faking stolen cars, whatever. I grew up knowing how to wildcat coal. Just all these … forged documents, charity fraud, everything that you could possibly imagine. Until I finally just branched off on my own and went into internet fraud. So that’s where my life of crime began.

Beau Friedlander:

Brad, could you tell us your online story, your first online crime story?

Brett Johnson:

Sure. So my first online crime story. I got married in the mid-nineties. I get the worst brush from my mom and my dad. My mom, the criminal mindset; my dad, that fear being abandoned. So I told my wife, I was like, hey, you worry about going to school. “I got the job.” I got the cooking. I got the cleaning and all that. Well, I didn’t have all that. Then what gave was the job. Well, you got to eat. Didn’t really know how I was going to eat until I found eBay. And man, I liked eBay. Didn’t really know how to make money on eBay.

Travis Taylor:

Were you a computer guy before that?

Brett Johnson:

I was. But it was really just games more than anything.

Travis Taylor:

Sure.

Brett Johnson:

And so I found eBay. And Bill O’Reilly, he was hosting Inside Edition, this 30-minute news tabloid show. The one they were doing was one on Beanie Babies and they were profiling Peanut, the Royal blue elephant, selling for $1,500. I’m sitting there watching the show. I need to find me a Peanut. Skipped class the next day, go around to all the Hallmark stores, looking for the thing. Figure out pretty, well, not pretty quickly. It took me three or four hours to figure out well, idiot. He’s not in the Hallmark stores. He’s on eBay for $1,500. But they had these gray beanie baby elephants for $8.

Brett Johnson:

Buy a gray beanie baby elephant for $8. Stopped by a Kroger on the way home. Picked up a pack of blue rit dye. Go home, tried to dye the little guy. Turns out they’re made out of polyester. Don’t hold dye very well. Get them out of the bath. Look like they’ve got the make. It’s true. It’s spotty. You get it out of there, and it’s like, don’t have trouble selling that.

Beau Friedlander:

Now I want to hear how handy you are. What’d you do next?

Brett Johnson:

Well, what happened was is I ripped the lady off of $1,500. I found a picture of a real one online, posted it. She thought I had the real thing. She wins the bid. As soon as she wins the bid, I don’t want to be on the defensive of that conversation. I want to put her on the defensive. So I sent her a message. I was like, hey, congratulations on winning. By the way, we’ve never done any business before. I don’t know if I can trust you. What I need you to do is go down to the US Postal Service, pick up a couple money orders totaling $1,500. Send those to me. When I get them, I’ll send you your animal. Hey look, those money orders are issued by the US government. They protect you and me in this transaction. She believed that she sent the money orders to me. I get them, send her the animal. Immediately get a phone call. “This is not what I ordered.” My response: “Lady, you ordered a blue elephant.” I sent you a blue-ish elephant.

Beau Friedlander:

Did you say, “ish?” Now, come on. Hold on.

Brett Johnson:

It was, hey look, if you knew me, you’d know I would, I said “blueish.”

Beau Friedlander:

Awesome. Awesome.

Travis Taylor:

And did eBay have any protections in place at this point or was it a still their early days?

Brett Johnson:

That is an excellent question. And the answer to that is absolutely no protections. So between me and then later on Counterfeit Library and ShadowCrew, we’re the reason that eBay put those protections in place. It used to be when eBay first came out, you could look up every bit of information on that buyer that you needed to look up: name, address, phone number. You could contact them and have them, you could get them offsite very easily to have these conversations because they didn’t have that internal messaging system set up or anything else like that. Because of what we were doing, eBay put all of those protections in place. So you could no longer see what that identity is or anything else at that point.

Travis Taylor:

Yeah. They used to be at least notoriously hands-off when it came to fraud, as I recall. Yeah.

Beau Friedlander:

Oh, and that’s why I was going to ask. And when you said that they were, they were totally hands-off and they still are to some extent.

Travis Taylor:

To an extent.

Beau Friedlander:

But less so. What was the strategy when you said, because I think it’s quite, it was a very smart move on your part. When you said, “Lady, this is to protect you and me.” Now, was that to instill confidence in her. What were you trying to do there?

Brett Johnson:

So when you’re scamming people, you have to understand that most online crime is successful because of social engineering. You know? You take ransomware, for example. You can build that ransomware product, but if you can’t get it deployed, you’re useless. And that requires some degree of social engineering to do that. So as a criminal, what I’ve noticed, especially on the good guy’s side now, is that most of your expert criminals become social engineers as children, typically to survive their environment. And then once they become an adult, they choose to use those tools to victimize people to be successful. And that’s exactly what … I was no different in that.

Brett Johnson:

The goal on that was to put that victim in a situation where they were responding to me. Not to let them gain control of that conversation. I wanted to be able to dictate everything because if I allowed her to reach out and try to put me on the defensive, I’m not in control at that point. I want to be able to control that. So the way I control that is, hey, I don’t know if I trust you. So that puts them on the defensive immediately. But I’ve got a solution for that.

Brett Johnson:

The United States government issues these money orders that not only protect you, but they also protect me because, hey, I don’t really trust you. So I want to make sure that this entire transaction is protected and that we have trust across the board at that point. That’s how you tend to gauge or define those conversations, construct that type of scam that’s going on. If you think about it, that particular type of scam, just that beanie baby story, is a microcosm of most internet scams that are going on: crypto scams, Zelle fraud scams, all these other things. It’s about that criminal building trust or getting that potential victim to trust them.

Brett Johnson:

So how do you do that as a criminal? Will you do that through a combination of technology tools and then social engineering. Today, that’s how that’s done. So we inherently trust the technology which is given to us. We trust our cell phones, our laptops, desktops. We don’t understand it a lot, but we trust it. It’s that mystery of technology. We inherently trust it. The people who built that, they’ve got us, they’re going to protect us. No, by God, they’re not. What people don’t understand is that criminals use a variety of tools to manipulate that technology. They use spoof phone calls, they use spoof browser fingerprints or SOCKS5 proxies, whatever. And then finally, once you have that base level of trust established, then you see how good of a con man or a liar, social engineer, that criminal is and manipulated you into giving up information, access, data or cash.

Adam Levin:

So let me ask you, after the beanie baby incident, did you just dive into cybercrime full-time?

Brett Johnson:

Yeah, pretty much. And it was a learning process. So Beanie Babies was the first occurrence. But then it went on to autographs of baseballs. And I did that under my own name, because I was very inexperienced. So Beanie Babies was the first instance. Autographed baseballs. I went and got a case of baseballs and signed Sammy Sosa, Mark McGuire’s name to them. Printed off my own certificates of authenticity. That prompted a visit from law enforcement. Because again, I was doing it under my own name.

Brett Johnson:

But as I kept going … and the thing about it is, and we still see that today, very little prosecution. A lot of that is because of jurisdictional issues or just manpower with law enforcement or just victims not complaining. You get a lot of these victims that simply will not file a police report or try to follow up on things. So it went from Beanie Babies to baseballs, to pirated software. Pirated software turned into mod chips on gaming systems, then into cable boxes, and into satellite DSS systems. And then finally, ShadowCrew and Counterfeit Library pop up. And that’s this advent of modern cybercrime as you see it today.

Adam Levin:

Counterfeit Library and then ShadowCrew. For the benefit of our listeners, explain what they were.

Brett Johnson:

So to explain what they are, what they were, you have to go back to what existed before that. So understand that cybercrime by necessity has to be organized. You can’t just be one individual and be really successful at online crime. So break it down into there being three necessities to successful cybercrime: gathering the data, committing the crime, and then cashing out. All three of those things have to work in conjunction. If they don’t, the crime fails. The problem is that one specific criminal, one guy, can’t do all three things. He can do one, sometimes two, but rarely all three. And that’s because of a skill gap problem that criminal simply doesn’t know how to do one of those things. Maybe he can’t lodge a man in the middle of attack. Maybe he doesn’t understand how to do a phishing attack, something like that. Or it’s because of a problem with geographic area. That criminal is in an area where he simply cannot fulfill one of those three necessities. Think laundering money, okay?

Brett Johnson:

Now, before Counterfeit Library and ShadowCrew, the only avenue you had to engage in online crime, together, was an IRC session, this internet relay chat. This chat session, rolling chat board, where you had no idea who you were talking to. If the person you were talking to knew what they were talking about, if you could trust them, if they had a product or service that they actually had it, if it worked, or if they were just going to rip you off, because everyone there was a crook.

Brett Johnson:

Counterfeit Library and ShadowCrew, ultimately, solved that issue. It gave a trust mechanism that criminals could use. Now you had a large communication channel in the form of a forum type structure where individuals from different time zones could reference conversations, days, weeks, months old. They could take part in those conversations. Learn from those conversations. You knew by looking at someone’s screen name what the skill level of that person was. If you could trust that person, if you could work with that person. We had vouching systems in place, review systems in place, escrow systems in place, all with that singular purpose of establishing trust with one criminal and another. When you wouldn’t know each other’s real name, wouldn’t ever meet each other in real life, wouldn’t know what each other looked like. Also, you could work together. So that was one. That was to me, that’s looking back, that’s the major aspect of what ShadowCrew and Counterfeit Library were.

Travis Taylor:

This was a pre-cryptocurrency, right?

Brett Johnson:

It was. So you had a couple of precursors to today’s crypto. You had eGold and you had Liberty Reserve. So think of eGold as basically today’s crypto without the blockchain, even though the founder of eGold at that point in time really had this idea of what blockchain was. If you read some of his writings and some of his interviews back in the day, he really started to understand what blockchain could be. It just wasn’t implemented in eGold at that point in time.

Beau Friedlander:

Now Travis, in the most user friendly terms possible, can you explain this to me?

Travis Taylor:

Sure. Well there’s Internet Relay Chat, which was, I think, the original dark web.

Beau Friedlander:

Did I use it or was it-

Travis Taylor:

Nope. Nope.

Beau Friedlander:

How do you I didn’t use it?

Travis Taylor:

I would’ve been shocked if you had used it, yeah.

Beau Friedlander:

Did Brett use it?

Brett Johnson:

Yeah.

Beau Friedlander:

Brett, you dog. So okay, so this is a communication channel for criminals and other-

Brett Johnson:

But not only criminals.

Beau Friedlander:

Also tech people I’m guessing or people who are developers.

Brett Johnson:

Right.

Beau Friedlander:

Got you.

Brett Johnson:

A whole slew of people. Anyone that was on the fringes of the internet.

Beau Friedlander:

Okay. And then how does that, I get that. And I think our listeners will understand that too now. How did being there facilitate doing crime?

Brett Johnson:

So if you’re on the fringes of the net, if you’re looking at the stuff that most people don’t really look at, you tend to see these things. Most people will visit Drudge Report. They’ll visit eBay, Twitter, Amazon, Linkedin things like that.

Beau Friedlander:

Yeah.

Brett Johnson:

But there are areas of the internet where most normal people don’t frequent. So if you find yourself-

Adam Levin:

So some naughty things are going there.

Brett Johnson:

Right.

Beau Friedlander:

No, no Adam, but he’s not talking about the ones that people do frequent but don’t talk about.

Adam Levin:

Yes. Right.

Beau Friedlander:

Right, exactly.

Brett Johnson:

But if you find yourself there, you’re exposed to things that the typical person would not be exposed to, and you become more well versed in that or better versed in that area. All right? If you’re going to these areas and you’ve already got a proclivity toward fraud or crime, then all of a sudden, you start to see how you could profit. All right? And that’s exactly what happened back in the day. But when you’re seeing that area, you start to see these issues that are popping up. For example, if you’re on IRC, anybody can be anybody. But if you look at today’s dark web, trust on the dark web is a necessity. So you have these channels like Dread or Alpha Bay or whatever the marketplace is, that’s alive today. And a lot of these channels, a person, especially on the dark web, it’s different on Telegram, but on the dark web trust is established by that username. And that username is a persistent name. That name becomes that user’s brand. So you know by looking at whatever channel or whatever platform that criminal is on, you know who that person is.

Beau Friedlander:

Okay.

Adam Levin:

So that’s getting verified by Instagram, for instance.

Brett Johnson:

Absolutely. It’s the same as that little blue check mark on Twitter. Absolutely, it is.

Adam Levin:

Gotcha. Now with ShadowCrew, there were members, right? You had a specific number of people that were part of it, correct?

Brett Johnson:

By the time the federal government shut us down, we ended with 4000 members. Which you look at things today, that’s a very small me membership. Back then, it was huge because we were the first ones on the block. You know? Today you’ve got … Back in 2017, you had Alpha Bay, which was the criminal network. It got shut down. 240,000 members. 2019, Black Market, a marketplace, gets shut down. 1.15 million members. Today you’ve got individual sites, marketplaces or forums that are millions of members large. But back then 4000 members, we thought it was big. Little did we know …

Adam Levin:

Now did this 4000 member club get you onto the US Most Wanted list?

Brett Johnson:

That’s a long story. But what you have to understand is that ShadowCrew is really the start of cybercrime as we know it today. Because we had this thing called the CVV1 hack. We were spamming all this information. And back then, when you were doing a phishing attack, you could ask 20 or 30 different questions and get answers to all of this. So we were getting complete identity profiles, just from a phishing attack. We were getting PINs, we were getting card numbers. In order for you, and that’s fine for online crime. But for you to be able to encode that on a counterfeit credit card or a debit card, you have to have complete track to data. So on the back of that credit or debit card, that mag Stripe has three data tracks. The first data track is the customer’s name. Second data track is the card number. There’s a forward slash. Then there’s a 16 digit algorithm out beside of that. Third data track is called indiscriminate data. No one uses it.

Brett Johnson:

What’s bought and sold is the second data track. For you to use that at an ATM, you have to have that complete track to data. We had the first part of that, the card number. We did not have that 16-digit algorithm. But here’s the interesting thing. Back then, none of the banks had implemented the hash, meaning that you could have the 16 digit card number, put a forward slash on there, and then any 16 digits out beside of it, it would encode. You could take it to the ATM and pull cash out because we had the PIN as well. So we found that out. Started, instead of stealing 30 to $40,000 a month, it became 30 to $40,000 a day. Started doing that. That attracted a lot of law enforcement attention.

Brett Johnson:

So we started to see, we had an individual that had intercepted text messages from the United States Secret Service about them investigating us. We had those text messages. We started to see IP numbers coming in from local state, federal law enforcement, started seeing all that. And got really worried. So I was top of the chain. I was the head guy at that point in time. I retired because I started to see that. Got worried. And at the same time, I had happened upon this thing called tax return identity theft. I was stealing a lot of money doing that. At the about the same time I-

Beau Friedlander:

Maybe this is Joe Bianco’s guy?

Brett Johnson:

But at the same time I was doing that, our forum techie, this guy named Albert Gonzalez, he’s in New Jersey, and he’s got a stack of white counterfeit ATM cards.

Adam Levin:

I was a Jersey guy. I get it.

Brett Johnson:

There you go. So he’s in New Jersey one day, broad daylight. And he stands at an ATM for over 40 minutes feeding in one counterfeit card after another, pulling out $20 bills, stuffing them in a backpack. Just so happens that across the street, a couple of New Jersey cops notice this kid standing there that long. One of them says the other, “Let me go over and ask what he’s doing.” He walks up to Albert. Albert’s got a wig on, wearing a disguise, everything else. Albert falls apart. Gets arrested. Flips, goes to work for the Secret Service. Well, no one tells us that. So, long story short, ShadowCrew makes the front cover of Forbes, August 2004 headline: Who’s Stealing Your Identity.

Brett Johnson:

October 26th, 2004, United States Secret Service arrest 33 people, six countries, six hours. I’m the only guy publicly mentioned as getting away. They pick me up four months later and they give me a job working for the Secret Service. And I’m the idiot that continues to break the law from inside Secret Service offices for the next 10 months, until they find out about it. I take off on a cross country crime spree, steal $600,000 in the space of four months. Wake up one morning on the United States Most Wanted list. Go to Disney world, get arrested, get sent to prison, escape from prison, get arrested again; and finally, serve out my time.

Travis Taylor:

I guess one of the questions is, why Disney World?

Brett Johnson:

Why? You know why?

Adam Levin:

Because you saw the commercial for the guys that won the Super Bowl, right?

Brett Johnson:

That’s it. That’s exactly what happened. I woke up, I had stolen $160,000. I was in Las Vegas. Had stolen 160K out of ATMs the night before. Woke up the next morning. I was on the United States Most Wanted list.

Adam Levin:

That’s a pretty impressive list to get on.

Brett Johnson:

It’s not a list you want to be on.

Adam Levin:

No.

Brett Johnson:

You know? So I sat there and said it out loud after about five or 10 minutes, just staring at it. “Well, Mr. Johnson, you’ve made the United States Most Wanted list. What are you going to do now?” And I sat out loud, “I’m going to Disney World.” That’s exactly what I did.

Beau Friedlander:

That’s awesome. All right.

Brett Johnson:

Yeah. Because I’m an idiot.

Beau Friedlander:

Now, but if no idiot gets to escape prison. Did you escape jail or prison?

Brett Johnson:

Prison.

Beau Friedlander:

Wow.

Adam Levin:

Can you tell us which prison?

Brett Johnson:

Sure. Ashland, Kentucky, Federal or FCI. So Ashland, Kentucky has a medium and they have a minimum security as well. Where I was sentenced under 10 years, I was sentenced to the minimum security. Think camp, I had a job.

Beau Friedlander:

So could you just walk right out?

Brett Johnson:

I had a job working outside of the fence and what happens was is my dad, my mom left my dad. I didn’t have a conversation with my dad for about 20 years. The man shows up at my sentencing. He stands up and he was like, “Your Honor, I want to make sure Brett has a good start when he gets out of prison. He’s welcome to come and live with me.” So my dad starts to visit once I get to prison. About the third visit in, he looks at me, he is like, “I’ve been reading about you online.” I’m like, “Yeah.” And he’s like, “Yeah. That’s a lot of money you made.” And I’m like, “Yeah.” And he was like, “Do you think you could teach somebody how to do that?”

Beau Friedlander:

I was thinking the same thing.

Brett Johnson:

Exactly, right? So when I first started to tell that story, I lied about it. And I said, “I thought my dad was back in my life and he just wanted to use me.” The truth of the matter is, is that my dad didn’t talk to me for over 20 years. And I think when he started to come visit, I think that the only way he viewed me was through that lens of my mother, that criminal mindset. So he thought that was the only way he could communicate with me. And I manipulated the man into helping me escape. So he had $4,000 cash to his name. He gave me that. He dropped me off a change of clothes, a cell phone, and a driver’s license. I taught him how to do tax return fraud. And I escaped. But there’s nothing romantic about it. It’s about me manipulating my father, at the end of the day.

Beau Friedlander:

I’m curious though. So you were captured again and you served your time, and when you served your time, while you’re in there, the second time around, it sounds like you were rehabilitated?

Brett Johnson:

Yeah. My rehabilitation comes from three different things. My sister had disowned me at one point because of a girl I was engaged to. That’s the first turnaround is when Denise comes back in my life. It was after the escape. It took me two and a half years to really accept responsibility for that. Two and a half years behind the fence. It took me to realize that, hey, I didn’t commit crime because of my family or my wife or my stripper girlfriend. I committed crime because I chose to.

Beau Friedlander:

And Denise is your sister who taught you how to steal in the first place.

Brett Johnson:

Right. Right. So, and she’s a … Make no mistake. Denise is an outstanding human being. Other than that one shoplifting thing, she doesn’t break the law anymore.

Beau Friedlander:

Got you.

Brett Johnson:

But that’s the first turnaround. The second turnaround is my wife now, Michelle. I had gotten out of prison. I couldn’t get a job at all. Couldn’t touch a computer or anything else like that. I couldn’t even work at fast food or anything like that because that was touching a computer. It got to the point that I couldn’t buy toilet paper, so I ended up shoplifting toilet paper. About the same time my wife, Michelle, finds me. I finally found a job in manual labor. That job ended and I recidivated. I ended up committing crime again. Got sent back to prison. And that’s when I found out that for the first time in my life, I had somebody that needed me for me, not what I could give them.

Brett Johnson:

That’s the second turnaround. And then when I got out of prison, I ended up reaching out to the FBI. This guy named Keith Mularski, an agent. He’s retired now, but I reached out to him and I sent him a message saying, hey, the work you did with all this cybercrime stuff, outstanding, nothing but respect for you. By the way, I’d like to be legal. The guy responded within two hours, took me under his wing, gave me references, advice, everything else. And that’s what finally got me off on this start of this legal path that I’m on now.

Adam Levin:

Now, was he FBI or Secret Service?

Brett Johnson:

He was. He was FBI working out of the Pittsburgh field office. He was involved in a lot of the people being arrested that I was associated with. And from there it’s just … My thing now is learning what it is to be a healthy, productive citizen, and also helping people instead of hurting people. I really take it seriously, this idea of helping to protect businesses and consumers against the type of person that I used to be.

Beau Friedlander:

Now, how do you do that as a consultant these days? What does it look like?

Brett Johnson:

Well, what it looks like is I speak across the planet. I’ve got my show, the Brett Johnson Show on YouTube, where I talk about cybercrime, security issues, personal stories, things like that. I’m Chief Criminal Officer of Arkose Labs working on a couple of TV shows. I’m a spokesperson for AARP. And I constantly help law enforcement and any individual or business that needs it to understand how cybercrime environments work, to understand the types of crimes that are out there, how they’re being targeted, and how they can protect themselves against these types of crimes. For example, just as an individual, there are basically three things that you need to do immediately. You need to freeze the credit of every single person in the house; including the kids, because children are the number one victims of identity theft.

Brett Johnson:

Understand that a credit freeze only stops new account fraud. So on top of that, you need to monitor your existing accounts and you need to place alerts on those accounts where you can. For example, Discover card is a $0 alert. So place the lowest dollar amount you can. That way, if somebody like me gets on the dark web, buys your Discover card info for 12 bucks, just pings it to see if it’s alive, you get that text message saying, hey, someone’s trying to take your card. You can have it shut down at that point. So those are the two first things. And then the third big things is, do you use the same password and log in across multiple websites? Well, 80% of the population does that. So use a password manager. I don’t really care which one you use. Personally, I’m an Android guy. I use the one that’s built into Chrome. All right? I don’t care which one you use. Those are the three big ones.

Brett Johnson:

Now we can talk about other things than that. We can talk about multifactor authentication, which I’m a big supporter of. But understand that, that’s just a tool. It needs to be used in conjunction with these other things as well. Think of an attacker as having a toolbox. And in his toolbox, he’s got a variety of tools with which to victimize you. As a defender, you need to have a toolbox as well, with a variety of tools with which to defend yourself and understand your place in that cybercrime environment. Have that situational awareness, not just when you’re in a bad neighborhood, but when you’re online, too. There are predators online as well as in the real world. And you need to be aware of your environment at all times.

Adam Levin:

What’s got you worried? What keeps you up at night when it comes to cybercrime?

Brett Johnson:

What’s got me worried? There are several things right now. What have me worried, the pandemic for one thing. During the pandemic, you had the government that basically gave away money for free to any criminal who wanted it. No security in place whatsoever for six months. And we saw the number of fraudsters and cyber criminals explode during that point in time. These are people that now that they’ve got a taste of that stolen money and how easy it is to get, they’re not going to go and flip burgers for a living. So they’re now looking at other ways to profit. And what we’re seeing now is that cybercrime, that platform, is becoming evolved enough that you’re seeing these more sophisticated types of tools being offered to the 98% of cyber criminals that are basically idiots. That wouldn’t know how to use these sophisticated tools if they could. But you’re seeing these platforms and these services being evolved where, hey, doesn’t matter if you don’t know how to use a bot, we’re going to have a bot marketplace where everything’s automated for you.

Beau Friedlander:

Oh, so it’s like ransomware as a service and other …

Brett Johnson:

It’s crazy. It’s absolutely crazy.

Beau Friedlander:

Yep.

Brett Johnson:

There’s a thing called Genesis Marketplace where it’s a bot marketplace. It delivers to a criminal any number of things that, that person needs to take over your account. And it’s so successful in doing that, that I’ve seen banks that the account has obviously been taken over, but because it’s using the exact same cookie and everything else, the bank says no, the actual account holder sent this money out. That worries me to no end right there, that type of the way cybercrime is being involved. These things like Zelle fraud, that worries me because you see the banks that simply refuse to have proper security or proper protections for the consumers. And they blame the fraud on the consumer. I think that’s a real problem that needs to be addressed.

Adam Levin:

In one sense, we’re almost going back to the not so good old days where the consumer was considered collateral damage.

Brett Johnson:

Right.

Adam Levin:

And the business was considered the victim.

Brett Johnson:

That’s insane. Absolutely insane. And it’s absolutely correct.

Travis Taylor:

Are there any platforms out there that you think are really just doing it right in terms of privacy and security?

Brett Johnson:

As we get into Web3, think of Web3 as we’re finally getting to that point where privacy is becoming important because it’s not really been. A lot of companies have placed that onus of privacy on the consumer. And I think that’s the wrong thing to do. And we’re reaping that whirlwind now. You’re seeing these news articles pop up of border protection, getting all the cell phone data of states, potentially getting cell phone data of people visiting abortion clinics, things like that. So people are finally starting to realize the importance of privacy. But even then, I think that it’s the point of the company and the platforms that are being built to really respect that privacy. Unfortunately, right now, there are a few companies that I think that are very good about doing that. Most companies are not.

Beau Friedlander:

One of the things that I was struck by today, I was telling Travis, Brett, you will not believe what I got via email today. I got it via email and via direct message at the same time. I was stunned. I got a message from Instagram asking me if I had logged on from a specific location. Now you know there are scams, a lot of them based out of Turkey, where for ages, Instagram was like, oh, look at that. There’s someone logging in on Turkey for this guy from Bakersfield, California.

Brett Johnson:

Right.

Beau Friedlander:

And they know damn well that, that’s not the user in question. But they didn’t flag it at all.

Brett Johnson:

Exactly.

Beau Friedlander:

That baseline incompetence.

Brett Johnson:

It gets worse though.

Beau Friedlander:

What’s driving across-

Brett Johnson:

I’ve dealt with people that have had their Instagram accounts taken over by Turkish people, by Ukraine, Russia, wherever the hell that the takeover’s happening. And then the legitimate account holder, which they’ve got the history of the IP, everything else, cannot get their account back because Instagram is horrible to try to deal with. And Instagram’s not the only one.

Adam Levin:

We’ve had a number of people on the show that have experienced that.

Beau Friedlander:

It’s a labyrinth. Yeah.

Adam Levin:

Can you tell us this a little bit about Genesis Market?

Brett Johnson:

So Genesis Marketplace, historically, the way account takeovers used to work is a criminal would go on the dark web. He’d buy your login credentials for say PayPal or your bank account or wherever that was. He’d get your pay. He’d get those log in credentials. He may get some personal information. He may get a browser fingerprint that’s associated with that account as well. And typically, that would run anywhere from say $15 up to maybe 150, something like that. Because he was getting data like that, the potential of that account takeover failing was pretty big because he didn’t have the cookie. He may have some things with the browser fingerprint failing. He didn’t have the correct IP range, anything else like that. What Genesis Marketplace does, it’s a marketplace of bots. Currently has 400,000 bots. These bots range anywhere from $3 up to $400 a piece. The bots sit on someone’s network.

Brett Johnson:

So networks, think of it like this. 41% of every single router on the planet has the default password. And that’s just one stat that’s out there. So the threat landscape, the ability to put bots into play is wide open pretty much. Okay? So the bot sits on someone’s network. You go to sign in to say your bank account. The bot captures your login credentials. It captures the cookie that you’re using to log in. It captures the browser fingerprint as well. So you log in, you’ve got multifactor authentication deployed. Your multifactor triggers when you log in. You go ahead and you sign into all that. Now you sign out because Genesis is sitting on your network and captures the cookie, captures the credentials and everything else. If the criminal comes in, in a timely manner and tries to log in right after you leave that session, guess what? Multifactor is bypassed at that point.

Adam Levin:

Oh, if it’s within a certain window?

Brett Johnson:

Exactly. So multifactor is bypassed. He logs into your account. He’s got the exact same cookie, everything else. He’s able to do whatever he wants to with your account at that point. Now I said before, Genesis and these platforms are becoming evolved because they’re marketing toward criminals that typically don’t know how to use those types of things. Genesis makes it even easier. It’s got a search function. So you can search for city or PayPal or Xbox or whatever account you’re trying to take over. Because these criminals typically wouldn’t know what to do with a cookie if they had it, Genesis has its own standalone browser or browser plugin that automates this entire thing for you. So you don’t have to know how to use it. You capture the credentials, all the data that’s needed to take over the account. Genesis plugs it in for you automatically, and then goes to the account for you, tries to sign in so you can do whatever damage you want to, to that victim.

Adam Levin:

So you may say that Genesis has lowered the barrier to injury big time?

Brett Johnson:

Very much so. And think of it like this. Most, the cybercrime criminal breakdown, that demographic, you’ve only got maybe one to 2% that are very sophisticated attackers. The 98% of criminals out there are not. They’re social engineers. They’re script kitties. They’re just reading tutorials. Because you’ve got things like Genesis that are becoming evolved like that, you’ve got a whole new demographic of cyber criminals that are now able to attack using these tools and services.

Beau Friedlander:

So you have script kitties, which is a great phrase. And you have these, probably like boiler rooms. Maybe they’re now located in people’s homes because of COVID. But the Genesis Market sells hacked personal accounts. Period. Right?

Brett Johnson:

Right.

Beau Friedlander:

You can scroll through the platform and see thousands of stolen credentials from Facebook.

Brett Johnson:

Well, you see thousands of bots that captures those credentials.

Beau Friedlander:

So when you see those bots, are you able to, while you’re in there, view the specific credentials of accounts?

Brett Johnson:

You can’t until you buy the bot. But the bot itself, so you’re doing a search-

Beau Friedlander:

Okay.

Brett Johnson:

And say, I want them to have Gmail accounts. So you’ll do the search. And it will give you a set of bots that have Gmail access, that are capturing those Gmail credentials.

Beau Friedlander:

Okay.

Brett Johnson:

But it will also list everything else that, that specific bot is capturing. So say you buy the bot for $50. The first set of credentials is free. Any new credentials that are delivered to you through that bot cost a dollar a piece.

Beau Friedlander:

So this is basically the cybercrime as a service, Microsoft Office Suite for the criminal.

Brett Johnson:

Absolutely.

Beau Friedlander:

Who’s looking to, they don’t want to code their own word processing program. Why do it when you can buy it?

Brett Johnson:

Right.

Beau Friedlander:

And just … Okay.

Brett Johnson:

Adam was asking, what do I worry about? That’s the type of stuff that I worry about.

Beau Friedlander:

Oh, I bet.

Adam Levin:

Now with these bots, do you get any exclusivity whatsoever if you’re paying for it? Or it’s a free for … everybody can buy the same information?

Beau Friedlander:

So the person buys that specific bot. No one else has access to that bot but you.

Adam Levin:

Gotcha.

Beau Friedlander:

But when you’re dealing with 400,000 bots on that platform …

Adam Levin:

You got a lot of bots to choose from.

Brett Johnson:

You got a lot to choose from.

Adam Levin:

So you mentioned earlier about password managers. Will that, in and of itself, keep our data from getting on Genesis or are there other things that consumers need to do?

Brett Johnson:

I don’t think that in itself. So as I said, it’s simply a tool. Those three things: the credit freeze, the password manager, monitoring accounts. I view those as tools. And the thing is, is that most people, you take credit freezes, for example. Credit freezes have been free since September 18th, 2018. Today there’s only 12% of the US population that has a credit freeze in place, which is insane. It’s one of the best tools that you could possibly use so that people like me don’t victimize you. But only 12% of the population have adopted that tool.

Brett Johnson:

Because of that, most cyber criminals, if you’re looking for motivation, there’s status, there’s cash, and there’s ideology. Most of it is cash-based motivation. Because it’s a cash-based motivation, you’re looking at lowest hanging fruit. So if you’re just doing the simple necessities, those three things, multifactor authentication added onto that, you’re not going to be that lowest hanging fruit. You’re much more protected than the 88% of the population that’s out there. So that’s what I basically advise all the time. You’re not going to ever be able to protect yourself 100% of the way. But if you’re practicing good security hygiene, the chances of you being victimized are much, much smaller than the people out there. The majority of people out there that simply are unaware or don’t care.

Adam Levin:

That’s like having the house with the dog versus the house with no dog.

Brett Johnson:

Exactly.

Beau Friedlander:

And the cyber, just for our listeners, a credit freeze is free.

Brett Johnson:

Right.

Beau Friedlander:

It is easy to set up. And if you have a service where you’re monitoring through Experian or Equifax or TransUnion, they also will have a lock that you can use, which is even faster. It’s not as effective, but it’s faster and it will give you some of the same features. The bottom line is: If you’re not using these features that are free and out there, you’re needlessly exposed.

Brett Johnson:

You are. A credit freeze is free. The Chrome, I don’t care if you’re an Apple or a Google user, they’ve got built-in password managers that are free.

Beau Friedlander:

Yep.

Brett Johnson:

At the end of the day, if you wanted to do, have a takeaway on this episode, it’s do something.

Adam Levin:

Yes.

Brett Johnson:

Do something. It’s doing nothing. Just do something.

Adam Levin:

It’s my favorite movie line. “You knew and you did nothing.”

Beau Friedlander:

There you go. There you go.

Adam Levin:

We’ve tried to get that message across and we appreciate you helping us, once again, highlight that message.

Brett Johnson:

And I know that you try to get the message across, but to put it in blunt terms, if you don’t do these things, somebody like me is going to get your ass. That’s just the truth. The only reason you’ve not been victimized now is, think of it as the worst lottery on the planet. There’s so much information out there. There’s just not enough criminals yet to get to you. But they’re coming.

Beau Friedlander:

Thank you, Brett. That was, you couldn’t have put it better. And we really appreciate your time today. I can’t even begin to tell you how lucky I feel to have gotten you on the What the Hack? Lottery.

Brett Johnson:

No. Hey, I’m just glad you guys invited me on, truly.

Adam Levin:

No. Yeah. And we are going to want you to come back.

Brett Johnson:

Outstanding.

Adam Levin:

So if people want to learn more about your work, where do they go?

Brett Johnson:

So you can find me on LinkedIn. Just look for Brett Johnson. I’m there. You can find me on YouTube. I’ve got the YouTube channel, the Brett Johnson Show, where I come in, I bitch, moan and complain. Talk about security as well. And hey, here’s the thing. I do work. But if you’re an individual, if you’ve got a problem or concern, reach out to me. It may take a couple of emails, but I respond. Okay. And I don’t charge people at all to talk about security or give advice on what you need to do. So feel free to reach out to me. I’m more than happy to talk to you and try to assist with anything.

Adam Levin:

That’s awesome. That’s awesome. Listen, on behalf of all of us, thank you so much.

Brett Johnson:

Thank you. I truly appreciate iy.

Beau Friedlander:

So Brett is basically Thomas Davis, this scammer who wouldn’t come on our show plus, now he’s a good guy.

Adam Levin:

Plus he’s way more fun than Thomas.

Beau Friedlander:

Thomas is a pill. And Brett is also like, no, but I was putting the emphasis on now he’s a good guy. It’s pretty cool.

Travis Taylor:

He’s a good guy now, but he still has a pretty rocking Skeletor sculpture right next to him, so.

Beau Friedlander:

I didn’t even see the Skeletor sculpture. Who is Skeletor?

Travis Taylor:

He was the bad guy in He-Man.

Skeletor:

But why can’t I join your gang?

Speaker 6:

Because you are a whip scientist and you could be a whip villain.

Beau Friedlander:

Not a He-Man. In my body or in my soul.

Travis Taylor:

I think it was probably before your time.

Beau Friedlander:

No, no, no, it was around. I remember seeing it. I just thought he looked like the kind of guy who would kick sand in my face. So I just avoided the whole thing.

Travis Taylor:

Yeah. All the toys had the exact same body and they all wore hairy underwear for whatever reason.

Beau Friedlander:

Adam is-

Adam Levin:

Aware. Very special. So look, if you want to protect yourself from bad guys like Skeletor.

Travis Taylor:

I love it, Skeletor.

Adam Levin:

It’s now time for the tin foil swan.

Beau Friedlander:

The tin foil swan. The paranoiacs takeaway, right? Basically. This week, Travis, what do you got to tell us about Facebook?

Travis Taylor:

Facebook can be a privacy nightmare.

Beau Friedlander:

Can be?

Adam Levin:

No.

Travis Taylor:

Yeah. it can. It has your pictures, your contacts, your communications, some of your messages. If you don’t lock it down properly, it can be a huge Achilles heel.

Beau Friedlander:

It also has your clothes size.

Adam Levin:

Your friends.

Beau Friedlander:

Remember, people buy stuff on Facebook. They know things you own.

Travis Taylor:

Phone number.

Beau Friedlander:

Credit card numbers.

Travis Taylor:

Yeah. There’s a lot of sensitive info there.

Beau Friedlander:

So they suck. I’m sorry. Suck is maybe the wrong word. They suck a lot of information into their corpus.

Travis Taylor:

When you’re logged into your account, there’s something called the privacy tab. And when you see all those options, you can just lock it down a little bit further, just to have people not be able to see your shares, your reposts, your photos, or your connections.

Beau Friedlander:

Okay. So then what’s the point of being on social media? I know I sound like a broken record, but social media and privacy are sworn enemies. They’re like Rikki-Tikki-Tavi and snake.

Travis Taylor:

If you want to share your photos with your friends or keep in touch with people that you went to college with, or what have you, that’s one thing. But you probably don’t want to have that show up on the first Google search someone does when they’re looking you up.

Adam Levin:

All right. So just to clarify, this doesn’t keep Facebook from accessing your data. It just keeps other people from accessing your data, correct?

Brett Johnson:

Correct.

Travis Taylor:

Yep.

Brett Johnson:

So if again, if you want to keep Facebook out of your business, get off of Facebook. That’s the old karate kid thing, right? Best way to avoid a punch.

Adam Levin:

Not be there.

Brett Johnson:

Correct.

Beau Friedlander:

Thanks for listening. If you like the show, rate and review. It helps people find it. And you may have noticed, Adam did not whine once about it. We’ll see you next week.

Adam Levin:

I’m being good.

Beau Friedlander:

What the Hack? With Adam Levin is a production of Loud Tree Media.

Adam Levin:

It’s produced by Andrew Steven, the man with two first names.

Travis Taylor:

You can find us online at: loudtreemedia.com and on Instagram, Twitter, and Facebook at: AdamKLevin.