'The Original Internet Godfather' on How to Stay Safe from Swindlers

(MUSIC SEGUE)

[00:00:02] Bob: Welcome Perfect Scam listeners. This is our bonus episode. You probably remember this from past seasons. This episode's a little bit different, a little bit more relaxed, a little bit more fun, and for today we have a really, really special guest. We have Brett Johnson who the US Secret Service once called, The Original Internet Godfather because he did a lot of things, including founding the notorious Shadow Crew which a lot of folks think of basically as the early Dark Web. It was one of the first places that credit card thieves and other fraudsters swapped secrets and swapped money. And that was until the Secret Service shut it down and shut down Brett way back in 2004. Also here today, our producers Julie Getz and Megan DeMagnus. You don't hear from them often, but they work really hard to bring you these podcasts, so we're letting them in on the fun today. Brett, we're very glad to have you here today, and I know you've done a lot of things since all that happened, so why don't you just tell our listeners what you are up to now.

[00:01:03] Brett Johnson: Sure, so uh fortunately I'm not breaking the law anymore. It turns out that when you stop breaking the law, law enforcement turns out to be pretty good people, but what am I doing these days? I, today I work hard to protect people and businesses from the type of person I used to be. So I, I speak across the planet, I consult with individuals, with businesses, with uh nonprofit organizations. Is it hard? It is difficult. When you make the decision, it's not. Uh, and the reason is is because cybercrime, especially, is an addiction. When you commit a crime online, you don't have to look at your victim, so you don't have to see the, the harm that you're causing the people that you're victimizing. That lady that I ripped off of $1500, never had to see her face, I did talk to her on the phone a couple of times, but never had to look at the damage that I had caused her by stealing $1500 from her. I never had to see the consequences of my actions. Instead, the only thing I had to see was the $1500 US Postal Money Orders that she sent to me. That was it. So I profited and I didn't have to see the consequences of my actions. And I think that's a lot of the reason that you see cybercrime continue to explode. Like when I was in the Shadow Crew, when the Secret Service busted us, we ended with 4000 members. Today, you've got these websites, these forums like Shadow Crew used to be, you've got these forums that are a million members strong.

[00:02:31] Bob: So let me make a leap here. A lot of what you're talking about is this sort of awesome power when you’re invisible. And I'm wondering if that has something to do with, and I want you to tell me where you came up with uh the nickname Gollum Fun.

[00:02:43] Brett Johnson: (chuckle) You know, the, the invisibility is huge when it comes to committing crime. You know, a lot of people, they grew up and they've seen "The Invisible Man," they read the book, you know, whatever they're doing, and they start to think, oh what would I do if I were invisible? Well, it's a lot of power, it's a lot of power. Would you do good things, would you do bad things? It turns out a lot of people would do a lot of bad things. The name Gollum Fun, it comes from "The Lord of the Rings." Oddly enough, I went to university for literature, big J.R.R. Tolkien fan, and um, it became time, you know, when I came up with my quote unquote hacker name, I was moving over from selling a, uh pirated satellite VSS cards, and that name was Bagginstad, another uh reference to uh, "The Hobbit," so I was like, okay, can't use that, because I don't want to be connected, so I'll use Gollum. Well it can't just be Gollum. Let's put a fun to it, so it became Gollum Fun, it became this, you know, I didn't expect it was going to be this huge name that was going to run everything at the end of the day, but that's what happened.

[00:03:40] Bob: And what does, what does Gollum mean to you?

[00:03:42] Brett Johnson: It means a lot of damage, a lot of harm. You know it's, it's weird when you think about it. It's, that, that, that name is weird, and because, you know I look back at the damage that I caused with that name, and uh, I do that every day. I really, I regret every single day, everything that I've done on that, but at the same time you look at the character in Lit and the character at, at the end of the day, he's kind of a saving grace, you know, he's, they're there on Mt. Doom, and if not for Gollum, you know the, the one true ring would have went back to the, the guy, you know, Sauron. So it's, it's, it's this complicated character. So I, I say that because maybe that Gollum name, maybe subconsciously comes in, you know, you think it's because you're a bad guy, but you understand too that hey, the guy at the end, he was...(choked up)... he did something good at the end. So excuse me, sorry about that.

[00:04:43] Bob: That Gollum's my favorite character in all of literature, he's the most complicated character you could, you could design, I think.

[00:04:50] Brett Johnson: Yeah.

[00:04:52] Bob: Okay, we're going to switch to something hopefully a little bit fun and lighthearted here. We're going to play a quick came called "Inside the Con Artist's Playbook." Here's a very brief intro. I was at a bar in DC the other day, and this poor guy comes in, and he says, middle of the day. "My bike was stolen. Do you guys have ca--, just happened, do you guys have cameras so I can see?" And the bartender kind of gruffly said, "No, we don't have cameras. Check next-door." And as soon as the guy left the place, the bartender went on this rant about how, "Holy cow, what an idiot. He didn't lock his bike, he deserved to have his bike stolen. It was terrible," and uh, and the people next to me are nodding. And I, I was just shocked by this att--, first of all he didn't even know whether the bike was locked or not, but he just enjoyed immediately blaming the victim for having his bike stolen.

            And a big part of what we're doing on this podcast, and AARP in general, is to stop people from this blaming the victim mentality. Anyone can have their bike stolen by a professional bike thief, right, and we even had a guest on last week who said, "If you haven't been scammed yet, it just means you haven't met the right scam. Anyone's vulnerable." So, I'm going to talk you through just a couple of situations where scammers have attempted to scam me, and I want you to kind of interrupt and narrate if you will. I'm going to start with an easy one. So Brett, I frequently get friend requests from very good looking young women who all seem to be single and many of them don't have very many friends. Unfortunately, uh my guess is that they don't really want to date me. What, what do they want?

[00:06:22] Brett Johnson: Well they, they are very pretty though, aren't they? (laugh)

[00:06:26] Bob: They are remarkably pretty, yes.

[00:06:28] Brett Johnson: They're remarkably pretty. Yes, and they don't have very many friends. You would think that, that one of these, and I get the, the exact same, same requests probably from the exact same pictures of girls that you're getting. It's, so what are they looking for? Well if you, if you're looking at crime online, you're looking for one of four things as a criminal. You're looking for information, access, data, or cash. That's what you're looking for. So to get that, you have to get the potential victim to trust you. So a friend request seems pretty innocuous. You know, you're on Facebook maybe you’ve already got 10,000 friends, and another request comes in, so it's innocuous enough that a lot of people would accept the request.

            All right. Now, you accept the request on Facebook, what happens when you accept a friend request? If you've got your profile private or restricted or whatever, a lot of the times the other people there cannot see, you know, the people that are outside your friend zone cannot see who your other contacts are. But once you allow someone into that friend zone, once you accept the friend request, at that point in time, they could see you, your other contacts. Then they send a friend request to, to every single contact in your network, except the next friend request then says, "Hey, I know Bob." Well that lends legitimacy to that friend request. Well, I mean she knows Bob, so Bob, she's friends with Bob, it's okay. I'll click it. And that continues to build that legitimacy the more friend requests that are sent, until finally, everything's looking good across the board for that fake profile. What are they looking for? They're looking for ultimately one of those four things; information, access, data, or cash. If it's information, what can you get from someone's Facebook profile? Well you can get the mother's maiden name; you can get when you're going on vacation. I can get the color of your cars, I can get where you live, I can get, I can get all kinds of data that I may not be able to get from a background check.

[00:08:26] Bob: So, okay. Here's another scenario. One time, and I'm going to say this was a long time ago and let everyone wonder how long ago it was, um, I lost my password to my work computer, and I was desperate and embarrassed, and googled how to recover a Windows login. Let me, uh, let me intercede here by saying, don't ever try this at home. But of course, I found a site that was more than happy to help me gain temporary access to my Windows machine through a series of steps which I dutifully followed and the first few seemed really simple; name, email, tech machine operating system, last update, and then finally it asked for my best guess at the correct password, which I entered. Which wasn't a great idea, but what do you think they were trying to do to me there, Brett?

[00:09:10] Brett Johnson: Well they're getting credentials is, is what they're doing. So when you sign onto a, a site like that, if you've lost your password, and you've got some technical support site that says we can get them back for you, or follow these steps or whatever, you could be allowing the attacker remote access to your system. So remote access means that they get access to all of your passwords, they get to not only to do that, but they get to run your system. So imagine that. Imagine you've got, you've got a criminal that you've inadvertently let have access to your machine, that they can control it remotely. So what can they do at that point?

            Well, they can sign onto your bank account. When they sign onto your bank account using your machine, the bank doesn’t know any different, and then they have everything cashed out, or they go to where you have your stock portfolio, retirement funds, they cash all that out, have it sent to them. You don't know about it. The bank thinks it's legitimate because it's coming from the actual machine that's always signed onto the system, so that's one of the things, it could be that. It could just be harvesting credentials.

[00:10:09] Bob: And just to be clear, even if I entered the wrong password through this process, well I've just given the criminals a pretty good guess at my password, and almost certainly a password that works on some other site, like Amazon or something like that. So never do this at home. I regretted it, and then had to run around changing all my passwords afterwards.

[00:10:26] Brett Johnson: Absolutely.

[00:10:26] Bob: All right, Megan and Julie, this is your chance to jump in with questions. Julie, you first.

[00:10:32] Julie: Brett, it's so great to hear from you and everything that you've been up to. My question is, I think a lot of people right now are really concerned about bitcoin. Can you tell us what this means for the world of fraud and bitcoin. Are people's money safe?

[00:10:46] Brett Johnson: Boy oh boy. (laugh) Now I, I laugh because there’s a lot of money, a lot of money going toward cryptocurrency. And probably my opinion is going to upset some people, but I'm of the belief that I don't really care. If it upsets you, I'm sorry. Cryptocurrency, as far as I'm concerned is, especially bitcoin, is good for one thing, and that's paying off ransoms, laundering money, criminal activity. That's what bitcoin is good for right now. It, you know, I know there's a big push for cryptocurrency to be used as a legitimate type of currency, and I'm fortunate that I've worked with, you know, a lot of Fortune 500 companies. I can tell you that the largest merchant that started to accept bitcoin as payment on their site, the transactions, not over $300 a month for payments with bitcoins, total throughout the entire system. So bitcoin's not used to really buy a lot of stuff, it's used for criminals to launder money, to collect ransom, to store the stolen funds. That's what it's used for.

            Now that being said, there's a lot of investors that also invest in cryptocurrency. And there's a lot of people making a lot of money. What that means is, what that actually translates to is that there's also a lot of victims out there that are being scammed with different type of cryptocurrency scams, and that's something you have to be extremely, extremely careful about.

[00:12:13] Julie: Brett, you touched on something that we talk about often on the podcast, victim blaming, and the criminals, we know they're the ones to blame, and so coming out of the pandemic, we understand that the con artists are getting smarter and they're pivoting, but my question is, do you have any specific examples of how has the landscape changed for criminal activity and what are the biggest scams we're about to see, and how can we best protect ourselves?

[00:12:38] Brett Johnson: Actually you're, you're seeing it right now. So PII, personal information, has tripled in price because of the pandemic. So before COVID hit, before the United States economy goes belly up because of the pandemic, you could buy someone's Social Security number and date of birth for $2.90. That same social and date of birth right now is $6.70. So the price has tripled. Okay, now not only that, but what happened is, is you had all of these fraudsters that were schooled in credit card theft, and that's typically where you start as a, as a cybercriminal is in credit card theft. So you had all these fraudsters that were schooled in credit card theft, the tools, the education that, that they had acquired in committing that type of fraud pivots very nicely to stimulus fraud, especially unemployment fraud. The exact same things that you do to commit credit card theft are the exact same things that you need to do to commit unemployment fraud and profit.

[00:13:35] Bob: Okay, Megan, it's your turn now.

[00:13:36] Megan: Sure, so hi, Brett. Nice to meet you. So a lot of our victims or guests on our show lost a lot of money through gift cards. So I just wanted to see if you could kind of break that down. Why do scammers request gift cards?

[00:13:50] Brett Johnson: Well, gift cards are pretty easy. There are several... several... there's dozens of websites where you can sell gift card information. Or you can go to the Dark Web and sell gift card information. So it's very easy to launder those types of funds. And that's typically why you see fraudsters use gift cards. It's because they're unable, either because of their location, they're in a different country, or because the laundering mechanism which is either going to be a prepaid card or a bank account, they're unable to do that and get the money out, so they resort to gift cards, and that's why you get criminals that use gift cards all the time.

[00:14:27] Bob: Okay, Brett. So we're almost at the end of our hour here, so I would just like to express right to uh, the punchline which is, what is the most important message that you have for people who, like the folks who are Perfect Scam Podcast listeners, what haven't I asked you that you really want people to hear about?

[00:14:42] Bob: I think it's important, I talk a lot about how scammers build trust in order to victimize people, and they build trust using technology, tools, social engineering. So what I mean by that is we inherently trust our technology. You know we trust our cellphone, we trust our laptop, our desktop computers. We don't understand the tech, but we inherently trust it. We trust the phone numbers that show up on caller ID to be the person that it says that's calling, whether it be our financial institution or a friend next-door or local law enforcement agency. We don't verify anything. That's one of the reasons that scams are so successful. We trust it without verifying it.

            We have to get to the point where we're not living in fear. I do believe in trusting things but also verifying everything. I think that's the best thing that Ronald Reagan ever said, "Trust but verify." So that's what I would say. If you're, if you're doing that, if you're just taking the time to verify everything that's going on, you get that phone call, and the phone call, you know, you’ve got somebody that's on a bad connection that says, "Hey, uh we've got your son. Your son is in prison. We need the bail to get him out of prison. You pay $500. You go down you, you wire money with Western Union to us." Instead of immediately doing that, start to verify it. You know, hang up the phone. Call your daughter, call your son. Hey, what's going on? Try to verify everything. If you can't verify it, don't do it. So take your time. Pause, pause on all these things. You don't have to react immediately to anything that's going on.

[00:16:19] Bob: Pause, pause, just pause. I think that's the best, simplest message of all. Before you take any action when it comes to spending money or sharing information, just pause. Okay, thanks very much, Brett Johnson, and Megan, and Julie, and Julio and Hector for all your work this season. We'll be back soon with all new Perfect Scam episodes.

(MUSIC SEGUE)

END OF TRANSCRIPT