Cybercrime architected by the Original Internet Godfather

Origins of Account Takeover

Cybercrime is continuously evolving, more so with the recent shift online driven by many factors, including the COVID-19 pandemic, which forced many businesses, small and large, to move their operations mostly online, on top of the growth of social media, digital banking, and online service platforms like Airbnb, Uber and Twitter. How did we get here? And what lessons can we learn from the evolving world of fraud? We hear from the Internet Godfather himself, Brett Johnson, who played a crucial role in laying the foundation of identity theft, cybercrime, and account takeover.

The U.S. Secret Service first dubbed him the “Original Internet Godfather” shortly after his organized cybercrime community, known as Shadowcrew, made the cover of Forbes magazine in August 2004. Johnson’s initial reaction to this was positive. However, he stepped down from leading the site because of the amount of law enforcement attention it was receiving. Brett says, “We knew the end was coming, but as with most criminals, we adopted a philosophy of fatalism: whatever is going to happen, will,” and thus the operation continued, leading to his arrest — facing 39 felonies and serving a total of seven and a half years.

But how did this happen? Let’s dive deeper to understand how such a strong and well-connected cybercriminal community was penetrated. Brett notes that the downfall began with the capture of his forum technologist, who was arrested for cashing out a card and PIN at an ATM in New Jersey. The techie soon turned informant and set up a VPN to catch the Shadowcrew users. The VPN was run by the USSS, which led to the arrest of 33 people in 6 different countries within 6 hours. Brett was one of the few who got away, and the only one publicly named as having done so, only to be picked up a few months later.

Looking back at the origins of these forums, three prominent sites shaped, and continue to act as, the foundation of cybercrime today: Counterfeit Library, Shadowcrew, and Carder Planet. The three sites gave cybercriminals the ability to network and combine their skills, knowledge, and experience to refine fraud techniques ranging from identifying targets to sharing information. More importantly, they provided a safe environment in which to communicate. Brett notes that the Counterfeit Library and Shadowcrew forums changed how cybercrime operates by giving criminals a trust mechanism they could use. Trust among cybercriminals is crucial because they must work together.

Why is trust important? And how did these forums strengthen and unite the cybercrime world? Brett tells us from his inner workings with these criminals that there are three necessities to successfully committing online crime: 1) gathering data, 2) committing the crime and 3) cashing out. A single criminal cannot do all three because of a skill gap or a problem of geographic location. Thus, cybercriminals have to work with each other to achieve this objective. Section 2 highlights the importance of trust and how it is facilitated in the cybercrime world, while discussing some recent examples of the impact of account takeover.

Account Takeover Triangle

Over the last ten years, focus on the digital and online space has grown exponentially. With META, aka Facebook, Twitter, and Instagram, our focus as a society has shifted almost entirely online, from finding the next viral video to following the moves of celebrities and Hollywood stars. With that said, cybercriminals have evolved and continue to grow to take advantage of this new world, preying on the entities that are not well protected. Research indicates that 2021 marked a record year for data breaches. More than 1.1 million compromised accounts were identified across 17 major companies such as Spotify, Instagram, Mastercard, etc. The Office of the Attorney General (OAG) of New York reported that it had issued warnings to 17 companies, as the stolen information was being put to use in credential stuffing attacks against a variety of ‘well-known’ online retail, food and delivery businesses. The impact of account takeover also reaches the world of cryptocurrency, with some crypto platforms reporting a loss of 320 million dollars. Perhaps a platform better known to the average consumer is Instagram, a target of such account takeover attacks. The hackers often demand ransoms from companies and influencers to return the accounts.

To put things in perspective, let us look at the numbers and visualize the extent of data breaches and account takeovers. 65% of online users use the same password for some or all of their online accounts. What does that mean exactly? Facebook has reported a breach of 533 million accounts, so statistics suggest that 346,450,000 of those accounts use the same password for some or all of their accounts.

But how does this all happen? Johnson notes the importance of collaboration. Like any established organization, cybercriminals come together to feed off each other’s skills and work together in what is known as the ATO triangle: 1) gathering data, 2) committing the crime, and 3) cashing out. A single attacker cannot do all three: either they lack the knowledge to build bots or ransomware, or they are limited by geography. Cybercriminals inherently understand this and share information such as techniques, the tools needed, operational security, and details of the victims and the targeted entity across forums like Shadowcrew, to coordinate attacks as fast as possible and stay under the radar long enough to cash out.

A question I have often wondered about is how these criminals come to an agreement. How are the payments handled and determined? Going to the source, Johnson explains that the amounts are market-driven, like a true capitalist environment. The payments are then run by a team of trusted cybercriminals who facilitate the sharing of information and of the payout, approving every single transaction. Johnson usually worked 12–16-hour days online, reviewing every transaction to signal to these members that they were protected, and brought on more trusted cybercriminals to aid him as the traffic continued to grow.

The pandemic was a boon for online fraudsters. The shift to a more online life meant a larger landscape for a criminal to profit from. At the same time, companies and governments were rushed and made many desperate decisions, which meant terrible choices. And those bad choices meant profit for criminals. As a result, we saw a 10-fold increase in fraudsters from pre-pandemic numbers. Innovators and industry gatekeepers must Detect. Defend. And Deter.

Detect. Defend. Deter.

To understand what we need to do, we have to ask how these fraudsters stay ahead, as touched on in parts 1 and 2 above. Fraud teams are overwhelmed and overworked, often facing a backlog of cases, especially during peak seasons like Christmas and the summer holidays. These are the perfect times for fraudsters to attack and stay under the radar. The attacker’s first step is to become well versed in the security of an organization. Cybercriminals are probably the only individuals who actually read the entire Terms of Service of an organization, because they must understand the person or organization they seek to victimize; their success relies on it. They understand how accounts are established, how accounts are recovered, and how that organization or others in the same vertical have been attacked before and how they responded, because if an organization has previously failed to report or tackle an issue, chances are it will respond in the same manner if attacked again, which poses a much larger risk to it.

Johnson indicates that the key to a successful attack is proper research, as the attackers only get one chance at success and need to make the most of the opportunity to hit hard. Another group at great risk is organizations that do not understand the potential for fraud and are solely focused on innovation, typically found in the new financial product sector. Let’s not forget: what makes cybercrime, and more specifically account takeover, so achievable is the lack of attachment to the victim. Think about it this way: a criminal does not have to face his victim, know who they are, or deal with any sense of guilt stemming from that attachment.

Detect. Defend. Deter. What can institutions at risk do to detect, defend against and deter fraud on their respective platforms? Johnson indicates that the first step is real-time data. Institutions need to be aware of what is happening on their platforms as it happens. Organizations around the world have deployed trained individuals in departments like Trust & Safety to continuously remove bad actors from their platforms. However, most of the SOPs in place tend to take a reactive approach to fraud and to dealing with victims. Thus, the emphasis should be on prevention and detection at early stages, especially within the ATO lifecycle, achieved through pattern identification, identity verification, MFA and, more importantly, biometrics. Identifying fraud trends and fraud rings at an early stage through behavioural analysis is key to limiting, if not eliminating, fraudulent activity at your institution. Cybercriminals have built their toolbox to coordinate attacks through collaboration and identifying weaknesses. Institutions must likewise build their defence toolbox, with a variety of tools from the response level to the prevention level, to fend off such attacks.
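As an added example that is not part of the original post, here is a minimal credential-stuffing detector in Python run over constructed login events, illustrating the kind of real-time pattern identification the paragraph above calls for. The event layout, the thresholds and the sample IP addresses are all assumptions.

```python
# Added example, not from the original post: a minimal credential-stuffing
# detector over constructed login events. Field layout, thresholds and the
# sample IPs are assumptions; tune them to your platform's own telemetry.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source_ip, username, success)
EVENTS = [
    ("2024-03-01T10:00:00", "203.0.113.5", "alice", False),
    ("2024-03-01T10:00:01", "203.0.113.5", "bob", False),
    ("2024-03-01T10:00:02", "203.0.113.5", "carol", False),
    ("2024-03-01T10:00:03", "203.0.113.5", "dave", False),
    ("2024-03-01T10:00:04", "203.0.113.5", "erin", True),   # reused password hit
    ("2024-03-01T10:00:05", "203.0.113.5", "frank", False),
    ("2024-03-01T10:05:00", "198.51.100.9", "alice", False),  # one typo, then ok
    ("2024-03-01T10:05:30", "198.51.100.9", "alice", True),
]

def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=5, max_success_rate=0.5):
    """Return (flagged_ips, at_risk_accounts).

    An IP is flagged when, inside one sliding time window, it tries at
    least min_accounts distinct usernames with a low success rate: the
    signature of a leaked credential list being replayed. Accounts that
    logged in successfully from a flagged IP are the likely takeovers
    and should be pushed to step-up verification (MFA) and review.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    flagged, at_risk = {}, set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # advance the window start until the span fits inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            success_rate = sum(ok for _, _, ok in span) / len(span)
            if len(users) >= min_accounts and success_rate <= max_success_rate:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
                at_risk |= {u for _, u, ok in span if ok}
    return flagged, at_risk

if __name__ == "__main__":
    print(detect_stuffing(EVENTS))  # ({'203.0.113.5': 6}, {'erin'})
```

The second IP is left alone: a single user retrying their own password is normal behaviour, which is why the rule keys on the number of distinct accounts rather than on failures alone.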

Our next blog post will continue to dive deep into the dark net and explore account takeover through a different geographical lens.
