The SEC says its X account was taken over with a SIM swap attack

The Securities and Exchange Commission has provided more details about how its official X account was compromised earlier this month. In a statement, the regulator confirmed that it had been the victim of a SIM swapping attack and that its X account was not secured with multi-factor authentication (MFA) at the time it was accessed.

“The SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack,” it said, referring to a common scam in which attackers persuade customer service representatives to transfer phone numbers to new devices. “Once in control of the phone number, the unauthorized party reset the password for the @SECGov account.”

The hack of its X account, which was taken over in order to falsely claim that bitcoin ETFs had been approved, has raised questions about the SEC’s security practices. Government-run social media accounts are typically required to have MFA enabled. The fact that an account as high-profile and potentially market-moving as @SECGov was not using the extra layer of security has already prompted questions from Congress.

In its statement, the SEC said that it asked X’s support staff to disable MFA last July following “issues” with its account access. “Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9,” it said. “MFA currently is enabled for all SEC social media accounts that offer it.”

While the lack of MFA likely made it much easier to take over the SEC’s account, there are still numerous questions about the exploit, including how those responsible knew which phone was associated with the X account, how the unnamed telecom carrier fell for the scam and, of course, who was behind it. The regulator said it’s investigating these questions, along with the Department of Justice, FBI, Homeland Security and its own Inspector General.

This article originally appeared on Engadget at https://www.engadget.com/the-sec-says-its-x-account-was-taken-over-with-a-sim-swap-attack-004542771.html?src=rss

What is credential stuffing and how do you keep your accounts safe from it

Credential stuffing, or using compromised login information to take over accounts, has been around as long as we’ve used passwords to secure our accounts. But, perhaps in part because it's gotten easier for hackers to perform this type of attack, credential stuffing made headlines in recent months.

Look at the 23andMe breach affecting nearly 7 million users. While not every account was compromised via credential stuffing, it was how the hackers initially got in, and then they used a social feature called DNA Relatives to keep going. Hackers gained access to sensitive information like full names and locations, specifically targeting groups like Ashkenazi people, offering the data for sale in bulk online.

Hacking conjures an image of sophisticated, high tech break-ins, but what makes credential stuffing so lucrative is that it's surprisingly “pretty unsophisticated,” Rob Shavell, CEO of online personal information removal service DeleteMe, told Engadget. Hackers will use educated guesses to figure out your password, or just buy old passwords from leaks online to see if they work for different accounts. Tactics used by hackers include using personal information found online to guess passwords or asking a generative AI program to come up with usable variations on a password to get into an account.

Companies frequently fail to protect your data, sticking you with the burden of preventing credential stuffing attacks to the best of your ability. In fact, credential stuffing has become so prevalent that you’ve likely already fallen victim. Nearly a quarter of all login attempts last year met the criteria for credential stuffing, according to security company Okta’s 2023 State of Secure Identity Report that surveyed more than 800 IT and security decision-makers across fields. Verizon's 2023 analysis of data breaches found that about half of breaches involved stolen credentials. Checking an email address on sites like Have I Been Pwned can show you which passwords may have been compromised, meaning if you’ve reused it on another account, it could be a matter of time until hackers try to use it to get in.

Credential stuffing works because we tend to stick to certain patterns when creating passwords, like using your mother’s maiden name or a childhood address, with small variations to make them easier to remember. “Because we’re lazy, and because we have 50 passwords now, it is the default to just pick one password and use it many places,” chief information security officer at cloud company Akamai Steve Winterfeld said. “The problem is you then are not taking appropriate risk measures.”

That level of risk varies widely. The one-off account that you used to try out World of Warcraft years ago and that doesn’t have any personal or financial information attached to it probably doesn’t concern you. But hackers are betting you’ve reused an email, username and password for a more lucrative account, like your bank or social media, and they will use credential stuffing to get in. “I have one username and password that I use for things that I’m okay if they’re compromised … that would not financially or brand impact me,” Winterfeld said.

Minimizing the risks you’re taking online by using strong passwords will make it a lot more manageable to start protecting yourself against credential stuffing. Changing passwords frequently, or making the switch to passkeys, can also help. There are other ways you can protect yourself, too, as companies have made it clear that they’ll do anything in their power to shirk responsibility for protecting your information.

First, understand that once a credential is leaked, it can be used to gain access to other accounts, Frank Teruel, CFO at bot prevention firm Arkose Labs, said. So, change passwords for any accounts where you may have repeated it, especially high-profile targets linked to financial or other sensitive institutions. This is where a password manager comes in handy, because some will even flag if a password has been found in a breach and suggest that you change it to a stronger option.

Taking some time to purge accounts you no longer use will greatly reduce the number of password leaks to worry about, too, Teruel said. In the meantime, make it a habit not to reuse passwords or small variations on them, and to change passwords frequently to limit risk.

This article originally appeared on Engadget at https://www.engadget.com/what-is-credential-stuffing-and-how-do-you-keep-your-accounts-safe-from-it-190044846.html?src=rss

Here’s everything you should do to up your security before next year

Be honest: How many times this year have you skipped or scrolled past a much-needed update? Maybe you just wanted to log into Twitter, er, X without setting up multifactor authentication. Putting off these minor inconveniences adds up, and it could lead to an insecure tech setup just waiting to be exploited by an attacker.

So, now you're probably spending a few days sleeping in your childhood bed, and wondering when Uncle Dave will stop talking to you about buying gold stocks. There's never been a better time to take care of the less-than-riveting admin work of locking down your digital life. Here's a quick holiday checklist you and your loved ones (including Dave) can spend an hour doing during your holiday downtime to set up for a more secure year.

Update all your apps and devices

For the most current patches and options, you’ll need to start this security checkup by updating all your devices and apps. The companies behind the tech have already done a lot of the work to keep you safe, but it’s your job to make sure that you’re taking full advantage of those updates. I’d recommend starting with operating system updates and then moving on to apps, because other software usually has some new features that rely on the latest OS. While you’re there, set up automatic updates so that you don’t have to worry about doing this manually in the future.


Sign up for or update your password manager

Strong passwords are your first line of defense to keep your accounts safe, but they’re almost impossible to memorize and keep track of. Download a password manager to store this information for you, so that your passwords can be unguessable gibberish that you’ll actually use. Long term, it’s important to change these passwords every 90 days or so, and never to repeat across accounts. A password manager will help remind you of that, and even generate new password ideas for you. Unique and regularly-changing passwords help prevent attacks like credential stuffing, as we’ve seen make headlines in the recent 23andMe data breach.

Make sure you’re using MFA or, ideally, passkeys

Strong passwords are important, but it's well-known that they aren’t enough to keep unauthorized actors out of your account. Most people are familiar with using a text message code to grant access to an account. If you’re taking time out of your day to set this up, however, I would recommend using a third-party authenticator app or a hardware key for more secure options. Or, for companies that have switched to allowing passkeys at login, that’s usually your best bet.

This will be one of the more tedious parts of the checklist, so if you can’t sit down and knock out your major logins now, at least push yourself to make these changes each time you log into a website over the next couple of weeks. Being stuck with family for the holiday might not be your preferred opportunity to make this change, but there's sure to be an upcoming major snowstorm or bout of seasonal depression just screaming to be harnessed for your technological well-being.

Consider a VPN, or at least a more secure browser

A strong VPN will keep your web browsing private. Whether it’s free or paid for, defaulting to using a VPN adds an extra layer of security to the work you’re doing online. Most have options to use it across different devices, or to run automatically on startup so that you can set it up once and forget about it. I would also recommend switching over to a secure browser like Tor that runs on a privacy-first platform for more sensitive online matters. Of course there’s a catch: VPNs and Tor can both slow down your browsing, or break certain website features. Updates to the services have helped over time, but even if you use it for just a portion of web browsing, some protection is better than none.


Get up to date on the latest hacks and attack vectors

Keeping up with security news will help you determine what accounts need special attention versus where you can go on autopilot. Once you know whether a breach may have occurred or a password has been leaked, you can quickly make changes to accommodate. Websites already exist to see if you’ve been in a data breach, and most companies have an obligation to tell you if they’ve been impacted. When you also stay up to date on the latest scams and attacks, you know what red flags to look out for in your own inbox to stay proactive.

Tell brokers to stop selling your data

It’s surprisingly easy to stop companies from trading your privacy for cash. On top of getting in the habit of not sharing your cookies or granting location data, you can opt out of working with the top three major data brokers. Acxiom, Oracle and Epsilon all have slightly different variations of the same form to fill out so that information like your home address and relatives’ names isn’t being sold for profit. This is a good start to getting your online privacy back; however, it can be more of a headache than just one opt-out form.

You have to do this frequently to make sure your information hasn’t been re-added to any of the broker sites, and if your information has already been sold to marketing companies, it’s too late to undo it. There are subscription service sites that can help track and continuously delete whatever information pops up for you, but starting with just Acxiom, Oracle and Epsilon will still be a free, worthwhile step toward more privacy.


Back up everything

Get an external hard drive or connect to the cloud and keep all of your data backed up. Do this regularly, so that even if your device quits or gets ransomed by an attacker, you aren't completely screwed. I’d recommend opting for something that can be set up automatically, so that you don’t have to keep constant track of it. That could look like spending the 99 cents per month on extra iCloud storage (or Google Drive or another in-house cloud tool) so that your phone gets backed up each night while you’re asleep. Windows and Mac also both do auto updates to an external drive on desktop, so you can set it and forget it.

Alternatively, you could install backup software onto a device so that it’s taken care of by a third party, but that may be less intuitive to set up. Just don’t forget to clean up your data storage every once in a while, too, so that you’re not holding onto useless screenshots or pictures of your ex from years ago that are taking up valuable space.

Make a plan to check in on your security settings more frequently

It’s overwhelming to play catch-up. Going through a list like this can seem intimidating if you haven’t worried about it before. If you set up automatic updates and backups, it’ll take some of those repeat tasks off your plate. But since you’ll already, hopefully, be setting new passwords once a quarter, you can do a quick checkup on your other security measures too. See if you’ve been a victim of a breach or identity theft, keep telling data brokers to get their hands off your information and find out if new VPNs or other software have been released that could make your security setup more seamless. Making it a part of the routine is much easier than annual sprees, and can help you catch a cybersecurity problem before it becomes unmanageable.

This article originally appeared on Engadget at https://www.engadget.com/heres-everything-you-should-do-to-up-your-security-before-next-year-143009276.html?src=rss

Zelle may refund your money if you were scammed

Zelle recently made a huge change to its policy that would give victims of certain scams the chance to get their money back. The payment processor has confirmed to Engadget that it started reimbursing customers for impostor scams, such as those perpetrated by bad actors pretending to be banks, businesses and government agencies, as of June 30 this year. Its parent company Early Warning Services, LLC, said this "goes beyond legal requirements." 

As Reuters noted when it reported Zelle's policy change, federal laws can only compel banks to reimburse customers if payments were made without their authorization, but not when they made the transfer themselves. The payment processor, which is run by seven US banks that include Bank of America, JP Morgan Chase and Wells Fargo, explained that it defines scams as instances wherein a customer made a payment but didn't get what they were promised. It has had an anti-fraud policy since it was launched in 2017, but it only recently started returning money to customers who were scammed, possibly due to increasing scrutiny and pressure from authorities.

"As the operator of Zelle, we continuously review and update our operating rules and technology practices to improve the consumer experience and address the dynamic nature of fraud and scams," Early Warning Services, LLC, told Engadget. "As of June 30, 2023, our bank and credit union participants must reimburse consumers for qualifying imposter scams, like when a scammer impersonates a bank to trick a consumer into sending them money with Zelle. The change ensures consistency across our network and goes beyond legal requirements.

"Zelle has driven down fraud and scam rates as a result of these prevention and mitigation efforts consistently from 2022 to 2023, with increasingly more than 99.9% of Zelle transactions are without any reported fraud or scams," it added.

A series of stories published by The New York Times in 2022 put a spotlight on the growing number of scams and fraud schemes on Zelle. The publication had interviewed customers who were tricked into sending money to scammers but were denied reimbursement, because they had authorized the transactions. Senator Elizabeth Warren also conducted an investigation last year and found that "fraud and scams [jumped] more than 250 percent from over $90 million in 2020 to a pace exceeding $255 million in 2022." In November 2022, The Times reported that the seven banks that own Zelle were gearing up for a policy change that will reimburse scam victims. 

In Zelle's "Report a Scam" information page, users can submit the scammer's details, including what they were claiming to be, their name, website and their phone number. They also have to provide the payment ID for the transfer, the date it was made and a description of what the transaction was supposed to be about. Zelle said it will report the information provided to the recipient’s bank or credit union to help prevent others from falling victim to their schemes, but it's unclear how Zelle determines whether a scam refund claim is legitimate or not. 

"Zelle's platform changes are long overdue," Senator Warren told Reuters. "The CFPB (Consumer Financial Protection Bureau) is standing with consumers, and I urge the agency to keep the pressure on Zelle to protect consumers from bad actors."

This article originally appeared on Engadget at https://www.engadget.com/zelle-may-refund-your-money-if-you-were-scammed-062826335.html?src=rss

Data breach of Michigan healthcare giant exposes millions of records

Michigan-based healthcare nonprofit McLaren Health Care notified more than 2 million people about a data breach exposing personal information on Thursday, according to a data breach notification report. Unauthorized access to McLaren systems began on July 28 and lasted through August, but the individual impact varies from person to person. 

According to a notice on the McLaren website, the company learned of the breach on August 31. An investigation into the impacted files concluded on October 10, and if you'll take a look at today's date, it took an additional month for the company to let the public know about the incident.

"Potentially affected current and former patients of McLaren are encouraged to remain vigilant against incidents of identity theft by reviewing account statements and explanations of benefits for unusual activity and to report any suspicious activity promptly to your insurance company, health care provider, or financial institution," the nonprofit said in a statement.

While McLaren hasn't released any details about the attack, such as who is behind it or possible motivations, the ALPHV/BlackCat ransomware group claimed responsibility for the attack, according to Bleeping Computer. Ransomware groups are known to do this for publicity, but the actor behind an attack usually can't be confirmed until a third-party security researcher independently verifies it.

McLaren encompasses 13 hospitals and employs 490 physicians across Michigan and Indiana, with an annual revenue of $6.6 billion. It's offering identity protection services to affected people who enroll by February 9. There's currently no evidence that data leaked in the breach has been misused, according to McLaren.

This article originally appeared on Engadget at https://www.engadget.com/data-breach-of-michigan-healthcare-giant-exposes-millions-of-records-153450209.html?src=rss

FTX founder Sam Bankman-Fried found guilty of fraud, faces up to 110 years in prison

A federal jury has found FTX founder Sam Bankman-Fried guilty on all seven counts of fraud and conspiracy, which he was charged with following the downfall of his cryptocurrency exchange. According to The New York Times, he faces a maximum sentence of 110 years in federal prison. SBF, as he's now infamously known, was arrested in the Bahamas back in December 2022 after the Department of Justice took a close look at his role in the rapid collapse of FTX. The agency examined whether he transferred hundreds of millions of dollars when the exchange filed for bankruptcy. (The company claimed it was hacked after around $600 million disappeared from its funds.) The DoJ also investigated whether FTX broke the law when it moved funds to its sister company, Alameda Research.

During SBF's trial, which took place over the past month, prosecutors argued that he used FTX funds to keep Alameda Research running. The fallen entrepreneur also founded the cryptocurrency hedge fund, which was run by his girlfriend Caroline Ellison, who was aware that he used FTX customers' money to help Alameda meet its liabilities. Bankman-Fried previously denied that he deliberately misused FTX's funds.

The Times says his lawyers tried to portray him as a math nerd who had to grapple with "forces largely outside of his control," but the jury clearly disagreed after the prosecution called Ellison and three of Bankman-Fried's former top advisers to the witness stand. Ellison and all of those advisers had pleaded guilty, with the Alameda Research chief admitting that she committed fraud at Bankman-Fried's direction. The FTX founder himself took the stand and said that he "deeply regret not taking a deeper look into" the $8 billion his hedge fund had borrowed from the cryptocurrency exchange. 

Bankman-Fried was charged with committing wire fraud against FTX customers; wire fraud on Alameda Research lenders; conspiracy to commit wire fraud against both; conspiracy to commit securities and commodities fraud on FTX customers; as well as conspiracy to commit money laundering. He is scheduled to be sentenced on March 28, 2024 by US District Judge Lewis A. Kaplan, who also presided over the FTX trial. 

This article originally appeared on Engadget at https://www.engadget.com/ftx-founder-sam-bankman-fried-found-guilty-on-seven-charges-of-fraud-and-conspiracy-012316105.html?src=rss

UK citizen pleads guilty to 2020 Twitter hack and other cybercrimes

Joseph James O'Connor has pleaded guilty to playing a role in various cybercrime activities, including the July 2020 hack that took over hundreds of high-profile Twitter accounts. O'Connor, who's known by the name PlugwalkJoe online, was originally from Liverpool, but he was extradited from Spain to the US in April. If you'll recall, the perpetrators of the 2020 Twitter hack hijacked accounts owned by popular personalities, including Bill Gates, Barack Obama and Elon Musk, and promoted crypto scams under their names. In 2021, Graham Ivan Clark, the supposed teenage mastermind behind the breach, pleaded guilty in return for a three-year prison sentence. 

According to the Justice Department, O'Connor communicated with his co-conspirators in that Twitter breach regarding purchasing unauthorized access to Twitter accounts. He allegedly purchased access to at least one Twitter account himself for $10,000. In addition, he was also apparently involved in the hack of a TikTok account with millions of followers, as well as a Snapchat account, via SIM swapping. In both cases, O'Connor and his co-conspirators stole sensitive personal information from the victims and then threatened to release it to the public. While the DOJ didn't identify victims in those cases, The Guardian says they were named in press reports as TikTok star Addison Rae and actor Bella Thorne.

From March 2019 until May 2019, O'Connor was also allegedly involved in the infiltration of a Manhattan-based crypto company to steal $794,000 worth of cryptocurrency. He and his co-conspirators used SIM swapping to target three of the company's executives and successfully pulled it off with one of them. Using the compromised executive's credentials, they were able to gain unauthorized access to the company's accounts and computer systems. They then laundered the stolen cryptocurrency by transferring it multiple times and using crypto exchanges.

O'Connor has pleaded guilty to a lengthy list of charges, including conspiracy to commit wire fraud and conspiracy to commit money laundering, both of which carry a maximum penalty of 20 years in prison. He is now scheduled for sentencing on June 23rd. 

This article originally appeared on Engadget at https://www.engadget.com/uk-citizen-pleads-guilty-to-2020-twitter-hack-and-other-cybercrimes-102634567.html?src=rss

Hitting the Books: How the ‘Godfather of Cybercrime’ got his start on eBay

The internet has connected nearly everybody on the planet to a global network of information and influence, enabling humanity's best and brightest minds unparalleled collaborative capabilities. At least that was the idea. More often than not these days, it serves as a popular medium for scamming your more terminally-online relatives out of large sums of money. Just ask Brett Johnson, a reformed scam artist who, at his rube-bilking pinnacle, was so good at separating fools from their cash that he founded an entire online learning forum to train a new generation of digital scam artists.

Johnson's cautionary tale is one of many in the new book, Fool Me Once: Scams, Stories, and Secrets from the Trillion-Dollar Fraud Industry, from Harvard Business Review Press. In it, Professor of Forensic Accounting at DePaul University, Dr. Kelly Richmond Pope, chronicles some of the 20th and 21st century's most heinous financial misdeeds — from Bernie Madoff's pyramid schemes to Enron and VW, and all the Nigerian Princes in between — exploring how the grifts worked and why they often left their marks none the wiser.


Reprinted by permission of Harvard Business Review Press. Excerpted from Fool Me Once: Scams, Stories, and Secrets from the Trillion-Dollar Fraud Industry by Kelly Richmond Pope. Copyright 2023 Kelly Richmond Pope. All rights reserved.


Cyber Monday

I was doing my morning reading before class, and a story about a reformed cybercriminal caught my attention. I always wanted to learn more about cybercrime, but I’d never interacted with a convicted cyber offender. Here was my chance.

I did a quick Google search and found his personal website. I reached out, explained my interest in his story, and waited. By evening, I had an email from gollum@anglerphish.com. I was immediately suspicious, but it was a legit address of Brett Johnson, the man from the article.

After a few email exchanges, we got on a call. He was super friendly and had the voice of a radio DJ. I invited him to come speak to my class at DePaul.

“I teach on Monday nights for the next eight weeks, so whatever works for you will work for me,” I said.

“How about I hop in my car and come visit your class this coming Monday?” he said.

I was a little shocked—Birmingham, Alabama was a long drive—but I immediately took him up on his offer.

Brett was born and raised in Hazard, Kentucky, “one of these areas like the Florida Panhandle and parts of Louisiana, where if you’re not fortunate enough to have a job, you may be involved in some sort of scam, hustle, fraud, whatever you want to call it,” he said.

Maybe there was something in the water because his entire family engaged in fraud. Insurance fraud, document forgery, drug trafficking, mining illegal coal. You name it, Brett’s family did it.

Young Brett was a natural liar. As he grew up, he participated in the family scams.

Eventually, he branched out on his own. His first scam: in 1994, he faked his own car accident. Second scam: eBay fraud.

He reached his peak in the mid-’90s, during the Beanie Baby heyday. The Royal Blue Peanut, essentially a cobalt stuffed elephant toy, sold for as much as $1,700. Only five hundred of the dolls were manufactured, making it one of the most valuable Beanie Babies.

Brett was trying to earn some extra money. A Beanie Baby scam seemed easy and quick.

He advertised on eBay that he was selling Royal Blue Peanut for $1,500. Except he was actually selling a gray Beanie Baby that he dipped in blue dye to look like Royal Blue Peanut for $1,500.

He accepted a bid and instructed the winner to send a US postal money order. “It protects us both,” he said via email. “As soon as I get that and it clears, I’ll send you your elephant.”

The bidder sent Brett the money order; Brett cashed it and sent her his version of the blue Beanie Baby. The phone rang almost immediately.

“This is not what I ordered!” yelled a voice on the other line.

Brett’s response was swift. “Lady, you ordered a blue elephant. I sent you a blue-ish elephant.”

Brett gave her the runaround for a few weeks until she finally disappeared.

This experience taught Brett two very important lessons about cybercrime:

  • Delay the victim as long as possible.

  • Victims rarely report the crime and eventually go away.

Brett continued to perfect his skills and graduated to selling pirated software. From pirated software, he moved to install mod chips (a small electronic device used to disable artificial restrictions of computers or entertainment devices) into gaming systems so owners could play the pirated games. Then he began installing mod chips in the cable boxes that would turn on all the pay-per-view on clients’ TV channels for free. Then it was programming satellite DSS cards (the satellite DSS card allows access to tv channels).

He was getting requests for his cable boxes from customers all over the United States and Canada. He was on a roll. Finally, it occurred to him: Why even fulfill the cable box order? Just take the money and run. He knew that no customer would complain about losing money in an illegal transaction. He stole even more money with this updated version of his cable box scam but soon worried that he’d get flagged for money laundering. He decided he needed a fake driver’s license so he could open up a bank account and launder the money through cash taken out of the ATM.

He found a person online who sold fake licenses. He sent a picture, $200, and waited. He waited and waited. Then reality punched him in the face: He’d been scammed. The nerve.

No one hates being deceived more than someone who deceives for a living. Brett was so frustrated he started ShadowCrew.com, an online forum where people could learn the ins and outs of cybercrime. Forbes called it “a one-stop marketplace for identity theft.” The ShadowCrew operated from August 2002 through November 2004, attracting as many as four thousand criminals or aspiring criminals. It’s considered the forerunner of today’s cybercrime forums and marketplaces; Brett is known as the Godfather of Cybercrime.

“Before ShadowCrew, the only avenue you had to commit online crime was a rolling chat board,” he told my students. “It’s called an IRC chat session and stands for Internet Relay Chat.” The problem with these rolling chat screens was that you had no idea if you were talking to a cop or a crook. Either was possible.

ShadowCrew gave criminals a trust mechanism. It was a large communication channel where people in different time zones could reference conversations. “By looking at someone’s screen name, you could tell if you could trust that person, if you could network with that person, or if you could learn from that person,” he said. The screen name on the dark web became the criminal’s brand name. They keep this brand name throughout their entire criminal tenure and it helps establish trust with others, so the screen name matters.

When Brett was in class, he showed my students how information ended up on the dark web. “You can find social security numbers, home addresses, driver’s license numbers, credit card numbers on the dark web for $3,” he explained. All the information is there, practically begging to be taken.

In 2004, authorities arrested twenty-eight men in six countries, claiming they had swapped 1.7 million stolen card numbers and caused $4.3 million in losses. But Brett escaped. He was placed on the Secret Service’s Most Wanted list. After four months on the run, he was arrested.

Brett has been in and out of prison five times and spent 7.5 years in federal prison. Today he considers himself a reformed white-collar offender.

This article originally appeared on Engadget at https://www.engadget.com/hitting-the-books-fool-me-once-kelly-richmond-pope-harvard-business-review-press-143031129.html?src=rss

Hitting the Books: How the ‘Godfather of Cybercrime’ got his start on eBay

The internet has connected nearly everybody on the planet to a global network of information and influence, giving humanity's best and brightest minds unparalleled collaborative capabilities. At least that was the idea. More often than not these days, it serves as a popular medium for scamming your more terminally-online relatives out of large sums of money. Just ask Brett Johnson, a reformed scam artist who, at his rube-bilking pinnacle, was so good at separating fools from their cash that he founded an entire online learning forum to train a new generation of digital scam artists.

Johnson's cautionary tale is one of many in the new book, Fool Me Once: Scams, Stories, and Secrets from the Trillion-Dollar Fraud Industry, from Harvard Business Review Press. In it, Professor of Forensic Accounting at DePaul University, Dr. Kelly Richmond Pope, chronicles some of the 20th and 21st century's most heinous financial misdeeds — from Bernie Madoff's pyramid schemes to Enron and VW, and all the Nigerian Princes in between — exploring how the grifts worked and why they often left their marks none the wiser.

Reprinted by permission of Harvard Business Review Press. Excerpted from Fool Me Once: Scams, Stories, and Secrets from the Trillion-Dollar Fraud Industry by Kelly Richmond Pope. Copyright 2023 Kelly Richmond Pope. All rights reserved.


Cyber Monday

I was doing my morning reading before class, and a story about a reformed cybercriminal caught my attention. I always wanted to learn more about cybercrime, but I’d never interacted with a convicted cyber offender. Here was my chance.

I did a quick Google search and found his personal website. I reached out, explained my interest in his story, and waited. By evening, I had an email from gollum@anglerphish.com. I was immediately suspicious, but it was a legit address of Brett Johnson, the man from the article.

After a few email exchanges, we got on a call. He was super friendly and had the voice of a radio DJ. I invited him to come speak to my class at DePaul.

“I teach on Monday nights for the next eight weeks, so whatever works for you will work for me,” I said.

“How about I hop in my car and come visit your class this coming Monday?” he said.

I was a little shocked—Birmingham, Alabama was a long drive—but I immediately took him up on his offer.

Brett was born and raised in Hazard, Kentucky, “one of these areas like the Florida Panhandle and parts of Louisiana, where if you’re not fortunate enough to have a job, you may be involved in some sort of scam, hustle, fraud, whatever you want to call it,” he said.

Maybe there was something in the water because his entire family engaged in fraud. Insurance fraud, document forgery, drug trafficking, mining illegal coal. You name it, Brett’s family did it.

Young Brett was a natural liar. As he grew up, he participated in the family scams.

Eventually, he branched out on his own. His first scam: in 1994, he faked his own car accident. Second scam: eBay fraud.

He reached his peak in the mid-’90s, during the Beanie Baby heyday. The Royal Blue Peanut, essentially a cobalt stuffed elephant toy, sold for as much as $1,700. Only five hundred of the dolls were manufactured, making it one of the most valuable Beanie Babies.

Brett was trying to earn some extra money. A Beanie Baby scam seemed easy and quick.

He advertised on eBay that he was selling Royal Blue Peanut for $1,500. Except he was actually selling a gray Beanie Baby that he dipped in blue dye to look like Royal Blue Peanut for $1,500.

He accepted a bid and instructed the winner to send a US postal money order. “It protects us both,” he said via email. “As soon as I get that and it clears, I’ll send you your elephant.”

The bidder sent Brett the money order; Brett cashed it and sent her his version of the blue Beanie Baby. The phone rang almost immediately.

“This is not what I ordered!” yelled a voice on the other line.

Brett’s response was swift. “Lady, you ordered a blue elephant. I sent you a blue-ish elephant.”

Brett gave her the runaround for a few weeks until she finally disappeared.

This experience taught Brett two very important lessons about cybercrime:

  • Delay the victim as long as possible.

  • Victims rarely report the crime and eventually go away.

Brett continued to perfect his skills and graduated to selling pirated software. From pirated software, he moved to installing mod chips (a small electronic device used to disable artificial restrictions of computers or entertainment devices) into gaming systems so owners could play the pirated games. Then he began installing mod chips in the cable boxes that would turn on all the pay-per-view on clients’ TV channels for free. Then it was programming satellite DSS cards (the satellite DSS card allows access to TV channels).

He was getting requests for his cable boxes from customers all over the United States and Canada. He was on a roll. Finally, it occurred to him: Why even fulfill the cable box order? Just take the money and run. He knew that no customer would complain about losing money in an illegal transaction. He stole even more money with this updated version of his cable box scam but soon worried that he’d get flagged for money laundering. He decided he needed a fake driver’s license so he could open up a bank account and launder the money through cash taken out of the ATM.

He found a person online who sold fake licenses. He sent a picture, $200, and waited. He waited and waited. Then reality punched him in the face: He’d been scammed. The nerve.

No one hates being deceived more than someone who deceives for a living. Brett was so frustrated he started ShadowCrew.com, an online forum where people could learn the ins and outs of cybercrime. Forbes called it “a one-stop marketplace for identity theft.” The ShadowCrew operated from August 2002 through November 2004, attracting as many as four thousand criminals or aspiring criminals. It’s considered the forerunner of today’s cybercrime forums and marketplaces; Brett is known as the Godfather of Cybercrime.

“Before ShadowCrew, the only avenue you had to commit online crime was a rolling chat board,” he told my students. “It’s called an IRC chat session and stands for Internet Relay Chat.” The problem with these rolling chat screens was that you had no idea if you were talking to a cop or a crook. Either was possible.

ShadowCrew gave criminals a trust mechanism. It was a large communication channel where people in different time zones could reference conversations. “By looking at someone’s screen name, you could tell if you could trust that person, if you could network with that person, or if you could learn from that person,” he said. The screen name on the dark web became the criminal’s brand name. They keep this brand name throughout their entire criminal tenure and it helps establish trust with others, so the screen name matters.

When Brett was in class, he showed my students how information ended up on the dark web. “You can find social security numbers, home addresses, driver’s license numbers, credit card numbers on the dark web for $3,” he explained. All the information is there, practically begging to be taken.

In 2004, authorities arrested twenty-eight men in six countries, claiming they had swapped 1.7 million stolen card numbers and caused $4.3 million in losses. But Brett escaped. He was placed on the Secret Service’s Most Wanted list. After four months on the run, he was arrested.

Brett has been in and out of prison five times and spent 7.5 years in federal prison. Today he considers himself a reformed white-collar offender.

This article originally appeared on Engadget at https://www.engadget.com/hitting-the-books-fool-me-once-kelly-richmond-pope-harvard-business-review-press-143031129.html?src=rss

FBI says Americans lost $10.3 billion to internet scammers in 2022

If you know someone who fell for an online scam last year, you're far from alone. The FBI reports that Americans submitting incidents to the agency lost $10.3 billion to internet scams in 2022, a steep jump from $6.9 billion in 2021. While there were fewer complaints (800,944), certain ripoffs were still very problematic. Investment scams were the most common and costliest schemes. Related fraud losses jumped from nearly $1.5 billion in 2021 to $3.3 billion, and most of that value came from cryptocurrency scams — losses surged from $907 million to almost $2.6 billion in 2022.

There were some bright spots. While investment scams were on the rise, ransomware complaints fell sharply. There were just 2,385 complaints about these digital extortion attempts versus 3,729 the year before, and they led to a relatively modest $34.3 million in losses. And while phishing was the most prevalent scam type with over 300,000 complaints, the damages were limited to $52.1 million.

The FBI warns that its figures don't represent the entirety of online scams in the US. Not everyone who was the victim of a ransomware attack reported it to the bureau, Executive Assistant Director Timothy Langan says. However, he says the reports help law enforcement spot trends and otherwise deal with threats. Investigators have a better sense of what they need to address, even if they don't have the full picture.

This article originally appeared on Engadget at https://www.engadget.com/fbi-says-americans-lost-10-billion-to-scammers-in-2022-144514762.html?src=rss