The Man Whose Mission Is to Stop Consumer Crime Online

Credit: Photograph by John Loomis

"Some people think I'm stupid for what I do, but I tend to think they overplay the risks," says Brian Krebs, the internet's most prolific computer-crime journalist. It's early fall in Virginia, and Krebs is in his home office, holding a 12-gauge shotgun. On his desk are five computer screens, one of which is dedicated to the security cameras monitoring the split-level house he shares with his wife. In a swift, practiced motion, Krebs pivots into the open doorway, raises the shotgun to his shoulder and points the barrel at the top of the stairs. He racks the slide — shack-chuck — and says, "If that's not the most frightening sound!"

As a former computer-crime reporter for the Washington Post and the author of the new book Spam Nation, Krebs has broken some of the decade's biggest cyber security stories. He was the first journalist to reveal the U.S. government's role in Stuxnet, the virus that attacked Iran's nuclear program. And he once identified a Russian hacking group responsible for sending about 75 percent of the world's spam. His blog, Krebs on Security, which he launched in 2009, is a leading source of cyber crime news for nearly a million readers.

Krebs, to all appearances a polite, Southern-born 42-year-old, can be obsessive about his beat and often approaches his work more like a spy than a reporter. He adopts online aliases to infiltrate criminals' Web forums, and he is just as likely to cultivate sources in the illegal hacker community as among law enforcement. "Krebs is definitely dancing with the devil," says Tom Kellermann, a former data-risk analyst at the World Bank. "He's walking a fine line between the righteous and the nonrighteous."

In the past year, there has been an unprecedented rise in consumer cyber crime, and Krebs has led the coverage of most of it. Last December, he reported that thieves had stolen 40 million credit card numbers from Target's database. In September, he noticed account numbers of Home Depot customers for sale in criminal forums, and within a week the company confirmed the theft of more than 56 million card numbers. A month later, JP Morgan, the largest bank in the United States, admitted that personal information associated with 83 million accounts had been captured this summer. "JP Morgan spends a quarter of a billion dollars a year on cyber security," says Krebs. "And not even they can keep the bad guys out."

According to Krebs, the problem is spam. A single spam email can give criminal hackers access to an entire system. Typically, cyber thieves send a target company's employees a barrage of bait emails, which at first glance look like a piece of internal correspondence. "Even the most low-tech hackers in the world are really good at this," Krebs says. "They send a spoof message from 'the boss' that reads, 'You have to read this now.' OK. Click." Krebs whistles like a bomb about to explode. That's all it takes for the world's largest companies to lose control of a network and the protected information of millions of people.

Every day, hundreds of thousands of new strains of malicious software, or malware, are uploaded to the internet. While users now spend about $70 billion a year on cyber security, computer crime costs businesses and individuals around $400 billion a year. That's about a fifth of all the revenue generated on the Web. "Cyber crime has become a lot more organized than people think," Krebs says. Without more people exposing the culprits, he adds, the flood of malware could come to dominate traffic, forcing some to abandon the internet entirely: "People might perceive that it's too risky to be online."

In light of that, surprisingly few government resources are devoted to fighting consumer cyber crime, which is why many security experts find Krebs' work indispensable and why criminals attack his site on a daily basis. "Cyber security is not really about vulnerabilities in software or technological attacks," says Dmitri Alperovitch, who founded the cyber-security firm CrowdStrike. "It's about adversaries — individuals and groups. It's a personal crusade for Krebs, but these people need to be arrested."


Back in his office, Krebs has replaced the shotgun in its case, next to an old banjo. The screen on his desk displaying the security feed fades to black as Krebs recounts a recent showdown with a credit card scammer called the Fly. Last summer, after Krebs surreptitiously gained access to one of the Fly's chat forums, the Fly mailed a funeral arrangement of flowers with a condolence card to Krebs' wife, and a gram of heroin to Krebs as a setup. (Krebs called the police and avoided the sting.) "I was like, OK — who is this turd?" he says. After some searching, Krebs published the Fly's identity on his blog. "Hey, dickhead," Krebs emailed the Fly. "How about I send a package to your wife?" One faithful reader, a federal law enforcement agent, then sent Krebs a message: "The Fly has been swatted."

Cyber Self-Defense
Krebs says up to 20 percent of personal computers in the U.S. are infected with malware, which gives bad guys access to your computer and network. Here are three of the most important ways to stay vigilant and keep yourself secure.

1. Email
Your email account is like a skeleton key for your entire online existence. Criminals can use your hacked email account to reset the passwords for your banking, social media, and online shopping accounts. Make sure that your email requires multilevel authentication, and use complex passwords to defend your inbox at all costs.

2. Passwords
If you have 15 accounts, you need 15 passwords. Mix upper- and lowercase letters with symbols and numbers. Also consider using an encrypted password manager, such as KeePass, RoboForm, or Password Safe, that stores and protects passwords for all of your accounts but requires you to remember only one log-in.

3. Downloads
The rules for downloads are simple: If you didn't go looking for it, don't install it. If you installed it, update it. If you don't need it, delete it. And never click on unknown links or pop-ups. "You wouldn't buy a product online without doing some basic research," Krebs writes. "Be certain you're not signing up for more than you bargained."