Threats Without Border - Issue 212
Cybercrime Investigation Newsletter, week ending December 8, 2024
Ask most people what "google.com" or "threatswithoutborders.com" is and they will say a web address. Yes, but more accurately, they are domain names. There is much more to a domain than an address that directs you to a specific location on the Internet.
When someone asks, "What is 142.250.138.113?" many will respond that it's an IP address. While that is correct, it also represents much more. This is one of the IP addresses google.com resolves to: the domain name is the stable label, DNS maps it to addresses like this one, and the address you get back can vary with your location and over time. Test it yourself: type it into your browser's address bar and press enter.
What happens when we add a label to the left of a domain name, such as blog.cloudflare.com? This creates a subdomain. A subdomain is a subsection of a larger domain name, like a branch of the main website. Subdomains aid in organizing content, establishing distinct sections, enhancing SEO, and even hosting separate websites, all within the main domain's structure. They are valuable resources for investigators because they are often not indexed by search engines and so never surface in an ordinary web search, yet they still show up in DNS and in certificate transparency logs. They can be information goldmines if you know how to find them.
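As an added example (not code from the newsletter), here is how an investigator might tidy a raw hostname dump into apex domains and their subdomains before digging further. The host list and the suffix set are constructed for the demo; the suffix set is a hand-written subset of the Public Suffix List, and a real tool should load the full list through a library such as tldextract or publicsuffix2.

```python
"""Group hostnames under their apex (registrable) domain.

Added example, not from the newsletter. Input is the kind of list an
investigator pulls from certificate transparency or passive DNS; here the
list and the suffix set are constructed for the demo. SUFFIXES is a tiny
hand-written subset of the Public Suffix List, not the real thing.
"""
from collections import defaultdict

# Constructed subset of public suffixes. "co.uk" shows why the apex is not
# always just the last two labels.
SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def normalize(hostname: str) -> str:
    """Lowercase, trim whitespace and a trailing dot, drop a leading wildcard label."""
    h = hostname.strip().lower().rstrip(".")
    if h.startswith("*."):
        h = h[2:]
    return h


def split_host(hostname: str):
    """Return (subdomain, apex) for a hostname.

    'blog.cloudflare.com'  -> ('blog', 'cloudflare.com')
    'www.example.co.uk'    -> ('www', 'example.co.uk')
    'cloudflare.com'       -> ('', 'cloudflare.com')   # the apex itself
    'co.uk' or malformed   -> (None, None)
    """
    h = normalize(hostname)
    labels = h.split(".")
    if len(labels) < 2 or any(not label for label in labels) or h in SUFFIXES:
        return None, None
    # Walk from the longest candidate suffix to the shortest; the first hit
    # is the longest public suffix, and the label before it completes the apex.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[: i - 1]), ".".join(labels[i - 1 :])
    # Unknown TLD: treat the last label as the suffix (the PSL's wildcard rule).
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def group_by_apex(hostnames):
    """Map each apex to a sorted list of its distinct subdomain prefixes ('' = apex)."""
    groups = defaultdict(set)
    for name in hostnames:
        sub, apex = split_host(name)
        if apex is not None:
            groups[apex].add(sub)
    return {apex: sorted(subs) for apex, subs in groups.items()}


# Constructed sample, deliberately messy: wildcard, mixed case, trailing dot,
# duplicate, two-level public suffix, and a bare suffix that must be skipped.
SAMPLE_HOSTS = [
    "blog.cloudflare.com",
    "*.cloudflare.com",
    "Developers.Cloudflare.com.",
    "cloudflare.com",
    "blog.cloudflare.com",
    "mail.example.co.uk",
    "www.example.co.uk",
    "co.uk",
]

if __name__ == "__main__":
    for apex, subs in group_by_apex(SAMPLE_HOSTS).items():
        print(apex)
        for sub in subs:
            print("  ", sub or "(apex)")
```

The suffix lookup is the part people get wrong: splitting on the last two labels turns example.co.uk into co.uk and lumps every UK site together. Normalizing case, trailing dots and wildcard entries before grouping is what keeps the same host from appearing three times in your notes.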
I will begin a multi-week series next week focusing on the value of domains in investigations.
The News…
The FBI warns the public about criminals using generative AI to commit financial fraud on a larger scale, making their schemes more believable and reducing the effort required to deceive victims. Yeah, no shit. Thanks for showing up, Bu. https://www.ic3.gov/PSA/2024/PSA241203
Funksec is a new ransomware group that has emerged in the threat landscape, with at least 11 victims across various sectors. The group uses a double extortion method, encrypting and exfiltrating files from victim devices, and operates a Tor-based data leak site (DLS) that lists successful attacks and provides links to download leaked data. Funksec has also developed a free DDoS tool, available for download on their site, indicating significant technical capability. https://www.cyjax.com/resources/blog/take-me-down-to-funksec-town-funksec-ransomware-dls-emergence/
Former township secretary steals half-a-mil of taxpayer money. “Between March 2019 and May 2024, Hackenburg allegedly took advantage of this total control over township finances and made unauthorized, personal charges totaling $532,747.67 using township credit cards.” So this is a rural township in the middle of the Pennsylvania woods, and one person was able to rack up half a million dollars on credit cards without anyone noticing? None of the township supervisors, solicitor, auditor, or even anyone at their bank? How does this even happen in 2024? https://www.spotlightpa.org/statecollege/2024/12/rural-pennsylvania-gregg-township-public-money-centre-county-theft-gambling-identity-fraud-draftkings/
The team at Any.Run discusses research into a recently identified zero-day attack that quickly bypassed static threat detection and antivirus. https://any.run/cybersecurity-blog/corrupted-files-attack/
While not cyber, your humble editor always takes pies seriously. A British chef's plea for the return of 2,500 stolen pies ended in disappointment when police found the van abandoned, with the pies too damaged to eat. The chef had offered to let the thieves drop the pies at a community center, but the van was found badly damaged, and the pies were beyond salvageable and had to be discarded. https://apnews.com/article/uk-chef-pies-stolen-christmas-appeal-009d0db2c524ac4fc7b3df45c5fac79a
Moonlock Labs from the MacPaw group has released their 2024 macOS threat report. “For decades, Apple devices have enjoyed a reputation for being mostly malware-free. However, with a 60 percent increase in market share in the last 3 years alone, macOS has become a prime target for cybercriminals, and the tide is turning.” Mandatory reading if you’re a Mac user or support Macs within your organization. https://moonlock.com/moonlock-2024-macos-threat-report
The FBI and CISA believe the Chinese hacking group Salt Typhoon is still inside the networks of major American phone and internet providers, potentially accessing real-time communications and metadata, raising concerns about a wide-ranging spying operation targeting U.S. officials and senior Americans. You should probably be using Signal. https://techcrunch.com/2024/12/04/fbi-recommends-encrypted-messaging-apps-combat-chinese-hackers/
Six former Apple employees have been charged with defrauding the company's matching gifts program by falsely claiming donations to children's charities. They manipulated donations through a third-party platform, resulting in the employees receiving reimbursements while the CEO of one of the charities kept Apple's matching funds. They should have worked this hard trying to figure out how not to put the charging port on the bottom of the Magic Mouse. https://da.santaclaracounty.gov/former-apple-employees-charged-charity-fraud-scheme
Cofense found that the Finance and Insurance vertical received the most credential phishing attacks across its customer footprint. The most common attachment types were .htm and .html. Pro Tip: Train your people to recognize these file extensions and to question why they would ever receive a web page as an attachment from a colleague. https://cofense.com/blog/wolves-in-sheep-s-clothing-industry-specific-targeted-phishing-attacks
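An added example, not from the newsletter or from Cofense: a first-pass mail-gateway check that flags web pages arriving as attachments, using only the Python standard library. The message is constructed for the demo; it includes a double-extension filename and a generic content type because both are the kind of thing that slips past a naive "ends with .html" check.

```python
"""Flag HTML attachments in an inbound e-mail.

Added example, not from the newsletter or from Cofense. It parses one
constructed message with the standard library and reports any attachment
that is a web page, judged by the filename extension (.htm/.html) or by a
declared text/html content type. SAMPLE_EML is made up for the demo.
"""
import email
import os
from email import policy

HTML_EXTENSIONS = {".htm", ".html"}

# Constructed message: one benign PDF plus two HTML attachments, one of them
# disguised with a double extension and a generic content type.
SAMPLE_EML = """\
From: "A Colleague" <colleague@example.com>
To: victim@example.com
Subject: Shared document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please review the attached document.
--b1
Content-Type: text/html; name="Invoice_2024.HTML"
Content-Disposition: attachment; filename="Invoice_2024.HTML"

<html><body><form action="https://login.example.net/"><input name="pw"></form></body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.htm"
Content-Disposition: attachment; filename="statement.pdf.htm"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


def flag_html_attachments(raw_message: str):
    """Return one finding per attachment that looks like a web page."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = (part.get_filename() or "").strip()
        # Inline body text has no filename and no attachment disposition; skip it.
        if not filename and not part.is_attachment():
            continue
        content_type = part.get_content_type()
        ext = os.path.splitext(filename)[1].lower()  # last extension only: .pdf.htm -> .htm
        reasons = []
        if ext in HTML_EXTENSIONS:
            reasons.append(f"filename ends in {ext}")
        if content_type == "text/html":
            reasons.append("declared content type is text/html")
        if reasons:
            findings.append(
                {"filename": filename, "content_type": content_type, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in flag_html_attachments(SAMPLE_EML):
        print(finding["filename"], "-", "; ".join(finding["reasons"]))
```

Checking both the extension and the declared content type matters: a phishing kit can ship the page under a neutral application/octet-stream type with a double extension, or under text/html with a harmless-looking name, and either signal alone misses one of those. Whether to block, quarantine, or just log is a policy decision for your gateway, not something this check decides.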
DFIR
Paraben discusses drone forensics. https://paraben.com/drone-forensics-navigating-the-new-frontier-of-digital-evidence/
Cool Tool
Free online image tools (be judicious about what photos you upload to any free site) https://quickimagetools.com/
Phone number lookup potentially provides carrier ID and subscriber. (free, but requires an account) https://calleridtest.com/
cupidcr4wl is an Open-Source Intelligence username search tool that crawls adult content platforms to see if a targeted account or person is present. https://github.com/OSINTI4L/cupidcr4wl
Cool Job
Fraud Domain Expert - Socure. https://socure.wd1.myworkdayjobs.com/en-US/SocureCareers/details/Fraud-Domain-Expert_JR390
Semi-Relevant
Watch what you say, or you might be “debanked.” The article discusses the growing phenomenon of debanking, where banks and financial institutions sever ties with customers deemed politically incorrect, extreme, or dangerous, often without explanation. This practice has become increasingly common in recent years, affecting individuals and organizations across the political spectrum, from Muslim charities to Trump supporters to social conservatives.
And a long, really long rebuttal: Debanking and Debunking. https://www.bitsaboutmoney.com/archive/debanking-and-debunking/
Irrelevant
The Chuck E. Cheese robot band is set to play its final gig at most locations. https://spectrum.ieee.org/chuck-e-cheese-animatronics
Sign Off
Thank you for reading this week’s issue.
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter is for anyone tasked with cybersecurity or with preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.