Threats Without Borders - Issue 133
Cyber-Financial Crime Investigation Newsletter - Week ending June 4, 2023
In Issue 131, I initiated a conversation about Internet Protocol (IP) addresses. I received some follow-up questions and an organization requested an in-person training on the topic. It’s great to see people engaging with such a non-sexy topic. Investigating Internet-facilitated crime is really hard if you don’t understand how electronic devices communicate across a network.
I figured I’d continue with the core concept – where does the IP address come from? Yes, it’s assigned by the Internet Service Provider, a router, or software like Dynamic Host Configuration Protocol (DHCP), but where do the numbers come from? What does 192.85.123.1 actually mean?
Computers only read electronic signals and they recognize the digital pulses as on or off. Computers turn this on/off view into a human-readable format using Binary Code or Binary language. It’s represented by a 1 or 0 with Zero meaning OFF and One meaning ON. This is how the computer turns an electric signal into something we understand. These on or off entities are known as Bits.
A collection of eight Bits makes a Byte. Each Bit is either ON or OFF, so it is represented as 1 for ON or 0 for OFF.
Bytes hold value and we calculate this through Binary Math. The rightmost bit has a potential value of 1 (the value of an ON bit in that position) and the value doubles with each position as we move to the left. It looks like this:
Please note that any number to the power of 0 equals 1. So 2 to the 0 power equals 1 for the first bit. Don’t ask me, I took business math to get through college.
Each bit has the potential of 2 to the X power, where X is its position counting from 0 on the right, if the bit is turned on.
So each Byte (8 bits) has a maximum value of 255. That gives 256 possible values, since the count mathematically starts with 0, but let’s not get too deep in the weeds.
1+2+4+8+16+32+64+128 = 255
IP addresses are represented in bits. IPv4 addresses are 32-bit numbers grouped into 4 bytes for ease of use. Each byte is separated by a dot, aka period (.).
For example, 128.24.123.8
How do we get that number?
Using Binary math, we know that each IP address breaks down into 4 bytes, each containing 8 bits. So at its base level, an IPv4 address will be represented as:
00000000.00000000.00000000.00000000 or just as easily 11111111.11111111.11111111.11111111
But how do we get the numbers that make it easy for humans to read and use IP addresses?
If every bit is turned off, then the byte will have a value of 0. If every bit is turned off for the entire 32-bit IP address then it will be represented as 0.0.0.0
If every bit is turned on for the byte, then it will hold a value of 255 (remember 128+64+32+16+8+4+2+1).
So, if every bit is turned on for a 32-bit IP address then it will be represented as 255.255.255.255
If every bit had to be either all off or all on, we’d only have two addresses. We have billions of them (4,294,967,296 IPv4 addresses to be exact).
How do we get to an address like 185.64.115.23?
We need to start with how the computer processor sees the number. It is going to see the collection of 32 bits as: 10111001010000000111001100010111
Breaking that string into 8-bit bytes we get: 10111001.01000000.01110011.00010111
But where did those numbers come from?
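To show the arithmetic end to end, here is an added example (not from the newsletter) that turns a dotted-quad address into the 32 bits the processor sees, splits it back into bytes, and lists which place values are switched on in each byte, using the same 128-64-32-16-8-4-2-1 values described above.

```python
# Added example: dotted-quad IPv4 <-> 32-bit binary, done with the place
# values from the text rather than Python's built-in converters.
PLACE_VALUES = [128, 64, 32, 16, 8, 4, 2, 1]  # 2**7 down to 2**0, left to right


def byte_to_bits(value: int) -> str:
    """Return the 8-character binary string for one byte (0..255)."""
    if not 0 <= value <= 255:
        raise ValueError(f"byte out of range: {value}")
    bits, remaining = "", value
    for place in PLACE_VALUES:      # walk from the 128 bit down to the 1 bit
        if remaining >= place:      # this bit is ON: subtract its value
            bits += "1"
            remaining -= place
        else:                       # this bit is OFF
            bits += "0"
    return bits


def bits_to_byte(bits: str) -> int:
    """Add up the place values of every ON bit in an 8-character string."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"not an 8-bit string: {bits!r}")
    return sum(place for place, b in zip(PLACE_VALUES, bits) if b == "1")


def ipv4_to_binary(address: str) -> str:
    """'185.64.115.23' -> '10111001.01000000.01110011.00010111'"""
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four bytes: {address!r}")
    return ".".join(byte_to_bits(int(o)) for o in octets)


def binary_to_ipv4(bit_string: str) -> str:
    """Accepts the raw 32-bit string or the dotted 8-bit groups."""
    raw = bit_string.replace(".", "")
    if len(raw) != 32:
        raise ValueError(f"expected 32 bits, got {len(raw)}")
    return ".".join(str(bits_to_byte(raw[i:i + 8])) for i in range(0, 32, 8))


def on_bits(value: int) -> list:
    """Which place values are ON, e.g. 185 -> [128, 32, 16, 8, 1]."""
    return [p for p, b in zip(PLACE_VALUES, byte_to_bits(value)) if b == "1"]


if __name__ == "__main__":
    print(ipv4_to_binary("185.64.115.23"))
    print(binary_to_ipv4("10111001010000000111001100010111"))
    for octet in (185, 64, 115, 23):
        print(octet, "=", " + ".join(str(p) for p in on_bits(octet)))
```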
What about IPv6 addresses? Well, they’re 128-bit addresses written in hexadecimal, so they look something like this: 2335:0425:2GA1:0000:0000:0587:5673:23b4. I don’t have that much math in me.
Next week I’ll explore how IP addresses are assigned and how they can be used to further our investigations.
Scammer or Hacker?
Was I hacked? No. Maybe I was? No, couldn’t have been. Wait, was I? This is the line of reasoning a lot of people have been struggling through after getting an email from an alleged hacker demanding payment to not distribute stolen personal files. While not a new scam, the current purveyors have fine-tuned the language and emotionally triggering social engineering to near perfection. Trend Micro details the scam and outlines an appropriate response. https://news.trendmicro.com/2023/05/30/you-got-owned-email-scam/
Why not do it?
Malicious insider steals over $250,000 from her employer and gets… drum roll please… 9 months in county prison. Oh, and has to pay full restitution. Seriously, you can steal a quarter of a million dollars and not even serve a year in prison. Of course people are going to risk it. https://www.pennlive.com/news/2023/06/ex-official-of-pa-company-must-repay-the-nearly-250k-she-admitted-stealing.html
The good fight.
I dislike articles that are written as a drama-mentary, but this one is done well enough for inclusion in the newsletter. I’m sure those who aren’t involved in fraud fighting every day are sucked in by this style of narrative, but for those of us that are… meh. Grandma got scammed and now she’s mad as hell and taking it to the streets. Best of luck to her and keep fighting the good fight. https://www.thedailybeast.com/ruth-grover-and-scamhaters-united-volunteers-are-taking-on-international-romance-scammers
You better MOVE-it
If your business uses the file transfer service MOVEit… you better get moving. The service is being attacked through a 0-day exploit, and researchers have identified over 3,000 vulnerable hosts connected to the open Internet. Threat intelligence firm Censys believes that most vulnerable hosts are being exploited and has written up notes to help affected users deal with the situation. And as always, TrustedSec has authored a fantastic report containing complete indicators of compromise.
https://censys.io/moveit-transfer/
The Rest…
Check your statement if you’re a Chase customer. https://www.pennlive.com/news/2023/06/chase-says-online-banking-issue-now-resolved-after-bug-causes-double-transactions-and-fees.html
Maryland man pleads guilty to fraudulently obtaining 1.5 million dollars in CARES Act funding AND unrelated business email compromise fraud. He did it all! https://www.justice.gov/usao-md/pr/maryland-man-sentenced-over-five-years-federal-prison-covid-19-fraud-and-aggravated
Cool Job
Senior Program Manager, Fraud and Risk Management. DraftKings. https://careers.draftkings.com/jobs/job/senior-program-manager-fraud-risk-management-boston-ma-jr06682/
Cool Tool
Find all the usernames - https://blackbird-osint.herokuapp.com/
Convert any webpage into plaintext - works as an excellent ladder also. https://txtify.it/
Irrelevant
Maintain those domains! The URL printed on the bottom of 800,000 Maryland vehicle registration plates now links to a Filipino online casino. Brilliant. https://www.vice.com/en/article/4a3xe9/maryland-license-plates-now-inadvertently-advertising-filipino-online-casino
Thanks for coming back after last week’s lackluster issue. I appreciate the support and everyone who puts themselves out there to share the newsletter with others.
Matt
“BE THE PERSON A YOUNGER YOU COULD HAVE USED IN THEIR LIFE”
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.