Threats Without Borders - Issue 134
Cyber-Financial Investigation Newsletter, Week ending June 11, 2023
The newsletter had nearly twice as many views as opens last week. More people are coming to the newsletter URL to read the issue than are accessing it through email. I’m excited that readers are seeking out the newsletter, but it’s incredibly frustrating that I’m not able to convert them to subscribers. Why do subscribers matter? Because it matters to Substack, and a higher subscriber count will increase the ranking and status of the newsletter. Please consider subscribing!
… back to the normally scheduled broadcast.
Now that we know what an IP address is (see issue 133), let’s see how you get one assigned to your network.
The allocation of Internet Protocol Addresses is controlled by an international organization called the Internet Assigned Numbers Authority, or IANA for short. In addition to the management of IP addresses, IANA is also responsible for the Domain Name System (DNS) root domains. This organization pretty much makes the Internet run.
IANA distributes ranges of IP addresses to subgroups called Regional Internet Registries (RIRs). The RIR for North America is ARIN – the American Registry for Internet Numbers. IP addresses are distributed in Europe by the Réseaux IP Européens Network Coordination Centre (RIPE NCC). India and Asia are covered by APNIC – the Asia-Pacific Network Information Centre. South America is LACNIC and Africa is AFRINIC.
The RIRs then distribute the IP addresses in blocks to the Local Internet Registries (LIRs). Most of us know LIRs as Internet Service Providers (ISPs). Examples of American ISPs are Comcast, Verizon, Cox, Charter, Frontier, AT&T, T-Mobile, etc.
The ISP assigns a public IP address to its customer’s server or router, whether the customer is a business or a residence. It may also be a cell tower in the case of a tower-router.
The ISPs have two methods to assign IP addresses to customers – Statically or Dynamically.
A static address is permanently assigned and rarely, if ever, changes. These are usually for a business application such as a payment processing system or an information server that provides data to multiple end-points. The end-points, or nodes, need to always know the IP address of the server to maintain a connection. The calling node’s IP address doesn’t matter, but the server’s certainly does. You can call the bank from any phone and make a connection as long as the bank maintains the same number. Imagine if the bank’s phone number continuously changed. What number do you call?
Dynamic IP addresses are assigned by the ISP as-needed, or on-the-fly, and are generally used for residential networks. The residential router contacts the ISP and asks for a public IP address.
The ISP will assign the router an available address from the public pool. The address will generally remain persistent, or constant, until the network disconnects from the ISP. This occurs when there is a power outage, a manual reset of the router, or a reassignment initiated by the ISP for performance reasons. It can, and sometimes will, change at any moment.
Dynamic IP addresses are why the exact date and time need to be provided to the ISP when seeking subscriber information. 97.128.225.13 might be assigned to 125 East Main Street, Anytown, PA at 4:25 pm but jump to 250 West Maple Avenue, Yourtown, PA at 4:30 pm. Providing only a date isn’t enough since an IP address can change several times during a single day. Usually, it doesn’t, but it can.
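To make the point concrete, here is an added example (my own illustration, not code from the newsletter or from any ISP) that models how an ISP's dynamic-assignment records answer an investigator's request. The lease records, the addresses and the function names `subscriber_at` and `subscribers_on_date` are all constructed for the example. A lookup by exact timestamp returns one subscriber; a lookup by date alone can return several, and a timestamp without a UTC offset is refused because the instant would be ambiguous.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class Lease:
    """One dynamic-address assignment as an ISP might record it (hypothetical schema)."""
    ip: str
    subscriber: str
    start: datetime           # timezone-aware instant the address was handed out
    end: Optional[datetime]   # None means the lease is still active


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp; a UTC offset is mandatory so the instant is unambiguous."""
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {s!r} has no UTC offset; a request must state the time zone")
    return dt


# Constructed sample assignment records mirroring the newsletter's scenario (not real data).
LEASES: List[Lease] = [
    Lease("97.128.225.13", "77 Ridge Road, Othertown, PA",
          _ts("2023-06-07T12:00:00-04:00"), _ts("2023-06-08T08:59:00-04:00")),
    Lease("97.128.225.13", "125 East Main Street, Anytown, PA",
          _ts("2023-06-08T09:00:00-04:00"), _ts("2023-06-08T16:27:00-04:00")),
    Lease("97.128.225.13", "250 West Maple Avenue, Yourtown, PA",
          _ts("2023-06-08T16:28:00-04:00"), None),
    Lease("97.128.225.14", "9 Mill Lane, Sometown, PA",
          _ts("2023-06-01T00:00:00-04:00"), None),
]


def subscriber_at(ip: str, when: str, leases: List[Lease] = LEASES) -> Optional[str]:
    """Return the single subscriber holding `ip` at the instant `when`, or None if nobody did."""
    target = ip_address(ip)
    instant = _ts(when)
    for lease in leases:
        if ip_address(lease.ip) != target:
            continue
        if lease.start <= instant and (lease.end is None or instant <= lease.end):
            return lease.subscriber
    return None


def subscribers_on_date(ip: str, day: str, utc_offset: str,
                        leases: List[Lease] = LEASES) -> List[str]:
    """Every subscriber that held `ip` at any point on the calendar date `day` (YYYY-MM-DD)
    in the zone given by `utc_offset` (e.g. "-04:00"), ordered by when they received it.
    More than one result means a date-only request cannot identify the subscriber."""
    target = ip_address(ip)
    day_start = _ts(f"{day}T00:00:00{utc_offset}")
    day_end = day_start + timedelta(days=1)
    hits = [
        lease for lease in leases
        if ip_address(lease.ip) == target
        and lease.start < day_end
        and (lease.end is None or lease.end >= day_start)
    ]
    return [lease.subscriber for lease in sorted(hits, key=lambda l: l.start)]


if __name__ == "__main__":
    print(subscriber_at("97.128.225.13", "2023-06-08T16:25:00-04:00"))
    print(subscriber_at("97.128.225.13", "2023-06-08T16:30:00-04:00"))
    print(subscribers_on_date("97.128.225.13", "2023-06-08", "-04:00"))
```

Two details matter in practice: the same instant expressed in UTC (20:30Z) resolves to the same subscriber as 4:30 pm Eastern, so a request should always carry the offset it was recorded in; and a timestamp that falls in the gap between one lease ending and the next beginning resolves to nobody, which is a real outcome the ISP may report rather than an error in the request.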
Come back next week as we see how to transition from an IP address to a user (or at least try).
Terrifying…for so many reasons
The FBI is warning us of the rising trend of malicious actors creating deepfake content to conduct sextortion attacks. From the Internet Crime Complaint Center (IC3) press release, “Based on recent victim reporting, the malicious actors typically demanded: 1. Payment (e.g., money, gift cards) with threats to share the images or videos with family members or social media friends if funds were not received; or 2. The victim send real sexually-themed images or videos.” Imagine that…gift cards. https://www.ic3.gov/Media/Y2023/PSA230605
Know your VCAs
The Talos group at Cisco has observed an increase in attackers using compromised Vendor and Contractor Accounts (VCAs). I feel like there has always been a focus on compromising these accounts, but the bad guys are just getting better at doing it. Why? Small vendors and contractors remain negligent in enacting meaningful security. If your organization allows third parties to access network resources, you should continuously be evaluating who has access and why. https://blog.talosintelligence.com/vendor-contractor-account-abuse/
A charity for who?
I always point people towards the Charity Navigator website when discussing charitable giving and charity fraud. The site scores charities on multiple fronts including “Accountability and Finance”. This Ohio organization would get an F grade per the Ohio Attorney General’s finding that “the charity raised $141,000 from roughly 3,200 donors, but eventually spent more than $100,000 on fees and gave just $10,000 to the food bank.” https://www.pennlive.com/nation-world/2023/06/charity-falsely-claimed-to-help-ohio-train-derailment-victims-attorney-general-says.html
SARs are Surging
Financial institutions operating in the United States are filing soaring numbers of Suspicious Activity Reports (SARs), with the total number of SARs filed in 2022 surpassing 3.6 million filings - an increase of 57% from pre-pandemic 2019 levels. Does this indicate a rise in financial crime activity, or are the FIs just getting better at spotting it? Or maybe just becoming more compliant in reporting? https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/special-report-suspicious-activity-reports/
The Rest…
Microsoft’s Outlook.com is being targeted by an obviously effective Sudanese DDoS group. https://www.bleepingcomputer.com/news/microsoft/outlookcom-hit-by-outages-as-hacktivists-claim-ddos-attacks/
Although this is a warning from the Pennsylvania Attorney General…it carries weight for every state in the country. Fake rental scams are prolific. And the supply of willing victims is endless. https://www.pennlive.com/news/2023/06/beware-fake-rental-listing-scams-attorney-general.html
Cool Job
Fraud Program Manager - Brightwell https://brightwell.applytojob.com/apply/nLX3FTv5yM/Fraud-Program-Director?source=Our%20Career%20Page%20Widget
Cool Tool
Find people - https://www.idcrawl.com/
Irrelevant
Don’t be Buridan’s Ass - make a decision.
Buridan’s Ass: A thirsty donkey is placed exactly midway between two pails of water. It dies because it can’t make a rational decision about which one to choose. A form of decision paralysis.
Long read of the week
Microsoft Defender Experts uncovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack against banking and financial services organizations.
Homophones are hard
Masque - A dramatic entertainment, usually performed by masked players representing mythological or allegorical figures
Mask - a covering worn on the face to conceal one’s identity
Thank you for being part of this journey. I know that free time is hard to come by and I appreciate that you found some for this newsletter.
Cheers,
Matt
“WHEN YOU LOVE LEARNING, WHAT YOU DON’T KNOW IS AN OPPORTUNITY, NOT A THREAT.” - depends on the teacher I guess…
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.
Substack also has a bad habit of slipping in a "support" button that goes to a payment portal requesting a "Pledge" of support. IF you got this button, DON'T PAY ME! The newsletter is free. I just want you to be a subscriber, not your money!