Threats Without Borders - Issue 135
Cyber-Financial Crime Investigation Newsletter, week ending June 18, 2023
An IP Address is not a person. In fact, an IP address is not even a device.
The Media Access Control address, or MAC Address as most of us know it, is a twelve-character alpha-numeric string that is hard coded into the Network Interface Card of a computer device. Yes, even PCs running Windows have a MAC address. Some devices, like Apple iPhones, can present a virtualized MAC address for privacy purposes, but that’s a whole different conversation. The main idea here is that the unique identifier for a computer device is the MAC address and it's not synonymous with an IP address.
There are enough IPv6 addresses for every single Internet-connected device in the world to be assigned its own unique IP address. The world isn’t there yet, so linking an IP address back to a specific device is not a sure thing – without some help.
The public IP address provided by the Internet Service Provider (ISP) will be assigned to the main network router. The network may have multiple switches and routers but the main device interfacing with the ISP is assigned the public IP address. That device then utilizes Network Address Translation (NAT) to deploy private IP addresses to each device connecting to the Local Area Network (LAN).
A public IP address may get you back to a router, but it still won’t get you to a specific device, or a person. The ISP will identify the router, or network, by customer. When you serve an ISP a legal demand for information related to the usage of an IP address they identify a customer. Remember, these requests must be very specific since most IP addresses are assigned dynamically and can change from minute to minute.
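To show why the request has to be that specific, here is an added example (not part of the original newsletter) that turns connection log entries into the items an ISP can actually answer: public IPv4 address, a UTC time window, and source ports. The log format, the function names, and the sample entries are assumptions made for illustration, and only IPv4 is handled.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample log (not real data): ISO timestamp with offset, source IP, source port.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for public IPs.
SAMPLE_LOG = [
    "2023-06-12T21:14:03-04:00 203.0.113.45 51844",
    "2023-06-12T21:16:40-04:00 203.0.113.45 51902",
    "2023-06-13T09:02:11-04:00 192.168.1.23 40112",
    "2023-06-13T09:05:57-04:00 100.72.14.9 33071",
    "2023-06-14T02:30:00+01:00 198.51.100.7 60001",
]
# IPv4 ranges that never identify an ISP subscriber on their own.
NON_PUBLIC = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 shared (carrier NAT)": ["100.64.0.0/10"],
    "loopback/link-local": ["127.0.0.0/8", "169.254.0.0/16"],
}

def classify(ip_text):
    """Label an IPv4 address as 'public' or by the non-public range it falls in."""
    ip = ipaddress.IPv4Address(ip_text)
    for label, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"

def build_request_items(lines):
    """Group public IPs into UTC first/last-seen windows; return (items, skipped)."""
    items, skipped = {}, []
    for line in lines:
        stamp, ip_text, port = line.split()
        kind = classify(ip_text)
        if kind != "public":
            skipped.append((ip_text, kind))
            continue
        # Normalise to UTC: a local evening time can fall on the next UTC date.
        seen = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        item = items.setdefault(ip_text, {"first": seen, "last": seen, "ports": []})
        item["first"], item["last"] = min(item["first"], seen), max(item["last"], seen)
        item["ports"].append(int(port))
    return items, skipped

def format_item(ip_text, item):
    return (f"{ip_text} from {item['first']:%Y-%m-%d %H:%M:%S} UTC "
            f"to {item['last']:%Y-%m-%d %H:%M:%S} UTC, source ports {item['ports']}")

if __name__ == "__main__":
    items, skipped = build_request_items(SAMPLE_LOG)
    print(*(format_item(ip, it) for ip, it in items.items()), *skipped, sep="\n")
```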
IP addresses themselves are not confidential or proprietary. It’s relatively easy to determine public IP addresses from connection logs. Websites, email servers, payment systems, chat applications, and any other Internet resources that accept connections from other devices record IP address information. They must know where to send the return mail!
Determining the ISP assigned the IP address by the Regional Internet Registry (RIR) is also relatively easy since they publicly release that information. The more difficult part is determining the geolocation of the assigned IP address.
Only the ISP can provide you with the exact address of the subscriber assigned the IP address, but many companies are getting really good at figuring it out. How?
Think about the personal information you provide when you purchase something from an online store, register for a service, or create a new account. You provide a name, address, phone number, and maybe even a date of birth and credit card number. What does the web service also collect? Yes, the IP address. That entity has now tied an actual person and a physical address to an IP address. Granular information like that is worth a lot of money.
But again, IP address assignments continuously change. People will also access the Internet from public WiFi and utilize IP address obfuscation tools like Virtual Private Networks and the TOR network.
Businesses that offer IP address “look-up” services will generally get you to the right town or city but can’t be trusted further than that. There are data aggregator services that are claiming to tie IP addresses back to specific individuals, but they are just buying data from unscrupulous websites and merchants willing to sell it. That connection information doesn’t mean anything until confirmed by the ISP.
The account information, or subscriber, provided by the ISP usually comes in the form of a name and address. There will be some additional information such as ISP account number and connection times, but the most important information is the physical address. The person who has the account with the ISP isn’t always the property owner, or even the person living at the property. The vital information is the physical address because that is the location of the network connection and ultimately the router that is interfacing with the public IP address.
Remember Network Address Translation? The router will assign a private, or internal, IP address to every connected device and then translate the connection to the public IP address.
So, getting you back to the router doesn’t directly get you to the bad guy. An Internet Protocol address is not a person.
Come back next week to see how we get from the Router to the users, and hopefully identify a suspect.
At least someone gets it
Organized retail theft is rampant and slowly strangling brick and mortar businesses - of all sizes. A group of federal politicians have proposed more legislation to address the problem. Alabama representative Barry Moore surmised, “You’ve got certain prosecutors who have just decided not to apply the law on the book,” said Moore. “Whether we change the law or not, if it’s not applied it’s very ineffective for us to pass law after law whether it be gun laws or drug laws or whatever the case if in fact they are not prosecuted.” In reality, it goes beyond just the act of prosecution…how about some actual accountability? A prosecution is really worthless without some effective punishment to act as a deterrent. https://katu.com/news/nation-world/congress-weighs-federal-response-to-high-rates-of-retail-crime-combating-organized-retail-crime-act-national-retail-federation-stolen-goods-rule-of-law-corporate-policy-cash-bond-progressive-prosecutors
Follow the money
Literally. A recent report suggests the Anti-Money Laundering software market will increase from a 3.1 Billion dollar business to an 8.9 Billion dollar effort within ten years. Is that good for those working in the AML space? Well, advanced software is certainly going to replace some human workers, but someone has to use the software and even more people are going to have to interpret the results. I suspect the need for technical AML specialists - those that truly understand and comprehend the space, have solid technical skills, and are capable of data analytics, will only increase as the field transitions. Don’t understand AI and ML? Don’t even know what that means? You better learn quick. https://finance.yahoo.com/news/global-anti-money-laundering-software-113000810.html
Who’s who of product impersonation
The Bolster research team found a brand impersonation campaign that targeted over 100 different brands and involved over 3000 live domains. The list of attacked brands is a who’s-who of retail. The researchers traced all of the domains back to two host providers who have been hosting the malicious domains since June of 2022. https://bolster.ai/blog/brand-impersonation-scam
Every six minutes
That’s how often a vehicle is stolen in Canada. Who would have thought Canada would have a car theft epidemic? In fact, 9,606 vehicles were stolen from owners in Toronto in 2022. https://www.ctvnews.ca/canada/vehicle-theft-at-a-critical-point-in-canada-with-car-stolen-every-six-minutes-report-1.6443514
The Rest…
And speaking of Canada, this Canadian was convicted of a 175 Million Dollar mass mailing campaign in the Eastern District of New York. https://www.justice.gov/opa/pr/canadian-man-convicted-multimillion-dollar-psychic-mass-mailing-fraud-scheme
The cyber insurance market is valued at 16 billion dollars in 2023 and will balloon to 84 billion dollars by 2030. https://www.fortunebusinessinsights.com/cyber-insurance-market-106287
Cool Jobs
Director - Collections and Financial Crimes. Pennsylvania State Employee Credit Union. https://recruiting.ultipro.com/PEN1009PSECU/JobBoard/d519e9bb-ca06-4205-a2a0-7823c064145a/OpportunityDetail?opportunityId=199fd0d9-5f0e-4f01-a5f1-399ad62ec69e
Cool Tool
The GOAT audio and video tool. Don’t fear the command line! FFmpeg - https://ffmpeg.org/
Irrelevant
Listen to the radio - any radio - choose from 12,583 different stations. https://www.internet-radio.com/
Thank you for reading this Issue 135. It’s been a sad week for the Pennsylvania law enforcement community due to the shootings of Pennsylvania State Troopers Jaques Rougeau Jr. and Lt. James Wagner. Unfortunately, Trp. Rougeau made the ultimate sacrifice succumbing to his injuries. Please keep the PSP family in your thoughts and prayers.
https://www.troopershelpingtroopers.org/
Super techie long read
Team Cymru does a deep dive on the Vidar information-stealer malware. https://www.team-cymru.com/post/darth-vidar-the-aesir-strike-back
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.