Threats Without Borders - Issue 136
Cyber-Financial Crime Investigation Newsletter, Week ending June 25, 2023
So many times I've heard an investigator say “We got his IP address” while claiming to have identified the suspect of a criminal act. Identifying the subscriber of a public IP address is only a starting point and not sufficient for the required “proof beyond a reasonable doubt”. Is the subscriber the only person living in the home? Is the WiFi network unsecured and being used by network squatters? Is a device compromised and being utilized by a malicious actor through a remote access service? There are so many questions that need to be answered.
Of course, it’s generally accepted that linking a public IP address to a criminal act is sufficient for a search warrant to further examine the network assigned the address by the Internet Service Provider. This is completed through a search of the physical structure of a residential subscriber or small business operating a private WiFi network. You cannot search the entire Marriott hotel because someone used the guest WiFi network to make a fraudulent credit card purchase. You might, however, search 125 East Maple Street after that residential network was used to commit the same type of fraud. Hundreds or even thousands of people are connecting to the Internet through the WiFi network of a big business, while maybe only three or four have the access needed to connect to a private network.
The question to answer when investigating a criminal act committed through the use of Internet technology is: Who had their hands on the keyboard?
The immediate need is to identify everyone with access to the network and all the devices that can connect and interact with the Internet. This is done through an on-scene investigation. You can show up and ask nicely to enter the home (don’t laugh, this works), but most of the time a search warrant issued by the court with applicable authority is required.
There are multiple ways to identify the users of the network but the most efficient way is to interview those on the scene (if they will talk) and through an inspection of the collected Internet-connected devices. An inspection of the devices will usually require a more thorough, forensically sound, analysis that can take weeks or months to complete. A good investigator will know who the real suspect is within five minutes of talking to those on-scene, but gut feelings and investigator intuition alone won’t get you to a positive jury verdict.
Examining the router itself, an act called “Router Interrogation”, provides the raw connection logs. Remember the MAC address? The router holds a table, aptly called the Routing Table, that details usage and connections made by specific devices. This table will connect the MAC address to specific Internet usage. The sticky point, however, is that for most routers this is dynamic content, so it’s deleted when the device loses power. This MUST be obtained on-scene and before the device is powered off for collection. Don’t worry, 99% of people never change the default password of their router, so it’s an easy task. Unfortunately, 99.5% of investigators never bother to collect this data.
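As an added illustration (not part of the original newsletter) of what the on-scene capture buys you, this script joins two volatile router tables, the DHCP lease file and the ARP/neighbour table, into one MAC-to-IP-to-hostname record. It assumes the dnsmasq lease-file format and `ip neigh` output found on many Linux-based home routers; both samples are constructed, not real captures.

```python
from datetime import datetime, timezone

# Constructed sample of a dnsmasq lease file (/tmp/dhcp.leases on many home
# routers): expiry-epoch, MAC, IP, hostname ("*" if none), client-id.
DHCP_LEASES = """\
1687737600 aa:bb:cc:dd:ee:01 192.168.1.20 family-laptop 01:aa:bb:cc:dd:ee:01
1687741200 aa:bb:cc:dd:ee:02 192.168.1.21 * 01:aa:bb:cc:dd:ee:02
1687744800 aa:bb:cc:dd:ee:03 192.168.1.22 smart-tv 01:aa:bb:cc:dd:ee:03
"""
# Constructed sample of `ip neigh` output (the ARP/neighbour table) at collection time.
IP_NEIGH = """\
192.168.1.20 dev br-lan lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.21 dev br-lan lladdr aa:bb:cc:dd:ee:02 STALE
192.168.1.99 dev br-lan lladdr aa:bb:cc:dd:ee:99 REACHABLE
192.168.1.50 dev br-lan FAILED
"""

def parse_leases(text):
    """Map MAC -> (ip, hostname or None, lease expiry as a UTC ISO string)."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank/malformed lines instead of aborting the capture
        expiry = datetime.fromtimestamp(int(parts[0]), tz=timezone.utc).isoformat()
        leases[parts[1].lower()] = (parts[2], None if parts[3] == "*" else parts[3], expiry)
    return leases

def parse_neigh(text):
    """Map MAC -> (ip, state) for `ip neigh` lines that carry an lladdr."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" in parts:  # FAILED/INCOMPLETE entries have no MAC to record
            seen[parts[parts.index("lladdr") + 1].lower()] = (parts[0], parts[-1])
    return seen

def build_device_table(leases_text, neigh_text):
    """One row per MAC seen in either table, flagging which source(s) knew it."""
    leases, neigh = parse_leases(leases_text), parse_neigh(neigh_text)
    rows = []
    for mac in sorted(set(leases) | set(neigh)):
        ip, host, expiry = leases.get(mac, (None, None, None))
        arp_ip, state = neigh.get(mac, (None, None))
        # A MAC in ARP but absent from DHCP is a statically addressed device: it
        # never appears in the lease table and deserves a question on scene.
        rows.append({"mac": mac, "ip": ip or arp_ip, "hostname": host,
                     "lease_expiry": expiry, "arp_state": state,
                     "in_dhcp": mac in leases, "in_arp": mac in neigh})
    return rows
```

Run it against the text of both tables copied off the live router; a device that only shows up in one table is exactly the kind of lead that is gone once the power is pulled.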
An on-scene interview with everyone who uses the network will also yield invaluable information. I have found this is the time to collect statements and information that will later be used to break alibis and overcome defense arguments. It’s funny how bad guys always “remember” things after speaking with an attorney.
Over the years I have collected a list of questions for interviewing suspects of cybercrime. I’ll probably never be doing such an interview again, so here it is for those that do.
Thanks for being a subscriber.
More than Half
Do you know the difference between created, compromised, and abused domains? Do you even know what a domain is? Cofense knows and found that compromised domains are the most dangerous, accounting for more than half of all the URLs in active phishing campaigns. https://cofense.com/blog/compromised-abused-domains-in-malware-phishing-campaigns/
Losing your package wasn’t so bad…
FedEx has been accused of running one of the largest odometer fraud schemes ever. Apparently rolling back the mileage on used package delivery trucks is a big business, and FedEx has been caught with their hands on the wrench. The lawsuit holds both FedEx and its commercial vehicle reseller responsible and accuses the pair of “not only resetting the odometers of the vehicles that sold, but also not disclosing which vehicles had their odometers replaced. Holman, which managed FedEx’s commercial fleet, is accused of selling the vehicles for more than they’re worth due to the incorrect odometers”. https://jalopnik.com/fedex-named-in-what-could-be-one-of-the-largest-odomete-1850570768
Count me as a victim
The Federal Trade Commission has filed a lawsuit against Amazon for their shady manipulations tricking people into signing up for a Prime subscription. The complaint alleges Amazon “knowingly” deceived millions of customers into subscribing to Amazon Prime through the use of “dark patterns.” I’ve fallen victim to this myself, more than once! https://www.theverge.com/2023/6/21/23768372/ftc-amazon-lawsuit-prime-dark-patterns-subscriptions
ORC is an epidemic
Organized Retail Crime may seem like a completely physical-world crime, but a lot of the product is being sold through online outlets - name the Internet marketplace of your choice. The CEO of The Home Depot has been one of the more outspoken retail executives on the topic and is pleading for help. He rightly points out that ORC affects everyone, because we all pay higher prices to help the merchant cover the shrink. https://finance.yahoo.com/news/were-investing-more-security-guards-133000754.html
The Rest…
Google decides to tackle money laundering through the use of AI. https://mpost.io/google-cloud-launches-anti-money-laundering-ai-for-financial-institutions/
Principal of a Pennsylvania charter school pleads guilty to running a tuition reimbursement fraud scheme. https://www.pennlive.com/crime/2023/06/former-central-pa-school-principal-sentenced-in-tuition-fraud-case.html
Why are companies still paying ransoms? Why would they not? https://securityintelligence.com/articles/paying-ransomswares-ransom-why-its-time-to-reconsider/
Cool Job
Manager of Fraud Strategy, Sallie Mae. https://sallie-mae.wd5.myworkdayjobs.com/Careers/job/Newark-DE/Manager--Fraud-Strategy_R23_000259
Cool Tool
DorkGPT - Use AI to generate the most effective Google search parameters. https://www.dorkgpt.com/
Irrelevant
The Complete Guide to Coffee - from the people responsible for Coffee. https://www.ncausa.org/About-Coffee
Thank You for making it to this point in the newsletter. Please consider sharing with your colleagues to help the newsletter grow.
Matt
“IF YOU DON’T LIKE THE ROAD YOU’RE WALKING, PAVE ANOTHER ONE” - I only seem to make dirt trails
Bonus - long technical geeky read
Check Point Research provides you with more reason to block USB storage drives from your network. https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.