Threats Without Borders - Issue 138
Cyber-Financial Crime Investigation Newsletter, week ending July 9, 2023
The most frequent question I’ve been asked since the IP address investigation series is “Can an IP address be spoofed?” Yes, but doing so sharply limits what the bad guy can accomplish.
Computers communicate over a network by exchanging data packets. Each packet carries a set of headers used for routing and for keeping the conversation going, followed by the data itself. The IP header holds the ‘Source Address’, which is the IP address of the packet’s sender, and the ‘Destination Address’, which is the IP address of the recipient.
The TCP or UDP header that follows carries the source and destination port numbers.
[I was going to insert a hand-drawn image of a packet showing the data it contains, but it’s simpler to go to Google Images and search “Ethernet Frame”.]
Some tools allow you to alter the data in the packets, including the source IP address. A packet can be made to look like it is coming from any public IP address. But here’s the catch: once that’s done, the receiver can’t get a reply back to the real sender. Replies are sent to the spoofed address, not the actual one. You changed the house and street address on the return-to-sender portion of the envelope.
Spoofing an IP address works great for attacks where the packets only need to go one way. Think about a distributed denial of service attack (DDoS). We just want to flood the target network with junk traffic and we don’t expect, or want, any return communication. Many DDoS tools spoof source addresses by default, and reflection attacks depend on it: the attacker puts the victim’s address in the source field so that the reply traffic lands on the victim.
But any attack, or act of fraud, that requires computers to communicate back and forth cannot use IP spoofing, because the communication loop can’t be completed. The target computer would be sending the mail to the wrong address! A TCP connection, for example, can’t even be established: the target’s SYN-ACK goes to the spoofed address, so the three-way handshake never finishes (short of an attacker sitting on the network path between the two who can see that reply).
Most modern and well-run networks use tools to prevent IP spoofing, such as ingress filtering, egress filtering, and source address validation. Ingress filtering (BCP 38) drops packets arriving at the network edge from outside that claim a source address belonging to the inside network, or an address that could never legitimately come from the Internet (private and other unallocated ‘bogon’ ranges). Egress filtering drops packets leaving the network whose source address is not one of the network’s own; it is how a responsible ISP or enterprise stops its own customers or hosts from spoofing. Source address validation is the general term for these checks; a common router implementation is unicast reverse path forwarding (uRPF), which drops a packet when the router has no route back to the packet’s source address through the interface it arrived on.
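To make the two points above concrete, the packet layout with its Source Address field and the edge filtering that catches a forged one, here is a small added example in Python. It is not code from the newsletter. The addresses are constructed sample values from the RFC 5737 documentation ranges, and the ‘local prefix’ of 203.0.113.0/24 is an assumption standing in for the attacker’s real network.

```python
"""Builds, spoofs and filters IPv4 headers to show why a spoofed source
address breaks two-way traffic and how BCP 38 style filtering catches it.
Added example; not code from the newsletter. All addresses are constructed
sample values from the RFC 5737 documentation ranges."""
import ipaddress
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte header, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 17, ttl: int = 64) -> bytes:
    """Pack a 20-byte IPv4 header (proto 17 = UDP) and fill in its checksum."""
    hdr = struct.pack(IPV4_HDR, (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(hdr: bytes) -> dict:
    """Decode the fields an investigator cares about. checksum_ok is True when
    the one's-complement sum over the whole header folds to zero."""
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack(IPV4_HDR, hdr[:20])
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "total_len": total_len,
            "checksum_ok": ipv4_checksum(hdr[:20]) == 0}


def spoof_source(hdr: bytes, fake_src: str) -> bytes:
    """What a spoofing tool does: overwrite bytes 12-15 (Source Address) and
    recompute the checksum so the packet still looks valid on the wire."""
    h = bytearray(hdr)
    h[12:16] = ipaddress.IPv4Address(fake_src).packed
    h[10:12] = b"\x00\x00"                      # zero the checksum field first
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def reply_header(request: bytes, payload_len: int = 0) -> bytes:
    """What the receiver does: answer to whatever the Source Address says."""
    p = parse_ipv4_header(request)
    return build_ipv4_header(p["dst"], p["src"], payload_len, p["proto"])


# Ranges that should never appear as a source address arriving from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def bcp38_verdict(hdr: bytes, direction: str, local_prefixes) -> str:
    """Source address validation at a network edge, in the spirit of BCP 38.
    ingress: packets from outside must not claim one of our addresses or a bogon.
    egress:  packets leaving must carry one of our own addresses."""
    src = ipaddress.IPv4Address(parse_ipv4_header(hdr)["src"])
    ours = any(src in ipaddress.ip_network(p) for p in local_prefixes)
    if direction == "egress":
        return "forward" if ours else "drop"
    if direction == "ingress":
        return "drop" if ours or any(src in b for b in BOGONS) else "forward"
    raise ValueError("direction must be 'ingress' or 'egress'")


if __name__ == "__main__":
    local = ["203.0.113.0/24"]                      # assumed: attacker's real network
    honest = build_ipv4_header("203.0.113.7", "198.51.100.9", payload_len=8)
    spoofed = spoof_source(honest, "192.0.2.1")     # constructed: the framed third party
    print("reply to spoofed packet goes to", parse_ipv4_header(reply_header(spoofed))["dst"])
    print("egress verdict on spoofed packet:", bcp38_verdict(spoofed, "egress", local))
```

Real spoofing tools write a header like this to a raw socket, which needs root or an equivalent capability, and the kernel sends it without checking the source field; that is the whole trick. The reply built by `reply_header` lands on 192.0.2.1, the framed party, not on 203.0.113.7, which is why a completed two-way session is such strong evidence against a “my IP was spoofed” claim. The egress check is the one that matters for investigators: if the attacker’s provider enforces it, the spoofed packet never leaves their network in the first place.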
How do you overcome the “My IP address was spoofed” defense? Knowledge of the network infrastructure, the protocols in use, and what security tools are in place. And, above all, evidence that the conversation went both ways: a completed TCP handshake, a login that succeeded, a response that was acknowledged. A spoofed sender never sees the reply, so a completed two-way session is strong evidence the address was real.
Can an IP address be spoofed? Yes. Was it? Probably not. Unless it was a distributed denial of service attack, or the suspect is being set up by a nation-state… it wasn’t.
It gets real…real quick
For law enforcement, the question is a non-question. “We don’t reward criminal behavior - never pay the ransom”. For everyone else, that sounds great until it’s your data about to be dumped online for the world’s leisure reading, or for abuse by other bad actors. The decision to not pay the ransom makes things get real…real quick. The students, their families, and employees of Minneapolis Public Schools learned this the hard way when district officials refused to negotiate with their extortionists. The leaked data contained complete sexual assault case folios, medical records, discrimination complaints, Social Security numbers and contact information of district employees. https://www.pennlive.com/nation-world/2023/07/school-hackers-post-kids-private-files-and-no-one-has-to-be-alerted.html
Can’t help themselves
One of the main red flags of “insider threat” is a person living outside their financial means. So it was probably pretty telling when this Amazon manager moved into a million dollar home and rolled to work in a $250K Lamborghini. Unfortunately, she was able to steal $9.4 million from the company during her 1.5 year tenure. Wait, $9.4 million in less than two years? She gets an A for work ethic. https://www.seattletimes.com/business/amazon/former-amazon-manager-sentenced-to-16-years-in-prison-in-9-million-theft-scheme/
Test much?
Payment service Revolut had a bug that allowed scammers to reap over $20 million before the flaw was fixed. The attackers abused a flaw in how Revolut handled the differences between its American and European payment systems: when a transfer between the U.S. and UK systems was canceled, the system could be manipulated into paying a refund anyway. It seems like some testing would have caught this before they lost $20 million. https://www.pymnts.com/news/security-and-risk/2023/report-revolut-payments-flaw-leads-to-20-million-theft/
Don’t forget the Mules
This Security Intelligence article explores the rise of employment scams and lists all the forms of victimization. They don’t seem to mention one of the most prevalent results of job recruitment scams…money mules. https://securityintelligence.com/articles/beware-the-growing-scourge-of-job-recruitment-scams/
The Rest…
New York man indicted for running a $1.6 million investment scheme. https://www.justice.gov/usao-sdny/pr/former-partner-investment-management-firm-arrested-16-million-investment-fraud-scheme
Deep dive into a ransomware attack. https://www.thefinalhop.com/unmasking-the-blackbyte-ransomware-attack-a-comprehensive-case-study/
Cool Job
Director of Insider Threat - National Football League. https://hdmm.fa.us6.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX/requisitions/preview/230165
Cool Tool
Validate the cellular carrier - https://www.phonevalidator.com/
Irrelevant
Welcome to Florida! Literally. https://www.fox4now.com/news/state/mobil-meth-lab-discovered-at-florida-welcome-center?
I’ve been an Evernote user for years and even paid for the upgraded plan. I tried various note options over the years and always returned to the green elephant, regardless of the ridiculous cost. About two years ago, however, things changed. The fees increased but the new features and usability didn’t. Last year it was revealed the company had been sold to the Italian developer group Bending Spoons. That news prompted me to plan my exit. Over the past few months I’ve moved all of my note taking and knowledge management to Obsidian and Bear Notes. Both applications are fantastic, and I’m upset that it took me this long to make the transition. I’ll consider writing a piece on my note taking workflow if there is community interest.
It is now being reported that Evernote has “laid off” its remaining American workforce and will relocate to Italy entirely. The company claims its plans for the application are “as ambitious as ever”. Maybe, but I won’t be along for the ride, or funding it.
https://www.sfgate.com/tech/article/evernote-layoffs-moving-to-europe-18190083.php
Thank you for reading the newsletter. Please consider sharing it with friends, family, colleagues, even enemies. Feel free to send me comments - good or bad - by replying to the email that delivered the newsletter or at cyfycrime@substack.com.
(Matt)
My favorite new Help Desk diagnosis - PICNIC - “Problem In Chair, Not In Computer”.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.