Threats Without Borders - Issue 140
Cyber-Financial Crime Investigation Newsletter, week ending July 23, 2023
And without fanfare, and with only a simple press release - it’s here. The Federal Reserve’s new instant payment system, FedNow, is live. Investigators at financial institutions just got a collective bout of heartburn - FedNow is live!
Law enforcement is like fed what? What is alive?
Oh, strap in, friends. It’s going to be great. The Fed touts its newest money transfer service - offered alongside traditional ACH and wire services - as:
Always on. With instant payments, transactions are processed 24x7x365, giving fraudsters an opportunity to act at any time of day, any day of the year.
Speed. Instant payments clear and settle immediately and on a transaction-by-transaction basis, not in batches on a predictable schedule.
Irrevocability. When an instant payment is made, it’s final and irrevocable, and the payee can withdraw the funds immediately.
That’s direct from the website of the Federal Reserve.
Catch that? Users can send money 24 hours a day, 7 days a week, every day of the year. The transfers are instant and the receiving party can immediately withdraw the funds. And best of all, there are no recalls. Done is done. The batch delays and recall windows that investigators rely on with ACH and wires are gone.
It’s almost like this was designed to facilitate fraud. I’m sure it wasn’t. It wasn’t right?
If you haven’t familiarized yourself with FraudNow, I mean FedNow, you probably should.
https://www.federalreserve.gov/newsevents/pressreleases/other20230720a.htm
Pay attention
I recently spoke at a business seminar where I met a senior executive of a CPA firm. He reacted to my surprise at the size of the firm by saying “we’re the biggest accounting firm you’ve never heard of”. I can say the exact same thing about distributed denial-of-service attacks (DDoS): they are the most frequent cyber-attacks you have never heard of. Or, if you have heard the term, you had no idea of the scope and impact.
Last week, Cloudflare released its 2023 Q2 DDoS Threat Report. It’s well worth the read, particularly for those who aren’t familiar with the attack. The scary finding is that sustained attacks lasting more than three hours increased by 103% quarter over quarter. No small business can withstand an attack like that on an unprotected website. The report also highlights a new attack mechanism that can launch an assault of 71 MILLION requests per second! Good grief.
https://blog.cloudflare.com/ddos-threat-report-2023-q2/
1 of 10,000
There are 10,000 possible combinations for the traditional four-digit numeric code. While doing some research, I found this older post by data scientist Nick Berry where he examines the probabilities of these PIN code combinations on his Data Genetics blog. I’m sure you can quickly identify the top 20 PINs without much effort, but some of the least frequently used codes might surprise you. http://www.datagenetics.com/blog/september32012/
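The practical takeaway from Berry’s analysis is that a guesser with a handful of attempts before lockout does far better than the 1-in-10,000 odds suggest, because people cluster on a few PINs. The script below is an added example, not code from Berry’s post or from this newsletter; it runs over a constructed, deliberately skewed sample of PINs (not real leaked data) and compares the hit rate of guessing the k most common PINs against the k/10,000 a uniform PIN would give.

```python
from collections import Counter

# Constructed sample (not real data). The skew is deliberate and mimics the
# pattern Berry describes: a few "obvious" PINs dominate, followed by
# birth-year-like values and small numbers, then a long tail.
SAMPLE_PINS = (
    ["1234"] * 110 + ["1111"] * 60 + ["0000"] * 20 + ["1212"] * 12
    + ["7777"] * 7 + ["2580"] * 6 + ["6969"] * 5 + ["1004"] * 5
    + [f"{n:04d}" for n in range(1950, 2010)]   # birth years, one each
    + [f"{n:04d}" for n in range(1, 200, 3)]    # small numbers, one each
)

def pin_frequencies(pins):
    """(pin, count) pairs sorted by frequency, most common first."""
    return Counter(pins).most_common()

def top_k_coverage(pins, k):
    """Fraction of observed PINs an attacker hits by trying only the k most
    common PINs from the population statistics."""
    ranked = pin_frequencies(pins)
    hits = sum(count for _, count in ranked[:k])
    return hits / len(pins)

def uniform_coverage(k, digits=4):
    """Hit rate for k blind guesses if every PIN were equally likely."""
    return k / 10 ** digits

def guess_report(pins, budget):
    """Summarise what a lockout policy of `budget` attempts leaves to an
    attacker who knows the population statistics versus one who does not."""
    return {
        "budget": budget,
        "observed_hit_rate": round(top_k_coverage(pins, budget), 4),
        "uniform_hit_rate": uniform_coverage(budget),
        "top_guesses": [p for p, _ in pin_frequencies(pins)[:budget]],
    }

if __name__ == "__main__":
    # Typical card/lockout budgets: 1, 3 and 5 attempts, plus Berry's top 20.
    for budget in (1, 3, 5, 20):
        print(guess_report(SAMPLE_PINS, budget))
```

On the constructed sample, three guesses hit over half of the PINs; against a uniform distribution the same three guesses would succeed 0.03% of the time. That gap is why the interesting question for a fraud investigator is not "how many combinations exist" but "how many attempts did the terminal or app allow".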
Taken down from the inside
We spend so much time coaching small businesses and non-profits to protect themselves from outside threats when they should be equally worried about the enemy within. A woman has been charged with stealing over $250,000 from the San Francisco non-profit organization where she worked as “Director of Operations”. Over the course of the fraud she issued herself 119 checks. Ah, internal controls went where? With whom? https://www.justice.gov/usao-ndca/pr/east-bay-resident-charged-fraud-alleged-quarter-million-dollar-embezzlement-scheme
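The control that is missing in a case like this is segregation of duties: the person who cuts a check should not be able to make it payable to themselves or approve it alone. The snippet below is an added example, not code from the newsletter or from the case; it runs three simple rules over a constructed check register (the staff names, amounts and threshold are assumptions) of the kind a bookkeeper or auditor could pull from any small accounting system.

```python
from collections import defaultdict

# Constructed check register (not the real case). `issued_by` is the staff
# login that cut the check; `approved_by` is the second signer, if any.
CHECK_REGISTER = [
    {"check_no": 1001, "issued_by": "ops_director", "payee": "Landlord LLC",
     "amount": 4200.00, "approved_by": "exec_director"},
    {"check_no": 1002, "issued_by": "ops_director", "payee": "J. Doe",
     "amount": 2150.00, "approved_by": None},
    {"check_no": 1003, "issued_by": "ops_director", "payee": "J. Doe",
     "amount": 1980.00, "approved_by": "ops_director"},
    {"check_no": 1004, "issued_by": "bookkeeper", "payee": "Office Supply",
     "amount": 310.00, "approved_by": "ops_director"},
    {"check_no": 1005, "issued_by": "ops_director", "payee": "J. Doe",
     "amount": 2400.00, "approved_by": None},
]

# Assumed mapping from system login to the name that appears on a check.
STAFF = {"ops_director": "J. Doe", "bookkeeper": "A. Smith",
         "exec_director": "R. Lee"}

def flag_checks(register, staff, dual_control_threshold=1000.00):
    """Return (check_no, reason) pairs for three segregation-of-duties
    violations: payee is the issuing employee, issuer approved their own
    check, and a check at or over the threshold with no second approver."""
    findings = []
    for c in register:
        if staff.get(c["issued_by"]) == c["payee"]:
            findings.append((c["check_no"], "payee is the issuing employee"))
        if c["approved_by"] is not None and c["approved_by"] == c["issued_by"]:
            findings.append((c["check_no"], "self-approved"))
        if c["amount"] >= dual_control_threshold and not c["approved_by"]:
            findings.append((c["check_no"], "over threshold without second approver"))
    return findings

def payee_totals(register):
    """Count and total amount per payee; repeated payments to one
    individual are the first thing an examiner sorts by."""
    totals = defaultdict(lambda: [0, 0.0])
    for c in register:
        totals[c["payee"]][0] += 1
        totals[c["payee"]][1] += c["amount"]
    return {p: (n, round(t, 2)) for p, (n, t) in totals.items()}

if __name__ == "__main__":
    for check_no, reason in flag_checks(CHECK_REGISTER, STAFF):
        print(f"check {check_no}: {reason}")
    print(payee_totals(CHECK_REGISTER))
```

None of these rules is clever; the point is that a non-profit with a single authorised signer has no one positioned to run them, and 119 checks is what that looks like over time.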
NCET is here to stay
Two years ago, the U.S. Department of Justice created the National Cryptocurrency Enforcement Team (NCET). Last week, the DOJ announced it will become a permanent team within the Criminal Division. Business is booming. https://bitcoinist.com/us-doj-focus-on-crypto-crime-new-enforcement-team/
You’re hired, now buy your own supplies
This article in The Record expands on research by Proofpoint examining a group of attackers targeting recent college graduates with science degrees. The attackers conduct faux hiring processes, including interviews and background checks. Eventually the soon-to-be victim is “hired” and given a list of technical equipment they will need for the job. Yep, the new employee needs to pay the vendor for the equipment up front, and the company will reimburse them with the first paycheck. Too bad the equipment never arrives, and neither does the first paycheck. https://therecord.media/scammers-are-targeting-college-kids
The Rest…
The FBI issued an alert concerning tech-support scammers using delivery services to collect cash from victims. https://www.ic3.gov/Media/Y2023/PSA230718
Visa believes they know the top five payment security trends. https://usa.visa.com/visa-everywhere/blog/bdp/2023/07/12/top-5-trends-1689206366692.html
INKY details a new Phish-Kit that will be coming to an inbox near you! https://www.inky.com/en/blog/fresh-phish-html-smuggling-made-easy-thanks-to-a-new-dark-web-phish-kit
Pennsylvania medical group lost the personal data of somewhere between 500 and 2000 patients. https://www.pennlive.com/news/2023/07/data-breach-affects-patients-from-central-pa-orthopedic-group.html
Cool Tool
Do some maths. https://calcforme.com/
What make was that car? https://car-logos.net/
Cool Job(s)
Director of Security - Sacramento Kings (Sorry - you must move to California) https://kings.wd1.myworkdayjobs.com/KingsCareers/job/Sacramento-Office/Director--Security_R629
Head of Special Investigations Unit - Chubb (Sorry - Chicago or Jersey) https://careers.chubb.com/global/en/job/CIHIGLOBAL355497EXTERNALENGLOBAL/Vice-President-Head-of-Special-Investigations-Unit
Irrelevant
“Regrettable” is a sliding scale. A magical time for those of us who lived this. https://rarehistoricalphotos.com/ugly-fashion-trends-1980s/
There is a saying that goes something like “What is the definition of an expert? Someone 20 miles from home with a PowerPoint show”. The gist of this is that you’re rarely recognized as an expert by your own people. I experienced this several times while in law enforcement, a lot actually, where those close to me would seek others’ advice over mine or claim “well, so-and-so said this…and he’s really on it”. The worst was “I just read on the Internet…”. It was like the old Internet meme…I’m right here.
Maybe it was my fault because I was always so cautious with self-promotion. A mentor once told me, “If someone calls themselves an expert…they’re probably not”. Evidence of this phenomenon can be found around every LinkedIn corner. An updated version could probably be…a podcast does not an expert make.
Anyway, my point in all this is that I recently saw a really smart friend get backdoored by some of his colleagues for another “expert”. Maybe the other guy is qualified, I don’t know him, but I know my friend absolutely is an expert, and he was overlooked because he lives with the management and not 20 miles away. Sometimes we take for granted what is so easily accessible.
How about we start recognizing those close to us for the knowledge and expertise they possess. Give a hat-tip to your co-workers who work really hard at their craft. Let’s support home-grown talent before we go seeking someone claiming to be an expert because they have some ambiguous experience, a glamour-shot profile pic, and a podcast.
Or a half-assed newsletter :)
Matt
“NOBODY IS TOO BUSY; IT’S JUST A MATTER OF PRIORITIES.” - Someone listening to me explain why I don’t exercise.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.