Threats Without Borders - Issue 147
Cyber-Financial Crime Newsletter, Week ending September 10, 2023
A slogan within the computer and network forensics world is the phrase "Know Normal". You must know what your computer system looks like in a normal state so you will be able to quickly recognize when something is abnormal. This concept has been popularized by the computer security training organization SANS Institute and instructed in several of their courses. The concept is not hard to grasp and is based on simple common sense. How can you know if an attacker is making changes in your computer network if you don't know what your computer network should look like? Is that an authorized user? Is that file part of the system and why is it here? Is that a normal application running inside of Windows? Do we as a business use this software? If you don't know what should be going on within your network, you will never know when something bad is going on within your network.
This concept is nothing new within the science of policing and has been passed down from one generation of patrol officers to the next. It's an early lesson taught during the field training program. Maybe not in such a formalized way as SANS instructs it, but a lesson that quickly becomes reinforced by real-world application. I suspect that someone within the SANS organization adapted it, rightly so, to fit the computer network security field.
In general, police patrol officers are given areas of concern. Whether called a beat, zone, or sector, it's a geographic area of primary responsibility. An officer will spend a lot of time in that area. Usually eight and sometimes 12 hours per day depending on the scheduling of the agency. That is a lot of time to watch the regular happenings of a small piece of the world. Officers get to know how the area works as a functioning micro community set aside from the larger society as a whole. When the UPS driver comes every day. What time do the businesses open and close? What businesses get early or late deliveries? Who are the vagrants, beggars, and bums, and where do they like to be during the day and sleep at night?
It gets even more granular in the residential neighborhoods. Drive through any neighborhood with a good cop and they can tell you who lives where, who is having marital problems, who stays up late, and who leaves early for work. They know what cars people drive and likewise when a strange vehicle is parked on a given street.
Good patrol officers know what their beat looks like under normal conditions and quickly recognize when something is out of time and place. A vehicle is parked behind a business when it shouldn't be. A person walking down an alley who is not from the area. When a light is on inside a business that normally is dark at 1 am.
This can easily be adapted to fraud prevention at any organization. The person in control of the finances should know how much gets spent each month. What vendors are being used and how they are paid? Abnormalities and excesses should quickly be spotted. Someone should be asking, “We usually send large cash transfers through ACH wire, why did we just send a Western Union?” Someone should be reviewing employees' purchases to know who buys what. Sam only charged $350 to his corporate credit last year, what did he just purchase for $3000?
As fraud prevention and cybersecurity practitioners, we should all be working within this framework. And for law enforcement - take the time to educate small businesses and nonprofit organizations as you interact with them daily. Hopefully, pre-victimization so you don’t have to meet them post-victimization.
Know normal - so you recognize when it isn't.
Email attack vector identified
Researchers at the University of California - San Diego have released their findings that attackers can utilize a flaw on how email forwards to another recipient to impersonate domains. They call the attack “forwarding-based spoofing”. The researchers found they can send email messages impersonating well known organizations and bypass the security deployed by email providers such as Gmail and Outlook. The research shows that “more than 12 percent of the Alexa 100K most popular email domains–the most popular domains on the Internet– are vulnerable to this attack”. https://today.ucsd.edu/story/forwarding_based_spoofing
FTC gaps Turbotax
An administrative law judge of the Federal Trade Commission has ruled Intuit misled consumers when it advertised it’s Turbotax service as “free”. The judge ruled “Intuit “deceived consumers” and “engaged in deceptive advertising.” I guess I’m going to do a bit of victim blaming here…but how far do we go to protect the stupid? Did you really think a company was going to give you their entire service for free? How long would a tax-preparation company stay in business if they gave you their software, and filing service, for absolutely no payment in return? Of course, you have to pay for something! I don’t like when companies play marekting games and engage in shady advertising, but if you thought this service was actually FREE… https://www.theverge.com/2023/9/8/23864538/turbotax-intuit-ftc-deceptive-practices-free-tax-filing
Gone Phishing
GroupIB has identified a phishkit that targets Microsoft O365 credentials and has the ability to bypass multi-factor authentication. Group-IB investigators believe the phishkit has been used to target over 56,000 corporate Microsoft 365 accounts in the USA, Australia and Europe between October 2022 and July 2023. https://www.group-ib.com/media-center/press-releases/w3ll-phishing-report/
Your car knows what you do
Mozilla, the web browser company, has released a new report on how vehicles abuse their owners privacy. The report titled “Privacy Not Included” examines how 25 different car manufacturers abuse their customers privacy through the infotainment systems. Mozilla refers to the vehicles as “Privacy Nightmares on Wheels”. https://foundation.mozilla.org/en/blog/privacy-nightmare-on-wheels-every-car-brand-reviewed-by-mozilla-including-ford-volkswagen-and-toyota-flunks-privacy-test/
The Rest…
ATM Jacking with a Raspberry Pi in Texas. https://www.tripwire.com/state-of-security/thousands-dollars-stolen-texas-atms-using-raspberry-pi
NIST released it’s first public draft of the Cybersecurity Framework 2.0. https://www.nist.gov/system/files/documents/2023/08/07/CSF%202.0%20Core%20with%20Examples%20Discussion%20Draft%5B74%5D.pdf
YES, Apple computers get malware! Stop saying macOS is safer because it doesn’t get viruses. https://www.reliaquest.com/blog/5-macos-infostealers/
Cool Job
Manager of Financial Fraud and Security - The Walt Disney Company. https://jobs.disneycareers.com/job/-/-/391/53655069008
Cool Tool
A comprehensive toolkit for conducting web reconnaissance with precision and efficiency. https://github.com/spyboy-productions/omnisci3nt
Free and Open-Source web based video calling. Talk - https://tlk.li/
Irrelevant
Photographer captures giant jets of lighting shooting out of a tropical storm. https://petapixel.com/2023/09/11/photographer-captures-gigantic-jets-of-lightning-shooting-above-tropical-storm/
Thanks for opening the email and reading this weeks issue. Feel free to reply back to the delivery email to give feedback. Good or bad - I’ll take it.
See you next week!
Matt
“WE OFTEN TAKE FOR GRANTED THE THINGS THAT MOST DESERVE OUR GRATITUDE.”
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.