Threats Without Borders - Issue 149
Cyber-Financial Crime Investigation Newsletter, week ending September 24, 2023
My organization investigated an account compromise this week that led us to believe the customer's computer was infected by “infostealer” malware. Our primary goal is to ensure the customer's account is secure from tampering and unauthorized financial transfers. This is accomplished by removing access to the account from the Internet and limiting functionality until we are sure the compromise is controlled. We are not an incident response firm, so we do not perform digital forensics or remediation on the victim’s computers. We do, however, communicate with the customer’s IT or DFIR provider in most cases.
An infostealer is a type of malware designed to steal sensitive information from a computer, including login credentials, banking information, and other personal data, and send it back to the attacker. Infostealers are spread through malicious attachments, infected or lookalike websites, and malicious browser add-ons. Once an infostealer runs on a computer, it collects data from web browsers, email clients, social media platforms, and gaming apps; the browser profile (saved passwords, autofill data, and cookies) is usually the most valuable haul.
In this incident, it appeared the victim's credentials were obtained through an attack on the web browser. When an infostealer targets a web browser, it takes the saved passwords, browsing history, and cookies stored in the browser's profile. The theft of session cookies is particularly dangerous: a valid session cookie lets the attacker walk straight into the victim's online accounts, banking and social media included, without ever typing the password.
One of the main targets of an infostealer is the authentication (session) cookie. Threat actors use a stolen cookie in what is called a "pass-the-cookie" attack. When a user logs into a website, the server creates a session and hands the browser a cookie that identifies it; the browser sends that cookie with every later request, which is what lets the user stay logged in without re-entering a username and password each visit. The cookie is a bearer token: the site trusts whoever presents it. An attacker who copies the cookie into their own browser is treated as the already-authenticated user, with no password prompt and, because the cookie was issued after the login (including any MFA step) completed, no MFA prompt either. Two consequences matter for investigators: changing the password does nothing to a session that is already established, so the site must revoke the session server-side for the stolen cookie to stop working, and the cookie remains usable until it expires or is revoked, which for "remember me" sessions can be weeks.
Unfortunately, I can’t provide specifics of the attack, but it seems likely, based on the victim's observations, that their system was compromised by an infostealer. This infection allowed the attackers to obtain various session cookies, including authentication cookies,
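The pass-the-cookie pattern is easiest to see from the server's side of the session. The following is an added example, not code from the original newsletter or from any vendor it mentions: a small Python script that parses a constructed access log, hashes each session cookie so the raw bearer token never lands in a report, and flags any session whose cookie is later presented by a different client (IP address and User-Agent) than the one that logged in. The log format, the field layout, the severity policy and the sample traffic are all assumptions of this example.

```python
from __future__ import annotations

import hashlib
from datetime import datetime, timezone

# Constructed sample access log for this example (not real traffic).
# Pipe-delimited: timestamp | raw session cookie value | client IP | User-Agent | path
SAMPLE_LOG = """\
2023-09-19T14:02:11Z|a1b2c3d4e5f6a7b8|203.0.113.25|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0|/login
2023-09-19T14:03:40Z|a1b2c3d4e5f6a7b8|203.0.113.25|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0|/accounts
2023-09-19T14:05:02Z|a1b2c3d4e5f6a7b8|203.0.113.25|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0|/transfer
2023-09-19T21:47:13Z|a1b2c3d4e5f6a7b8|198.51.100.77|Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0|/accounts
2023-09-19T21:47:55Z|a1b2c3d4e5f6a7b8|198.51.100.77|Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0|/transfer
2023-09-19T15:10:00Z|ffeeddccbbaa9988|192.0.2.10|Mozilla/5.0 (iPhone; CPU iPhone OS 16_6) Safari/604.1|/login
2023-09-19T15:25:30Z|ffeeddccbbaa9988|192.0.2.44|Mozilla/5.0 (iPhone; CPU iPhone OS 16_6) Safari/604.1|/accounts
2023-09-19T16:00:00Z|1122334455667788|203.0.113.90|Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1|/login
2023-09-19T16:01:00Z|1122334455667788|203.0.113.90|Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1|/accounts
"""


def session_ref(cookie_value: str) -> str:
    """Stable, non-reversible reference for a session cookie.

    Findings can be correlated by this value without the bearer token
    itself being copied into tickets or reports.
    """
    return hashlib.sha256(cookie_value.encode()).hexdigest()[:12]


def parse_log(text: str) -> list[dict]:
    """Parse the pipe-delimited sample format into event dicts (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, cookie, ip, ua, path = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "session": session_ref(cookie),
            "ip": ip,
            "ua": ua,
            "path": path,
        })
    return events


def detect_cookie_replay(events: list[dict]) -> list[dict]:
    """Flag sessions whose cookie is presented by a client that does not
    match the client that established the session.

    Severity policy (an assumption of this example, tune for your traffic):
      high   - both IP and User-Agent differ from the login client
      medium - User-Agent differs (a browser rarely changes mid-session)
      low    - only the IP differs (common on mobile and roaming networks)
    One finding is raised per session, at the first deviating request, and it
    lists every path the deviating client touched so an investigator can see
    what the replayed session was used for.
    """
    by_session: dict[str, list[dict]] = {}
    for e in events:
        by_session.setdefault(e["session"], []).append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        origin = evs[0]  # the request that established the session
        for e in evs[1:]:
            ip_changed = e["ip"] != origin["ip"]
            ua_changed = e["ua"] != origin["ua"]
            if not (ip_changed or ua_changed):
                continue
            severity = "high" if ip_changed and ua_changed else ("medium" if ua_changed else "low")
            findings.append({
                "session": sid,
                "severity": severity,
                "origin_ip": origin["ip"],
                "origin_ua": origin["ua"],
                "seen_from_ip": e["ip"],
                "seen_from_ua": e["ua"],
                "at": e["ts"].isoformat(),
                "hours_since_login": round((e["ts"] - origin["ts"]).total_seconds() / 3600, 2),
                "paths": [x["path"] for x in evs if x["ip"] == e["ip"] and x["ua"] == e["ua"]],
            })
            break
    return findings


if __name__ == "__main__":
    for f in detect_cookie_replay(parse_log(SAMPLE_LOG)):
        print(f"[{f['severity'].upper()}] session {f['session']} replayed from "
              f"{f['seen_from_ip']} ({f['seen_from_ua']}) {f['hours_since_login']}h "
              f"after login from {f['origin_ip']}; paths: {', '.join(f['paths'])}")
```

In the constructed sample, the session established from the Windows/Chrome client at 14:02 is replayed at 21:47 from a Linux/Firefox client on another network and goes straight to /transfer, which is the pattern described above; the iPhone session that only changes IP is rated low because carrier IP churn is normal. A real deployment would add ASN and geolocation lookups to the comparison and, on a high finding, invalidate the session server-side, since that is the only action that actually makes a stolen cookie useless.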
What about strong anti-virus, won’t that detect and stop infostealer malware? Like everything in cybersecurity…maybe.
Here are some helpful links providing additional information about infostealer malware:
https://www.secureworks.com/research/the-growing-threat-from-infostealers
https://www.axios.com/2023/05/19/infostealer-malware-cybersecurity
Sorry Apple fanboys, macOS is a target also!
And it’s probably best that you not use your web browser as a password manager!
Some news…
In last week’s issue, I wrote that not much time would be spent covering the MGM Casino attack...but it’s so rich. The ALPHV/Blackcat threat group took credit for the attack by issuing a series of press releases. Wait, what? Yes, the attackers are running their own media operations and they did a bang-up job at spinning the narrative to place the blame on the victim! And don’t worry, the group promised “if” they stole any data that could be considered Personally Identifiable Information (PII) they would provide it to HaveIBeenPwned.com to be “responsibly disclosed”. Double - wait, what? Jonathan Munshaw summarizes the craziness in the most recent Talos ThreatSource Newsletter. https://blog.talosintelligence.com/threat-source-newsletter-sept-21-23/
Who says crime doesn’t pay? This mother and daughter fraud team stole $339K from a central Pennsylvania credit union and the most severe penalty imposed was one year and one day in prison. Yes, only 366 days in prison for stealing $339,000. Let me do the math… that’s 926 dollars gained, per day in prison. And the daughter received “time served” even though she never spent a day in prison. https://www.pennlive.com/news/2023/09/mother-daughter-asked-what-they-did-with-the-almost-339k-they-stole-from-pa-credit-union.html
Slightly better… this southern California man received a six-year sentence for leading a check fraud ring that netted the group over $1.7 MILLION. As described, “the group used fraudulent documents to obtain other identity documents in order to open bank accounts. Once the accounts were secured, they wrote bad checks to other fraudulently obtained bank accounts while exploiting bank rules that allowed them to transfer money from one account to another.” https://ktla.com/news/local-news/man-stole-over-1-7-million-from-socal-banks-in-check-fraud-scheme/
Vice explores the “epidemic” theft of Kia and Hyundai vehicles. From the article, “Equipped with only a screwdriver and a USB cord and watching one or two tutorials, pretty much anyone can steal a Kia or Hyundai”. The statistics are astounding really. https://www.vice.com/en/article/pkaq9z/us-cities-have-a-staggering-problem-of-kia-and-hyundai-thefts-this-data-shows-it
ZeroFox published their 2023 Phishing Trends Report. I gave up my personal information to a sales person so you don’t have to. https://get.zerofox.com/rs/143-DHV-007/images/ZeroFox-Intelligence-Assessment-2023-Phishing-Trends-Report.pdf
And even more future sales calls for me. Coalition released their mid-year 2023 Cyber-Claims Report. The company makes great use of graphics and charts in their reports. They present the information so well that even a dunce like me understands. https://info.coalitioninc.com/rs/566-KWJ-784/images/Coalition_2023-Claims-Mid-Year-Update.pdf
Say it all with me: “Where were the controls?”. How can a nurse practitioner fraudulently bill Medicare for more than $200 million in orthotic braces and genetic tests that were medically unnecessary??? How does the fraud reach $200 million before someone starts to pay attention? Good grief. Thankfully, someone did finally catch on and this week the fraudster was convicted in Florida. https://www.cnbc.com/2023/09/21/florida-nurse-practitioner-convicted-in-200-million-medicare-fraud-scheme.html
Cool Jobs
Director of Fraud Prevention - Bilt Rewards. https://boards.greenhouse.io/biltrewards/jobs/4737768004
Cool Tools
Username search - https://www.idcrawl.com/username
A better online dictionary - https://www.wordnik.com/
MAC address look-up tool - https://maclookup.app/search
Irrelevant
A throw-back to when Sam Altman told us all how to be successful. https://blog.samaltman.com/how-to-be-successful
Substack released an updated version of their smart device application (Reader 2.0) and it’s really good. In fact, I find using the app on my iPad is the most enjoyable way to digest the daily posts from my subscription list. And the best thing about using the app - there’s no need to worry about your crappy free email service dropping the newsletter email. Get the app today and see all that the Substack platform has to offer! https://substack.com/app
Thank you for reading this week’s issue. Please consider sharing it with colleagues!
See you next Tuesday.
Matt
Hofstadter's Law: It always takes longer than you expect, even when you take into account Hofstadter's Law.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.