Threats Without Borders - Issue 151
Cyber-Financial Crime Investigations Newsletter, Week ending October 8, 2023
Welcome to Issue 151 of the Threats Without Borders newsletter.
I was reviewing the syllabus for a "Cybercrime Investigation" class offered at a local university and found a "required reading" book was one that I had sitting on the bookshelf. I pulled the book off the shelf to see it was published in 2016. How time flies!
And that's the problem, time continues on - and fast. This particular book was cutting-edge when it was published seven years ago. It's certainly no longer sufficient.
For instance, it dedicates three short paragraphs for Dedicated Denial of Service Attacks (DDOS). Any cybercrime/cybersecurity book published today could easily devote an entire chapter to the subject.
Our world moves quickly, and the specifics of our chosen study change even faster. It takes a dedicated and diligent effort to stay on top of it.
On an aside, for those considering the academic study of cyber(ish) things: Research the instructors at your institution of higher learning. Are they active in the field outside of the classroom? Do they have industry experience? Will they make you read outdated textbooks because they don't know any better? And always choose the class of an adjunct who is actively working in the field over a pipeline Ph.D.
Some News…
The Federal Trade Commission (FTC) issued a “Data Spotlight” report revealing consumers had been scammed out of 2.7 BILLION dollars through social media platforms between January 2021 and June 2023. We know that most people don’t report their victimization to any governmental organization so the loss never makes it to the FTC’s calculations. The actual financial loss is much worse than this report shows. Ugh. Highlight from the report: 44% of the victims were trying to purchase something through a social media marketplace - with most starting through an advertisement on Facebook or Instagram. https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2023/10/social-media-golden-goose-scammers
Business leaders who balk at the price of security should stop to consider the alternative. MGM Resorts International is learning that lesson the hard way as the company's recent cyber attack is expected to reach 100 million dollars in costs. Of course, the cause was the successful social engineering of the employee help desk so it’s hard to say if hardware or software solutions would have stopped the attack. But I wonder how much awareness training the help-desk staff received? Or didn’t receive because it was deemed too expensive. I’m sure the cost was way less than 100 Million Dollars! https://www.reuters.com/business/mgm-expects-cybersecurity-issue-negatively-impact-third-quarter-earnings-2023-10-05/
Data stolen from genetics firm 23andMe is being sold in underground markets but the company claims it’s systems has not been breached. The breach appears to be the result of successful credential stuffing attacks. The attackers are offering full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location of the exposed individuals. https://www.bleepingcomputer.com/news/security/genetics-firm-23andme-says-user-data-stolen-in-credential-stuffing-attack/
Not every Pit Bull will bite you, but you need to be cautious when being introduced to one. Not every every email from Microsoft or PayPal is a phishing email but you still need to be cautious when receiving one. The two companies lead the category of most widely impersonated in phishing attacks. Abnormal Security examines the top-ten. https://intelligence.abnormalsecurity.com/blog/credential-phishing-trends-2023
This article is so poorly written that it leaves a lot to be desired… but the underlying premise is concerning. How are they hacking gas pumps with Bluetooth technology? Or was it done through some other hack and wrongly attributed to BT? Maybe with a FlipperZero? Regardless, it’s something to be watching for further information. https://www.fox2detroit.com/news/detroit-man-steals-800-gallons-using-bluetooth-to-hack-gas-pumps-at-station
The Pennsylvania Realtors Association warned of a scam where people are falsely representing themselves as the owners of vacant land in order to sell the land. I understand scams trying to lease the land, or rent a property on the land, but exactly how are you going to pull off selling a property that you don’t own? I guess it can happen but it seems a smart real estate agent and a thorough title search would stop this pretty quickly. But, I’m never surprised. https://www.parealtors.org/blog/land-scams-increase-as-criminals-pose-as-owners/
This investment advisor admitted to a federal court that we was involved in a “Cherry Picking Scheme”. What? Never heard of it! Luckily the U.S. Attorney’s Office explained the offense in their press release: “Cherry-picking is a fraudulent securities trading practice in which the responsible individual executes trades without assigning those trades to a particular trading account until the individual determines whether or not the trade has become profitable or suffered losses. The responsible individual then allocates the profitable trades to favored accounts – often the individual’s own accounts – and assigns unprofitable trades to disfavored client accounts.”. Now that we all know what it is…we can appreciate this guy netted 2.7 million dollars from it. https://www.justice.gov/usao-ct/pr/connecticut-investment-advisor-admits-defrauding-clients-27-million-through-cherry
Pro-tip for those that are supposed to refrain from the use of modern technology - know when FEMA is going to issue a National Alert test! https://www.complex.com/life/a/joshua-espinoza/amish-men-shunned-emergency-alert-test
Cool Tool
Let AI show you a different viewpoint. https://www.noecho.news/
Cool Job
Information Security Specialists 1 (entry-level) - Commonwealth of Pennsylvania. https://www.governmentjobs.com/careers/pabureau/jobs/4228048/information-security-specialist-1
Irrelevant
Boston Red Sox fan visits all 30 Major League Baseball parks ranks them based on his experience as a visitor. I’m happy to say we agree on the best ball park in America. https://bosoxinjection.com/posts/mlb-ballparks-ranked-where-does-fenway-park-stand-among-all-30-01hc1cby1ctg
Pray for the people of Israel.
Pray for the people of Ukraine.
Stay safe,
Matt
“Hours don't equal output.”
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.