Threats Without Borders - Issue 165
Cybercrime Investigation Newsletter, Week ending January 14, 2024
In last week’s newsletter (Issue 164), I mentioned a report by security vendor Emsisoft that called for an international ban on ransomware payments.
Those calling for these bans do so from a place of luxury. It makes sense if you only look at the data - the security analyst who never leaves the office, the academic who never leaves the classroom, or the law enforcement manager who sits three layers backstage and only knows what they read from finalized reports.
Those who have experienced this event from the front lines know the truth. They have seen the pain in the face of a small business owner as he realizes his life’s work is burning down, and that his options are few: no data backups, no incident response team, no disaster recovery plan, and no insurance. How do you look that guy in the face and say, “Well, whatever you do, don’t pay the ransom”?
In some cases, businesses face the difficult decision to either pay the ransom or shut down.
So, why is paying the ransom so bad? Why are law enforcement and security professionals so adamant that ransom demands never get satisfied, even if it’s in the victim's best interest?
On the face of it, paying the ransom rewards the bad guys for engaging in deviant anti-social behavior.
On a deeper level, paying the ransom perpetuates the problem. Ransomware operators are no different than Skinner’s rats. In the late 1930s, psychologist B.F. Skinner proposed his theory of operant conditioning, a form of learning that occurs through rewards and punishment for behavior. Through the process, an individual (or animal) comes to associate a particular behavior with a consequence. Skinner famously demonstrated this with an experiment using rats and a specially designed box that later became known as the Skinner Box. The box had a lever that a rat could push. When the lever was pushed, the rat was rewarded with food. The rats quickly learned to associate pushing the lever with food. The more they pushed the lever, the more they were fed.
Rats push the lever to get the reward. Ransomware actors attack innocent organizations to get the reward. I believe it's a suitable analogy.
There is no doubt that small and medium business owners are caught between the proverbial rock and a hard place when confronting a ransomware attack on their network. Unlike large businesses and expansive corporations, they are unlikely to have a dedicated security team. In fact, they are lucky to have a single person there to keep the Internet connected and the printers online. A dedicated IT security person is an unthinkable comfort. And backups? The Office Manager copied an Excel spreadsheet of the client listing to a USB thumb drive a few months ago. It is on his desk. Or maybe in his winter coat pocket.
It is entirely understandable why a business leader makes the ransom payment. In most cases, they are out of options and desperate. They wouldn’t pay thousands or hundreds of thousands of dollars if they had some choice. But they don’t, so there they are.
I agree that we shouldn’t be financially rewarding the ransomware criminals. However, surrendering will remain an unfortunate reality until we can get all our organizations, particularly SMBs and non-profits, engaged in proactive ransomware prevention efforts.
Outlawing ransomware payments will only turn small business owners into criminals as they have to choose between paying or going out of business.
Some News…
A New Jersey man has been charged after he (allegedly) stole $3 million from an elderly couple who hired him as a “personal assistant”. “Prosecutors allege that between March 2022 and March 2023, Gallo misappropriated $2.9 million of the couple’s funds by making credit card purchases, withdrawing money from ATMs with their debit cards, cashing checks made payable to himself from their bank accounts and opening a line of credit in their names”. Where was the watcher - family, banker, financial advisor, social group? That’s three million dollars pulled from their account in one year! Someone had to notice. https://www.pennlive.com/crime/2024/01/personal-assistant-stole-nearly-3m-from-elderly-nj-couple-prosecutors.html
The industry has grossly underestimated the capability of “Info-Stealer” style malware. Even at my place of work, there is division on using the web browser as a password manager - ah, no. Atomic Stealer has been updated, and it’s more dangerous than ever. Malwarebytes goes all in to describe how this stealer attacks macOS. https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version
I suspect this isn’t just a Texas problem. The City of Houston has warned residents of an ongoing scam involving fraudulent “pay to park” websites disguised as the city’s parking application. The fake websites spoof the legitimate Park Houston and Park Mobile services. The city of Austin has also been attacked. https://www.houstonpublicmedia.org/articles/news/city-of-houston/2024/01/12/474427/city-of-houston-warns-residents-of-parkhouston-scam-websites/
The “2023 NSA Cybersecurity Year in Review” report has been released. Meh. Nice report, but it seems more like a sales pitch. I have trust issues with the agency, but the report is worth a 2-minute review. https://media.defense.gov/2023/Dec/19/2003362479/-1/-1/0/NSA%202023%20Cybersecurity%20Year%20In%20Review.PDF
In November, Fidelity National Financial suffered a security incident consisting of a network intrusion and exfiltration of data. Last week, they filed an updated 8-K with the SEC, which noted, “The Company has identified and analyzed the nature and scope of the affected systems and data. The Company has notified its affected customers and applicable state attorneys general and regulators, and approximately 1.3 million potentially impacted consumers”. 1.3 MILLION customers affected. Wow. https://www.investor.fnf.com/static-files/09cb8680-8080-4e57-9253-fb83687705c5
They also exploited the Chattr.ai application and all of your favorite fast-food restaurants in the process. Luckily, these hackers wear the right colored hat. https://mrbruh.com/chattr/
Cool Tool
They claim to be the “biggest database of scams”. Maybe. https://www.scamadviser.com/
Cool Job
Director, Global Fraud Risk - Rippling. https://ats.rippling.com/rippling/jobs/50fd5776-1df6-466f-8e41-4a5a3e5ad0f1?
Senior Security Analyst - PGA Tour. https://pgatour.wd5.myworkdayjobs.com/PGATOURExternal/job/PGA-TOUR-Global-Home---Ponte-Vedra-Beach-FL/Senior-Security-Analyst_R009812
Homophones are hard
Wane - To decrease gradually in size, number, strength, or intensity
Wain - A large open farm wagon
Gamers (and parents of gamers)
The Federal Trade Commission has extended the deadline for Fortnite gamers and their parents or guardians to submit a claim for compensation from the agency’s 2023 settlement with Epic Games over allegations that the video game maker used dark patterns and other deceptive practices to trick players into making unwanted purchases. The new deadline is February 29, 2024. https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-extends-deadline-fortnite-players-request-refunds-unwanted-items
Yes, I’d love to speak at your event. My calendar fills quickly, so contact me sooner rather than later. Last year, I had to decline several offers due to scheduling conflicts.
Thank you for being a reader!
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.