Threats Without Borders - Issue 179
Cybercrime Investigation Newsletter, week ending April 21, 2024
For some time, my security awareness training has included phishing emails related to "callback fraud." However, the responses to a LinkedIn post I made last week have led me to believe it may not be as widely known as I thought.
Email providers such as Gmail, Yahoo, and Outlook have gotten good at blocking these messages, but attackers occasionally craft one well enough to get through the fences. One such message is this email that arrived in my Gmail inbox:
We’ve termed the attack “Callback Fraud” because the sender intends to get the receiver to call them, or at least the malicious call center. The attack abuses the psychological fear of being charged for a product you didn’t want and certainly didn’t need. The emails come in different flavors, but the most prevalent themes have been a purchase for an antivirus subscription, pest extermination services, or, in this case, cryptocurrency.
This bait email is written well enough on the front and back end to bypass Google's defenses and land in my inbox. Regardless, a detailed look at the message reveals several red flags:
PayPal would never send out invoices from a Gmail address.
Incorrect grammar and awkward sentences.
Prominent display of the support phone number – a visual cue that you have an out.
The salutation is “Dear (email address)” and not “Dear (customer name)”.
PayPal and Coinbase are wholly different companies. PayPal would only know the transaction price, not the product purchased, in this case, “BTC.”
Why would a merchant suggest you cancel an order and place the notice in such a prominent area of the email? Usually, this information is buried in the fine print. This is a psychological trigger that signals you can cancel the order easily.
The email ends with the phone number, so you don’t have to think twice about what number to call.
The message's composition is perfectly designed to trigger the recipient’s fear of being charged for an unwanted product and then provide an easy method to alleviate the stress.
When you call the phone number, a very polite customer service representative is all too willing to cancel the transaction. All you need to do is confirm your credit card information!
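The red flags listed above can be turned into a simple triage heuristic for a mail filter or an analyst's inbox review. The following Python script is an added example, not code from the newsletter: it parses a message with the standard library, checks for a brand name sent from a consumer webmail domain, a salutation that addresses the mailbox instead of a customer name, repeated phone numbers, cancel/refund urgency wording, and unrelated brands mixed into one invoice, then returns a score. Both sample messages are constructed for this example (the sender addresses and the 555-prefixed phone number are invented), and the brand and free-mail lists are illustrative assumptions you would tune for your own environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the callback-fraud pattern described above.
# Sender, recipient, amount and phone number are all invented.
SAMPLE_EMAIL = """\
From: PayPal Billing <paypal.billing.notice@gmail.com>
To: victim@example.com
Subject: Your invoice for BTC purchase

Dear victim@example.com,

Thank you for your purchase of BTC for $589.99 through Coinbase.
If this transaction was unauthorised, cancel it immediately by calling
our support team at +1 (800) 555-0143.

Support: +1 (800) 555-0143
"""

# Constructed benign receipt for contrast: brand domain, real name, no phone number.
LEGIT_EMAIL = """\
From: PayPal <service@paypal.com>
To: jane@example.com
Subject: Your PayPal receipt

Dear Jane Doe,

Your payment of $12.00 to Example Store was completed.
You can view the details by signing in to your account.
"""

# Assumed lists: brands that never bill from consumer webmail, and common webmail domains.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
BRANDS = ("paypal", "coinbase", "amazon", "norton", "mcafee", "geek squad")

# North American phone number with optional country code and separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Wording that supplies the "easy out" the lure relies on.
URGENCY_RE = re.compile(r"\b(cancel|refund|unauthori[sz]ed|immediately|within 24 hours)\b", re.I)


def score_callback_fraud(raw: str) -> dict:
    """Parse one RFC 822 message and return the red flags it triggers plus a score."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = {}

    # 1. A brand is named in the display name or body, but the sender is free webmail.
    claimed = [b for b in BRANDS if b in (display + " " + text).lower()]
    if claimed and domain in FREEMAIL_DOMAINS:
        flags["brand_from_freemail"] = f"{claimed[0]} via {domain}"

    # 2. Salutation addresses the mailbox rather than a customer name.
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    if to_addr and re.search(r"dear\s+" + re.escape(to_addr), body, re.I):
        flags["salutation_is_email"] = to_addr

    # 3. Phone numbers in the body; callback fraud wants a call, not a click.
    phones = PHONE_RE.findall(body)
    if phones:
        flags["phone_numbers"] = len(phones)

    # 4. Prominent cancel/refund/urgency language.
    urgency = URGENCY_RE.findall(body)
    if urgency:
        flags["urgency_terms"] = sorted({u.lower() for u in urgency})

    # 5. Two unrelated brands on a single invoice (e.g. PayPal billing a Coinbase purchase).
    if len(claimed) >= 2:
        flags["mixed_brands"] = claimed

    score = len(flags)
    if score >= 3:
        verdict = "likely callback fraud"
    elif score > 0:
        verdict = "review"
    else:
        verdict = "no flags"
    return {"score": score, "verdict": verdict, "flags": flags}


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_EMAIL), ("receipt", LEGIT_EMAIL)):
        print(name, score_callback_fraud(sample))
```

The score is deliberately a count of independent signals rather than a weighted model: any one of them appears in legitimate mail (support lines are printed in real receipts), but three or more together match the composition the newsletter describes. In production you would run this after SPF/DKIM/DMARC evaluation, since a brand name sent from a free-mail domain is the cheapest check but the sender domain is also the easiest thing for a more careful attacker to change.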
Some News…
The U.S. Department of Justice announced the seizure of domains linked to Lab-host.ru, a Russian internet infrastructure company. LabHost provided online infrastructure for subscription-based services, including spoofing websites that mimicked legitimate businesses such as Amazon and Wells Fargo. Customers of the cybercrime-as-a-service (CAAS) used these spoofed sites to trick individuals into disclosing personal information, which was then used for unauthorized financial transactions. Court documents indicate LabHost facilitated over 40,000 spoofed websites, storing over one million user credentials and nearly 500,000 compromised credit cards. Kudos to the FBI and Secret Service agents who led the investigation! https://www.justice.gov/usao-wdpa/pr/justice-department-seizes-four-web-domains-used-create-over-40000-spoofed-websites-and
Scammers are using two phones and a face-swap app to run romance scams. https://9to5mac.com/2024/04/18/romance-scam-face-swap/
Security researchers found 30 fraudulent websites spoofing E-ZPass. Most of the sites were targeting users in New Jersey and Florida. https://therecord.media/researchers-find-dozens-of-ezpass-spoofs
PaloAlto Networks calls for a unified approach to tackle ransomware. https://www.paloaltonetworks.com/blog/2024/04/the-evolving-threat-of-ransomware/
Of all news outlets, USA Today conducted a thorough study of fraud. They examined data from the Federal Trade Commission and the U.S. Census Bureau and surveyed 1000 consumers to get a rather insightful view of fraud in the United States. Florida is a fraud hotspot. The Dakotas are cold (pun intended). Take a few minutes to review the findings, as it’s surprisingly well done. https://www.usatoday.com/money/blueprint/business/credit-card-processing/credit-card-scams/
If you have a Wall Street Journal subscription, this article is about the more than 2 trillion dollars that gets laundered yearly. The article claims that human carriers move most of it as cash, and do so through air travel without a second look from the airline industry. https://www.wsj.com/business/airlines/heathrow-dubai-airports-billions-dirty-money-9f49cc7f
Cool Tool
In a previous issue, I suggested using Brave as a web browser. The service recently updated its search functionality to include the use of AI. https://brave.com/search/
Is your email system properly configured? https://dmarcian.com/domain-checker/
Cool Job
IT and Security Manager - NASA. https://apply.mottmac.com/job/Pensacola-IT-and-Security-Manager-NASA-FL-32502/793102802/
Reader Mail
“I’ll probably never ask another question out of fear of looking like conference question guy”. - Tim
“Matt, as a female, I’ve met my share of men who are overzealous to explain the world to me. My fear of publicly shaming them is that other men, of good intent, will be afraid to challenge women because they don’t want to come off as a mansplainer.” - Liz
Irrelevant
Why you can no longer get a pizza delivered in 30 minutes or less. https://thehustle.co/originals/the-failure-of-the-dominos-30-minute-delivery-guarantee
Avoid the Logical Fallacy: Argumentum Ad Populum - presumes that a proposition must be true because most/many believe it to be true.
Sign Off
Thanks for giving it another week.
Matt
“NEVER BUY SOMETHING JUST BECAUSE IT IS CHEAP.” - someone who’s seen my storage areas.
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.
I received an email exactly like the one you show a few weeks back. Since I no longer have a PayPal account, I was just a bit suspicious. I logged in to my Coinbase account (coincidentally from a different browser) and there were no transactions, as expected.
I would never ever click a link or call a phone number in one of these, even if I thought it might be real. Paranoia is a good default setting when dealing with this stuff.
Thanks for spreading the word!