Threats Without Borders - Issue 181
Cybercrime Investigation Newsletter, week ending May 5, 2024
The 2024 Verizon Data Breach Investigation Report (DBIR) has been released, and you can’t swing a bank vice president without hitting someone giving their interpretation of the numbers. So I won’t. But I’ll take a moment to highlight one finding that supports an observation of mine.
A few weeks ago, I presented at the BSides Harrisburg cybersecurity conference. My session was titled “DARVO: The Psychological Manipulation of Ransomware Victims.” It seemed well received, and those of you attending the IAFCI Keystone conference will have the opportunity to see an encore performance.
In my presentation, I suggested that ransomware attackers are shifting their focus from encrypting data to only stealing and exposing it to demand an extortion payment. Why bother with the overhead of encryption and decryption when you can simply take the data and threaten to release it publicly unless paid a ransom? Ransomware attackers are becoming high-tech [traditional] extortionists, stealing data and skipping the encryption process altogether.
The Verizon investigations team observed the same and documented their findings in the DBIR.
Roughly one-third of all breaches involved Ransomware or some other Extortion technique. Pure Extortion attacks have risen over the past year and are now a component of 9% of all breaches. The shift of traditional ransomware actors toward these newer techniques resulted in a bit of a decline in Ransomware to 23%. However, when combined, given that they share threat actors, they represent a strong growth to 32% of breaches. Ransomware was a top threat across 92% of industries.
Verizon has been publishing the report for the past 17 years, and it is mandatory reading at this point.
What's DARVO? Come to my session at Keystone and find out!
Some News…
Dropbox acknowledges unauthorized access to Dropbox Sign’s infrastructure. They claim no regular Dropbox accounts or data were compromised. Let’s hope that’s the whole story. https://therecord.media/dropbox-data-breach-notification
Inky examines how attackers embed RTF (Rich Text Format) files in phishing emails to launch credential harvesting attacks. https://www.inky.com/en/blog/fresh-phish-weaponizing-text-files-in-a-personalized-credential-harvesting-scheme
Delivering more than just the mail… A former U.S. Postal Service worker was sentenced to 4 1/2 to 10 years in prison on Friday morning after helping deliver over 2,000 grams of cocaine while on duty. https://www.pennlive.com/news/2024/05/former-lancaster-county-postal-worker-sentenced-for-delivering-pounds-of-cocaine.html
Learn how to detect deepfakes. https://www.media.mit.edu/projects/detect-fakes/overview/
The FBI, the U.S. Department of State, and the NSA are working together to warn people about attempts by cyber actors from North Korea to exploit vulnerabilities in Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies. These actors are using social engineering tactics to conceal their attempts to hack into computer systems. https://www.ic3.gov/Media/News/2024/240502.pdf
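The advisory above is about weak DMARC policies. As an added example (not from the advisory or this newsletter), this Python checker parses a domain's DMARC TXT record and flags the settings that let spoofed mail be delivered or go unreported; the sample records are constructed, and DNS lookup is left out so it runs offline.

```python
from typing import Optional, List

# Severity ordering of DMARC disposition values (weakest first).
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=none; rua=...") into tag/value pairs."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: Optional[str]) -> List[str]:
    """Return the weaknesses in a record; an empty list means an enforcing, reporting policy."""
    if not txt:
        return ["no DMARC record published: receivers apply no policy"]
    tags = parse_dmarc(txt)
    issues = []
    if tags.get("v") != "DMARC1":
        return ["missing or invalid v=DMARC1 tag: receivers ignore the record"]
    policy = tags.get("p")
    if policy not in POLICY_RANK:
        issues.append("missing or unrecognised p= tag: record is invalid")
    elif policy == "none":
        issues.append("p=none: failing messages are still delivered (monitor-only)")
    # Subdomain policy defaults to p=; an explicit weaker sp= leaves subdomains spoofable.
    sp = tags.get("sp", policy)
    if sp in POLICY_RANK and POLICY_RANK[sp] < POLICY_RANK.get(policy, 0):
        issues.append(f"sp={sp}: subdomains are weaker than the organisational domain")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing messages")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not collected, so abuse goes unseen")
    return issues

# Constructed sample records for two hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; pct=50",
    "strong.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(record) or ["ok"])
```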
An investigation by the US Justice Department is underway into allegations of Chinese drug traffickers laundering a minimum of $653 million through TD Bank and bribing TD employees to help them do so. Analysts predict that if the allegations are proven to be true, fines of up to $2 billion could be imposed. https://ca.finance.yahoo.com/news/td-penalties-expected-higher-alleged-151810058.html
Researchers from Elliptic, MIT, and IBM have conducted a new study that focuses on using AI tools to detect money laundering on the Bitcoin blockchain. The researchers collected patterns of transactions leading from known criminal entities to cryptocurrency exchanges to train an AI model to spot similar money movements indicating possible money laundering. They have released a large dataset of 200 million tagged and classified transactions for training the AI model, which is a significant increase from previous efforts. The AI model was tested on a cryptocurrency exchange and successfully identified suspicious transactions that the exchange had also flagged for illicit activity. https://www.wired.com/story/ai-crypto-tracing-model-money-laundering/
A masterclass in social engineering
This guy is joining landlord and real-estate management groups on Nextdoor and Facebook and intentionally directing the conversations to be more tenant-supportive. His words:
So, about a year ago I joined a bunch of landlord groups on Facebook and Nextdoor. I’ve worked diligently to manipulate them into taking pro-tenant actions, and it actually has kind of worked.
He has gained influence within communities by creating valuable content and using it to further his beliefs. A true lesson in human hacking.
Cool Job
Senior Financial Crimes Investigator - Members 1st Federal Credit Union. https://recruiting.ultipro.com/MEM1003MFCU/JobBoard/07ce95a9-7cc1-4159-a8e6-dcd9c4547c9f/OpportunityDetail?opportunityId=398bdbb9-6520-47aa-b746-163b73dc4d8d
Director of Financial Crimes Advisory (Remote) - AML Rightsource. https://amlrightsource.wd1.myworkdayjobs.com/en-US/amlrightsource/job/Remote---Ohio/Director--Financial-Crimes-Advisory--FCA----Remote--US_R-100716
Cool Tool
Before you purchase anything from someone on Reddit - check the Universal Scammer List for their username. https://www.universalscammerlist.com/
Tinder…but to make music instead. https://bandmatch.app/
Irrelevant
Should you sit or stand while you work? These researchers believe they have figured out the optimum time you should sit, stand, and sleep. https://theconversation.com/how-much-time-should-you-spend-sitting-versus-standing-new-research-reveals-the-perfect-mix-for-optimal-health-228894
Training Alert
Two days with Micah Hoffman and Griffin Glynn for $30 bucks??? If you’re not a member of the IAFCI, it’s worth joining so that you can get this class. Seriously, these guys are the OGs of OSINT. Unbelievable offer. https://www.iafci.org/Public/Training_Events/2024/OSINT_Virtual_2_Day_Training_Event_for_Investigators_June_26___27.aspx
Are you going to Keystone Connection? Find me and say Hey! I’m a volunteer, so you’ll see me out and about, and I speak on Tuesday.
Thanks for reading another issue. Even bigger thanks to those who go out of your way to find the issue each week.
Matt
“DON’T BURN A BRIDGE UNTIL YOU ARE SURE YOU ARE NEVER CROSSING IT.” - the reason why I’m usually swimming in a river
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.