Threats Without Borders - Issue 183
Cybercrime Investigation Newsletter, week ending May 19, 2024
I completed my graduate degree in 2017, and my thesis project was titled “Policing a High Crime Cyberspace: Does a Police Presence Affect Online Criminality?” My thesis proposed that a visible law enforcement presence will affect behavior within an internet forum with persistent criminal activity.
For those newer to cybercrime investigation, Backpage was the alter-ego to Craigslist. In fact, it appeared to be the same in design and functionality, but instead of people selling used clothes and bikes, the services offered were check fraud and prostitution. Mostly prostitution. Law enforcement dismantled the site in 2018. https://www.wired.com/story/inside-backpage-vicious-battle-feds/
To test my thesis, I monitored the “adult services” section of Backpage for the Harrisburg (PA), York (PA), and Reading (PA) editions for thirty days. Each day, I counted the number of new prostitution-related ads posted. The numbers were tabulated and calculated for various statistical measurements.
After that monitoring period, to calculate a baseline, I published an advertisement on the Harrisburg page every morning for thirty consecutive days. The text of the ad noted it was created by law enforcement and declared the site was actively monitored. Each day, a new ad was posted with varying content to show they were not auto-posted. I alternated between claiming to be "Harrisburg area law enforcement," "Dauphin County law enforcement," and "A task force of law enforcement investigators." Some posts called out specific users who had posted ads the previous day, for example, "Rosielips9090, please be careful at the Red Roof Inn, we have had multiple incidents of assaults at that location - Local law enforcement is looking out for you."
No ads were placed on the York or Reading pages during that period, but they were monitored for use as controls.
After the thirty-day test period, all three pages were monitored for an additional thirty-day period.
Did a visible law enforcement presence in a high crime cyberspace affect user activity? Nope! My efforts had zero impact on the number of prostitution advertisements posted during the 30-day test period or in the time afterward.
Even though my theory was disproved, my work offered significant insight into the field, and I was invited to discuss my research at the state conference of the Pennsylvania Association of Criminal Justice Educators. Failing isn’t always a bad thing!
I tell you all of that to discuss this: Law enforcement's continuous cat-and-mouse game of taking down criminal websites such as ransomware leak sites and forums.
A coalition of international law enforcement agencies, including the FBI, recently took down the Breach Forums site, where users sold and bought malware, hacks, and data stolen during breaches. The site was previously called Raid Forums until law enforcement removed it from the Internet, only for it to reappear as Breach Forums.
Law enforcement has been playing chess with the LockBit group for weeks. The site goes down and then comes back up again, just at a different hosting location.
The text posted on the Internet is only the end result. Law enforcement will never succeed until they 1) eliminate the demand, 2) eliminate the incentive/reward, 3) eliminate the actors. As long as there is demand, there will be a reward; as long as there is a reward, there will be someone willing to step up to collect.
Attempting to police an Internet space with a prevalence of criminal activity will be limited in effectiveness. You have to reach out and touch them—physically, in the real world!
Side Note
Backpage ads were paid for with Bitcoin, which was priced at less than $1,000 at the time of my project. Today, it’s priced at over $66K. Imagine how much money I blew on Backpage ads!
Some News
Slow news week…
Speaking of the LockBit ransomware group… U.S. officials have indicted a man they claim to be the “Mastermind.” It looks great on paper, but now the hard part is taking him into custody and bringing him to justice here in the States. The Department of State issued a $10 million reward for his capture. Good luck, hunters! https://www.justice.gov/opa/pr/us-charges-russian-national-developing-and-operating-lockbit-ransomware
The Securities and Exchange Commission issued rule enhancements to Rule S-P, which broadened cybersecurity reporting requirements for financial institutions. It’s a great time to be in the incident response business! https://www.sec.gov/files/34-100155-fact-sheet.pdf
Back in the day, every job ad for positions related to malware analysis required candidates to be familiar with YARA. YARA is a tool primarily used for identifying and classifying malware. It is widely utilized in the cybersecurity field to help analysts detect and analyze malware samples. The name "YARA" is an acronym for "Yet Another Ridiculous Acronym." Although still widely used, the tool has lost some of its prominence to other investigative and preventive tools. Until now - Welcome to YARA-X! https://virustotal.github.io/yara-x/blog/yara-is-dead-long-live-yara-x/
Lancaster (PA) police arrest a man with a “master key” for a city hotel. According to the article, “Officers were dispatched to a Holiday Inn on the first block of East Chestnut Street at about 10 p.m. after multiple guests reported to hotel management that they were missing cash, medications, clothing, and other items. Hotel staff told police the suspect had somehow obtained a master key and was using it to enter rooms without permission to steal the items.” Unfortunately, the article doesn’t provide details on the master key or how it operated. https://www.fox43.com/article/news/local/lancaster-county/arrest-burglary-theft-lancaster-holiday-inn/521-d868ccbe-19f2-403a-bb57-2451053404af
A self-serving effort, but Proton provides a method to de-Google your life. https://proton.me/blog/how-to-de-google
Cool Job
Manager of Fraud Operations - Appfolio. https://www.appfolio.com/open-roles?p=job%2FoyaPsfwJ
Cool Tool
Calculate the distance you can travel from a given point in a given time on foot, by car, by bicycle, or by train. https://www.smappen.com/app/
Irrelevant
Much to my kid’s enjoyment, I’m terrified of snakes. Needless to say, I will not be attending the Rattlesnake Class. https://www.npr.org/2024/05/17/1251422933/rattlesnake-class-arizona-snake-bites-venomous
Sign Off
I had a great time at the Keystone Connection Conference last week. I met some new people and caught up with some old friends. The International Association of Financial Crime Investigators is such a great organization. Hopefully, they can resolve the conflicts at the national level.
In the meantime, please consider attending one of the upcoming regional training conferences for the local chapters: IAFCI Regional Training Events & Webinars.
Thanks for reading another issue. See you next Tuesday!
Matt
“YOU DON’T HAVE TO SHOW UP TO EVERY ARGUMENT YOU’RE INVITED TO” - I’m usually sending the invites
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.