Threats Without Borders - Issue 186
Cybercrime Investigation Newsletter, week ending June 9, 2024
I received a question about the payment transfer service WorldRemit, which I had never dealt with before, and it sent me down the rabbit hole.
WorldRemit is a digital cross-border remittance business that provides international money transfer and remittance services in more than 130 countries and over 70 currencies. It allows users to send money internationally through its website or mobile app, with options for bank deposits, mobile money, cash pickups, and other payout methods.
The business is headquartered in London, United Kingdom, but claims a domestic business address in Delaware. The claim is listed in several documents, including its privacy policy.
“WorldRemit Corp is a Delaware corporation with its business address at 2093 Philadelphia Pike #1016, Claymont, DE 19703”
The problem, of course, is the address appears to be a back-alley warehouse. Google it.
The company publishes a Law Enforcement assistance page at https://www.worldremit.com/en-us/about-us/law-enforcement.
They also publish a privacy policy. Always read the privacy policy before authoring a search warrant, so you know what data is collected and, therefore, what data you can seize.
The privacy policy declares they collect the following information on users of the service:
Your name;
Your contact information such as Your email address, postal address and telephone number or any telephone number used to call us;
Your demographic information such as age, education, gender, and interests;
Evidence of Your identity, (for example passport information, social security number; and driver’s license)
Unique identifiers such as Your username, account number and password;
Your profiles and postings on any other social media applications and services that we provide or that You make available to us;
Your payment details and other financial data (for example, Your bank or payment method provider’s name and Your account number and sort code) and salary details; and
Information about Your visit to our website, including the full Uniform Resource Locators (URL), clickstream to, through and from our website (including date and time), length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from the page.
Ensure your warrants request this specific information. If they tell you they collect it – they have it. Get it!
Also, include language to collect the information they obtain from tracking cookies. This statement is included in their Cookie policy:
When you visit our site or use a Mobile App, we may place cookies, SDKs or similar trackers (“Cookies”) onto your device or read Cookies already on your device, subject to obtaining your consent through our Preference and Consent Management banner. We use Cookies to record information about your device, browser and, in some cases, your preferences and browsing habits. We use your personal information through these Cookies and similar technologies,
Cookies can be used to collect and track a multitude of web metrics, including:
Unique Identifiers: Cookies can store a unique identifier, such as a user ID, to track user behavior and preferences.
User Behavior: Cookies can collect information about your browsing behavior, such as the pages you visit, the time spent on each page, and the links you click.
Device Information: Cookies can collect information about your device, such as the operating system, browser type, screen resolution, and language.
Location Data: Cookies can collect location data, such as your IP address, to track your geographic location.
Purchase History: Cookies can collect information about your purchase history, including items purchased and payment methods.
Login Information: Cookies can store login information, such as usernames and passwords, to authenticate users.
Preferences: Cookies can store user preferences, such as language, font size, and layout.
So they advertise that they are using cookies to collect and save this information - demand it.
Specifically, ask for information that identifies user devices such as “Device Identification Numbers, Serial Numbers, IMEI, ISDN, Wi-Fi addresses, MAC Addresses, EID, MEID, and any metrics and measurements consistent with attempts to identify or fingerprint a device based on the web browser and other utilized technologies.” This information can be cross-referenced with data seized from other sources like email accounts and bank records.
Some News
Bryan Vorndran, assistant director of the FBI’s cyber division, discusses “victim engagement” and announces the release of 7,000 encryption keys for Lockbit ransomware. https://www.fbi.gov/news/speeches/fbi-cyber-assistant-director-bryan-vorndran-s-remarks-at-the-2024-boston-conference-on-cyber-security
Massachusetts town falls victim to a Business Email Compromise attack and loses $445K. The report reveals that four monthly payments were transferred before it was realized they were sending the funds to the wrong account. Good Grief! https://www.wcvb.com/article/arlington-massachusetts-cybercrime-business-email-compromise/61039057
The former senior executive and a sales manager of Epsilon Data Management LLC have been found guilty of federal criminal charges related to the targeting of millions of senior citizens for mass-mailing fraud schemes. The company sold the names and addresses of millions to fraudsters, knowing elderly and vulnerable people would be targeted. https://www.justice.gov/opa/pr/former-senior-executive-and-former-sales-manager-convicted-selling-data-millions-us
The Snowflake breach keeps getting worse. https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/
The Electronic Frontier Foundation (EFF) claims the United Nations’ proposed Cybercrime Convention is “too flawed to adopt”. I agree that it’s flawed, but so is the EFF. https://www.eff.org/deeplinks/2024/06/un-cybercrime-draft-convention-remains-too-flawed-adopt
Do you think there isn’t an effort by foreign governments to influence American politics? “We terminated 1,320 YouTube channels and 1,177 Blogger blogs as part of our ongoing investigation into coordinated influence operations linked to the People’s Republic of China (PRC).” The Google Threat Analysis Group (TAG) released their Q2 actions bulletin. https://blog.google/threat-analysis-group/tag-bulletin-q2-2024/
The Brooklyn District Attorney’s office has seized 70 domains connected to investment scams that stole millions of dollars through bogus cryptocurrency investments. The DA’s Office began receiving complaints in October 2023 from the borough’s Russian-speaking community. Investigators discovered a “shared narrative” that lured in victims, beginning with Facebook advertisements for cryptocurrency investments. Many of these advertisements included a deepfake video of Elon Musk encouraging people to invest. The victims were eventually connected with a Russian-speaking “investment advisor” who helped them set up accounts on fraudulent cryptocurrency trading platforms. https://therecord.media/feds-seize-crypto-scam-domains-brooklyn
The Federal Communications Commission has adopted a 200-million-dollar pilot program to improve the cybersecurity of schools and libraries. Awesome. One of the initiatives within the program is the installation of high-speed WiFi on school buses. Wait, what? Do the kids really need WiFi on the bus? How is that going to increase cybersecurity? https://docs.fcc.gov/public/attachments/DOC-403037A1.pdf
Cleveland rocks… but not right now because they are being ransomed. Cleveland City Hall announced a temporary closure on Monday after a significant "cyber incident" impacted the city's systems. https://www.cleveland.com/news/2024/06/what-we-dont-know-about-cyber-incident-at-cleveland-city-hall.html
Late Add
Tuesday was the Apple Worldwide Developers Conference, or WWDC to us Apple nerds. Everything that Apple announced - https://techcrunch.com/2024/06/10/everything-apple-announced-wwdc-2024/
And everything specific to macOS - https://www.apple.com/macos/macos-sequoia-preview/
Cool Job
Intelligence Analyst - Pennsylvania State Police (PA Criminal Intelligence Center). https://www.governmentjobs.com/careers/pabureau/jobs/4526321/intelligence-analyst-1
Cool Tool
Website reputation checker - detect potentially malicious websites before you click. https://www.urlvoid.com/
Sticky Note app for macOS - https://quicknoteapp.com/
Irrelevant
Mount Vesuvius didn’t get everyone in Pompeii. What happened to the survivors? The story is being told. https://theconversation.com/records-of-pompeiis-survivors-have-been-found-and-archaeologists-are-starting-to-understand-how-they-rebuilt-their-lives-230641
Sign Off
Thanks for showing up. I received some reader suggestions for helpful browser extensions. I plan to include those in an upcoming issue. I also plan to release a summer reading list. See you next Tuesday!
Matt
“IT’S OKAY TO DO SOMETHING BEFORE YOU’RE AN EXPERT AT IT. AND IT’S OKAY TO DO SOMETHING EVEN IF YOU THINK YOU’LL NEVER BE AN EXPERT AT IT.” - like writing a newsletter on the Internet
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.