Threats Without Borders - Issue 190
Cybercrime Investigation Newsletter, week ending July 7, 2024
I’m regularly asked, “I’m a new investigator, and I’ve just been assigned to the financial crime section. Where should I start?”
1) Review and understand your jurisdiction’s financial and cyber-associated criminal statutes. What are the elements, and what are the possible exceptions? Familiarize yourself with the pertinent case law also. Do you understand the restrictions Carpenter v. United States places on the government seeking data from third parties? Have you read the Van Buren ruling to see how computer trespass is to be applied under the Computer Fraud and Abuse Act?
2) What are your agency's policies concerning what cases get assigned for investigation and what don’t? You can’t investigate every theft, fraud, or scam that gets reported. If you don’t have loss limits written in the policy, ask to create some. Be able to explain to victims why you aren’t investigating their case and have the policy to back it up so you aren’t accused of favoritism or prejudice. “Yes sir, I understand your credit card was used to purchase a case of beer in Texas while you were in Pennsylvania. And I agree that it’s absolutely a crime, but we won’t be conducting an investigation. AND HERE IS WHY…”
3) Contact your prosecutor's office to clarify what cases they will accept. There is no use investing effort into a case where the suspect is on the other coast if your prosecutor won’t extradite. When will they approve extradition? Is it based on the grading of the violated statute or the amount of financial loss?
4) Identify the financial institutions in your jurisdiction and make some new friends. Introduce yourself to the security and fraud teams. Explain your agency's policies and learn theirs. Host a meeting and bring everyone into your house for a meet-and-greet. A box of donuts and an hour of your time will pay 10X dividends. Building and maintaining relations is key to being a successful cyber-financial crime investigator.
5) Learn how money flows through national and worldwide financial systems. Understand the difference between an ACH and a Wire. How does a bank recall these transfers, and when is it too late? What is Swift? Have you heard about FedNow?
6) Master the basics of computer networking. Understanding how digital devices talk to each other is essential. You must explain these concepts to others, specifically in search and arrest warrant affidavits. Additionally, it will help you know when a suspect is bullshitting you.
7) Learn how to use a spreadsheet. Everything is coming to you in CSV (comma-separated values). Your life will be much easier if you are proficient with Excel and/or Google Sheets.
8) Develop a note-taking method and document everything. If someone shares contact information for an attorney at Google, save it. If someone shares a search warrant for an Internet Service Provider, copy out the affidavit language and save it. If you read an insightful article about examining evidence from a mobile phone, save it.
9) Dress the part. You may be a cop, but you’ll be spending significant time in the business world. Your polo shirt, BDU pants, and 5.11 tactical shoes won’t cut it. Neither will a pastel-colored shirt, matching paisley tie, and unaltered pants. Buy a nice suit or two and some fashionable “business casual” attire.
10) And finally, NEVER STOP LEARNING. Continuous education and training are essential. The technology is ever-changing. The bad guys are changing their TTPs (tactics, techniques, and procedures) daily to remain a step ahead. Be intentional in your learning. Read every day. Watch videos every day. Ask questions of those more experienced than you every day.
And if you’re the crusty ol’ pro who’s been around for a while, be nice to the new kid and share this newsletter.
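Item 7 above is the one tip in the list that can be shown in working code. The following is an added example, not something from the newsletter or its author: it reads a constructed bank transaction export (sample data made up for this illustration, not a real record) and shows the one CSV pitfall that bites new investigators most often, a memo field containing a comma, which a naive split on commas miscounts but Python's csv module handles correctly. It then totals amounts per counterparty, the first pivot-table question asked in most cases, and flags rows whose column count does not match the header so a damaged export is caught before anyone draws conclusions from it. Function names and the sample columns are this example's own choices.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample of a bank transaction export, the kind a fraud team
# emails an investigator. Not real data. Two memos contain a comma and are
# therefore quoted, which is exactly what breaks line.split(",").
SAMPLE_EXPORT = """date,account,counterparty,amount,memo
2024-06-03,1001,ACME Supply,-249.99,"Invoice 4471, net 30"
2024-06-04,1001,Payroll Inc,3200.00,Direct deposit
2024-06-05,1001,ACME Supply,-75.00,Reorder
2024-06-05,2002,Cash Deposit,9500.00,"ATM, branch 12"
2024-06-06,2002,Cash Deposit,9400.00,"ATM, branch 12"
"""


def naive_field_count(text):
    """The wrong way: splitting on commas ignores quoting, so a memo such as
    "Invoice 4471, net 30" is counted as two fields instead of one."""
    return [len(line.split(",")) for line in text.strip().splitlines()]


def parse_transactions(text):
    """Parse the export with csv.DictReader, which honours RFC 4180 quoting.
    Amounts become Decimal so cents are never lost to float rounding."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        row["amount"] = Decimal(row["amount"])
        rows.append(row)
    return rows


def totals_by_counterparty(rows):
    """Sum the amount column per counterparty (a spreadsheet pivot table)."""
    totals = defaultdict(Decimal)
    for row in rows:
        totals[row["counterparty"]] += row["amount"]
    return dict(totals)


def malformed_rows(text):
    """Return the 1-based line numbers of data rows whose field count differs
    from the header. A non-empty result means the export is damaged and the
    raw file should be preserved and re-requested rather than 'fixed' by hand."""
    reader = csv.reader(io.StringIO(text))
    bad = []
    expected = None
    for lineno, fields in enumerate(reader, start=1):
        if expected is None:
            expected = len(fields)  # header defines the column count
            continue
        if len(fields) != expected:
            bad.append(lineno)
    return bad


if __name__ == "__main__":
    print("naive field counts:", naive_field_count(SAMPLE_EXPORT))
    txns = parse_transactions(SAMPLE_EXPORT)
    for name, total in sorted(totals_by_counterparty(txns).items()):
        print(f"{name:15} {total:>10}")
    print("malformed rows:", malformed_rows(SAMPLE_EXPORT))
```

Running it shows the naive split reporting six fields on the quoted rows while the parsed totals come out correct; the same totals can be reproduced in Excel or Sheets with a pivot table, which is the point of item 7. Keep the original export untouched and do the arithmetic in a copy or in code, so the figures in an affidavit can be traced back to an unmodified file.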
What if someone breaks into my home and steals my tax and financial records only to realize I have nothing and then discards the records in a field? You find the records while walking your dog, take them home, and read through them. Instead of returning them to me, you write an article about my terrible choices while investing in the stock market. Wouldn't you be in possession of stolen property while you possess the documents? And doesn’t writing about the content of the records show your intent to convert the property to your own use?
Probably.
I’ve seen several cybersecurity “experts” and “journalists” comment about the specific content of data stolen from Evolve Bank & Trust and leaked onto a ransomware group leak site. How do you know what the files contain? Have you seen them? Have you downloaded them?
Why are digital files different from the paper documents stolen from my house?
A leak site is no different than an open field, and those digital files have been stolen and posted without the rightful owner's permission. I’m not an attorney, but it seems logical that downloading those files puts you in possession of stolen property.
Maybe calling yourself a journalist or cybersecurity researcher grants you magic immunity.
Some News…
Well, at least something good comes from malware. Recorded Future claims to have identified 3,300 unique users who have accessed child sexual assault material (CSAM), AKA child pornography, by reviewing the leaked data of information stealer malware. Wow. Read this report > > > https://go.recordedfuture.com/hubfs/reports/cta-2024-0702.pdf
You must be so proud. US law enforcement officials allege that drug traffickers, specifically those linked to the Sinaloa cartel, favored Citigroup for laundering money due to the bank's perceived lax fraud controls. The officials claim these criminals exploited Citibank ATMs by making numerous small deposits to avoid triggering reporting requirements. https://www.ft.com/content/0187827b-f755-47fd-91ff-c3e755548097
A large password compilation file called “RockYou2024” was discovered, containing nearly 10 billion unique passwords. This poses a significant risk because of credential stuffing attacks, which take advantage of the widespread practice of reusing passwords. https://cybernews.com/security/rockyou2024-largest-password-compilation-leak/
File this under “Not even trying” - The Securities and Exchange Commission (SEC) has filed a lawsuit against Silvergate Bank, alleging that the bank defrauded investors by misrepresenting its anti-money laundering controls and the impact of the FTX collapse on its financial health. The SEC claims Silvergate failed to adequately monitor approximately $1 trillion in crypto transactions, including nearly $9 billion in suspicious transfers by FTX entities. Silvergate has agreed to pay $50 million to settle the charges without admitting or denying wrongdoing. https://www.theverge.com/2024/7/1/24190255/silvergate-sec-fraud-ftx-crypto-bank
Authy, a two-factor authentication app developed by Twilio, experienced a security breach resulting in the theft of 33 million user phone numbers. The company claims the hack was limited to phone numbers and that no other sensitive data was compromised. I’m sure there will be more to this. Stay tuned. https://appleinsider.com/articles/24/07/04/authy-got-hacked-and-33-million-user-phone-numbers-were-stolen
Associated Press headline: “Scammers are swiping billions from Americans every year. Worse, most crooks are getting away with it”. Yeah, No Shit, Welcome to the party. The Justice Department replied to a request for comment by saying the industry needs to do more. “Private industry — including the tech, retail, banking, fintech, and telecommunications sectors — must make it harder for fraudsters to defraud victims and harder to launder victim proceeds.” WTF? So out of touch. https://www.yahoo.com/news/scammers-swiping-billions-americans-every-040329024.html
Cool Tool
Social media for Lego lovers. https://getbrickd.com/
Search Usernames across 2000 sites. https://www.user-searcher.com/
Cool Job
Senior Director of Fraud - Grubhub. https://wd3.myworkdaysite.com/en-US/recruiting/takeaway/grubhubcareers/details/Sr-Director--Fraud_R_039452
Head of Insider Risk Management - TD. https://td.wd3.myworkdayjobs.com/fr-CA/TD_Bank_Careers/job/Cherry-Hill-New-Jersey/Head-of-Insider-Risk-Management--US-_R_1354433
Irrelevant
Senior citizens are being ravaged by STDs. Yes, those STDs. Patients aged 65 years and older have seen the largest increase in diagnoses. Yikes. Time to talk to Grammy about safe sex. https://www.axios.com/2024/07/08/stds-rise-among-seniors-syphilis-hpv-hiv-aids-gonorrhea
Sign Off
Thanks for investing your time into another issue of the newsletter. You can always contact me by replying to the email that delivered it. For you non-subscribers, subscribe to the newsletter and reply to the email that delivered it. Or, use your super OSINT skills and find me.
Matt
“TAKE CARE OF YOUR THOUGHTS WHEN YOU ARE ALONE, AND TAKE CARE OF YOUR WORDS WHEN YOU ARE NOT.” - what about when you write on the Internet?
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.