Threats Without Borders - Issue 192
Cybercrime Investigation Newsletter, week ending July 21, 2024
Can you identify a suspect’s IP address from an email header? Much like the answer to most technical questions, it depends. Is the suspect running their own email server, connected to their home or business Internet—then yes—or using a hosted or webmail service—then no.
Over the past week, I saw the same question posted on two different forums: a privately run email listserve and Reddit. I suspect it was a cross-post. Unfortunately, the answers provided on Reddit were the most appropriate.
The sender’s computer device does not include the sender's IP address, but the initial mail server adds it to the header data. You will find this in the first “Received” header field, usually the bottom or last “Received” field in the header. The IP address collected using webmail platforms like Gmail, Outlook, Proton, or Yahoo belongs to the service's server. Some email clients, like Thunderbird, act as SMTP clients, revealing their IP addresses in the headers, only to be stripped out by privacy-focused webmail platforms.
At this point, who is still running their own email server? Not many. Businesses even use hosted options like Microsoft Office 365 or Google Workspace.
Due to the widespread use of email services, obtaining the public IP address of the sender's network in an email is highly improbable. The email header includes only the IP addresses of the email provider's servers.
Can you trick a person into revealing their client-side IP address through an email? Absolutely. These handy little hacks are called Network Investigative Techniques or NITs for short.
Come back next week as we explore some NITs and their legality.
Kudos to Greenwich PD
Tw/oB counts several Greenwich PD investigators as subscribers. Congratulations on your good work! Greenwich police see financial crime cases drop, charges have doubled (greenwichtime.com)
News…
According to research by Recorded Future, there has been a significant increase in QR code and AI-generated phishing attacks between Q4 2023 and Q1 2024. Cybercriminals are using QR codes to bypass security measures, capture MFA tokens, and target executives. Notably, AI tools like ChatGPT are being used to create believable phishing emails, contributing to a 1,265% rise in phishing attacks. https://www.recordedfuture.com/research/qr-code-and-ai-generated-phishing-proliferate
Four men have admitted guilt to a money laundering conspiracy involving a scheme to defraud a global financial services company of over two million dollars. They achieved this by manipulating "Instant Deposit" transactions and stock options. They utilized a network of fraudulent accounts to steal funds, resulting in the accounts having negative balances. The defendants opened hundreds of fraudulent accounts known as "Losing Accounts" to access "Instant Deposits," short-term cash advances for investors. They then used these deposits to purchase overpriced stock options. Subsequently, they matched these bids with "Winning Accounts" that they also controlled, effectively transferring the funds. https://www.justice.gov/usao-edny/pr/four-men-plead-guilty-defrauding-global-financial-services-company-over-two-million
Have you ever heard of the 5/5 Rule? I hadn't until I read this article. AI phishing uses artificial intelligence to create personalized and convincing phishing emails. Traditional phishing attacks rely on social engineering, while AI phishing uses machine learning techniques to trick victims. The IBM 5/5 rule states that AI can create a phishing campaign nearly as successfully as humans in 5 minutes and 5 prompts. https://www.mailgun.com/blog/email/ai-phishing/
Nothing about cyber, but anything involving Horsey Sauce will always make the newsletter. These two Pennsylvania women have been charged with stealing nearly $3,500 worth of roast beef and other food items from the Arby’s restaurant where they worked. Some are asking, “Where’s the crime?”. https://www.pennlive.com/crime/2024/07/pa-women-charged-with-stealing-nearly-35k-in-roast-beef-drinks-from-arbys.html
“Experts” conclude the fight against cybercrime isn’t going so well. https://www.meritalk.com/articles/experts-call-for-new-strategic-approach-to-fight-cybercrime/
Deep Fake News
How do you tell an AI-created deep fake video? The eyes show the truth. https://ras.ac.uk/news-and-press/news/want-spot-deepfake-look-stars-their-eyes
Cool Job
Manager of Information Security Governance and Compliance - National Football League https://boards.greenhouse.io/nflcareers/jobs/4061745008
Cool Tool
Check the reputation of IP Addresses and web domains. https://cybergordon.com/
Irrelevant
Imagine if the Romans would have had Toyota trucks? https://medium.com/war-is-boring/the-toyota-pickup-truck-is-the-war-chariot-of-the-third-world-ea4a121e948b
Tw/oB readers are so kind
Long-time readers of the newsletter know that its humble editor is NOT OK with snakes. Horrified might be an apt description. So, every once in a while, someone finds it humorous to send in a snake-related link. Thanks for the nightmares, Stu.
Sign Off
Thanks for reading the newsletter this week. It’s finally raining here in Central PA. The reprieve from mowing has been nice, but seeing brown dead grass around my home is just as depressing as winter.
Matt
“BEING PROVEN WRONG IS A GOOD THING. YOU’RE LEARNING SOMETHING NEW.” - Never been proven wrong? Write a newsletter.
The George Foreman Grill is forever.
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.