Threats Without Borders - Issue 193
Cybercrime Investigation Newsletter, week ending July 28, 2024
A Network Investigative Technique (NIT) is a method investigators use to gather information from individuals involved in (illegal) online activities, particularly those using anonymity networks like Tor or Virtual Private Networks (VPNs). NITs are essentially malware deployed to obtain critical data such as IP addresses, MAC addresses, and other identifiers from suspects who believe they are operating anonymously.
The FBI effectively targeted the Playpen crime group using NITs, exposing their anonymity on the Tor network. Playpen, a notorious child exploitation site, believed it was untraceable due to Tor. In 2015, the FBI took over Playpen's servers, running the site for 13 more days to track users with a NIT. By exploiting browser vulnerabilities, the NIT gathered 1300 IP addresses that led to multiple arrests around the world, dismantling the network.
NITs function by exploiting vulnerabilities in software to gather data from target devices. The NIT is deployed when the target interacts with a compromised website, opens a file, or clicks an embedded link.
Compromised Websites: A website, like Playpen, is taken over and used to deliver the NIT to visitors.
Emails: Embedding NITs into emails involves attaching malicious files or links that, when clicked, execute the NIT. For example, an embedded image that reports the host's IP address when it is loaded.
Malicious Attachments: An email might contain a seemingly innocent attachment, such as a PDF or Word document that fetches remote content when opened. The user's session information is captured at the moment the document is opened.
Phishing Links: An email might contain a link to a website that automatically deploys the NIT when visited.
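The email vectors above (remote images, disguised or shortened links) share one trait: the message makes the recipient's client fetch a resource from a host the sender controls. The scanner below is an added example, not code from the newsletter; it walks an HTML message body and reports remote images (1x1 ones as tracking pixels), links to a shortening service, and links whose visible text names one domain while the href goes elsewhere. The SHORTENERS list and the sample message are constructed for illustration.

```python
"""Added example (not the newsletter's code): flag email HTML that calls back to a sender-controlled host."""
from html.parser import HTMLParser
from urllib.parse import urlparse
SHORTENERS = {"grabify.link", "bit.ly", "tinyurl.com", "t.co"}  # illustrative, an assumption

def host_of(url):
    return (urlparse(url or "").hostname or "").lower()

def shown_host(text):
    # Domain the recipient sees, if the visible link text looks like a URL or host.
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    return host_of(text if "://" in text else "http://" + text)

class CallbackScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and host_of(a.get("src")):  # remote image = fetch on open
            tiny = a.get("width") == "1" and a.get("height") == "1"
            self.findings.append(("tracking-pixel" if tiny else "remote-image", host_of(a["src"])))
        elif tag == "a" and a.get("href"):  # start collecting the anchor's visible text
            self._href, self._text = a["href"], ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            target, shown = host_of(self._href), shown_host(self._text)
            if target in SHORTENERS:
                self.findings.append(("shortener-link", target))
            elif shown and shown != target:  # text shows one domain, href goes elsewhere
                self.findings.append(("mismatched-link", target))
            self._href = None

def scan_email_html(html):
    """Return (finding, host) pairs for one HTML message body."""
    s = CallbackScanner()
    s.feed(html)
    return s.findings

# Constructed sample body, not a real message.
SAMPLE = ('<p>Invoice: <a href="https://bit.ly/x1">https://bank.example.com/login</a></p>'
          '<img src="https://track.example.net/p.gif" width="1" height="1">')
```

Run `scan_email_html(SAMPLE)` to get the two findings for the constructed message; a mail gateway could apply the same checks to each part of an incoming message before rendering.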
The use of NITs by law enforcement raises significant legal and ethical questions. The Fourth Amendment protects citizens from unreasonable searches and seizures in the United States. The deployment of NITs can be seen as a search and seizure, requiring a warrant. Courts are struggling to determine whether the use of NITs is justified under existing legal frameworks. Do they fall under the purview of California v. Riley, where the court rejected the third-party doctrine (and mandated LE to acquire a search warrant before searching a mobile device)? Are they subject to the Fourth Amendment because their use involves a “trespass” onto (or into) a person's personal property (U.S. v. Jones)?
Another issue is that they transcend jurisdictions. NITs can collect data from targets anywhere in the world, raising questions about jurisdiction and the scope of search warrants. Courts have struggled with whether a single warrant can authorize the use of NITs across multiple jurisdictions. Rule 41 is a federal rule in the United States that governs search and seizure procedures in criminal investigations. The rule outlines the requirements for obtaining a warrant, the scope of a warrant, and the procedures for executing a search and seizure.
In 2016, Rule 41 was updated to empower federal judges to issue warrants allowing the use of remote access tools to seize computer data beyond their jurisdiction. The amendment enhanced law enforcement’s capability to access electronic evidence, for example by remotely accessing computers anywhere in the world. It aimed to simplify warrant acquisition for electronic evidence and set criteria for seizing electronic storage media and data. This change aimed to aid the investigation and prosecution of crimes involving digital evidence while upholding Fourth Amendment protections against unlawful searches.
Want to play with a NIT? Use Grabify (www.grabify (dot) link) to create a short link and trick someone into clicking it. Obviously, any link with the term “grabify” will be suspicious to your target, but you’ll get the point. Imagine using a link that appeared to be a link from a legitimate domain and business.
An even more insidious NIT is one that we are all attacked with almost every day—the “Tracking Pixel.” Come back next week as we discuss this tool used by almost every business that sends you an email.
Required reading: “Playpen, the NIT, and Rule 41: Electronic Searches for Those Who Don’t Want to be Found”. https://digitalcommons.law.umaryland.edu/cgi/viewcontent.cgi?article=1285&context=jbtl
Some News…
Speaking of 4A issues, Customs and Border Protection (CBP) has been searching travelers' phones and laptops without warrants at the border for as long as portable electronic devices have existed. A federal judge ruled that cellphone searches are "nonroutine" and require probable cause and a warrant. The judge noted that reviewing cellphone data is akin to "mindreading," hence the heavier privacy impact. https://reason.com/2024/07/26/courts-close-the-loophole-letting-the-feds-search-your-phone-at-the-border/
We’ll see how this goes; Maryland has passed the nation's first law mandating secure packaging for gift cards. The law, resulting from collaborative efforts between lawmakers, retailers, and payment companies, aims to protect consumers from financial losses. While the law specifically targets Maryland, its impact is expected to be nationwide, prompting changes in gift card packaging across the U.S. https://www.propublica.org/article/maryland-gift-card-scams-prevention-act-walmart-incomm-retail
Perception Point has discovered a new phishing campaign in which attackers are exploiting Microsoft Office Forms to carry out two-step phishing attacks. These Forms, usually used for creating surveys and quizzes, are now being misused by cybercriminals to deceive specific users into revealing their Microsoft 365 credentials. https://perception-point.io/blog/two-step-phishing-campaign-exploits-microsoft-office-forms/
Evolve Bank & Trust filed a new breach notification with Maine’s Attorney General, declaring that 7,640,112 customers were exposed in the Lockbit ransomware attack. https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/a2e61e38-f78d-403d-9abb-3810771bb5d2.html
Business email compromise (BEC) and ransomware were the top threats observed by Cisco Talos Incident Response in the second quarter of 2024, accounting for 60 percent of engagements. Of course. https://blog.talosintelligence.com/ir-trends-ransomware-on-the-rise-q2-2024/
The Electronic Frontier Foundation (EFF) does not like the proposed UN Cybercrime Convention. https://www.eff.org/files/2024/07/29/eff-treaty-un-pagers.pdf
Cool Job(s)
Manager of Intelligence and Incident Response - Major League Baseball. https://www.mlb.com/careers/opportunities?gh_jid=6132462
Special Agent, Financial Crimes Section - Pennsylvania Attorney General’s Office. https://www.governmentjobs.com/careers/paoag/jobs/4596885/special-agent-i-ii
Cool Tool
Research that domain before you click. https://urldna.io/
Irrelevant
Is banning a social media application, say TikTok, unconstitutional? https://www.npr.org/2024/07/27/nx-s1-5053076/justice-department-defends-law-calling-for-tiktok-to-change-ownership-or-face-ban
Training Alert
Two-day financial crime investigation training event hosted by the Mid-Atlantic chapter of the IAFCI - September 24 & 25, 2024 in Laurel, Maryland. https://www.iafci.org/Public/Training_Events/2024/IAFCI_Mid-Atlantic_Chapter_Annual_2_Day_Training_Seminar_Sept._24-25.aspx
Sign Off
Thanks for coming back.
I’m running late this week so the grammar is iffy. You can send me hate mail by replying back to the email that delivered the newsletter (assuming you got the email).
Matt
“PEOPLE HAVE A RIGHT TO THEIR OPINION. AND YOU HAVE A RIGHT TO IGNORE IT.” - especially good advice when dealing with people who write newsletters.
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.