Threats Without Borders - Issue 196
Cybercrime Investigation Newsletter, week ending August 18, 2024
I recently read an online forum conversation where an investigator believed his victim was complicit in their account takeover because it was secured with multi-factor authentication. “How did the thieves know the MFA code if the account owner didn’t give it to them?”
Multi-factor authentication is good; we should use it to add an extra layer of security to our accounts whenever possible. BUT it can be defeated. And it is regularly defeated.
The most common scenario is that the attackers already have the victim’s username and password but need the MFA code. They key up the login to the account and then call the victim by telephone.
Attacker: Mr. Victim, hi, it’s Scott Scammer. I’m with the fraud team at Your Big Bank. Yeah, unfortunately, we see some irregular activity on your account. Can we review it with you?
Victim: OMG! For real? Yes, let’s look at this.
Attacker: OK, first, I must confirm I am speaking to the appropriate account holder. You’re going to get a code sent to your cell phone. Read the code to me when you get it so I can validate you as the account holder.
The attacker then attempts to log in to the victim’s account, triggering the MFA mechanism.
Victim: I just got the code. It’s 26090.
Attacker: Great, thank you Mr. Victim. Bear with me here while I access your account. May I place you on a brief hold?
Victim: Of course.
The attacker enters the code, gaining access to the account. The account balance is quickly reduced to zero.
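The pattern in that scenario leaves a footprint in the bank’s own logs: a password success and OTP challenge from a device the account has never used, an OTP that takes unusually long to come back (the victim is reading it to someone over the phone), and a large outbound transfer minutes later. The following is an added example, not code from the newsletter or from any bank, showing one way an investigator or fraud analyst could sweep authentication and transfer logs for that sequence. The pipe-delimited log format, the event names, and the sample lines are all constructed for the example; real logs will need their own parser and thresholds.

```python
"""Flag MFA-passed logins that match the phone-relayed OTP pattern.

Heuristic (assumption, tune to your own data): an OTP challenge issued to a
device the user has never completed a session from, passed, and followed within
a short window by an outbound transfer above a threshold.  Each hit is a
specific question to put to the victim: "Did anyone call you that afternoon and
ask you to read back a code?"
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (not real data).  Format assumed for the example:
# ts | user | event | device_id | src_ip | amount
SAMPLE_LOG = """\
2024-08-10T10:00:00 | bob   | login_ok     | dev-b1 | 192.0.2.44   | 0
2024-08-12T09:02:11 | alice | login_ok     | dev-a1 | 203.0.113.5  | 0
2024-08-13T18:30:04 | alice | pw_ok        | dev-a1 | 203.0.113.5  | 0
2024-08-13T18:30:05 | alice | otp_sent     | dev-a1 | 203.0.113.5  | 0
2024-08-13T18:30:40 | alice | otp_ok       | dev-a1 | 203.0.113.5  | 0
2024-08-13T18:31:00 | alice | transfer_out | dev-a1 | 203.0.113.5  | 120
2024-08-15T14:10:02 | alice | pw_ok        | dev-z9 | 198.51.100.7 | 0
2024-08-15T14:10:03 | alice | otp_sent     | dev-z9 | 198.51.100.7 | 0
2024-08-15T14:12:47 | alice | otp_ok       | dev-z9 | 198.51.100.7 | 0
2024-08-15T14:20:15 | alice | transfer_out | dev-z9 | 198.51.100.7 | 9800
2024-08-15T16:00:00 | bob   | pw_ok        | dev-b1 | 192.0.2.44   | 0
2024-08-15T16:00:01 | bob   | otp_sent     | dev-b1 | 192.0.2.44   | 0
2024-08-15T16:00:20 | bob   | otp_ok       | dev-b1 | 192.0.2.44   | 0
2024-08-15T16:05:00 | bob   | transfer_out | dev-b1 | 192.0.2.44   | 5000
"""


@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    device: str
    ip: str
    amount: float


def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ev, dev, ip, amt = [f.strip() for f in line.split("|")]
        events.append(Event(datetime.fromisoformat(ts), user, ev, dev, ip, float(amt)))
    return sorted(events, key=lambda e: e.ts)


def flag_relayed_otp(events: List[Event],
                     window: timedelta = timedelta(minutes=30),
                     min_amount: float = 1000.0) -> List[Dict]:
    """Return one alert per 'new device + OTP passed + big transfer' sequence."""
    known = defaultdict(set)   # user -> devices that completed an earlier session
    challenge: Dict[str, Event] = {}   # user -> otp_sent on a not-yet-known device
    suspect: Dict[str, tuple] = {}     # user -> (otp_sent, otp_ok) on that device
    alerts = []
    for e in events:
        if e.event == "otp_sent":
            if e.device not in known[e.user]:
                challenge[e.user] = e
            else:
                challenge.pop(e.user, None)
        elif e.event == "otp_ok":
            sent = challenge.pop(e.user, None)
            if sent is not None and sent.device == e.device:
                suspect[e.user] = (sent, e)
            known[e.user].add(e.device)   # device is now "seen" for later sessions
        elif e.event == "login_ok":
            known[e.user].add(e.device)
        elif e.event == "transfer_out":
            pair = suspect.get(e.user)
            if (pair and e.device == pair[1].device
                    and e.amount >= min_amount
                    and e.ts - pair[1].ts <= window):
                sent, ok = pair
                alerts.append({
                    "user": e.user,
                    "device": e.device,
                    "ip": e.ip,
                    # Seconds between the code being sent and entered; a long
                    # gap is consistent with the code being read out by phone.
                    "otp_delay_s": int((ok.ts - sent.ts).total_seconds()),
                    "amount": e.amount,
                    "transfer_ts": e.ts.isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for a in flag_relayed_otp(parse_log(SAMPLE_LOG)):
        print(a)
```

On the sample data only Alice’s second session is flagged: new device, OTP entered 164 seconds after it was sent (versus 35 seconds on her own device two days earlier), and a $9,800 transfer seven minutes later. Bob’s transfer is not flagged because the device had a prior session. The delay is reported rather than used as a criterion because legitimate users also fumble codes; it is context for the interview, not proof.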
So, being aware this could happen, the investigator asked the victim if they had received any suspicious phone calls asking for the MFA code before the attack. The victim claimed NO.
How did the attackers get the code then? Well, other methods don’t involve personal contact, but let’s go with Occam’s razor and consider the simple answer, which is probably the right one.
The victim realizes their account is drained of money. They remember the phone call asking for the code, put two and two together, and understand what happened. But no one wants to look like a fool or admit they’ve been duped, so they conveniently leave that part out when reporting the missing money to the bank.
“My account has been hacked. No, I have no idea how this happened. It must be a problem on your end. No, I don’t remember getting a phone call or a text message asking for the code. This is absolutely the bank’s fault and I want my money back.”
They have denied providing the MFA code to the attackers when speaking to the bank. They certainly aren’t going to admit it to a cop.
No matter how nicely you ask.
Did they intentionally allow someone to access their account? No, probably not.
Are they being honest about how it happened? No, probably not.
Some News…
“Macs don’t get malware”…wrong. From January 2023 to July 2024, the Intel471 team has observed more than 40 threat actors targeting macOS devices. https://intel471.com/blog/macos-is-increasingly-targeted-by-threat-actors
Few threat research groups document their investigations as well as Check Point. The research team discovered a new malware called Styx Stealer, which can steal browser data, instant messenger sessions, and cryptocurrency. The developer of Styx Stealer is linked to a threat actor named Fucosreal, who was well-known to the Check Point team. The investigation reveals how a critical security lapse by the malware's developer exposed his identity and unveiled a network of cybercriminals, including a connection to the notorious Agent Tesla malware campaign. Pretty cool stuff. https://research.checkpoint.com/2024/unmasking-styx-stealer-how-a-hackers-slip-led-to-an-intelligence-treasure-trove/
I will look a lot better in my next Zoom meeting! Deep-Live-Cam, a new AI-powered software, enables real-time face swapping on webcams. The software requires only a single photo, making it alarmingly simple for individuals to impersonate others during video calls. https://arstechnica.com/information-technology/2024/08/new-ai-tool-enables-real-time-face-swapping-on-webcams-raising-fraud-concerns/
Ransomware attacks are surging, with criminals extorting over $459 million in the first half of 2024, marking a $10 million increase from the same period last year. This alarming trend indicates a potential record year for ransomware attacks, impacting various sectors, from large corporations to government bodies and healthcare institutions. On the bright side, while the frequency of attacks and ransom demands rise, fewer victims choose to pay, suggesting improved preparedness and recovery strategies. https://therecord.media/ransomware-gangs-set-record-for-money-extorted
If you don’t care about web skimmers installed on Prestashop sites, at least click into this article to learn about web sockets. https://blog.sucuri.net/2024/08/prestashop-gtag-websocket-skimmer.html
A lawsuit has been filed against Google for taking three months to remove a scam crypto app, Yobit Pro, from the Play Store. A Florida resident claims using the app resulted in a loss of over $5 million in cryptocurrency. The lawsuit alleges that the scam affected at least 12,759 other Android device users. Try hard not to victim-shame here. https://www.theblock.co/post/311707/google-took-three-months-to-remove-scam-app-that-stole-over-5-million-in-crypto-lawsuit
She tried to steal one of the most famous homes in America. A Missouri woman has been arrested and charged with fraud and aggravated identity theft for an alleged scheme to defraud Elvis Presley's family of their ownership of Graceland. The woman allegedly posed as representatives of a fictitious lending company and claimed Elvis Presley's daughter had borrowed $3.8 million and used Graceland as collateral. You can’t do that. https://www.justice.gov/opa/pr/woman-charged-scheme-defraud-elvis-presleys-family
So, must casinos now conduct complete investigations on all high-rollers? Is that how this is going to play out? Resorts World Las Vegas is facing scrutiny for alleged anti-money laundering violations involving a high-dollar player. The Nevada Gaming Control Board (NGCB) filed a complaint against the casino, citing its failure to adhere to anti-money laundering protocols. The complaint centers around an illegal bookmaker who was able to gamble millions at the casino. The NGCB alleges that Resorts World allowed the player to make large deposits without verifying his source of funds and even provided him with perks such as promotional chips and flights. https://www.sportscasting.com/news/resorts-world-las-vegas-is-in-trouble-for-anti-money-laundering-violations/
All together now…
Where were the controls??? A Pennsylvania township of 2,200 people is missing $532K. Of course, an employee is a suspect, but how did the amount grow so large without anyone else saying, “huh, we seem to be short some money”? https://www.centredaily.com/news/local/community/penns-valley/article291085040.html
Cool Job
Senior Manager of Fraud Operations - TD. https://td.wd3.myworkdayjobs.com/fr-CA/TD_Bank_Careers/job/Mount-Laurel-New-Jersey/Sr-Mgr-Fraud-Operations--US-_R_1357217
Head of Digital Forensics and Incident Response - Apple. https://jobs.apple.com/en-us/details/200541873/head-of-digital-forensic-incident-response?team=SFTWR
Cool Tool
Eliminate all the junk and reduce any online article to just the text - https://txtify.it/
Apple now allows podcasts to be played through the browser. https://podcasts.apple.com/us/browse
Irrelevant
Stop making your life worse. https://www.psychologytoday.com/us/blog/the-neuroscience-of-personal-growth/202408/2-things-we-constantly-do-that-make-our-lives-worse
Sign Off
Last week’s issue had the lowest open rate in the past year. Some of these email services are doing their best to kill Substack, and I appreciate everyone who finds the Threats Without Borders newsletter each week, even when it doesn’t make it to their inbox.
I appreciate those who share it with their colleagues even more :)
Matt
“You will never meet a hater doing better than you, ever!” - David Goggins
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.
Keywords: Cybercrime Cybersecurity Fraud AML Investigations Cyber CyFiCrime Financial Crime