Threats Without Borders - Issue 197
Cybercrime Investigation Newsletter, week ending August 25, 2024
TD Bank Group is allocating an additional $2.6 billion for penalties related to U.S. regulatory probes into deficiencies in its anti-money laundering program. To mitigate the financial impact, the company must sell part of its stake in Charles Schwab. In total, the bank has set aside over $3 billion, which includes a $450 million provision made in April.
I could write 5000 words here and never adequately explain how stupid TD Bank is for finding itself in this situation. In fact, those not in banking will never understand it, and those in banking don’t need an explanation.
So, for (allegedly) allowing Chinese drug traffickers to use the bank to launder at least $650 million from 2016 through 2021, they will now pay over three billion dollars in fines. Three Billion Dollars!
It seems like following the law is a much better and less expensive option.
This is the "I told you so" moment that all the BSA/AML Excel spreadsheet junkies have been waiting for. Take a break from filing SARs and pay attention. Incorporate this story into every presentation and ensure that everyone at the bank comprehends the risk of not establishing a solid, comprehensive, and robust program. Every conversation you have with every senior manager should begin with “Hey, did you see what is going on with TD…”
Some News
ESET has warned about a new phishing technique targeting iOS and Android users. This technique uses web applications disguised as legitimate banking software to steal login credentials. The attackers use Progressive Web Applications (PWAs) on both iOS and Android, and WebAPKs on Android, to trick users into installing malicious apps that mimic real banking apps. These fake apps then steal user credentials and send them to the attackers' servers. https://www.securityweek.com/new-phishing-technique-bypasses-security-on-ios-and-android-to-steal-bank-credentials/
The Securities and Exchange Commission is doing its best to crack down on public businesses that fail at cybersecurity. Equiniti Trust Company was fined $850,000 by the SEC for mishandling two cybersecurity incidents in 2022 and 2023. The first incident involved hackers stealing $4.78 million by impersonating a client and requesting share issuance and liquidation. The second incident involved a hacker stealing Social Security numbers to create fake accounts and transfer $1.9 million. https://therecord.media/financial-firm-fined-for-sec-violation
This bank CEO stole $47 million to participate in a scheme to get "wildly rich." Wouldn't keeping the $47 million for himself have made him wildly rich? Instead, he sent the money to scammers and went to jail. Shan Hanes, the former bank CEO, was sentenced to over 24 years in prison for embezzling $47 million after falling for a cryptocurrency scam. Scammers targeted Hanes in late 2022, and he made 11 wire transfers using bank funds between May 2023 and July 2023. His actions caused the collapse of Heartland Tri-State Bank (HTSB) in Elkhart, Kansas, and the FDIC absorbed the $47.1 million loss. https://arstechnica.com/tech-policy/2024/08/ex-bank-ceo-gets-24-years-after-falling-for-crypto-scam-causing-bank-collapse/
A 39-year-old man from Kentucky was sentenced to 81 months in prison for computer fraud and aggravated identity theft. He illegally accessed the Hawaii Death Registry System, created a fake death certificate for himself, and tried to sell access to compromised networks on the dark net. He admitted that he faked his death in an attempt to avoid paying child support. Hopefully, the federal prison will have a labor program where he can work, and all the pay goes to child support. https://www.justice.gov/usao-edky/pr/pulaski-county-man-sentenced-cyber-intrusion-and-aggravated-identity-theft
Get a sticker maker, get paid. Redondo Beach Police Department issued a warning about fraudulent QR codes found on parking meters in popular areas. The codes directed users to a fake website designed to steal payment information. https://www.latimes.com/california/story/2024-08-25/fake-qr-codes-posted-on-redondo-beach-parking-meters-to-scam-people-police-say
Holy One-Million-Dollar payment! The American Radio Relay League, an amateur radio group, admitted to paying a ransomware group one million dollars to recover their network. In reality, their insurance company footed the bill, but it's still surprising that they agreed to pay such a hefty amount. What kind of network did they have that warranted such a large payment? https://www.arrl.org/news/arrl-it-security-incident-report-to-members
Reader Mail
“Matt, I caught your talk at the Harrisburg B Sides event in May, where you showed how the ransomware groups pressure their victims into making payments. I was catching up on some reading while on vacation last week and found this article on the Sophos blog. It’s pretty close.” - Josh
Thanks for the link, Josh. Although the author’s points mirror mine, I think there’s just too much distance between us for it to be a case of pilfered content. Great minds think alike!
Unlike the group teaching a contract class for the Northeast Counterdrug Training Center and using direct screen grabs of some TwoB content. Two subscribers told me they immediately recognized the material while taking the class. The newsletter is free, and I don't ask for any payment, but if you're using the content to teach a class that you're getting paid for, at least throw up a link to the newsletter and get me some new subs!
Cool Tools
Know where that sketchy URL goes before you click the link. https://www.redirectcheck.org/
Remove the watermark from those images you stole. https://unwatermark.ai/
Strip the text out of a PDF. https://pdfxt.com/
Cool Job
Ship Investigations Manager - Disney Cruise Line. https://www.disneycareers.com/en/job/-/-/391/63683838272
For Mac users (or those that support Mac users)
Cado Security has identified a malware-as-a-service (MaaS) offering targeting macOS users, named “Cthulhu Stealer”. The malware steals login credentials and cryptocurrency wallets from infected macOS systems. https://www.cadosecurity.com/blog/from-the-depths-analyzing-the-cthulhu-stealer-malware-for-macos
Irrelevant
The Simpsons’ writers have the script of this crazy life. They have known the future 34 different times. https://www.hollywoodreporter.com/tv/tv-news/simpsons-future-predictions-accurate-1140775/
Sign Off
After dropping off our youngest at college, I officially became an empty nester. Well, at least until Friday when everyone comes home for the Labor Day holiday. So, how did I spend my first weekend? I cleaned off all the countertops in the kitchen and watched them stay clutter-free. It is amazing.
Thanks for reading another issue. See you next Tuesday!
Matt
“DON’T CONTINUE WITH A MISTAKE JUST BECAUSE YOU SPENT A LOT OF TIME MAKING IT.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.
cybercrime cybersecurity cyficrime aml investigations cyber infosec