Threats Without Borders - Issue 199
Cybercrime Investigation Newsletter, week ending September 8, 2024
I recently appeared as a guest on the 404PD Podcast, which is published by the Mechanicsburg (PA) Police Department. I had a great time, and our conversation covered topics ranging from identity theft prevention and cybersecurity for small businesses to old-fashioned check fraud. If you have an hour to spare, I recommend giving it a listen.
Of all the topics covered, the one thing that elicited a follow-up question from a listener was something I said towards the very end, almost as an aside.
Know Normal!
In terms of cybersecurity, the concept of knowing normal means that you must know what your computer system should look like in everyday situations so you can quickly recognize when something isn't normal. This concept has been popularized by the computer security training organization SANS Institute and is taught in several of their courses. The concept is not hard to grasp and is based on simple common sense. How can you know if an attacker is working and making changes in your computer network if you don't know what your computer network should look like? Is that login from Canada expected? Is that file part of the system, and why is it here? Is that a normal application running inside of Windows? Do we, as a business, use this software? If you don't know what should happen within your network, you will never know when something shouldn’t be happening.
This idea is not new in the field of policing, and it has been passed down from one generation of officers to the next. It's an early lesson taught during the field training program, although not in such a formalized way as SANS instructs. It's a lesson that quickly becomes reinforced by real-world application. I suspect that someone within the SANS organization adapted it, rightly so, to fit the computer network security field.
In general, police patrol officers are assigned areas of concern. This may be called a beat, zone, or sector depending on the agency, but it is a geographic area where an officer is primarily responsible for patrolling and answering calls for service. An officer will spend a lot of time in that area: usually eight, and sometimes 12, hours per day, depending on the department's schedule. That is a lot of time to watch the everyday happenings of that small piece of the world. Officers learn how the area works as a functioning micro community set aside from the larger society. When the UPS driver comes every day. When the businesses open and close. The businesses that get early and late deliveries. The regular vagrants, beggars, and bums and where they like to be during the day and sleep at night.
It gets even more granular in the residential neighborhoods. Drive through the neighborhood with a good cop, and they can tell you who lives where, who stays up late, who leaves early for work, and who has marital problems. They know what cars people drive and when a vehicle is parked on a street that shouldn't be there. They even know the neighborhood dogs and what it means if one or all are barking.
Good patrol officers know what their beat looks like under normal conditions and quickly recognize when something is out of place. They notice when a vehicle is parked behind a business that shouldn't be, when a person is walking down an alley who is not from the area, and when a light is on inside a business that is normally dark at 1 am.
Citizens should also incorporate this concept into their lives. Know what your home's exterior, workplace parking lot, commute routes, bank records, credit report, etc., look like under everyday conditions so you know to be suspicious when something looks different.
Know normal so you can recognize when it isn't.
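The "know normal" idea in code, as an added illustration that is not part of the newsletter: a baseline of which accounts exist, which countries each one usually signs in from, and which software runs on the network is built from a quiet period, and new events are compared against it. All users, countries and process names below are constructed sample data.

```python
# Added example (not from the newsletter): a minimal "know normal" baseline check.
# Every record below is constructed sample data for a fictional small network.
from collections import defaultdict

# Constructed baseline: what the network looked like during a known-quiet week.
BASELINE_EVENTS = [
    {"user": "alice", "country": "US", "process": "outlook.exe"},
    {"user": "alice", "country": "US", "process": "excel.exe"},
    {"user": "bob",   "country": "US", "process": "outlook.exe"},
    {"user": "bob",   "country": "CA", "process": "chrome.exe"},  # bob travels to Canada regularly
    {"user": "svc_backup", "country": "US", "process": "backup_agent.exe"},
]

# Constructed new events to check against that baseline.
NEW_EVENTS = [
    {"user": "alice", "country": "US", "process": "excel.exe"},        # normal
    {"user": "alice", "country": "CA", "process": "outlook.exe"},      # country alice has never used
    {"user": "bob",   "country": "CA", "process": "chrome.exe"},       # normal for bob
    {"user": "bob",   "country": "US", "process": "remote_tool.exe"},  # software nobody here has run before
    {"user": "mallory", "country": "US", "process": "outlook.exe"},    # account never seen before
]

def build_baseline(events):
    """Record the countries each known user signs in from and the set of
    processes seen anywhere on the network. This is 'normal'."""
    baseline = {"countries": defaultdict(set), "processes": set()}
    for e in events:
        baseline["countries"][e["user"]].add(e["country"])
        baseline["processes"].add(e["process"])
    return baseline

def find_anomalies(baseline, events):
    """Return one human-readable finding for each way an event falls outside
    the baseline; a single event can produce more than one finding."""
    findings = []
    for e in events:
        user, country, proc = e["user"], e["country"], e["process"]
        if user not in baseline["countries"]:
            findings.append(f"unknown account: {user}")
        elif country not in baseline["countries"][user]:
            findings.append(f"unexpected login country for {user}: {country}")
        if proc not in baseline["processes"]:
            findings.append(f"never-before-seen process: {proc} (run by {user})")
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print("REVIEW:", finding)
```

Each finding is a question for a human ("Is that login from Canada expected?"), not a verdict; the value of the script is that it can only ask the question because the baseline was recorded first.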
News
Malwarebytes identified a phishing campaign targeting Lowe's employees through malicious Google Ads. Cybercriminals impersonated the MyLowesLife employee portal, using Google Ads to display fraudulent links to phishing sites. These sites, disguised as legitimate portals, aimed to steal employees' login credentials. The article details the campaign's mechanics, including the use of AI-generated websites for concealment and the phishing page's design to mimic the real portal. https://www.malwarebytes.com/blog/news/2024/09/lowes-employees-phished-via-google-ads
This bakery owner fell for a counterfeit check scam and now blames her bank. Of course. Maybe banks should include fraud protection insurance with each account. The premium would be deducted each month directly from the account. https://finance.yahoo.com/news/la-bakery-owner-takes-big-102200672.html
Wynn Resorts Ltd. agreed to pay $130 million to federal authorities and admitted that it allowed unlicensed money transfer businesses to channel funds to gamblers at its Las Vegas Strip property. The Justice Department stated that the settlement was a result of a “decade-long” investigation into the casino's involvement in illegal money transfers. The case was investigated by the Las Vegas Financial Crimes Task Force. I imagine they have no shortage of work! https://www.justice.gov/usao-sdca/pr/wynn-las-vegas-forfeits-130-million-illegally-conspiring-unlicensed-money-transmitting
The U.S. Treasury Department imposed sanctions on nearly 400 entities and individuals to disrupt Russia's war efforts in Ukraine. The sanctions target Russia's military-industrial complex, financial technology sector, and metals and mining industry. Treasury claims its goal is to limit Russia's access to international finance and technology, hindering its ability to sustain the conflict. Whoever wrote the press release for Treasury gets an A+ for prompt and promotion. Well done on both parts, fighting Russians and self-aggrandizing. https://home.treasury.gov/news/press-releases/jy2546
The Securities and Exchange Commission (SEC) charges six credit rating organizations with “record-keeping violations”. Aren’t these the companies that rate other businesses based on their record keeping? Ironic. https://www.sec.gov/newsroom/press-releases/2024-114
The Federal Trade Commission (FTC) has finally realized that Bitcoin ATMs are a bad idea and figured they better do something about it. So, they published a “consumer protection” report titled “Bitcoin ATMs: A payment portal for scammers”. Welcome to the party, better late than never. https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2024/09/bitcoin-atms-payment-portal-scammers
Rent a car from Avis recently? Well, at least you’ll get another year of complimentary credit monitoring. https://news.yahoo.com/news/thousands-avis-car-rental-customers-114008921.html
Help us grow - forward the newsletter to a friend. Thank You.
File under WTF
I will walk softly on this because the newsletter has a few readers who are part of the Allegheny County law enforcement community. Where were the controls fam?
The Office of Attorney General investigation found that Osinski misappropriated $1,041,680 from the lodge between March 2019 and April 2024. When he received checks made payable to the lodge, he allegedly deposited them into accounts he opened in the name of the FOP at a separate financial institution, but for which he was the sole owner and authorized user. He also allegedly used the lodge’s credit card and official bank accounts for personal use without fellow members’ knowledge, a theft of more than $24,000. In all, the alleged theft totaled $1,067,057.82.
Cool Job
Director of Investigations and Security, East Coast - National Football League. https://job-boards.greenhouse.io/nflcareers/jobs/4112837008?gh_src=384ee6888us
Cool Tool
Open suspicious links in a sandbox. https://www.browserling.com/browser-sandbox
Reported UCR Part 1 crimes - per month. https://realtimecrimeindex.com/
Check for traps set using your domain as bait. https://haveibeensquatted.com/
Irrelevant
The founder of Basecamp and Hey shares some wise words about the assault on free speech. https://world.hey.com/dhh/free-speech-isn-t-guaranteed-to-be-forever-e7654685
In under the Wire
The Financial Crimes Enforcement Network (FinCEN) released a special Financial Trend Analysis (FTA) on mail-related check fraud. https://www.fincen.gov/sites/default/files/shared/FTA-Check-Fraud-FINAL508.pdf
Sign Off
Thank you for reading another newsletter issue and making it this far down the page! We picked up several new subscribers this week - Welcome!
A long-time reader I recently met in person commented, “I love the newsletter, but I miss the snark of the early days.” My response was “Well, I’m corporate now” but it made me think. I haven't intentionally gone snark-free; I guess I've softened over time. Thanks for the reset, Mark. I'll make a point to be a bit more snide.
Have a great week, and come back for next week’s issue - Issue 200!
Matt
“You can either build your dream or help someone build theirs” - someone smarter than me.
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.