Threats Without Borders - Issue 203
Cybercrime Investigation Newsletter, week ending October 6, 2024
I discovered a new term this week while researching email-based attacks: "snowshoeing." I previously referred to this attack method as a Hailstorm attack, but snowshoeing appears slightly different.
In a hailstorm attack, the goal is to overwhelm email systems with a massive amount of spam in a very short period. Think of it like a sudden downpour of emails, all coming at once. These attacks usually happen within minutes, and the idea is to send so many emails so quickly that spam filters can’t react fast enough to block them. This can lead to overloading email servers, causing delays or even crashes. It also makes spam filters more likely to make mistakes, possibly flagging legitimate emails as spam.
Snowshoe attacks take a slower, more subtle approach. Instead of blasting out a huge volume of spam all at once, snowshoe attackers spread their emails over a longer period—sometimes days or weeks—and across multiple IP addresses. The goal here is to keep the volume low enough that it doesn’t trigger alarms in spam filters, making the attack more challenging to detect. While the impact is less immediate, the steady flow of spam can still clog up email systems over time. Spam filters might still flag legitimate emails as spam, and because the attack lasts longer, the chances of someone falling for a phishing attempt increase.
I don't see the need for a specific term for snowshoe attacks, as they seem like regular phishing campaigns. However, the term does exist, and there is actually quite a bit of literature on the subject once you go down the rabbit hole.
So, since the term exists, we should know it. Hailstorm attacks are all about quick, overwhelming bursts, while snowshoe attacks are more about staying under the radar and slowly building up over time.
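To make the hailstorm-versus-snowshoe distinction concrete from a defender's side, here is an added example (my own illustration, not from any vendor or from the literature mentioned above) that profiles mail-gateway log entries per campaign and labels each as a short burst, a low-and-slow spread across many sending IPs, or ordinary traffic. The log format, the thresholds, and the sample events are all constructed for the example; the sender addresses use the reserved documentation ranges.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class MailEvent:
    """One inbound message as seen at the gateway (constructed schema)."""
    ts: datetime
    src_ip: str
    subject: str


def parse_line(line: str) -> MailEvent:
    # Constructed log layout, not any real MTA's: "<ISO timestamp> <ip> <subject>"
    ts, ip, subject = line.split(" ", 2)
    return MailEvent(datetime.fromisoformat(ts), ip, subject)


def peak_rate(events, window=timedelta(minutes=5)) -> int:
    """Largest number of messages that fall inside any sliding window."""
    times = sorted(e.ts for e in events)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def campaign_profile(events) -> dict:
    """Summary statistics a filter would look at for one subject/template."""
    times = [e.ts for e in events]
    span = max(times) - min(times)
    per_ip = Counter(e.src_ip for e in events)
    return {
        "messages": len(events),
        "distinct_ips": len(per_ip),
        "span_hours": span.total_seconds() / 3600,
        "peak_5min": peak_rate(events),
        "max_per_ip": max(per_ip.values()),
    }


def classify(events, burst_threshold=30, per_ip_ceiling=5,
             min_ips=10, min_span_hours=24) -> str:
    """Heuristic labels; thresholds are illustrative assumptions."""
    p = campaign_profile(events)
    # Hailstorm: a large volume packed into a few minutes, regardless of IP count
    if p["peak_5min"] >= burst_threshold:
        return "hailstorm"
    # Snowshoe: every IP stays under the per-sender ceiling, yet the campaign
    # as a whole spans many IPs and at least a day
    if (p["distinct_ips"] >= min_ips and p["max_per_ip"] <= per_ip_ceiling
            and p["span_hours"] >= min_span_hours):
        return "snowshoe"
    return "normal"


def classify_log(lines) -> dict:
    """Group log lines by subject (a stand-in for the phishing template)."""
    campaigns = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        campaigns[ev.subject].append(ev)
    return {subject: classify(evs) for subject, evs in campaigns.items()}


def build_sample_log() -> list:
    """Constructed sample: one burst, one slow spread, one benign sender."""
    base = datetime(2024, 10, 1, 9, 0)
    lines = []
    # Hailstorm: 60 messages from 3 IPs inside three minutes
    for i in range(60):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.{i % 3 + 1} Invoice overdue - act now")
    # Snowshoe: 3 messages a day for 14 days, each day from a fresh IP
    for day in range(14):
        for k in range(3):
            ts = base + timedelta(days=day, hours=2 * k)
            lines.append(f"{ts.isoformat()} 198.51.100.{day + 1} Your account needs verification")
    # Normal: a few messages from one internal server
    for i in range(4):
        ts = base + timedelta(days=i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 Weekly team summary")
    return lines


if __name__ == "__main__":
    for subject, label in classify_log(build_sample_log()).items():
        print(f"{label:10s} {subject}")
```

The point the profile makes visible is that a per-IP rate limit alone never fires on the snowshoe set (three messages per address per day), while the burst trips the sliding-window count almost immediately; catching the slow campaign requires correlating on the template across senders and across days.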
The News…
Strise released its Anti-Money Laundering Megaminds report. 70% of AML professionals believe current AML measures are not working. Conversely, 30% of AML professionals sleep at their desks all day. Seriously, a good report that is worth your time. https://25206665.fs1.hubspotusercontent-eu1.net/hubfs/25206665/Anti-Money%20Laundering%20Megaminds%20Report.pdf
Fraudulent Disney+ activation pages are being created to redirect users to fake Microsoft support. The scam claims to have detected child abuse imagery and asks victims to call a phone number for assistance. The warning provides a phone number where fake Microsoft call center representatives work to gain remote access to victims' computers and steal money or information. https://www.malwarebytes.com/blog/scams/2024/10/fake-disney-activation-page-redirects-to-pornographic-scam
Paper checks can’t catch a break. More than 200 taxpayers have reported stolen IRS refund checks totaling $3.8 million, according to Rep. Nicole Malliotakis (R-NY). The thefts highlight the risks of receiving paper checks instead of direct deposit. The IRS encourages taxpayers to use direct deposit for the fastest and safest way to receive refunds. https://nypost.com/2024/10/04/business/millions-of-dollars-in-irs-refund-checks-sent-through-mail-are-being-stolen/
Most people learn from seeing others get punished for doing foolish things, but not banks. Banks are really slow learners. UK-based Starling Bank was fined £29 million by the Financial Conduct Authority (FCA) for inadequate financial crime controls from 2021 to 2023. The FCA discovered deficiencies in Starling's anti-money laundering processes, which allowed approximately 54,000 high-risk customers to open accounts. https://techcrunch.com/2024/10/02/starling-bank-fined-39-million-for-facilitating-financial-crime/
Interpol dismantled a cybercrime group in Côte d'Ivoire that targeted Swiss citizens with phishing scams involving QR codes. The scammers impersonated legitimate entities and stole over $1.4 million from victims. The operation, part of Interpol's Contender 2.0 initiative, arrested eight suspects and is ongoing to identify additional victims and recover stolen funds. https://www.interpol.int/en/News-and-Events/News/2024/Arrests-in-international-operation-targeting-cybercriminals-in-West-Africa
This guy breached Office365 accounts of executives at publicly traded companies to access confidential financial reports before their public release. This illegal information gave him an advantage in stock trading, resulting in millions of dollars in profit. Brilliant, unfortunately. https://arstechnica.com/security/2024/10/crook-made-millions-by-breaking-into-execs-office365-inboxes-feds-say/
Mmmmm. Everyone loves warm cookies. Right? The new cyberattack campaign targets users with fake browser and application updates that spread the WarmCookie backdoor. Researchers from Gen Threat Labs warn the campaign, dubbed 'FakeUpdate,' uses compromised websites to display fake update prompts for popular software like Google Chrome, Mozilla Firefox, and Java. When a user clicks the update prompt, a malicious file that installs the WarmCookie malware is downloaded, giving attackers remote access to the infected system. https://x.com/GenThreatLabs/status/1840762181668741130
It's the craziest story I have read all week: You must be mentally ill to think you can show up at a prison, pass yourself off as an FBI Special Agent, and then walk away with an inmate. You don’t think someone is gonna check up on that? https://www.pennlive.com/crime/2024/10/cumberland-county-woman-impersonated-fbi-agent-in-botched-prison-break-police.html
Cool Tool
Cool Job
Pierogy Runner (2025 Season) - Pittsburgh Pirates. https://pirates.rec.pro.ukg.net/PIT1500PITA/JobBoard/1571bce9-cb30-4961-98da-07b26506146a/OpportunityDetail?opportunityId=30d13709-b2af-4460-b886-af3d9cb45f4a
Long technical read…you should read
This Trend Micro report highlights a spear-phishing attack that utilized a malicious .lnk file delivered through a resume sent to an HR representative. I have used the random resume in the phishing simulation tests at my organization. It’s always a hit, and, by the way, is why resumes should only be accepted through the official employment candidate portal. https://www.trendmicro.com/en_us/research/24/i/mdr-in-action--preventing-the-moreeggs-backdoor-from-hatching--.html
Irrelevant
The Earth now has two moons. For real. https://www.earth.com/news/its-official-earth-now-has-two-moons-captured-asteroid-2024-pt5/
Relevant
“In a nutshell, law enforcement has no farm team and there is only minimal, and often terrible, cybercrime training available in police academies.” - Will Gragido, Blackhatonomics: An Inside Look at the Economics of Cybercrime.
Sign Off
Thanks for turning out another week. I say this all the time, but your attention is really stretched thin, and I appreciate you giving Tw/oB a few minutes of it!
Please continue to support the storm clean-up efforts in Appalachia - https://saveourallies.org/
Pray for Florida.
Stay safe!
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.