Threats Without Borders - Issue 205
Cybercrime Investigation Newsletter, week ending October 20, 2024
The uptick in database breaches, resulting in the substantial exposure of most Americans' personally identifiable information (PII), has provoked interesting dialogue regarding identity theft, frequently conflated with identity fraud.
This may seem like a small detail, but it truly matters. There is a distinction between Identity Theft and Identity Fraud.
Identity theft happens when someone unlawfully acquires your personal information without permission. This may involve your Social Security number, name and birth date, or bank account details. The main objective of identity theft is to obtain sensitive data, often through techniques such as phishing, hacking, or even the physical theft of documents. At this point, the stolen information has not necessarily been used for fraudulent activities; the crime is the intentional act of stealing the data.
Conversely, identity fraud occurs when that stolen PII is utilized to commit fraud or engage in other illegal activities. This often includes opening new credit accounts, applying for loans, or making unauthorized purchases. Essentially, identity fraud is the crime of using another person's personal information for personal or financial gain.
Identity theft is the acquisition of personal information, whereas identity fraud is using that information for criminal activities.
Identity fraud victims are always victims of identity theft; however, just because your personally identifiable information has been stolen does not necessarily mean it will be utilized for fraud.
Many state criminal statutes also get this wrong. Let’s look at the Pennsylvania Identity Theft statute for reference:
Title 18- Section 4120. Identity theft.
(a) Offense defined.--A person commits the offense of identity theft of another person if he possesses or uses, through any means, identifying information of another person without the consent of that other person to further any unlawful purpose.
The critical necessity there is “to further any unlawful purpose.”
Is possessing someone else's PII without consent a crime, regardless of how it is obtained? If I send you an intentionally deceptive phishing email and you give me your name, date of birth, and social security number, which I then save to my computer, am I guilty of identity theft? What about if I break into a database and steal the company's Human Resources records?
I’m probably guilty of 18-7611 Unauthorized Use of a Computer, 18-7613 Computer Theft, and 18-7615 Computer Tresspass, but not Identity Theft under Section 4120. At least not until I utilize the stolen PII to “further an unlawful purpose.”
So it’s an Identity Fraud statute, right?
Check the law of your state and see how it’s written.
*Disclaimer: I’m not an attorney - don’t believe anything I say about the law
The News…
The team at Egress has identified a new obfuscation technique to circumvent natural language processing (NLP) detection in email security, where additional characters, break lines, and legitimate links are added to phishing emails to disguise malicious payloads. https://www.egress.com/blog/phishing/the-emerging-obfuscation-technique-designed-to-evade-email-security-nlp-detection-capabilities
A new phishing scam targeting Starbucks customers is circulating, using emails that appear to be from Starbucks and promising a free "Starbucks Coffee Lovers Box." The emails contain malicious links designed to steal personal and financial information or download malware onto personal devices. Starbucks coffee…meh. https://www.infosecurity-magazine.com/news/coffee-lovers-warned-of-starbucks/
Artificial Intelligence serves as a double-edged sword in cybersecurity. It not only generates new job opportunities but also risks displacing existing positions. While AI enhances automation and efficiency, it simultaneously introduces new challenges and prospects for cybersecurity experts. Additionally, cybercriminals are adopting AI in their operations to conduct more targeted and impactful attacks. This article explores some of AI's ethical considerations to the cybersecurity discussion. https://securityintelligence.com/articles/navigating-ethics-ai-cybersecurity/
Russia, China, and Iran are increasingly relying on criminal networks to lead cyber espionage and hacking operations against adversaries, according to a report on digital threats published by Microsoft. This trend represents the increasingly blurred lines between actions directed by these nations to undermine geo-political adversaries and the illicit activities of groups typically more interested in financial gain. "We’re seeing in each of these countries this trend towards combining nation-state and cybercriminal activities," Ahh…is this something new? https://www.euronews.com/next/2024/10/16/russia-increasingly-using-cybercriminals-to-target-adversaries-microsoft-says
Speaking of Russia… now Russian intelligence services are taking the next logical step and are directly acquiring “contractors” from the criminal talent pool. Russia's GRU (main military intelligence service) is increasingly recruiting cybercriminals for its war efforts in Ukraine, shifting from opportunistic to more deliberate and structured recruitment, according to several strands of evidence. https://www.lawfaremedia.org/article/russia's-gru-thugs-double-down-on-recruiting-cybercrooks
The FBI arrested an Alabama man for his role in hacking the SEC's X account to make a fake announcement that Bitcoin ETFs were approved. The man and conspirators conducted a SIM-swap attack to take over the identity of the person in charge of SEC's X account. Funny thing…Bitcoin ETFs were eventually approved anyway—literally, crime for nothing. https://www.bleepingcomputer.com/news/security/fbi-arrest-alabama-man-suspected-of-hacking-secs-x-account/
The Federal Trade Commission (FTC) takes action against Marriot Hotels for three separate data breaches involving over 340 million customers. https://www.ftc.gov/news-events/news/press-releases/2024/10/ftc-takes-action-against-marriott-starwood-over-multiple-data-breaches
Two Sudanese nationals have been charged for running a Distributed Denial of Service (DDoS) operation under the name Anonymous Sudan, which targeted some of the world's biggest technology companies, critical infrastructure, and government agencies, including Microsoft, OpenAI, PayPal, and Cloudflare. Oh, and the US DOJ, Defense and State, and the FBI. The operation, which ran from January 2023 to March 2024, utilized a cloud-based DDoS tool to take down or seriously degrade the performance of online targets, performing over 35,000 attacks. https://arstechnica.com/information-technology/2024/10/us-prosecutors-take-down-operation-accused-of-35000-ddoses-over-14-months/
Cool Job
Senior Manager, Fraud Governance and Oversight - Varo Bank. https://jobs.lever.co/varomoney/abcaf514-7fee-4bb0-a455-c8d1a1bdfdfc
Cool Tools
Tools, plural. This is a nice list of applications if you’re a Mac user. (scroll down the GitHub page) https://github.com/jaywcjlove/awesome-mac
Save videos from Bluesky - https://savebsky.com/
Github dorks - https://github-dorks.vercel.app/
Irrelevant
Something so little that makes life so much more convenient. The history of the barcode. https://www.bbc.com/future/article/20241018-barcodes-at-75-how-black-and-white-lines-went-into-space-and-stoked-fears-of-the-antichrist
RIP
Philip Zimbardo, infamous psychologist and head-warden of the Standford Prison. https://news.stanford.edu/stories/2024/10/philip-zimbardo-the-psychologist-behind-stanford-prison-experiment-dies-at-age-91
Sign Off
October is such a month of conflict. Cybersecurity Awareness Month - Ugh. Raking up leaves - Ugh. Halloween - Ugh. Marzen - Hallelujah! Yes, Marzen, or what most beer drinkers call “Oktoberfest”. And no, your crappy Pumpkin Beer doesn’t count, and I don’t want it! The Oktoberfest starts in September in Germany, but the cooler weather of October here in the Northeast USA is perfect for Marzen consumption.
Thanks for opening another issue. Please consider sharing the newsletter with a colleague to help us grow.
See you next Tuesday!
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.
cybercrime cybersecurity cyficrime fraud investigation aml osint