Threats Without Borders - Issue 208
Cybercrime Investigation Newsletter, week ending November 10, 2024
This issue marks the fourth anniversary of this Substack newsletter. Not only is it four years, but more importantly, it also marks the 208th consecutive week I've published an issue.
Before 2020, I provided news summaries about cyber investigations and case law to my colleagues through conversation. One often remarked that Matt reads the Internet, so I don't have to. In fact, I continue to use the tagline for the newsletter, "I read the internet, so you don't have to."
When COVID-19 arrived, I continued going to work, but all of our external in-person meetings and training sessions stopped. To adapt, I started publishing my news summaries through an email newsletter. This was a creative way to share my knowledge with others and expand my reach while staying connected with those I couldn't see in person.
So Matt's Newsletter was born.
Around week 25, while enjoying a well-crafted Old Fashioned, the phrase "Threats Without Borders" came to me as an apt description of cybercrime. The Internet allows criminal actors to victimize individuals anywhere in the world, regardless of their physical location or geopolitical nationality. The physical borders of your country are irrelevant!
So, what have I learned over the past four years?
People are quite protective of their email addresses, making it challenging to gain subscribers. Each subscriber requires effort to secure. The newsletter attracts as many website visits each week as the number of emails sent to subscribers. The typical interaction goes like this:
I love your newsletter. Thanks. Do you subscribe? No, I just read it online. Can you please subscribe? It helps me with the Substack promotion algorithm. Oh, um, I don't like to clog up my email; I'll just read it on the web. Ok, thanks for being a reader.
Readers appreciate my original writing much more than the shared links.
The most popular links are the cool tools, which have significantly higher click rates. While news articles typically see a click rate of about 4% to 10%, the tools attract clicks from at least 40% of readers. Job listings also receive high click rates; for example, one link for a job at Tesla had an impressive click rate of 55%.
Readers value original writing that offers useful information rather than generic, AI-generated content or bland opinions meant to avoid offending anyone. They also enjoy clever, snarky commentary.
Attorneys don’t like jokes about attorneys.
I want to express my heartfelt gratitude for joining me on this incredible journey over the past four years. I promise to continue writing as long as you keep reading. Your engagement and feedback inspire me every day, and I can't thank you enough for being part of this adventure!
Thank you. Truly and sincerely, thank you.
The News…
Two brothers have been accused of stealing $25 million in Ethereum cryptocurrency in a 12-second heist. The brothers, who studied at MIT, allegedly exploited Ethereum's transaction validation process using their specialized mathematics and computer science skills. https://www.bbc.com/news/world-us-canada-69018575
More bad news for TD as a former employee has been indicted for stealing personal information from customers and distributing it on Telegram. This incident follows TD Bank's recent guilty plea to violating a U.S. law aimed at preventing money laundering, resulting in a record $3 billion fine. https://globalnews.ca/news/10858905/td-bank-money-laundering-employee-criminal-charge-us/
A data breach at fashion retailer Hot Topic has exposed the personal information of millions of customers, including credit card details, email addresses, and phone numbers. The stolen database allegedly contains information on 54 million users, including 25 million credit card numbers. https://www.pcmag.com/news/hot-topic-breach-confirmed-millions-of-credit-cards-email-addresses-exposed
A racist thief gets caught; hopefully, he gets what he deserves! A bartender and steward for the Friendship Fire Company's social club in Swatara Township was arrested for stealing $80,940.65 from the club while employed there. He is also accused of falsifying financial records submitted to the Pennsylvania Liquor Control Enforcement. The fire company had been shut down due to allegations of racial discrimination, and during the investigation, it was discovered that the man had sent away a Black individual who inquired about joining the fire department. This revelation led to further investigation, which uncovered financial discrepancies and ultimately led to the subject's arrest. Say it all together now…where were the controls? https://www.pennlive.com/crime/2024/11/dauphin-county-fire-company-member-stole-81k-from-social-club-police.html
A Nigerian man was sentenced to 10 years in prison for his role in a phishing scam that stole over $20 million from over 400 home buyers in the US. The scam involved sending phishing emails to title companies, real estate agents, and attorneys, which allowed the hackers to intercept wire transfers intended for down payments on homes. The stolen funds were then converted into Bitcoin on Coinbase. https://www.justice.gov/usao-sdal/pr/nigerian-national-sentenced-ten-years-20-million-cyber-fraud-scheme
HTTP status codes, which are three-digit numbers used by servers to communicate request outcomes, are being exploited by attackers. These error codes provide information about the success or failure of a client's request, making them valuable to malicious users. https://semaphoreci.com/blog/http-status-codes
SpyAgent is a new Android malware that uses optical character recognition (OCR) technology to steal cryptocurrency wallet recovery phrases from screenshots stored on the mobile device. The malware is distributed through APKs outside of Google Play and targets users in South Korea, the UK, and the United States. It can also steal other sensitive information, such as contact lists, SMS messages, and device information. https://www.bleepingcomputer.com/news/security/spyagent-android-malware-steals-your-crypto-recovery-phrases-from-images/
Something funny with updated iPhones
DFIR investigators need to be aware of a new security feature in iOS 18 that causes iPhones to spontaneously reboot when stored for forensic examination, making it harder to unlock them.
As usual, the team at Magnet Forensics was on top of it.
See also…
https://www.androidauthority.com/iphone-reboot-explained-3498168/
What Frank says…
There is a direct and immediate connection between the level of mail theft and the prevalence of financial and cybercrime, particularly with the recent increase in paper check theft and fraud.
Frank Albergo is the National President of the U.S. Postal Police Officers Association. This week, he posted a summary of a recent Office of Inspector General report to his LinkedIn feed.
Please see the attached [OIG Report], a just-released audit report on “Mitigating Internal Mail Theft” showing a 47% increase in internal mail theft cases from Fiscal Years 2020 to 2023. The Office of Inspector General also found:
“Lack of Management Oversight on the Workroom Floor.”
“Lack of ISIP Camera Visibility.”
“U.S. Postal Inspection Service officials did not actively monitor the operational status of remotely accessible ISIP cameras that are used to monitor operations on the workroom floor.”
“Postal Service employees brought personal belongings onto the workroom floor, which were used to conceal stolen mail and packages.”
The de-policing of the postal service: Postal Police Officer staffing complements are drastically dwindling, a 23% decrease from FY2019 to FY2024 and a 66% decrease from 2002 to 2024.
1974: 2648 Postal Police Officers
1977: 2700 Postal Police Officers
1986: 1745 Postal Police Officers
1999: 1446 Postal Police Officers
2002: 1341 Postal Police Officers
2008: 869 Postal Police Officers
2019: 581 Postal Police Officers
2024: 450 Postal Police Officers
What will it take for the Postal Service to admit that dismantling the Postal Police Force was a colossal mistake?
https://www.uspsoig.gov/reports/audit-reports/mitigating-internal-mail-theft
Cool Jobs
Manager of Fraud Analytics, SeatGeek. https://boards.greenhouse.io/embed/job_app?token=6088201&gh
Risk and Fraud Manager, Adyen. https://job-boards.greenhouse.io/adyen/jobs/6300229
Cool Tool
Investigate those domains - https://subdomainradar.io/
Download images and videos from Instagram - https://instasnapper.netlify.app/dist/final.html
Relevant
The price of Bitcoin is at an all-time high, so I expect to see some movement within crime-related wallets.
Irrelevant
The kids aren’t alright; they can’t read. This Atlantic article examines “Elite College Students Who Can’t Read Books”. (archive.today short link) https://archive.ph/9NlT0
Sign Off
Thank you, veterans! I appreciate your sacrifices and service to our country.
Next week, we push into year five. How crazy does that sound? Come back, and bring a few friends to help us grow!
And as always, send feedback by replying to the email that delivered the newsletter.
Matt
“IF IT’S A SHITTY BOOK, DON’T FEEL OBLIGATED TO FINISH IT.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.