Threats Without Borders - Issue 211
Cybercrime Investigation Newsletter, Week ending December 1, 2024
I frequently see the web attack Pharming grouped with pure social engineering attacks. This may be due to the similarity in spelling, using 'Ph' instead of 'f' like in phishing versus fishing. However, Pharming is primarily a technical attack on Internet technology rather than a personal manipulation of the victim. While a social engineering effort like phishing may set the table, pharming does not rely on human intervention.
Pharming is a cyberattack that alters internet traffic, steering users to fake websites that closely imitate genuine ones. Unlike phishing, which tricks victims into visiting fraudulent sites via misleading emails or messages, pharming occurs behind the scenes, or behind the screen as it may be. Victims think they are accessing their actual bank, a trusted online store, or another reliable service, only to engage with a deceptive replica. This tactic collects sensitive information, including login credentials, credit card numbers, or personal details, exposing users to identity theft and financial fraud.
Pharming exploits vulnerabilities in the Domain Name System (DNS), the internet’s address book. Computers don’t understand www.google.com, but they do know what 142.251.46.174 means. When you type a web address into your browser, DNS translates it into a numeric IP address to connect you to the site. In a pharming attack, the bad guys intercept this translation and return a malicious IP address. The browser is directed to the attacker’s malicious server instead of the legitimate one. The counterfeit site often appears indistinguishable from the real one and any information entered on it goes straight to the attackers.
Pharming attacks can occur in various ways. One common method involves installing malware on the victim's computer or server to modify DNS settings, redirecting users to a malicious DNS server, which then points to fake websites. Another approach is establishing a rogue DNS server that integrates with the existing DNS infrastructure. Additionally, attackers may target individuals through their home routers if the owners never changed the default login credentials, making the router easy to compromise and its DNS settings easy to alter.
Pharming attacks are particularly dangerous because they do not require user interaction, such as clicking a suspicious link, to succeed. Even security-minded users who diligently avoid phishing scams can fall victim.
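Two of the redirection methods above leave traces on the victim's own machine: a hosts-file entry that pins a trusted domain to a rogue address, and resolver settings that point at a DNS server nobody sanctioned. The script below is an added example, not something from this newsletter or any vendor; it checks both from text, so it runs offline on the constructed sample and, with the same functions, on a real /etc/hosts and /etc/resolv.conf. The watched domains, the trusted-resolver allowlist and all addresses are assumptions for illustration.

```python
import ipaddress
import re

# Domains a defender watches for local overrides (constructed list).
WATCHED = {"www.example-bank.com", "login.example-shop.com"}
# Resolvers the organisation expects its hosts to use (constructed allowlist).
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not an address; ignore malformed line
        entries.extend((ip, name.lower()) for name in parts[1:])
    return entries


def parse_resolvers(text):
    """Return nameserver addresses from resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)


def find_pharming_indicators(hosts_text, resolv_text):
    """Return findings as strings; an empty list means nothing suspicious."""
    findings = []
    # A hosts entry for a public domain we watch bypasses DNS entirely.
    for ip, name in parse_hosts(hosts_text):
        if name in WATCHED:
            findings.append(f"hosts file pins watched domain {name} to {ip}")
    # A resolver outside the allowlist may be a rogue DNS server.
    for ns in parse_resolvers(resolv_text):
        if ns not in TRUSTED_RESOLVERS:
            findings.append(f"resolver {ns} is not on the trusted list")
    return findings


# Constructed sample: one injected hosts entry, one swapped nameserver.
SAMPLE_HOSTS = "127.0.0.1 localhost\n198.51.100.7 www.example-bank.com # injected\n"
SAMPLE_RESOLV = "nameserver 192.0.2.53\nnameserver 203.0.113.9\n"

if __name__ == "__main__":
    # On a live host: find_pharming_indicators(open("/etc/hosts").read(), open("/etc/resolv.conf").read())
    for finding in find_pharming_indicators(SAMPLE_HOSTS, SAMPLE_RESOLV):
        print("ALERT:", finding)
```

Router-level tampering does not show up in these files; for that, compare the DNS servers the router hands out via DHCP against the same allowlist.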
Some News…
Should the U.S. Secret Service be restructured? This opinion piece in The Hill suggests that the agency's dual roles of safeguarding personnel and investigating financial crimes have left it disoriented and overextended. It’s theorized that by juggling both protection and investigation, the Secret Service struggles to excel in either function, leading to operational shortcomings and missed chances to bolster its core mission of safeguarding the president. The author proposes shifting the agency's investigative duties on financial crime to other federal bodies, such as the FBI or Homeland Security Investigations, enabling the Secret Service to concentrate solely on its protective responsibilities. https://thehill.com/opinion/5013384-secret-service-dual-mission/
Once upon a time, there was a smartphone app called Yik Yak. Just reading that line sent chills down the spines of law enforcement and school administrators active from 2015 to 2017. The app was relaunched in 2021 with previously absent security features. The original app enabled anonymous communication among users, but with geographical restrictions. This meant that everyone within the school's vicinity would receive the message while those further away would not. A single message sent through the app could entirely disrupt a school, sporting event, or any entertainment venue. And if the account was set up correctly, it truly was anonymous. Well, what goes around comes around. Welcome to Unstag - “The anonymous campus app”. Available for both Android and iOS. https://play.google.com/store/apps/details?id=com.app.unstag https://apps.apple.com/in/app/unstag/id6737087170
Netcraft highlights the alarming rise of fake online stores, particularly during the Black Friday shopping season. Between August and October 2024, 110% more fake stores were identified. These fake stores, often powered by the e-commerce platform SHOPYY, utilize large language models (LLMs) to generate convincing product descriptions and listings, making it difficult for consumers to distinguish between legitimate and fraudulent websites. https://www.netcraft.com/blog/2024-llm-powered-fake-online-shopping-site-surge/
This article from International Banker suggests that TD Bank's $3 billion penalty exposes the deficiencies in the American banking industry's anti-money-laundering measures, which unveil systematic flaws in recognizing and averting money laundering operations. The author emphasizes that this case highlights the necessity for a more efficient, risk-oriented strategy for AML compliance, prioritizing the detection and interruption of illicit financial activities instead of merely adhering to technical standards. https://internationalbanker.com/banking/td-banks-3-billion-fine-reveals-the-shortcomings-of-the-banking-sectors-anti-money-laundering-safeguards/
It’s funny anytime American politicians are “concerned” about others committing fraud. US lawmakers are concerned that Hong Kong has become a hub for financial crime, including money laundering and sanctions evasion, and are calling for a reassessment of US ties with the city's banking sector. https://www.reuters.com/world/us-lawmakers-say-hong-kong-is-becoming-hub-financial-crime-wsj-reports-2024-11-25/
I’m sure the recent national elections blew up the numbers presented in this report: the Federal Trade Commission claims that reports of “unwanted” telemarketer phone calls are down 50% since 2021. Aren’t all telemarketer calls unwanted? https://www.ftc.gov/news-events/news/press-releases/2024/11/reports-unwanted-telemarketing-calls-down-more-50-percent-2021
The Layer 8 Conference is returning to a live format in Boston this June. The conference centers on social engineering and OSINT. https://layer8conference.com/
Reader Mail
Several readers offered suggestions to get over the paywall:
Patrick suggests - “Throwing this method out there while it still works…
Copy the article’s URL and add this prefix to the beginning: https://facebook.com/l.php?u= Paste the modified link into your browser, hit enter, and you’ll be redirected to a Facebook page. Click “Follow Link,” and you’ll access the article without the paywall.”
Steve suggests using the site: https://www.archivebuttons.com/
J.K. offered, “Run the site through https://txtify.it/ to pull the text out of the paywalled article.”
DFIR
Eric Wise explains the anti-forensics tactic of “time stomping”. https://wise-forensics.com/2024/11/27/combating-anti-forensics-timestomping/
Cool Job
Director of Security Threat and Risk Analysis - Johns Hopkins University. https://jobs.jhu.edu/job/Baltimore-Director%2C-Security-Threat-and-Risk-Analysis-MD-21218/1215709300
Information Technology Security Manager - Houston Texans. https://www.teamworkonline.com/football-jobs/texans/houston-texans/information-technology-security-manager-2100044
Cool Tool
Favicorn: Python tool to search Favicons through ten major search platforms. https://github.com/sharsil/favicorn
Irrelevant
I have long argued that training and education providers should not distribute printed copies of slideshow resources, such as PowerPoint presentations. If we want students to learn effectively, they need to pay attention. This engagement comes from actively processing the material rather than relying on printed handouts.
A new study supports this belief by showing that handwriting notes lead to “widespread brain connectivity”. https://www.openread.academy/en/paper/reading?corpusId=503252214
Really irrelevant
Weight loss drugs remove your appetite for alcohol. Blah. https://www.npr.org/sections/shots-health-news/2024/12/02/nx-s1-5205478/alcohol-weight-loss-medication-ozempic-wegovy
Sign Off
I truly appreciate those of you who manage to locate the newsletter each week, even when your email service fails to deliver it to your inbox. If your email provider frequently drops the newsletter—I'm looking at you, Yahoo—consider using the Substack app on your smart device. It’s a well-designed application that ensures your subscriptions are always delivered.
Thank you for spending a few minutes with me this week. I hope to see you again next Tuesday!
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.