Threats Without Borders - Issue 213
Cybercrime Investigation Newsletter, week ending December 15, 2025
Welcome, new subscribers! To get you up to speed, we're launching a new series about domains and their value in your investigations.
To understand domains, we must first remember that computers communicate over a network using the Internet Protocol. In simple terms, this is the postal delivery service of the Internet. Every resource on the network is assigned a numeric address called an Internet Protocol Address, or IP address. These addresses function just like the location designated by the U.S. Postal Service for your home or business.
Because nothing is ever simple, we’ve exhausted the initial allotment of IP addresses issued under Internet Protocol version four, or IPv4. These were 32-bit addresses that appeared as 171.87.121.2. To overcome this shortage, we’re moving on to a new version of IP addresses called IPv6. These are 128-bit addresses that use an alphanumeric (hexadecimal) scheme separated by colons and appear like 2001:0db8:0000:0000:0000:ff00:0042:8329. Luckily, rules are built into the protocol that allow us to remove consecutive groups of zeros, reducing that long address to a representation of 2001:0db8:ff00:0042:8329. IPv4 is still widely used, so you will likely see representations of both kinds of IP address during your investigations.
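The shortening rules are worth seeing worked through, because an investigator will meet the same IPv6 address written several ways in different logs. The following added example (not part of the newsletter) implements the standard rules by hand: drop leading zeros in each group, then replace the single longest run of two or more all-zero groups with a "::" marker, which is how the standard notation records where groups were removed. It uses Python's standard ipaddress module only to validate and expand the input.

```python
import ipaddress

def expand_ipv6(addr):
    """Return the full eight-group, zero-padded form of an IPv6 address."""
    # The ipaddress module validates the text and handles any existing '::'.
    return ipaddress.IPv6Address(addr).exploded

def compress_ipv6(addr):
    """Shorten an IPv6 address by hand, following RFC 4291 / RFC 5952:
    strip leading zeros per group, then collapse the longest run of two or
    more consecutive zero groups into '::' (leftmost run wins on ties)."""
    groups = expand_ipv6(addr).split(":")
    # Strip leading zeros but keep at least one digit in every group.
    short = [g.lstrip("0") or "0" for g in groups]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if short[i] == "0":
            j = i
            while j < 8 and short[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:  # a lone zero group is never replaced by '::'
        return ":".join(short)
    left = ":".join(short[:best_start])
    right = ":".join(short[best_start + best_len:])
    return f"{left}::{right}"

def same_address(a, b):
    """True when two textual IPv6 addresses name the same 128-bit value,
    regardless of how each was abbreviated (useful for matching log entries)."""
    return expand_ipv6(a) == expand_ipv6(b)

if __name__ == "__main__":
    long_form = "2001:0db8:0000:0000:0000:ff00:0042:8329"
    print(compress_ipv6(long_form))
    print(same_address(long_form, "2001:db8::ff00:42:8329"))
```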
Long sets of random numbers are hard for humans to remember. Enter the web domain.
Domains serve as intuitive shortcuts for humans to access online resources efficiently. By using domains, we can avoid the need to memorize numerical IP addresses for every website or service we access on the Internet. For instance, typing reddit.com into your browser is significantly easier than entering 151.101.193.140 or 2a04:4e42:400::396.
The engine that powers the protocol is the Domain Name System (DNS), which performs the behind-the-scenes translation of domain names from letters and words to IP addresses. For instance, when you enter “google.com” into your web browser, DNS translates it into the corresponding IP address, 142.250.65.238.
Every domain is assigned a unique IP address, which is not permanent. A domain registrar or hosting provider assigns the numeric address, which is documented and shared through DNS records. These records can be updated when the domain is transferred between registrars or repurposed for different uses. It's also important to know that although a domain is assigned a single IP address, DNS records can be created to map multiple different IP addresses back to a single domain. This is done to balance the traffic received by popular domains and to establish failover servers in case the main server fails.
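To make the record mechanics concrete, here is an added example (not from the newsletter) that parses a DNS response at the byte level and pulls out the A records it carries. The response is constructed inline for a made-up name, example.net, with two addresses from the documentation range 192.0.2.0/24, showing both points above: one name can answer with several IP addresses, and each record carries a TTL after which the client must ask again, which is why the mapping you see today may not be the one that was live at the time of an incident.

```python
import socket
import struct

def _read_name(msg, off):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to a name earlier in the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_a_answers(msg):
    """Return [(name, ttl, ipv4)] for every IN A record in a DNS response."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the question section
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return answers

def build_sample_response():
    """Constructed response (not a real capture): example.net with two A records."""
    qname = b"\x07example\x03net\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # 1 question, 2 answers
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    def rr(ip, ttl):  # owner name is a pointer back to the question name at offset 12
        return b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr("192.0.2.10", 300) + rr("192.0.2.11", 300)

SAMPLE_RESPONSE = build_sample_response()
```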
The full DNS process and technology stack are beyond the scope of this series; however, Cloudflare provides an excellent explanation in its Learning Center, which can be found at https://www.cloudflare.com/learning/dns/what-is-dns/.
For our purposes, the following points are important:
Domains are human-readable identifiers associated with a data resource available online.
Domains are linked one-to-one to an IP address, although the association can and will change over time. Multiple IP addresses may also map to a single domain.
IP addresses are assigned to a domain through the domain registrar or web hosting service.
The engine that keeps the system running is a protocol known as the Domain Name System.
The domain and IP address connection is made known to the DNS records (zone files) and published to nameservers. These records are partially open for inspection.
Next week, we’ll see how you can research the ownership and history of a domain.
The News
Speaking of domains, Cloudflare's developer domains, 'pages.dev' and 'workers.dev', are being increasingly abused by cybercriminals for phishing and other malicious activities, with a significant rise in incidents reported in 2024 compared to 2023. https://www.bleepingcomputer.com/news/security/cloudflares-developer-domains-increasingly-abused-by-threat-actors/
Speaking of Cloudflare, the company released one of my favorite reports of the year, its annual “Year in Review” for 2024. Highlights include:
Global Internet traffic grew by 17.2% in 2024
Starlink traffic increased by a factor of 3
41% of all global traffic is now coming from mobile devices
Gaming/Games is the most attacked industry, only slightly ahead of Finance.
The few minutes it takes to read the report are well worth your time this week. https://blog.cloudflare.com/radar-2024-year-in-review/
Spanish and Peruvian police have busted a large-scale voice phishing scam ring that defrauded at least 10,000 bank customers, resulting in €3,000,000 ($3.15M) in proceeds. The scammers used stolen databases, pre-written social engineering scripts, and caller spoofing technology to trick victims into giving away their sensitive banking information. https://www.bleepingcomputer.com/news/security/spain-busts-voice-phishing-ring-for-defrauding-10-000-bank-customers/
The FCC's Enforcement Bureau has ordered 2,411 non-compliant voice service providers to show cause why they should not be removed from the Robocall Mitigation Database (RMD) for failing to file properly. This is the most significant action taken by the FCC, emphasizing the importance of providers' obligations to mitigate unwanted robocalls. The FCC also proposed new rules to tighten filing requirements further, increase accountability, and improve the reliability and security of the database. https://docs.fcc.gov/public/attachments/DOC-408083A1.pdf
Selling or buying on Poshmark? It’s a den of thieves too, explains TrendMicro. https://news.trendmicro.com/2024/12/08/is-poshmark-legit-scams/
Regular readers know of my contempt for the Yahoo email service. Recent reports reveal that they cut 25% of their cybersecurity team over the past year and lost even more to attrition. They also eliminated their red team. https://techcrunch.com/2024/12/12/yahoo-cybersecurity-team-sees-layoffs-outsourcing-of-red-team-under-new-cto/
Dammit, they’ve gone too far! Krispy Kreme filed an 8K with the SEC declaring a cyber incident that has affected online ordering. Leave the donuts alone!!! https://www.sec.gov/Archives/edgar/data/1857154/000185715424000123/dnut-20241211.htm
Cool Job
Director of Information Security, Saint Joseph’s University. https://sju.wd1.myworkdayjobs.com/en-US/sju/details/Director--Information-Security_JR100241?q=security
Cool Tool
Search for IP addresses, usernames, names, emails, VINs, well, search for just about everything: https://dehashed.com/
Find unsecured surveillance cameras online. http://insecam.org/
Verify that email address. https://tools.emailhippo.com/
DFIR
There is still time to vote in the Sumuri Gives Back 2024 event. The winning agency gets a monster forensic machine! https://sumuri.com/sumuri-gives-back-2024/
Relevant
The Pew Research Center released a report on a recent survey to measure the Internet usage of U.S. teens between the ages of 13 and 17. The survey found that nearly half (46%) of US teens are online almost constantly, with YouTube being their most used platform (90% of teens use it daily). TikTok, Instagram, and Snapchat are also popular among teens, with 60% using TikTok and Instagram, and 55% using Snapchat.
The survey also measured how teens interact with online content, finding that 95% of all respondents possess a smartphone.
https://www.pewresearch.org/internet/2024/12/12/teens-social-media-and-technology-2024/
Irrelevant
Please don’t shoot bullets at drones. https://www.cnn.com/2024/12/16/us/shooting-flying-drones-us-sky/index.html
Closing
A special note of appreciation goes to blogger and content creator Jordan Snapper for featuring Threats Without Borders in his list of “Thirty Cybersecurity Newsletters You Must Subscribe To” in a LinkedIn article. https://www.linkedin.com/feed/update/urn:li:activity:7274423055991328769/
I sincerely appreciate everyone who stops by each week to spend a few minutes reading the newsletter.
Have a great week and we’ll see you next Tuesday!
Matt
“LIFE HAS MANY CHAPTERS. JUST BECAUSE YOU’RE AT A BAD CHAPTER, IT DOESN’T MEAN IT’S THE END OF THE BOOK.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.