Threats Without Borders - Issue 215
Cybercrime Investigation Newsletter, week ending December 29, 2025
A domain name is your digital address on the Internet, much like a physical street address. A URL (Uniform Resource Locator), by contrast, is a complete set of directions to a specific resource at that location. Think of a domain as your home's spot on earth, and a URL as that address plus the additional information needed to find something specific within the confines of your property. Every URL that directs to a web resource includes both a protocol (such as "https://") and usually a domain name. It can also have other components, such as file paths, query parameters, or specific section identifiers. In essence, while all URLs include a domain, a domain itself is just one part of the larger URL structure that helps users navigate to precise locations on the internet.
The last part of the domain name, after the last period, is referred to as the top-level domain. Examples include .com, .edu, .us, .net, and hundreds of others.
Just as a given street address can exist only once within a zip code, a given domain name can exist only once within a top-level domain. For instance, while 200 West Main Street can be found in zip code 17111, the same street address may also exist in zip code 16830. Here, zip codes represent top-level domains. Thus, only one example.com is possible, yet example.net and example.us can coexist simultaneously. Essentially, top-level domains operate similarly to zip codes.
Everything to the right of the top-level domain, after the /, is a resource locator. These are usually a website's “pages” or folders and files saved to the web server.
Suppose your home address is 123 Main Street in the zip code 17022. The corresponding web domain would be 123mainstreet.17022. Let’s create a URL to a resource, say a hammer, at that address.
www.garage.123mainstreet.17022/redtoolbox/topdrawer
To find the hammer, go to 123 Main Street in zip code 17022. The subdomain indicates that it’s not located in the main building but rather in an outbuilding, specifically in the garage. Once you’re in the garage, look for the red toolbox. After locating the red toolbox, check the top drawer.
Putting it all together, let’s look at the example of https://blog.example.com/resources/posts/June2024/blogpost7
(Well, at least you know I’m not using AI to write the newsletter)
A webmaster can also provide all resources from the root of the server space and not use a subdomain. This would look like https://example.com/blog/posts/June2024/blogpost7
Using subdomains is a personal choice for the resource manager, but it greatly enhances organization, especially for larger websites that handle multiple resources.
Because URLs point to specific content within the domain spaces, we can use them to find information even if it is not immediately linked to anywhere else on the website.
Google Dorking is a search method that employs advanced search operators on Google. While there are numerous "dorks," two specific ones enable us to find words included in a URL.
inurl: - This dork allows us to search for specific words within a URL. For example, “inurl:dorking” would search URLs containing the word dorking. It might find something like www.example.com/blog/dorking-for-osint.
allinurl: - This dork searches for URLs that contain a phrase or multiple different words. For example, “allinurl:dorking hacking GitHub”. This search would locate URLs that contained the words dorking, hacking, and GitHub and might find a webpage with the URL www.example.com/blog/hacking-github-google-dorking.
Try it for yourself with this example:
These searches hold significant value since organizations want information accessible on their website while avoiding general availability or promotion through menus or recognizable links. For example, they may want to share a page detailing a specific policy only with select individuals who receive a shared link. The page, however, will eventually be indexed by the Google crawler and can be located through a very specific search.
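The URL breakdown and the two dorks described above can be turned into a self-check of your own site. This is an added example, not part of the original newsletter: it splits a URL into the parts named earlier and flags which of your own URLs a keyword search with inurl: or allinurl: would surface. The function names and the inventory are constructed for illustration, the word matching only approximates how Google tokenizes URLs, and the "last two labels" rule follows the article's simple model (it does not handle suffixes such as .co.uk).

```python
import re
from urllib.parse import urlsplit

def split_url(url):
    """Break a URL into the parts the article names."""
    if "://" not in url:
        url = "https://" + url                # assumption: bare host/path is https
    parts = urlsplit(url)
    labels = parts.hostname.split(".")
    return {
        "protocol": parts.scheme,
        "subdomain": ".".join(labels[:-2]),   # everything left of the domain
        "domain": ".".join(labels[-2:]),      # name plus top-level domain
        "tld": labels[-1],                    # text after the last period
        "path": [seg for seg in parts.path.split("/") if seg],
    }

def url_words(url):
    """Lower-cased words in a URL, split on punctuation (an approximation)."""
    return set(re.findall(r"[a-z0-9]+", url.lower()))

def inurl(url, word):
    """True if the URL contains the word, as inurl:word would require."""
    return word.lower() in url_words(url)

def allinurl(url, phrase):
    """True if the URL contains every word of the phrase."""
    return all(w.lower() in url_words(url) for w in phrase.split())

def audit(urls, terms):
    """Return (url, term) pairs that an inurl:term search would surface."""
    return [(u, t) for u in urls for t in terms if inurl(u, t)]

# Constructed inventory, e.g. exported from your own sitemap or server logs.
INVENTORY = [
    "https://example.com/blog/posts/June2024/blogpost7",
    "https://example.com/internal/remote-access-policy",
    "https://hr.example.com/docs/salary-bands-2024",
]

if __name__ == "__main__":
    print(split_url("https://blog.example.com/resources/posts/June2024/blogpost7"))
    for url, term in audit(INVENTORY, ["policy", "salary"]):
        print(f"findable via inurl:{term} -> {url}")
```

Pages flagged this way are candidates for access control rather than reliance on an unlinked URL.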
Understanding the distinction between a domain and a URL helps clarify how the internet organizes and delivers content. While domains are the foundation of online navigation, URLs provide the precise pathways to resources. Leveraging techniques like Google Dorking reveals how much information is accessible—often beyond what is immediately visible.
Response to Issue 214 editorial.
Last week, I outlined my opposition to using the term “pig-butchering” to describe financial crimes involving the exploitation of victims. I held my breath after hitting the publish button, expecting a more severe backlash than what was received. While three subscribers to the newsletter did find the unsubscribe button, I received several more letters of support, including these two:
Craig wrote:
Matt, I support your war against the term pig butchering. One of the first opponents of the word that I can remember is Gary Warner. He published an article on his blog back in 2022 not only calling for the discontinued use of the term but also debunking its association with current fraud tactics. Not only are those who continue to use it ethically wrong, but they are also factually wrong. Here is the link to Gary’s blog post: https://garwarner.blogspot.com/2022/08/please-stop-calling-all-crypto-scams.html
Chris wrote:
Agree with your stance on the term "pig-butchering." The other side reveals their guilt through how they defend using the term. Rather than justifying the use of the term, they deflect by saying things like, “Imagine if we put all this energy into educating the public” and “Instead of bickering on the Internet, why don’t we all write a letter to a senator?” They completely miss the main concern about the victim and how hurtful the language is. I believe that anyone who continues to use the term at this point is exposed.
As always, please feel free to send your feedback by replying to the email that delivered the newsletter or DM me on LinkedIn. If anyone wishes to defend the term, I’ll also print your response.
The News…
Scammers are impersonating property owners and selling vacant land in rural Georgia, targeting property owners and real estate agents. At least seven cases of fraudulent property listings have been reported since August, with scammers using fake out-of-state driver's licenses and other false information to deceive agents. I’m sure it will spread to other areas outside of Georgia. https://www.atlantanewsfirst.com/2024/12/19/scammers-target-rural-georgia-county-with-property-fraud/
The team at Cyble outlines their top ten observations on ransomware trends for 2024. https://cyble.com/blog/top-10-ransomware-trends-observed-in-2024/
Have you bought any products from Zagg recently? Your credit card may be compromised. “We learned that an unknown actor injected into the FreshClick app malicious code designed to scrape credit card data entered as part of the checkout process for certain ZAGG.com customer transactions between October 26, 2024 and November 7, 2024.” https://www.techradar.com/pro/security/zagg-warns-customers-their-data-may-have-been-stolen-in-third-party-cyberattack
A ransomware attack has caused disruptions to public transportation in the Pittsburgh area, with Pittsburgh Regional Transit (PRT) detecting the attack on December 19. https://therecord.media/pittsburgh-regional-transit-attributes-disruptions-to-ransomware-attack
The Biden administration has proposed new cybersecurity rules for healthcare organizations to prevent sensitive information from being leaked by cyberattacks. The proposed rules include encrypting data and requiring compliance checks to ensure networks meet cybersecurity standards. These measures are intended to address the increasing number of healthcare data breaches. https://www.reuters.com/technology/cybersecurity/biden-administration-proposes-new-cybersecurity-rules-limit-impact-healthcare-2024-12-27/
This will probably change between when I write this and when you read it…A U.S. appeals court has halted enforcement of its beneficial ownership anti-money laundering law that requires corporations to disclose the identities of their actual owners to the U.S. Treasury Department. The court reinstated a nationwide injunction issued by a federal judge in Texas who concluded that the Corporate Transparency Act was unconstitutional. https://www.reuters.com/legal/us-appeals-court-halts-enforcement-anti-money-laundering-law-2024-12-27/
Do these organizations not have internal auditors…or does senior management really not care? Bank of America (BOA) has received a cease-and-desist order from the Office of the Comptroller of the Currency (OCC) due to violations of the Bank Secrecy Act and sanctions compliance programs. The order requires the bank to implement remedial measures to improve its BSA/anti-money laundering and sanctions compliance programs. Additionally, BAC is facing a lawsuit from the U.S. Consumer Financial Protection Bureau (CFPB) for failing to protect consumers from widespread fraud on Zelle, and has also been sued by UBS Group AG for $200 million over indemnification obligations related to risky mortgages issued before the 2008 financial crisis. https://finance.yahoo.com/news/bank-america-settles-occ-over-153100438.html
DFIR
Forensafe looks at the forensic analysis of the Uber application on iOS devices. https://forensafe.com/blogs/iOSuber.html
Cool Job
Team Lead - Malware and Cyber Threats, National Cyber Forensics Training Alliance. https://www.ncfta.net/careers/team-lead---malware-cyber-threats
Cool Tool
IP Address intelligence (not as good as Maxmind, but seems pretty good). https://www.iplocate.com/en/
Irrelevant
At some point, we took a wrong turn, and the majority of our young people now support cold-blooded murder.
The younger the voter, the greater the level of support for political killings. Sixty-seven percent of voters aged 18 to 29 were ambivalent about or supportive of Mangione’s actions, with only 33 percent finding those actions completely unacceptable. Fifty-seven percent of voters aged 30 to 39 were unwilling to condemn the killing unequivocally, with only 43 percent finding it “completely unacceptable.” Democrats were nearly twice as likely as Republicans to find it either somewhat or completely acceptable.
https://www.city-journal.org/article/luigi-mangione-unitedhealthcare-ceo-brian-thompson
Sign Off
Thank you for reading this week’s issue of the newsletter. Let’s do it again next year!
Seriously, Happy New Year! Wishing all of you the best for 2025.
Matt
“The book is called Opportunity, and its first chapter is ‘New Year’s Day.'” —Edith Lovejoy Pierce, poet
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.
Matt..........Thanks for your continued work and educating us with your newsletters. I find them very insightful and easy to read. Happy New Year to you and your family!