Threats Without Borders - Issue 217
Cybercrime Investigations Newsletter, week ending January 12, 2025
My heart goes out to the victims of the devastating LA fires and to the residents of the affected areas who have endured unimaginable loss and hardship. I have nothing but respect for the resilience and courage demonstrated by the community and first responders. The bravery of the firefighters on the ground and the pilots in the air leaves me completely humbled.
Please consider donating to the California Wildfire Association to assist in the recovery effort.
https://www.cafirefoundation.org/what-we-do/for-communities/disaster-relief
Now that we know a bit more about domains and the Domain Name System (DNS), let’s look at some of the ways cybercriminals exploit weaknesses within the protocol to mislead users, steal information, and spread malware.
The most popular is domain spoofing. This occurs when an attacker purchases a domain that appears legitimately registered and used — for instance, buying exaample(dot)com to spoof example(dot)com.
A more accurate example, especially for those in the banking industry, let’s say, hypothetically, a core services provider owns the domain olbanking(dot)com and assigns its customers a subdomain combining the bank name and the domain. For instance, Insolvent Bank might be assigned the domain insolventbank.olbanking(dot)com. Customers wishing to conduct online banking would access resources at that web URL.
But what if a malicious attacker purchases a domain name that is nearly identical like insolventbank-olbanking(dot)com? The hyphen is incorporated and recognized as a character, not a separator, so the entire string of characters is recognized as the domain.
Would an unsuspected bank customer recognize they were being directed to log into insolventbank-olbanking(dot)com rather than insolventbank.olbanking(dot)com?
Hopefully, but probably not.
And that brings us to our next attack, website spoofing. This occurs when the attackers copy the website wholesale, directly from the code, and publish a look-a-like website. Then, link it to the maliciously spoofed domain.
This is a highly effective attack launched from a phishing email.
The customer receives an email from Security@insolvantbank(dot)com reporting a problem with their account. Unfortunately, they didn’t notice the email address was from the domain insolvantbank(dot)com (with an A) instead of the actual domain insolventbank(dot)com (with an E).
The email advises them to log in to their account to check some unauthorized purchases and directs them to the site insolventbank-olbanking(dot)com. In their panic to protect their money, they again fail to recognize the spoofed address.
The link takes them to a website that appears exactly as the actual site, even down to the images. The only difference is the domain name; even in that, the only difference comes down to a hyphen, not a dot. They enter their username and password into the log-in form but only pass their credentials to the attackers.
The attackers then use the stolen credentials to log in to the bank’s actual access portal. They quickly change the password and transfer funds out of the account.
Such an attack can be executed and supported from anywhere globally, costing less than fifty dollars, probably less than twenty-five, depending on the top-level domain of the spoofed sites.
Some News…
My local school district uses Power School, and yours probably does too. PowerSchool, a cloud-based software provider for K-12 schools, has confirmed a cybersecurity incident that allowed a threat actor to steal the personal information of students and teachers from school districts using its PowerSchool SIS platform. The breach occurred through the PowerSource customer support platform, where the attacker used compromised credentials to access and export sensitive data, including names, addresses, Social Security numbers, and grades, from the "Students" and "Teachers" database tables. https://www.bleepingcomputer.com/news/security/powerschool-hack-exposes-student-teacher-data-from-k-12-districts/
It’s probably safe to say that you shouldn’t take investing advice from your church pastor, particularly if he’s encouraging you to invest in risky cryptocurrencies. A Washington state pastor has been indicted for running a multi-million dollar cryptocurrency scam that defrauded investors between November 2021 and October 2023. The indictment alleges that Pinillo used his position as a pastor to convince members of his congregation and others to invest in a cryptocurrency business called "Solano Fi," promising guaranteed returns of 35%. https://www.justice.gov/usao-edwa/pr/former-tri-cities-pastor-indicted-multi-million-dollar-cryptocurrency-scam
Speaking of crypto-fraud…Travis Ford, CEO of Wolf Capital Crypto Trading LLC, pleaded guilty to orchestrating a cryptocurrency investment fraud scheme that defrauded nearly 2,800 investors out of $9.4 million. Ford falsely claimed to be a sophisticated trader capable of delivering extraordinary daily returns. Unfortunately, for the victims, he wasn’t. https://crypto.news/wolf-capital-ceo-pleads-guilty-in-9-4m-crypto-fraud-case/
Attackers are pretending to be Crowdstrike HR and infecting job seekers with crypto-mining malware. https://www.crowdstrike.com/en-us/blog/recruitment-phishing-scam-imitates-crowdstrike-hiring-process/
Sublime Security breaks down a Business Email Compromise attack. https://sublime.security/blog/hiding-a-50-000-bec-financial-fraud-in-a-fake-email-thread/
Yeah, I know—lame duck. However, the White House has unveiled a new labeling scheme, the Cyber Trust Mark, to help consumers identify Internet of Things (IoT) devices that meet specific government-vetted cybersecurity standards. The label, which is designed to be similar to the Energy Star label, will be displayed on devices certified by the National Institute of Standards and Technology (NIST). https://www.nextgov.com/cybersecurity/2025/01/white-house-unveils-cyber-trust-mark-program-consumer-devices/401991/
Funny or not, this story highlights how much people are completely dependent on online resources like Google Maps. Someone managed to get an Aldi store listed at an address in a remote Welsh village on Google Maps, and it’s causing a traffic headache for the town's residents. Because, of course, people don’t ask themselves why they would put an Aldi store in the middle of nowhere before driving there. https://www.bbc.com/news/articles/c9wlw1r0j84o
A mother and daughter fraud tag team have been arrested and charged with theft from the estate of a Pennsylvania beverage company CEO. The pair stole $4.4 million from the estate, using the money to purchase homes and a vehicle. https://triblive.com/local/westmoreland/mother-daughter-accused-of-stealing-4-4m-from-greensburg-beverage-ceos-estate/
This is an interesting ruling by the FDIC indicating that CBW Bank of Kansas had an ineffective BSA/AML program. It’s concerning when the BSA/AML Officer admits he isn’t qualified for the job. According to the order, “Respondent’s BSA Officer A admitted to the FDIC he was not qualified for the role when hired.” The agency also found the bank’s training to be inadequate. https://www.consumerfinanceandfintechblog.com/wp-content/uploads/sites/58/2025/01/Notice-of-Assessment-of-a-civil-money-penalty.pdf
Reader Mail
“I appreciate the educational aspect of the newsletter, but the first section I check each week is the Irrelevant link to start my day with something a little different.” - Rachel
DFIR
No introduction is needed; Dr. Brian Carrier penned a post concerning “information artifacts.” https://www.cybertriage.com/blog/information-artifacts-simplify-dfir-analysis/
Cool Job
Director - Police Academy, Elizabethtown College. https://etown.peopleadmin.com/postings/6264
Cool Tool
Save complete web pages in different formats. https://savepage.online/en-us
A “reasonably secure” operating system you can boot from a USB thumb drive. https://www.qubes-os.org/
Python tool that attempts to discover the real IP addresses of web applications protected by Cloudflare. https://github.com/musana/CF-Hero
Irrelevant
Say it ain’t so, Sonic. Britain has lost over a third of its hedgehog population since 2000. https://reasonstobecheerful.world/hedgehog-highways-conservation-uk/
Sign Off
I recently had a discussion with someone about their “IPTV.” Eventually, I asked, "Are you referring to streaming?" They responded, “No, it’s IPTV. It’s different because it’s TV via the Internet." I countered, “You mean streaming, like Netflix." They insisted it was not the same.
My day quickly sidetracked as I tried to understand the difference between streaming services and Internet Protocol Television (IPTV). After 30 minutes of wasted time, I realize there is a distinction—at least, that's what writers on a bunch of B-list websites assert. However, I still can’t articulate what that difference actually is.
Google it to follow me down the rabbit hole.
Thanks for coming back another week and reading this issue of the newsletter.
Matt
“EVEN THE GENIUS ASKS QUESTIONS”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.