Threats Without Borders - Issue 219
Cybercrime Investigation Newsletter, week ending January 27, 2025
In my conference talk, "DARVO: The Psychological Manipulation of Ransomware Victims," I demonstrate how ransomware groups employ leak sites to intimidate, coerce, and bully their victims into paying ransoms. This presentation originated from my regular monitoring of these websites, and even though I’m retiring the talk, I continue to monitor the sites.
In recent weeks, I’ve noticed a trend in the increased number of small- to medium-sized manufacturing companies listed. It could be that phishing campaigns heavily target these groups, or that they all use compromised software applications or services. Only time will tell.
-
File, don’t file, file, just wait, don’t file, O.K., now file. After every small business owner in the U.S. has been left shell-shocked and confused… the Supreme Court says, "Yeah, now you should file.” The U.S. Supreme Court has allowed the anti-money laundering law, known as the Corporate Transparency Act, to take effect. The law requires corporate entities to disclose the identities of their beneficial owners to the Treasury Department. A federal judge in Texas had previously blocked the law's enforcement, but the Supreme Court has canceled the injunction. https://www.cnbc.com/2025/01/23/supreme-court-allows-anti-money-laundering-law-to-take-effect.html
-
Although I occasionally let my contempt for big government slip, I generally keep the newsletter free of politics. While I agree with some of the new President’s early actions, there are others with which I disagree. Pardoning Ross Ulbricht is an absolute fool's move that I just can’t wrap my head around. I suspect many of the Dread Pirate Roberts' current fans are too young to remember the true exploits of the Silk Road founder. And I split with my Libertarian comrades in celebrating him as a hero. A commutation, maybe. Full pardon, hard no.
Charles Lehman sums the issue up nicely in this Free Press article.
The News…
GhostGPT is a chatbot specifically designed for cybercriminals, allowing them to access uncensored AI capabilities for harmful activities. It uses a wrapper to connect to a modified version of ChatGPT or an open-source large language model, removing safeguards and providing direct, unfiltered answers to sensitive or dangerous queries. GhostGPT can be used for coding, malware development, business email compromise scams, and other malicious purposes, making it a convenient tool for cybercrime. This significantly lowers the barrier to entry for new cybercriminals and enhances the capabilities of attackers, enabling them to launch attacks with increased speed and efficiency. https://abnormalsecurity.com/blog/ghostgpt-uncensored-ai-chatbot
Trustwave reviews key players, including some new ones, in the ransomware landscape of 2024. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-new-face-of-ransomware-key-players-and-emerging-tactics-of-2024/
This one hits home, as I actively use Homebrew to manage my Mac. Attackers use fake Homebrew ads on Google to spread malware that steals credentials, browser data, and cryptocurrency wallets. The malware, known as AmosStealer, is designed for macOS systems and sold to cybercriminals as a subscription service. https://www.bleepingcomputer.com/news/security/fake-homebrew-google-ads-target-mac-users-with-malware/
Cloudflare's 20th DDoS Threat Report highlights the evolving threat landscape of Distributed Denial of Service (DDoS) attacks. In Q4 2024, Cloudflare blocked 21.3 million DDoS attacks, a 53% increase from 2023, with an average of 4,870 attacks per hour. Notably, a 5.6 Tbps DDoS attack, the largest ever reported, was detected and blocked during Halloween week. The report also reveals that 51% of the attacks were HTTP DDoS attacks, with 73% of those launched by known botnets. https://blog.cloudflare.com/ddos-threat-report-for-2024-q4/
While not cyber or financial, cases like this impact everyone involved in criminal investigations. A former Colorado Bureau of Investigation DNA scientist is facing 52 counts of forgery and other charges for allegedly tampering with DNA data in over 500 cases from 2008 to 2023. This tampering raises questions about the validity of cases she worked on, including homicide, sexual assault, robbery, and other crimes. The scientist, Woods, reportedly altered data to expedite case completion and deleted information that indicated she did not troubleshoot issues in the testing process. https://apnews.com/article/colorado-dna-crime-scientist-misconduct-charges-68bb57173327cbd3425a4e58c4a5b23f
Take your terminations seriously—every former employee or contractor who is no longer with your organization due to an employment action should be considered a potential threat to your network. A recently terminated contractor returned to the British Museum and gained access to the internal computer network. The individual shut down several systems, which disrupted the museum's operations for a period of time. https://www.pennlive.com/nation-world/2025/01/fired-employee-shut-down-computer-systems-british-museum-says.html
Drive a Subaru? Security researchers discovered vulnerabilities in Subaru's web portal that allowed them to track the location of a 2023 Impreza for a year, including its exact parking space and doctor visits. They found that Subaru employees could access location data for customers, including a year's worth of historical data, and that hackers could potentially target any Subaru vehicle equipped with the Starlink digital features. Fortunately, Subaru patched and corrected the flaw within 24 hours of being notified. https://www.wired.com/story/subaru-location-tracking-vulnerabilities
Maryland man gets 72 months in federal prison for stealing over $1.5 million by abusing the Internal Revenue Service’s Modernized Internet Employer Identification Number (MODIEIN) system. The “modernized” thing didn’t work too well to prevent fraud. https://www.justice.gov/usao-md/pr/harford-county-man-sentenced-aggravated-identity-theft-and-bank-fraud-scheme
The Securities and Exchange Commission (SEC) has launched a “Crypto” task force, whatever that means. https://www.sec.gov/newsroom/press-releases/2025-30
Cool Tool
Secure your camera system so it doesn’t get listed on this live camera directory - http://www.insecam.org/en/
Do you suffer from idk wtf he jus sed? Look it up here: https://www.noslang.com/
Cool Job
Financial Crime Compliance Risk Specialist - TikTok. (Speaking of risk, take it - maybe you have a job in ninety days, maybe you don’t.) https://lifeattiktok.com/search/7419417666814839091
Card Fraud Analyst - Pennsylvania State Employee Credit Union. https://psecu.wd12.myworkdayjobs.com/PSECU/job/Harrisburg-PA/Card-Fraud-Analyst_JR100321
Reader Mail
Hey Matt, I just wanted to check in on you. I didn’t receive issue 218 this week. Hope all is well with you and your family. Hoping that I didn’t get 218 because my work email filtered it out or some other technical issue. - Brian
I receive some version of this message several times a month. It’s great that readers notice they didn’t get the newsletter and care enough to check in on me, but it’s frustrating and disheartening that the popular email services are consistently dropping the newsletter.
You can always read the newsletter directly at www.threatswithoutborders.com.
Installing the Substack iOS or Android application is a great way to ensure you always receive your favorite Substack newsletters.
DFIR
The Cyber Triage blog gives you the jump on Jump Lists. https://www.cybertriage.com/blog/what-is-jump-list-cache/
Irrelevant
Because we might confuse a brown dog for the brown beaver, Buc-ee’s sues for copyright infringement. “Similarities that Buc-ee's points out in the suit include a smiling, cartoon-style animal they argue closely resembles a beaver, as well as its brown fur and the use of red as a secondary color.” https://www.wfaa.com/article/news/local/buc-ees-suing-north-texas-gas-station-trademark-infringement/287-7c94f57c-d1f5-4157-a3bc-b324a3e0ebf0
Sign Off
Even though I’m based in central Pennsylvania, I’m the farthest thing from a Philadelphia Eagles fan. Usually, hearing every conversation during the NFL season end with “Go Birds” makes me want to stick a fork in my face. But for the next two weeks, Go Birds! Being a referee in the NFL must be one of the most challenging jobs in the world; no matter what call you make, you’re enraging a massive number of people. It’s a hated and disrespected job. I get that. But when you have the benefit of video replay, and you still get it wrong, and every wrong call always benefits the same team? I believe that is called corruption.
Fly Eagles Fly.
Have a great week,
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.