Threats Without Borders - Issue 220
Cybercrime Investigation Newsletter, week ending February 2, 2025
Cyber and fraud investigators often become so focused on handling other people’s problems that they fail to address their own. Even worse, they neglect to consider that it could happen to them or their organization. We know what to do when a customer or citizen is victimized, but what do we do when it is us? How do we respond when our organization is the target of the attack?
Last week, I was reminded that the time to figure out how to extinguish a fire, or even how to call 911, is before your house is on fire.
One of the most effective methods for testing and improving your organization’s response capabilities is through tabletop exercises. These simulated crisis scenarios allow security and investigation teams to practice their response procedures without the pressure of an actual incident while identifying gaps in processes and documentation before they become critical issues.
Tabletop exercises are different from full-scale incident simulations because of their focused, discussion-based approach. Participants walk through scenarios in a controlled environment, examining their decision-making processes and communication protocols. This methodology enables teams to thoroughly evaluate their incident response plans without disrupting production systems or daily operations.
And the best part is that they're pretty simple to do. In fact, they can involve nothing more than a pizza, some sodas, and running your procedures through common incident scenarios.
When designing a tabletop exercise, the controller creates a scenario that unfolds in stages. For instance, the scenario might start with detecting unusual network traffic patterns, escalate to discovering data exfiltration attempts, and culminate in the public disclosure of a breach. At each stage, participants must describe their actions, justify their decisions, and document their communication strategies.
Scenario development must be realistic and relevant to the organization's threat landscape. This requires research into industry-specific attacks and recent incident trends. The scenario should challenge participants while remaining plausible.
And make sure to throw some wrenches into the machine. Injects – new information or complications introduced during the exercise – test the team's ability to adapt their response strategy as situations evolve. These might include simulated media inquiries, regulatory requirements, technical complications, or even a key employee calling in sick, any of which requires a rapid reassessment of the response approach.
Regular tabletop exercises offer advantages beyond just enhancing immediate incident response skills. They encourage collaborative efforts among technical teams, legal departments, communication personnel, and executive leadership.
Moreover, these exercises help identify resource gaps in tooling, staffing, or expertise. During these simulations, organizations often discover the need for specialized forensic tools, additional training, or revised service-level agreements with vendors.
Here are some resources for researching and planning a tabletop exercise for your organization:
CISA Tabletop Exercise Packages: https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages
NACHA Alliance Cybersecurity Tabletop Exercise Kit: https://www.nacha.org/resources/alliance-cybersecurity-tabletop-exercise-kit
Six tabletop exercises from the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/six-tabletop-exercises-prepare-cybersecurity-team
FS-ISAC hosts various exercises through their Global Resilience Services platform: https://www.fsisac.com/resilience
The best organizations know how to fight the fire before the fire starts.
The News…
Researchers from SentiLink, David Maimon’s group, analyzed 2,463 stolen bank accounts worth nearly $77 million sold on Telegram channels over six months. Scammers accessed these accounts through phishing or smishing campaigns, deceiving victims into providing their login credentials and personal information. The compromised accounts originated from 130 U.S. banks, with one bank accounting for 45.5% of the stolen accounts, valued at over $30 million. The analysis revealed that 87.8% of victims were individuals, with an average compromised balance of $72,152, while businesses had an average compromised balance of $192,595. https://resources.sentilink.com/blog/stolen-bank-account-analysis
A Europol-supported operation, led by German authorities and involving law enforcement from eight countries (including the U.S.) has led to the takedown of the two largest cybercrime forums in the world. https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-takes-down-two-largest-cybercrime-forums-in-world
There is nothing new here, but a good write-up by Cofense explains how threat actors exploit vulnerabilities in government websites to launch phishing campaigns, using open redirects and compromised email addresses as command and control (C2) servers. https://cofense.com/blog/threat-actors-exploit-government-website-vulnerabilities-for-phishing-campaigns
Remote Desktop tools are invaluable for criminals, especially when running tech support scams. The popular ones that come to mind are AnyDesk, TeamViewer, VNC, and Chrome Remote Desktop. However, for those criminals that prefer to LOL (Live off the Land), Microsoft has a remote tool integrated directly into Windows 10 and 11: Quick Assist. The Inversion6 team breaks down how criminals are using Quick Assist to run tech support scams and other social engineering attacks on Windows users. https://inversion6.com/resources/blog/january-2025/microsoft-quick-assist-an-it-security-primer
Talos Group Q4 Trends Report. https://blog.talosintelligence.com/talos-ir-trends-q4-2024/
Patrick Wardle of Objective-See breaks down all the malware that targeted us Mac users in 2024. https://objective-see.org/blog/blog_0x7D.html
Speaking of malware that targets Macs, researchers have discovered new side-channel vulnerabilities in Apple processors that could allow attackers to steal sensitive information from web browsers. These vulnerabilities, dubbed FLOP and SLAP, exploit flaws in Apple's speculative execution implementation, which aims to speed up processing by guessing future instructions. The attacks can be executed remotely through a malicious webpage, allowing attackers to bypass browser sandboxing and steal data from various services, including Gmail, Amazon, and Reddit. https://www.bleepingcomputer.com/news/security/new-apple-cpu-side-channel-attack-steals-data-from-browsers/
A former USPS employee admitted to stealing over $100,000 worth of sports memorabilia while working as a mail sorting clerk in Clifton, New Jersey. The man stole at least 10 parcels between September 2022 and December 2022, including trading cards and other sports memorabilia. https://www.cbsnews.com/news/usps-employee-steals-sports-memorabilia/
Oh, look, something shiny and new… You probably don’t want to start loading sensitive information from your business into that fancy new Chinese AI. A publicly accessible ClickHouse database belonging to DeepSeek was found to leak sensitive information, including chat history, secret keys, and backend details. This exposure allowed for complete database control and potential privilege escalation within the DeepSeek environment. https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak
The U.S. Department of Justice revealed a coordinated effort with the Dutch National Police to seize 39 domains and their related servers, disrupting a Pakistani network of online marketplaces that sell hacking and fraud-enabling tools managed by a group called Saim Raza, also known as HeartSender. https://www.justice.gov/opa/pr/justice-department-announces-seizure-cybercrime-websites-selling-hacking-tools-transnational
Learning
Free course from Google - Google Threat Intelligence. https://www.cloudskillsboost.google/course_templates/1152
Cool Job
Manager of Investigations - Urban Outfitters. https://homeoffice-na-urbn.icims.com/jobs/14146/urbn-manager-of-investigations/job?hub=15
Fraud Prevention and Detection Training Lead - USAA. https://www.usaajobs.com/job/san-antonio/fraud-prevention-and-detection-training-lead/1207/76793078000
Cool Tool
Parrot OS 6.3 has been released. https://www.parrotsec.org/blog/2025-01-31-parrot-6.3-release-notes
GoSearch: an OSINT tool written in the Go language. From the GitHub repo:
"GoSearch is an efficient and reliable OSINT tool designed for uncovering digital footprints associated with a given username. It's fast, straightforward, and dependable, enabling users to track an individual's online presence across multiple platforms. GoSearch also integrates data from HudsonRock's Cybercrime Intelligence Database to provide insights into cybercrime-related information. It also taps into BreachDirectory.org's database, offering access to a comprehensive list of data breaches, plain-text and hashed passwords linked to the username. This tool is ideal for those needing accurate, no-frills results when investigating online identities."
Caveat: I haven't used this tool yet, so please proceed cautiously. However, it looks great, and I plan to explore it soon.
https://github.com/ibnaleem/gosearch
DFIR
AboutDFIR updated its conference listing page. https://aboutdfir.com/the-community/conferences/
Irrelevant
Banning a dog breed is draining local police funding in England and Wales. The prohibition on large “bully” breed dogs has placed a heavy strain on police departments, escalating expenses and complicating kennel space and resources. https://www.bbc.com/news/articles/cyv4840lzmeo
Yes, you’ll look awesome with a rat-tail mullet. See for yourself. https://hair-style.ai/
Sign Off
I can’t remember where I first heard it, and a quick Google search didn’t help, but I frequently say, “our best is none too good.” I tend to use it self-deprecatingly, making light of an effort that didn’t turn out as we had hoped. It will draw some looks when appropriately dropped in conversation. Try it.
Thanks for sticking around another week. I appreciate your effort to stay with the program. Please consider sharing the newsletter with colleagues to help us grow.
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.
cybersecurity cybercrime investigations fraud financial crime osint aml cyficrime