In 2016, Dr. Zinaida Benenson of Friedrich-Alexander University (Bavaria, Germany) conducted a study to measure the rate at which students clicked links in messages from unknown senders. Naturally, they clicked links, but that finding has little value. The actual value of the study lies in the reasons why they clicked links.

Dr. Benenson’s study involved 1,700 university students who were interviewed to assess their self-rated security awareness and understanding of phishing attacks. Seventy-eight percent of the students indicated that they recognized the dangers of clicking links received from unknown senders

The students later received emails and messages via Facebook from sender names they certainly could not have known, as the accounts were fictitious. The messages referenced a New Year’s Eve party, and the link supposedly led to an online photo album featuring pictures taken during the event.

The students had previously informed researchers that they understood the dangers of clicking links in messages. They recognized that such links could direct them to malicious websites and release harmful viruses onto their computers. Nevertheless, 56% of the test subjects who received emails clicked on the links, while 40% of the recipients of Facebook messages did the same

Why?

Perhaps the same reason you would. The same reason we open an unmarked envelope found in the street, or a nondescript box discovered in grandma’s attic, or why you read your sister’s diary: curiosity. During the follow-up interviews, most of the study participants admitted they clicked on the link simply out of curiosity to see the photos from the party.

And this is where cybersecurity professionals get stuck. How do we overcome human curiosity? What hardware or software tools can address this desire? How can we train employees to resist such temptations?

Criminals excel at psychological manipulation and exploiting human emotions. Your million-dollar security software may be useless if the attacker can connect with a human.

Security must prioritize the human element, but that’s a much tougher challenge than just implementing a software solution.

https://www.fau.eu/2016/08/news/research/one-in-two-users-click-on-links-from-unknown-senders/

The News…

File this under “Criminals with poor OpSec.” Three individuals from Bethlehem, Pennsylvania, have been arrested and charged with hundreds of counts related to identity theft and fraud. Investigators are now searching for more victims. “A notebook filled with names, birth dates and social security numbers was also found in the home, along with other evidence Baratta said was used to create "fraudulent accounts to make purchases across the Commonwealth." https://www.cbsnews.com/philadelphia/news/bethlehem-pennsylvania-identity-theft-charges/

Invictus Incident Respons details a recent Business Email Compromise (BEC) attack that involved an Adversary-In-The-Middle (AiTM) attack. In this attack, a threat actor accessed a professional services organization's Microsoft 365 environment and used the victim's email address to register legitimate Dropbox and WeTransfer accounts to continue the phishing campaign. We are dealing with this at my organization, also. How do you block Dropbox without impacting legitimate business activity? https://www.invictus-ir.com/news/locked-out-dropboxed-in-when-bec-threats-innovate

The dangers of using default credentials: a computer science student finds a security vulnerability in MESH by Viscount access control systems, allowing unauthorized access to apartment buildings due to default credentials and exposed web interfaces. https://www.ericdaigle.ca/posts/breaking-into-dozens-of-apartments-in-five-minutes/

Trustwave examines how fraudsters now employ email marketing platforms in their BEC campaigns. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-rise-of-email-marketing-platforms-for-business-email-compromise-attacks/

Group-IB discusses a campaign targeting Magento websites to collect browser fingerprints of unsuspecting users. The campaign, dubbed ScreamedJungle, injects a script into compromised websites to extract unique digital identifiers associated with user online activity. The attackers use this information to mimic legitimate user behavior, evade security measures, and conduct fraudulent activities, such as credential-stuffing attacks. https://www.group-ib.com/blog/fingerprint-heists/

Suspected Russian attackers have been employing a phishing technique known as device code phishing to hijack Microsoft 365 accounts since last August. This method exploits the "device code flow" authentication process, which is typically used for logging devices such as printers and smart TVs into accounts. Threat actors impersonate trusted officials and deceive users into entering a device code, thereby granting them access to the account. https://arstechnica.com/information-technology/2025/02/russian-spies-use-device-code-phishing-to-hijack-microsoft-accounts/

A volunteer fire department is requesting additional community donations after their accounts were emptied of “hundreds of thousands of dollars.” The president can only assume it has been stolen. Say what? Oh, you're investigating? How nice. Let’s hope that law enforcement begins to explore as well. https://www.wivb.com/news/local-news/erie-county/tonawanda/sheridan-park-fire-company-asks-for-community-support-after-hundreds-of-thousands-of-dollars-allegedly-stolen/

There is no cyber nexus here, just a stupid criminal story. Using cocaine is unwise, especially for a 67-year-old attorney serving as a borough solicitor. Taking your stash to the juvenile justice center is even more foolish. https://www.pennlive.com/crime/2025/02/eastern-pa-borough-solicitor-accused-of-possessing-cocaine-at-juvenile-center.html

Harmonic studied the AI prompts submitted to the most popular AI models and found that, indeed, your employees are leaking your organization’s data.

https://www.harmonic.security/resources/from-payrolls-to-patents-the-spectrum-of-data-leaked-into-genai

The Darcula phishing-as-a-service (PhaaS) platform has released a new version, Darcula Suite, which features a DIY phishing kit generator that enables anyone to create phishing campaigns targeting any brand. This new version also comes with tools that simplify the creation and management of phishing campaigns for cybercriminals, including a user-friendly admin dashboard, IP and bot filtering, campaign performance measurement, and automated credit card theft/digital wallet loading. https://www.bleepingcomputer.com/news/security/darcula-phaas-can-now-auto-generate-phishing-kits-for-any-brand/

DFIR

Malwr4n6 shares a nifty trick for analyzing the Chrome browser history, but it also works on any Chromium-based browser. https://www.malwr4n6.com/post/browser-history-forensics-trick

Reader Mail

“I see that periods and commas were optional this week.” DR in VA

Well, DR, at least you know AI doesn’t write the newsletter.

Cool Job

Director of Investigations and Security Services - The National Football League. https://job-boards.greenhouse.io/nflcareers/jobs/4550151008

Security Specialist, Forensic Investigations - PNC. https://careers.pnc.com/global/en/job/R180080/Security-Specialist-Forensic-Investigations

Cool Tool

Find matching faces across the Internet using AI. https://www.facesearchai.com/

Chrome extension that searches Youtube videos for specific words. https://chromewebstore.google.com/detail/youtube-word-searcher/jichoejagacnbcinlgncghhdegdlhbcj?pli=1

Irrelevant

And for the next MTV series, KittenFished! https://www.yahoo.com/lifestyle/kittenfishing-163100573.html

Sign Off

I spent four days in Buffalo, New York, over the past week. Snow fell from the sky on three of those days. On the one sunny day, a stiff wind blew the already fallen snow at a near-horizontal angle, making it feel like it was snowing again. You continuously walk through a dirty gray slurry of snowmelt and rock salt that almost instantly deteriorates non-rubber shoes.

Not even hot wings, beef on weck, or Tim Horton’s coffee can make it worth enduring that weather.

After experiencing a few days of Buffalo winter, I want nothing more than the Buffalo Bills to win the next Super Bowl. A successful sports team is the only fitting reward for the wonderful people inhabiting that inhospitable land.

Matt

RIP Patrolman Duarte. Hero. https://www.odmp.org/officer/27336-patrolman-andrew-william-duarte

Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.

Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.

fraud financial crime cybersecurity cybercrime aml cyficrime investigations osint