Threats Without Borders - Issue 225
Cybercrime Investigation Newsletter, week ending March 9, 2025
Everything old is new again. Skimmers, and their chip-era cousins, shimmers, have been making a profound comeback recently.
Last week, I conducted an awareness training for a state agency that has been dealing with a sudden influx of skimmer-related cases. And the local news is filled with reports of skimming, including this article about a skimmer found on a terminal in a Dollar General store.
https://www.abc27.com/local-news/card-skimmer-found-at-dauphin-county-retailer-police-investigating/
Skimmers capture the data from the magnetic stripe on the back of the card as it slides through the point-of-sale terminal's reader. Shimmers, on the other hand, are paper-thin boards slipped into the chip slot; they sit between the chip and the reader and capture the Track 2 equivalent data as the card and POS terminal exchange it during the chip (EMV) transaction.
But they can’t recreate the chip, right?
You don't need to. Once the track data is captured, it can be written onto any magnetic stripe. One caveat for investigators: the chip's Track 2 equivalent data carries an iCVV rather than the CVV1 found on a real stripe, so an issuer that actually verifies the card verification value should decline a stripe cloned from shimmer data. The fraud succeeds where that check is skipped.
But the point-of-sale terminal needs the chip, right?
Nope, not if you trick the terminal into believing there is a problem with the chip, or that the card is a plain stripe card never issued with a chip. Quickly inserting and removing the card from the terminal three times can trigger the terminal's technical fallback, which permits a swipe transaction. Additionally, the pros are using a technique called Service Code Manipulation: the three-digit service code encoded in the track data is rewritten on the cloned stripe (a leading 2 or 6 changed to a 1 or 5) so the terminal believes the card has no chip and never asks for one.
We previously explored Service Code Manipulation in Issue 218:
https://www.threatswithoutborders.com/p/threats-without-borders-issue-218
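To make the service code discussion concrete, here is an added example of the kind of consistency check an issuer or acquirer can run on a swiped transaction. It is not code from the newsletter or from any payment processor; it assumes a hypothetical authorization step that has the card's original service code on file and receives the swiped Track 2 data plus the terminal's reported entry mode (chip, swipe, or fallback). The Track 2 strings are constructed using the well-known 4111... test PAN.

```python
"""Track 2 parsing and service code consistency checks.

Added illustration, not the newsletter's own code. Assumes a hypothetical
issuer-side check that knows the service code the card was issued with and
sees the stripe data and entry mode the terminal reports.
"""
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2 layout: ';' start sentinel, PAN, '=' separator,
# YYMM expiry, three-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>\d*)\??$"
)

# Service code, first digit: interchange rules and whether a chip is present.
SC_DIGIT1 = {
    "1": ("international", False),
    "2": ("international", True),
    "5": ("national", False),
    "6": ("national", True),
    "7": ("private", False),
    "9": ("test", False),
}

# Constructed samples (test PAN, expiry 12/29, made-up discretionary data).
GENUINE_TRACK2 = ";4111111111111111=29122011000012300000?"        # service code 201: chip card
CLONED_STRIPE_TRACK2 = ";4111111111111111=29121011000012300000?"  # same card, service code rewritten to 101


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def chip_present(self) -> bool:
        return SC_DIGIT1.get(self.service_code[0], ("unknown", False))[1]


def parse_track2(raw: str) -> Track2:
    """Split a Track 2 string into its fields; raise on malformed input."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a valid Track 2 string")
    return Track2(m["pan"], m["exp"], m["sc"], m["disc"])


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check digit validation for a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_swipe(track2_raw: str, service_code_on_file: str, entry_mode: str) -> list[str]:
    """Return reasons to flag or decline a transaction.

    entry_mode is what the terminal reports: 'chip', 'swipe' (plain stripe
    read), or 'fallback' (chip read failed, terminal fell back to the stripe).
    """
    t2 = parse_track2(track2_raw)
    alerts = []
    if not luhn_ok(t2.pan):
        alerts.append("PAN fails Luhn check")
    chip_on_file = SC_DIGIT1.get(service_code_on_file[0], ("unknown", False))[1]
    if t2.service_code != service_code_on_file:
        alerts.append(
            f"service code mismatch: presented {t2.service_code}, on file {service_code_on_file}"
        )
    if chip_on_file and not t2.chip_present:
        alerts.append("chip card presented as stripe-only: service code manipulation suspected")
    if chip_on_file and entry_mode == "swipe":
        # A compliant terminal must try the chip first on a 2xx/6xx card; a plain
        # swipe means the stripe says 'no chip' or the terminal is misconfigured.
        alerts.append("chip card swiped without a chip attempt")
    if chip_on_file and entry_mode == "fallback":
        alerts.append("technical fallback on a chip card: review and count toward the terminal's fallback rate")
    return alerts


if __name__ == "__main__":
    for label, raw, mode in [
        ("genuine chip read", GENUINE_TRACK2, "chip"),
        ("genuine card, fallback swipe", GENUINE_TRACK2, "fallback"),
        ("cloned stripe with rewritten service code", CLONED_STRIPE_TRACK2, "swipe"),
    ]:
        print(f"{label}: {check_swipe(raw, '201', mode) or ['ok']}")
```

The mismatch check is the decisive one: the stripe itself cannot tell you whether a 101 is genuine, but the issuer knows it put a 201 on the card. Tracking fallback transactions per terminal catches the triple-insert trick even when the track data is untouched, because a terminal that suddenly falls back far more often than its peers is either broken or being worked.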
Of course, not all of these skimming cases are related to physical devices. Web skimming is rampant, mainly attacking webstores built on the WordPress or Magento e-commerce platforms.
In the most recent incident, the cybercrime group B1ack's Stash released a million card numbers for free. Why do they do this? Well, why does 7-Eleven give away free Slurpees on July 11th? It’s for publicity and the hope that you’ll enjoy the product and return as a paying customer. The skimming crew hopes that once these free cards are all shut down, you’ll return and pay $25 each for high-quality ones.
https://www.d3lab.net/b1acks-stash-releases-1-million-credit-cards-on-a-deep-web-forum/
The News…
While we’re obsessed with AI, they’re robbing trains like it’s 1870! A series of organized freight train robberies across the California and Arizona deserts has resulted in the theft of over $2 million worth of Nike sneakers, including many unreleased models. A two-million-dollar haul without involving a single large language model. Imagine that! https://www.newsweek.com/nike-heist-network-executes-train-robberies-millions-sneaker-2035644
And in even more non-AI crime news, U.S. Customs and Border Protection (CBP) seized 200,000 counterfeit U.S. Forever Stamps carrying a potential retail cost of $146,000. Stamps, paper stamps! https://www.upi.com/Top_News/US/2025/02/21/ala-border-patrol-seizes-forever-stamps/4021740166411/
Malwarebytes Labs warns about a new PayPal scam that uses Docusign's API to send phishing emails that appear legitimate. The scam involves creating a Docusign account and using templates to impersonate PayPal, sending emails that bypass security filters and trick users into revealing sensitive information. https://www.malwarebytes.com/blog/news/2025/03/paypal-scam-abuses-docusign-api-to-spread-phishy-emails
According to a recent study by Fastly, organizations anticipate that social engineering attacks (34%) will pose the greatest cybersecurity threat in the upcoming year, with a shortage of relevant technical skills (29%) following closely behind. Fastly published their 2025 Global Security Report. https://learn.fastly.com/rs/025-XKO-469/images/USA%20%20Deck%20-%20Global%20Report%202024%20.pdf?version=0
The U.S. Secret Service and international law enforcement agencies have taken down and seized the website of Garantex, a Russian cryptocurrency exchange accused of being associated with darknet markets and ransomware hackers. https://techcrunch.com/2025/03/06/russian-crypto-exchange-garantex-seized-by-law-enforcement-operation/
Scammers in Chicago are approaching individuals on the street, posing as charity collectors and using sad stories to lure victims into paying them thousands of dollars through Apple Pay, PayPal, or tap-to-pay credit card transactions. The scammers take the victim's phone to complete the transaction and show the victim the screen to "confirm" the charge, leaving large unauthorized charges on the credit card. Strangely, no mention of AI in this scam either. https://www.yahoo.com/news/chicago-victims-credit-card-scam-110000934.html
A recent survey by Bankrate showed that a notable number of Americans have encountered financial fraud or scams over the last year. According to the study, 34% of U.S. adults reported experiencing financial fraud or scams in the past year, with about 37% incurring financial losses. The findings reveal various scams, from text messages offering cash prizes to investment schemes and threats against family members. Over 61% of those who fell victim to fraud fear encountering another scam within the next year, reflecting an ongoing sense of vulnerability and apprehension. Additionally, the survey indicated that 68% of Americans have faced financial fraud at some point, with 30% experiencing more than one type of scam. https://www.bankrate.com/credit-cards/news/financial-fraud-survey/?es_id=b246835614
The U.S. Department of State announced a reward of up to ten million dollars for information leading to the capture of 12 Chinese nationals charged with widespread hacking and espionage targeting U.S.-based critics of the Chinese government, U.S. religious organizations, and several U.S. government entities. https://flashpoint.io/blog/justice-department-charges-12-chinese-contract-hackers-and-law-enforcement-officers-in-global-computer-intrusion-campaigns/
A cybercrime crew stole and resold hundreds of tickets to Taylor Swift concerts and other events on StubHub, generating over $600,000 in profits. The group illegally acquired over 900 digital tickets for events such as Taylor Swift's Eras Tour, Adele and Ed Sheeran concerts, NBA games, and the U.S. Open Tennis Championships. https://www.npr.org/2025/03/05/nx-s1-5318561/taylor-swift-cybercrime-eras-tour
If you’re in the Philadelphia, PA area on April 9th, check out Barcode Security’s “End of the World Cyber Happy Hour” event at City Works in King of Prussia. https://www.eventbrite.com/e/barcode-securitys-annual-end-of-the-world-happy-hour-tickets-1267261034869
DFIR
Cado Security suggests some methods to strengthen your incident response plan. https://www.cadosecurity.com/blog/evolving-your-incident-response-best-practices-to-continuously-improve
Cool Job
Director of Payment Fraud - Caesars Entertainment. https://edmn.fa.us2.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1/job/64789/
Cool Tool
Significant offering of IP and DNS tools. https://www.ipvoid.com/
Speaking of free online tools, the FBI’s Denver Field Office has warned that attackers are using online file converter services to deliver malware onto victims' computers. https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam
Irrelevant
Is ranch dressing a liquid or a solid? A professor of biophysics attempts to answer. https://theconversation.com/is-ranch-dressing-a-liquid-or-a-solid-a-physicist-explains-249435
Sign-Off
Yesterday, I felt the sun's warmth for the first time in what seemed like ages, making me aware of how long winter has lasted. It’s incredible how a bit of direct sunlight can uplift your spirits. If the sun is shining today, take a moment to step outside and refresh yourself.
Thank you for reading another issue of the newsletter, and we’ll see you next Tuesday.
Matt
CONFIDENCE IS NOT “THEY’LL LIKE ME.” CONFIDENCE IS “I’LL BE FINE IF THEY DON’T.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.