Threats Without Borders - Issue 229
Cybercrime Investigation Newsletter, week ending April 6, 2025
I recently heard someone get corrected for conflating the terms Skimmer and Shimmer.
What is it about our field that we need to make everything so hard?
They are different, but not really.
While both are devices designed to steal your card information, they differ in approach and sophistication. Skimmers are external devices criminals attach to the outside of card readers at ATMs, gas pumps, or point-of-sale terminals. These larger, sometimes detectable devices read information from the card's magnetic stripe and often work in conjunction with cameras or keypad overlays to capture your PIN. Shimmers are thin devices inserted inside card slots, making them virtually impossible to detect from the outside. Shimmers specifically target newer EMV chip cards by sitting between the chip and the terminal's reader, capturing data when the chip is activated during the transaction.
Yes, they are technically different. But does the public care? Should they be acting differently to protect themselves depending on whether the device is going to capture the track data or the token data?
It’s fine to make a distinction, and being technically accurate is always a good thing. However, it’s acceptable to refer to a shimmer as a skimmer, and we shouldn’t criticize colleagues for choosing to keep it simple when trying to educate the public.
You still have time to secure tickets for the BSides Harrisburg cybersecurity conference. The event is on Friday, April 25th. We have moved to a larger location, and lunch is included. Not to mention, there is a stellar line-up of speakers.
I’ve often been asked by young people what the best way is to break into the cybersecurity field. There is no single best way, but one sure way to advance is to attend events and start networking. You never know who you’ll meet; it might be your next manager.
Casa Chief Security Officer Jameson Lopp went deep into Bitcoin “address poisoning” attacks. At first read, it kind of makes your eyes glaze over. But digging in a little deeper it’s not that difficult to understand. It’s just a social engineering attack that plays on the complicated nature of the wallet system.
Attackers deceive users into sending cryptocurrency to the wrong address by exploiting how wallet interfaces display and store addresses. They generate a Bitcoin address that resembles the victim's recently used addresses and deposit a small amount of cryptocurrency from it, so the look-alike shows up in the victim's transaction history. The attackers depend on human error, such as relying on partial address matches or copying addresses from past transaction lists without verification, to mislead victims into sending funds to the wrong address.
https://blog.lopp.net/bitcoin-address-poisoning-attacks/
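As an added illustration (not code from Jameson Lopp's post or from any wallet project), here is the kind of check a wallet interface could run before a send: it flags a destination that matches a known address on the characters people actually eyeball (the first and last few) but differs in the middle, and separately flags an address whose only footprint in the history is tiny inbound deposits. The addresses, thresholds (PREFIX_LEN, SUFFIX_LEN, DUST_SATS) and transaction history are all constructed for the demo.

```python
from dataclasses import dataclass

# Constructed look-alike addresses for the demo (not real Bitcoin addresses).
# The poisoned one copies the first and last characters of the real one.
REAL_PAYEE = "bc1q7a3c0ffee0000000000000000000000d9e4f2"
POISONED   = "bc1q7a3c5eed5eed00000000000000000000d9e4f2"
UNRELATED  = "bc1qzzzz0000000000000000000000000000aaaaaa"

# Assumed thresholds: how many leading/trailing characters a person actually
# reads, and the largest inbound amount (in satoshis) treated as "dust".
PREFIX_LEN = 6
SUFFIX_LEN = 6
DUST_SATS = 1000


@dataclass(frozen=True)
class Tx:
    counterparty: str  # the other party's address
    direction: str     # "in" (they paid us) or "out" (we paid them)
    sats: int


def visible_ends(addr: str) -> tuple[str, str]:
    """The slices of an address a user typically compares by eye."""
    return addr[:PREFIX_LEN], addr[-SUFFIX_LEN:]


def find_lookalikes(candidate: str, known: set[str]) -> list[str]:
    """Known addresses that share candidate's visible ends but differ inside."""
    ends = visible_ends(candidate)
    return sorted(a for a in known if a != candidate and visible_ends(a) == ends)


def only_dust_inbound(addr: str, history: list[Tx]) -> bool:
    """True if our only contact with addr is it sending us tiny amounts:
    the footprint a poisoning attacker leaves in a transaction list."""
    txs = [t for t in history if t.counterparty == addr]
    return bool(txs) and all(t.direction == "in" and t.sats <= DUST_SATS for t in txs)


def check_destination(candidate: str, address_book: set[str],
                      history: list[Tx]) -> tuple[str, str]:
    """Return ("ok" | "block" | "confirm", reason) for a proposed destination.

    address_book holds addresses the user verified in full and saved;
    history holds every counterparty seen, including unsolicited inbound dust.
    """
    candidate = candidate.strip()
    if candidate in address_book:
        return "ok", "exact match with a verified address book entry"
    known = set(address_book) | {t.counterparty for t in history}
    lookalikes = find_lookalikes(candidate, known)
    if lookalikes:
        return "block", f"matches the visible ends of {lookalikes[0]} but differs in the middle"
    if only_dust_inbound(candidate, history):
        return "block", "only ever sent dust to this wallet; likely planted in the history"
    return "confirm", "not in the address book; compare the full string before sending"


if __name__ == "__main__":
    # Constructed history: one real payment out, one dust deposit from the look-alike.
    history = [Tx(REAL_PAYEE, "out", 250_000), Tx(POISONED, "in", 546)]
    book = {REAL_PAYEE}
    for addr in (REAL_PAYEE, POISONED, UNRELATED):
        print(addr[:10] + "...", check_destination(addr, book, history))
```

The design point is that the address book (full-string matches the user has verified once) is the source of truth, and the transaction history is treated as untrusted input, because anyone can write to it by sending you dust.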
The News…
Legislation has been introduced to update current laws and enable the Secret Service to investigate all new criminal activities involving digital assets. The Combating Money Laundering in Cyber Crime Act addresses limitations on the Secret Service's jurisdiction over unlicensed money-transmitting businesses, which cybercriminals exploit to launder illicit funds. Some of the best investigators I’ve worked with are from the U.S. Secret Service. However, they encounter a recurring issue: every few years, they all disappear during the election cycle, and by the time they return to working cases, everyone else has moved on. The agency needs to split into an investigation branch and a protection branch. https://therecord.media/lawmakers-seek-to-close-secret-service-cyber-money-laundering-loophole
Hacker claims to have breached the cybersecurity firm Check Point and offers the stolen data to anyone willing to pay them 5 BTC. Check Point advises not to waste your money, stating that it's old news and the data they took isn’t worth anything. Maybe, maybe not. But it is an important reminder that anyone can be breached, and most of us live on borrowed time. https://hackread.com/hacker-breach-check-point-cybersecurity-firm-access/
The FBI was kind enough to remind us all that bad guys are using your personal information to commit tax fraud. The IRS recommends setting up an IP PIN - Identity Protection Personal Identification Number. https://www.ic3.gov/PSA/2025/PSA250402
This write-up by the Ontinue team is one of the most thorough and well-written posts on an attack I’ve read recently. The team observed a sophisticated multi-stage attack using vishing, remote access, and living-off-the-land techniques. The attackers exploited exposed communication channels, delivering a malicious PowerShell payload and deploying signed binaries along with a C2 backdoor. Take a few minutes to read it; it’ll be worth your time. https://www.ontinue.com/resource/blog-signed-sideloaded-compromised/
Security researcher Evan Connelly discovered a vulnerability in the Verizon Call Filter iOS app, allowing unauthorized access to call history logs of Verizon Wireless customers. Any Verizon Wireless customer. This issue, which Verizon has resolved, stemmed from a server failing to validate the requested phone number, enabling the lookup of call history logs for any number. https://evanconnelly.github.io/post/hacking-call-records/
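To make the failure concrete, here is an added example (not Verizon's code and not from Evan Connelly's write-up) that models a call-history lookup as a tiny in-memory service: the vulnerable handler authenticates the session but never ties the requested number to it, the fixed handler adds that ownership check, and a small log-review function shows how a defender could spot sessions that requested numbers other than their own. Phone numbers, tokens, session mapping and log rows are all constructed.

```python
from collections import defaultdict

# Constructed data for the demo; no real numbers or real systems involved.
CALL_LOGS = {
    "+15550100001": ["2025-04-01 09:12 inbound  from +15550100077"],
    "+15550100002": ["2025-04-02 14:30 outbound to   +15550100088"],
}

# Session token -> subscriber number that session was authenticated as.
SESSIONS = {"token-alice": "+15550100001", "token-bob": "+15550100002"}


class Forbidden(Exception):
    """Raised when a request is refused."""


def owns_number(token: str, number: str) -> bool:
    """Object-level authorization: is this session bound to this number?"""
    return SESSIONS.get(token) == number


def lookup_vulnerable(token: str, requested_number: str) -> list[str]:
    """The gap: the caller is authenticated, but the requested number is
    never tied to the session, so any subscriber's logs can be fetched."""
    if token not in SESSIONS:
        raise Forbidden("not authenticated")
    return CALL_LOGS.get(requested_number, [])


def lookup_fixed(token: str, requested_number: str) -> list[str]:
    """Same endpoint with the missing ownership check added."""
    if token not in SESSIONS:
        raise Forbidden("not authenticated")
    if not owns_number(token, requested_number):
        raise Forbidden("requested number is not bound to this session")
    return CALL_LOGS.get(requested_number, [])


def sessions_querying_foreign_numbers(access_log: list[tuple[str, str]]) -> dict[str, int]:
    """Detection for the period before the fix: count, per session, how many
    distinct numbers it requested that are not its own. Anything above zero
    deserves a look; large counts suggest enumeration.

    access_log rows are (token, requested_number) pairs as a server would log them.
    """
    foreign: dict[str, set[str]] = defaultdict(set)
    for token, number in access_log:
        if not owns_number(token, number):
            foreign[token].add(number)
    return {token: len(nums) for token, nums in foreign.items()}


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("token-alice", "+15550100002"))
    try:
        lookup_fixed("token-alice", "+15550100002")
    except Forbidden as err:
        print("fixed:", err)
    sample_log = [("token-alice", "+15550100001"), ("token-alice", "+15550100002"),
                  ("token-alice", "+15550100003"), ("token-bob", "+15550100002")]
    print("review:", sessions_querying_foreign_numbers(sample_log))
```

The check that matters is the one in lookup_fixed: authentication answers "who is calling", while the ownership comparison answers "may this caller see this record", and the second question has to be asked on every object the request names.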
This article by Unit 42 is timely, given that my workplace has been reevaluating the use of QR codes and short links. Unit 42 researchers have observed new phishing tactics in documents with QR codes. Attackers conceal the final destination using legitimate websites’ redirection mechanisms or adopt Cloudflare Turnstile for user verification to evade security crawlers. https://unit42.paloaltonetworks.com/qr-code-phishing/
The Pennsylvania Attorney General’s Office has charged two former FedEx employees with stealing at least 181 smartphones — worth approximately $173,000 — and recruiting people to sell them at EcoATM stations. Sales of the phones netted the organization $57,000 in profit. Kudos to the team that ran this investigation! https://www.attorneygeneral.gov/taking-action/attorney-general-sundays-organized-crime-section-stops-173k-cellphone-theft-scheme-with-arrests-of-2-fedex-workers-and-7-co-conspirators/
Mail theft is an “epidemic” in California, they say. https://www.sacbee.com/news/local/article303498291.html
The Electronic Frontier Foundation (EFF) opposes AI-enabled traffic networks and presents a compelling argument against them, asserting that no amount of “guardrails” will prevent the police from abusing the system and violating citizens' rights. And every crash investigator is screaming…it’s guide rail! https://www.eff.org/deeplinks/2025/03/guardrails-wont-protect-nashville-residents-against-ai-enabled-camera-networks
DFIR
Chris Ray at Cyber Triage looks at the current line-up of tools to examine the Windows Registry. https://www.cybertriage.com/blog/2025-guide-to-registry-forensics-tools/
Cool Job
Manager - Youth Flag Football, The National Football League. https://job-boards.greenhouse.io/nflcareers/jobs/4552954008
Cool Tool
One search submission - multiple AI models: https://internet.io/
Exif reader with a mapping function. https://www.pic2map.com/
Make your data look good. https://flourish.studio/ (there is a free tier)
Irrelevant
They dumped millions of gallons of liquid fire retardant across southern California during the LA wildfires. Someone finally thought to see what exactly was being poured on them. https://laist.com/news/climate-environment/how-much-toxic-heavy-metal-is-in-that-bright-red-fire-retardant-we-had-it-tested-to-find-out
Really Irrelevant
I asked an AI model to create artwork showing a patriotic porcupine eating a donut. Not bad.
Sign Off
Honestly, the sheer amount of cyber(security)(fraud)(crime) content being published every week has become overwhelming. Of course, the quality varies greatly, but the choices of newsletters, blogs, YouTube channels, and voices on LinkedIn have become voluminous. Every day, new resources come online, and there are only so many topics to cover.
I don’t say this as a complaint but to note my appreciation for you reading the Threats Without Borders Newsletter each week. Clearly, you have other choices.
Thank you. Seriously.
Matt
“DON’T EXPECT TO MATTER TO OTHER PEOPLE IF OTHER PEOPLE DON’T MATTER TO YOU.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.