Threats Without Borders - Issue 236
Cybercrime Investigation Newsletter, week ending May 25, 2025
Never click on a link unless you know where it’s taking you! Easier said than done. I can’t tell you how many times I’ve intended to right-click >> Copy link address, but actually clicked the link. Or tried to highlight the URL string but accidentally activated it.
The darlings of every marketing team, shortlinks, are particularly dangerous because you really have no idea where they lead unless you make the effort to map the route. Even the “hover your cursor on the link” trick can be defeated by a motivated attacker.
Substack supports hot-linking, which means you can embed links in any text, such as THIS. However, I prefer to write out the complete URL for every resource I recommend in the newsletter. It doesn’t reflect well on me to advocate for link control and security while asking you to blindly click links in a newsletter posted online.
One of the most common requests made of investigators and security practitioners is “Hey, is this link safe?” I learned the hard way years ago not to make the joke “Click it and find out”. Undoubtedly, someone will take you up on the offer before you can finish your sentence.
So, what are some easy and free resources for investigating suspicious links and Uniform Resource Locators (URLs)?
Ideally, you should conduct these investigations in a virtual machine, sandbox, or on a dirty machine (a computer segmented from your main network designed to be burned and rebuilt). These tools will allow you to safely interact with the links and won’t result in damage to your systems, even if you make a mistake.
Sometimes you may not be in a position to conduct a full investigation, or time simply does not allow for it. Here are some online resources that can help you quickly and safely evaluate the safety of a link.
Most people recognize VirusTotal, now operated by Google, as a place to research suspicious files, but it also allows you to investigate URLs. Not only does VT check the resource for malicious intent, but in the “Details” section, it provides a history listing that tells you whether anyone else has submitted the link for review. https://www.virustotal.com/gui/home/upload
One of my favorite cybersecurity organizations, ANY.RUN, provides an interactive malware analysis sandbox and threat intelligence services for real-time analysis and investigation of malware and phishing threats. Although they’ve gone “big time,” they still offer limited free access to many tools through their web app. https://app.any.run/
urlscan.io is another great tool that has recently transitioned to a pricing model while still providing enough functionality to determine the safety of a link for free. https://urlscan.io/
Joe Sandbox enables users to explore websites or work with files in a virtualized Windows, Mac, Android, or Linux operating system. However, caution is advised, as prominently stated on the site in red: “Your complete sample and analysis will be published on this website and accessible to anyone (including a download of the sample, screenshots, etc).” Therefore, refrain from uploading any files that may contain proprietary information or personal data, or at least your own personal data. https://www.joesandbox.com/#windows
The Talos team at Cisco provides limited access to its Intelligence Center. Most of the time, it’s more than sufficient to determine the safety of a link. https://talosintelligence.com/reputation_center/
Recently, the resource that has become my go-to is Cloudflare. A large portion of internet traffic is now routed through Cloudflare's service, and they document everything beautifully on their Radar platform. Within that service is a free URL reputation checker, which provides all the information you need to assess the safety of a link, including a screenshot of the site's front page. https://radar.cloudflare.com/scan
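For the “map the route” step mentioned above, here is an added Python example (mine, not code from the newsletter or from any of the services listed) that walks a shortlink’s redirect chain one hop at a time. It sends HEAD requests with automatic redirects disabled, so every intermediate host is recorded and no page content is ever rendered or executed; it also stops on redirect loops and after a fixed number of hops. The hostnames short.example and tracker.example in the built-in demo are constructed, and the fetcher that answers for them is a stand-in for real network access so the script runs offline. Run the real version from the sandbox or dirty machine described above.

```python
"""Walk a shortlink's redirect chain without loading the destination page.

Added example for this newsletter issue; not code from any listed service.
Each hop is a HEAD request with redirects disabled, so nothing is executed
and every intermediate host ends up in the recorded chain.
"""
import http.client
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def fetch_location(url, timeout=10):
    """Issue one HEAD request and return (status, Location header or None).

    http.client is used directly because, unlike higher-level libraries,
    it never follows a redirect on its own.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "link-route-check/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def map_redirects(url, fetch=fetch_location, max_hops=MAX_HOPS):
    """Return (chain, reason): every URL visited and why the walk stopped.

    reason is "final" (a non-redirect response), "loop" (a URL repeated),
    or "too-many-hops" (gave up after max_hops redirects).
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain, "final"
        # Location may be relative ("/landing"), so resolve it against the hop.
        nxt = urljoin(chain[-1], location)
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too-many-hops"


def hosts_touched(chain):
    """The distinct hostnames along the route, in order: the list you actually
    need to judge before deciding whether the link is safe to open."""
    hosts = []
    for u in chain:
        h = urlparse(u).hostname
        if h and h not in hosts:
            hosts.append(h)
    return hosts


# Constructed offline stand-in for the network: a shortener that bounces
# through a tracking host before landing. Hostnames are made up.
_CONSTRUCTED_RESPONSES = {
    "https://short.example/abc": (301, "https://tracker.example/r?u=1"),
    "https://tracker.example/r?u=1": (302, "/landing"),
    "https://tracker.example/landing": (200, None),
    # A two-host redirect loop, to show the loop guard firing.
    "https://a.example/": (302, "https://b.example/"),
    "https://b.example/": (302, "https://a.example/"),
}


def fake_fetch(url):
    """Offline fetcher returning the constructed responses above."""
    return _CONSTRUCTED_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    # Offline demo. Swap fetch=fetch_location to walk a real link from a sandbox.
    for start in ("https://short.example/abc", "https://a.example/"):
        chain, reason = map_redirects(start, fetch=fake_fetch)
        print(reason, "->", " => ".join(chain))
        print("hosts:", hosts_touched(chain))
```

The tracking hop in the demo is the point: a hover only shows you the first URL, while the chain shows every host that sees your request before you reach the landing page.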
Interesting take offered by this author, who claims Know Your Customer (KYC) is to blame for all of these data breaches! If companies weren't forced to collect the information, they wouldn't have it, and it couldn't be stolen during a breach.
The writer examines the threats posed by KYC regulations, which mandate that financial institutions gather and retain sensitive personal information. Such data is vulnerable to hacking and can be exploited by criminals. In addition to the criminal use of collected data, the author also contends that KYC contributes to a surveillance framework that connects to government databases and empowers companies to gather sensitive information. The article suggests alternative solutions, including Zero-Knowledge Proofs and Decentralized Identity, that can authenticate identity without surveillance, urging a reassessment of the KYC framework. https://www.ludlowinstitute.org/articles/kyc-is-the-crime
The News
The Philadelphia City School District fell victim to a Business Email Compromise scheme and sent $700,000 to the perpetrators. Ugh. Even worse, they didn’t even know they had done it until the city controller conducted a routine audit of the school district’s finances. How did they not realize they had misplaced $700,000? https://www.phillyvoice.com/school-district-philadelphia-cyber-fraud-scheme/
A security researcher discovered a publicly exposed database containing tens of millions of account credentials, including login and password information for Facebook, Snapchat, Roblox, and other services. The owner of the database is unknown, but it appears it was used to collect data through infostealer malware and phishing emails. The exposed data poses a significant risk for credential stuffing attacks, account takeovers, and phishing scams. https://www.websiteplanet.com/news/infostealer-breach-report/
Four individuals, including two former U.S. Postal Service employees, face charges for their suspected involvement in a $63 million scheme. This operation involved checks that were stolen from the mail and subsequently resold. Among the stolen checks were IRS refunds issued by the U.S. Treasury. https://www.justice.gov/usao-edmi/pr/four-individuals-charged-63-million-mail-theft-conspiracy-including-two-postal
Not that he’ll ever be extradited, but the U.S. DOJ has indicted a Russian man for leading a global cybercrime ring that caused hundreds of millions of dollars in damage. The ring allegedly used malicious software, known as Qakbot, to infect hundreds of thousands of computers worldwide, resulting in damaging ransomware attacks on healthcare and government agencies. https://www.cnn.com/2025/05/22/politics/us-indicts-russian-accused-cybercrime-ring
The Bee stung himself. U.S. federal prosecutors have dismantled the DanaBot malware and indicted its developers, including the suspected leader Aleksandr Stepanov, also known as "JimmBee." The malware, which infected over 300,000 computers worldwide, was utilized for both cybercrime and espionage, with the latter variant targeting sensitive data from diplomatic staff and government entities. Prosecutors claim DanaBot caused at least $50 million in damages and was sold to affiliates for between $3,000 and $4,000 per month. They state that the case was cracked wide open when “JimmBee” infected his own computer with the malware, which enabled an FBI agent to image his machine. https://www.bankinfosecurity.com/us-takes-down-danabot-malware-indicts-developers-a-28466
The FBI warns that criminals are using AI to impersonate senior U.S. officials. In other news, most people don’t trust senior U.S. officials anyway. https://www.malwarebytes.com/blog/news/2025/05/scammers-are-using-ai-to-impersonate-senior-officials-warns-fbi
I doubt that there are any lawyers still reading the newsletter, but I’ll put a good foot forward and share this bulletin from the FBI warning law firms that the Silent Ransom Group is targeting them. https://www.ic3.gov/CSA/2025/250523.pdf
Must See TV
This is one of the best talks I’ve heard in a long time. Tim Pappa tells his audience at the BSides Charm conference how to bring sock puppet accounts to life using props found at local yard sales.
Cool Job
Intelligence Analyst (Entry Level) - NCFTA. https://www.ncfta.net/careers/intelligence-analyst---entry-level
Cool Tools
IP Address Query (lots of ads on the search page, but geolocation seems accurate): https://www.iping.cc/
This tool requires a payment of $29 for a lifetime license, but it can be valuable if you use Reddit for OSINT. Reddit user profiler: https://r00m101.com/
Reader Mail
Matt, just as you wrote [issue 231], we had a business in our town hit with ransomware and they called us to get the phone number for the FBI. The Chief was put off that they only wanted our help as a phone book. I called the business back and helped them file a complaint with IC3 and they were more than appreciative of my effort. A little kindness does go a long way. KS
Awesome. Now strike while the iron is hot and hit the boss up for some cyber incident response training. For reference:
https://www.threatswithoutborders.com/p/threats-without-borders-issue-231
feedback: matt[@]threatswithoutborders[.]com
Irrelevant
How is your school district doing in terms of math, science, and reading proficiency? Someone created a dashboard that, unfortunately, shows the answer is “not well”. Click on a state to drill down on the data. https://timeback-world.vercel.app/
Sign Off
I had so much material for this week, but there’s no way I can include it all in the newsletter. Unfortunately, longer issues seem to be more prone to being rejected as spam by email providers. It was suggested to me that I start a podcast. I joked, “Yeah, it’s going to be called ‘Matt Runs His Mouth.’”
I’d appreciate a referral to your colleagues. The newsletter only grows with your support.
See you next week.
Matt
“IF YOU AIM AT NOTHING, YOU WILL HIT IT EVERY TIME.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.