Threats Without Borders - Issue 292
Cybercrime Investigations Newsletter, week ending June 21, 2026
Last week, the FBI’s Internet Crime Complaint Center issued a PSA warning the public about criminal use of Traffic Distribution Systems (TDS) to redirect users to phishing pages, malware, and financial fraud schemes. The PSA does a surprisingly decent job explaining the concept. But let me give you a better one.
Think of a TDS as an air traffic controller for web traffic. Every time you click a link, the system takes a fraction of a second to analyze your connection, your operating system, your browser, your IP address, your geographic location, and then routes you to the most appropriate version of whatever resource you’re trying to reach. You click a link, the TDS profiles you, and sends you somewhere.
You’ve experienced this for most of your online life and never noticed. It’s how you land on a mobile-optimized page when you’re on your phone and the full desktop version when you’re on your laptop. It’s how the website knows to serve you content in English instead of French. The web publishing and digital marketing industries rely heavily on these systems.
And of course, the bad guys flip it.
When criminals gain access to TDS infrastructure or build their own, the same capability becomes a precision-targeting mechanism. A malicious TDS selectively redirects users to compromised or fake login sites hosting phishing pages designed for financial fraud, or prompts them to download malware disguised as software updates. The user thinks they followed a normal link. The TDS decides where they actually land.
This is also how the scammers get their payloads right. A Windows user receives a pop-up that impersonates Microsoft Defender. A Mac user gets a generic Apple security alert. Someone on a desktop trying to follow a link from an SMS message simply goes nowhere; the TDS drops them because the setup doesn’t fit the target profile. Same link. Different outcomes, based entirely on what the system learned about you in that invisible half-second before anything loaded.
The filtering capability is where this gets really insidious.
Malicious TDS operators collect your IP address, operating system, location, device type, and browser information to determine whether you’re worth attacking. They can display completely harmless content to unwanted visitors, such as security researchers, analysts, and investigators, while routing the people they actually want to the fraud infrastructure.
Here’s roughly how that triage looks in practice:
The connection is coming from a known VPN or Tor exit node? Drop it. This could be a researcher.
The user is on an M5 MacBook Pro running Tahoe 26.5 and the Brave browser? Drop. They are an advanced user.
The traffic originates from a Dell Latitude 5520 running Windows 10 and Chrome 111? PERFECT, send them on through!
The criminals aren’t spraying and praying. They’re running a filtering operation. They’re actively discarding sophisticated users and security professionals to concentrate their attacks on the most vulnerable, least-defended people in the pool.
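To make that triage concrete, here is an added example of the routing decision in Python. It is not code from the FBI PSA or from any real TDS product; the deny-list prefixes (documentation ranges), the destination URLs, the User-Agent strings and the Chrome version threshold are all constructed for illustration.

```python
"""Toy model of the triage a malicious TDS performs before it redirects.

Added example for this newsletter; it is not code from the FBI PSA or from
any real TDS product. The deny-list prefixes (documentation ranges), the
destination URLs, the User-Agent strings and the Chrome version threshold
are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for a VPN/Tor exit feed (documentation prefixes, not
# real exits). A real operator buys a proxy-detection list for this.
DENY_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Constructed destinations. Note that a "drop" is itself a redirect: the
# unwanted visitor gets a harmless page, not an error, so nothing looks wrong.
DECOY = "https://example.com/recipes"
WIN_PAYLOAD = "https://example.com/defender-alert"   # fake Microsoft Defender pop-up
MAC_PAYLOAD = "https://example.com/apple-alert"      # generic Apple security alert
MOBILE_PAYLOAD = "https://example.com/m/login"       # phishing page for SMS lures

# Constructed threshold: treat Chrome older than this as an "unpatched target".
OUTDATED_CHROME = 120


@dataclass
class Visitor:
    ip: str
    user_agent: str
    source: str  # how the link was delivered: "sms" or "email"


def fingerprint(ua: str) -> dict:
    """Pull out the few User-Agent facts the routing rules need.

    Crude on purpose: real TDS products layer JavaScript and TLS
    fingerprinting on top of this, which is also how they spot browsers
    such as Brave that do not announce themselves in the User-Agent.
    """
    os_name = "other"
    if "Windows NT" in ua:
        os_name = "windows"
    elif "iPhone" in ua or "Android" in ua:   # before macOS: iPhone UAs say "like Mac OS X"
        os_name = "mobile"
    elif "Mac OS X" in ua:
        os_name = "macos"
    elif "Linux" in ua:
        os_name = "linux"
    m = re.search(r"Chrome/(\d+)", ua)
    return {
        "os": os_name,
        "mobile": os_name == "mobile",
        "chrome_major": int(m.group(1)) if m else None,
        "automation": bool(re.search(r"curl|wget|python-requests|headless|bot", ua, re.I)),
    }


def route(v: Visitor) -> tuple[str, str]:
    """Decide where this click lands. Returns (destination, reason)."""
    if any(ip_address(v.ip) in net for net in DENY_NETWORKS):
        return DECOY, "vpn_or_tor_exit"             # could be a researcher
    fp = fingerprint(v.user_agent)
    if fp["automation"]:
        return DECOY, "scanner_or_script"           # sandbox, crawler, analyst's curl
    if v.source == "sms" and not fp["mobile"]:
        return DECOY, "sms_link_opened_on_desktop"  # does not fit the lure's profile
    if fp["mobile"]:
        return MOBILE_PAYLOAD, "mobile_target"
    if fp["os"] == "windows":
        if fp["chrome_major"] is not None and fp["chrome_major"] < OUTDATED_CHROME:
            return WIN_PAYLOAD, "outdated_windows_chrome"   # PERFECT, send them through
        return WIN_PAYLOAD, "windows_target"
    if fp["os"] == "macos":
        return MAC_PAYLOAD, "macos_target"
    return DECOY, "outside_target_profile"          # Linux, unknown, etc.


# Constructed sample clicks, including the kind an investigator would produce.
WIN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36")
IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1")
SAMPLE_CLICKS = [
    Visitor("192.0.2.10", WIN_UA, "email"),          # the victim profile from the text
    Visitor("198.51.100.7", WIN_UA, "email"),        # same browser, but via a listed exit
    Visitor("192.0.2.11", "curl/8.4.0", "email"),    # an analyst fetching the URL by hand
    Visitor("192.0.2.12", WIN_UA, "sms"),            # desktop user opening an SMS link
    Visitor("192.0.2.13", IPHONE_UA, "sms"),         # the SMS lure's intended target
]


def triage(clicks=SAMPLE_CLICKS) -> list[tuple[str, str, str]]:
    """Run the router over a batch of clicks; returns (ip, destination, reason)."""
    return [(c.ip, *route(c)) for c in clicks]


if __name__ == "__main__":
    for ip, dest, why in triage():
        print(f"{ip:15} -> {dest:40} ({why})")
```

The practical caveat for investigators is the third and fourth sample clicks: an analyst who fetches a reported URL with curl, or from a desktop on a VPN, lands on the recipe page and may close the ticket as a false positive. To reproduce what the victim saw, replay the click with the lure’s target profile (residential egress, a User-Agent matching the lure, a mobile device if the link arrived by SMS) and record which profile you presented alongside the result.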
So how does this affect us, the investigators and prevention professionals?
First, the bad guys are professionals. They are using legitimate enterprise technology at its full capability, the same tools the digital marketing industry uses to optimize ad spend, and pointing it at fraud. This is not groundbreaking news, but we need to acknowledge it.
Second, non-technical users are completely outmatched by this. There is nothing for them to see. No warning. No obvious sign that something went wrong. The most dangerous part of the attack happens before a single pixel loads on their screen. They clicked a link. The system made a decision about them. And they went where they were sent.
I’d like to close with something uplifting other than the notion that the average user is absolutely cooked. But I think we all know where we’re at.
Instead, I’ll direct you to the PSA, which does offer helpful prevention tips.
https://www.ic3.gov/PSA/2026/PSA260618
Funny…not funny
The News
Rule 1: Revoke access before they leave the building. A former Iowa school district IT support specialist received a 21-month prison sentence for attacks carried out over 21 months using credentials retained after leaving the district in April 2023. The individual disrupted classroom activities by deleting the district’s Facebook page, revoking employees’ access to platforms like Apple School Manager and Schoology, and erasing nine Gmail accounts, including those of the IT director and superintendent. This caused tens of thousands of dollars in damages and major educational disruptions. Holy DFIR failure! Why did it take 21 months to identify that the activity stemmed from a single account—belonging to a former employee? https://www.bleepingcomputer.com/news/security/ex-school-district-employee-jailed-for-hacks-on-former-employer/
I teach a class that demonstrates how to convert an IP address to binary (1s and 0s) using binary math. I also explain Network Address Translation (NAT), which exists largely because the IPv4 address space has run out. A common question I get is whether this will become unnecessary once we transition to IPv6. Maybe, but I plan to be retired long before that happens. Currently, IPv6 adoption, as measured by Google, is only about 50%. https://blog.apnic.net/2026/04/28/google-hits-50-ipv6/
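The binary conversion and the private-range check behind NAT, as an added example in Python. This is not the class material itself; the sample addresses are constructed.

```python
"""Dotted-quad to binary, and the RFC 1918 check behind NAT, done with bit math.

Added example; it is not the course material from the newsletter. Sample
addresses are constructed.
"""

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # private ranges NAT hides


def ip_to_int(ip: str) -> int:
    """Pack four octets into one 32-bit integer, validating each octet."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | octet   # shift earlier octets left, append this one
    return value


def ip_to_binary(ip: str) -> str:
    """Render the address as four 8-bit groups, e.g. 11000000.10101000.00000001.00001010"""
    value = ip_to_int(ip)
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def in_prefix(ip: str, prefix: str) -> bool:
    """True if ip falls inside network/bits, by masking both sides to the prefix length."""
    network, bits = prefix.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (ip_to_int(ip) & mask) == (ip_to_int(network) & mask)


def is_private(ip: str) -> bool:
    """Is this an RFC 1918 address, i.e. one that needs NAT to reach the internet?"""
    return any(in_prefix(ip, prefix) for prefix in RFC1918)


if __name__ == "__main__":
    # Constructed samples; 172.31.255.255 and 172.32.0.0 straddle the /12 boundary.
    for addr in ("192.168.1.10", "172.31.255.255", "172.32.0.0", "8.8.8.8"):
        print(f"{addr:>15}  {ip_to_binary(addr)}  private={is_private(addr)}")
```

The /12 range is the one students get wrong most often; masking the first twelve bits rather than comparing octets is what makes 172.31.x.x private and 172.32.x.x public.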
The job market is already challenging! The U.S. Department of Justice and FBI confiscated 13 websites run by alleged Chinese agents. These sites targeted current and former U.S. security clearance holders with fake “consulting” job offers to obtain sensitive or classified information. The seized domains, including names like Centrik Global Consulting and SafeSec Group, appeared legitimate with fake contracts and confidentiality agreements, while they were actually used for international money laundering and identity theft. https://www.justice.gov/opa/pr/justice-department-fbi-disable-13-websites-backed-suspected-chinese-agents-sought-sensitive
The criminals need to come to America and eat some brisket. The FIFA World Cup 2026 is being exploited by cybercriminals through fraudulent domains, social media, and activity on crime forums. Threat actors are using fake ticket offers, VIP schemes, and unauthorized streaming platforms to lure victims into payment fraud and identity theft. https://cyble.com/blog/operation-fantrap-fifa-2026-fraud-ecosystem/
Vinnie Liu from Bishop Fox describes the progression of cyber offensive strategies across three distinct eras, asserting that we've recently entered a new, perilous stage fueled by artificial intelligence. The initial phase, “Low and Slow,” emphasized stealth and patience, with attackers such as Volt Typhoon remaining within networks for years to map environments unnoticed. The second phase, “Loud is the Point,” coincided with the rise of ransomware, where attackers adopted performative tactics, leveraging encryption and data leaks to negotiate extortion and industrialize their operations via Ransomware-as-a-Service. The current and emerging third phase, “Smash and Grab,” discards both patience and negotiation, focusing instead on rapid, parallel attacks. Liu also introduces the term “LLM-as-C2,” referring to command and control through Large Language Models (AI). https://bishopfox.com/blog/the-smash-and-grab-era
Feedback
For context, see the feedback section of Issue 290, where I challenged someone to turn on their LinkedIn “open to work” flag to see what happens at their current workplace.
“Good morning, Matt. Saw your newsletter this morning and I thought I’d share my experience. I’m currently employed with a state agency but I’m in a, let’s say, complicated situation, so it’s time to move on. I activated my “Open to Work” banner and initially got some nibbles from scammers, but so far, nothing from any co-workers I’m connected to. I should point out that one is within a few years of retirement, a second took an offer with a different agency, and the third is looking for a new job elsewhere. Two already knew I was looking and I’m sure it’s not surprising to anyone else in the office that I’m looking. I guess my point is that either no one cares or it’s obvious you’re looking so no one is surprised when you make it LinkedIn official. Take from that what you will.”
Yikes, unfortunately, it sounds like there is a management issue at this workplace. I hope you land somewhere better.
Send Feedback to matt(at)threatswithoutborders.com
DFIR
This expert on deepfakes says we’ve reached the point where you can’t trust what you see on a screen. https://www.nytimes.com/2026/06/14/us/ai-deepfake-hany-farid.html
Sharing is caring.
Cool Jobs
Digital Forensics Expert Witness, LevelBlue. https://jobs.dayforcehcm.com/en-US/twh/CANDIDATEPORTAL/jobs/3110
Cool Tools
Listen to radio stations from around the world. https://radio.garden/
Search various sanctions lists for people and entities. https://www.opensanctions.org/
Irrelevant
Learn something - 1700 online courses from top universities, for free. https://www.openculture.com/freeonlinecourses
Sign Off
I’ve enjoyed this year’s NCAA Baseball World Series. I know we’re currently in the throes of soccer mania, but baseball is still the greatest game. Congratulations to the Oklahoma Sooners on their win!
See you all next week.
Matt
“A LIFE SPENT MAKING MISTAKES IS NOT ONLY MORE HONORABLE, BUT MORE USEFUL THAN A LIFE SPENT DOING NOTHING.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.

