Threats Without Borders - Issue 118
Matt's Cyber-Financial Crime Newsletter, Week ending February 19, 2023
Years ago, before most of us had ever heard the term DDoS, I investigated a case of someone continuously calling a restaurant to tie up their order line for hours on end. It was hundreds of calls per day, which completely exhausted the employees. Imagine the phone ringing minute after minute with just dead air when answered. And you had to answer every call because you didn’t know which call was a legitimate customer trying to place an order and which was the hoax. The customers were equally exasperated by the continuous old-school busy signal when trying to order their favorite Lo Mein.
A Trac phone with a few hundred pre-paid minutes - the original Dedicated Denial of Service attack. So simple. So effective.
I recognized the power of the denial-of-service tactic because of that incident and became an early forecaster of the DDoS cyber attack. “Want to lose an hour? Ask Matt about DDoS” became a workplace joke. Someone in the office would usually shout out “DDoS them” when one of us would become frustrated on a phone call.
Unfortunately, I was correct as DDoS attacks have become a particularly devastating cyber-offensive. Small and medium businesses that can’t afford mitigation protections are notably tormented and damaged.
FS-ISAC and Akamai released a must-read report titled “The Evolution of DDoS: Return of the Hacktivists”. The method has been commoditized, of course, so anyone can use a DDoS-as-a-Service to target an adversary…or competitor.
https://www.fsisac.com/hubfs/Reports/EvolutionOfDDoS-ReturnOfTheHacktivists.pdf
Why no controls
It’s a regular occurrence that I write about an insider theft case and ask “why no controls?”. I know why there weren’t any controls, but it still rattles my mind. Every-single-time. In this case, two separate church parishes shared a business manager. She stole from both to the tune of $153K. Why no controls? https://www.justice.gov/usao-sdil/pr/former-account-manager-two-churches-belleville-sentenced-embezzling-funds
Not Just Venmo (probably)
The SANS Storm Center published a post recognizing the increase in phishing attacks targeting Venmo credentials. I’m sure it’s not just Venmo being targeted considering the explosive use of cash transfer services. PayPal has always been a top target, but Cash App, Zelle, and WorldRemit users are surely being targeted also. https://isc.sans.edu/diary/rss/29542
If you can get one…
I have been trying to get a Flipper Zero for months but the devices are hotter than Cabbage Patch Kid dolls circa 1984. The device is a sub-200 dollar hacking pen-testing tool that does all kinds of magic. In fact, as these researchers found out, the device paired with an old security camera can make your commute more tolerable by manipulating traffic signals. Yes, it’s probably illegal. Maybe? https://www.thedrive.com/news/hacker-uncovers-how-to-turn-traffic-lights-green-with-flipper-zero
Easier said than done…
Now that I’m separated from law enforcement, I can slightly step back from the official “Don’t pay the ransom” dictate that we were all obligated to uphold. “We strongly, strongly discourage paying the ransom,” said FBI Director Chris Wray to an audience at Christopher Newport University last week. I’m sure that Mr. Wray has never had to personally tell that to a small business owner whose company’s computer network is completely destroyed. Or had to see the mental and physical anguish these small business owners go through watching everything they have spent a lifetime building be threatened because of one mouse click.
Technically, politically, and as a law enforcement policy he is correct. We should not be feeding the beast. But it’s really, really hard to explain that to a ransomware victim and makes you look like a tone-deaf, heartless asshole when that’s the only direction you give to someone who is so vulnerable and hurting. And really has no other option.
This is why awareness and prevention are so crucial. We need to keep these businesses left of bang so the decision doesn’t need to be made.
The Rest…
The town of Hilliard, Ohio fell victim to a Business Email Compromise scam and lost $218 thousand. https://abc6onyourside.com/news/local/city-of-hilliard-investigating-following-phishing-incident-money-lost-hilliard-police-investigation-email-phishing-scam-finance-department
Help Wanted! Criminal organizations need skilled talent too. https://www.dice.com/career-advice/cybercriminals-increase-recruiting-tech-and-it-pros-across-the-darknet
Microsoft is doing what you should have done years ago. Ripping Internet Explorer from your computer. https://www.wired.com/story/microsoft-removing-internet-explorer-from-pcs/
Cool Job
Director of Investigations - Organized Retail Crime, Walmart (you might have to move to Arkansas) https://careers.walmart.com/us/jobs/WD1383959-director-investigations-organized-retail-crime
Head of Fraud (Remote) - Hopper https://jobs.lever.co/hopper/85db6903-ac67-4fce-99a3-e525adbc00aa
Cool Tools
Search within YouTube subtitles - https://filmot.com/
Forget copy and paste - extract the data from any website. https://simplescraper.io/
Irrelevant
A new study shows what happens to stolen bicycles. https://news.mit.edu/2023/where-do-stolen-bikes-go-0215
I wanted to be a carnival worker and travel with the County Fair when I was younger. The Tampa Bay Times looked at the life of some carnival workers. Maybe I should have stuck with the plan. https://www.tampabay.com/life-culture/2023/02/17/carny-carnival-workers-pay-jobs-lifestyle-travel-florida-state-fair/
Thanks for opening this week’s email and giving me a few minutes of your time. I appreciate your support! Please consider sharing the newsletter with friends, family and colleagues. Or enemies.
Yahoo mail regularly drops the newsletter. I have a Yahoo email test account and it doesn’t get the newsletter more than it gets it. If you are subscribed with a Yahoo mail account please consider changing or using the Substack app.
Matt
“STUBBORNNESS WHEN WELL APPLIED BECOMES PERSEVERANCE.” - or makes you write a newsletter.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.