Threats Without Borders - Issue 73
Matt's Newsletter, Week ending April 10, 2022
Hi, I’m Matt and welcome to the Threats Without Borders Newsletter. A subscriber recently asked where I get the content to fill the newsletter each week. I’ve read it! I spend 10-15 hours (or more) each week reading and keeping up to date (seriously, I’ve tracked it). Items that I find the most interesting are saved to a note that becomes the newsletter. I joke with my co-workers “I read the Internet so you don’t have to!”.
Substack has released an iOS application that makes it easier to consume newsletters on your iPhone or iPad. (An Android application is allegedly coming soon.)
Get me the info
Every so often I’m inspired by the mechanics of a brilliant fraud scheme. Of course, that means the investigation that brought it to an end must have been even smarter. This is such a case. Two men have been sentenced to a combined 13 years in federal prison for a scheme that netted over 1.5 million dollars from Apple. Part of the scheme involved one of the actors “stealing Apple point-of-sale devices, known as ‘Isaacs,’ from an Apple store in Southlake, Texas. He then sat outside the store, logged onto the store’s Wi-Fi network. From there, he loaded thousands of dollars worth of store credit onto Apple gift cards.” How did he steal the devices? How did he get into the store’s secured Wi-Fi network? How did the FBI make the case against them? Please contact me if you know, or know any of the agents involved. https://www.macobserver.com/news/two-men-sentenced-to-a-combined-13-years-imprisonment-for-the-1-5-million-apple-gift-card-fraud/
Cash App loses customer data
Cash App notified the SEC that a former employee returned to the network and exfiltrated the personal data of over 8.2 million U.S. customers. “While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended.” HOW DID THEY GET BACK IN? So many organizations are horrible at policing former employees and their access to company networks. By the way, Cash App is completely uncooperative with law enforcement. Well, maybe not uncooperative, but assisting law enforcement certainly isn’t a priority. It is well known within LE that the return time for legal demands is measured in months. I recently waited four months for information demanded through a search warrant and have heard from other investigators who have waited as long as six months. Is it ironic that they now need law enforcement assistance to clean this mess up? https://mashable.com/article/cash-app-security-breach
The Payment Card Industry Security Standards Council (PCI SSC) has released an updated Data Security Standard (DSS), referred to as Version 4.0. The important component of the new standard is that PCI DSS 4.0 aligns with the NIST guidance on digital identities for authentication and life cycle management. It also calls for greater use of Multi-Factor Authentication (MFA). We’ll see. https://www.darkreading.com/edge-articles/what-s-new-in-pci-dss-4-0-for-authentication-requirements-
But what was his score?
You have to give the guy some credit: he was hustling, making almost $250,000 by taking the SAT, ACT, and other exams for other people. Literally a professional test taker. Using fake ID cards, the guy would sit in for the students who registered for the exam. In some cases, he got hired to be the actual proctor of the exam and would change answers. The indictment is for mail fraud, but who was actually defrauded? The school? How? Because they eventually enrolled a sub-standard student and a cheater? Or the person paying him to take the test, if he didn’t get the agreed-upon score? https://www.justice.gov/usao-ma/pr/test-taker-college-admissions-case-sentenced
They created over 36 different YouTube channels to run a cryptocurrency scam that netted over 1.7 million dollars. https://www.infosecurity-magazine.com/news/youtube-fraudsters-crypto-giveaway/
RiskOps business Feedzai claims to have observed a 202% increase in in-store credit card fraud in the state of Florida. I’d like to read the details but don’t feel like giving away my information to their marketing team. Maybe you will. https://feedzai.com/blog/q2-2022-financial-crime-report-the-riskops-age/
Unsure if it’s a slow news day or if synthetic identity fraud is really just hitting the Detroit area, but this article claims it to be novel. https://www.detroitnews.com/story/news/nation/2022/04/09/thieves-hit-new-scam-synthetic-identity-fraud/9511165002/
Business Email Compromise (BEC) is the costliest of all cybercrime (of course Tw/oB readers already know this). https://fortune.com/2022/04/09/accounts-deceivable-email-scam-costliest-type-cybercrime-fbi/
Senior Director of Investigations - International Rescue Committee
Senior Manager of Fraud - Uplift
LinkedIn OSINT Techniques - https://github.com/sinwindie/OSINT/blob/master/LinkedIn/LinkedIn%20OSINT%20Techniques%20Part%20I%20and%20II.pdf
Paul Graham (Y Combinator founder) compares heresy to cancel-culture: http://paulgraham.com/heresy.html
Thank you for reading. Please consider sharing with a colleague to help the newsletter grow.
Shank’s Law – “There is no idea so batshit insane that you can’t find at least one PhD scientist to support it.”
Before you go - PhishLabs shared the 67-page “2022 Cyberthreat Defense Report” published by the CyberEdge Group. It’s well worth the time to read for those of you in security or DFIR.