The accounting guy at an office I've worked for once got a spoofed email from the CEO asking for bank account info to initiate a wire transfer. Thankfully, the first thing he did was bring it to me to verify authenticity. "This doesn't sound like [our CEO]", he said. "It's not rude enough."
We've gotten them too. I think we would have caught it regardless but we've always had the bank require two officers to sign off on any transfers anyway. Seems like the hassle is definitely worth it compared to losing millions of dollars.
This has happened at two companies I worked at, that were caught at least. The first was "I thought he already booked his hotel" and the second was "The CEO wouldn't be writing in this [local] language, he'd probably be using English".
We get this daily. Another admin and myself tend to play around with them and waste their time. They do a very good job of spoofing us, buying domains very close to ours, etc.
> "We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information."
I'm glad to see that PDF is still a safe format....
Or other equivalent tech. We achieve something similar by activating hot standby VMs on remote servers to launch certain file formats. It was slow at first but now opening it is somewhere around 500ms-1s so it is not a burden on the end user and just fades into the background.
Without getting into too much detail, it is end-point driven. The user says "I want to continue doing this thing" and it proceeds in a more secure manner completely segregated from your desktop. If you had a generic mechanism to be able to open, say, a browser or Acrobat, or whatever else you felt like in this manner you could dream of the ways you might integrate it into the end-point.
UK, up to last year at least, requires Adobe Reader 9 for companies to submit accounts for standard tax and corporation tax. Doesn't work in Okular, etc., because there's an elaborate crypto signing process as part of the form. Not sure why it's not just a standard web form like much of the SME tax return system. A later version might work on other OS, but AR9 was the most recent I could install on Ubuntu.
... actually now I'm wondering whether the new "real time" PAYE system has backdoors??
Does it? ElSter works with JS (and a local authenticator program that interfaces with your smartcard) nowadays, too. Java or ActiveX were only required many years ago.
Well at least the scammers got more savvy, the previous template they used was really bad, AKA:
"I am Prince/Ambassador/Prime Minister from <InsertRemoteCountryNameHere> and my funds <InsertBigAmount$$$> are locked in <BigForeignBank> (...)"
Also, taking down a scammer operation is quite a noteworthy endeavor! But, let's not forget the "reverse-scammers" are also doing a public service:
There's one where he gets the scammers to dress up and take pictures to prove who they are ... you can't make this stuff up :) I'll try to find the link.
> "We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information."
Wait a second? If you are doing a Wire Transfer, it means you have the Scammer bank account name, routing number and IBAN.
How, in hell, is this not enough to identify the fraudsters?
Receiving 3 million USD in your account from a foreign account doesn't trigger any bells? I assume the false credentials account is, probably, brand new and the person is unknown to the agency/public.
There is a scam where a Nigerian prince says he needs your help, he will send money to your bank account and needs you to withdraw that and send him cash. Of course he will let you keep a portion of the money for your trouble.
Only in this scam the prince actually sends you money, so you gladly send some to the prince and keep the rest.
Of course, the cops then want to know why the money from some poor guy's life savings ended up on your bank account...
Because in many countries, banks are poorly regulated and opening a fraudulent account or bribing someone at the bank is simple. This is why wire transfers to eastern Europe, Russia, and the Middle East get mandatory 3+ day delays for fraud checks by most Western banks. At least for non-trivial amounts.
(Using a throwaway for obvious reasons here.) I couldn't agree more. Lately I've been taking down scammers left and right. For instance, my wife got a text recently trying to phish Bank of America accounts. She gave me the URL, and I emptied their database and took the site offline. These people are straight-up evil.
It may seem like I was doing something pretty obvious: preaching to the choir. But it takes intention, effort, skill and at least some passion or anger to drive motivation to follow through on something like this. It's worth saying out loud that it's an act of heroism.
When you do something like this, a mistake -- even a minor one -- can turn you from a heroic vigilante into the hunted.
The point of an indictment is to indict you, but people generally talk about accusations as if they're fact. That would give me pause before executing a plan like this, no matter how moral.
For example, ta_the_gray didn't use Tor, or else their comment would be marked dead. That means they're putting a lot of faith into HN to conceal their IP address. Hopefully they used Tor -> VPN -> HN, but even then, how did they pay for the VPN? Stuff like this takes a lot of training and preparation to pull off flawlessly.
Of course, if you live outside of America, your situation may be different.
I'm in the U.S. and I've never been a hero of any sort, just to clear the air on that. :-)
This is my last post of the night so I don't have time right now to read all that you mentioned and maybe it's not necessary. You're saying that going after a cracker or scammer or other douche bag of this sort can easily backfire on you if you make a mistake? The conclusion you make then is don't do it? I'm not even disagreeing if this is what you're saying. If it's truly not so much heroism as I claimed but in fact reckless stupidity then I'll concede the match on this point.
Honest question: Are there many efforts made by domestic organisations which can seriously discourage this? e.g., if a megacorp gets screwed out of $10m, it's likely to attract police, FBI, etc interest. But if you're a small business, I imagine you have minimal protection and zero recourse, right?
What could be done in pursuing or discouraging this sort of thing?
IMHO, the biggest issue is that attacks usually appear to be coming from 'not-so-cooperative' countries (eg, Russia, China). Even if the attack is not based there they can make it appear so (eg, via proxy/VPN). That makes it difficult for US police to track down the criminals without involving Interpol or using some other means of cross-country police cooperation. And that usually means it has to be a really big fish to catch.
So best solution is still prevention and education.
So, is it effectively an unsolvable problem given the current situations with email and banking and so on?
As the other respondent indicated, you can lock down your domain but if the whaler registers yourbuslnessdomain.com, they'll catch someone. "Sorry, I've had some trouble with my email recently and IT haven't been able to get the authorised designation appearing, you know how they are! Anyway, I've been working on a contract with Penske for months as you probably heard and unfortunately their lawyers have accelerated the process to the first stage. I need you to organise the initial cash transfer..."
Susceptible to the same social engineering. "My PGP thingy isn't working right now. We could wait until IT have fixed that but I'm worried that we're going to run out of time."
I'm aware that Nigerian scammers supposedly fill emails with typos to eliminate clever marks, but if scammers could more accurately emulate emails/styles and write more convincingly in English, I think we'd see a lot more people scammed.
PGP prevents the user from overlooking the domain/email from where the message came. Educating users and introducing policies (mandatory PGP, etc) minimizes the possibility of someone performing these kinds of social engineering tricks. After all, people are always the weakest link, and you can't fix people :)
If companies used tighter email authentication that would sure help. It'd at least make it harder to spoof from addresses. SPF, DKIM, DMARC, the basic stuff. Alas, the douche bags can find a domain name that's close enough to fool some people, though. Fully implementing email authentication at least makes the implementor a less desirable, harder target.
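An added example (not from this thread) of the two checks the comments above describe, run over constructed mail headers: a From address in the company's own domain is judged by the DMARC result, while a lookalike domain such as yourbuslnessdomain.com is caught by folding confusable characters before comparing. ORG_DOMAIN and the header samples are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "yourbusinessdomain.com"  # assumed: the organisation's own domain

# Constructed sample headers, as the mail gateway would see them on delivery.
GENUINE = """From: CEO <ceo@yourbusinessdomain.com>
Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass
Subject: Q3 numbers
"""
SPOOFED = """From: CEO <ceo@yourbusinessdomain.com>
Authentication-Results: mx.example; spf=fail; dkim=none; dmarc=fail
Subject: Urgent wire
"""
LOOKALIKE = """From: CEO <ceo@yourbuslnessdomain.com>
Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass
Subject: Urgent wire
"""

def normalise(domain: str) -> str:
    # Fold characters that read alike in most fonts (l/1/i, o/0, rn/m).
    return domain.lower().replace("rn", "m").translate(str.maketrans("1i0", "llo"))

def sender_domain(raw: str) -> str:
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()

def auth_results(raw: str) -> dict:
    hdr = message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr))

def classify(raw: str) -> str:
    dom, res = sender_domain(raw), auth_results(raw)
    if dom == ORG_DOMAIN:
        # Our own domain in From: only a DMARC pass says it really came from us.
        return "ok" if res.get("dmarc") == "pass" else "spoof-suspect"
    if normalise(dom) == normalise(ORG_DOMAIN):
        # Attacker-registered lookalike: SPF/DKIM/DMARC all pass because they own it,
        # so the domain comparison is the only thing that flags it.
        return "lookalike"
    return "external"
```

The lookalike case is the one email authentication cannot help with: the gateway has to compare the sender domain against the company's own, or the human has to.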
Jesus, no kidding. You'd think that at least a phone call to verify. Presumably, with that much money involved, it's worth a few minutes on the phone for each one.
I think a lot of businesses have this or something else coming. There is such a massive indifference to security around in certain companies that reporting legitimate issues will feel embarrassing.
I agree. Frankly, I think most people don't give a fuck about security. I can't explain why. If all this shit was happening at gun point, we'd have declared a massive national emergency by now. But because it's "cyber" it does not seem to freak the fuck out of people like it should. I wish I understood.
From my experience, it's a combination of "What's the worst that could happen", "It wouldn't happen to us", and "That's what we have insurance for". Not the most reassuring thing.
Yes, and the cost is borne by the users. This point made a lot more sense when a credit union in my home state of Oregon sued a fucking noodle chain for a breach that ended up costing the credit union a lot of money as their customers were affected by the breach. The credit union is suing the noodle company. The noodle company probably didn't really worry too much but between the lawsuit and the bad publicity, I have a feeling they're going to place a higher value on security. I never went to that noodle place but it made me realize how many places our data lives. The fucking noodle house can turn your life upside down if they don't have their act together?!
http://www.scmagazine.com/class-action-lawsuit-filed-against...
> Those Windows 10 password hashes only last a few hours when subjected to tools like John the Ripper.
Is this on a single Xeon or high end GPU or some enormous equipment farm? How can Win 10 have such a fast hash? Let me guess, backwards compatibility with some ancient windows release?
Raw NTLM, and yeah, it's not terribly fast, but it's relatively simple to get up to gigahashes a second (I've got a box that churns out 21 GH/s on raw NTLM). Plus, it's not salted, so it's trivial to just grab every hash and crack them all at the same time. Just keep in mind that you are unlikely to get a raw NTLM unless you've pwned a machine. Network sniffing and spoofing will get you a NetNTLMv1 or v2, and they are much slower, and salted.
Are cops actually prepared for this sort of thing? If you handed them the information and was like "Here's a hacker, take them down." The cops have a division or something for cyber security enforcement or whatever? I'm just asking as I don't imagine police officers being the tech type regarding hacking.
Even if they were prepared for cyber crime, would they be prepared to act on information you give them? Sure, if you supply law enforcement with the location of your recently stolen electronic device they will go after it (as I've had them do twice now). That's pretty straightforward. On the other hand if you give them the details of some purported fraudster, of whom you are not even a victim, a thorough investigation would be necessary prior to any action on their part. At least I'd hope so, otherwise there's a whole new genre of swatting (i.e. framing unsuspecting victims as black hat hackers) that has yet to be exploited.
I'm just concerned if they have the technical know-how of doing it. I mean yeah what you said is right. The proof. Otherwise going after somebody who might be innocent.
You should go ahead and call your local police department. Chances are that they don't deal with cyber crimes unless you live in a large city (or if your city contracts with a larger police department).
There's also the issue of jurisdiction. If the crime is originating across some border (which more than likely it is), there's probably not much they're willing to do about it.
Ran an image hosting website, "hackers" uploaded some nasty content over Tor, I gave law enforcement the exit node IP addresses but really there wasn't much they could do. It depends on the amount of information available I guess.
What do you do for checking what is uploaded? Do you use a service like Amazon Mechanical Turk and have people go over the content or do you use something like computer vision?
Exit node ip, that's the last ip-address right? There was something in PHP I did recently that did that, gave you the last ip. Maybe I'm mistaken.
Are "cops" prepared for handling multi-million dollar frauds in general? The people reporting this sort of activity aren't wandering into their local police station, they will have the right contacts with the right parts of the state / national agency responsible. Fraud in (almost) any form isn't dealt with by the police officers you interact with on a daily basis, just like other serious crime.
Like a lot of things, I'd imagine the capability varies tremendously among the different police departments. I wouldn't be surprised if New York or London police have sophisticated detectives dedicated to cyber-security. (I also wouldn't be surprised if they're still woefully outmatched, either)
Meanwhile, if I were to deliver this info to my local police department, I have very little faith they'd even know what I'm talking about.
That doesn't seem like something which'd make sense at the local police level though, as chances are high it's international, or at the very least interstate. I would think (when the local cops don't just decide to ignore it) this kind of thing gets escalated to the feds.
The problem is those experienced police officers can earn more in the private sector and police forces tend to have difficulty keeping staff - also, as the FBI has found, recruiting cyber spooks is difficult.
Sometimes you send money to the account of another victim. This other victim is told to withdraw that money and mail it (cash in an envelope) to the real hackers.
And the international banking systems in place, with all their power and money, are somehow unable to roll back transactions when it comes to multiple banks.
Someone pretending to be the CEO emails the CFO, CFO makes the payment. As mentioned they usually compromise the email system first and look for similar requests, this way they know what sort of format the CFO is expecting and the figures that they deal with, try to make it look as usual as possible.
> I wonder if there was a situation where a hacker fell for his own trap.
I once booby trapped the kitchen sink so the sprayer would shoot whoever turned on the water next... But then I forgot about it and went to wash a dish.