Hackers Track Down Banking Fraud
An anonymous reader writes "Noticing some commonalities in the spam flooding their email
in-boxes, a small group of hackers set out to track down who was
responsible. Along the way they uncovered a trail that led them to an
organized gang of criminals halfway around the world, and right back
to some of the largest financial institutions in the US, and their
customers, that became the gang's prey. See the SecurityFocus story for more details."
There will be a special on the Discovery Channel titled "Full Inbox" Nov 28th at 7:00pm with this very topic as its subject. I did some post production on the special, and it really is an interesting and well-filmed film.
...that most hackers are just out to do good. The stereotype that hackers have gotten is ridiculous, and largely due to a few notable individuals who do malicious things (steal credit card numbers, etc.), and I believe that hackers are a primary security measure of the society of the internet.
Think of them as citizen-cops, they find the bad things and patch them, report them, these are the guys who we should praise, not put down. God Bless the white hat hacker.
...why not pour some of the FBI budget into funding Linux training camps throughout the nation?
These hackers need to be prosecuted. This is unacceptable.
Its about time the "hacker" community gets some positive news, just one more step to remove the "cyber-terrorist" label the news/media has created
If computers ever fails you economically, welcome to law enforcement.
Seriously, law enforcement needs much more of this. I can't name the last time I met a cop who understood computers at all.
One would think that if you want to run a successful scam that looks like it came from a legitimate source, you wouldn't word e-mails like
"and PIN that you use on ATM."
"becaurse some of our members no longer have access to their email addresses and we must verify it" (misspelling / run on sentence)
This reminds me of Cliff Stoll, an astrophysicist who moonlighted as a sysadmin at UC Berkeley, and noticed a discrepancy of a cent or less in the CPU time accounting system.
I won't spoil the story, but see if your local library has a copy of The Cuckoo's Egg (by Stoll). His more recent book, Silicon Snake Oil, discusses the falsities behind throwing technology (computers) at people, particularly in schools, for example... and was also quite good when it came out (and schools were dumping boatloads of $ into computer labs which sat mostly empty).
He's humble, intelligent, well educated, writes fun-to-read stuff... one of the computer scientists (and physicists) I respect the most, far above all the three-letter personalities.
Yeah, that is how some spammer involved my domain in their spam. http://www.disney.com:gotzthmas@www.slashdot.org
Recently I've seen a marked increase in things like this for PayPal as well as the main UK banks including Lloyds and Barclays. People are definitely getting more aggressive to get your details.
Also the emails are getting "smarter" in that they look more like the place and making use of the old http://www.domain1.com@www.domain2.com which for a newbie can be very easily misread
Rus
Along the way they uncovered a trail that led ... right back to some of the largest financial institutions in the US
So have they been arrested and charged under the DMCA for divulging weaknesses in the financial system?
If I walk up to you, and say "Hi, I'm with Citibank, we have a problem with your account, we need to verify your account number and PIN, please write it down on this piece of paper and give it to me." I'll get a punch in the mouth. Yet when the average user gets a call or E-mail asking for this info, it's handed over.
You know who I think is crazy? All my ex-girlfriends!
...is that Citibank apparently didn't even care. When someone sent out spams attempting to scam people with accounts with Sony Financial Services, I contacted them about it and they promised they'd have someone call me first thing next day. They never did.
I don't like to say this, but if they are indifferent about this sort of crime now, they are going to have no chance of fighting it.
Honorary Member of Jackie Chan's Kung Fu Process Servers
I wouldn't call what they were doing exactly "hacking". They simply ran some lookups and other simple discovery tools a person would use as preparation for an attempted hack. They never performed any exploits though, like actually trying to access the web server in Russia to see what information they actually had...
If you saw him on the petty thief, Larry King show, you'd also know Stoll to be the nerd's nerd.
SDINet Lead Coordinator
Yo Momma
the 419 fraud isn't a Ponzi scam.
A Ponzi scam is where you take money from new "investors" and use some of it to pay an apparently high return to your existing investors, grabbing the rest for yourself. Everybody's happy until (inevitably) you run out of new investors and the whole thing falls apart.
The 419 fraud involves a promise to transfer $millions into the victim's bank account, for some trumped up and obviously rather dubious reason. At the last minute you ask the victim to pay a "transfer fee" of perhaps a few $1000. You then vanish with the "transfer fee", never to be heard of again.
I'm going to make a showing of good faith and splay open all of ports like a pr0n star... ...not!
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
We lost control of the word "hackers" a long long time ago. It has been more than 10 years since the horse left the barn, stop whining about the open gate.
...so here it is for the unlucky. There were a few pictures, and text examples I removed so it wouldn't get too big, but it's mostly intact.
----
1 Overview
Not all people that send undesirable email (spam) are the same. Their motives differ as greatly as their tools and technical abilities. This document uncovers a spam gang who seeks to acquire your banking information, and the response from one of the targeted victims: Citibank.
This document describes the unique bulk-mailing tool used for the recent rash of financial email scams. These scams target financial entities such as Citibank, Wells Fargo, Halifax Bank, eBay, and Yahoo. Only one specific spam gang uses this tool for these financial scams. This spam gang started slow with only a few members, but has increased in both gang membership and spam volume.
All emails and headers are provided unmodified with the following exception: all personal information has been modified to protect the identity of the recipient. These modifications are denoted with bold and underlined typeset. Every effort has been made to retain the same data format without disclosing personal information. For data taken from the public domain, such as newsgroup postings and messages from open forums, no effort has been made to modify the data or protect the publicly disclosed recipient.
2 The Citibank Scam
With the growth of online banking comes online fraud. These schemes vary from web sites that "look" like the actual financial institution to email asking for personal banking information. At first glance, the email below (Fig. 1) looks like just another one of these simple bank fraud schemes.
At a quick glance, this email appears to be from Citibank, as it contains a Citibank URL. But a closer inspection indicates a financial scam:
* The email contains multiple misspellings and grammatical errors, such as "becaurse" and "This automatic email sent to:".
* The content contains hash-busters (unique characters in the contents that are used to bypass hash-based spam filters). For example, the "-t-" and "K" in the main paragraphs, and the "y" and "C" before the long lines of hyphens. Different recipients received the message with different hash-buster characters.
* Although the included URL begins with "www.citibank.com", it actually goes to "sd96v.pisem.net" [ref 1]. This server is hosted in Moscow, Russia and is not part of Citibank.
* The email header does not originate from Citibank. Instead, it originated from a DSL system in Italy. Network scans of this host (Appendix A) indicate that the system was likely compromised.
People who clicked on the link saw the Citibank web page and a popup that prompts for login information (Fig. 2, Fig. 3). Although the Citibank web page actually came from Citibank, the popup came from a non-Citibank server. Victims that entered banking information in the popup essentially gave their accounts to an unknown scam artist.
2.1 Mass Mailing Revisions
The 29-Sep-2003 mass mailing (Fig. 1, Fig. 2, and Fig. 3) is actually the second revision of the fraudulent bank emails. The first revision appeared on 16-Aug-2003 and asked the recipient to view new banking terms and conditions. Users who clicked on the link were redirected to a server in China. The first revision included the recipient's email address as a field in the URL. The second revision replaced the address field with a series of random characters. The popup for the second revision only asked for the user's Card and PIN numbers. The third release on 25-Oct-2003 (Fig. 4) was revised to prompt for the user's Card number, PIN number, and expiration date.
In nearly every case, a Russian server was used, either to host the requests, or to act as a web-bug and count the number of hits. For example, the web bug from the first revision can be found here. According to this web-log, there were 107,274 hits on 16-Aug-2003, and 91,573 hits on 17-Aug-2003 (Fig. 5). These were primarily due to responses to the first sp
If you haven't RTFA, I suggest you do. Here's why:
After nine years on the net, this is the first scam that I believe I might (though probably not, as I always show the address bar and look for the secure connection icon) have fallen for.
Having your web browser load Citibank's home page, and then swiping the info via a rogue pop-up is the sneakiest tactic I've seen.
Even the link in the email appears to be from Citibank upon first glance.
An exceptionally clever and well-crafted scam.
__ Someday, but not this morning, I'll finally learn to use the preview button.
to see that not all h4ck0rz are bad ppl, i feel much safer now while reading /.
What happens if someone replying to one of these scams fills in the information but doesn't hit the submit button? Can the scammers still obtain the information?
In this scam a pop up with no navigation and no URL box was presented to the user on top of a genuine web page. This confused the user into thinking the pop up came from citibank. Advertisers like such pop ups because it locks the user into a path specified by the advertiser and obscures the source of the ad. Some web designers like the format because they think it's looks less cluttered.
Most modern web browsers can be set to block pop-ups, force navigation, or always display the URL. Many advertisers whine that this is unfair. So what. What is even more amazing is that generally responsible companies, such as eBay, will create pop-up screens with no URL and no navigation, thereby setting a precedent that allows such fraud.
The same is true for images from a third-party server. It is useful for advertisers to set web bugs and large-scale rotating campaigns. It is even useful for websites to distribute load. It also introduces security issues.
Which is just to say that many on /. would say that the luser should be more careful, and stupid people deserve to be swindled. But I have seen financial organizations use pop-ups and third-party ads to push product to their customers on the customer's financial information page. This is a page that should only contain sensitive information, not irrelevant content. The banks are willing to compromise security to push products. And then the banks complain that customers are to blame.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Paying hackers to track down scammers and spammers.
They seem to be a lot better at it than law enforcement.
No, this is not a troll...
*sigh* whatever...
I don't know the meaning of the word 'don't' - J
...PC Plod is still trying to work out how to use his mouse. Heck, these scammers are becoming really blatant in their activities, and law enforcement seems completely unable to act...
"You lied to me! There is a Swansea!"
The thing that makes this possible is the HTTP 303 error. Is there any way to detect the 303 when someone comes to your site to determine if it's legitimate or not?
Otherwise it seems there is NO way to protect against this (except smarter consumers... Like that's going to happen!).
Tell their customers that they will NEVER correspond with them via email and will NEVER ask for their ATM pin number over the internet in any shape or form. My bank did this when I signed up for online banking. This is of course obvious to 99.999999% of the /. crowd but to everyday common people (read stupid) this might not make sense or be obvious.
...because more stories like this would only help the word "Hacker" gain a better stand in the public at large.
:)
Stories like this would be serious eye openers to my family and friends who seem to know nothing about computer fraud.
I submitted the story to a few local news agencies. Hopefully one of them picks up on it.
My work here is done
Life is like pants... fit in or you don't fit in.
Fair enough, but if your stink gets in my way, I really don't wish to smell it. Afterall, if we were to have a "stink contest", my stink would easily win. My stink is the stankiest stink that you've ever smelled.
It has won awards.
This stinks.
And not just because it comes from Japan.
I read the first line of the first header of this article and saw interbusiness.it. My advice: block or drop everything from interbusiness.it!
:-)
The 52 listings at Spamhaus tell enough about the hat colour of this company. Whoever wants to block interbusiness.it completely, go to blackholes.us. Here you find all the netblocks that belong to notorious spam countries (China, Taiwan...) or spam ISPs (verio.net, interbusiness.it...).
This page is my mailserver's best friend
NoSuchGuy
Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
...this seems like something that everybody should know. Modding it up would give it better visibility.
Take care...
Hackers should insist on being called Geek-Americans. That'll make them look much nicer, just like when the Chinese became Asian-Americans and blacks all over the world became known as African-Americans.
The Paypal scammers, with only your password, can literally take you for every cent you got AND every cent of credit availability.
And where is the mention of the origin of it all, the AOL phishers? I guess you only see it on AOL but it is a huge problem over there. The main purpose seems to use compromised accounts to spam AOL members from inside, it happened to my dad, who is still "not budging" from AOL.
The ideal solution would be a distributed deliberate response, using the form provided by the spammer, by the targeted companies, who could load predetermined user/pass combinations and disinformation (I have a script) into their database. When access is attempted using the provided login/password combinations, the criminal is detected in real time (he is not safe by proxying; he is still dead meat when seen in action. Logs will exist on the proxy servers to point right to him, the more the merrier.)
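The canary-credential idea in the post above, worked through as an added example. This is not the poster's script, nor code from Citibank or the SecurityFocus report. It assumes the targeted bank can create login names that no customer holds, submit them through the scammer's own form, and later scan its own authentication log for them; the log line format, the `c` plus eight hex digits username shape, and every address and timestamp are constructed for illustration.

```python
"""Canary credentials for a phishing form, and the detection behind them.

Added example (not the poster's script, not Citibank or SecurityFocus code).
Assumed workflow: the bank derives usernames that no customer holds, types
them into the scammer's popup, then scans its login log. Any use at all,
successful or not, is a hit, because only the scammer was ever given them.
"""
import hashlib
import hmac
import re
from collections import defaultdict

# Hypothetical log line format (constructed), e.g.
#   2003-10-26T03:14:07Z login fail user=c7f3a1b2 src=203.0.113.9
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def make_canaries(secret, count, campaign="citi-popup-2003-10"):
    """Derive `count` username/password pairs from a secret with HMAC-SHA256.

    Deriving rather than storing them lets the detection side regenerate the
    exact set for a campaign from the secret alone. The "c" + 8 hex digits
    username shape is an assumed customer-id format, not Citibank's.
    """
    canaries = {}
    for i in range(count):
        tag = hmac.new(secret, f"{campaign}:{i}".encode(), hashlib.sha256).hexdigest()
        canaries["c" + tag[:8]] = tag[8:24]   # username -> password
    return canaries


def find_canary_logins(log_lines, canaries):
    """Return one alert dict (ts, result, user, src) per log line naming a canary."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["user"] in canaries:
            alerts.append(m.groupdict())
    return alerts


def sources_by_canary(alerts):
    """Map each canary username to the sorted list of source addresses that tried it.

    The scammer may arrive through several proxies; this list is what you hand
    to the proxy operators and to law enforcement.
    """
    seen = defaultdict(set)
    for a in alerts:
        seen[a["user"]].add(a["src"])
    return {user: sorted(srcs) for user, srcs in seen.items()}


def demo():
    """Run the whole flow on a constructed log; returns (canaries, alerts, sources)."""
    canaries = make_canaries(b"campaign-secret", 3)
    c0, c1, _ = canaries                      # unpacks the three usernames
    log = [
        "2003-10-26T03:14:07Z login ok user=alice src=198.51.100.7",
        f"2003-10-26T03:20:41Z login fail user={c0} src=203.0.113.9",
        f"2003-10-26T03:20:55Z login ok user={c0} src=203.0.113.9",
        "2003-10-26T03:21:02Z login fail user=bob src=198.51.100.8",
        f"2003-10-26T04:02:19Z login ok user={c1} src=192.0.2.33",
        "not a login line at all",
    ]
    alerts = find_canary_logins(log, canaries)
    return canaries, alerts, sources_by_canary(alerts)


if __name__ == "__main__":
    _, alerts, sources = demo()
    for a in alerts:
        print(f"{a['ts']} canary {a['user']} used from {a['src']} ({a['result']})")
    print(sources)
```

A failed login with a canary name is as much of a hit as a successful one, which is why the detector keys on the username alone rather than on the result; the password only exists so the scammer's form accepts the submission.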
I believe that the word can be redeemed by doing good deeds under the label of being a hacker. Take for instance, "butcher". Technically, it just describes the profession of butchering meat. Yet, it is used negatively when describing killings. Yet, people understand what it means to be a butcher, & there are no significant negative perceptions of the profession.
I think that it can work out to be the same for the hackers.
Take care...
800-950-5114 is a working Citibank customer info phone number.
I just talked to a supervisor named Mr. Joseph, who said he does not work security, but that if there were any fraud perpetrated with the use of Citibank web servers that he would be aware of it, and that none such has been perpetrated. Essentially he is saying this story is fabricated, if I understand aright.
Any other citibank customers have any other results ? Does anyone know any more -- perhaps the story is a fabrication ?
I just read one of their articles, which sounded interesting:
http://www.securityfocus.com/guest/23028
but near the bottom I ran into a sentence that shocked me:
"Even when a Linux desktop system is properly configured with restricted accounts, there are simply so many local root exploits to pick between that the point becomes moot."
I can't imagine any respectable security person saying such a thing, or perhaps, I find it difficult to respect anyone who offers such a professional opinion. Essentially, the person does not believe in defense in depth, which frankly is a cornerstone of security, and has been for decades in respectable circles.
... TV movie?
-Valiss
...they should deliberately send out fake emails, asking the user to click around, which will bring up a page saying, "Tsk, tsk, tsk. You weren't supposed to do that. We could have been a criminal trying to get @ your information.". The company could keep sending out these fake emails until there are 3 in a row that aren't responded to.
It should be the company's responsibility to educate the user. If the user refuses to learn, then the company should reject the user, or prepared to be sued.
The idea is to burn them bad in a trusted environment, so that in the real world, they'll just delete & ignore.
Take care...
The article states several times that Europeans are poor writers (spelling & grammatical errors) compared to Americans. Obviously this is a pure hoax. I know well: I read /.
Did you read the entire article? I did. Yes, there was a lot of good detective work done, but I'm sorry, the perpetrators were NOT tracked down. No positive identification of the persons involved was made. Just some good initial leads. How does that mean they were tracked down?
...Much worse than "Citibank didn't care". Look down lower on the SecurityFocus report and you'll see that Citibank's own fraud reporting webpage appears to be compromised, they know about it, and they hadn't (as of publication date) tried to correct it. The email reply from the fraud page is itself fraudulent, and directs users to a nonexistent toll-free number or a private AOL email address, although it appears to come from Citibank's own servers!
Also, there's a CNET article about the August 16 version of the scam, reported on August 18, 2003. The article is supposed to be here at http://news.com.com/2011-10173-5065394.html?tag=mainstry
But when you check that link, it first comes up, then a second or two later gets redirected to a search page claiming that the article is "expired".
Strangely, the CNET search page (which searches on terms similar to the title) comes up with 2 flattering articles about Citibank's quality process, one dated 2002, the other dated 2000. Neither of those articles has "expired". Draw your own conclusions here.
For those who aren't too quick on the mouse, part of the text of the "expired" article is here:
SecurityFocus notes that Citibank should know the exact number of people who came to their website from the fraudulent redirection, although officials there claim not to know. It also seems unlikely that Citibank's systems were not compromised, considering the email replies that came from their "report fraud" webpage.
http://www.citibank.com:verify=@%73la%73hd%6ft%2E%6f%72g
Changes everything (adds spaces) so it isn't the same when submitted. Sorry the second link is broken. Remove the space between % and 6f.
I was recently (about 2 months ago) defrauded in the amount of $6000 in an Advance Fee Fraud. I realize most people will laugh at me for this, but some of these scammers can be particularly convincing. The scam in this case involved the purchase of my car (which was being sold online), and a cashier's check of an amount in excess of the agreed purchase price. This 'excess' was to be wired to the 'shipper', as the car was going overseas.
Anyhow, I decided to do something about it. I hacked into the email account used to defraud me, and followed a chain of emails and accounts that eventually led me to a handful of personal accounts. Each time I gained access to a new email account, I'd peek at all the emails inside and warn off any people who were being targeted from that particular account. After a month and a half of monitoring personal email, I gathered real names, relations, addresses and even resumes on those people involved. The particular 'ring' of scammers that got me is a family and friends affair, with the eldest brother of the family attending university in London, UK. His brothers and cousins (who live in Nigeria) work the fake email accounts and collect 'clients'. Once they have a deal made and personal information collected, they forward this to the ring leader in London, who contacts his sources to produce fake checks. He also takes over the email account, giving out a UK mobile phone number (changes often) to 'clients' who ask for one.
The money is sent in the name of one-time accomplices. These are people that the ring leader recruits to pick up money at Western Union counters. Once the money is picked up, he gives them a portion then splits the rest between himself, the cheque source and the relative who originally manned the email account.
Long story short: I have all this information, and don't know exactly what to do with it. I've tried to contact the London Metropolitan police anonymously (via email), several times, and have not heard back. I'm not sure if I should go to my own federal authority because what I've done to gather the information is illegal.
This particular scam has people involved in the US, Canada, the UK and Nigeria. I'm located in Canada. Any advice?
Surf with JavaScript off. Stops spammers of all stripes from trying to exploit your browser to cover their tracks. Check e-mail with a mail client that isn't stupid (i.e., Outlook), and allows you to toggle HTML rendering on/off so you can examine the underlying code (even better, get a client that only displays plain text.) Get a Mac to really screw up malware.
Unfortunately, the essential element, common sense, is what is tripping people up. Would your bank really contact you via e-mail to get your personal info? Would your bank call you up and ask for your personal info? They're your bank for chrissakes, they can get a complete profile on you just by asking the credit bureau!
Last note - the best way to prevent any failure in mental processes is to keep the mail from reaching the user in the first place. Spamassassin has done incredibly well by me ever since I trained the bayesian feature on a backlog of scam mails. I rarely get financial scam mails, instead now I have to fight soft-pedal scams that trip none of SAs hard-coded rules, but still score a bayes_99 score. Oh well...
They never say that Europeans are poor spellers, but merely that the grammatical errors in English from the emails are ones that native Europeans (other than the British, of course) would make. This refers to differences in the placement of symbols such as the $ sign (apparently, Europeans place the Euro symbol after the number, whereas we place the dollar sign before), and common grammar mistakes made by non-native English speakers of European nationality (as opposed to different kinds of English grammar mistakes made by non-native English speakers from other regions). Here's a penny, go buy yourself a clue!
they all ought to set up several honeypot savings and checking accounts just for busting thieves attempting to steal
... is currently being run by the U.S. Government. It's called Social Security.
that is not hacking, it is deductive reasoning... common sense gained from looking at logs, doing traceroutes and port scans.
still doesnt tell anyone who is doing what.
Mr. Joseph ????????
Sounds a lot like the 'Call Mr. Larry' ads to buy a car when you have no credit history.
Banks give me the creeps.
That's because you use the ignoramus definition of "hacking":
They never performed any exploits though, like actually trying to access the web server in Russia to see what information they actually had...
instead of the normal meaning, disassemble and understand. The people who figured out what was going on with their spam did a better job of understanding a scam than the people being scammed. It was damn good hacking.
Now run along and play with that scam site of your own and the Windoze crap that runs it. You, Bill Gates and Peter Tippett can fold that definition of yours till it's all sharp corners and stick it up each other's declining sales.
Friends don't help friends install M$ junk.
Don't people realize that you are allowed to have multiple bank accounts, and multiple credit cards?
I don't really consider myself all that paranoid, but I'm not about to link the bank account that has all my savings up with Paypal. The account I linked up could be accurately described as my "spending money" account, which means that if I'm compromised, they aint getting much and I aint losing much. Since I can just walk across the street and deposit a check from my real account, I have no need to link a credit card to Paypal. If I did, I would simply get a new credit card with a low credit limit. It's not like it's difficult to get a credit card, is it?
Actually, if you read the entire report, Citibank didn't do anything at all. In fact it says that the emails were from an employee that no longer worked there. They say that there was a cable modem in Delaware that was behind a firewall, and acted as a testing ground for this scam. Perhaps the former employee? Still, Citibank clearly doesn't care very much. They redirect further inquiries to an AOL account, of all things.
from article:
"A few hours later, a response from Citibank was received (Fig. 11). Unfortunately, this reply has a significant number of questionable aspects. In particular:
The reply discusses fraudulent email content that differs from the submitted email. The submitted content did not discuss money transfers, include a virus, nor contain an attachment, as suggested by the response. This could be due to specific content in a generic form letter.
The reply concludes with a static string of odd characters. These appear to be a hash-buster (used by spam senders to bypass hash-based spam filters) but never change. Strings such as this have not been observed with other official Citibank email communications.
The content directs further questions to a toll-free number: 1-877-4-MYCITI. Unfortunately, this toll-free number is not correct. People who call this number receive the following short message: "The number you dialed is invalid." The correct number, according to the Citibank web site, is different than the invalid number provided in the automated reply.
The content directs future fraud emails to be sent to a non-Citibank email address: hatsu1@aol.com. The owner of this email address is unknown. In no other Citibank web page or official Citibank email is a non-Citibank email address provided. Editor's note: as of 12-Nov-03, this email address is still used in Citibank's response.
"Cleatis Hawkins" signed the email. According to an operator at Citibank's correct toll-free number, Cleatis is a real person, but has not worked at Citibank for a few months. There is no evidence to suggest that "Cleatis Hawkins" is responsible or involved with the email scam or possible system compromise. It is unclear how his name became attached to the reply.
No aspect of the email headers appears forged. The reply from Citibank originated from the Citibank Development Center in Los Angeles, California (CDCLA). It is now left to the reader to draw his own conclusions from this email.
"
I'll just use my special getting high powers one more time...
No, he is NOT saying the story is fabricated, he is just saying "Citibank servers have not been compromised".
Citibanks servers are as secure as ever,
it's the gullible customers who have been compromised.
I got one of the fraud emails at work. I have a Citibank account, but never use my work email for banking, so I knew it was bogus right away. They just "got lucky" that I happen to be a Citibank customer.
Citibank has notified customers with an online message using their internal messaging to online customers while they are logged in to Citibank's web site, warning about these emails.
They also have a link on their homepage "about e-mail fraud" on the lower right that opens a java pop-up window that is just like the ones the fraudsters use!
It does have some info on different versions of the letters and lots of "advice" for determining if you may be a victim.
To stop this phishing technique, browsers ought to pop up a warning dialog for URLs with a username field (especially if it contains one or more dots). Something like:
| Alert -- Actual URL is:
|
| Domain Path: badpeople.hackedsite.ru/hahaha
| Username: www.citibank.com
| Password: verify=
This would at least highlight the real site the link is pointing to.
>;k
They are just the old "Spanish Prisoner" scam, exact same thing.
Also note that a "Ponzi scam" is usually referred to as a "Ponzi scheme", not a Ponzi scam.
I said 'hacked into their email', because I spent a week finding an honest to goodness flaw in Yahoo! Mail. This flaw lets me send a malicious email. When the email is opened, it is read like normal. When the page is left, the user is redirected to a "Relogin" screen, but the URL is still within the Yahoo! domain. After collecting the password, the user is forwarded harmlessly back to reading the email. That actually involved 'hacking'... Plus, I gained access to the ring leaders computer through his BT DSL account.
I've reported the crime to the RCMP, but the criminals are in the UK and Nigeria. I don't want to tell the RCMP the info I have, because what I've done is illegal.
The parent is NOT a troll.
The answer would probably be "both." Most cable networks have a Pacific feed that runs three hours behind the regular feed. That's why a lot of them say in their promos "Tonight, at 8 Eastern and Pacific."
"Also the emails are getting "smarter" in that they look more like the place and making use of the old http://www.domain1.com@www.domain2.com which for a newbie can be very easily misread"
That'd be a case of the client being dumber, and supporting this without putting up HUGE WARNING DIALOGS or (much better) just not supporting those forms of URIs at all.
When was the last time you saw a raw hex encoded IP that was not in a misleading spam? How about the domain@domain form you mention?
If something is used so little, and so easy to abuse, it'd be better to just not have it at all. That's proper security design.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
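The check that the two posts above ask browsers to do (show the userinfo part of a URL and the host it really connects to), as an added example that is not code from the thread, from SecurityFocus, or from any browser. It goes a little beyond the posts: it also decodes a percent-encoded hostname of the kind quoted earlier in this thread (`%73la%73hd%6ft%2E%6f%72g`), and a host written as a bare decimal, octal or hex number the way inet_aton reads it, which is the "raw hex encoded IP" mentioned above. The sample links, including the `0xd83ad4ce` address, are constructed for illustration.

```python
"""Show what a link displays versus where it connects.

Added example (not from the thread, SecurityFocus, or any browser).
Splits off userinfo ("user:pass@"), decodes a percent-encoded hostname,
and decodes inet_aton-style numeric hosts. Sample links are constructed.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# 1 to 4 dot-separated parts, each decimal, leading-zero octal, or 0x hex
NUMERIC_HOST = re.compile(r"(0x[0-9a-f]+|[0-9]+)(\.(0x[0-9a-f]+|[0-9]+)){0,3}")


def decode_numeric_host(host):
    """Return dotted-quad text if `host` is an inet_aton-style IPv4 spelling, else None.

    inet_aton lets the last part fill all remaining bits, so "0xd83ad4ce",
    "3627734222" and "216.58.212.206" all name the same address.
    """
    host = host.lower()
    if not NUMERIC_HOST.fullmatch(host):
        return None
    try:
        parts = [int(p, 16) if p.startswith("0x")
                 else int(p, 8) if len(p) > 1 and p.startswith("0")
                 else int(p, 10)
                 for p in host.split(".")]
    except ValueError:          # e.g. "09" is not valid octal
        return None
    widths = [8] * (len(parts) - 1) + [32 - 8 * (len(parts) - 1)]
    value = 0
    for part, width in zip(parts, widths):
        if part >= 1 << width:  # part too large for its field, inet_aton rejects it
            return None
        value = (value << width) | part
    return str(ipaddress.IPv4Address(value))


def triage_url(link):
    """Describe what a link shows the reader versus which host it really reaches."""
    if "://" not in link:
        link = "http://" + link        # urlsplit only parses a netloc after a scheme
    p = urlsplit(link.strip())
    host = p.hostname or ""            # part after '@', lowercased by urlsplit
    decoded = unquote(host)            # "%73la%73hd%6ft%2e%6f%72g" -> "slashdot.org"
    numeric = decode_numeric_host(decoded)
    flags = []
    if p.username is not None:
        flags.append("userinfo-present")
        if "." in p.username:          # userinfo dressed up as a hostname
            flags.append("userinfo-looks-like-hostname")
    if decoded != host:
        flags.append("percent-encoded-host")
    if numeric:
        flags.append("numeric-host")
    return {
        "shown_as": p.username,
        "password": p.password,
        "actual_host": numeric or decoded,
        "path": p.path,
        "flags": flags,
    }


if __name__ == "__main__":
    for link in [
        "http://www.citibank.com:verify=@%73la%73hd%6ft%2E%6f%72g/",
        "http://www.domain1.com@www.domain2.com/",
        "http://0xd83ad4ce/login",
        "https://www.citibank.com/",
    ]:
        r = triage_url(link)
        print(f"{link}\n  -> {r['actual_host']}{r['path']}  {r['flags']}")
```

The first two flags are the ones the proposed browser dialog would key on; a userinfo value containing a dot is almost never legitimate, since real HTTP basic-auth usernames are rarely hostnames, so it is a cheap and reliable thing to warn on.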
This kind of implies that Citibank has ONE person dealing with this sort of thing, and that one person uses AOL. It would be funny if it wasn't so pathetic.
If I was a Citibank customer I'd be on the phone to the Financial Services watchdog about now...
Unbelievable.
Here is a discussion dating from July about the fraud/virus. Note that "c1sissy" claimed to have spoken with Citibank, and was given the same email address (hatsu1@aol.com).
Maybe, just maybe, the letter from Citibank was legit, and they (citibank) simply didn't want people sending virus-laden messages to a Citibank email address? Or maybe c1sissy was in on the scam? Unlikely, imvho, but...
I think this is why there aren't more computer people in law enforcement. Relax the ban!
Hello. My name is John Turner.... I am the customer of AURUM INVESTMENT
;)
What? Former Canada PM trying to scam me?
Montreal - Best city to live in!
This is a common troll.
"I did post production on movie."
"I work for XYZ corporation, and we will have press release soon"
"I am a staff writer for XYZ journal, and in our new issue..."
No evidence, no content, just an empty, poorly worded promise for something to come that gets modded up without CHECKING.
(hint, it's not on at 7 PDT or EDT, in fact, it's going to be all thanksgiving re-runs, all day)
Every moderator who modded this up should get SLAUGHTERED in M2 for such stupidity.
Jesus.
Fuck Beta. Fuck Dice
Sadly, the only thing that corporations care about today is the bottom line. (This is the reason the Microsoft antitrust case was such a farce, by the way.) This story reminds me of the story about Kevin Mitnick testifying against Sprint in the Vice Hack Case:
Truly scary. Scary and sad.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
That depends on the vanilla level.
We need some type of email security protocol or system (such as the use of embedded digital certificates) to verify the source of emails. This type of thing might even prevent some of the spam. The only problem with this is that someone has to be trusted enough to be a central authority to issue the certificates. Who would that be? Say an international body or standards committee? In any case they would have to have some type of foolproof way of verifying that you are who you say you are before they could issue you a certificate.
It was as simple as changing the trailing l to a capital i. The domain name was PayPai (capital i to make it look like an L) -- PayPaI.com. It looked similar to PayPal.com in IE's font for the address bar. I believe it looked nearly identical in many e-mail clients though (so the fraudulent link in the e-mail passed the glance inspection), since there are many common fonts that show those two letters nearly identical to each other. BTW, notice how a capital I is the only character in the AddressBar font that is serif? All other characters (and all lowercase characters) are sans-serif. I wonder why they changed that..... ;)
Cover your eyes and click this link!
It seems to look disturbingly familiar.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
They were contacted by email from a *Nigerian* businessman. He purchased about $30,000.00 worth of goods using credit cards. In the beginning the cards went through, but then they started to decline, and he'd find more credit card numbers. Though this had nothing to do with my IT department, at the executives' meeting before the transaction happened, I did express my concern about the business deal. Being all too familiar with scams and extremely paranoid about security (systems admin, what can I say) I told them that they should look more into the background of these people, whose email addresses ended with @scatepile.com. They laughed it out (literally), saying that they would not ship anything unless the cards went through. They were greedy. To teach them a lesson I opened an account with scatepile.com and pretended I wanted to do business with them. The sales idiot was ready to go. In short, a month later when they were preparing another shipment, I finally convinced the sales guy to check with the bank for one of the Master Cards. Sure enough the card had been reported stolen. The same went for all other cards we were provided with. They stopped the shipment in time. Master Card charged the money back. We, being a small company, had to fire people who didn't deserve it to compensate. I also told them about my little test scam with the email. They were all embarrassed. Now I have the role of security not only for IT, but I have to consult them on business transactions and how to detect and prevent scams. That I didn't ask for. I think I should ask for a raise. I thought it would benefit someone (or make someone laugh) knowing how many stupid companies are out there that screw up big time.
The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
The email requests that I navigate to "www.etrade.com" and enter passwords, email addresses, etc but the true URL is not an ETRADE site! I called ETRADE but their emergency service phone number tells me that no one is available after midnight. So I forwarded the email with a note. We'll see what happens.
- After using email blind-drops and malware, the group quickly progressed to impersonating web sites. The impersonation was done through web redirections. The hypertext transport protocol (HTTP) permits web servers to redirect requests to alternate sites (HTTP 303 return codes). In this case, the gang's web server returned an HTTP 303 return code redirecting browsers to the targeted financial institution. But, the HTTP response may also contain valid HTML code. The valid code usually tells the user that the page has been moved to a new location. This gang used the redirection response's HTML code to generate a popup requesting the victim's banking information. Thus, the main web page is the targeted financial institution, but the popup comes from a hostile server (Fig. 4). The hostile server acts as a blind-drop for victim information.
I already block unrequested popups of course - but I once spent some time tracking a spammer who bounced off MSN's site - there was no popup and so I ended up at the advertisement. It seems that rather than accepting redirects, browsers should warn you with a dialogue box akin to a cookie request: "Site X wishes to redirect you to Site Y, do you wish to be redirected". Or do they already do that and I'm just not in the know? Anyway, looking at the screen shot, I could see lots of people being fooled. The popup was right in front of the Citibank page - it looks quite authentic.
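The quoted article describes the mechanism: a 303 redirect whose Location header sends the browser to the genuine bank while the response body carries script that opens a popup from the hostile server. The following is an added example, not code from the SecurityFocus article or from any poster, of how a proxy or mail-gateway check could flag that pattern: a redirect response whose body contains active content. The two HTTP responses are constructed samples, and `blind-drop.invalid` is a placeholder hostname.

```python
"""Flag HTTP redirect responses that carry active content in their body.

A 3xx response needs no body beyond a short 'moved' notice; script or a
popup call inside the body of a redirect is the pattern described above.
"""
import re

# Markers of active content that have no business in a redirect body.
ACTIVE_CONTENT = re.compile(
    r"<script\b|<iframe\b|\bwindow\.open\s*\(|\bon(?:load|click|unload)\s*=",
    re.IGNORECASE,
)


def parse_response(raw: str) -> tuple[int, dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_redirect(raw: str) -> dict:
    """Describe a response: where it redirects and whether its body is suspicious."""
    status, headers, body = parse_response(raw)
    is_redirect = 300 <= status < 400
    active = bool(ACTIVE_CONTENT.search(body))
    return {
        "status": status,
        "location": headers.get("location"),
        "redirect": is_redirect,
        "active_body": active,
        # Only a redirect that also ships active content is flagged.
        "suspicious": is_redirect and active,
    }


# Constructed samples. HOSTILE_303 mirrors the article's description: the
# browser is sent to the real bank, but the body opens a popup served from a
# hostile host (placeholder name, not a real site).
HOSTILE_303 = (
    "HTTP/1.1 303 See Other\r\n"
    "Location: https://www.citibank.com/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>The page has moved.\n"
    "<script>window.open('http://blind-drop.invalid/verify.html');</script>\n"
    "</body></html>"
)

# A normal redirect: the same Location, but only a plain 'moved' notice.
BENIGN_303 = (
    "HTTP/1.1 303 See Other\r\n"
    "Location: https://www.citibank.com/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><body>The page has moved <a href="https://www.citibank.com/">here</a>.'
    "</body></html>"
)

if __name__ == "__main__":
    for name, raw in (("hostile", HOSTILE_303), ("benign", BENIGN_303)):
        print(name, classify_redirect(raw))
```

The check deliberately keys on the combination of a 3xx status and active content rather than on the Location header, since the Location in this scam is the legitimate bank and looks clean on its own.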
No, Mr. Joseph wouldn't know if he is not part of IT or Security/Investigations, but he is correct, there has not been a breach since Adrian Lamo hacked the proxy servers a few years ago (I don't have a link to a previous story on that). But the story is not fabricated, and the response e-mail the author received from the fraud report was legitimate (although the AOL account is questionable, it is indeed legitimate; hatsu1 stands for Home Access Tech Support Unit 1).
> I don't think you can classify the hacker mentality as generally good or generally bad. It's about knowledge and problem solving, which can be either good or bad.
Just like a terrorist!
They either solve US problems or they become US problems....doesn't mean they're all bad.
When Beaner was our main Muslim fanatic in places like Afghanistan and Bosnia (if this country had balls, we'd have shot the whole Clinton administration for allowing him free access to him and his mujahideen a few feet away from US troops.) he was solving our problems, now... actually, come to think of it, he's still solving our problems. Everyone needs a good poster boy to whip up the sheepies.
This country needs to get serious about terrorism, send the RIAA against them. That'll teach them!!
zack
That is not an article claimed to be factual. It's opinion. It's counterpoint.
Second, this statement is not entirely false. There are local root exploits for Linux. They're less important than the remote ones, but there are more of them. They get patched more quickly, but it is still strongly advised not to give random people shell accounts for this very reason.
I hereby place the above post in the public domain.
Here's the paper by Gabrilovich and Gontmakher on the Homograph Attack (unicode scam).
It's nice that they did that and all, but I feel duped. There was no hacking involved here! Just some analysis and scanning...
I wanted to hear a thrilling story of how the good guy hackers took on the evil bank robbing scammers single-handedly (...well really two-handedly unless they can type like boris from goldeneye)!
I wasn't expecting to hear a story about my routine when I get spam...sheesh. Does this really deserve front page of slashdot?
01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
This isn't exactly someone who ran out and did something positive securitywise out of the goodness of his heart. It isn't even data from someone who works in security and ran out and did something on the side.
This entire linked-to article is, frankly, an advertisement. It's an advertisement to try to get people to buy security consulting services from this company. Impressively, this company managed to get the story on Slashdot. It's a sample report (you can figure this out early because of the number of tables and screenshots). (Silly execs love tables and pictures -- be sure to include lots if you're ever in a vending situation, even if they provide little useful content.) Other red flags include the fact that it's aimed at financial services (folks who have lots of money), and focuses on flaws in what Citibank is doing (with the implicit suggestion that this company could help them). Especially notable is the fact that it focuses on flaws in Citibank's behavior even if said behavior is not particularly relevant to the scam, such as the format of Citibank's emails. Are customers going to notice or care whether Citibank emails contain unique identifiers -- *not* hashbusters? No, though a security consultant who focuses on spam would.
Then they have the nice little blurb at the bottom about the company.
Frankly, they missed one important aspect. You can't sell anything to a company unless you can provide a measure of how much the company can save. They should run out and get a ballpark estimate on how much Citibank could potentially, worst-case, lose from this. They subtract proposed consulting fees and end up with a nice fat number.
The reason I find this advertisement vaguely disturbing is because folks like this are just another leech feeding off of fat, stupid corporations. Lots of consultants already do so. However, what these folks do *sounds* good but has little point. It's not financially feasible for a company to pay a small private army of techies to try to track down random Russians so that legal nastygrams can be sent to them (keep in mind that the firm didn't actually *identify* who the spammers were). There are too many potential baddies out there. A financial services corporation would be *far* better served by developing secure communication policies and technology that are *easy* to use for the consumer, and then spending money educating their customers about these. Then they become difficult to attack. To go after individual bad guys is like plugging holes in a dike -- very profitable for the guy being paid to plug holes, but ultimately ineffective.
May we never see th
Lets face it, you're not going to get any justice unless you hand over all the facts, logs, etc. of this international crime ring. If you're good enough you might even be able to prevent your identity from being known. Seeing as the head guy seems to be based in london, send a copy of your findings to the brits as well.
I agree with the others, though - if you can find a good cyber crimes reporter and sell your story to them, you would have a better chance of being both anonymous and having justice, or the equivalent thereof.
As a CitiBank customer (bcksp.. erm former customer as of 5 mins ago) I was concerned with this article.
I looked at the Citibank page for reporting fraudulent email (a stroke of genius to call it "/domain/spoof/report_abuse.htm".. boy does that make me think "official" and NOT "spoofed") and (a) it doesn't work in Mozilla (b) I'm not sure the form to report this stuff actually goes to anywhere that doesn't end in aol.com
Yes -- please be warned that this notorious crime ring definitely already has your vital information!
Fortunately, I work for Citibank's fraud division, and will be able to protect your vital account information if you contact us immediately.
Please click on the link below, which will take you to our Fraud Division. In the form that pops up, you will need to enter your account number, your mother's maiden name, your social security number, your current PIN number (we will change the PIN for you and mail you the new PIN for security). It is important that you provide all of this information so that we can verify your identity and secure your account immediately.
Here is the link:
http://www.citibank.com/fraud@www.5ucK3R.c
Remember -- time is essential!
Sincerely,
jtheory
Citibank Fraud Investigation Unit
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
The article is controversial. It describes a well-known semantic attack on HTTP URLs, and how it's performed in this particular case against Citibank. It also shows you useless message ids, whois, nmap and nessus dumps, a few words on what other attacks exist and such. No analysis, no nothing. Oh I forgot, there appears to be "a group" behind this and other attacks, possibly with Russian roots, possibly orchestrated from Delaware, and they use some server in Italy. SO WHAT ?
What new does it say ? Huge institutions like Citibank may be ignorant ? Users care not ? HTTP is vulnerable by definition ? Excuse me, but no news here.
I like my outfit, it's inexpensive, but cool -- April Ryan
Ten to one this story never reaches even the back page of the paper. Citibank refuses to even admit that anything happened (if I read the article correctly) and the average reporter would find most of this account incomprehensible. Until the Marines burst into the Russian Credit Card Thieves' base and rescue the pretty blonde army woman they've been imprisoning there, this isn't "news" by a long shot, and the corporate media will continue to say hackers = criminals, because that's the story that is most easily sensationalized.
Freedom: "I won't!"
Ok, maybe this is a stretch, but look at the dates from the parent article and the dates of the press-release warnings from Citibank and other news items on Google News Search for "citibank" and draw your own conclusions. A little too prophetic for my tastes and almost like making a demand for new services (the spoofing thing that is -- also note none of the account info has been used for ill -- maybe it's just running around internally).
New service launched by Citibank on Oct 23: Citibank Aids ID-Fraud Victims
Mr Joseph is indeed a Citibank representative. But seriously, do you think a bank would go around saying they were subject to fraud and/or undetected theft? Banks are in business because people think their money is safe with them - either he genuinely doesn't know, or he's lying.
http://www.whitepages.com/search/Reverse_Phone?npa=800&phone=950-5114
Reviews can be read here: http://mostlyfiction.com/adventure/stoll.htm
yush
she's not cute she's fucking ugly and fat. get a life, fuckwad.
How do you make this assertion ? Seems very strange when you accept the email address is questionable.
If you are working for citibank and if know that you have been hacked, the decent thing you can do is accept it!
...I really hate the fuckers. There can't be a decent one amongst the lot. I'm not an advocate of genocide, but in their case, fuck it...nuke the cunts.
i do believe you've hit the proverbial nail on the head. of course, it doesn't reflect well on the editorial discretion or integrity of security focus either.
So does a nigerian scam get classified as a 419 then? It involves a promise of massive amounts of money being transferred... a cut for the account-holder, and then either a "transfer fee" that gets sucked off the account or an attempt at existing balances in the account itself...
There have been documentaries on 60 Minutes and 20/20 about how Citibank has hired hitmen to take out a New Zealander who accidentally knew too much about its activities. Perhaps they are involved in this as a way to make the people's money 'disappear'?
Independent advisory: Parent may be accurate. There have been XSS (cross-site-scripting) attacks in Yahoo! Mail that would provide for this sort of attack. It seems realistic.
If you were in the US and hadn't gone through all that hacking, I'd tell you to contact the Secret Service. Seriously.
This is for those in the US who have actually lost money to one of these scams.
U.S. Secret Service
Financial Crimes Division
950 H Street, NW,
Washington, DC 20001.
(202) 406-5850
or email 419.fcd@usss.treas.gov
If you're in the US and haven't lost money, they'd still like to see a copy of the letter; fax it to (202) 406-5031.
But you're not in the US, and I'm not sure what you should do. They advise you to report it to your local authorities and send documentation via fax to the U.S. Secret Service.
I'm not sure I'd want to do ANY of that if I'd tracked them down to that extent via hacking, though.
First things first. Contact the administration at the University of London about the ringleader. You know exactly who he is. After that... I'm not sure, but they need to know.
i'd hit it
Now run along and play with that scam site of your own and the Windoze crap that runs it.
You just made my friends list.
Best. Putdown. Ever.
http://saveie6.com/
Unfortunately, the US financial system is balkanized, with only one-fifth of the banks regulated by the OCC,and the rest regulated by the Federal Reserve, FDIC, OTS, and others. I can't locate warnings from those regulators.
Warnings from bank regulators to their banks can only do so much. The scam targets the user, and no one is responsible for educating the user.
Scams like this are one of the reasons I've told my 70+ mother not to use Internet banking. Unfortunately, she's now looking into Internet brokerage. No matter what I do to secure her system, she is the weak link in the security chain. Many other Internet users are in the same boat.
Any ideas from slashdot land on how to educate those users, and how to protect them?
Isn't it?
Just use the term "hacker" in its positive meaning, or proper meaning if you like, and don't worry about people getting the wrong idea. It's easily fixed by telling them the meaning you applied to it, if it seems relevant/necessary.
A little backbone is all that's required. Be a leader, not a follower.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
Why do people add things about not being a troll at the end of a post.
Has anyone ever read a post, gone "troll", then seen in the last sentence "This is not a troll." and then changed their mind and decided it was very informative?
I believe the phrase you're looking for is "vigilante justice".
I'm proud of my Northern Tibetan Heritage
Here is the URL I received (in one line):
The 10-cheapdesign.com site is now shut down.
The bad guys somehow have their web server set up to not URL encode the spaces as %20, so you don't see the spaces in your address bar. The real URL you are visiting, is truncated from the view of the browser's address bar. This combined with a well worded email (you can't rely on them making spelling mistakes to catch this), and a complete replica of the website, is a dangerous thing.
On top of that, the warnings in the news and on the bank websites are inaccurate. They say not to send user names and passwords in email. That isn't how the scam works. It appears to be a safe link to your real bank site, unless you check for the presence of spaces in the URL or the SSL certificate on the login page.
Something is very wrong.
It seems like the citibank website is designed not to give out any email addresses but here's some addresses I've found.
I'd recommend sending a polite e-mail with the following details:
- A link to the SecurityFocus article http://www.securityfocus.com/infocus/1745
- State that there was a fraud attack on Citibank that may have affected over 100,000 clients.
- State that it seems likely that Citibank should be able to identify which clients were affected by checking their web logs.
- Most importantly, state that there seems to be something very wrong with their e-mail fraud reporting page, which may itself be compromised, and as such could the person you are contacting forward your e-mail to the appropriate Information Security department.
Please note that these people are not in departments related to IT or web development, so just ask them to forward your email to the appropriate person. Trust me, if enough people complain about this it will get resolved.
citibank@shareholders-online.com, shareholderrelations@citigroup.com, investorrelations@citi.com, fixedincomeir@citigroup.com, louis.f.fortunato@citigroup.com, evelyn.kenvin@citicorp.com, mary.cosgrove@citicorp.com, joseph.g.eicheldinger@citicorp.com, valerie.kuhl@citicorp.com, mamie.chinn-hechter@citicorp.com, geoffrey.h.siedor@travelers.com, johnsonl@citigroup.com, prettoc@citigroup.com, kevin.j.heine@citigroup.com
The same scam can be pulled off using frames and normal HTML. The web can be avoided altogether - the same scam can be pulled off by telephone call!
Which is just to say that many on /. would say that the luser should be more careful, and stupid people deserve to be swindled.
That's all you. I have a feeling that 99% of comments like that are paid for by M$. Still, common sense is the last line of defense. Any technology can be abused and the customer has to take care not to provide information to people who would already have it if they were who they said they were. An account number and a PIN are not needed to verify an email address. No one deserves to be robbed. Stories like this get the word out to prevent further abuse. Only Microsofish people who think knowing details of Microsoft's holes, flaws and workarounds is useful would go around blaming and insulting their customers and friends.
Friends don't help friends install M$ junk.
It's like saying "I'm serious" at the end of a sentence.
It can be hard to gather intent from print.
And it seems to me that I've written some replies that I was dead serious about and had them get moderated troll because the person on the other end just though I was being flippant.
Oh wait, was that a troll you posted?
Damn...
I do work there, and I know which department uses that email address. And I know the technician who "hasn't worked there for a few months" (which isn't true, he is still an active, full time employee for the department in question. To the author's and the operator's credit, with a company of over 20,000 employees worldwide, one phone rep at one location is not going to know every single employee that works there. Even at the USCC, which is where the operator probably works, it has a population of over 4000. So I'm wondering if the line "he hasn't worked here in a few months" was just a standard response or if the phone rep was just BSing the author.) The email is questionable because it's not going through the corporate LAN, but if you read the response message carefully it's so pitifully outdated (by the 877 number provided, by about 2 years). The reason it's not going through the LAN is because it's requesting copies of the fraudulent emails, which may or may not contain malicious code. Can't tell you much more than that, but the CBOnline web site wasn't compromised (although now that the story hit /., I'm sure it's only a matter of time :) ).
Citibank apparently was flip in a response to a Slashdot poster trying to notify them of the possible compromise of their fraud response page. This is no doubt due to the vagaries of the entrenched bureaucracy at Citibank. The person contacted probably did not understand what the poster told him, and most likely if he did understand, would not know who to notify to have the situation rectified. An email should be sent to the Citibank webmaster, hopefully that account has not been compromised as well.
What a bunch of pricks. If I was a customer of citibank I'd burn down their offices.
I'm not anti-microsoft. I'm anti-bullshit. Which means I'm anti-microsoft.
The real story is that Citibank's fraud report page seems to be compromised. I'd say that's more dangerous than the password stealing scheme.
This scam hit New Zealand a few weeks back and left this commentator asking why don't the banks seem to care?
Even though Australian customers of the bank concerned had been hit months earlier, it deliberately chose not to pre-warn its NZ customers that such scams existed and didn't actually send out any notification of the scam until 36 hours after the first scam-mails started arriving in people's mailboxes.
As a result, the bank admits that over 300 of its customers were duped.
Couldn't they have included a note to warn customers of such scams in one of the glossy magazines they sent them just a few weeks previous?
Is it that the banks don't care or is it that they're just totally incompetent?
This just kills me, it's such a no-brainer to defeat. Have a security setting in IE on URLs with an '@' in them. Use standard zone security policies of "allow/deny/ask", obviously using the site to the right of the @ as the principal for zone determination. Microsoft could issue this as a simple patch, and set it to "warn" by default (half the people will click "never show me this again" just to dismiss MS's incessant modal popups, but at least they were fairly warned). With some extra thought (perhaps falsely assuming the prerequisite of basic thought is met by Microsoft), one could include extra security and real nasty warnings using sophisticated textual analysis on the user/pass combo, i.e. it contains a dot.
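Several posts in this thread describe the same family of link tricks: the `http://www.domain1.com@www.domain2.com` userinfo form, the PayPaI look-alike domain, the URL padded with unencoded spaces so the real host falls off the address bar, and the zone check proposed just above that keys on the host to the right of the '@'. The following is an added example, not code from the article or from any poster, of a link inspector that applies those checks the way a mail filter or proxy would. The list of protected hostnames and the confusable-character table are constructed for the example; a real deployment would carry the organisation's own list and the Unicode confusables data.

```python
"""Inspector for the URL tricks discussed in this thread: userinfo before '@',
unencoded whitespace that hides the real host, numeric host encodings, and
look-alike hostnames such as PayPaI.com."""
import re
from urllib.parse import urlsplit

# Constructed sample of hostnames we want to protect (assumption for the example).
PROTECTED_HOSTS = {"www.citibank.com", "www.paypal.com", "www.etrade.com"}

# Characters that render nearly identically in common UI fonts (constructed
# table; capital I vs lowercase l is the PayPaI case from the thread).
CONFUSABLE = {"I": "l", "1": "l", "|": "l", "0": "o", "5": "s"}


def skeleton(host: str) -> str:
    """Fold confusable characters to one canonical form, lowercasing the rest."""
    return "".join(CONFUSABLE.get(ch, ch.lower()) for ch in host)


PROTECTED_SKELETONS = {skeleton(h) for h in PROTECTED_HOSTS}


def real_host(url: str) -> str:
    """Host the client actually connects to, with its original case kept.

    Everything before the last '@' in the authority is userinfo, not the host,
    and anything after ':' is a port (or, in the scam, padding text).
    """
    netloc = urlsplit(url.strip()).netloc
    return netloc.rpartition("@")[2].partition(":")[0]


def inspect_url(url: str) -> list[str]:
    """Return finding tags for a URL; an empty list means nothing suspicious."""
    findings: list[str] = []
    netloc = urlsplit(url.strip()).netloc
    host = real_host(url)

    # Whitespace inside the URL: the address bar shows the text up to the
    # padding and the real host is pushed out of view.
    if any(ch.isspace() for ch in url.strip()):
        findings.append("whitespace")

    # user:pass@host form: the text before '@' plays no part in routing.
    if "@" in netloc:
        findings.append("userinfo")

    # Decimal or hex host, e.g. http://3232235777/ or http://0xc0a80101/.
    if re.fullmatch(r"0x[0-9a-f]+|\d+", host, re.IGNORECASE):
        findings.append("numeric-host")

    # A host that is not a protected name but collapses onto one once
    # confusable glyphs are folded.
    if host.lower() not in PROTECTED_HOSTS and skeleton(host) in PROTECTED_SKELETONS:
        findings.append("lookalike")

    return findings


if __name__ == "__main__":
    # Constructed samples modelled on the forms described in the thread.
    samples = [
        "http://www.paypal.com/",
        "http://www.PayPaI.com/",
        "http://www.domain1.com@www.domain2.com/",
        "http://www.citibank.com                    @10-cheapdesign.com/",
        "http://0xC0A80101/login",
    ]
    for sample in samples:
        print(f"{real_host(sample):22} {inspect_url(sample)}  <- {sample!r}")
```

`real_host` is the piece the zone-policy idea above depends on: whatever policy you attach to a URL must be keyed on the host the connection actually goes to, never on the text the user sees first.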
I've finally had it: until slashdot gets article moderation, I am not coming back.
Class: Hacker
Level: 5
Alignment: True Neutral
Feats:
Persistence: I will solve the problem, even if it kills me.
Scientific approach: If I don't know how to solve the problem, I will make a theory, test it, make the necessary changes (or a new theory), test that, and so on.
Comprehension: I can often get the piece of knowledge I require from technical documents whose full comprehension would really require a hacker several levels above me.
Web Surfing: I'm good at finding information from the Web.
Unix knowledge: I know how to use a Unix-based system and configure it to my liking.
Windows knowledge: I know how to use a Windows-based system and configure it to my liking.
DOS knowledge: I know how to use a DOS-based system and configure it to my liking.
Basic BASIC programming: I have some basic knowledge of Basic programming.
Basic C programming: I have some basic knowledge of C programming.
Basic Java programming: I have some basic knowledge of C programming.
Basic Shell Scripting: I have some basic knowledge of making shell scripts.
General programming knowledge: I have general information about programming concepts.
Nethack variant: I have made a Nethack variant.
PC Building: I can make a PC from parts (and partition and format a hard drive and install an operating system).
Equipment:
1 GHz AMD Duron processor
512 MB of memory
200 GB of hard drive
Red Hat Linux 9
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
me too.
The problem was not specific to IE. I could view the same deceptive link in Mozilla, and using Thunderbird mail didn't provide much more of an alert when hovering over the link (it showed a tiny "..." on the far right bottom of the status line).
brian@liverpops.net