Hackers Track Down Banking Fraud
An anonymous reader writes "Noticing some commonalities in the spam flooding their email inboxes, a small group of hackers set out to track down who was responsible. Along the way they uncovered a trail that led them to an organized gang of criminals halfway around the world, and right back to some of the largest financial institutions in the US, and their customers, that became the gang's prey. See the SecurityFocus story for more details."
Recently I've been seeing a marked increase in things like this for PayPal as well as the main UK banks, including Lloyds and Barclays. People are definitely getting more aggressive about getting your details.
Also, the emails are getting "smarter" in that they look more like the place and make use of the old http://www.domain1.com@www.domain2.com trick, which a newbie can very easily misread.
Rus
Cheap UK and US VPS
The 419 fraud isn't a Ponzi scam.
A Ponzi scam is where you take money from new "investors" and use some of it to pay an apparently high return to your existing investors, grabbing the rest for yourself. Everybody's happy until (inevitably) you run out of new investors and the whole thing falls apart.
The 419 fraud involves a promise to transfer $millions into the victim's bank account, for some trumped-up and obviously rather dubious reason. At the last minute you ask the victim to pay a "transfer fee" of perhaps a few $1000. You then vanish with the "transfer fee", never to be heard from again.
Interesting. This happened in my town. A guy was posing as a security guard at an ATM and told people that it was out of order and that if they left their deposits with him he'd take care of it for them. Apparently he got a lot of people and was never caught.
This reminds me of the scam using Unicode (if I remember right) in URLs, so what you think is www.PayPal.com is actually www.PayPal.com (can't tell the difference? That is the point: one of the a's isn't an "a" at all, it is another character in another language that just happens to look identical, but the ASCII/Unicode is very different, and of course it takes you to a completely different site (though it ~looks~ like you're at www.PayPal.com the entire time)).
Scary!
I read the first line of the first header of this article and saw interbusiness.it. My advice: block or drop everything from interbusiness.it!
:-)
The 52 listings at Spamhaus tell enough about the hat colour of this company. Whoever wants to block interbusiness.it completely, go to blackholes.us. Here you find all the netblocks that belong to notorious spam countries (China, Taiwan...) or spam ISPs (verio.net, interbusiness.it...).
This page is my mailserver's best friend.
NoSuchGuy
Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
You must remember a lot of people don't read user agreements and policies, which subjects them to these problems. If the "common people" would take the time to do this, a lot of things like this would not happen. I can almost bet you one thing though: people that have been toyed with in this experience learned the hard way to read the important information. It's just too bad many people do not have the common sense to not give out that kind of info in the first place. It might be a good idea to give a "quiz" over important information like that when signing up for online banking and other things that involve personal information. I know that in order to get a student loan you have to take a short quiz about paying your loans back, etc. Not only does something like that take the liability away from the business when problems like this occur, but the user cannot come back and go "no one ever told me about this, what are you going to do about it?"
More than a few hundred suckers if you ask me!
If you mod me down, I *will* introduce you to my sister!
800-950-5114 is a working Citibank customer info phone number.
I just talked to a supervisor named Mr. Joseph, who said he does not work security, but that if there were any fraud perpetrated with the use of Citibank web servers he would be aware of it, and that none such has been perpetrated. Essentially he is saying this story is fabricated, if I understand right.
Any other Citibank customers have any other results? Does anyone know any more -- perhaps the story is a fabrication?
This reminds me of Cliff Stoll, an astrophysicist who moonlighted as a sysadmin at UC Berkeley, and noticed a discrepancy of a cent or less in the CPU time accounting system.
1) HE didn't notice it; it was handed to him as an assignment to get him to poke around and get him used to the way their computers worked, because he had switched jobs to the computer department recently.
2) It was 75 cents of computer time, not "a cent or less".
3) He referred to the hacker less than nicely for using computer time, but used some of the same tactics to catch him ("borrowing" printers and monitors from other people's desks, etc.).
Incorrect, shades are colours you obtain by adding black to a colour, tints are colours you obtain by adding white to a colour. So, black is a shade of grey, but white is a tint of gray. Both black and grey are shades of white, however.
Black and grey are both shades of white.
No, he is NOT saying the story is fabricated, he is just saying "Citibank servers have not been compromised".
Citibank's servers are as secure as ever,
it's the gullible customers who have been compromised.
I got one of the fraud emails at work. I have a Citibank account, but never use my work email for banking, so I knew it was bogus right away. They just "got lucky" that I happen to be a Citibank customer.
Citibank has notified customers with an online message, using their internal messaging to online customers while they are logged in to Citibank's web site, warning about these emails.
They also have a link on their homepage, "about e-mail fraud", on the lower right that opens a Java pop-up window that is just like the ones the fraudsters use!
It does have some info on different versions of the letters and lots of "advice" for determining if you may be a victim.
They do tell you. If the customer doesn't read the agreement, then that's their problem. Usually, it is a prominent warning. I've never had to "look" for it. It was always one of the first things I read.
Thanks,
Leabre
No, Mr. Joseph wouldn't know if he is not part of IT or Security/Investigations, but he is correct: there has not been a breach since Adrian Lamo hacked the proxy servers a few years ago (I don't have a link to a previous story on that). But the story is not fabricated, and the response e-mail the author received from the fraud report was legitimate (although the AOL account is questionable, it is indeed legitimate; hatsu1 stands for Home Access Tech Support Unit 1).
If it were in the States, you're fucked. Completely. Run away and hide or something. The reason is, the law can't use the information because it was collected without due process (warrants and stuff).
You should have redeemed those cereal box tops for something other than a law degree. The police in the US can most certainly use the information. The restrictions on unlawful search apply only to the government. The police can't perform an illegal search, and they can't encourage a private citizen to perform a search that they could not perform. But if the private citizen made a search on his own initiative, the evidence is most certainly admissible.
The citizen in question here may have committed crimes himself in the course of his investigation, however, so he should probably contact an attorney who can contact the authorities and work out an immunity deal.
Here is the URL I received (in one line):
The 10-cheapdesign.com site is now shut down.
The bad guys somehow have their web server set up to not URL-encode the spaces as %20, so you don't see the spaces in your address bar. The real URL you are visiting is truncated from the view of the browser's address bar. This, combined with a well-worded email (you can't rely on them making spelling mistakes to catch this) and a complete replica of the website, is a dangerous thing.
On top of that, the warnings in the news and on the bank websites are inaccurate. They say not to send user names and passwords in email. That isn't how the scam works. It appears to be a safe link to your real bank site, unless you check for the presence of spaces in the URL or the SSL certificate on the login page.
Something is very wrong.
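The address-bar tricks this thread describes (the bait@real userinfo form, run-on spaces that push the real host out of view, and a look-alike character in the host) can all be surfaced mechanically before a link is trusted. The following is an added Python example, not code from the thread; the sample links are constructed and use .example hosts rather than the real domains named above.

```python
from urllib.parse import urlsplit

# Constructed sample links (not the URL from the original post) showing the
# address-bar tricks the thread describes: a "bait@real" netloc, run-on spaces
# that push the real host out of view, and a look-alike host character.
SAMPLES = {
    "userinfo":   "http://www.citibank.example@10-cheapdesign.example/signin",
    "whitespace": "http://www.citibank.example:ac=CitiOnline" + " " * 40
                  + "@10-cheapdesign.example/signin",
    "homoglyph":  "http://www.p\u0430ypal.example/",  # U+0430 is Cyrillic, not Latin 'a'
    "clean":      "https://www.citibank.example/signin",
}

def real_host(url):
    """Host the browser actually connects to: the part of the netloc after the last '@'."""
    return urlsplit(url).hostname or ""

def bait_host(url):
    """Text before an '@' in the netloc, which a reader may mistake for the destination."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return None
    return netloc.rpartition("@")[0].split(":", 1)[0].strip()

def inspect_url(url):
    """Return the suspicious features of a link, in a fixed order (empty list if none)."""
    findings = []
    # Check the raw string: urlsplit silently drops tabs/newlines and trims leading spaces.
    if any(ch.isspace() for ch in url):
        findings.append("whitespace")
    if bait_host(url) is not None:
        findings.append("userinfo")
    host = real_host(url)
    if any(ord(ch) > 127 for ch in host):
        # The IDNA (punycode) form exposes the look-alike label as an xn-- name.
        findings.append("non-ascii-host:" + host.encode("idna").decode("ascii"))
    return findings

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:10} real={real_host(url)!r} bait={bait_host(url)!r} "
              f"flags={inspect_url(url)}")
```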
It seems like the Citibank website is designed not to give out any email addresses, but here are some addresses I've found.
I'd recommend sending a polite e-mail with the following details:
- A link to the SecurityFocus article http://www.securityfocus.com/infocus/1745
- State that there was a fraud attack on Citibank that may have affected over 100,000 clients.
- State that it seems likely that Citibank should be able to identify which clients were affected by checking their web logs.
- Most importantly, state that there seems to be something very wrong with their e-mail fraud reporting page, which may itself be compromised, and as such could the person you are contacting forward your e-mail to the appropriate Information Security department.
Please note that these people are not in departments related to IT or web development, so just ask them to forward your email to the appropriate person. Trust me, if enough people complain about this it will get resolved.
citibank@shareholders-online.com, shareholderrelations@citigroup.com, investorrelations@citi.com, fixedincomeir@citigroup.com, louis.f.fortunato@citigroup.com, evelyn.kenvin@citicorp.com, mary.cosgrove@citicorp.com, joseph.g.eicheldinger@citicorp.com, valerie.kuhl@citicorp.com, mamie.chinn-hechter@citicorp.com, geoffrey.h.siedor@travelers.com, johnsonl@citigroup.com, prettoc@citigroup.com, kevin.j.heine@citigroup.com