Slashdot Mirror


Hackers Track Down Banking Fraud

An anonymous reader writes "Noticing some commonalities in the spam flooding their email in-boxes, a small group of hackers set out to track down who was responsible. Along the way they uncovered a trail that led them to an organized gang of criminals halfway around the world, and right back to some of the largest financial institutions in the US, and their customers, that became the gang's prey. See the SecurityFocus story for more details."

26 of 335 comments

  1. Yet more proof... by Qweezle · · Score: 3, Insightful

    ...that most hackers are just out to do good. The stereotype that hackers have gotten is ridiculous, and largely due to a few notable individuals who do malicious things (steal credit card numbers, etc.), and I believe that hackers are a primary security measure of the society of the internet.

    Think of them as citizen-cops, they find the bad things and patch them, report them, these are the guys who we should praise, not put down. God Bless the white hat hacker.

    1. Re:Yet more proof... by Narphorium · · Score: 5, Insightful
      ..that most hackers are just out to do good.
      I don't think you can classify the hacker mentality as generally good or generally bad. It's about knowledge and problem solving, which can be either good or bad.

      You're much better off using the black|grey|white hacker classes, although even that can be fuzzy at times.

    2. Re:Yet more proof... by Kenja · · Score: 2, Insightful

      No, they find the bad things, root around, do whatever they want and then claim to have only patched them. It's like coming home to find a plumber in your living room saying he fixed the sink. If he was not invited in your home he should not be there.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  2. Congratulations to them by Elpacoloco · · Score: 3, Insightful

    If computers ever fail you economically, welcome to law enforcement.

    Seriously, law enforcement needs much more of this. I can't name the last time I met a cop who understood computers at all.

    1. Re:Congratulations to them by Anonymous Coward · · Score: 1, Insightful

      There are quite a few /.ers complaining about no jobs but have they applied to the local police academy? In many places you get paid for going through their boot camp and geeks have a good chance of getting enlisted by the fraud department. If Miami had just 3 more decent cops that knew computers, the amount of spam and fraud worldwide would drop by about 10%. Some people want to do open source because it can help their community. This is another way.

  3. A fool and his money by The+Donald · · Score: 4, Insightful

    If I walk up to you, and say "Hi, I'm with Citibank, we have a problem with your account, we need to verify your account number and PIN, please write it down on this piece of paper and give it to me." I'll get a punch in the mouth. Yet when the average user gets a call or E-mail asking for this info, it's handed over.

    --
    You know who I think is crazy? All my ex-girlfriends!
    1. Re:A fool and his money by Jesus+2.0 · · Score: 3, Insightful

      That's simply not true. The average person getting a call or e-mail asking for this info does not hand it over. One in a hundred, or one in a thousand, or one in some large number do.

      If you walk up to a few hundred thousand people and ask for their account numbers and PINs, yes, you're going to get many punches in the mouth. But you might also get an account number and a PIN, because one of the people that you walk up to is a complete idiot.

      It's not that the medium makes people stupider. It's that it's much, much easier to ask a hundred thousand people through email than it is to walk up to a hundred thousand people.

    2. Re:A fool and his money by Tsunamio · · Score: 2, Insightful

      Well, given the fact that the page appeared to link to Citibank and indeed opened the Citibank main page behind the verification window, it'd be more like someone inside the bank wearing a Citibank jacket asking you for your account number and PIN.

    3. Re:A fool and his money by blair1q · · Score: 3, Insightful

      Average?

      Hardly.

      They send out spam to 180 million people, and get maybe a few hundred suckers.

      Being in the .001 percentile is hardly "average".

  4. The scariest part... by The+Gline · · Score: 4, Insightful

    ...is that Citibank apparently didn't even care. When someone sent out spams attempting to scam people with accounts with Sony Financial Services, I contacted them about it and they promised they'd have someone call me first thing next day. They never did.

    I don't like to say this, but if they are indifferent about this sort of crime now, they are going to have no chance of fighting it.

    --
    Honorary Member of Jackie Chan's Kung Fu Process Servers
  5. Hacking? by Superfreaker · · Score: 3, Insightful

    I wouldn't call what they were doing exactly "hacking". They simply ran some lookups and other simple discovery tools a person would use as preparation for an attempted hack. They never performed any exploits though, like actually trying to access the web server in Russia to see what information they actually had...

  6. Knock it off please by Anonymous Coward · · Score: 3, Insightful
    Insightful? "Most hackers are out to do good." Take a deep breath and let it go...

    We lost control of the word "hackers" a long long time ago. It has been more than 10 years since the horse left the barn, stop whining about the open gate.

  7. Yikes!!! I'm glad I RTFA by bobdotorg · · Score: 5, Insightful

    If you haven't RTFA, I suggest you do. Here's why:

    After nine years on the net, this is the first scam that I believe I might (though probably not, as I always show the address bar and look for the secure connection icon) have fallen for.

    Having your web browser load Citibank's home page, and then swiping the info via a rogue pop-up is the sneakiest tactic I've seen.

    Even the link in the email appears to be from Citibank upon first glance.

    An exceptionally clever and well-crafted scam.

    --
    __ Someday, but not this morning, I'll finally learn to use the preview button.
  8. Why don't banks and credit card companies... by Trolling+4+dollas · · Score: 4, Insightful

    Tell their customers that they will NEVER correspond with them via email and will NEVER ask for their ATM pin number over the internet in any shape or form. My bank did this when I signed up for online banking. This is of course obvious to 99.999999% of the /. crowd but to everyday common people (read stupid) this might not make sense or be obvious.

  9. Hope this makes the news... by jeeryg_flashaccess · · Score: 4, Insightful

    ...because more stories like this would only help the word "Hacker" gain a better stand in the public at large.

    Stories like this would be serious eye openers to my family and friends who seem to know nothing about computer fraud.

    I submitted the story to a few local news agencies. Hopefully one of them picks up on it.

    My work here is done :)

    --
    Life is like pants... fit in or you don't fit in.
  10. What to do about this by robogun · · Score: 4, Insightful
    I'm sure, by now, everybody who has a Citi or eBay account has gotten one of those spams. (I have several eBay accounts and therefore have received each of the ones mentioned in the article.) They also target PayPal MUCH more than mentioned. I get a PayPal scam every week at least. The eBay ones only want your login info so they can pose as a "legit" seller for a few days to run Romanian-type auction scams.

    The PayPal scammers, with only your password, can literally take you for every cent you got AND every cent of credit availability.

    And where is the mention of the origin of it all, the AOL phishers? I guess you only see it on AOL but it is a huge problem over there. The main purpose seems to use compromised accounts to spam AOL members from inside, it happened to my dad, who is still "not budging" from AOL.

    The ideal solution would be a distributed deliberate response, using the form provided by the spammer, by the targeted companies, who could load predetermined user/pass combinations and disinformation (I have a script) into their database. When access is attempted using the provided login/password combinations, the criminal is detected in real time (he is not safe by proxying - he is still dead meat when seen in action. Logs will exist on the proxy servers to point right to him, the more the merrier.)
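
An added sketch of the detection side of the decoy-credential idea in the comment above (not code from the thread or the article): decoy usernames carry a keyed tag so the bank can recognise them at login without storing a list, and any source that presents one is flagged together with the real accounts it tried. The key, the username format, the log line format and the sample log are all constructed assumptions.

```python
import hashlib
import hmac
import re
from collections import defaultdict

KEY = b"constructed-demo-key"  # assumption: secret held only by the fraud team

def _tag(base: str) -> str:
    return hmac.new(KEY, base.encode(), hashlib.sha256).hexdigest()[:8]

def make_decoy(serial: int) -> str:
    """Decoy username: a 7-character base plus an 8-hex keyed tag."""
    base = f"u{serial:06d}"
    return base + _tag(base)

def is_decoy(username: str) -> bool:
    """Recognise a decoy by recomputing its tag; no decoy list is stored."""
    base, tag = username[:7], username[7:]
    return len(tag) == 8 and hmac.compare_digest(tag.encode(), _tag(base).encode())

LINE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")

def triage(log_lines):
    """Return {source: {"decoys": [...], "at_risk": [...]}} for sources that used a decoy."""
    by_src = defaultdict(list)
    for line in log_lines:
        m = LINE.search(line)
        if m:
            by_src[m["src"]].append(m["user"])
    report = {}
    for src, users in by_src.items():
        decoys = sorted({u for u in users if is_decoy(u)})
        if decoys:
            # Real accounts tried from the same source were probably phished too.
            at_risk = sorted({u for u in users if not is_decoy(u)})
            report[src] = {"decoys": decoys, "at_risk": at_risk}
    return report

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = [
    "2003-11-14T09:02:11 login user=alice src=198.51.100.7 result=ok",
    f"2003-11-14T09:05:40 login user={make_decoy(17)} src=203.0.113.9 result=fail",
    "2003-11-14T09:05:58 login user=bob src=203.0.113.9 result=ok",
    "2003-11-14T09:07:02 login user=u000017deadbeef src=198.51.100.7 result=fail",
]

if __name__ == "__main__":
    for src, hit in triage(SAMPLE_LOG).items():
        print(src, hit)
```

The last sample line has the decoy shape but a wrong tag, so it is not treated as a decoy; only the keyed tag decides.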

  11. Re:to be a complete pedant... by Anonymous Coward · · Score: 2, Insightful

    I don't know if you can teach Common Sense.

  12. Even Scarier by retrosteve · · Score: 5, Insightful

    ...Much worse than "Citibank didn't care". Look down lower on the SecurityFocus report and you'll see that Citibank's own fraud reporting webpage appears to be compromised, they know about it, and they hadn't (as of publication date) tried to correct it. The email reply from the fraud page is itself fraudulent, and directs users to a nonexistent toll-free number or a private AOL email address, although it appears to come from Citibank's own servers!

    Also, there's a CNET article about the August 16 version of the scam, reported on August 18, 2003. The article is supposed to be here at http://news.com.com/2011-10173-5065394.html?tag=ma instry

    But when you check that link, it first comes up, then a second or two later gets redirected to a search page claiming that the article is "expired".

    Strangely, the CNET search page (which searches on terms similar to the title) comes up with 2 flattering articles about Citibank's quality process, one dated 2002, the other dated 2000. Neither of those articles has "expired". Draw your own conclusions here.

    For those who aren't too quick on the mouse, part of the text of the "expired" article is here:

    Citibank, a division of Citigroup, said "numerous" people received the e-mail, which purported to advise them of conditions affecting their accounts.

    It said the e-mail linked to a Web site that looks like Citibank's, and asked customers for their Social Security numbers, a form of identification. Scammers can use such data to obtain credit cards or access to bank and other accounts.

    The bank urged recipients to delete the e-mail and call the customer service number on their automatic teller machine cards. It said that the company is working with law enforcement and that its systems have not been compromised.

    SecurityFocus notes that Citibank should know the exact number of people who came to their website from the fraudulent redirection, although officials there claim not to know. It also seems unlikely that Citibank's systems were not compromised, considering the email replies that came from their "report fraud" webpage.
  13. Protecting oneself... by silentbozo · · Score: 3, Insightful

    Surf with JavaScript off. Stops spammers of all stripes from trying to exploit your browser to cover their tracks. Check e-mail with a mail client that isn't stupid (i.e., Outlook), and allows you to toggle HTML rendering on/off so you can examine the underlying code (even better, get a client that only displays plain text.) Get a Mac to really screw up malware.

    Unfortunately, the essential element, common sense, is what is tripping people up. Would your bank really contact you via e-mail to get your personal info? Would your bank call you up and ask for your personal info? They're your bank for chrissakes, they can get a complete profile on you just by asking the credit bureau!

    Last note - the best way to prevent any failure in mental processes is to keep the mail from reaching the user in the first place. SpamAssassin has done incredibly well by me ever since I trained the Bayesian feature on a backlog of scam mails. I rarely get financial scam mails, instead now I have to fight soft-pedal scams that trip none of SA's hard-coded rules, but still score a bayes_99 score. Oh well...

  14. Re:Something similar... by Anonymous Coward · · Score: 2, Insightful

    How about contacting a reporter? He or she should be able to shield you as a source, and if you pick one with a background in cyber-crime reporting would be likely to have useful contacts in law enforcement.

    Mitnick groupies might have a hissy fit for this suggestion, but John Markoff of the New York Times comes to mind as one possibility.

  15. Multiple Accounts, Multiple Cards? by frinkster · · Score: 2, Insightful

    Don't people realize that you are allowed to have multiple bank accounts, and multiple credit cards?

    I don't really consider myself all that paranoid, but I'm not about to link the bank account that has all my savings up with PayPal. The account I linked up could be accurately described as my "spending money" account, which means that if I'm compromised, they ain't getting much and I ain't losing much. Since I can just walk across the street and deposit a check from my real account, I have no need to link a credit card to PayPal. If I did, I would simply get a new credit card with a low credit limit. It's not like it's difficult to get a credit card, is it?

  16. Re:Something similar... by Anonymous Coward · · Score: 1, Insightful

    I suspect an arrest would only occur if there was a sting. This means a lot of work for the police. You should come up with the simplest plan that would allow the Police to catch at least one of the criminals. For example, once the police agree, you could tell them where the money was to be wired to (and who) and who the victim is so that they could be there to arrest an accomplice. This requires 2 way communication which might be difficult for you. Anyway, you should have someone walk into the police station of the appropriate district with appropriate information in hand to start a dialog (some kind of blind email drop?). I know someone who lives in England (happens to be involved in the news business) who, if I emailed, would probably take the email seriously and deliver it by hand for you although he does live 200 miles from London. You should be able to find someone else like me who knows someone closer to London, but you can contact me if you want at: gr77-frog8438@mailblocks.com That email will expire when I start getting spam on it.

  17. Re:Something similar... by Blimbo · · Score: 4, Insightful

    If this was me, I might forward this info (anonymously) to a major metro rag, i.e. the Toronto Sun... first maybe determine which writer might be interested in following up.

  18. That's an opinion article. by wirelessbuzzers · · Score: 3, Insightful

    That is not an article claimed to be factual. It's opinion. It's counterpoint.

    Second, this statement is not entirely false. There are local root exploits for Linux. They're less important than the remote ones, but there are more of them. They get patched more quickly, but it is still strongly advised not to give random people shell accounts for this very reason.

    --
    I hereby place the above post in the public domain.
  19. not so fast... by No+Such+Agency · · Score: 2, Insightful

    Ten to one this story never reaches even the back page of the paper. Citibank refuses to even admit that anything happened (if I read the article correctly) and the average reporter would find most of this account incomprehensible. Until the Marines burst into the Russian Credit Card Thieves' base and rescue the pretty blonde army woman they've been imprisoning there, this isn't "news" by a long shot, and the corporate media will continue to say hackers = criminals, because that's the story that is most easily sensationalized.

    --
    Freedom: "I won't!"
  20. "Hacker" by Blue+Stone · · Score: 2, Insightful

    Just use the term "hacker" in its positive meaning, or proper meaning if you like, and don't worry about people getting the wrong idea. It's easily fixed by telling them the meaning you applied to it, if it seems relevant/necessary.
    A little backbone is all that's required. Be a leader, not a follower.

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce