Slashdot Mirror


Hackers Track Down Banking Fraud

An anonymous reader writes "Noticing some commonalities in the spam flooding their email in-boxes, a small group of hackers set out to track down who was responsible. Along the way they uncovered a trail that led them to an organized gang of criminals halfway around the world, and right back to some of the largest financial institutions in the US, and their customers, that became the gang's prey. See the SecurityFocus story for more details."

24 of 335 comments

  1. Hackers by Veovis · · Score: 4, Interesting

    It's about time the "hacker" community gets some positive news; just one more step to remove the "cyber-terrorist" label the news/media has created.

  2. Cliff Stoll by SuperBanana · · Score: 5, Interesting
    Noticing some commonalities in the spam flooding their email in-boxes, a small group of hackers set out to track down who was responsible. Along the way they uncovered a trail that led them to an organized gang of criminals halfway around the world, and right back to some of the largest financial institutions in the US, and their customers, that became the gang's prey

    This reminds me of Cliff Stoll, an astrophysicist who moonlighted as a sysadmin at UC Berkeley, and noticed a discrepancy of a cent or less in the CPU time accounting system.

    I won't spoil the story, but see if your local library has a copy of the Cuckoo's Egg (by Stoll). His more recent book, Silicon Snake Oil, discusses the falsities behind throwing technology (computers) at people, particularly in schools, for example... and was also quite good when it came out (and schools were dumping boatloads of $ into computer labs which sat mostly empty).

    He's humble, intelligent, well educated, writes fun to read stuff... one of the computer scientists (and physicists) I respect the most, far above all the three-letter personalities.

  3. Re:Yet more proof... by The+Original+Atrox · · Score: 3, Interesting

    "It takes one to know one". Any successful hacker knows how a hacker goes about casing/looking at a prospective system. So, such an individual knows the ways to make a system less appealing/susceptible to such attacks. Some of the best network security experts are 14y olds with nothing better to do (yea, I mean no life). The good majority of them know more than the high-paid 'security consultants' who were born 'pre-internet'.

    Atrox

    --
    -Beware of he who would deny you access to information, for in his heart, he dreams himself your master.
  4. Re:Skipping English Class by Anonymous Coward · · Score: 1, Interesting

    Well, you're assuming that the average person understands their native language and speaks it well. That assumption couldn't be farther from the truth.

    Average people are (wait for the surprise) average. That can be correctly interpreted as "stupid", which is why spam persists in the first place. If no one was stupid enough to buy from spam, spam would cease to exist.

    Stupid people fund spam. Period. And if they are dumb enough to fall for this scam, they deserve everything they get.

  5. Re:Hacking? by Xerithane · · Score: 2, Interesting

    Sshhh, you read the article and realized that the Slashdot summary was much more sensational. The only proof that it was a single gang is that the misspellings were the same. The best "proof" provided was from Cleatis.

    --
    Dacels Jewelers can't be trusted.
  6. It's already half /.'ed (had to reload twice)... by Knights+who+say+'INT · · Score: 2, Interesting

    ...so here it is for the unlucky. There were a few pictures, and text examples I removed so it wouldn't get too big, but it's mostly intact.

    ----
    1 Overview
    Not all people that send undesirable email (spam) are the same. Their motives differ as greatly as their tools and technical abilities. This document uncovers a spam gang who seeks to acquire your banking information, and the response from one of the targeted victims: Citibank.

    This document describes the unique bulk-mailing tool used for a recent rash of financial email scams. These scams target financial entities such as Citibank, Wells Fargo, Halifax Bank, eBay, and Yahoo. Only one specific spam gang uses this tool for these financial scams. This spam gang started slow with only a few members, but has increased in both gang membership and spam volume.

    All emails and headers are provided unmodified with the following exception: all personal information has been modified to protect the identity of the recipient. These modifications are denoted with bold and underlined typeset. Every effort has been made to retain the same data format without disclosing personal information. For data taken from the public domain, such as newsgroup postings and messages from open forums, no effort has been made to modify the data or protect the publicly disclosed recipient.

    2 The Citibank Scam
    With the growth of online banking comes online fraud. These schemes vary from web sites that "look" like the actual financial institution to email asking for personal banking information. At first glance, the email below (Fig. 1) looks like just another one of these simple bank fraud schemes.

    At a quick glance, this email appears to be from Citibank, as it contains a Citibank URL. But a closer inspection indicates a financial scam:

    * The email contains multiple misspellings and grammatical errors, such as "becaurse" and "This automatic email sent to:".
    * The content contains hash-busters (unique characters in the contents that are used to bypass hash-based spam filters). For example, the "-t-" and "K" in the main paragraphs, and the "y" and "C" before the long lines of hyphens. Different recipients received the message with different hash-buster characters.
    * Although the included URL begins with "www.citibank.com", it actually goes to "sd96v.pisem.net" [ref 1]. This server is hosted in Moscow, Russia and is not part of Citibank.
    * The email header does not originate from Citibank. Instead, it originated from a DSL system in Italy. Network scans of this host (Appendix A) indicate that the system was likely compromised.

    People who clicked on the link saw the Citibank web page and a popup that prompts for login information (Fig. 2, Fig. 3). Although the Citibank web page actually came from Citibank, the popup came from a non-Citibank server. Victims that entered banking information in the popup essentially gave their accounts to an unknown scam artist.

    2.1 Mass Mailing Revisions
    The 29-Sep-2003 mass mailing (Fig. 1, Fig. 2, and Fig. 3) is actually the second revision of the fraudulent bank emails. The first revision appeared on 16-Aug-2003 and asked the recipient to view new banking terms and conditions. Users who clicked on the link were redirected to a server in China. The first revision included the recipient's email address as a field in the URL. The second revision replaced the address field with a series of random characters. The popup for the second revision only asked for the user's Card and PIN numbers. The third release on 25-Oct-2003 (Fig. 4) was revised to prompt for the user's Card number, PIN number, and expiration date.

    In nearly every case, a Russian server was used, either to host the requests, or to act as a web-bug and count the number of hits. For example, the web bug from the first revision can be found here. According to this web-log, there were 107,274 hits on 16-Aug-2003, and 91,573 hits on 17-Aug-2003 (Fig. 5). These were primarily due to responses to the first sp

  7. Should design for security by fermion · · Score: 5, Interesting
    This is a really good example of why certain web and advertising techniques are just too dangerous to be in general use, and why certain web features are justified as not just ad busting techniques, but reasonable security measures.

    In this scam a pop up with no navigation and no URL box was presented to the user on top of a genuine web page. This confused the user into thinking the pop up came from citibank. Advertisers like such pop ups because it locks the user into a path specified by the advertiser and obscures the source of the ad. Some web designers like the format because they think it looks less cluttered.

    Most modern web browsers can be set to block pop ups, force navigation, or always display the URL. Many advertisers whine that this is unfair. So what. What is even more amazing is that generally responsible companies, such as eBay, will create pop up screens with no URL and no navigation, thereby setting a precedent to allow such fraud.

    The same is true of images from a third party server. It is useful for advertisers to set web bugs and large scale rotating campaigns. It is even useful for websites to distribute load. It also introduces security issues.

    Which is just to say that many on /. would say that the luser should be more careful, and stupid people deserve to be swindled. But I have seen financial organizations use pop ups and third party ads to push product to their customers on the customers' financial information page. This is a page that should only contain sensitive information, not irrelevant content. The banks are willing to compromise security to push products. And then the banks complain that customers are to blame.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  8. What if we used tax money for this - by Progman3K · · Score: 2, Interesting

    Paying hackers to track down scammers and spammers.

    They seem to be a lot better at it than law enforcement.

    No, this is not a troll...

    *sigh* whatever...

    --
    I don't know the meaning of the word 'don't' - J
  9. Protect Against 303 by Anonymous Coward · · Score: 2, Interesting

    The thing that makes this possible is the HTTP 303 error. Is there any way to detect the 303 when someone comes to your site to determine if it's legitimate or not?

    Otherwise it seems there is NO way to protect against this (except smarter consumers... Like that's going to happen!).

  10. Actually, maybe not. by M$Marketing · · Score: 1, Interesting

    I believe that the word can be redeemed by doing good deeds under the label of being a hacker. Take for instance, "butcher". Technically, it just describes the profession of butchering meat. Yet, it is used negatively when describing killings. Yet, people understand what it means to be a butcher, & there are no significant negative perceptions of the profession.

    I think that it can work out to be the same for the hackers.

    --
    Take care...
  11. Is SecurityFocus reputable ? by Anonymous Coward · · Score: 1, Interesting

    I just read one of their articles, which sounded interesting:

    http://www.securityfocus.com/guest/23028

    but near the bottom I ran into a sentence that shocked me:

    "Even when a Linux desktop system is properly configured with restricted accounts, there are simply so many local root exploits to pick between that the point becomes moot."

    I can't imagine any respectable security person saying such a thing, or perhaps, I find it difficult to respect anyone who offers such a professional opinion. Essentially, the person does not believe in defense in depth, which frankly is a cornerstone of security, and has been for decades in respectable circles.

  12. Re:E-Mails by Anonymous Coward · · Score: 1, Interesting
    I received a fraudulent email just today from "paypal" (all personal info edited):

    Return-Path:

    rest of header removed


    Dear PayPal member,

    PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address

    ********@aol.com

    will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.

    We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.

    IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.

    DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.

    Thank you for using PayPal.

    fcofbvub


    end of message

    There was a 13KB file attached named "www.paypal.com.scr". I can't wait to see the pretty screen saver paypal has sent me! Well, I'm not sure what I should do with it. I could open it up in a hex editor, but I wouldn't know what to look for. Does anyone have any suggestions on how to find out what this file does exactly?
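
A defender-side way to answer the question above without ever running the attachment is static triage: check what the name claims against what the bytes say. The following is an added example in Python, not code from the poster or from any product; the file contents it inspects are a constructed stand-in (a minimal DOS stub pointing at a `PE\0\0` signature plus two strings), not the real attachment, and the `.example` URL inside it is made up.

```python
import re
import struct

# Extensions Windows treats as directly executable when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def inspect_attachment(filename, data):
    """Static triage of an attachment: name heuristics plus PE header checks.
    Nothing here runs or loads the file."""
    name = filename.lower()
    stem, dot, ext = name.rpartition(".")
    ext = dot + ext if dot else ""
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
        if "." in stem:  # "www.paypal.com.scr": a hostname-shaped stem in front of .scr
            findings.append("disguised name: hostname- or document-like stem before the extension")
    is_pe = data[:2] == b"MZ"           # DOS/PE executables start with the MZ magic
    pe_sig = False
    if is_pe:
        findings.append("MZ header: Windows executable whatever the name says")
        if len(data) >= 0x40:
            # e_lfanew at offset 0x3C gives the offset of the PE signature.
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            pe_sig = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
            if pe_sig:
                findings.append(f"PE signature at offset {e_lfanew:#x}")
    return {
        "filename": filename,
        "extension": ext,
        "size": len(data),
        "is_pe": is_pe,
        "pe_signature": pe_sig,
        "findings": findings,
        "risk": "high" if (is_pe or ext in EXECUTABLE_EXTS) else "low",
    }


def printable_strings(data, min_len=6):
    """ASCII runs of at least min_len characters: the 'strings' view of a blob."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Constructed stand-in for the attachment (not the real file): a minimal DOS
# stub whose e_lfanew points at a PE signature, followed by a couple of strings.
_E_LFANEW = 0x80
SAMPLE_SCR = (
    b"MZ" + b"\x90" * (0x3C - 2) + struct.pack("<I", _E_LFANEW)
    + b"\x00" * (_E_LFANEW - 0x40) + b"PE\0\0"
    + b"\x00" * 8 + b"This program cannot be run in DOS mode\x00"
    + b"http://www.paypal.example/update\x00"
)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # JPEG magic, benign control case

if __name__ == "__main__":
    for name, blob in (("www.paypal.com.scr", SAMPLE_SCR), ("photo.jpg", SAMPLE_JPEG)):
        r = inspect_attachment(name, blob)
        print(name, r["risk"], r["findings"], printable_strings(blob))
```

The two checks are independent on purpose: a renamed binary still carries the `MZ` magic, and a file with an executable extension is dangerous even if its header is unfamiliar. Strings are only a hint about intent (URLs, messages); anything beyond that belongs in an isolated sandbox, not on the recipient's machine.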
  13. Re:E-Mails by Anonymous Coward · · Score: 1, Interesting

    The problem with monolithic government agencies is that they can only respond to problems as fast as a monolithic government agency can.

    These people un-compromise the systems after they're done - and with such a small window of opportunity our agencies are just starting to look into the matter by the time the group has finished cleaning up its traces.

    The fun thing is that if everyone had proper backup systems in place (by which I mean *daily* backups of anything and everything that changes on a server - most importantly done via a server that is not internet-addressable), they would be able to piece together the puzzle more readily.

    Unfortunately, most companies are run by idiots who don't comprehend the importance of proper backups until they spend $20K or more on data recovery (or at least that much recreating the lost work), so our agencies usually have no ability to uncover who was doing what.

  14. Something similar... by Anonymous Coward · · Score: 5, Interesting

    I was recently (about 2 months ago) defrauded in the amount of $6000 in an Advance Fee Fraud. I realize most people will laugh at me for this, but some of these scammers can be particularly convincing. The scam in this case involved the purchase of my car (which was being sold online), and a cashier's check of an amount in excess of the agreed purchase price. This 'excess' was to be wired to the 'shipper', as the car was going overseas.

    Anyhow, I decided to do something about it. I hacked into the email account used to defraud me, and followed a chain of emails and accounts that eventually led me to a handful of personal accounts. Each time I gained access to a new email account, I'd peek at all the emails inside and warn off any people who were being targeted from that particular account. After a month and a half of monitoring personal email, I gathered real names, relations, addresses and even resumes on those people involved. The particular 'ring' of scammers that got me is a family and friends affair, with the eldest brother of the family attending university in London, UK. His brothers and cousins (who live in Nigeria) work the fake email accounts and collect 'clients'. Once they have a deal made and personal information collected, they forward this to the ring leader in London, who contacts his sources to produce fake checks. He also takes over the email account, giving out a UK mobile phone number (changes often) to 'clients' who ask for one.

    The money is sent in the name of one-time accomplices. These are people that the ring leader recruits to pick up money at Western Union counters. Once the money is picked up, he gives them a portion then splits the rest between himself, the cheque source and the relative who originally manned the email account.

    Long story short: I have all this information, and don't know exactly what to do with it. I've tried to contact the London Metropolitan police anonymously (via email), several times, and have not heard back. I'm not sure if I should go to my own federal authority because what I've done to gather the information is illegal.

    This particular scam has people involved in the US, Canada, the UK and Nigeria. I'm located in Canada. Any advice?

  15. Re:A fool and his money by hazem · · Score: 3, Interesting

    That reminds me of a story about a guy who would walk down the street, and any good-looking woman he saw, he would ask her if she wants to have sex. He said, "sure, you get slapped several times in a day, but eventually someone says yes".

  16. Browser should display real URL... by Mad+Bad+Rabbit · · Score: 4, Interesting

    To stop this phishing technique, browsers ought to
    pop up a warning dialog for URLs with a username
    field (especially if it contains one or more dots).
    Something like:

    | Alert -- Actual URL is:
    |
    | Domain Path: badpeople.hackedsite.ru/hahaha
    | Username: www.citibank.com
    | Password: verify=

    This would at least highlight the real site the
    link is pointing to.

    --
    >;k
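
The link trick described in the quoted report (a URL that begins with "www.citibank.com" but resolves to "sd96v.pisem.net") and the warning dialog proposed in the comment above both come down to parsing the URL the way the browser does: everything before the `@` in the authority is userinfo, not the host. The following is an added example in Python, not code from either commenter or from any browser; `analyze_link` and `alert_text` are names chosen here, and the sample URLs are the ones from the comment plus a benign control.

```python
import re
from urllib.parse import urlsplit

# Plain hostname shape. A username that looks like this is almost certainly a
# lure such as "www.citibank.com" placed in front of the real host.
HOSTLIKE_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def analyze_link(url):
    """Split a link the way a browser resolves it and flag userinfo tricks."""
    p = urlsplit(url)  # userinfo is everything before the last '@' in the authority
    result = {
        "real_host": p.hostname,
        "path": p.path or "/",
        "username": p.username,
        "password": p.password,
        "deceptive": False,
        "reason": "",
    }
    if p.scheme in ("http", "https") and p.username is not None:
        result["deceptive"] = True  # web links have no legitimate use for credentials
        if HOSTLIKE_RE.match(p.username):
            result["reason"] = "username field impersonates a hostname"
        else:
            result["reason"] = "credentials embedded in a web link"
    return result


def alert_text(url):
    """The warning dialog the comment sketches, as text; None when there is nothing to say."""
    r = analyze_link(url)
    if not r["deceptive"]:
        return None
    return "\n".join([
        "Alert -- Actual URL is:",
        "",
        f"Domain Path: {r['real_host']}{r['path']}",
        f"Username: {r['username']}",
        f"Password: {r['password'] or ''}",
    ])


if __name__ == "__main__":
    for u in ("http://www.citibank.com:verify=@badpeople.hackedsite.ru/hahaha",
              "https://www.citibank.com/"):
        print(u, "->", analyze_link(u))
        print(alert_text(u))
```

The same split is what a mail gateway or proxy can apply to every link in a message: any `http`/`https` URL carrying userinfo is worth flagging outright, and one whose username looks like a hostname is worth blocking. Mainstream browsers have since moved in this direction by warning on, or hiding, userinfo in navigations, but links in mail clients and chat tools still deserve the check.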
  17. Re:TROLL ALERT by Anonymous Coward · · Score: 3, Interesting

    I said 'hacked into their email', because I spent a week finding an honest to goodness flaw in Yahoo! Mail. This flaw lets me send a malicious email. When the email is opened, it is read like normal. When the page is left, the user is redirected to a "Relogin" screen, but the URL is still within the Yahoo! domain. After collecting the password, the user is forwarded harmlessly back to reading the email. That actually involved 'hacking'... Plus, I gained access to the ring leader's computer through his BT DSL account.

    I've reported the crime to the RCMP, but the criminals are in the UK and Nigeria. I don't want to tell the RCMP the info I have, because what I've done is illegal.

    The parent is NOT a troll.

  18. Re:Protecting oneself... by leviramsey · · Score: 2, Interesting

    Adjust the score of bayes_99. Every few months or so, I increase the scores of the bayesian tests by 10% or so, as the training from an expanded corpus makes the bayesian scores more reliable.

    I've been thinking about implementing my own spamassassin derivative that, rather than assign scores to distinct regexps and then run through a bayesian scanner, uses the regexps matched as extra tokens for the bayesian scanner to chew on. Because the regexps would be crafted to look at certain non-tokenized data (such as a gap of more than 6-12 hours in the Received: headers, or similar domains in the To: or Cc: addresses, or indications of a dictionary attack, etc.) this would undoubtedly be more effective than a simple bayesian scanner. But I'd actually have to learn perl before doing that...
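
The design sketched above (regex checks emitted as extra tokens for a Bayesian scorer to weigh, rather than hand-assigned scores) is small enough to show end to end. The following is an added example in Python, not the commenter's code and not SpamAssassin; the three checks (a Received: gap over 6 hours, two recipients sharing a domain, a link carrying userinfo), the `FEAT_*` token names and the training messages are all constructed here for illustration, and the classifier is a plain multinomial naive Bayes with Laplace smoothing over presence tokens.

```python
import math
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

WORD_RE = re.compile(r"[a-z][a-z0-9']{2,}")
# A web link carrying credentials, e.g. http://www.bank.example:x@evil.example/
USERINFO_URL_RE = re.compile(r"https?://[^/\s@]+@")


def received_gap_hours(msg):
    """Largest gap, in hours, between consecutive Received: timestamps."""
    stamps = []
    for hdr in msg.get_all("Received", []):
        try:  # the timestamp follows the last ';' of a Received: header
            stamps.append(parsedate_to_datetime(hdr.rpartition(";")[2].strip()))
        except (TypeError, ValueError):
            continue
    gaps = [abs((a - b).total_seconds()) / 3600 for a, b in zip(stamps, stamps[1:])]
    return max(gaps, default=0.0)


def shared_recipient_domain(msg):
    """True when two or more To:/Cc: addresses share a domain (dictionary-attack hint)."""
    addrs = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    domains = Counter(a.rpartition("@")[2].lower() for a in addrs if "@" in a)
    return any(n >= 2 for n in domains.values())


def tokens_for(raw):
    """Word tokens from subject and body, plus FEAT_* tokens from the regex checks."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    toks = set(WORD_RE.findall((msg.get("Subject", "") + " " + body).lower()))
    # The checks become ordinary tokens; training decides how much each is worth.
    if received_gap_hours(msg) > 6:
        toks.add("FEAT_RECEIVED_GAP")
    if shared_recipient_domain(msg):
        toks.add("FEAT_SHARED_RCPT_DOMAIN")
    if USERINFO_URL_RE.search(body):
        toks.add("FEAT_USERINFO_URL")
    return toks


class NaiveBayes:
    def __init__(self):
        self.docs = Counter()  # messages seen per label
        self.tok = {"spam": Counter(), "ham": Counter()}
        self.vocab = set()

    def train(self, raw, label):
        toks = tokens_for(raw)
        self.docs[label] += 1
        self.tok[label].update(toks)
        self.vocab |= toks

    def score(self, raw):
        """log P(spam|msg) - log P(ham|msg) with Laplace smoothing; > 0 means spam."""
        toks = tokens_for(raw)
        total = sum(self.docs.values())
        lp = {}
        for label in ("spam", "ham"):
            lp[label] = math.log(self.docs[label] / total)
            denom = sum(self.tok[label].values()) + len(self.vocab)
            for t in toks:
                lp[label] += math.log((self.tok[label][t] + 1) / denom)
        return lp["spam"] - lp["ham"]

    def classify(self, raw):
        return "spam" if self.score(raw) > 0 else "ham"


def build(received, to, subject, body):
    """Assemble a constructed raw message (sample data, not captured mail)."""
    hdrs = "".join(f"Received: {r}\n" for r in received)
    return f"{hdrs}To: {to}\nSubject: {subject}\n\n{body}\n"


# Constructed Received: lines; HOP_LATE is 16 hours after HOP_1, HOP_2 five minutes.
HOP_1 = "from a.example (a.example [192.0.2.1]) by mx.example.org; Mon, 29 Sep 2003 10:00:00 +0000"
HOP_2 = "from b.example (b.example [192.0.2.2]) by mx.example.org; Mon, 29 Sep 2003 10:05:00 +0000"
HOP_LATE = "from c.example (c.example [192.0.2.3]) by mx.example.org; Tue, 30 Sep 2003 02:00:00 +0000"
TRAINING = [  # tiny constructed corpus; a real one needs thousands of messages
    (build([HOP_LATE, HOP_1], "a@example.com, b@example.com", "Verify your account",
           "Please verify your account details now http://www.bank.example:x@evil.example/login"), "spam"),
    (build([HOP_LATE, HOP_1], "c@example.com, d@example.com", "Update your card PIN",
           "Your card and pin must be updated within five days"), "spam"),
    (build([HOP_2, HOP_1], "you@example.com", "Lunch tomorrow?",
           "Are we still meeting for lunch tomorrow at noon"), "ham"),
    (build([HOP_2, HOP_1], "you@example.com", "Project notes",
           "Attached are the meeting notes from the project review"), "ham"),
]
FILTER = NaiveBayes()
for _raw, _label in TRAINING:
    FILTER.train(_raw, _label)

SPAM_SAMPLE = build([HOP_LATE, HOP_1], "x@example.com, y@example.com",
                    "Account verification required",
                    "verify your account http://www.bank.example:verify=@evil.example/")
HAM_SAMPLE = build([HOP_2, HOP_1], "you@example.com", "Coffee", "Coffee after the meeting at noon")

if __name__ == "__main__":
    for raw in (SPAM_SAMPLE, HAM_SAMPLE):
        print(sorted(tokens_for(raw)), round(FILTER.score(raw), 2), FILTER.classify(raw))
```

Because the `FEAT_*` tokens go through the same smoothed counts as words, a check that fires on ham as often as on spam ends up with no influence, which is the advantage over fixed per-rule scores that have to be retuned by hand as the corpus grows.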

  19. Mod down: -1 LIES. There is no such show. by pr0ntab · · Score: 2, Interesting

    This is a common troll.
    "I did post production on movie."
    "I work for XYZ corporation, and we will have press release soon"
    "I am a staff writer for XYZ journal, and in our new issue..."

    No evidence, no content, just an empty, poorly worded promise for something to come that gets modded up without CHECKING.
    (hint, it's not on at 7 PDT or EDT, in fact, it's going to be all thanksgiving re-runs, all day)

    Every moderator who modded this up should get SLAUGHTERED in M2 for such stupidity.

    Jesus.

    --
    Fuck Beta. Fuck Dice
  20. Re:The scariest part... by Malcontent · · Score: 2, Interesting

    Most large banks probably look at these things with a wink and a nod. The amount of money laundering that goes on by drug dealers, arms dealers, terrorists and other criminals must be staggering compared to spammers.

    If the banks profit they will find a way to look away. Also there is a "legal" need for corporations to shuttle vast amounts of money to and from overseas accounts to hide profits from the tax collectors all over the world. I imagine it's probably relatively easy to ride that wave without being noticed too much.

    --

    War is necrophilia.

  21. Scary and sad by Pan+T.+Hose · · Score: 2, Interesting

    When someone sent out spams attempting to scam people with accounts with Sony Financial Services, I contacted them about it and they promised they'd have someone call me first thing next day. They never did.

    Sadly, the only thing that corporations care about today is bottom line. (This is the reason Microsoft antitrust was such a farce, by the way.) This story reminds me of the story about Kevin Mitnick testifying against Sprint in Vice Hack Case:

    [...] "to my knowledge there's no way that a computer hacker could get into our systems." [...] to the company's knowledge Sprint's network had "never been penetrated or compromised by so-called computer hackers." [...] Two hours later, Mitnick returned to the hearing room clutching a crumpled, dog-eared and torn sheet of paper, and a small stack of copies for the commissioner, lawyers, and staff. At the top of the paper was printed "3703-03 Remote Access Password List." A column listed 100 "seeds", numbered "00" through "99," corresponding to a column of four digit hexadecimal "passwords," like "d4d5" and "1554."

    Truly scary. Scary and sad.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  22. Re:What to do about this by robogun · · Score: 2, Interesting

    Honestly, I doubt that type of fraud is too prevalent any more. Ebay cancels accounts on shill bidding, though you can probably get past it by proxying carefully. In shilling, you also take the risk of overdoing it, that you end up winning it, and are stuck with paying Ebay's cut (a percentage of the winning bid). If you have to have a price, the best way is to set a reserve price.

    To get back on topic, I would bet a good percentage of people have multiple ebay accounts, much like they have multiple Hotmail addresses.

    People can and do flip thru your feedback and look at what you bid. For 90 days at least your bids are waving in the wind. On Yahoo! auctions, your bidding record is permanent and publicly associated with your Yahoo! ID - bet you regret bidding on those worn panties now!!!

    Because your bidding is public record, many people have one acct for pr0n sleaze and filth, one for gear (good idea to keep that one w/ an immaculate rating), and one bad guy when they want to do damage to a shitty seller.

    Additional accounts aren't a bad idea when bidding in specialty circles (for example, antique silverware or Frida prints). You get known especially after acing out other bidders with a snipe, and this affects prices positively (bad for bidders) after the other bidders raise their conventional bids to block your snipe.
    Due to the anonymity of the internet, you can avoid the bidding wars that occur at live auctions.

  23. This is not what you'd normally call a "hacker" by 0x0d0a · · Score: 4, Interesting

    This isn't exactly someone who ran out and did something positive securitywise out of the goodness of his heart. It isn't even data from someone who works in security and ran out and did something on the side.

    This entire linked-to article is, frankly, an advertisement. It's an advertisement to try to get people to buy security consulting services from this company. Impressively, this company managed to get the story on Slashdot. It's a sample report (you can figure this out early because of the number of tables and screenshots). (Silly execs love tables and pictures -- be sure to include lots if you're ever in a vending situation, even if they provide little useful content.) Other red flags include the fact that it's aimed at financial services (folks who have lots of money), and focuses on flaws in what Citibank is doing (with the implicit suggestion that this company could help them). Especially notable is the fact that it focuses on flaws in Citibank's behavior even if said behavior is not particularly relevant to the scam, such as the format of Citibank's emails. Are customers going to notice or care whether Citibank emails contain unique identifiers -- *not* hashbusters? No, though a security consultant who focuses on spam would.

    Then they have the nice little blurb at the bottom about the company.

    Frankly, they missed one important aspect. You can't sell anything to a company unless you can provide a measure of how much the company can save. They should run out and get a ballpark estimate on how much Citibank could potentially, worst-case, lose from this. They subtract proposed consulting fees and end up with a nice fat number.

    The reason I find this advertisement vaguely disturbing is because folks like this are just another leech feeding off of fat, stupid corporations. Lots of consultants already do so. However, what these folks do *sounds* good but has little point. It's not financially feasible for a company to pay a small private army of techies to try to track down random Russians so that legal nastygrams can be sent to them (keep in mind that the firm didn't actually *identify* who the spammers were). There are too many potential baddies out there. A financial services corporation would be *far* better served by developing secure communication policies and technology that are *easy* to use for the consumer, and then spending money educating their customers about these. Then they become difficult to attack. To go after individual bad guys is like plugging holes in a dike -- very profitable for the guy being paid to plug holes, but ultimately ineffective.

  24. Re:Protecting oneself... by j3110 · · Score: 2, Interesting

    Hey, most of the web people browse /., we should be arguing:
    Stop using JavaScript completely!

    Of course that will break Mozilla's plans for XUL. The best thing you could do is re-invent how JavaScript works. What if pages with JavaScript required a signature? Then we could set up trust levels per site/coder. Enough people use Mozilla that people would fix their sites if they wanted to use JavaScript. If you ran into a site that didn't have signatures, and ran JavaScript, you could have an automated email to webmaster@domain to let the user complain, and I'm sure that will get some attention! :)

    Just make a new header for it, and you could have apache implement auto-signing using .htaccess so you only need to put two files in your directory to sign.

    It would also be cool if there was a non-profit signature authority that used postal addresses and publicly appointed (and paid) members to track down both spam and crackers to reject their keys. It would also be cool to only return your key to an increasing subset of the population as time goes without complaint. (ex. only 1/10 people see your site for the first 100 viewers and day, then it bumps up to 1/2 for the next week, then you get full privileges unless your key is signed by another as a voucher). Complaints need speedy verification, and require an account so you can get blacklisted for bad complaints. I think this would also be cool for normal certs too, but have the spam stream configurable (spam.opencertification.org and opencertification.org) then put it in e-mail too.

    Kill all the net-scum in one attack. Maybe we can even make it so that programs reject running if they aren't signed. That'll take care of executable viruses and I could also make it impossible for my clients to install gatorized software. (They just don't know when they are installing something bad, and they can't bother me every time they run across something neat online).

    I'm sure at least some of my ideas are good. Pick some out and maybe we can get enough following to get something done for good about IT abuse, which I'm betting just all of us have to deal with from scams, cleaning viruses, pop-up porn, spam, etc. It may not fix it all, but I think certs would put a dent in it, and has much less of a chance of getting abused like SPEWS was (massive amounts of people not being able to function in the IT world because someone hosts their DNS entry on the same ISP as you, or the 6 month aftermath that doesn't seem to have died with the SPEWS DB).

    --
    Karma Clown