Hackers Track Down Banking Fraud
An anonymous reader writes "Noticing some commonalities in the spam flooding their email
in-boxes, a small group of hackers set out to track down who was
responsible. Along the way they uncovered a trail that led them to an
organized gang of criminals halfway around the world, and right back
to some of the largest financial institutions in the US, and their
customers, that became the gang's prey. See the SecurityFocus story for more details."
...that most hackers are just out to do good. The stereotype that hackers have gotten is ridiculous, and largely due to a few notable individuals who do malicious things (steal credit card numbers, etc.), and I believe that hackers are a primary security measure of the society of the internet.
Think of them as citizen-cops, they find the bad things and patch them, report them, these are the guys who we should praise, not put down. God Bless the white hat hacker.
These hackers need to be prosecuted. This is unacceptable.
It's about time the "hacker" community gets some positive news, just one more step to remove the "cyber-terrorist" label the news/media has created.
If computers ever fail you economically, welcome to law enforcement.
Seriously, law enforcement needs much more of this. I can't name the last time I met a cop who understood computers at all.
One would think that if you want to run a successful scam that looks like it came from a legitimate source, you wouldn't word e-mails like
"and PIN that you use on ATM."
"becaurse some of our members no longer have access to their email addresses and we must verify it" (misspelling / run on sentence)
This reminds me of Cliff Stoll, an astrophysicist who moonlighted as a sysadmin at UC Berkeley, and noticed a discrepancy of a cent or less in the CPU time accounting system.
I won't spoil the story, but see if your local library has a copy of the Cuckoo's Egg (by Stoll). His more recent book, Silicon Snake Oil, discusses the falsities behind throwing technology (computers) at people, particularly in schools, for example...and was also quite good when it came out (and schools were dumping boatloads of $ into computer labs which sat mostly empty).
He's humble, intelligent, well educated, writes fun-to-read stuff...one of the computer scientists (and physicists) I respect the most, far above all the three-letter personalities.
Please help metamoderate.
Recently I've been seeing a marked increase in things like this for PayPal as well as the main UK banks including Lloyds and Barclays. People are definitely getting more aggressive to get your details.
Also the emails are getting "smarter" in that they look more like the place and make use of the old http://www.domain1.com@www.domain2.com trick, which for a newbie can be very easily misread.
Rus
Cheap UK and US VPS
Along the way they uncovered a trail that led ... right back to some of the largest financial institutions in the US
So have they been arrested and charged under the DMCA for divulging weaknesses in the financial system?
If I walk up to you, and say "Hi, I'm with Citibank, we have a problem with your account, we need to verify your account number and PIN, please write it down on this piece of paper and give it to me." I'll get a punch in the mouth. Yet when the average user gets a call or E-mail asking for this info, it's handed over.
You know who I think is crazy? All my ex-girlfriends!
...is that Citibank apparently didn't even care. When someone sent out spams attempting to scam people with accounts with Sony Financial Services, I contacted them about it and they promised they'd have someone call me first thing next day. They never did.
I don't like to say this, but if they are indifferent about this sort of crime now, they are going to have no chance of fighting it.
Honorary Member of Jackie Chan's Kung Fu Process Servers
I wouldn't call what they were doing exactly "hacking". They simply ran some lookups and other simple discovery tools a person would use as preparation for an attempted hack. They never performed any exploits though, like actually trying to access the web server in Russia to see what information they actually had...
the 419 fraud isn't a Ponzi scam.
A Ponzi scam is where you take money from new "investors" and use some of it to pay an apparently high return to your existing investors, grabbing the rest for yourself. Everybody's happy until (inevitably) you run out of new investors and the whole thing falls apart.
The 419 fraud involves a promise to transfer $millions into the victim's bank account, for some trumped up and obviously rather dubious reason. At the last minute you ask the victim to pay a "transfer fee" of perhaps a few $1000. You then vanish with the "transfer fee", never to be heard of again.
We lost control of the word "hackers" a long long time ago. It has been more than 10 years since the horse left the barn, stop whining about the open gate.
...so here it is for the unlucky. There were a few pictures, and text examples I removed so it wouldn't get too big, but it's mostly intact.
----
1 Overview
Not all people that send undesirable email (spam) are the same. Their motives differ as greatly as their tools and technical abilities. This document uncovers a spam gang who seeks to acquire your banking information, and the response from one of the targeted victims: Citibank.
This document describes the unique bulk-mailing tool used for a recent rash of financial email scams. These scams target financial entities such as Citibank, Wells Fargo, Halifax Bank, eBay, and Yahoo. Only one specific spam gang uses this tool for these financial scams. This spam gang started slow with only a few members, but has increased in both gang membership and spam volume.
All emails and headers are provided unmodified with the following exception: all personal information has been modified to protect the identity of the recipient. These modifications are denoted with bold and underlined typeset. Every effort has been made to retain the same data format without disclosing personal information. For data taken from the public domain, such as newsgroup postings and messages from open forums, no effort has been made to modify the data or protect the publicly disclosed recipient.
2 The Citibank Scam
With the growth of online banking comes online fraud. These schemes vary from web sites that "look" like the actual financial institution to email asking for personal banking information. At first glance, the email below (Fig. 1) looks like just another one of these simple bank fraud schemes.
At a quick glance, this email appears to be from Citibank, as it contains a Citibank URL. But a closer inspection indicates a financial scam:
* The email contains multiple misspellings and grammatical errors, such as "becaurse" and "This automatic email sent to:".
* The content contains hash-busters (unique characters in the contents that are used to bypass hash-based spam filters). For example, the "-t-" and "K" in the main paragraphs, and the "y" and "C" before the long lines of hyphens. Different recipients received the message with different hash-buster characters.
* Although the included URL begins with "www.citibank.com", it actually goes to "sd96v.pisem.net" [ref 1]. This server is hosted in Moscow, Russia and is not part of Citibank.
* The email header does not originate from Citibank. Instead, it originated from a DSL system in Italy. Network scans of this host (Appendix A) indicate that the system was likely compromised.
People who clicked on the link saw the Citibank web page and a popup that prompts for login information (Fig. 2, Fig. 3). Although the Citibank web page actually came from Citibank, the popup came from a non-Citibank server. Victims that entered banking information in the popup essentially gave their accounts to an unknown scam artist.
2.1 Mass Mailing Revisions
The 29-Sep-2003 mass mailing (Fig. 1, Fig. 2, and Fig. 3) is actually the second revision of the fraudulent bank emails. The first revision appeared on 16-Aug-2003 and asked the recipient to view new banking terms and conditions. Users who clicked on the link were redirected to a server in China. The first revision included the recipient's email address as a field in the URL. The second revision replaced the address field with a series of random characters. The popup for the second revision only asked for the user's Card and PIN numbers. The third release on 25-Oct-2003 (Fig. 4) was revised to prompt for the user's Card number, PIN number, and expiration date.
In nearly every case, a Russian server was used, either to host the requests, or to act as a web-bug and count the number of hits. For example, the web bug from the first revision can be found here. According to this web-log, there were 107,274 hits on 16-Aug-2003, and 91,573 hits on 17-Aug-2003 (Fig. 5). These were primarily due to responses to the first sp
If you haven't RTFA, I suggest you do. Here's why:
After nine years on the net, this is the first scam that I believe I might (though probably not, as I always show the address bar and look for the secure connection icon) have fallen for.
Having your web browser load Citibank's home page, and then swiping the info via a rogue pop-up is the sneakiest tactic I've seen.
Even the link in the email appears to be from Citibank upon first glance.
An exceptionally clever and well-crafted scam.
__ Someday, but not this morning, I'll finally learn to use the preview button.
In this scam a pop-up with no navigation and no URL box was presented to the user on top of a genuine web page. This confused the user into thinking the pop-up came from Citibank. Advertisers like such pop-ups because it locks the user into a path specified by the advertiser and obscures the source of the ad. Some web designers like the format because they think it looks less cluttered.
Most modern web browsers can be set to block pop-ups, force navigation, or always display the URL. Many advertisers whine that this is unfair. So what. What is even more amazing is that generally responsible companies, such as eBay, will create pop-up screens with no URL and no navigation, thereby setting a precedent that allows such fraud.
The same is true of images from a third-party server. It is useful for advertisers to set web bugs and large-scale rotating campaigns. It is even useful for websites to distribute load. It also introduces security issues.
Which is just to say that many on /. would say that the luser should be more careful, and stupid people deserve to be swindled. But I have seen financial organizations use pop-ups and third-party ads to push product to their customers on the customers' financial information page. This is a page that should only contain sensitive information, not irrelevant content. The banks are willing to compromise security to push products. And then the banks complain that customers are to blame.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Paying hackers to track down scammers and spammers.
They seem to be a lot better at it than law enforcement.
No, this is not a troll...
*sigh* whatever...
I don't know the meaning of the word 'don't' - J
The thing that makes this possible is the HTTP 303 error. Is there any way to detect the 303 when someone comes to your site to determine if it's legitimate or not?
Otherwise it seems there is NO way to protect against this (except smarter consumers... Like that's going to happen!).
Tell their customers that they will NEVER correspond with them via email and will NEVER ask for their ATM pin number over the internet in any shape or form. My bank did this when I signed up for online banking. This is of course obvious to 99.999999% of the /. crowd but to everyday common people (read stupid) this might not make sense or be obvious.
...because more stories like this would only help the word "Hacker" gain a better stand in the public at large.
:)
Stories like this would be serious eye openers to my family and friends who seem to know nothing about computer fraud.
I submitted the story to a few local news agencies. Hopefully one of them picks up on it.
My work here is done
Life is like pants... fit in or you don't fit in.
The Paypal scammers, with only your password, can literally take you for every cent you got AND every cent of credit availability.
And where is the mention of the origin of it all, the AOL phishers? I guess you only see it on AOL but it is a huge problem over there. The main purpose seems to use compromised accounts to spam AOL members from inside, it happened to my dad, who is still "not budging" from AOL.
The ideal solution would be a distributed deliberate response, using the form provided by the spammer, by the targeted companies, who could load predetermined user/pass combinations and disinformation (I have a script) into their database. When access is attempted using the provided login/password combinations, the criminal is detected in real time (he is not safe by proxying - he is still dead meat when seen in action. Logs will exist on the proxy servers to point right to him, the more the merrier.)
...Much worse than "Citibank didn't care". Look down lower on the SecurityFocus report and you'll see that Citibank's own fraud reporting webpage appears to be compromised, they know about it, and they hadn't (as of publication date) tried to correct it. The email reply from the fraud page is itself fraudulent, and directs users to a nonexistent toll-free number or a private AOL email address, although it appears to come from Citibank's own servers!
Also, there's a CNET article about the August 16 version of the scam, reported on August 18, 2003. The article is supposed to be here at http://news.com.com/2011-10173-5065394.html?tag=ma instry
But when you check that link, it first comes up, then a second or two later gets redirected to a search page claiming that the article is "expired".
Strangely, the CNET search page (which searches on terms similar to the title) comes up with 2 flattering articles about Citibank's quality process, one dated 2002, the other dated 2000. Neither of those articles has "expired". Draw your own conclusions here.
For those who aren't too quick on the mouse, part of the text of the "expired" article is here:
SecurityFocus notes that Citibank should know the exact number of people who came to their website from the fraudulent redirection, although officials there claim not to know. It also seems unlikely that Citibank's systems were not compromised, considering the email replies that came from their "report fraud" webpage.
I was recently (about 2 months ago) defrauded in the amount of $6000 in an Advance Fee Fraud. I realize most people will laugh at me for this, but some of these scammers can be particularly convincing. The scam in this case involved the purchase of my car (which was being sold online), and a cashier's check of an amount in excess of the agreed purchase price. This 'excess' was to be wired to the 'shipper', as the car was going overseas.
Anyhow, I decided to do something about it. I hacked into the email account used to defraud me, and followed a chain of emails and accounts that eventually led me to a handful of personal accounts. Each time I gained access to a new email account, I'd peek at all the emails inside and warn off any people who were being targeted from that particular account. After a month and a half of monitoring personal email, I gathered real names, relations, addresses and even resumes on those people involved. The particular 'ring' of scammers that got me is a family and friends affair, with the eldest brother of the family attending university in London, UK. His brothers and cousins (who live in Nigeria) work the fake email accounts and collect 'clients'. Once they have a deal made and personal information collected, they forward this to the ring leader in London, who contacts his sources to produce fake checks. He also takes over the email account, giving out a UK mobile phone number (changes often) to 'clients' who ask for one.
The money is sent in the name of one-time accomplices. These are people that the ring leader recruits to pick up money at Western Union counters. Once the money is picked up, he gives them a portion then splits the rest between himself, the cheque source and the relative who originally manned the email account.
Long story short: I have all this information, and don't know exactly what to do with it. I've tried to contact the London Metropolitan police anonymously (via email), several times, and have not heard back. I'm not sure if I should go to my own federal authority because what I've done to gather the information is illegal.
This particular scam has people involved in the US, Canada, the UK and Nigeria. I'm located in Canada. Any advice?
Surf with JavaScript off. Stops spammers of all stripes from trying to exploit your browser to cover their tracks. Check e-mail with a mail client that isn't stupid (i.e., Outlook), and allows you to toggle HTML rendering on/off so you can examine the underlying code (even better, get a client that only displays plain text.) Get a Mac to really screw up malware.
Unfortunately, the essential element, common sense, is what is tripping people up. Would your bank really contact you via e-mail to get your personal info? Would your bank call you up and ask for your personal info? They're your bank for chrissakes, they can get a complete profile on you just by asking the credit bureau!
Last note - the best way to prevent any failure in mental processes is to keep the mail from reaching the user in the first place. SpamAssassin has done incredibly well by me ever since I trained the Bayesian feature on a backlog of scam mails. I rarely get financial scam mails; instead now I have to fight soft-pedal scams that trip none of SA's hard-coded rules, but still score a bayes_99 score. Oh well...
Don't people realize that you are allowed to have multiple bank accounts, and multiple credit cards?
I don't really consider myself all that paranoid, but I'm not about to link the bank account that has all my savings up with Paypal. The account I linked up could be accurately described as my "spending money" account, which means that if I'm compromised, they aint getting much and I aint losing much. Since I can just walk across the street and deposit a check from my real account, I have no need to link a credit card to Paypal. If I did, I would simply get a new credit card with a low credit limit. It's not like it's difficult to get a credit card, is it?
To stop this phishing technique, browsers ought to pop up a warning dialog for URLs with a username field (especially if it contains one or more dots). Something like:
| Alert -- Actual URL is:
|
| Domain Path: badpeople.hackedsite.ru/hahaha
| Username: www.citibank.com
| Password: verify=
This would at least highlight the real site the link is pointing to.
>;k
I said 'hacked into their email', because I spent a week finding an honest to goodness flaw in Yahoo! Mail. This flaw lets me send a malicious email. When the email is opened, it is read like normal. When the page is left, the user is redirected to a "Relogin" screen, but the URL is still within the Yahoo! domain. After collecting the password, the user is forwarded harmlessly back to reading the email. That actually involved 'hacking'... Plus, I gained access to the ring leader's computer through his BT DSL account.
I've reported the crime to the RCMP, but the criminals are in the UK and Nigeria. I don't want to tell the RCMP the info I have, because what I've done is illegal.
The parent is NOT a troll.
This is a common troll.
"I did post production on movie."
"I work for XYZ corporation, and we will have press release soon"
"I am a staff writer for XYZ journal, and in our new issue..."
No evidence, no content, just an empty, poorly worded promise for something to come that gets modded up without CHECKING.
(hint, it's not on at 7 PDT or EDT, in fact, it's going to be all thanksgiving re-runs, all day)
Every moderator who modded this up should get SLAUGHTERED in M2 for such stupidity.
Jesus.
Fuck Beta. Fuck Dice
Sadly, the only thing that corporations care about today is the bottom line. (This is the reason the Microsoft antitrust case was such a farce, by the way.) This story reminds me of the story about Kevin Mitnick testifying against Sprint in the Vice Hack Case:
Truly scary. Scary and sad.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
No, Mr. Joseph wouldn't know if he is not part of IT or Security/Investigations, but he is correct, there has not been a breach since Adrian Lamo hacked the proxy servers a few years ago (I don't have a link to a previous story on that). But the story is not fabricated, and the response e-mail the author received from the fraud report was legitimate (although the AOL account is questionable, it is indeed legitimate; hatsu1 stands for Home Access Tech Support Unit 1).
That is not an article claimed to be factual. It's opinion. It's counterpoint.
Second, this statement is not entirely false. There are local root exploits for Linux. They're less important than the remote ones, but there are more of them. They get patched more quickly, but it is still strongly advised not to give random people shell accounts for this very reason.
I hereby place the above post in the public domain.
This isn't exactly someone who ran out and did something positive securitywise out of the goodness of his heart. It isn't even data from someone who works in security and ran out and did something on the side.
This entire linked-to article is, frankly, an advertisement. It's an advertisement to try to get people to buy security consulting services from this company. Impressively, this company managed to get the story on Slashdot. It's a sample report (you can figure this out early because of the number of tables and screenshots). (Silly execs love tables and pictures -- be sure to include lots if you're ever in a vending situation, even if they provide little useful content.) Other red flags include the fact that it's aimed at financial services (folks who have lots of money), and focuses on flaws in what Citibank is doing (with the implicit suggestion that this company could help them). Especially notable is the fact that it focuses on flaws in Citibank's behavior even if said behavior is not particularly relevant to the scam, such as the format of Citibank's emails. Are customers going to notice or care whether Citibank emails contain unique identifiers -- *not* hashbusters? No, though a security consultant who focuses on spam would.
Then they have the nice little blurb at the bottom about the company.
Frankly, they missed one important aspect. You can't sell anything to a company unless you can provide a measure of how much the company can save. They should run out and get a ballpark estimate on how much Citibank could potentially, worst-case, lose from this. They subtract proposed consulting fees and end up with a nice fat number.
The reason I find this advertisement vaguely disturbing is because folks like this are just another leech feeding off of fat, stupid corporations. Lots of consultants already do so. However, what these folks do *sounds* good but has little point. It's not financially feasible for a company to pay a small private army of techies to try to track down random Russians so that legal nastygrams can be sent to them (keep in mind that the firm didn't actually *identify* who the spammers were). There are too many potential baddies out there. A financial services corporation would be *far* better served by developing secure communication policies and technology that are *easy* to use for the consumer, and then spending money educating their customers about these. Then they become difficult to attack. To go after individual bad guys is like plugging holes in a dyke -- very profitable for the guy being paid to plug holes, but ultimately ineffective.
May we never see th
Ten to one this story never reaches even the back page of the paper. Citibank refuses to even admit that anything happened (if I read the article correctly) and the average reporter would find most of this account incomprehensible. Until the Marines burst into the Russian Credit Card Thieves' base and rescue the pretty blonde army woman they've been imprisoning there, this isn't "news" by a long shot, and the corporate media will continue to say hackers = criminals, because that's the story that is most easily sensationalized.
Freedom: "I won't!"
Just use the term "hacker" in its positive meaning, or proper meaning if you like, and don't worry about people getting the wrong idea. It's easily fixed by telling them the meaning you applied to it, if it seems relevant/necessary.
A little backbone is all that's required. Be a leader, not a follower.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
Here is the URL I received (in one line):
The 10-cheapdesign.com site is now shut down.
The bad guys somehow have their web server set up to not URL-encode the spaces as %20, so you don't see the spaces in your address bar. The real URL you are visiting is truncated from the view of the browser's address bar. This combined with a well-worded email (you can't rely on them making spelling mistakes to catch this), and a complete replica of the website, is a dangerous thing.
On top of that, the warnings in the news and on the bank websites are inaccurate. They say not to send user names and passwords in email. That isn't how the scam works. It appears to be a safe link to your real bank site, unless you check for the presence of spaces in the URL or the SSL certificate on the login page.
Something is very wrong.
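The two link tricks described in this thread (a username field in the URL, as in the proposed "Actual URL is:" alert above, and embedded spaces that push the real host out of the address bar, as in the post just above) can be checked mechanically. The inspector below is an added example, not code from the thread or from SecurityFocus; its sample links are constructed, reusing the placeholder host badpeople.hackedsite.ru from the alert mock-up and the 10-cheapdesign.com domain named above.

```python
# Added example: decompose a link the way a user would need to see it, and
# emit the alert box proposed in the thread. Sample URLs are constructed.
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class LinkReport:
    actual_host: str            # the server the browser would really contact
    path: str
    username: Optional[str]     # text before '@' in the authority, if any
    password: Optional[str]
    whitespace: bool            # raw link contained spaces/tabs/newlines
    warnings: List[str] = field(default_factory=list)


def inspect_link(url: str) -> LinkReport:
    """Parse a link and record everything that could mislead a reader."""
    # Check the raw string first: urlsplit() drops leading/trailing whitespace
    # and embedded tab/newline characters, so the parsed form would hide them.
    whitespace = any(ch.isspace() for ch in url)
    parts = urlsplit(url.strip())
    # hostname is taken from the text AFTER the last '@' in the authority,
    # which is exactly what the "www.domain1.com@www.domain2.com" trick abuses.
    host = (parts.hostname or "").strip()
    report = LinkReport(host, parts.path, parts.username, parts.password, whitespace)
    if parts.username is not None:
        report.warnings.append(
            f"link carries a username field {parts.username.strip()!r}; "
            f"the site actually contacted is {host!r}")
        if "." in parts.username:
            report.warnings.append(
                "username field looks like a hostname: probable impersonation")
    if whitespace:
        report.warnings.append(
            "link contains whitespace; an address bar may truncate or hide "
            "the real host")
    return report


def is_deceptive(url: str) -> bool:
    """True when the link shows any of the patterns above."""
    return bool(inspect_link(url).warnings)


def format_alert(report: LinkReport) -> str:
    """Render the warning dialog in the layout the post above proposes."""
    lines = ["| Alert -- Actual URL is:", "|",
             f"| Domain Path: {report.actual_host}{report.path.strip()}"]
    if report.username is not None:
        lines.append(f"| Username: {report.username.strip()}")
    if report.password is not None:
        lines.append(f"| Password: {report.password.strip()}")
    return "\n".join(lines)


# Constructed samples (not links taken from any real mailing)
LINK_USERINFO = "http://www.citibank.com:verify=@badpeople.hackedsite.ru/hahaha"
LINK_SPACES = "http://www.citibank.com" + " " * 120 + "@10-cheapdesign.com/signon"
LINK_PLAIN = "https://www.citibank.com/us/index.html"

if __name__ == "__main__":
    for link in (LINK_USERINFO, LINK_SPACES, LINK_PLAIN):
        rep = inspect_link(link)
        print(format_alert(rep))
        for warning in rep.warnings:
            print("  !", warning)
        print()
```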
It seems like the citibank website is designed not to give out any email addresses but here's some addresses I've found.
I'd recommend sending a polite e-mail with the following details:
- A link to the SecurityFocus article http://www.securityfocus.com/infocus/1745
- State that there was a fraud attack on Citibank that may have affected over 100,000 clients.
- State that it seems likely that citibank should be able to identify which clients were affected by checking their web logs.
- Most importantly state that there seems to be something very wrong with their e-mail fraud reporting page, which may itself be compromised, and as such could the person you are contacting forward your e-mail to the appropriate Information Security department.
Please note that these people are not in departments related to IT or web development, so just ask them to forward your email to the appropriate person. Trust me, if enough people complain about this it will get resolved.
citibank@shareholders-online.com, shareholderrelations@citigroup.com, investorrelations@citi.com, fixedincomeir@citigroup.com, louis.f.fortunato@citigroup.com, evelyn.kenvin@citicorp.com, mary.cosgrove@citicorp.com, joseph.g.eicheldinger@citicorp.com, valerie.kuhl@citicorp.com, mamie.chinn-hechter@citicorp.com, geoffrey.h.siedor@travelers.com, johnsonl@citigroup.com, prettoc@citigroup.com, kevin.j.heine@citigroup.com