Slashdot Mirror
Hackers Track Down Banking Fraud
An anonymous reader writes "Noticing some commonalities in the spam flooding their email
in-boxes, a small group of hackers set out to track down who was
responsible. Along the way they uncovered a trail that led them to an
organized gang of criminals halfway around the world, and right back
to some of the largest financial institutions in the US, and their
customers, that became the gang's prey. See the SecurityFocus story for more details."
This reminds me of Cliff Stoll- an astrophysicist who moonlighted as a sysadmin at UC Berkley, and noticed a discrepancy of a cent or less in the CPU time accounting system.
I won't spoil the story, but see if your local library has a copy of the Cuckoo's Egg(by Stoll). His more recent book, Silicon Snake Oil, discusses the falsities behind throwing technology(computers) at people- particularly in schools, for example...and was also quite good when it came out(and schools were dumping boatloads of $ into computer labs which sat mostly empty).
He's humble, intelligent, well educated, writes fun to read stuff...one of the computer scientists(and physicists) I respect the most- far above all the three-letter personalities.
Please help metamoderate.
Along the way they uncovered a trail that led ... right back to some of the largest financial institutions in the US
So have they been arrested and charged under the DMCA for divulging weaknesses in the financial system?
the 419 fraud isn't a Ponzi scam.
A Ponzi scam is where you take money from new "investors" and use some of it to pay an apparently high return to your existing investors, grabbing the rest for yourself. Everybody's happy until (inevitably) you run out of new investors and the whole thing falls apart.
The 419 fraud involves a promise to transfer $millions into the victim's bank account, for some trumped up and obviously rather dubious reason. At the last minute you ask the victim to pay a "transfer fee" of perhaps a few $1000. You then vanish with the "transfer fee", never to be heard of again.
You're much better off using the black|grey|white hacker classes, although even that can be fuzzy at times.
If you haven't RTFA, I suggest you do. Here's why:
After nine years on the net, this is the first scam that I believe I might (though probably not, as I always show the address bar and look for the secure connection icon) have fell for.
Having your web browser load Citibank's home page, and then swiping the info via a rogue pop-up is the sneakiest tactic I've seen.
Even the link in the email appears to be from Citibank upon first glance.
A exceptionally clever and well-crafted scam.
__ Someday, but not this morning, I'll finally learn to use the preview button.
In this scam a pop up with no navigation and no URL box was presented to the user on top of a genuine web page. This confused the user into thinking the pop up came from citibank. Advertisers like such pop ups because it locks the user into a path specified by the advertiser and obscures the source of the ad. Some web designers like the format because they think it's looks less cluttered.
Most modern web browser can be set will block pop up, force navigation, or always display the URL. Many advertisers whine that this is unfair. So what. What is even more amazing is that generally responsible companies, such as eBay, will create pop up screens with no URL and no navigation, thereby setting a precedence to allow such fraud.
The same is true from images from a third party server. It is useful for advertisers to set web bugs and large scale rotating campaigns. It is even useful for websites to distribute load. It also introduces security issues.
Which is just to say that may on /. would say that the luser should be more careful, and stupid people deserve to be swindled. But i have seen financial organizations use pop ups and third party ads to push product to their customers on the customers financial information page. This is a page that should only contains sensitive information, not irrelevant content The banks are willing to compromise security to push products. And then the banks complain that customers are to blame.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
...Much worse than "Citibank didn't care". Look down lower on the SecurityFocus report and you'll see that Citibank's own fraud reporting webpage appears to be compromised, they know about it, and they hadn't (as of publication date) tried to correct it. The email reply from the fraud page is itself fraudulent, and directs users to a nonexistent toll-free number or a private AOL email address, although it appears to come from Citibank's own servers!
Also, there's a CNET article about the August 16 version of the scam, reported on August 18, 2003. The article is supposed to be here at http://news.com.com/2011-10173-5065394.html?tag=ma instry
(Link)
But when you check that link, it first comes up, then a second or two later gets redirected to a search page claiming that the article is "expired".
Strangely, the CNET search page (which searches on terms similar to the title) comes up with 2 flattering articles about Citibank's quality process, one dated 2002, the other dated 2000. Neither of those articles has "expired". Draw your own conclusions here.
For those who aren't too quick on the mouse, part of the text of the "expired" article is here:
SecurityFocus notes that Citibank should know the exact number of people who came to their website from the fraudulent redirection, although officials there claim not to know. It also seems unlikely that Citibank's systems were not compromised, considering the email replies that came from their "report fraud" webpage.I was recently (about 2 months ago) defrauded in the amount of $6000 in an Advance Fee Fraud. I realize most people will laugh at me for this, but some of these scammers can be particularly convincing. The scam in this case involved the purchase of my car (which was being sold online), and a cashier's check of an amount in excess of the agreed purchase price. This 'excess' was to be wired to the 'shipper', as the car was going overseas.
Anyhow, I decided to do something about it. I hacked into the email account used to defraud me, and followed a chain of emails and accounts that eventually led me to a handful of personal accounts. Each time I gained access to a new email account, I'd peek at all the emails inside and warn off any people who were being targeted from that particular account. After a month and a half of monitoring personal email, I gathered real names, relations, addresses and even resumes on those people involved. The particular 'ring' of scammers that got me is a family and friends affair, with the eldest brother of the family attending university in London, UK. His brothers and cousins (who live in Nigeria) work the fake email accounts and collect 'clients'. Once they have a deal made and personal information collected, they forward this to the ring leader in London, who contacts his sources to produce fake checks. He also takes over the email account, giving out a UK mobile phone number (changes often) to 'clients' who ask for one.
The money is sent in the name of one-time accomplices. These are people that the ring leader recruits to pick up money at Western Union counters. Once the money is picked up, he gives them a portion then splits the rest between himself, the cheque source and the relative who originally manned the email account.
Long story short: I have all this information, and don't know exactly what to do with it. I've tried to contact the London Metropolitan police anonymously (via email), several times, and have not heard back. I'm not sure if I should go to my own federal authority because what I've done to gather the information is illegal.
This particular scam has people involved in the US, Canada, the UK and Nigeria. I'm located in Canada. Any advice?