Spam That Delivers a Pink Slip
alphadogg wrote in with a Network World story that begins: "Last week, a handful of employees at Dekalb Medical Center in Decatur, Ga., received e-mails saying they were being laid off. The subject line read 'Urgent — employment issue,' and the sender listed on the message was at dekalb.org, which is the domain the medical center uses. The e-mail contained a link to a Web site that claimed to offer career-counseling information. And so a few employees, concerned about their employment status and no doubt miffed about being laid off via e-mail, clicked on the link to learn more and unwittingly downloaded a keylogger program that was lurking at the site. Score another one for spammers."
Clever, because we all know our soulless corporations would do that.
Evil too, of course, and I wouldn't be particularly sad if those responsible were raped to death by manatees. But still pretty fucking hilarious.
Then what is the article? -1?
So would downloading the keylogger count as a breach in the company's acceptable use policy, therefore warranting them an actual pink slip?
There was a notice on the internal site for _ntel last week about this, but IT was catching it. With the layoffs there, they were a ripe target.
Heh, while some people actually spend money to CURE people of paranoia, it would be (at least) useful to have paranoia CLASSES taught as part of any "PC operator" course ;)
Darwin's List seems assured of a good genetic pool to recruit candidates from.
My favorite virus email was the "I Love You" virus. Since I worked for a French company at the time, the entire executive staff triggered the virus and the entire company got spammed by it. That was funny, since you got emails from the CEO saying he loved you. But the cure hurt more when it kicked in. For every email that was deleted from the server, Norton sent out a notification email that the email was deleted. The network ground to a halt because of the notification emails instead of the actual virus emails. Go figure.
In Soviet Russia, spam deletes you!
Doesn't sound like spam at all... sounds more like a targeted attack on the organization.
phishers, especially when they get caught, tried, convicted and imprisoned?
Keyloggers do transmit to certain IP addresses.
so you're saying the server.... surrendered?
How do you go about "unwittingly downloading a keylogger program"? Even if you run a Windows OS and use IE at default settings, it takes an unpatched exploit and/or a click of OK. After that, the keylogger needs to get past the firewall to phone home to be of any use. So can someone explain how this can happen on a properly maintained computer?
Step 1. Date or make friends with someone in HR systems who runs the Peoplesoft/Oracle/SAP HR system. Help them out with database work (like complex batch jobs).
Step 2. Pay attention to the kinds of queries they need help with.
Step 3. If they begin compiling seniority studies / benefits calculations for projections IN THE FUTURE (red flag!) or estimate retirement dates if your company has a defined pension benefit, see step 4.
Step 4. Put up resume on dice.com and start "disappearing" during lunch to return headhunter phone calls.
To those who claim that SPF (RFC 4408) is not useful... it does prevent exactly this kind of attack. (The recipients might receive the emails, but they would be flagged as having a bogus Return-Path.)
I would not accept being fired by some nonconfrontational method like this.
Just pretend you never got it and ignore it; go about your day. Apparently the boss is already too much of a pussy to actually fire you in the first place, so what is the chance he will say anything? Hell, come back the next day, then cause a small scene making them look like idiots.
They are afraid of confrontation; make that fear a realization (in a calm way, but put it all on them).
But does the keylogger work on Linux?
I thought not.
Nothing to see here, just moronic borgslaves, move along....
WHY don't all these moron CTO's and VP's of IS get their asses canned, paying MS for their shit?
I thought, getting a "pink slip", was slang for taking the loser's car off his hands after a street race.
And "getting your walking papers" meant getting fired...
Someone enlighten me? Yank doesn't always make sense to me.
This kind of story will end with really stiff laws and high-profile enforcement. Hacking also used to be a harmless pastime of C.Sci students until a bunch of assholes caused real damage. Spammers should just stick with their p3n1s 3nlargm3nt creams and continue to enjoy their status as pests, but not real villains.
If only people used digital signatures, impersonating senders would be a lot harder.
Please correct me if I got my facts wrong.
'Urgent -- employment issue' smells of spam to me. Why did anyone open a mail with a subject like that.
The company's email filter should have stopped that. It would not have worked here.
I have to ask: why is it relevant that the company was French, and in what way do you think the fact that it was French makes the executive staff more likely to trigger the virus?
Note: English is my third language, and I may just not have understood that particular sentence correctly. Also, I am not French or from anywhere closely associated with France, so my question is not due to hurt sensibilities or anything like that.
That's what you get for using an insecure OS (*cough* Windows)/browser (*cough* IE)/configuration/whatever. Too bad the IT department often doesn't learn about security until there's a bigger breach.
OK, so who clicked the "unwittingly downloaded a keylogger program" link in the article without having second thoughts?
;)
A double whammy for the phishers if it linked to the keylogger infected file in question.
Yeah, well, this could be only the beginning. I've long said that spammer/VXers could really invade companies if they sent their wares with subject lines like "Meeting Notice", "Employee Satisfaction Survey", or other business-oriented text. A general attack on companies would work, and you could be real trouble for a specific company if you had any knowledge of their internal processes and wanted to target their employees.
Companies make this scenario even more likely by the way they do business. Not a week goes by without me getting an email from some external service provider (health insurance, 401k contractor, travel agent, etc.) with a link to their external website. Of course, each requires a login using a social security number or employee ID, and the websites often have names I don't necessarily recognize. How am I supposed to know that (made-up example here) an email from "mytravelagent.com" is REALLY from American Express Travel Services?
Companies would be wise to require that links from emails to all service contractors point to an internal URL that gets redirected or proxied to the external servers. That would make it a bit harder to direct phishing attacks against their hapless employees.
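The internal-URL idea in the post above, as an added example that is not part of the thread: an internal link host hands out links of the form /go/<service-name>, and the resolver only ever redirects to a destination that is already registered. The host name, the registry contents and the vendor URLs are all made up for illustration. The point worth testing is the failure mode: a redirector that accepts a destination URL as a parameter becomes an open redirect that phishers can reuse, so this one refuses anything that is not exactly a registered name.

```python
from urllib.parse import quote, urlparse

# Hypothetical internal link host (assumption, not from the article).
INTERNAL_LINK_HOST = "links.example-hospital.org"

# Hypothetical registry of approved contractor sites, keyed by a short name.
# Only entries in this table can ever be redirect targets.
SERVICE_REGISTRY = {
    "travel": "https://travel.example-vendor.com/login",
    "benefits": "https://benefits.example-vendor.net/",
}


def internal_link(service):
    """Build the link that goes into an e-mail to employees.

    Raises for unregistered names so a typo never produces a dangling link.
    """
    if service not in SERVICE_REGISTRY:
        raise KeyError(f"unknown service {service!r}")
    return f"https://{INTERNAL_LINK_HOST}/go/{quote(service)}"


def resolve(url):
    """Return the approved destination for an internal link, or None.

    Anything not exactly https://<internal host>/go/<registered-name> is refused:
    no query string, no fragment, no extra path segments. There is therefore no
    parameter an attacker could fill with an arbitrary destination.
    """
    u = urlparse(url)
    if u.scheme != "https" or (u.hostname or "").lower() != INTERNAL_LINK_HOST:
        return None
    if u.query or u.fragment:
        return None
    parts = u.path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "go":
        return None
    return SERVICE_REGISTRY.get(parts[1])


if __name__ == "__main__":
    link = internal_link("travel")
    print(link, "->", resolve(link))
    # An attempt to smuggle a destination through is refused.
    print(resolve("https://links.example-hospital.org/go/travel?next=http://evil.example"))
```

The redirect server itself (nginx, a small WSGI app, whatever the company already runs) would call resolve() and answer 404 on None; the mail gateway can then also require that any link to a contractor in outbound HR mail uses the internal host.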
In Soviet Russia, spam junks YOU!!
Because the French are such a loving people.
When my users have an email-related problem or question, I beg them to send me the original message with full email headers. Instead, this is what I get every single time:
From: Xxxx Xxxxxxx [mailto:xxx@xxx.xxx]
Sent: Wednesday, November 01, 2006 09:47 AM
To: Xxxxxx Xxxxx
Subject: PROBLEM
Which aren't email headers at all. Too many times it was a problem of someone badly forging the return address of our domain to make it look like someone in the company sent it. I'm pretty sure a company with 25 employees would realize that ksdffkjsdfkj@xxx.xxx isn't legitimate. The easiest way to combat this is to deny incoming email sent from "your" domain.
And "Received: from yourdomain [some IP in timbuktu (instead of your mailserver IP)]" should be a dead giveaway, but people refuse to learn simple stuff like what an IP address is.
Educating users isn't an option, because people don't listen. Instead of asking, they install malware out of fear.
Yeah, I got one of these too. Since I've been self-employed for over 23 years, it looks like I would have already heard about this layoff. Sigh. I'm always the last to know!
Their SMTP gateway should have detected that a server outside of their network was trying to send a message with an internal email address as the sender, and blocked it. It never would have worked in my company. Plus, if someone in my company received a message like this, which would have had an external email address as a sender, someone would have called me right away. I then would have blocked the site, blocked similar emails, seen who was sent a similar message, spoken with them to find out who visited the site, and scanned and/or reloaded all the recipients' computers anyway.
:-/
If it was sent by a computer internally, I think I could see that also (I'll have to check on that) and get that computer/employee taken care of.
We had a similar social engineering test recently. A small number of people but still more than I'd like followed the instructions in the email, a similar number notified me or another employee that could help them make sense of the message, and I had the email blocked and the ISP of the sender on the phone within minutes. It was only after that I was informed about the test. I know I passed. I'm sure a few others failed.
Your technology has to protect your organization to a certain point but your employees MUST be trained to not fall for this kind of stuff. Unfortunately, some will never learn because they think it's IT's job to keep this stuff from happening. Why did I choose this career again?
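Three posts in this thread describe the same gateway check: the SPF post (a bogus Return-Path), the "deny incoming email from your own domain / look at the IP in the Received header" post, and the one directly above. Here is one added example, not code from any of those posters, that does all three on a constructed message. Note that SPF evaluates the envelope sender (MAIL FROM, which ends up as Return-Path), not the From: header a user sees, so the example checks both. The domain, the SPF record, the IP addresses and the allowlist entry are invented for illustration; the in-memory SPF_RECORDS table stands in for a real DNS TXT lookup. The allowlist models the exception the DeKalb analyst mentions further down (one address that a third party is permitted to send "as" from outside), which is exactly the hole the forged mail walked through.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical company domain and a stand-in for its DNS TXT (SPF) record.
INTERNAL_DOMAIN = "example-hospital.org"
SPF_RECORDS = {
    "example-hospital.org": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 -all",
}

# Hypothetical exception: one address an outside mailer may send "as".
# Every entry here is a hole of the kind described in the thread.
FORGE_ALLOWLIST = {"newsletter@example-hospital.org"}


def spf_check(domain, ip):
    """Minimal SPF evaluator: ip4 mechanisms plus a terminal -all/~all/+all.

    Real SPF also has include:, a, mx, redirect= and the 10-lookup limit;
    those are out of scope here.
    """
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term in ("-all", "~all", "+all"):
            return {"-all": "fail", "~all": "softfail", "+all": "pass"}[term]
    return "neutral"


def connecting_ip(msg):
    """IP of the host that handed the message to our gateway.

    The topmost Received: header is the one our own gateway stamped; the
    bracketed IP in it is what the peer really was, whatever name it claimed.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", received[0])
    return m.group(1) if m else None


def classify(raw):
    """Return ("accept" | "reject", [reasons]) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    ip = connecting_ip(msg)
    if ip is None:
        return "reject", ["no usable Received header"]
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    _, header_from = parseaddr(msg.get("From", ""))
    env_domain = envelope.rpartition("@")[2].lower()
    from_domain = header_from.rpartition("@")[2].lower()
    reasons = []
    spf = spf_check(env_domain, ip)
    if spf in ("fail", "softfail"):
        reasons.append(f"SPF {spf} for {env_domain} from {ip}")
    # Our own domain in the visible From:, but delivered by a host that is
    # not one of our mail servers: the "forged internal sender" case.
    if from_domain == INTERNAL_DOMAIN and header_from not in FORGE_ALLOWLIST:
        if spf_check(INTERNAL_DOMAIN, ip) != "pass":
            reasons.append(f"From: claims {INTERNAL_DOMAIN} but {ip} is not our server")
    return ("reject" if reasons else "accept"), reasons


# Constructed sample messages, as they look after our gateway added its Received: line.
FORGED = """Received: from mail.example-hospital.org (unknown [198.51.100.77]) by gw.example-hospital.org
Return-Path: <hr@example-hospital.org>
From: HR <hr@example-hospital.org>
Subject: Urgent - employment issue

See http://198.51.100.77/career for counseling information.
"""

LEGIT = """Received: from mail.example-hospital.org (mail [203.0.113.10]) by gw.example-hospital.org
Return-Path: <hr@example-hospital.org>
From: HR <hr@example-hospital.org>
Subject: Benefits enrollment reminder

Open enrollment closes Friday.
"""

ALLOWLISTED = """Received: from out3.example-mailer.net (out3 [192.0.2.40]) by gw.example-hospital.org
Return-Path: <bounce@example-mailer.net>
From: News <newsletter@example-hospital.org>
Subject: Monthly newsletter

This month at the medical center.
"""

if __name__ == "__main__":
    for name, sample in (("forged", FORGED), ("legit", LEGIT), ("allowlisted", ALLOWLISTED)):
        print(name, classify(sample))
```

The third sample is the uncomfortable one: it is accepted only because of the allowlist, and nothing in SPF saves you there, because the envelope sender belongs to the mailer's domain, which has no record in this table. If a company must keep such an exception, pinning it to the mailer's sending IPs (an SPF-style check against the allowlisted address, not just its presence) closes most of the gap.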
Its a phish attack, not spam.
A well planned keylogger placement should be undetectable, no? This farce raises attention, and seems likely to garner further investigation.
SF author Larry Niven actually used something very like that idea in his "Known Space" future history. The idea was that society had decided that anyone who was the least bit violent/aggressive was "ill" and gave them meds to make them a happy little camper. Not mindless zombies, just very passive. (That's a difference of degree, of course.) But there was still a need for a police force, to protect against threats both from within and outside human space. So the police force -- the ARM (Amalgamated Regional Militias) -- were taken off their meds, or even given other meds to make them more paranoid. Only during the work week, of course -- on days off, they took their non-paranoid meds instead.
Where is the link?
I would like to see this site they went to.
Different time zones. My office was located in the Pacific Time Zone and France is on the other side of the Eastern Time Zone. So the virus was in full swing by the time my co-workers got into the office. Besides, French or not, the executive management team has always been clueless and/or loveless. :)
This also explains why the french gene pool is the most diversified in the world.
Don't laugh, Radio Shack actually fired a lot of people through the internal E-Mail system.
Any email virus checker that sends any kind of "This email had a virus but I removed it" email, either to the recipient or to the listed sender, is broken IMO (except in the case where it's got both a virus and genuine content, in which case the virus should be removed, a note inserted into the email next to the genuine content, and it sent on to the recipient).
As a recipient of email, I don't care that I got a virus in my mail, I just want it gone. The listed sender probably doesn't care, since it's likely fake anyway.
Nono, there are two types of people in this world, those who:
1) Start their arrays with one;
1) Start their arrays with zero.
I'm the Information Security Analyst at DeKalb Medical Center. The article isn't exactly right, it mixes up two different stories that my boss told the reporter.
"Pink Slip" email: A few employees received an email from "John.E" (John.T@chenpr.com) saying that they had insider knowledge that the email recipient would be getting fired soon. The email went on to say that there were some "folks who helped" his brother, and gave a phone number in Alabama that has been disconnected. The domain name belongs to a company in Massachusetts, so this may be a Joe Job on them or someone just forging their address to make their services look legit. Others have received this Spam, too.
"Keylogger" email: This was just a regular SPAM email, but was forged to be from a legitimate email address in our company. It had a link to an executable on a website in China, but was disguised using html to make it look like the link went to our domain. There was no keylogger in the payload of this trojan, only a SPAM virus that we quickly detected and removed. This email got through because it was forged from a specific email address that we allow to come from the internet with a forged "From" address.
Hope that helps clear things up.
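The disguise the analyst describes, a link whose visible text looks like the company's own domain while the href points at an executable on a foreign host, is mechanical to spot once the anchor text and the href are compared. The following is an added example, not DeKalb's code or anything from the article, run over a constructed HTML fragment; the domain and the IP address in it are invented. It flags an anchor when its visible text is itself a URL or host name that does not agree with the href host, and separately when the href path ends in an executable suffix.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Suffixes that have no business behind a "career counseling" link.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta")

# Visible text that a reader would take for a web address: optional scheme,
# at least one dot-separated label, then end of string or a URL delimiter.
_URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/?#:]|$)", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(s):
    """Lower-cased host of a URL or bare host name; '' when there is none."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def suspicious_links(html, trusted_domain):
    """Return [{"text", "href", "reasons"}] for anchors that misrepresent their target."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    trusted = trusted_domain.lower()
    for text, href in collector.anchors:
        reasons = []
        href_host = host_of(href)
        if _URL_LIKE.match(text):
            text_host = host_of(text)
            same = text_host == href_host or href_host.endswith("." + text_host)
            if not same:
                reasons.append(f"text shows {text_host} but href goes to {href_host or '(none)'}")
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("href points at an executable")
        if reasons and (href_host == trusted or href_host.endswith("." + trusted)):
            # Executables on our own host are a different problem; note it but keep going.
            reasons.append("target is on the trusted domain; verify with the web team")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample: one disguised link, one honest one, one bare host name.
SAMPLE_HTML = """
<p>Please review your status at
<a href="http://198.51.100.23/career/info.exe">http://www.example-hospital.org/career</a>
or <a href="https://www.example-hospital.org/hr">the HR portal</a>.</p>
<p><a href="https://news.example-hospital.org/">news.example-hospital.org</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML, "example-hospital.org"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Plain-text mail clients sidestep the disguise entirely, which is one argument for stripping HTML in mail to front-line staff. Where that is not an option, a gateway can rewrite or quarantine anything this function flags and let the rest through unchanged.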
Seriously, how many people really get legitimate e-mail from the major spam havens like China, Korea and Brazil? Until these ISPs start filtering port 25 traffic from their broadband customers, I don't see much of a reason to accept any smtp traffic from their wholesale IP space.
...For browsing the internet with IE. An IT department that lets employee do that is inviting trouble, period.
I used to be all compassionate and sympathetic with victims, but now I am just tired of the overall cluelessness, carelessness and inertia in 90% of IT departments out there.
If fishermen behaved like an IT department, they'd slather themselves with fish offal, then jump into shark-infested water.
I used to live there (still live in the county over). Based on my experiences with Atlanta, I wouldn't be the least bit surprised if this is somehow related to a larger problem.
I'm hoping that it's just coincidence it happened a week before election week.
It continues to amaze me how there is no end to the number of experts on Slashdot. No matter what bad thing happens, there is a seemingly infinite number of people on Slashdot for whom "it wouldn't have happened to me" and "if they had done such and such it would have prevented it" and "that's why this and this exists."
If you're so good, then band together and actually fix the issue for everyone instead of playing armchair quarterback and bitching.
Aye. But I'll further submit that the GGP is wrong as well.
<nitpick mode="feigned_ignorance"> ;-)
Most people would agree that it's better to start your array with the first element of the array, rather than a superfluous zero or one. For example most people will put foo = [ 25 87 17 65 ] (or the equivalent in their programming language of choice) instead of foo = [ 0 25 87 17 65 ] or foo = [ 1 25 87 17 65 ] when they intend to convey a four element array with the values 25, 87, 17 and 65.
</nitpick>
I hate to sound cynical, but this story is not news. There is nothing new here. There have been thousands of different attacks like this, and there will be thousands more.
We (the slashdot community, the IT world, the rest of the world) have to make a choice here:
1. Easy, 1-click executability of untrustworthy active content in emails and the like is a serious bug which must be aggressively stamped out.
2. Having people get pwned like this is an unfortunate fact of life, like disease and bad weather. We may be able to ameliorate it somewhat, but it's not a problem we can ever meaningfully solve, so we should stop complaining, stop treating every new socially-engineered email virus vector as "interesting", and learn to live with it.
Now (being as how I've already admitted I'm in a cynical mood), I can say that I do realize full well that (1) will never happen, and that we've already gone wholeheartedly with option (2).
We've all had this discussion a thousand times before, so to save time, let's just skip it with some of the predictable, defensive responses. Don't say, "but there are good uses for easy, 1-click executability, it's a feature users need and want." All you're really saying is, let's go with option (2). Don't say, "Removing 1-click executability wouldn't help, because stupid users would just download and save the attachments and execute them manually." If you believe that disallowing clickability wouldn't help (wouldn't make the spread of email viruses a thousand times less rampant), all you're really saying is, let's go with option (2).
I know Sharon very well. The true story is that a number of users received an email about employment; it had a link to a phishing site. There was no keylogger involved. I know the media doesn't want the facts to get in the way of a good story, but sheesh.
In my old company, it was one of the members of the (very snooty and self-righteous) IT staff that propagated the "I Love You" virus.
Labour law is a funny thing. You need a job to live -- even the best welfare program is pretty lousy compared to the worst minimum wage job. You definitely need a job to thrive. Employment -- not just access to employment -- would seem to be a basic human right, at least unless technology obviates both labour AND scarcity, and we end up defaulting to some kind of socialism (robotic socialism, as it's sometimes called). And yet the more you try to protect people's jobs, the more you restrict the ability of businesses to do their thing. You decrease their ability to cherry-pick employees and maximize their efficiency. If you give business the freedom to fire incompetent employees WITHOUT the two verbal warnings, two written warnings, and a disciplinary meeting (that's the process here in British Columbia anyway), you're also giving them the freedom to fire employees for nonsense reasons like their religion or drinking a different brand of beer than the CEO.
GOOD businesses don't need any regulation of course -- my job sucks, but my manager is fantastic. Time off when you need it, encouragement for what you do right, helpful advice on how to improve, no flak about sick days, etc. I had no intention of doing more than the bare minimum necessary to keep the job and pay for classes and coffee. Now I actually kind of care, and do my best to excel (to whatever extent it's possible to excel at working a cash register, anyway).
Conversely, a bad manager will find some dumb excuse to fire you no matter what. That's not to say you can't come out ahead in a labour hearing, but it's so difficult and such a hassle that it rarely occurs. I know so many people that have had to work 2 and 3 hour shifts (illegal in BC -- you HAVE to pay employees for at least four hours of work no matter how long they're actually there). Restaurants are particularly bad about this. It's just the opposite for people in unions of course, since they have the union reps to make sure that their rights are enforced, no matter how monstrously shitty the employee in question. Teachers who flirt with students and have to be "firewalled" because it's so difficult to fire them are practically a cliche. I dated a woman who did HR for a hospital -- her entire job was described as "interpreting the collective agreement". The hospital had a staff of twenty people who dealt entirely with handling union issues, completely aside from the effort of actually HIRING and FIRING people, running benefit programs, etc. Ironically, the HR staff were not themselves unionized, and earned less than half of what a newly-hired nurse would. It's a good thing that people who get into HR do it because they love the work.
I'd say that finding the balance between employer rights, employee rights, the right to work, how to deal with bad employees, how to deal with bad managers, etc., is definitely a work in progress. It's definitely one of the challenges involved in getting capitalism "right", that is, not something that makes life miserable for people. Employers deserve the freedom to run their businesses the way they like, but employees deserve to have confidence that they can get as much work as they need and be treated reasonably. It makes it easy to see why some people like the idea of socialism so much -- when everyone receives the necessities of life automatically, it frees them up to treat labour as a true commodity, one that can be bought or sold freely at whatever prices the market will bear. As it is, we essentially HAVE to sell our labour, other than those few who get the opportunity to be entrepreneurs.
It's betterer.
Is this infected PC the company's property or the employee's? If it belongs to the company, and they infected their own machines, who cares!?! Good for a grin, I say.
Yeah, like I am so going to help the people who just fired me. Let 'em burn!