Hackers Respond To Help Wanted Ads With Malware
itwbennett writes "The FBI issued a warning Wednesday about a new twist on a long-running computer fraud technique, known as Automated Clearing House fraud. With ACH fraud, criminals install malware on a small business' computer and use it to log into the company's online bank account. In this latest twist on the scam, the criminals are apparently looking for companies that are hiring online and then sending malicious software programs that are doctored to look like job applications. One unnamed company recently lost $150,000 in this way, according to the FBI's Internet Crime Complaint Center. 'The malware was embedded in an e-mail response to a job posting the business placed on an employment website,' the FBI said in a press release. The malware, a variant of the Bredolab Trojan, 'allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company.'"
So HR will just open any file? Or is it a Word macro?
Genius!
Well, for some jobs, people do request code samples. I imagine an executable could be included in an application pretty easily and be uploaded by someone involved in the review process. This does not necessarily need to be an HR person (I can't imagine why it would be, for that matter).
TFA says it's a zipped executable. This should be auto-blocked by a properly configured email server.
Is it really that hard? And if you don't know what .jpeg or .pdf or .virus is you should not be using a computer.
If you don't know what a turn signal is they don't even let you take the test to get your driver's licence. Hint, hint. When someone has a sensitive computer-type job they should at least be competent to operate the machine. Any other job requires you to be able to competently operate your machine (or OSHA starts sticking their nose around writing tickets), so why shouldn't the guy operating the machine that handles other people's (his boss's) money have to prove his competency?
I need all my applicable tickets/certification/first aid to do my job and I have to keep them up to date or I lose my job.
If we are talking "small business", 'HR' is likely the owner or one of his immediate subordinates checking his email in what is otherwise (from an IT setup) disturbingly like a home environment.
Excepting, of course, small businesses that are in the business of being clueful about computers (IT consultancies and the like), it is eminently possible that 'HR' will in fact click on just about anything (and isn't patched against the latest flavors of Word macro).
Having a dedicated IT guy who is worth having is reasonably serious money by small business standards. Even calling in a consultant when you don't think that you absolutely need it will sting a bit. "Small business" IT is often disturbingly close to consumer grade, with all the horrors that that generally entails.
You don't generally see a dedicated IT guy skulking around and pissing people off for their own good with updates and AV and firewalls and such until you hit the small side of medium...
I'm guessing that that is why they are hitting small businesses...
Ehhuuu, what's so special about that? It's just a "targeted" scam.....
Hey, what do you know, marketing strikes again!!
On a semi off-topic note, how safe are the online application systems? Resume bots? Some online application systems can read your resume and auto-fill data.
Some places want PDF resumes, and PDF can have lots of executable code in them.
I often get people who send me a 1 MB email attachment that is just a paragraph of text wrapped up in the absurdly inflated Doc format.
I'm confused. If I walk up to a bank, write a withdrawal slip in someone else's name, then hold up the bank ordering them to honor that withdrawal slip, did I steal from the bank, or from the person whose name I forged on the withdrawal slip?
Identity theft and "unauthorized access" and taking the money from an account holder is as absurd as a bank getting robbed and taking it from the last deposits made to the bank and not from their general coffers. It was never done that way before, so why is it done that way now?
Learn to love Alaska
Then again it could be something like "resume.doc.exe" but if they are still on the default settings of hide extensions for known filetypes it would look like "resume.doc".
That is a default setting that needs to be changed. It's made it easy to sucker so many people over the years since Microsoft made this stupid mistake you'd think every IT in the world would automatically change it. I'd rather have a user ignoring information in front of them, then hiding it and letting the company get infected. (The first is the users fault, the second might get blamed on IT.)
There are more complicated ways using special files that exploit bugs and things, but those are a lot harder to pull off, and since I didn't see a mention in the articles saying what the file actually was, I'd check the easier and more common thing first. (It did mention that users thought it looked like a word doc, but that just tells us what the user thought, not what was actually going on.)
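The "resume.doc.exe" trick in the post above works because the desktop hides the last extension; a mail gateway sees the whole name and can judge by it. The following is an added example, not code from the article or from any product mentioned in the thread: it classifies an attachment by its real final extension, treats a double extension ending in an executable type as a block, looks inside zip attachments (the article says the payload was a zipped executable), and flags macro-capable Office documents for review rather than trusting what the user thought they were opening. The extension lists and the sample zip are constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extension lists are constructed for this example; a real gateway policy would be longer.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
MACRO_DOC_EXTS = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}
SEVERITY = {"allow": 0, "review": 1, "block": 2}


def classify_name(name):
    """Judge a filename by its real final extension, not the one a desktop with
    'hide extensions for known file types' would display."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return ("review", "no extension")
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        if len(suffixes) > 1:
            return ("block", "executable hidden behind double extension " + "".join(suffixes))
        return ("block", "executable attachment " + last)
    if last in MACRO_DOC_EXTS:
        return ("review", "macro-capable document " + last)
    return ("allow", "extension " + last)


def classify_zip(data):
    """The archive inherits the worst verdict among its members; a malformed
    archive is blocked because it cannot be inspected."""
    worst = ("allow", "empty archive")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                verdict, reason = classify_name(info.filename)
                if SEVERITY[verdict] > SEVERITY[worst[0]]:
                    worst = (verdict, f"{info.filename}: {reason}")
    except zipfile.BadZipFile:
        return ("block", "attachment claims to be a zip but is not one")
    return worst


def classify_attachment(name, data=b""):
    """Entry point for one MIME part: look inside zips, otherwise judge the name."""
    if PurePosixPath(name).suffix.lower() == ".zip":
        return classify_zip(data)
    return classify_name(name)


def build_sample_zip():
    """Constructed sample: a zip containing 'resume.doc.exe' with an empty payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.doc.exe", b"")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("resume.pdf", b""),
        ("resume.doc", b""),
        ("resume.doc.exe", b""),
        ("NotAVirus.jpg.zip.exe", b""),
        ("application.zip", build_sample_zip()),
        ("bogus.zip", b"not a zip"),
    ]
    for name, data in samples:
        print(f"{name:25s} -> {classify_attachment(name, data)}")
```

The verdict is based on the name the gateway sees, so the check works whether or not the recipient's desktop hides extensions; PDF and DOC files still reach the reviewer, which is why the document types the thread worries about are marked for review rather than allowed silently.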
A common mistake is to assume that in the USA, "small business" means "mom and pop." In fact, the Small Business Association (SBA) defines a business as small based on number of employees, and though it depends on industry, it typically is 500 (source).
It's true that, by sheer quantity, most businesses are small. There's only 500 Fortune 500 companies, but a zillion hot dog stands. In terms of number of employees or revenue or profits or any other number of factors, many small businesses aren't so small after all.
Support a few technologists in Washington.
Looks like they go after temp agencies and body shops who insist on receiving a Word doc from "candidates" so they can conveniently remove the contact information before they start whoring you out.
My old boss moved back home and worked out a spiffy job doing govt contracts. He had 4 others working for him at the time, and I was considering being the 5th, so I went down to interview and work there for a week training his new people. He told me proudly that he was the resident IT professional as well, and I warned him that he should be hiring someone to do that full time; he seemed offended.
The next day, I introduced him to BackTrack and we decided to take some time and try to hack his network. Needless to say we were in his WEP secured network within 5 minutes, and within 15 minutes more we were happily browsing files on the Drobo connected to his laptop in his office!
I then went back to my hotel around the corner, and was easily able to see his network traffic from the hotel network, and grab his emails and other communications with wireshark!
I didn't take the job, so the IT guy was employee #5, and he spent weeks removing all the crap he found!
Cheers!
True. I've sent nicely formatted PDF resumes with tasteful fonts, and still get pestered for .doc files that will look like crap because they won't have my fonts and they probably run a different version of Word than I authored with. Very frustrating.
Constitutionally Correct
Which sounds good until you go to work in the real world and need to email test programs back and forth.
That's why, here in the real world, we implement a little thing called "whitelisting".
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Yeah. Something along the lines of "I've attached an application I wrote on my own time, as an example of my work. Try it and see how you like it."
Sleep your way to a whiter smile...date a dentist!
Our applications are handled externally. We get docx and pdf 'converted' to Word. (They change the file extensions) Our HR then brings us 'mystery files' to see if we can sort them out.
Have you met anyone from HR?
You could name it NotAVirus.jpg.zip.exe, send it to them with a "My Resume" subject and it'd almost guarantee being opened.
Errm, nobody seems to have noticed the headline of this story..
"Hackers Respond To Help Wanted Ads With Malware" ..
FFS Slashdot, these are not Hackers they are Criminals.
Well, the IDG article calls it a Word document, so I'm assuming a Word macro or VBA script.
Just because you're paranoid doesn't mean they aren't out to get you
The warning issued by the Internet Crime Complaint Center, which has some sort of hard to describe relationship with the FBI, is completely useless to any small business that would be susceptible to this attack. The only thing that they could get from the warning is to use virus scanner for all attachments to emails. No additional information that a small business might find useful is conveyed. Further, virus scanners are a) never going to catch the newest Trojans or other malicious software, and b) unlikely to be installed as a result of this warning. Any small business that knows about the IC3 and their warnings will be using up to date email security practices. Those that don't use up to date email security practices are unlikely to know about the IC3 and their warnings. This is a highly ineffective "warning" or "note" as the IC3 describes it.
Why do mere credentials allow large money transfers?
I thought everyone was using hardware ID by now.
http://en.wikipedia.org/wiki/Security_token
I know such tokens can still be improved, and they will improve. And it sure is a lot more secure than just a password.
I lost my sig.
You know you can embed fonts in word documents right?
I'm a CPA and work in corporate accounting.
(1) From this experience, I've observed that some of the better banks force the end user to enter numbers from security tokens not only to log in, but a new number to authorize each and every transaction (potentially limited by transaction size if desired). Further, transactions over a certain threshold may require two different individuals to log in to approve.
(2) I'm not a web designer or a real programmer, but does this setup still yield a possible attack? I could foresee a situation where all of this data is intercepted, but most of these security tokens are time sensitive and the end-user would notice delays on the website in use with interception. That said, if an attacker were essentially acting as a proxy for the bank site and just rekeying/scripting information from the bank user, the attacker could insert their own bank accounts in for a wire or ACH transaction. Does this described situation ever happen?
Or, you realize that e-mail was never designed to lug large binary files around and pass the test programs over http.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Or use stuff like rapidshare, megaupload etc.
Just what I was thinking.
I get my token over SMS, coupled with a date and a total amount every time I commit a transaction.
While not 100% foolproof, it limits even a man-in-the-middle attack to only the amounts that I make new transactions for.
I would probably soon catch on that it's not working as it should be.
If they wanted to get more they'd have to get physically close to me and intercept/change phone traffic.
That's a good way for the hackers to get caught.
Public/private key encryption is supposed to rule out that proxy situation you describe in your second question (a man-in-the-middle attack). The bank user should have an encrypted connection to the bank. If an attacker is pretending to be the bank, then the user will notice when the attacker is unable to decrypt a message that has been encrypted with the bank's public key.
In practice, this is all taken care of in the browser. If someone is trying the above attack, it will display some sort of warning - which the user might ignore or fail to understand.
I've sent nicely formatted PDF resumes with tasteful fonts, and still get pestered for .doc files that will look like crap because they won't have my fonts and they probably run a different version of Word than I authored with.
Just send them a resume.doc.exe which will format c: their hard disk. They won't ask you for doc files again.
as an addendum and really a suggestion to banks out there if this doesn't exist, but should... perhaps (granted this would be potentially a bit tedious) -- for transactions exceeding a certain size, a special security token would be ideal where:
(1) the user enters the wire/ACH data on the token itself (amount, account number, transit number)
(2) the resulting number generated would both authenticate the user for the transaction and also authenticate the amount (i.e. the amount entered on the keypad would be a seed in the implicit PRNG which any attacker would, by design, not have access to)
All job applications and CVs should be in plain text. Problem solved. :)
(And yes, I've seen online application processes which will not accept text or even RTF files, demanding that any submission must end in DOC or PDF. Stupid, stupid, stupid...)
This is exactly why any company with access to financials of any sort should follow the Sarbanes Oxley rule of Segregation of Duties. The rule was originally intended to keep people from having many levels of access...for example: A bookkeeper shouldn't have enough levels of permission to write themselves a check, then delete the transaction in another part of the system. One person with access to multiple facets within the company is a single point of possible security failure both internally and externally. You can put up all the security you want around your walls, but if someone with bank access is also out in the public fielding resumes and browsing the web (even for legitimate reasons) and falls prey to one of these scams then the company needs to look inward for fault. Not that the criminals are not to blame, but there should be controls in place to help mitigate this very risk.
People ask me for code samples all the time; they're called DOC and PDF files opened on unpatched systems.
-- I was raised on the command line, bitch
That's easy: convert to JPG and paste into Word.
I like good typography as much as (almost) anyone, but unless you're applying for a position as a designer, does it really matter what fonts your resume uses or, frankly, what it looks like at all? As long as it's legible....
We were just hiring for a programming position at our office.
The hiring announcement (job ad) specifically asked for the resume to be sent as a plain text file. Anyone that could not follow instructions and sent a Word document was immediately disqualified from consideration for the job. If you cannot follow the directions in the employment ad you are responding to, you probably aren't going to be detail oriented on the job, either.
You would be amazed at what a large percentage of people sent Word documents. I can only guess that is because some of them truly believed that a Word doc is "plain text". Now, I would have more sympathy if it were encoded in UTF-16, UTF-32 or ISO-8859 and not ASCII but thinking Word is plain text? FUCK ME! I bet we all know programmers out there that don't know what binary, hexadecimal, octal or ASCII are. I bet we all know a programmer that cannot tell you how many bits are in a byte. What happened to programmers knowing their fundamentals?
FWIW, there have also been huge security holes in the dominant PDF reader, too -- some quite recently.
I wonder if there's some way to embed a PDF in a Word document? It seems like you can embed practically anything else, including malware...
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
We had this happen, and yes, it was embedded in a Word document.
However the (60 year old) HR woman immediately recognized that she'd been infected and called me. This happened about a second before I picked up my phone to call her regarding the torrent of virus warnings that had just started spamming my inbox.
So, from anecdotal experience, it's just another virus file.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
JPG? Pfft. Use an animated GIF so they don't even have to flip the pages!
Gamingmuseum.com: Give your 3D accelerator a rest.
You can say that again. That would be impossible from a use standpoint. Many small businesses issue dozens or even hundreds of payments on a weekly basis (not even including payroll!). Asking payment authorizers (typically exec-level employees) to manually key in that information is ridiculous. Plus you're going to have typos that result in incorrect authentication numbers, etc. So what happens? You return a result of "authentication not valid" and they have to type the details in again. How many unsuccessful tries will you allow before locking them out?
What you have to do is authenticate the session, not the individual transaction.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
What do you want people to send, PDF? Wait, PDF is just as bad as some Word doc files.
I just hope this is not something that will trigger companies to hire "Taleo"-like websites to manage their online applications. Taleo is one example of how to properly discourage people from applying to a company!
Right! I always send my resumé in .txt format. I am just wondering why nobody ever hires me...
McCartney fans pay bus tickets. [...] Lennon fans too, with discretion.
Is this the state of Cyber Security in the twenty first century?
The Zeus botnet only targets Windows machines
"There are a few things consumers and small businesses can do if they're unsure about e-mail attachments. The safest is to delete the attachment and write back to the sender asking for a plain text version. Alternatively, they can open the document in Google's Gmail to see if it appears legitimate" link
I agree, most of them just confuse the byte with the octet and answer 8 instead of: it depends.
Yes, this does happen. They don't even need to install a trojan on your computer; they do it with phishing pages which have a Jabber instant messenger client which instantly relays the OTP (one-time password) to a server which does an immediate backconnect to the bank etc. and logs in. The other way they are bypassing these devices is through a trojan on the computer, and they hijack the browser: MITB, man in the browser. The OTP security token method is pretty much useless actually, not really protecting against much at all which isn't already covered by SSL. The problem with the OTP devices is they are only one-way authentication. The MITB attacks defeat just about everything else available, even recently the active mutual authentication electronic tokens. About the only online authentication method which isn't vulnerable is the PassWindow cards, as they are the only online authentication I know of capable of passive mutual authentication. (Active means a human has to do something and then gets tricked by the trojan in the browser; passive is where you just view and don't do anything except enter the password.) http://en.wikipedia.org/wiki/Mutual_authentication
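The post above explains why a plain login OTP does nothing against a man in the browser: the code authenticates the session, so malware that rewrites the destination account after login still gets a valid transfer. The token proposed earlier in the thread (the user keys amount, account and transit number into the device, and the code is derived from them) closes that gap because the bank recomputes the code over the fields it actually received. The following is an added example of that idea, not code from the article or from any bank or token vendor: an HMAC-SHA256 over the payment fields plus a 30-second time step, truncated HOTP-style to eight digits; the shared secret, time step, account numbers and the $150,000 amount are constructed for the example.

```python
import hmac
import hashlib

# Constructed values for this example; a real token's secret is provisioned at issuance.
TOKEN_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
TIME_STEP = 30          # seconds per code window (assumption)
CODE_DIGITS = 8


def transaction_code(secret, amount_cents, account, transit, now):
    """Code the token displays after the user keys amount, account and transit into it.
    The payment fields are part of the MAC input, so the code is only valid for them."""
    step = int(now // TIME_STEP)
    msg = f"{amount_cents}|{account}|{transit}|{step}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation to a fixed number of decimal digits
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def bank_verify(secret, amount_cents, account, transit, code, now, window=1):
    """Bank side: recompute over the fields it actually received (which a man in the
    browser may have altered) and accept only if a code in the clock window matches."""
    for drift in range(-window, window + 1):
        expected = transaction_code(secret, amount_cents, account, transit,
                                    now + drift * TIME_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def simulate_man_in_the_browser(secret, now):
    """The user authorizes $150,000 to the intended account; malware rewrites the
    destination before submission. Returns (honest_accepted, tampered_accepted)."""
    amount = 150_000_00
    intended_account, intended_transit = "11112222", "123456789"   # constructed
    attacker_account = "99998888"                                 # constructed
    code = transaction_code(secret, amount, intended_account, intended_transit, now)
    honest = bank_verify(secret, amount, intended_account, intended_transit, code, now)
    tampered = bank_verify(secret, amount, attacker_account, intended_transit, code, now)
    return honest, tampered


if __name__ == "__main__":
    print(simulate_man_in_the_browser(TOKEN_SECRET, 1_700_000_000))   # (True, False)
```

Because the code is bound to the amount and destination, a malware-altered transfer fails verification even though the attacker saw the code; what remains is the usability cost raised later in the thread, which is why such a scheme is normally reserved for transfers above a threshold.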
Why make a bloated file? Coding is 100% textual. A .txt file will do fine, not a god-forsaken PDF file. And if it's a .doc, so help me god if it's one of those newer .doc formats that absolutely nothing will read except the absolute newest version of word, I would hunt you down.
Or just delete your email and write you off as a potential employee, one of the two.
Dude, as I suggested, this would just be for large amounts,
not unlike having checks over a certain threshold signed by two people instead of just one.
I don't think the "small" businesses referenced in this article have so many 150k wires/ACHs going out all the time.
So how would your plan defend against regular small payments that add up to $150k if the authorizers are not checking supporting documents for every transaction?
Authenticating each large-value transaction by the means you suggest is just redundant. Why not handle it how most companies already handle it? That is: limits on the approving authority of each person, multiple authorizers needed over $x amount. Hard cap on very high amounts for online submission -- personal verification (via verified telephone or in-person signature) for extremely high amounts?
I have a release authority of $3 million per day (second authorizer required). If I want to go over that amount, I must call the dedicated line at the bank from my phone number on record to request an increase in my limit. I cannot call from my cell or another location, or they will refuse. I must also give personal information to the bank rep to verify it is me.
Now, my situation is not normal for a small business (though my company is considered a small business by US standards). But I have worked for companies that are clearly small businesses, with 100 employees and $100MM revenue (some would only dream of that revenue). And even in those companies, it would be ridiculous to also do transaction authentication because it is redundant when you already do session auth.
whoosh
People ask me for bytecode samples all the time; I embed them in DOC and PDF files to be opened by HR people on unpatched systems.
Why not accept PDFs? Every OS can produce them easily, and it's an open ISO standard. Reformatting a resume into plain text is annoying and is probably costing you good candidates.
It doesn't. It's presumed an attacker is less likely to be interested in wasting his time making many small transactions. Further, any decent bank should recognize repetitive transactions occurring in a short period of time (or, if over a longer period, it should be caught by reconciling cash). Keep in mind, my plan is not about mistake or fraud issues, it's about third party attackers (i.e. supporting documents are not the issue here).
I agree with your suggestions, but those are designed to minimize mistake and fraud related events, not necessarily online redirection of funds. By requiring two different people from, most likely, two different computers to approve a transaction, it's less likely that both computers will be compromised. That said, having a small degree of inexpensive security in place via transactional authorization keys like I suggest would strongly minimize potential redirection of funds by an attacker (i.e. the point at issue in the article).
Session auth in and of itself is not considered good enough for the business banking systems of at least Citibank for one company I've worked with. That suggests to me, they also feel just session auth is insufficient.
Also, caller id can generally be manipulated, so that alone is not a bulletproof control from your bank. That said, all of these things are about low[est] hanging fruit, not 100% perfection, which is an impossible standard.
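The exchange above lays out the controls most companies already rely on: segregation of duties so the person keying a payment cannot approve it, a second approver above some amount, a hard cap for online submission with out-of-band verification beyond it, a daily release authority, and detection of repeated transactions to one beneficiary (the "many small transactions" case). The following is an added example, not code from the article or from any bank named in the thread, of a payment-release policy that applies those rules in order and holds anything that fails one; the thresholds, user ids, account labels and sample batch are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Payment:
    amount_cents: int
    beneficiary: str      # destination account identifier
    submitted_by: str     # the person who keyed the payment
    approved_by: tuple    # user ids of the approvers
    when: datetime


@dataclass
class Policy:
    # Constructed thresholds modelled on the controls described in the thread
    single_approver_max: int = 10_000_00       # above $10,000 a second approver is required
    online_limit: int = 50_000_00              # above $50,000 the bank must verify out of band
    daily_release_limit: int = 3_000_000_00    # $3M release authority per rolling day
    velocity_window: timedelta = timedelta(hours=24)
    velocity_max: int = 5                      # payments to one beneficiary within the window


def evaluate(payment, released, policy):
    """Return 'release' or 'hold: <reason>'. `released` is the list of payments already
    released, which the daily-limit and velocity checks look back over."""
    approvers = set(payment.approved_by)
    if payment.submitted_by in approvers:
        return "hold: submitter may not approve their own payment (segregation of duties)"
    if not approvers:
        return "hold: no approver"
    if payment.amount_cents > policy.online_limit:
        return "hold: above online limit, out-of-band verification required"
    if payment.amount_cents > policy.single_approver_max and len(approvers) < 2:
        return "hold: second approver required"
    window_start = payment.when - policy.velocity_window
    recent = [p for p in released if window_start < p.when <= payment.when]
    if sum(p.amount_cents for p in recent) + payment.amount_cents > policy.daily_release_limit:
        return "hold: daily release limit exceeded"
    same_beneficiary = [p for p in recent if p.beneficiary == payment.beneficiary]
    if len(same_beneficiary) >= policy.velocity_max:
        return "hold: repeated payments to one beneficiary, review required"
    return "release"


def run_batch(payments, policy):
    """Process payments in order; released ones become history for the later checks."""
    released, decisions = [], []
    for p in payments:
        decision = evaluate(p, released, policy)
        decisions.append(decision)
        if decision == "release":
            released.append(p)
    return decisions


def sample_batch():
    """Constructed sample payments (amounts in cents; user ids and accounts made up)."""
    t0 = datetime(2024, 1, 8, 9, 0)
    batch = [
        Payment(2_000_00, "ACCT-A", "alice", ("bob",), t0),
        Payment(25_000_00, "ACCT-B", "alice", ("bob",), t0 + timedelta(minutes=5)),
        Payment(25_000_00, "ACCT-B", "alice", ("bob", "carol"), t0 + timedelta(minutes=10)),
        Payment(5_000_00, "ACCT-C", "alice", ("alice",), t0 + timedelta(minutes=15)),
        Payment(90_000_00, "ACCT-D", "alice", ("bob", "carol"), t0 + timedelta(minutes=20)),
    ]
    # six small payments to a new beneficiary in half an hour: the sixth trips the velocity check
    batch += [Payment(1_500_00, "ACCT-E", "alice", ("bob",), t0 + timedelta(minutes=30 + 5 * i))
              for i in range(6)]
    return batch


if __name__ == "__main__":
    for p, d in zip(sample_batch(), run_batch(sample_batch(), Policy())):
        print(f"{p.when:%H:%M} {p.amount_cents / 100:>10,.2f} -> {p.beneficiary}: {d}")
```

The order of the checks matters: the cheap structural rules (who approved, how much) run first, and only payments that pass them count toward the daily total and the per-beneficiary velocity, so a held payment never consumes release authority.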
Screw these companies hiring online. They've got to cut costs, I know. Always got to improve profits and cut labor costs somehow. So instead of the workers' quality of life improving along with the success of the company you generally see the worker having perquisites cut, benefits cut, and overall enjoyment of their jobs reduced.
I welcome all economy rotting, fetid and unmoving. It will happen one way or the other, but it's nice to see people pushing the boulder along.
WHAT DID YOU THINK WAS GOING TO HAPPEN, KHAN?
Why would one presume that? Many small transactions are much more likely to evade detection. I don't have numbers, but I'd be very surprised if the majority of fraud was perpetrated via multiple small transactions.
I bank with Citi extensively, on two of their online banking platforms. Both require only session auth.
Which is why they always call back on that number. You'd have to be pretty good to spoof outgoing calls to that number.
Inexpensive? That's not inexpensive... If I had to enter in a code of some 20+ digits for every transaction over $X, then type in the response code (via on-screen click to prevent keylogger issues)... that'd be expensive -- and then another authorizer or two would need to do the same -- that's expensive. Also consider that you're dealing with alpha characters for SWIFT codes, IBANs, etc.