Hackers Respond To Help Wanted Ads With Malware
itwbennett writes "The FBI issued a warning Wednesday about a new twist on a long-running computer fraud technique, known as Automated Clearing House fraud. With ACH fraud, criminals install malware on a small business' computer and use it to log into the company's online bank account. In this latest twist on the scam, the criminals are apparently looking for companies that are hiring online and then sending malicious software programs that are doctored to look like job applications. One unnamed company recently lost $150,000 in this way, according to the FBI's Internet Crime Complaint Center. 'The malware was embedded in an e-mail response to a job posting the business placed on an employment website,' the FBI said in a press release. The malware, a variant of the Bredolab Trojan, 'allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company.'"
Well, for some jobs, people do request code samples. I imagine an executable could be included in an application pretty easily and be uploaded by someone involved in the review process. This does not necessarily need to be an HR person (I can't imagine why it would be, for that matter).
I'm guessing that that is why they are hitting small businesses...
On a semi-off-topic note: how safe are the online application systems? Resume bots? Some online application systems can read your resume and auto-fill data.
Some places want PDF resumes, and PDF can have lots of executable code in them.
I'm confused. If I walk up to a bank, write a withdrawal in someone else's name, then hold up the bank ordering them to honor that withdrawal slip, did I steal from the bank, or from the person whose name I forged on the withdrawal slip?
Identity theft and "unauthorized access" and taking the money from an account holder is as absurd as a bank getting robbed and taking it from the last deposits made to the bank and not from their general coffers. It was never done that way before, so why is it done that way now?
Then again it could be something like "resume.doc.exe" but if they are still on the default settings of hide extensions for known filetypes it would look like "resume.doc".
That is a default setting that needs to be changed. It's made it easy to sucker so many people over the years since Microsoft made this stupid mistake that you'd think every IT in the world would automatically change it. I'd rather have a user ignoring information in front of them than hiding it and letting the company get infected. (The first is the user's fault, the second might get blamed on IT.)
There are more complicated ways using special files that exploit bugs and things, but those are a lot harder to pull off, and since I didn't see a mention in the articles saying what the file actually was, I'd check the easier and more common thing first. (It did mention that users thought it looked like a word doc, but that just tells us what the user thought, not what was actually going on.)
A common mistake is to assume that in the USA, "small business" means "mom and pop." In fact, the Small Business Association (SBA) defines a business as small based on number of employees, and though it depends on industry, it typically is 500 (source).
It's true that, by sheer quantity, most businesses are small. There are only 500 Fortune 500 companies, but a zillion hot dog stands. In terms of number of employees or revenue or profits or any other number of factors, many small businesses aren't so small after all.
Is it really that hard? And if you don't know what .jpeg or .pdf or .virus is you should not be using a computer.
You're not kidding? You think it should be possible for a user to trivially install a virus/trojan on their computer? You're blaming the user? Really?
If you don't know what a turn signal is, they don't even let you take the test to get your driver's licence.
You are kidding, right? Of course they do. You may fail (or you may not). Spend 10 minutes at an intersection and let me know what percentage of people who turn use their signal.
When someone has a sensitive computer-type job they should at least be competent to operate the machine. Any other job requires you to be able to competently operate your machine (or OSHA starts sticking their nose around writing tickets), so why should the guy operating the machine that handles other people's (his boss's) money not have to prove his competency?
I need all my applicable tickets/certification/first aid to do my job and I have to keep them up to date or I lose my job.
You are blaming the user...
I think I like my software to be more responsible/secure than my users. Reading email should be dead simple and safe. And using ACH should be really secure and well audited. While I think that making the email/OS supplier in this case responsible for the losses is going too far, I would certainly tend to place more of the blame with them than with the user. And any bank account that can move $150K around should probably be able to catch this sort of thing earlier - and they should probably require a second form of authentication (keycode fob, etc).
My old boss moved back home and worked out a spiffy job doing govt contracts and he had 4 others working for him at the time, and I was considering being the 5th, so I went down to interview and work there for a week training his new people, and he told me proudly that he was the resident IT professional as well, and I warned him that he should be hiring someone to do that full time, he seemed offended.
The next day, I introduced him to BackTrack and we decided to take some time and try to hack his network. Needless to say we were in his WEP secured network within 5 minutes, and within 15 minutes more we were happily browsing files on the Drobo connected to his laptop in his office!
I then went back to my hotel around the corner, and was easily able to see his network traffic from the hotel network, and grab his emails and other communications with wireshark!
I didn't take the job, so the IT guy was employee #5, and he spent weeks removing all the crap he found!
Cheers!
True. I've sent nicely formatted PDF resumes with tasteful fonts, and still get pestered for .doc files that will look like crap because they won't have my fonts and they probably run a different version of Word than I authored with. Very frustrating.
Our applications are handled externally. We get docx and pdf 'converted' to Word. (They change the file extensions) Our HR then brings us 'mystery files' to see if we can sort them out.
Have you met anyone from HR?
You could name it NotAVirus.jpg.zip.exe, send it to them with a "My Resume" subject and it'd almost guarantee being opened.
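The "resume.doc.exe" trick a few comments up and the "NotAVirus.jpg.zip.exe" name here rely on the same two things: Windows hiding the last extension of a "known" file type, and nobody checking whether the bytes match the name. The following is an added example (not code from the thread or from any product) of the screening a mail gateway or HR intake script can do before anyone double-clicks: it reconstructs what Explorer would display, flags a document-looking extension sitting in front of a runnable one, and compares the claimed extension against the file's leading bytes. The extension lists, magic-number table and sample byte strings are constructed for illustration and are not exhaustive.

```python
"""Screening incoming attachments for disguised executables.

Added example (not code from the thread or from any product). The file names,
byte strings and extension lists below are constructed for illustration.
"""
import os

# Extensions Windows treats as runnable (illustrative subset, not exhaustive)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".msi", ".hta"}
# Extensions someone reviewing job applications would expect to see
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".rtf", ".txt", ".odt",
                 ".jpg", ".jpeg", ".png", ".gif", ".zip"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS

# Leading bytes that identify what a file really is, whatever its name says
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy .doc/.xls
    (b"PK\x03\x04", "zip-container"),                       # .docx, .zip
    (b"{\\rtf", "rtf"),
    (b"\xff\xd8\xff", "jpeg"),
]
EXPECTED_CONTENT = {
    ".doc": {"ole-compound"}, ".docx": {"zip-container"}, ".pdf": {"pdf"},
    ".rtf": {"rtf"}, ".zip": {"zip-container"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
}


def extensions(name):
    """All dotted suffixes, lower-cased: 'Resume.doc.EXE' -> ['.doc', '.exe']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]]


def shown_with_hidden_extensions(name):
    """What Explorer displays when 'hide extensions for known file types' is on."""
    exts = extensions(name)
    if exts and exts[-1] in KNOWN_EXTS:
        return name[: -len(exts[-1])]
    return name


def sniff(data):
    """Classify content by its leading bytes; plain UTF-8 counts as text."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def screen(name, data):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    exts = extensions(name)
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        # 'resume.doc.exe' is displayed as 'resume.doc' with extensions hidden
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            findings.append("document-extension-decoy")
    kind = sniff(data)
    if kind == "pe-executable" and final not in EXECUTABLE_EXTS:
        findings.append("executable-content-under-document-name")
    expected = EXPECTED_CONTENT.get(final)
    if expected and kind not in expected:
        findings.append(f"content-mismatch:{final}:{kind}")
    return findings


if __name__ == "__main__":
    samples = {  # constructed byte strings, not real files
        "resume.doc.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "NotAVirus.jpg.zip.exe": b"MZ\x90\x00",
        "resume.pdf": b"%PDF-1.4\n%...",
        "cv.doc": b"MZ\x90\x00",  # renamed executable, no double extension
    }
    for fname, blob in samples.items():
        shown = shown_with_hidden_extensions(fname)
        print(f"{fname!r:26} shown as {shown!r:22} -> {screen(fname, blob)}")
```

The content check matters as much as the name check: a plain executable renamed to `cv.doc` has no double extension at all and only shows up because its first two bytes are `MZ`. Real gateways go further (archive contents, macros inside OLE and OOXML documents), but the principle is the same: decide by what the bytes are, not by what the name claims.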
Well, the IDG article calls it a Word document, so I'm assuming a Word macro or VBA script.
Why do mere credentials allow large money transfers?
I thought everyone was using hardware ID by now.
http://en.wikipedia.org/wiki/Security_token
I know such tokens can still be improved, and they will improve. And it sure is a lot more secure than just a password.
I'm a CPA and work in corporate accounting.
(1) From this experience, I've observed that some of the better banks force the end user to enter numbers from security tokens not only to log in, but a new number to authorize each and every transaction (potentially limited by transaction size if desired). Further, transactions over a certain threshold may require two different individuals to log in to approve.
(2) I'm not a web designer or a real programmer, but does this setup still yield a possible attack? I could foresee a situation where all of this data is intercepted, but most of these security tokens are time sensitive and the end-user would notice delays on the website in use with interception. That said, if an attacker were essentially acting as a proxy for the bank site and just rekeying/scripting information from the bank user, the attacker could insert their own bank accounts in for a wire or ACH transaction. Does this described situation ever happen?
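The proxy scenario in (2) does happen, and the defence against it is exactly the difference the CPA notices in (1): a token code that only proves "someone with the token is logged in" can be relayed by a proxy that then rewrites the payee, whereas a code computed over the payee and amount themselves is useless once the proxy changes either field. The simulation below is an added example (not from the thread, and not any bank's implementation) that ties together the hardware-token comment a few posts up and the two points here: the token signs the transaction details, the bank re-derives the code from the details it actually received, a counter blocks replay, and transfers above a threshold need a second person to sign the same payee and amount. The token, bank, secrets, account labels and threshold are all constructed.

```python
"""Per-transaction signing with a hardware token (simulation).

Added example, not from the thread and not any bank's implementation. The
token, bank, secrets, account labels and approval threshold are constructed.
"""
import hashlib
import hmac

DUAL_APPROVAL_ABOVE = 10_000  # constructed policy: larger transfers need a second signer


def short_code(secret: bytes, message: str) -> str:
    """8-hex-digit code of the kind a user keys in from a token display."""
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()[:8]


class Token:
    """Simulated token: shared secret plus a monotonic counter (replay defence)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def sign(self, dest: str, amount: int):
        """The code covers WHAT is approved (payee, amount), not just WHO is logged in."""
        self.counter += 1
        return self.counter, short_code(self.secret, f"txn|{dest}|{amount}|{self.counter}")


class Bank:
    def __init__(self):
        self.secrets = {}       # user -> token secret
        self.last_counter = {}  # user -> highest counter accepted
        self.pending = {}       # txn id -> (dest, amount, first approver)
        self.executed = []
        self.next_id = 1

    def enroll(self, user: str, secret: bytes):
        self.secrets[user] = secret
        self.last_counter[user] = 0

    def _verify(self, user, counter, code, dest, amount) -> bool:
        if counter <= self.last_counter[user]:
            return False  # replayed or stale code
        expected = short_code(self.secrets[user], f"txn|{dest}|{amount}|{counter}")
        if not hmac.compare_digest(expected, code):
            return False  # code was computed over different transaction details
        self.last_counter[user] = counter
        return True

    def submit(self, user, dest, amount, counter, code) -> str:
        """Transaction as the bank receives it (possibly altered in transit)."""
        if not self._verify(user, counter, code, dest, amount):
            return "rejected: code does not match this transaction"
        if amount > DUAL_APPROVAL_ABOVE:
            txn_id, self.next_id = self.next_id, self.next_id + 1
            self.pending[txn_id] = (dest, amount, user)
            return f"pending second approval: txn {txn_id}"
        self.executed.append((dest, amount, user))
        return "executed"

    def approve(self, approver, txn_id, counter, code) -> str:
        """Second signer must sign the same payee and amount the bank holds."""
        if txn_id not in self.pending or self.pending[txn_id][2] == approver:
            return "rejected: unknown transaction or same approver"
        dest, amount, first = self.pending[txn_id]
        if not self._verify(approver, counter, code, dest, amount):
            return "rejected: approver code does not match this transaction"
        del self.pending[txn_id]
        self.executed.append((dest, amount, first, approver))
        return "executed"


def demo():
    """Walk through the honest, relayed-and-altered, replayed and dual-approved cases."""
    bank = Bank()
    alice, bob = Token(b"alice-token-secret"), Token(b"bob-token-secret")
    bank.enroll("alice", alice.secret)
    bank.enroll("bob", bob.secret)

    # 1. Alice approves 2,500 to the supplier; the bank sees what she signed.
    ctr1, code1 = alice.sign("ACCT-SUPPLIER", 2500)
    honest = bank.submit("alice", "ACCT-SUPPLIER", 2500, ctr1, code1)

    # 2. Same again, but a relaying proxy swaps the payee before it reaches the bank.
    ctr2, code2 = alice.sign("ACCT-SUPPLIER", 2500)
    altered = bank.submit("alice", "ACCT-OTHER-PLACEHOLDER", 2500, ctr2, code2)

    # 3. Resubmitting the code from step 1 fails the counter check.
    replayed = bank.submit("alice", "ACCT-SUPPLIER", 2500, ctr1, code1)

    # 4. 150,000 exceeds the threshold: Bob must sign the same payee and amount.
    ctr3, code3 = alice.sign("ACCT-SUPPLIER", 150_000)
    big = bank.submit("alice", "ACCT-SUPPLIER", 150_000, ctr3, code3)
    ctr4, code4 = bob.sign("ACCT-SUPPLIER", 150_000)
    second = bank.approve("bob", 1, ctr4, code4)
    return honest, altered, replayed, big, second


if __name__ == "__main__":
    for label, result in zip(("honest", "altered", "replayed", "big", "second"), demo()):
        print(f"{label:9} -> {result}")
```

The design point is in `Token.sign`: because the payee and amount are inputs to the code, the bank can only reproduce it from the details it was actually given, so a proxy that rewrites the destination invalidates the very code it relayed. The remaining weak spot is the display: if the user reads the payee off a compromised screen rather than the token, they may sign the wrong details, which is why tokens that show the payee and amount on their own display before producing the code are the stronger variant.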
Or, you realize that e-mail was never designed to lug large binary files around and pass the test programs over http.
Or use stuff like rapidshare, megaupload etc.
We had this happen, and yes, it was embedded in a Word document.
However the (60 year old) HR woman immediately recognized that she'd been infected and called me. This happened about a second before I picked up my phone to call her regarding the torrent of virus warnings that had just started spamming my inbox.
So, from anecdotal experience, it's just another virus file.
JPG? Pfft. Use an animated GIF so they don't even have to flip the pages!
I don't see why blaming the user is automatically negative. If I write some C code with a null pointer bug, is it my fault or Dennis Ritchie's for designing the language to include pointers? I'd say it's mine, and that I'd be a "user" of the C programming language. In this case I think blaming me, the user, is entirely justified. Then again, responsibility is not always clear-cut. If you let a little kid play with a loaded gun, it's your fault if something happens, not the gun's user or even designer.
C *is* a loaded gun. Anyone who can manage to use a compiler *should* know that. Not that they do...
IMO, if a user runs random executable email attachments, it's their own fault. Nowadays on Windows they usually have to click past some warning telling them it might not be a good idea, too.
Sure - running an executable you downloaded in email should be nearly impossible. Downloading a virus should also be very difficult. Installing a keylogger (or whatever they installed) should be nearly impossible. As technical folks, we all know how easy this stuff is - but as sympathetic users we should all appreciate that it should be made to be very very difficult. After all, when is the last time you received an executable via email that was not harmful? What about your mom? What about your grandmom? Why is it even possible for those folks to install this stuff?
I agree, most of them just confuse the byte with the octet and answer 8 instead of: it depends.
...Yes, yes I am. There is absolutely nothing the OS can do to prevent a user with administrative access from installing and running software of their choice...
In the context of reading email, I call B.S.
If all email clients disallowed the downloading of any attachments, this world would be a better place. You and I would have to jump through a hoop or 2 to do the things we do, but the 99.99% of the population that only uses that feature of email programs to install trojans/viruses would appreciate it.
Taking a step up, if all attachments went into a sandbox that was essentially a jail, then this wouldn't be an issue. You can see how that would work.
This is a technical problem. There are technical solutions that would not be too hard to implement.