Hackers Respond To Help Wanted Ads With Malware 113
itwbennett writes "The FBI issued a warning Wednesday about a new twist on a long-running computer fraud technique, known as Automated Clearing House fraud. With ACH fraud, criminals install malware on a small business' computer and use it to log into the company's online bank account. In this latest twist on the scam, the criminals are apparently looking for companies that are hiring online and then sending malicious software programs that are doctored to look like job applications. One unnamed company recently lost $150,000 in this way, according to the FBI's Internet Crime Complaint Center. 'The malware was embedded in an e-mail response to a job posting the business placed on an employment website,' the FBI said in a press release. The malware, a variant of the Bredolab Trojan, 'allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company.'"
so HR will just open any file? or is a word macros (Score:2)
so HR will just open any file? or is a word macros?
Re: (Score:3)
Well, for some jobs, people do request code samples. I imagine an executable could be included in an application pretty easily and be uploaded by someone involved in the review process. This does not necessarily need to be an HR person (I can't imagine why it would be, for that matter).
Re: (Score:1)
Yeah. Something along the lines of "I've attached an application I wrote on my own time, as an example of my work. Try it and see how you like it."
Re: (Score:3)
well, the IDG article calls it a Word document, so I'm assuming word macro or VBA script
Re: (Score:2)
people ask me for code samples all the time, they're called DOC and PDF files opened on unpatched systems
Re: (Score:2)
whoosh
people ask me for bytecode samples all the time, I embed them in DOC and PDF files to be opened by HR people on unpatched systems
Re:so HR will just open any file? or is a word mac (Score:4, Insightful)
semi off topic how safe are the on line applicatio (Score:3)
on a semi off topic how safe are the on line applications systems? resume bots? some on line applications systems can read your resume and auto fill data.
Some places what PDF resumes and PDF can have lots of executable code in them.
Re: (Score:1)
Re: (Score:2)
Which sounds good until you go to work in the real world and need to email test programs back and forth.
That's why, here in the real world, we implement a little thing called "whitelisting".
Re: (Score:3)
Or, you realize that e-mail was never designed to lug large binary files around and pass the test programs over http.
Re: (Score:3)
Re: (Score:2)
Excepting, of course, small businesses that are in the business of being clueful about computers(IT consultancies and the like), it is eminently possible that 'HR' will in fact click on just about anything(and isn't patched against the latest flavors of Word macro).
Having a dedicated IT guy who is worth having is
How small is small? (Score:4, Informative)
A common mistake is to assume that in tUSA, "small business" means "mom and pop." In fact, the Small Business Association (SBA) defines a business as small based on number of employees, and though it depends on industry, it typically is 500 (source [sba.gov]).
It's true that, by sheer quantity, most businesses are small. There's only 500 Fortune 500 companies, but a zillion hot dog stands. In terms of number of employees or revenue or profits or any other number of factors, many small businesses aren't so small after all.
Re: (Score:3, Interesting)
My old boss moved back home and worked out a spiffy job doing govt contracts and he had 4 others working for him at the time, and I was considering being the 5th, so I went down to interview and work there for a week training his new people, and he told me proudly that he was the resident IT professional as well, and I warned him that he should be hiring someone to do that full time, he seemed offended.
The next day, I introduced him to BackTrack and we decided to take some time and try to hack his network.
Re: (Score:2)
I often get people who send me a 1 MB email attachment that is just a paragraph of text wrapped up in the absurdly inflated Doc format.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I've sent nicely formatted PDF resumes with tasteful fonts, and still get pestered for .doc files that will look like crap because they won't have my fonts and they probably run a different version of Word than I authored with.
Just send them a resume.doc.exe which will format c: their hard disk. They won't ask you for doc files again.
Re: (Score:2)
that's easy, convert to JPG and paste in to word
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Right! I always send my resumé in .txt format. I am just wondering why nobody ever hires me...
Re: (Score:3)
Re: (Score:2)
The hiring announcement (job ad) specifically asked for the resume to be sent as a plain text file. Anyone that could not follow instructions and sent a Word document was immediately disqualified from consideration for the job. If you cannot follow the directions in the employment ad you are responding to, you probably aren't going to be detail oriented on the job, either.
You would be amazed at what a large percentage of people sent Word doc
Re: (Score:3)
I agree, most of them just confuse the byte with the octet and answer 8 instead of: it depends.
Re: (Score:2)
Why not accept PDFs? Every OS can produce them easily, and it's an open ISO standard. Reformatting a resume into plain text is annoying and is probably costing you good candidates.
maybe - (Score:3)
That is a default setting that needs to be changed. It's made it easy to sucker so many people over the years since Microsoft made this stupid mistake you'd think every IT in the world would automatically change it. I'd rather have a user ignoring information in front of them, then hiding it and letting the company get infected. (The firs
Re: (Score:2)
what do want people to send PDF? wait PDF is just (Score:2)
what do want people to send PDF? wait PDF is just as bad as some word doc files.
Re: (Score:2)
In Vista/7 this was fixed, what, four years ago?
Any executable file downloaded via email or the web will require a UAC prompt just to run. Windows Live Mail and Outlook 2007 also have additional protection against double-extension files and executables. Also by default executables run at unprivileged user level and in most corporate settings the drones don't have the admin password.
Yeah, XP is still vulnerable, but it is 9 years old now. How many software companies go back and add major new architecture fro
Re: (Score:2)
Re:so HR will just open any file? or is a word mac (Score:4, Funny)
Have you met anyone from HR?
You could name it NotAVirus.jpg.zip.exe, send it to them with a "My Resume" subject and it'd almost guarantee being opened.
Re: (Score:1)
FWIW, there have also been huge security holes in the dominant PDF reader, too -- some quite recently [adobe.com].
Re: (Score:3)
We had this happen, and yes, it was embedded in a Word document.
However the (60 year old) HR woman immediately recognized that she'd been infected and called me. This happened about a second before I picked up my phone to call her regarding the torrent of virus warnings that had just started spamming my inbox.
So, from anecdotal experience, it's just another virus file.
Read the little ".whatever" (Score:1, Flamebait)
If you don't know what a turn signal is they don't even let you take the test to get your drivers licence. hint hint When someone has a sensitive computer type job they should at least be competent to operate the machine. Any other job requires you to be able to competently operate your machine (or OSHA starts sticking their nose around writing tickets) why should not the guy operating the mach
Re: (Score:1)
Re: (Score:3)
Is it really that hard? And if you don't know what .jpeg or .pdf or .virus is you should not be using a computer.
You're not kidding? You think it should be possible for a user to trivially install a virus/trojan on their computer? You're blaming the user? Really?
If you don't know what a turn signal is they don't even let you take the test to get your drivers licence.
You are kidding, right? Of course they do. You may fail (or you may not). Spend 10 minutes at an intersection and let me know what percentage of people who turn use their signal.
When someone has a sensitive computer type job they should at least be competent to operate the machine. Any other job requires you to be able to competently operate your machine (or OSHA starts sticking their nose around writing tickets) why should not the guy operating the machine that handles other peoples (his boss) money have to prove their competency.
I need all my applicable tickets/certification/first aid to do my job and I have to keep them up to date or I lose my job.
You are blaming the user...
I think I like my software to be more responsible/secure than my users. Reading email should be dead simple and safe. And using ACH should be really
Re: (Score:2)
Yes, it should. I can still remember when it was. But those times are long gone, and you have to check each and every email for viruses, trojans and malware (Oh my!) before opening it if you don't want something like this to happen. If that company had enough money in the bank that scammers could steal $150,000 from their account, they had enough money to afford good virus and malware protection. Granted, it might not protect them from a zero day exploit, b
Re: (Score:2)
"Reading email should be dead simple and safe.
Yes, it should. I can still remember when it was."
Yes, I do too. I don't need far memories. Maybe it's because I'm using Linux.
Re: (Score:2)
Maybe it's because I'm using MailScanner [mailscanner.info] and ClamAV [clamav.net].
Re: (Score:2)
So do I, as it happens. However, the average small business doesn't use Linux and isn't about to switch so I decided to point out a solution that would fit into what they're willing to do rather than waste time beating my head against that particular wall.
Re: (Score:2)
"the average small business doesn't use Linux and isn't about to switch so I decided to point out a solution that would fit into what they're willing to do rather than waste time beating my head against that particular wall."
With regards these kind of problems I'm more than glad that they *do* waste their time beating their heads against the wall once and again: the more problems they have, the more checks I collect. It's up to them to make their business case about being so tightly tied to a single almost
Re: (Score:2)
Hosted on Gmail. Done.
Re: (Score:1)
Attachments are just files, and the mail program cannot do much about them. If you open a file of unknown origin, then it doesn't matter if you got it by mail or downloaded it from some shady place of the internet.
Re: (Score:2)
If you use a decent email program/OS, it flags the file as being downloaded and possibly harmful. When you try to open it, it warns you - at least.
If you use a hosted mail service, like gmail, then the file never gets downloaded *at all*.
Re: (Score:1)
Ah, yet another annoying warning message the user clicks away unread. And given that the computer cannot know if you know and trust whoever wrote that mail, it would likely give at least 90% "false positives".
You mean, at gmail there's no way to get at attachments of mails?
Re: (Score:2)
Ah, yet another annoying warning message the user clicks away unread.
I guess you're referring to the Windows model, where I hear there are an awful lot of warnings. I don't face that issue, so I believe it is possible to have a reasonable number of warnings.
And given that the computer cannot know if you know and trust whoever wrote that mail, it would likely give at least 90% "false positives".
I disagree on 2 points:
1. That "the computer can't know if you know and trust the source." Certainly it can get some idea.
2. That downloading *anything* from email is a reasonable thing to do. Certainly downloading a *program* from email is virtually never a good idea and should be impossible for the casual user.
You mean, at gmail there's no way to get at attachments of mails? Somehow I cannot believe that.
Of c
Re: (Score:2)
You're blaming the user? Really?
I don't see why blaming the user is automatically negative. If I write some C code with a null pointer bug, is it my fault or Dennis Ritchie's for designing the language to include pointers? I'd say it's mine, and that I'd be a "user" of the C programming language. In this case I think blaming me, the user, is entirely justified. Then again, responsibility is not always clear-cut. If you let a little kid play with a loaded gun, it's your fault if something happens, not the gun's user or even designer.
IMO,
Re: (Score:3)
I don't see why blaming the user is automatically negative. If I write some C code with a null pointer bug, is it my fault or Dennis Ritchie's for designing the language to include pointers? I'd say it's mine, and that I'd be a "user" of the C programming language. In this case I think blaming me, the user, is entirely justified. Then again, responsibility is not always clear-cut. If you let a little kid play with a loaded gun, it's your fault if something happens, not the gun's user or even designer.
C *is* a loaded gun. Anyone who can manage to use a compiler *should* know that. Not that they do...
IMO, if a user runs random executable email attachments, it's they're own fault. Nowadays on Windows they usually have to click past some warning telling them it might not be a good idea, too.
Sure - running an executable you downloaded in email should be nearly impossible. Downloading a virus should also be very difficult. Installing a keylogger (or whatever they installed) should be nearly impossible. As technical folks, we all know how easy this stuff is - but as sympathetic users we should all appreciate that it should be made to be very very difficult. After all, when is the last time yo
Re: (Score:2)
If you let a little kid play with a loaded gun, it's your fault if something happens, not the gun's user or even designer.
C *is* a loaded gun. Anyone who can manage to use a compiler *should* know that. Not that they do...
I'm sorry, I don't get how your use of my analogy fits. There doesn't seem to be a supervisory "parent" figure to blame when the C programmer generates a pointer bug. I certainly agree C is a metaphorical loaded gun, I just don't see that statement's relevance.
After all, when is the last time you received an executable via email that was not harmful? What about your mom? What about your grandmom? Why is it even possible for those folks to install this stuff?
I have to send and receive executables via email relatively frequently, though my grandma certainly doesn't. IIRC Outlook won't even let you run them, which is probably a good idea.
When a user infects their computer with an email attachment, who pays
Re: (Score:2)
The mail app or OS could run downloaded apps in a sandbox and as a less privileged user. At least that would minimize the damage that could be done, modulo priv-escalation and bugs in the sandboxing code... Might make things a little less bad.
Re: (Score:2)
You think it should be possible for a user to trivially install a virus/trojan on their computer? You're blaming the user? Really?
Yes, yes I am. There is absolutely nothing the OS can do to prevent a user with administrative access from installing and running software of their choice. It can warn them, it can prompt to see if they're sure, it can require the admin password, but ultimately it can't prevent them without forcing them to log out and in as a different user, or reboot into a special maintenance m
Re: (Score:3)
...Yes, yes I am. There is absolutely nothing the OS can do to prevent a user with administrative access from installing and running software of their choice...
In the context of reading email, I call B.S.
If all email clients disallowed the downloading of any attachments, this world would be a better place. You and I would have to jump through a hoop or 2 to do the things we do, but the 99.99% of the population that only uses that feature of email programs to install trojans/viruses would appreciate it.
Taking a step up, if all attachments went into a sandbox that was essentially a jail, then this wouldn't be an issue. You can see how that would work.
This is a te
Re: (Score:2)
You're blaming the user? Really?
Blaming the user for being an idiot, not blaming the user for wiping out their hard drive. There's a difference.
Re: (Score:2)
Exactly - here, in Romania, if you want to make a transaction you need to input 2 separate codes from a token - once to log in (you are logged out if you don't use the application/webpage/whatever for a few minutes depending on the bank) and once to approve the transaction.
The new tokens from my bank are a pain in the ass - you need a token/a card/the sum you want to transfer and a pin just to make the transaction, the old token was simpler - you needed only the token and the pin.
Re: (Score:2)
Re: (Score:1)
Stupid analogy You don't need to hire a carpenter to build your deck but you should know what the damn on/off switch is on your circular saw so you don't cut your fingers off.
Re: (Score:2)
I tend to agree with you that it's the user's own fault if they didn't figure out file extensions and ran random email attachments. But, your wording hurts our case.
Re: (Score:2)
What does programming with VB have to do with anything?
VB specifically? Nothing, but programming in general is complex compared to knowing what file extensions mean. The average Joe, if using a computer in their day job, should understand file extensions but probably doesn't need to understand more advanced computer skills such as programming (in VB or any other language).
Re: (Score:2)
Opening files of any kind on a computer that hides the file type extension is like putting your hand in a black bag in a remote village in a country where you don't speak the language. Sure there might be a toffee apple in side, but it MIGHT be a ferret or worse. If you don't know what a ferret is, dont put your hand in a bag that
Re: (Score:1)
Re: (Score:2)
Since Microsoft in all their wisdom has decided to hide the extensions of the files on our computers these days people haven't got a clue about what they are opening until it is too late.
However - if the online banks only has a username/password credential for their access then the banks needs to be responsible for any costs that the users suffers. A method of signing transactions using at least a smart card with PIN code should be used, but since the smart card interfacing can be hacked an external mean of
Stole from the company? (Score:5, Insightful)
Identity theft and "unauthorized access" and taking the money from an account holder is as absurd as a bank getting robbed and taking it from the last deposits made to the bank and not from their general coffers. It was never done that way before, so why is it done that way now?
Re: (Score:2)
Re: (Score:1)
And you have more apostrophe's than them.
Re: (Score:2)
Re: (Score:2)
Nice!
Why is it at all possible? (Score:3)
Identity theft and "unauthorized access" and taking the money from an account holder is as absurd as a bank getting robbed and taking it from the last deposits made to the bank and not from their general coffers. It was never done that way before, so why is it done that way now?
Why does mere credentials allow large money transfers?
I thought everyone was using hardware ID by now.
http://en.wikipedia.org/wiki/Security_token [wikipedia.org]
I know such tokens can still be improved, and it will improve. And sure is a lot more secure than just a password.
Re: (Score:1)
This is probably why they are focusing on "small businesses".
Large companies know better and have IT departments that can at least document a need for multi-factor authentication (although there isn't a guarantee that they have enough clout to force the issue).
Small companies get by on whatever the last consultant gave them and usually ignore any advice to spend money on something they would need to physically carry around.
Re: (Score:1)
There's a Mitchell and Webb sketch about this very thing.
www.youtube.com/watch?v=CS9ptA3Ya9E
Good link
Here [youtube.com] it is in clicky format for the lazy. Mod up.
Re: (Score:3)
Under UK law the bank is liable. The customer is only ever responsible for loss if the bank can prove that they did something negligent to cause it. Even if you PC got infected with a virus that stole your credentials as long as you had anti-virus software and didn't do anything monumentally stupid the bank takes the hit. You took reasonably precautions which is all the law requires.
Banks tried to get out of their liability by claiming that the Chip & PIN system on bank cards was infallible so any fraud
Re: (Score:2)
But that's ok because Linux doesn't get viruses, right?
Re: (Score:2)
Doesn't matter the OS is it's a browser targeted attack. based on the scant information in the article, I'm guessing this is a XSRF attack.
Re: (Score:2)
Based on the fact that HR has access to company accounts, the businesses targeted/affected are probably 1 person does all the management functions. Most banks I've seen use the same authentication for small businesses as personal accounts. If they have a PIN/keypad or a rotating authentication question, then a straight credential capture isn't easy. Unfortunately, while those measures are common, they aren't universal. This might also be a cross site request forgery (XSRF) attack, which would be prevented o
Hackers or Criminals? (Score:1)
Errm, nobody seems to have noticed the headline of this story..
"Hackers Respond To Help Wanted Ads With Malware" ..
FFS Slashdot, these are not Hackers they are Criminals.
Re: (Score:1)
FFS Slashdot, these are not Hackers they are Criminals.
How can you be sure they are not hackers? Being a hacker and being a criminal are not mutually exclusive.
Re: (Score:1, Insightful)
This is true.. But look at this headline:
BLACK MEN RAPE YOUNG GIRLS
Now, it may be true that they are black. Its also likely that other people who were not black were also involved, but bringing out one attribute such as ethnicity or a technical aptitude really does not describe the whole situation. What the headline should be is:
CRIMINAL HACKERS...
or
BLACK RAPISTS....
Which, instead of attributing *ALL* hackers or *ALL* black men to a certain criminal activity, makes the distinction that not all people with t
Re: (Score:1)
In either case, there is no reason to even mention "hacker" or "black".
Headline should simply say "Criminals Respond...."
Useless Warning (Score:1)
If only people demanded proper security tokens... (Score:3)
(1) From this experience, I've observed that some of the better banks force the end user to enter numbers from security tokens not only to log in, but a new number to authorize each and every transaction (potentially limited by transaction size if desired). Further, transactions over a certain threshold may require two different individuals to log in to approve.
(2) I'm not a web designer or a real programmer, but does this setup still yield a possible attack? I could foresee a situation where all of this data is intercepted, but most of these security tokens are time sensitive and the end-user would notice delays on the website in use with interception. That said, if an attacker were essentially acting as a proxy for the bank site and just rekeying/scripting information from the bank user, the attacker could insert their own bank accounts in for a wire or ACH transaction. Does this described situation ever happen?
Re: (Score:2)
(1) the user enters the the wire/ach data on the token itself (amount, account number, transit number)
(2) the resulting number generated would both authenticate the user for the transaction and also authenticate the amount (i.e. the amount entered on the keypad wo
Re: (Score:2)
You can say that again. That would be impossible from a use standpoint. Many small businesses issue dozens or even hundreds of payments on a weekly basis (not even including payroll!). Asking payment authorizers (typically exec-level employees) to manually key in that information is ridiculous. Plus you're going to have typos that result in incorrect authentication numbers, etc. So what happens? You return a result of "authentication not valid" and they h
Re: (Score:2)
not unlike having checks over a certain threshold signed by two people instead of just one
I don't think the "small" businesses referenced in this article have so many 150k wires/ach's going out all the time
Re: (Score:2)
So how would your plan defend against regular small payments that add up to $150k if the authorizers are not checking supporting documents for every transaction?
Authenticating each large-value transaction by the means you suggest is just redundant. Why not handle it how most companies already handle it? That is: limits on the approving authority of each person, multiple authorizers needed o
Re: (Score:2)
It doesn't. It's presumed an attacker is less likely to be interested in wasting his time making many small transactions. Further, any decent bank should recognize repetitive transactions occurring in a short period of time (or, if over a longer period, it should be caught by reconciling cash). Keep in mind, my plan is not about mistake or fraud
Re: (Score:2)
Why would one presume that? Many small transactions are much more likely to evade detection. I don't have numbers, but I'd be very surprised if the majority of fraud was perpetrated via multiple small transactions.
I bank with Citi extensively, on two of
Theres not many solutions to this problem... (Score:1)
Obvious fix (Score:2)
All job applications and CVs should be in plain text. Problem solved. :)
(And yes, I've seen online application processes which will not accept text or even RTF files, demanding that any submission must end in DOC or PDF. Stupid, stupid, stupid...)
Segregation of Dutues (Score:2)
Good fucking Grief (Score:1)
Is this the state of Cyber Security in the twenty first century?
The Zeus botnet only targets Windows machines [wikipedia.org]
"There are a few things consumers and small businesses can do if they're unsure about e-mail attachments. The safest is to delete the attachment and write back to the sender asking for a plain text version. Alternatively, they can open the document in Google's Gmail to see if it appears legitimate" link [itworld.com]
Re: (Score:2)
When are they going to learn? But the big question is: which they? The users? Or the software makers?