Hackers Track Down Banking Fraud 335
An anonymous reader writes "Noticing some commonalities in the spam flooding their email
in-boxes, a small group of hackers set out to track down who was
responsible. Along the way they uncovered a trail that led them to an
organized gang of criminals halfway around the world, and right back
to some of the largest financial institutions in the US, and their
customers, that became the gang's prey. See the SecurityFocus story for more details."
Yet more proof... (Score:3, Insightful)
Think of them as citizen-cops, they find the bad things and patch them, report them, these are the guys who we should praise, not put down. God Bless the white hat hacker.
Re:Yet more proof... (Score:3, Interesting)
Atrox
Re:Yet more proof... (Score:5, Insightful)
You're much better off using the black|grey|white hacker classes, although even that can be fuzzy at times.
Re:Yet more proof... (Score:2, Informative)
Re:Yet more proof... (Score:2)
Script-kiddies don't investigate code, don't investigate complex systems for flaws, and have no insight in what they are doing. However they do download pre-made tools, and try them on every system & website they can find.
These guys do the most (quantity not quality) damage and make hackers look so bad
Re:Yet more proof... (Score:3, Insightful)
You're right, I'll just disable my firewall (Score:2)
Knock it off please (Score:3, Insightful)
We lost control of the word "hackers" a long long time ago. It has been more than 10 years since the horse left the barn, stop whining about the open gate.
"Hacker" (Score:3, Insightful)
A little backbone is all that's required. Be a leader, not a follower.
This is not what you'd normally call a "hacker" (Score:5, Interesting)
This entire linked-to-article is, frankly, an advertisement. It's an advertisement to try to get people to buy security consulting services from this company. Impressively, this company managed to get the story on Slashdot. It's a sample report (you can figure this out early because of the number of tables and screenshots). (Silly execs love tables and pictures -- be sure to include lots if you're ever in a vending situation, even if they provide little useful content.) Other red flags include the fact that it's aimed at financial services (folks who have lots of money), and focuses on flaws in what Citibank is doing (with the implicit suggestion that this company could help them). Especially notable is the fact that if focuses on flaws in Citibank's behavior even if said behavior is not particularly relevant to the scam, such as the format of Citibank's emails. Are customers going to notice or care whether Citibank emails contain unique identifiers -- *not* hashbusters? No, though a security consultant who focuses on spam would.
Then they have the nice little blurb at the bottom about the company.
Frankly, they missed one important aspect. You can't sell anything to a company unless you can provide a measure of how much the company can save. They should run out and get a ballpark estimate on how much Citibank could potentially, worst-case, lose from this. They subtract proposed consulting fees and end up with a nice fat number.
The reason I find this advertisement vaguely disturbing is because folks like this are just another leech feeding off of fat, stupid corporations. Lots of consultants already do so. However, what these folks do *sounds* good but has little point. It's not financially feasible for a company to pay a small private army of techies to try to track down random Russians so that legal nastygrams can be sent to them (keep in mind that the firm didn't actually *identify* who the spammers were). There are too many potential baddies out there. A financial services corporation would be *far* better served by developing secure communication policies and technology that are *easy* to use for the consumer, and then spending money educating their customers about these. Then they become difficult to attack. To go after individual bad guys is like plugging holes in a dyke -- very profitable for the guy being paid to plug holes, but ultimately ineffective.
Hackers eh? (Score:4, Funny)
Hackers (Score:4, Interesting)
not so fast... (Score:3, Insightful)
Congradulations to them (Score:4, Insightful)
Seriously, law enforcement needs much more of this. I can't name the last time I met a cop who understood computers at all.
Re:Congradulations to them (Score:2)
I did. They rejected me because I admitted to smoking pot as an adult.
Sadly.... (Score:2)
Skipping English Class (Score:3, Funny)
"and PIN that you use on ATM."
"becaurse some of our members no longer have access to their email addresses and we must verify it" (misspelling / run on sentence)
Re:Skipping English Class (Score:2)
Re:Skipping English Class (Score:2)
Overall, I would guess that they were successful
Re:Skipping English Class (Score:2, Funny)
So are you one of the scammers?
Cliff Stoll (Score:5, Interesting)
This reminds me of Cliff Stoll- an astrophysicist who moonlighted as a sysadmin at UC Berkley, and noticed a discrepancy of a cent or less in the CPU time accounting system.
I won't spoil the story, but see if your local library has a copy of the Cuckoo's Egg(by Stoll). His more recent book, Silicon Snake Oil, discusses the falsities behind throwing technology(computers) at people- particularly in schools, for example...and was also quite good when it came out(and schools were dumping boatloads of $ into computer labs which sat mostly empty).
He's humble, intelligent, well educated, writes fun to read stuff...one of the computer scientists(and physicists) I respect the most- far above all the three-letter personalities.
Re:Cliff Stoll (Score:2, Informative)
1) HE didn't notice it, it was handed to him as an assignment to0 get him poke around and get him used to the way their computers worked because he switched jobs to the computer department recently.
2) It was 75 cents of computer time, not "a cent or less".
3) He refered to the the hacker less than nicely for using computer time, but
Re:Cliff Stoll (Score:2)
Computer labs mostly sat empty because of the badly structured school system(s). As it is, learning how to use Microsoft Excel and Access is considered to be "advanced" with Keyboarding 101 being "basic". (Yes my school actually forced students to take that Keyboarding before letting them enter other computer classes. Needless to say, a class of
E-Mails (Score:4, Informative)
Also the emails are getting "smarter" in that they look more like the place and making use of the old http://www.domain1.com@www.domain2.com which for a newbie can be very easily misread
Rus
Re:E-Mails (Score:2)
If the spammers did follow through on the scam and extract money from someone's account then it should be relatively trivial to trace the money and find the bad guys. Certainly much easier than trying to find through technological means.
Why isn't this being done?
Re:E-Mails (Score:3, Funny)
- the terrorist 5 year olds trying to smuggle their baby scissors onto airplanes, so they can cut up paper at their destination
- the terrorist 12 year olds participating in filesharing, and thereby potentially violating copyright
- the terrorist people of arabic descent trying to fly on airplanes, thereby frightening the crew and passengers by their resemblence to mideasterners
Re:E-Mails (Score:2)
If the spammers did follow through on the scam and extract money from someone's account then it should be relatively trivial to trace the money and find the bad guys. Certainly much easier than trying to find through technological means.
First, I RTFA and I am well aware that the scammers perpetrating the bank scam are Americans, and therefore the law covers them.
However, many of these scam spams come from overseas, where we have no jurisdiction. We'd have to invade them, force them to setup a government
Security is a procedure, not a product.. (Score:2)
That'd be a case of the client being dumber, and supporting this without putting up HUGE WARNING DIALOGS or (much better) just not supporting those forms of URIs at all.
When was the last time you saw a raw hex encoded IP that was not in a misleading spam? How about the domain@domain form you mention?
If something is use
Re:E-Mails (Score:2)
Re:E-Mails (Score:2)
Tracking down things these days... (Score:5, Funny)
So have they been arrested and charged under the DMCA for divulging weaknesses in the financial system?
A fool and his money (Score:4, Insightful)
Re:A fool and his money (Score:3, Insightful)
If you walk up to a few hundred thousand people and ask for their account numbers and PINs, yes, you're going to get many punches in the mouth. But you might also get an account number and a PIN, because one of the people that you walk up to is a complete idiot.
It's not that the medium makes people stupider. It's that it'
Re:A fool and his money (Score:3, Interesting)
Re:A fool and his money (Score:2)
Re:A fool and his money (Score:2, Insightful)
Re:A fool and his money (Score:2)
Some clues are just too obvious.
Re:A fool and his money (Score:2)
RTFA and look at the pictures too. Here's some help, scroll down to Figure 4:
Re:A fool and his money (Score:4, Insightful)
Hardly.
They send out spam to 180 million people, and get maybe a few hundred suckers.
Being in the
Re:A fool and his money (Score:3, Informative)
More than a few hundred suckers if you ask me!
Re:A fool and his money (Score:2)
Re:A fool and his money (Score:2)
Re:A fool and his money (Score:2, Informative)
Re:A fool and his money (Score:2)
Re:A fool and his money (Score:2)
The poo
Re:A fool and his money (Score:2)
The scariest part... (Score:5, Insightful)
I don't like to say this, but if they are indifferent about this sort of crime now, they are going to have no chance of fighting it.
Even Scarier (Score:5, Insightful)
...Much worse than "Citibank didn't care". Look down lower on the SecurityFocus report [securityfocus.com] and you'll see that Citibank's own fraud reporting webpage appears to be compromised, they know about it, and they hadn't (as of publication date) tried to correct it. The email reply from the fraud page is itself fraudulent, and directs users to a nonexistent toll-free number or a private AOL email address, although it appears to come from Citibank's own servers!
Also, there's a CNET article about the August 16 version of the scam, reported on August 18, 2003. The article is supposed to be here at http://news.com.com/2011-10173-5065394.html?tag=ma instry
(Link) [com.com]
But when you check that link, it first comes up, then a second or two later gets redirected to a search page claiming that the article is "expired".
Strangely, the CNET search page (which searches on terms similar to the title) comes up with 2 flattering articles about Citibank's quality process, one dated 2002, the other dated 2000. Neither of those articles has "expired". Draw your own conclusions here.
For those who aren't too quick on the mouse, part of the text of the "expired" article is here:
SecurityFocus notes that Citibank should know the exact number of people who came to their website from the fraudulent redirection, although officials there claim not to know. It also seems unlikely that Citibank's systems were not compromised, considering the email replies that came from their "report fraud" webpage.Even Scarier than THAT (Score:2)
I looked at the Citibank page for reporting fraudulent email (a stroke of genius to call it "/domain/spoof/report_abuse.htm".. boy does that make me think "official" and NOT "spoofed") and (a) it doesn't work in Mozilla (b) I'm not sure the form to report this stuff actually goes to anywhere that doesn't end in aol.com
Re:The scariest part... (Score:2)
Re:The scariest part... (Score:3, Interesting)
If the banks profit they will find a way to look away. Also there is a "legal" need for corporations to shuttle vast amounts of money to and from overseas accounts to hide profits from the tax collectors all over the world. I imagine it's probably realively easy to ride that wave without being
Scary and sad (Score:2, Interesting)
Sadly, the only thing that corporations care about today is bottom line. (This is the reason Microsoft antitrust was such a farce, by the way.) This story reminds me the story [securityfocus.com] about Kevin Mitnick testifying against Sprint in Vice Hack Case:
Re:The scariest part... (Score:2)
That is pretty scary.
Something similar happened up here in Canada recently (ie, this week). I got very convincing looking mail from a spammer trying to impersonate a bank asking me for my account info (apparently they updated the system and needed to reactive my account... yeah right).
The spammer only made two mistakes, though: He spoofed a bank that I do not, nor have ever actually banked with. So it was an obvious fraud. Plus, the tric
Hacking? (Score:4, Insightful)
Re:Hacking? (Score:3, Interesting)
Re:Hacking? (Score:2)
hey never performed any exploits though, like actually trying to access the web server in russia to see what information they actually had...
Maybe I don't completely understand web servers, but one question I had left from the article was "How did they get the server log files they said reported the data about hits?"
to be a complete pedant... (Score:5, Informative)
A Ponzi scam is where you take money from new "investors" and use some of it to pay an apparently high return to your existing investors, grabbing the rest for yourself. Everybody's happy until (inevitably) you run out of new investors and the whole thing falls apart.
The 419 fraud involves a promise to transfer $millions into the victim's bank account, for some trumped up and obviously rather dubious reason. At the last minute you ask the victim to pay a "transfer fee" of perhaps a few $1000. You then vanish with the "transfer fee", never to be heard of again.
Re:to be a complete pedant... (Score:4, Informative)
The more skillful 419 scammers don't stop when they get the $1000. Once they have a sucker on the hook, they milk them for all they can get by inventing a series of ever-increasing "fees", "bribes", etc that must be paid to complete the deal. A woman who worked in a law office got scammed into shelling out about $2 million of her employer's money. The Secret Service estimates the total take (so far) for these scams at about a half billion dollars.
Re:to be a complete pedant... (Score:2)
The persistent success of this scam tells me there's something very important missing from the curriculum being taught in our schools.
Re:to be a complete pedant... (Score:2, Insightful)
Re:to be a complete pedant... (Score:2)
How does one teach stupid people to shoot themselves in the head? They'd probably be too stupid to understand the hints you're giving them...
Re:to be a complete pedant... (Score:2)
The filter I want to put that through, is something like "Nobody is that stupid, perhaps there is more to the story."
My guess is that the scam was more insidious than stupid. She knew the 419 was a scam. So she tried to connect her employer to the scammer, collecting some money in the middle. The plan was to make it look like her employer had fallen for the scam, presumably in hopes that the emp
It's already half /.'ed (had to reload twice)... (Score:2, Interesting)
----
1 Overview
Not all people that send undesirable email (spam) are the same. Their motives differ as greatly as their tools and technical abilities. This document uncovers a spam gang who seeks to acquire your banking information, and the response from one of the targeted victims: Citibank.
This document describes the unique bulk-mailing tool used for recent rash of f
Yikes!!! I'm glad I RTFA (Score:5, Insightful)
After nine years on the net, this is the first scam that I believe I might (though probably not, as I always show the address bar and look for the secure connection icon) have fell for.
Having your web browser load Citibank's home page, and then swiping the info via a rogue pop-up is the sneakiest tactic I've seen.
Even the link in the email appears to be from Citibank upon first glance.
A exceptionally clever and well-crafted scam.
Re:Yikes!!! I'm glad I RTFA (Score:4, Informative)
Scary!
Bad memory (Score:2)
Homograph Attack (Unicode in URLs) (Score:2)
Protecting oneself... (Score:4, Insightful)
Unfortunately, the essential element, common sense, is what is tripping people up. Would your bank really contact you via e-mail to get your personal info? Would your bank call you up and ask for your personal info? They're your bank for chrissakes, they can get a complete profile on you just by asking the credit bureau!
Last note - the best way to prevent any failure in mental processes is to keep the mail from reaching the user in the first place. Spamassassin has done incredibly well by me ever since I trained the bayesian feature on a backlog of scam mails. I rarely get financial scam mails, instead now I have to fight soft-pedal scams that trip none of SAs hard-coded rules, but still score a bayes_99 score. Oh well...
Re:Protecting oneself... (Score:3, Interesting)
Adjust the score of bayes_99. Every few months or so, I increase the scores of the bayesian tests by 10% or so, as the training from an expanded corpus makes the bayesian scores more reliable.
I've been thinking about implementing my own spamassassin derivative that, rather than assign scores to distinct regexps and then run through a bayesian scanner, uses the regexps matched as extra tokens for the bayesian scanner to chew on. Because the regexps would be crafted to look at certain non-tokenized data (
Re:Protecting oneself... (Score:2)
Generally a good idea except that there are way too many fuckups in this world who think that links should be javascript.
Re:Protecting oneself... (Score:3, Interesting)
Stop using JavaScript completely!
Of course that will break Mozilla's plans for XUL. The best thing you could do is re-invent how JavaScript works. What if pages with JavaScript required a signature? Then we could set up trust levels per site/coder. A significant enough people use Mozilla such that people would fix their sites if they wanted to use JavaScript. If you ran into a site that didn't have signatures, and ran JavaScript you could hav
Should design for security (Score:5, Interesting)
In this scam a pop up with no navigation and no URL box was presented to the user on top of a genuine web page. This confused the user into thinking the pop up came from citibank. Advertisers like such pop ups because it locks the user into a path specified by the advertiser and obscures the source of the ad. Some web designers like the format because they think it's looks less cluttered.
Most modern web browser can be set will block pop up, force navigation, or always display the URL. Many advertisers whine that this is unfair. So what. What is even more amazing is that generally responsible companies, such as eBay, will create pop up screens with no URL and no navigation, thereby setting a precedence to allow such fraud.
The same is true from images from a third party server. It is useful for advertisers to set web bugs and large scale rotating campaigns. It is even useful for websites to distribute load. It also introduces security issues.
Which is just to say that may on /. would say that the luser should be more careful, and stupid people deserve to be swindled. But i have seen financial organizations use pop ups and third party ads to push product to their customers on the customers financial information page. This is a page that should only contains sensitive information, not irrelevant content The banks are willing to compromise security to push products. And then the banks complain that customers are to blame.
Re:Should design for security (Score:2)
In this scam a pop up with no navigation and no URL box was presented to the user on top of a genuine web page. This confused the user into thinking the pop up came from citibank. Advertisers like such pop ups because it locks the user into a path specified by the advertiser and obscures the source of the ad. Some web designers like the format because they think it's looks less cluttered.
I am (currently) safe from the malware, because I think slashdot would immediately know about a Linux-based scam like t
Re:Should design for security (Score:2)
If you look at all the bugs and holes in it, how can you believe that its actually being maintained to the point of justifying it as modern?
Browser should display real URL... (Score:5, Interesting)
pop up a warning dialog for URLs with a username
field (especially if it contains one or more dots).
Something like:
| Alert -- Actual URL is:
|
| Domain Path: badpeople.hackedsite.ru/hahaha
| Username: www.citibank.com
| Password: verify=
This would at least highlight the real site the
link is pointing to.
What if we used tax money for this - (Score:3, Interesting)
They seem to be a lot better at it than law enforcement.
No, this is not a troll...
*sigh* whatever...
In the meantime.. (Score:2)
Protect Against 303 (Score:2, Interesting)
Otherwise it seems there is NO way to protect against this (except smarter consumers... Like that's going to happen!).
Why don't banks and credit card companies... (Score:4, Insightful)
Re:Why don't banks and credit card companies... (Score:3, Informative)
Thanks,
Leabre
Hope this makes the news... (Score:4, Insightful)
Stories like this would be serious eye openers to my family and friends who seem to know nothing about computer fraud.
I submited the story to a few local news agencies. Hopefully one of them picks up on it.
My work here is done
What to do about this (Score:5, Insightful)
The Paypal scammers, with only your password, can literally take you for every cent you got AND every cent of credit availability.
And where is the mention of the origin of it all, the AOL phishers? I guess you only see it on AOL but it is a huge problem over there. The main purpose seems to use compromised accounts to spam AOL members from inside, it happened to my dad, who is still "not budging" from AOL.
The ideal solution would be a distributed deliberate response, using the form provided by the spammer, by the targetted companies, who could load predetermined user/pass combinations and disinformation (I have a script) into their database. When access is attempted using the provided login/password combinations, the criminal is detected in real time (he is not safe by proxying - he is still dead meat when seen in action. Logs will exist on the proxy servers to point right to him, the more the merrier.)
Re:What to do about this (Score:3, Interesting)
To get back on topic, I would bet a good percentage of people have multiple ebay accounts, much like they have multiple Hotmail
Re:What to do about this (Score:2)
What snipe software are you using? I use esnipe.com, but they charge "bidpoints" and that adds up on larger bid
Made for.... (Score:2)
I received a scam too: (Score:2)
Re:I received a scam too: (Score:2)
I humbly crave your indulgence [...]
Obviously this is for a UK bank, as Americans would have stopped reading at this point.
Something similar... (Score:5, Interesting)
Anyhow, I decided to do something about it. I hacked into the email account used to defraud me, and followed a chain of emails and accounts that eventually led me to a handful of personal accounts. Each time I gained access to a new email account, I'd peek at all the emails inside and warn off any people who were being targeted from that particular account. After a month and a half of monitoring personal email, I gathered real names, relations, addresses and even resumes on those people involved. The particular 'ring' of scammers that got me is a family and friends affair, with the eldest brother of the family attending university in London, UK. His brothers and cousins (who live in Nigeria) work the fake email accounts and collect 'clients'. Once they have a deal made and personal information collected, they forward this to the ring leader in London, who contacts his sources to produce fake checks. He also takes over the email account, giving out a UK mobile phone number (changes often) to 'clients' who ask for one.
The money is sent in the name of one-time accomplices. These are people that the ring leader recruits to pick up money at Western Union counters. Once the money is picked up, he gives them a portion then splits the rest between himself, the cheque source and the relative who originally manned the email account.
Long story short: I have all this information, and don't know exactly what to do with it. I've tried to contact the London Metropolitan police anonymously (via email), several times, and have not heard back. I'm not sure if I should go to my own federal authority because what I've done to gather the information is illegal.
This particular scam has people involved in the US, Canada, the UK and Nigeria. I'm located in Canada. Any advice?
Re:Something similar... (Score:2, Insightful)
Mitnick groupies might have a hissy fit for this suggestion, but John Markoff of the New York Times comes to mind as one possibility.
Re:Something similar... (Score:4, Insightful)
Re:TROLL ALERT (Score:3, Interesting)
Re:Something similar... (Score:3, Informative)
If it were in the states, you're fucked. Completely. And runaway and hide or something. Reason is, the law can't use the information because it was collected without due process (warrants and stuff).
You should have redeemed those cereal box tops for something other than a law degree. The police in the US can most certainly use the information. The restrictions on unlawful search apply only to the government. The police can't perform an illegal search, and they can't encourage a private citizen to per
Multiple Accounts, Multiple Cards? (Score:2, Insightful)
I don't really consider myself all that paranoid, but I'm not about to link the bank account that has all my savings up with Paypal. The account I linked up could be accurately described as my "spending money" account, which means that if I'm compromised, they aint getting much and I aint losing much. Since I can just walk across the street and deposit a check from my real account, I have no need to link a
Dear oh dear (Score:2)
WHAT? This email looks almost as untrustworthy as the original spam! Please forward the fraudulent email to an aol account? Are they serious?
This kind of infers that Citibank has ONE person dealing with this sort of thing, and that one person uses AOL. It would be funny if it wasn't so pathetic.
If I was a Citibank customer I'd be on
Re:Dear oh dear (Score:2)
Refuse to redirect - next browser option? (Score:2)
Complain To Citibank (Score:3, Informative)
Something is very wrong.
It seems like the citibank website is designed not to give out any email addresses but here's some addresses I've found.
I'd recommend sending a polite e-mailthe following details:
- A link to the sercurityfocus article http://www.securityfocus.com/infocus/1745
- State that there was an fraud attack on citibank that may have affected over 100,000 clients.
- State that it seems likely that citibank should be able to identify which clients were affected by checking their web logs.
- Most importantly state that there seems to be something very wrong with their e-mail fraud reporting page, which may itself be compromised, and as such could the person you are contacting forward your e-mail to the appropriate Information Security department.
Please note that these people are not in departments related to IT or web development, so just ask them to forward your email to the appropriate person. Trust me, if enough people complain about this it will get resolved.citibank@shareholders-online.com, shareholderrelations@citigroup.com, investorrelations@citi.com, fixedincomeir@citigroup.com, louis.f.fortunato@citigroup.com, evelyn.kenvin@citicorp.com, mary.cosgrove@citicorp.com, joseph.g.eicheldinger@citicorp.com, valerie.kuhl@citicorp.com, mamie.chinn-hechter@citicorp.com, geoffrey.h.siedor@travelers.com, johnsonl@citigroup.com, prettoc@citigroup.com, kevin.j.heine@citigroup.com
Mod down: -1 LIES. There is no such show. (Score:3, Interesting)
"I did post production on movie."
"I work for XYZ corporation, and we will have press release soon"
"I am a staff writer for XYZ journal, and in our new issue..."
No evidence, no content, just an empty, poorly worded promise for something to come that gets modded up without CHECKING. [discovery.com]
(hint, it's not on at 7 PDT or EDT, in fact, it's going to be all thanksgiving re-runs, all day)
Every moderator who modded this up should get SLAUGHTERED in M2 for such stupidity.
Jesus.
Re:Working phone number and one response from citi (Score:3, Informative)
That's an opinion article. (Score:3, Insightful)
Second, this statement is not entirely false. There are local root exploits for Linux. They're less important than the remote ones, but there are more of them. They get patched more quickly, but it is still strongly advised not to give random people shell accounts for this very reason.