Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Crime Security IT

Hackers Respond To Help Wanted Ads With Malware 113

itwbennett writes "The FBI issued a warning Wednesday about a new twist on a long-running computer fraud technique, known as Automated Clearing House fraud. With ACH fraud, criminals install malware on a small business' computer and use it to log into the company's online bank account. In this latest twist on the scam, the criminals are apparently looking for companies that are hiring online and then sending malicious software programs that are doctored to look like job applications. One unnamed company recently lost $150,000 in this way, according to the FBI's Internet Crime Complaint Center. 'The malware was embedded in an e-mail response to a job posting the business placed on an employment website,' the FBI said in a press release. The malware, a variant of the Bredolab Trojan, 'allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company.'"
This discussion has been archived. No new comments can be posted.

Hackers Respond To Help Wanted Ads With Malware

Comments Filter:
  • so HR will just open any file? or is a word macros?

    • Well, for some jobs, people do request code samples. I imagine an executable could be included in an application pretty easily and be uploaded by someone involved in the review process. This does not necessarily need to be an HR person (I can't imagine why it would be, for that matter).

      • Yeah. Something along the lines of "I've attached an application I wrote on my own time, as an example of my work. Try it and see how you like it."

      • by waddgodd ( 34934 )

        well, the IDG article calls it a Word document, so I'm assuming word macro or VBA script

      • people ask me for code samples all the time, they're called DOC and PDF files opened on unpatched systems

    • If we are talking "small business" 'HR' is likely the owner or one of his immediate subordinates checking his email in what is otherwise(from an IT setup) disturbingly like a home environment.

      Excepting, of course, small businesses that are in the business of being clueful about computers(IT consultancies and the like), it is eminently possible that 'HR' will in fact click on just about anything(and isn't patched against the latest flavors of Word macro).

      Having a dedicated IT guy who is worth having is
      • How small is small? (Score:4, Informative)

        by stomv ( 80392 ) on Thursday January 20, 2011 @01:21AM (#34936764) Homepage

        If we are talking "small business" 'HR' is likely the owner or one of his immediate subordinates checking his email in what is otherwise(from an IT setup) disturbingly like a home environment.

        A common mistake is to assume that in tUSA, "small business" means "mom and pop." In fact, the Small Business Association (SBA) defines a business as small based on number of employees, and though it depends on industry, it typically is 500 (source [sba.gov]).

        It's true that, by sheer quantity, most businesses are small. There's only 500 Fortune 500 companies, but a zillion hot dog stands. In terms of number of employees or revenue or profits or any other number of factors, many small businesses aren't so small after all.

      • Re: (Score:3, Interesting)

        by EETech1 ( 1179269 )

        My old boss moved back home and worked out a spiffy job doing govt contracts and he had 4 others working for him at the time, and I was considering being the 5th, so I went down to interview and work there for a week training his new people, and he told me proudly that he was the resident IT professional as well, and I warned him that he should be hiring someone to do that full time, he seemed offended.

        The next day, I introduced him to BackTrack and we decided to take some time and try to hack his network.

    • by 1u3hr ( 530656 )
      A lot of companies insist on a Word file. And you can put anything in a Word file.

      I often get people who send me a 1 MB email attachment that is just a paragraph of text wrapped up in the absurdly inflated Doc format.

      • True. I've sent nicely formatted PDF resumes with tasteful fonts, and still get pestered for .doc files that will look like crap because they won't have my fonts and they probably run a different version of Word than I authored with. Very frustrating.
        • by HJED ( 1304957 )
          You know you can embed fonts in word documents right?
        • I've sent nicely formatted PDF resumes with tasteful fonts, and still get pestered for .doc files that will look like crap because they won't have my fonts and they probably run a different version of Word than I authored with.

          Just send them a resume.doc.exe which will format c: their hard disk. They won't ask you for doc files again.

        • that's easy, convert to JPG and paste in to word

        • I wonder if there's some way to embed a PDF in a Word document? It seems like you can embed practically anything else, including malware...
      • by deniable ( 76198 )
        Our applications are handled externally. We get docx and pdf 'converted' to Word. (They change the file extensions) Our HR then brings us 'mystery files' to see if we can sort them out.
      • We were just hiring for a programming position at our office.

        The hiring announcement (job ad) specifically asked for the resume to be sent as a plain text file. Anyone that could not follow instructions and sent a Word document was immediately disqualified from consideration for the job. If you cannot follow the directions in the employment ad you are responding to, you probably aren't going to be detail oriented on the job, either.

        You would be amazed at what a large percentage of people sent Word doc
        • I bet we all know a programmer that cannot tell you how many bits are in a byte.

          I agree, most of them just confuse the byte with the octet and answer 8 instead of: it depends.

        • by roju ( 193642 )

          Why not accept PDFs? Every OS can produce them easily, and it's an open ISO standard. Reformatting a resume into plain text is annoying and is probably costing you good candidates.

    • Then again it could be something like "resume.doc.exe" but if they are still on the default settings of hide extensions for known filetypes it would look like "resume.doc".

      That is a default setting that needs to be changed. It's made it easy to sucker so many people over the years since Microsoft made this stupid mistake you'd think every IT in the world would automatically change it. I'd rather have a user ignoring information in front of them, then hiding it and letting the company get infected. (The firs
      • Why are companies still accepting word docs from unknown sources? Why are companies still requesting that jobs applicants sent word docs? Frankly, they had this coming...
      • by AmiMoJo ( 196126 )

        In Vista/7 this was fixed, what, four years ago?

        Any executable file downloaded via email or the web will require a UAC prompt just to run. Windows Live Mail and Outlook 2007 also have additional protection against double-extension files and executables. Also by default executables run at unprivileged user level and in most corporate settings the drones don't have the admin password.

        Yeah, XP is still vulnerable, but it is 9 years old now. How many software companies go back and add major new architecture fro

      • Here's [microsoft.com] the details about the bredolab trojan from Microsoft's Malware Protection Center. The file is an .exe and affects all versions Windows 95 and up. There must be some old cruft in Win7 if the same exploits it and 95.
    • by 0100010001010011 ( 652467 ) on Thursday January 20, 2011 @01:57AM (#34936884)

      Have you met anyone from HR?

      You could name it NotAVirus.jpg.zip.exe, send it to them with a "My Resume" subject and it'd almost guarantee being opened.

    • by Anonymous Coward

      FWIW, there have also been huge security holes in the dominant PDF reader, too -- some quite recently [adobe.com].

    • We had this happen, and yes, it was embedded in a Word document.

      However the (60 year old) HR woman immediately recognized that she'd been infected and called me. This happened about a second before I picked up my phone to call her regarding the torrent of virus warnings that had just started spamming my inbox.

      So, from anecdotal experience, it's just another virus file.

  • Is it really that hard? And if you don't know what .jpeg or .pdf or .virus is you should not be using a computer.
    If you don't know what a turn signal is they don't even let you take the test to get your drivers licence. hint hint When someone has a sensitive computer type job they should at least be competent to operate the machine. Any other job requires you to be able to competently operate your machine (or OSHA starts sticking their nose around writing tickets) why should not the guy operating the mach
    • BTW one place I worked had an old computer off the network and if a zip or other suspicious file was received by email etc. strait to floppy (yah I know late 90's) then to the "test" machine to see is it was a bomb. It was real easy to fix the test machine fdisk (slackware 3.6) reinstall win 98, good to go. Plus it taught us a lot about virus, trojan's etc. and gave us some good idea's, batch files for everyone haha. (A phoney website with a "quake2multiplayercheat.bat" "jediknightgodsabre.bat" with some in
    • by kwerle ( 39371 )

      Is it really that hard? And if you don't know what .jpeg or .pdf or .virus is you should not be using a computer.

      You're not kidding? You think it should be possible for a user to trivially install a virus/trojan on their computer? You're blaming the user? Really?

      If you don't know what a turn signal is they don't even let you take the test to get your drivers licence.

      You are kidding, right? Of course they do. You may fail (or you may not). Spend 10 minutes at an intersection and let me know what percentage of people who turn use their signal.

      When someone has a sensitive computer type job they should at least be competent to operate the machine. Any other job requires you to be able to competently operate your machine (or OSHA starts sticking their nose around writing tickets) why should not the guy operating the machine that handles other peoples (his boss) money have to prove their competency.
      I need all my applicable tickets/certification/first aid to do my job and I have to keep them up to date or I lose my job.

      You are blaming the user...
      I think I like my software to be more responsible/secure than my users. Reading email should be dead simple and safe. And using ACH should be really

      • Reading email should be dead simple and safe.

        Yes, it should. I can still remember when it was. But those times are long gone, and you have to check each and every email for viruses, trojans and malware (Oh my!) before opening it if you don't want something like this to happen. If that company had enough money in the bank that scammers could steal $150,000 from their account, they had enough money to afford good virus and malware protection. Granted, it might not protect them from a zero day exploit, b

        • "Reading email should be dead simple and safe.
            Yes, it should. I can still remember when it was."

          Yes, I do too. I don't need far memories. Maybe it's because I'm using Linux.

          • by yuna49 ( 905461 )

            Maybe it's because I'm using MailScanner [mailscanner.info] and ClamAV [clamav.net].

          • Maybe it's because I'm using Linux.

            So do I, as it happens. However, the average small business doesn't use Linux and isn't about to switch so I decided to point out a solution that would fit into what they're willing to do rather than waste time beating my head against that particular wall.

            • "the average small business doesn't use Linux and isn't about to switch so I decided to point out a solution that would fit into what they're willing to do rather than waste time beating my head against that particular wall."

              With regards these kind of problems I'm more than glad that they *do* waste their time beating their heads against the wall once and again: the more problems they have, the more checks I collect. It's up to them to make their business case about being so tightly tied to a single almost

        • by kwerle ( 39371 )

          Hosted on Gmail. Done.

      • I think I like my software to be more responsible/secure than my users. Reading email should be dead simple and safe.

        Attachments are just files, and the mail program cannot do much about them. If you open a file of unknown origin, then it doesn't matter if you got it by mail or downloaded it from some shady place of the internet.

        • by kwerle ( 39371 )

          If you use a decent email program/OS, it flags the file as being downloaded and possibly harmful. When you try to open it, it warns you - at least.

          If you use a hosted mail service, like gmail, then the file never gets downloaded *at all*.

          • If you use a decent email program/OS, it flags the file as being downloaded and possibly harmful. When you try to open it, it warns you - at least.

            Ah, yet another annoying warning message the user clicks away unread. And given that the computer cannot know if you know and trust whoever wrote that mail, it would likely give at least 90% "false positives".

            If you use a hosted mail service, like gmail, then the file never gets downloaded *at all*.

            You mean, at gmail there's no way to get at attachments of mails?

            • by kwerle ( 39371 )

              Ah, yet another annoying warning message the user clicks away unread.

              I guess you're referring to the Windows model, where I hear there are an awful lot of warnings. I don't face that issue, so I believe it is possible to have a reasonable number of warnings.

              And given that the computer cannot know if you know and trust whoever wrote that mail, it would likely give at least 90% "false positives".

              I disagree on 2 points:
              1. That "the computer can't know if you know and trust the source." Certainly it can get some idea.
              2. That downloading *anything* from email is a reasonable thing to do. Certainly downloading a *program* from email is virtually never a good idea and should be impossible for the casual user.

              You mean, at gmail there's no way to get at attachments of mails? Somehow I cannot believe that.

              Of c

      • You're blaming the user? Really?

        I don't see why blaming the user is automatically negative. If I write some C code with a null pointer bug, is it my fault or Dennis Ritchie's for designing the language to include pointers? I'd say it's mine, and that I'd be a "user" of the C programming language. In this case I think blaming me, the user, is entirely justified. Then again, responsibility is not always clear-cut. If you let a little kid play with a loaded gun, it's your fault if something happens, not the gun's user or even designer.

        IMO,

        • by kwerle ( 39371 )

          I don't see why blaming the user is automatically negative. If I write some C code with a null pointer bug, is it my fault or Dennis Ritchie's for designing the language to include pointers? I'd say it's mine, and that I'd be a "user" of the C programming language. In this case I think blaming me, the user, is entirely justified. Then again, responsibility is not always clear-cut. If you let a little kid play with a loaded gun, it's your fault if something happens, not the gun's user or even designer.

          C *is* a loaded gun. Anyone who can manage to use a compiler *should* know that. Not that they do...

          IMO, if a user runs random executable email attachments, it's they're own fault. Nowadays on Windows they usually have to click past some warning telling them it might not be a good idea, too.

          Sure - running an executable you downloaded in email should be nearly impossible. Downloading a virus should also be very difficult. Installing a keylogger (or whatever they installed) should be nearly impossible. As technical folks, we all know how easy this stuff is - but as sympathetic users we should all appreciate that it should be made to be very very difficult. After all, when is the last time yo

          • If you let a little kid play with a loaded gun, it's your fault if something happens, not the gun's user or even designer.

            C *is* a loaded gun. Anyone who can manage to use a compiler *should* know that. Not that they do...

            I'm sorry, I don't get how your use of my analogy fits. There doesn't seem to be a supervisory "parent" figure to blame when the C programmer generates a pointer bug. I certainly agree C is a metaphorical loaded gun, I just don't see that statement's relevance.

            After all, when is the last time you received an executable via email that was not harmful? What about your mom? What about your grandmom? Why is it even possible for those folks to install this stuff?

            I have to send and receive executables via email relatively frequently, though my grandma certainly doesn't. IIRC Outlook won't even let you run them, which is probably a good idea.

            When a user infects their computer with an email attachment, who pays

        • by roju ( 193642 )

          The mail app or OS could run downloaded apps in a sandbox and as a less privileged user. At least that would minimize the damage that could be done, modulo priv-escalation and bugs in the sandboxing code... Might make things a little less bad.

      • by Tim C ( 15259 )

        You think it should be possible for a user to trivially install a virus/trojan on their computer? You're blaming the user? Really?

        Yes, yes I am. There is absolutely nothing the OS can do to prevent a user with administrative access from installing and running software of their choice. It can warn them, it can prompt to see if they're sure, it can require the admin password, but ultimately it can't prevent them without forcing them to log out and in as a different user, or reboot into a special maintenance m

        • by kwerle ( 39371 )

          ...Yes, yes I am. There is absolutely nothing the OS can do to prevent a user with administrative access from installing and running software of their choice...

          In the context of reading email, I call B.S.

          If all email clients disallowed the downloading of any attachments, this world would be a better place. You and I would have to jump through a hoop or 2 to do the things we do, but the 99.99% of the population that only uses that feature of email programs to install trojans/viruses would appreciate it.

          Taking a step up, if all attachments went into a sandbox that was essentially a jail, then this wouldn't be an issue. You can see how that would work.

          This is a te

      • You're blaming the user? Really?

        Blaming the user for being an idiot, not blaming the user for wiping out their hard drive. There's a difference.

      • by ergean ( 582285 )

        Exactly - here, in Romania, if you want to make a transaction you need to input 2 separate codes from a token - once to log in (you are logged out if you don't use the application/webpage/whatever for a few minutes depending on the bank) and once to approve the transaction.

        The new tokens from my bank are a pain in the ass - you need a token/a card/the sum you want to transfer and a pin just to make the transaction, the old token was simpler - you needed only the token and the pin.

    • Comment removed based on user account deletion
      • I'm not asking anyone to program with VB *yuck* but basic knowledge of file names is not that difficult.
        Stupid analogy You don't need to hire a carpenter to build your deck but you should know what the damn on/off switch is on your circular saw so you don't cut your fingers off.
        • What does programming with VB have to do with anything? VB.NET is pretty respectable nowadays, IMO--at least, C# is, and they're virtually equivalent modulo syntax.

          I tend to agree with you that it's the user's own fault if they didn't figure out file extensions and ran random email attachments. But, your wording hurts our case.
          • What does programming with VB have to do with anything?

            VB specifically? Nothing, but programming in general is complex compared to knowing what file extensions mean. The average Joe, if using a computer in their day job, should understand file extensions but probably doesn't need to understand more advanced computer skills such as programming (in VB or any other language).

      • No, companies that want to stay in business should not use Widows for anything involving money and/or security. If they dont know this, they should not be using computers at all.

        Opening files of any kind on a computer that hides the file type extension is like putting your hand in a black bag in a remote village in a country where you don't speak the language. Sure there might be a toffee apple in side, but it MIGHT be a ferret or worse. If you don't know what a ferret is, dont put your hand in a bag that

        • by Anonymous Coward
          Warning this software is beta and may eat your hamster.
    • by Z00L00K ( 682162 )

      Since Microsoft in all their wisdom has decided to hide the extensions of the files on our computers these days people haven't got a clue about what they are opening until it is too late.

      However - if the online banks only has a username/password credential for their access then the banks needs to be responsible for any costs that the users suffers. A method of signing transactions using at least a smart card with PIN code should be used, but since the smart card interfacing can be hacked an external mean of

  • by AK Marc ( 707885 ) on Thursday January 20, 2011 @01:19AM (#34936754)
    I'm confused. If I walk up to a bank, write a with withdrawal in someone else's name, then hold up the bank ordering them to honor that withdrawal slip, did I steal from the bank, or from the person who's name I forged on the withdrawal slip?

    Identity theft and "unauthorized access" and taking the money from an account holder is as absurd as a bank getting robbed and taking it from the last deposits made to the bank and not from their general coffers. It was never done that way before, so why is it done that way now?
    • Because the bank's have more money than you.
    • Identity theft and "unauthorized access" and taking the money from an account holder is as absurd as a bank getting robbed and taking it from the last deposits made to the bank and not from their general coffers. It was never done that way before, so why is it done that way now?

      Why does mere credentials allow large money transfers?

      I thought everyone was using hardware ID by now.
      http://en.wikipedia.org/wiki/Security_token [wikipedia.org]

      I know such tokens can still be improved, and it will improve. And sure is a lot more secure than just a password.

      • by Spectre ( 1685 )

        This is probably why they are focusing on "small businesses".

        Large companies know better and have IT departments that can at least document a need for multi-factor authentication (although there isn't a guarantee that they have enough clout to force the issue).

        Small companies get by on whatever the last consultant gave them and usually ignore any advice to spend money on something they would need to physically carry around.

    • by AmiMoJo ( 196126 )

      Under UK law the bank is liable. The customer is only ever responsible for loss if the bank can prove that they did something negligent to cause it. Even if you PC got infected with a virus that stole your credentials as long as you had anti-virus software and didn't do anything monumentally stupid the bank takes the hit. You took reasonably precautions which is all the law requires.

      Banks tried to get out of their liability by claiming that the Chip & PIN system on bank cards was infallible so any fraud

    • by Spyder ( 15137 )

      Based on the fact that HR has access to company accounts, the businesses targeted/affected are probably 1 person does all the management functions. Most banks I've seen use the same authentication for small businesses as personal accounts. If they have a PIN/keypad or a rotating authentication question, then a straight credential capture isn't easy. Unfortunately, while those measures are common, they aren't universal. This might also be a cross site request forgery (XSRF) attack, which would be prevented o

  • Errm, nobody seems to have noticed the headline of this story..

    "Hackers Respond To Help Wanted Ads With Malware" ..

    FFS Slashdot, these are not Hackers they are Criminals.

    • FFS Slashdot, these are not Hackers they are Criminals.

      How can you be sure they are not hackers? Being a hacker and being a criminal are not mutually exclusive.

      • Re: (Score:1, Insightful)

        This is true.. But look at this headline:

        BLACK MEN RAPE YOUNG GIRLS

        Now, it may be true that they are black. Its also likely that other people who were not black were also involved, but bringing out one attribute such as ethnicity or a technical aptitude really does not describe the whole situation. What the headline should be is:

        CRIMINAL HACKERS...
        or
        BLACK RAPISTS....

        Which, instead of attributing *ALL* hackers or *ALL* black men to a certain criminal activity, makes the distinction that not all people with t

        • In either case, there is no reason to even mention "hacker" or "black".

          Headline should simply say "Criminals Respond...."

  • The warning issued by the Internet Crime Complaint Center [ic3.gov], which has some sort of hard to describe relationship with the FBI, is completely useless to any small business that would be susceptible to this attack. The only thing that they could get from the warning is to use virus scanner for all attachments to emails. No additional information that a small business might find useful is conveyed. Further, virus scanners are a) never going to catch the newest Trojans or other malicious software, and b) unlikel
  • by Bourdain ( 683477 ) on Thursday January 20, 2011 @04:32AM (#34937466)
    I'm a CPA and work in corporate accounting.

    (1) From this experience, I've observed that some of the better banks force the end user to enter numbers from security tokens not only to log in, but a new number to authorize each and every transaction (potentially limited by transaction size if desired). Further, transactions over a certain threshold may require two different individuals to log in to approve.

    (2) I'm not a web designer or a real programmer, but does this setup still yield a possible attack? I could foresee a situation where all of this data is intercepted, but most of these security tokens are time sensitive and the end-user would notice delays on the website in use with interception. That said, if an attacker were essentially acting as a proxy for the bank site and just rekeying/scripting information from the bank user, the attacker could insert their own bank accounts in for a wire or ACH transaction. Does this described situation ever happen?
    • as an addendum and really a suggestion to banks out there if this doesn't exist, but should... perhaps (granted this would be potentially a bit tedious) -- for transactions exceeding a certain size, a special security token would be ideal where:
      (1) the user enters the the wire/ach data on the token itself (amount, account number, transit number)
      (2) the resulting number generated would both authenticate the user for the transaction and also authenticate the amount (i.e. the amount entered on the keypad wo
      • granted this would be potentially a bit tedious

        You can say that again. That would be impossible from a use standpoint. Many small businesses issue dozens or even hundreds of payments on a weekly basis (not even including payroll!). Asking payment authorizers (typically exec-level employees) to manually key in that information is ridiculous. Plus you're going to have typos that result in incorrect authentication numbers, etc. So what happens? You return a result of "authentication not valid" and they h

        • dude -- as I suggested -- this would just be for large amounts

          not unlike having checks over a certain threshold signed by two people instead of just one

          I don't think the "small" businesses referenced in this article have so many 150k wires/ach's going out all the time
          • I don't think the "small" businesses referenced in this article have so many 150k wires/ach's going out all the time

            So how would your plan defend against regular small payments that add up to $150k if the authorizers are not checking supporting documents for every transaction?

            Authenticating each large-value transaction by the means you suggest is just redundant. Why not handle it how most companies already handle it? That is: limits on the approving authority of each person, multiple authorizers needed o

            • So how would your plan defend against regular small payments that add up to $150k if the authorizers are not checking supporting documents for every transaction?

              It doesn't. It's presumed an attacker is less likely to be interested in wasting his time making many small transactions. Further, any decent bank should recognize repetitive transactions occurring in a short period of time (or, if over a longer period, it should be caught by reconciling cash). Keep in mind, my plan is not about mistake or fraud

              • It's presumed an attacker is less likely to be interested in wasting his time making many small transactions.

                Why would one presume that? Many small transactions are much more likely to evade detection. I don't have numbers, but I'd be very surprised if the majority of fraud was perpetrated via multiple small transactions.

                Session auth in and of itself is not considered good enough for the business banking systems of at least Citibank for one company I've worked with.

                I bank with Citi extensively, on two of

    • Yes this does happen, they dont even need to install a trojan on your computer they do it with phishing pages which have a jabber instant messenger client which instantly relays the OTP (one time password) to a server which does an immediate backconnect to the bank etc and logs in. The other way they are bypassing these devices is through a trojan on the computer and they hijack the browser, MITB man in the browser. The OTP security token method is pretty much useless actually not really protecting agains
  • All job applications and CVs should be in plain text. Problem solved. :)

    (And yes, I've seen online application processes which will not accept text or even RTF files, demanding that any submission must end in DOC or PDF. Stupid, stupid, stupid...)

  • This is exactly why any company with access to financials of any sort should follow the Sarbanes Oxley rule of Segregation of Duties [sarbanesoxleyfocus.com]. The rule was originally intended to keep people from having many levels of access...for example: A bookkeeper shouldn't have enough levels of permission to write themselves a check, then delete the transaction in another part of the system. One person with access to multiple facets within the company is a single point of possible security failure both internally and externall
  • Is this the state of Cyber Security in the twenty first century?

    The Zeus botnet only targets Windows machines [wikipedia.org]

    "There are a few things consumers and small businesses can do if they're unsure about e-mail attachments. The safest is to delete the attachment and write back to the sender asking for a plain text version. Alternatively, they can open the document in Google's Gmail to see if it appears legitimate" link [itworld.com]

    • by Skapare ( 16644 )

      When are they going to learn? But the big question is: which they? The users? Or the software makers?

Keep up the good work! But please don't ask me to help.

Working...