
Hackers Respond To Help Wanted Ads With Malware

samzenpus posted more than 3 years ago | from the hire-this dept.

Crime 113

itwbennett writes "The FBI issued a warning Wednesday about a new twist on a long-running computer fraud technique, known as Automated Clearing House fraud. With ACH fraud, criminals install malware on a small business' computer and use it to log into the company's online bank account. In this latest twist on the scam, the criminals are apparently looking for companies that are hiring online and then sending malicious software programs that are doctored to look like job applications. One unnamed company recently lost $150,000 in this way, according to the FBI's Internet Crime Complaint Center. 'The malware was embedded in an e-mail response to a job posting the business placed on an employment website,' the FBI said in a press release. The malware, a variant of the Bredolab Trojan, 'allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company.'"


113 comments

so HR will just open any file? or is a word macros (1)

Joe The Dragon (967727) | more than 3 years ago | (#34936644)

so HR will just open any file? or is a word macros?

Re:so HR will just open any file? or is a word mac (2)

techsoldaten (309296) | more than 3 years ago | (#34936656)

Well, for some jobs, people do request code samples. I imagine an executable could be included in an application pretty easily and be uploaded by someone involved in the review process. This does not necessarily need to be an HR person (I can't imagine why it would be, for that matter).

Re:so HR will just open any file? or is a word mac (1)

davester666 (731373) | more than 3 years ago | (#34936874)

Yeah. Something along the lines of "I've attached an application I wrote on my own time, as an example of my work. Try it and see how you like it."

Re:so HR will just open any file? or is a word mac (2)

waddgodd (34934) | more than 3 years ago | (#34936916)

well, the IDG article calls it a Word document, so I'm assuming word macro or VBA script

Re:so HR will just open any file? or is a word mac (1)

fulldecent (598482) | more than 3 years ago | (#34938720)

people ask me for code samples all the time, they're called DOC and PDF files opened on unpatched systems

Re:so HR will just open any file? or is a word mac (0)

Anonymous Coward | more than 3 years ago | (#34942176)

Why make a bloated file? Coding is 100% textual. A .txt file will do fine, not a god-forsaken PDF file. And if it's a .doc, so help me god if it's one of those newer .doc formats that absolutely nothing will read except the absolute newest version of word, I would hunt you down.

Or just delete your email and write you off as a potential employee, one of the two.

Re:so HR will just open any file? or is a word mac (0)

Anonymous Coward | more than 3 years ago | (#34936666)

TFA says it's a .zipped executable. This should be auto-blocked by a properly configured email server.

semi off topic how safe are the on line applicatio (2)

Joe The Dragon (967727) | more than 3 years ago | (#34936716)

on a semi off topic how safe are the on line applications systems? resume bots? some on line applications systems can read your resume and auto fill data.

Some places want PDF resumes and PDF can have lots of executable code in them.

Re:semi off topic how safe are the on line applica (1)

Anonymous Coward | more than 3 years ago | (#34940842)

I just hope this is not something that will trigger companies to hire "taleo" like websites to manage their online applications. Taleo is one of the examples of how to properly discourage people from applying to a company!

Re:so HR will just open any file? or is a word mac (0)

Anonymous Coward | more than 3 years ago | (#34936852)

Which sounds good until you go to work in the real world and need to email test programs back and forth.

Re:so HR will just open any file? or is a word mac (1)

Macthorpe (960048) | more than 3 years ago | (#34936862)

Which sounds good until you go to work in the real world and need to email test programs back and forth.

That's why, here in the real world, we implement a little thing called "whitelisting".

Re:so HR will just open any file? or is a word mac (2)

KiloByte (825081) | more than 3 years ago | (#34937496)

Or, you realize that e-mail was never designed to lug large binary files around and pass the test programs over http.

Re:so HR will just open any file? or is a word mac (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34936684)

If we are talking "small business" 'HR' is likely the owner or one of his immediate subordinates checking his email in what is otherwise (from an IT setup) disturbingly like a home environment.

Excepting, of course, small businesses that are in the business of being clueful about computers (IT consultancies and the like), it is eminently possible that 'HR' will in fact click on just about anything (and isn't patched against the latest flavors of Word macro).

Having a dedicated IT guy who is worth having is reasonably serious money by small business standards. Even calling in a consultant when you don't think that you absolutely need it will sting a bit. "Small business" IT is often disturbingly close to consumer grade, with all the horrors that that generally entails.

You don't generally see a dedicated IT guy skulking around and pissing people off for their own good with updates and AV and firewalls and such until you hit the small side of medium...

How small is small? (3, Informative)

stomv (80392) | more than 3 years ago | (#34936764)

If we are talking "small business" 'HR' is likely the owner or one of his immediate subordinates checking his email in what is otherwise (from an IT setup) disturbingly like a home environment.

A common mistake is to assume that in tUSA, "small business" means "mom and pop." In fact, the Small Business Association (SBA) defines a business as small based on number of employees, and though it depends on industry, it typically is 500 (source [sba.gov]).

It's true that, by sheer quantity, most businesses are small. There's only 500 Fortune 500 companies, but a zillion hot dog stands. In terms of number of employees or revenue or profits or any other number of factors, many small businesses aren't so small after all.

Re:so HR will just open any file? or is a word mac (3, Interesting)

EETech1 (1179269) | more than 3 years ago | (#34936832)

My old boss moved back home and worked out a spiffy job doing govt contracts and he had 4 others working for him at the time, and I was considering being the 5th, so I went down to interview and work there for a week training his new people, and he told me proudly that he was the resident IT professional as well, and I warned him that he should be hiring someone to do that full time, he seemed offended.

The next day, I introduced him to BackTrack and we decided to take some time and try to hack his network. Needless to say we were in his WEP secured network within 5 minutes, and within 15 minutes more we were happily browsing files on the Drobo connected to his laptop in his office!

I then went back to my hotel around the corner, and was easily able to see his network traffic from the hotel network, and grab his emails and other communications with wireshark!

I didn't take the job, so the IT guy was employee #5, and he spent weeks removing all the crap he found!

Cheers!

Re:so HR will just open any file? or is a word mac (1)

1u3hr (530656) | more than 3 years ago | (#34936732)

A lot of companies insist on a Word file. And you can put anything in a Word file.

I often get people who send me a 1 MB email attachment that is just a paragraph of text wrapped up in the absurdly inflated Doc format.

Re:so HR will just open any file? or is a word mac (2)

ChristTrekker (91442) | more than 3 years ago | (#34936836)

True. I've sent nicely formatted PDF resumes with tasteful fonts, and still get pestered for .doc files that will look like crap because they won't have my fonts and they probably run a different version of Word than I authored with. Very frustrating.

Re:so HR will just open any file? or is a word mac (-1)

Anonymous Coward | more than 3 years ago | (#34937084)

True. I've sent nicely formatted PDF resumes with tasteful fonts, and still get pestered for .doc files that will look like crap because they won't have my fonts and they probably run a different version of Word than I authored with. Very frustrating.

Simple answer to why some companies want to have word docs. Then they can edit your resume when they fire you!
This is a very important feature in MS office! and why they hate PDF format with time stamp!

Re:so HR will just open any file? or is a word mac (1)

HJED (1304957) | more than 3 years ago | (#34937190)

You know you can embed fonts in word documents right?

Re:so HR will just open any file? or is a word mac (1)

ArsenneLupin (766289) | more than 3 years ago | (#34938248)

I've sent nicely formatted PDF resumes with tasteful fonts, and still get pestered for .doc files that will look like crap because they won't have my fonts and they probably run a different version of Word than I authored with.

Just send them a resume.doc.exe which will format c: their hard disk. They won't ask you for doc files again.

Re:so HR will just open any file? or is a word mac (1)

fulldecent (598482) | more than 3 years ago | (#34938730)

that's easy, convert to JPG and paste in to word

Re:so HR will just open any file? or is a word mac (2)

operagost (62405) | more than 3 years ago | (#34939980)

JPG? Pfft. Use an animated GIF so they don't even have to flip the pages!

Re:so HR will just open any file? or is a word mac (0)

Anonymous Coward | more than 3 years ago | (#34939480)

True. I've sent nicely formatted PDF resumes with tasteful fonts, and still get pestered for .doc files that will look like crap because they won't have my fonts and they probably run a different version of Word than I authored with. Very frustrating.

I like good typography as much as (almost) anyone, but unless you're applying for a position as a designer, does it really matter what fonts your resume uses or, frankly, what it looks like at all? As long as it's legible....

Re:so HR will just open any file? or is a word mac (1)

Monsieur_F (531564) | more than 3 years ago | (#34940854)

Right! I always send my resumé in .txt format. I am just wondering why nobody ever hires me...

Re:so HR will just open any file? or is a word mac (1)

metamatic (202216) | more than 3 years ago | (#34939810)

I wonder if there's some way to embed a PDF in a Word document? It seems like you can embed practically anything else, including malware...

Re:so HR will just open any file? or is a word mac (2)

deniable (76198) | more than 3 years ago | (#34936882)

Our applications are handled externally. We get docx and pdf 'converted' to Word. (They change the file extensions) Our HR then brings us 'mystery files' to see if we can sort them out.

Re:so HR will just open any file? or is a word mac (1)

overlordofmu (1422163) | more than 3 years ago | (#34939550)

We were just hiring for a programming position at our office.

The hiring announcement (job ad) specifically asked for the resume to be sent as a plain text file. Anyone that could not follow instructions and sent a Word document was immediately disqualified from consideration for the job. If you cannot follow the directions in the employment ad you are responding to, you probably aren't going to be detail oriented on the job, either.

You would be amazed at what a large percentage of people sent Word documents. I can only guess that is because some of them truly believed that a Word doc is "plain text". Now, I would have more sympathy if it were encoded in UTF-16, UTF-32 or ISO-8859 and not ASCII but thinking Word is plain text? FUCK ME! I bet we all know programmers out there that don't know what binary, hexadecimal, octal or ASCII are. I bet we all know a programmer that cannot tell you how many bits are in a byte. What happened to programmers knowing their fundamentals?

Re:so HR will just open any file? or is a word mac (2)

Monsieur_F (531564) | more than 3 years ago | (#34940904)

I bet we all know a programmer that cannot tell you how many bits are in a byte.

I agree, most of them just confuse the byte with the octet and answer 8 instead of: it depends.

maybe - (2)

meerling (1487879) | more than 3 years ago | (#34936758)

Then again it could be something like "resume.doc.exe" but if they are still on the default settings of hide extensions for known filetypes it would look like "resume.doc".

That is a default setting that needs to be changed. It's made it easy to sucker so many people over the years since Microsoft made this stupid mistake you'd think every IT in the world would automatically change it. I'd rather have a user ignoring information in front of them, than hiding it and letting the company get infected. (The first is the user's fault, the second might get blamed on IT.)

There are more complicated ways using special files that exploit bugs and things, but those are a lot harder to pull off, and since I didn't see a mention in the articles saying what the file actually was, I'd check the easier and more common thing first. (It did mention that users thought it looked like a word doc, but that just tells us what the user thought, not what was actually going on.)
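The two filtering ideas raised in this thread (blocking zipped executables at the mail server, and the "resume.doc.exe" name that hidden extensions display as "resume.doc"), sketched as an added Python example that is not part of any post or of the FBI advisory. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
"""Attachment policy check: flag executables and double extensions, also inside zips."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, non-exhaustive policy lists for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".doc", ".docx", ".pdf", ".txt", ".rtf", ".jpg"}


def _basename(name):
    """Last path component, accepting both / and \\ as separators."""
    return name.replace("\\", "/").rsplit("/", 1)[-1]


def displayed_name(filename):
    """Simplified model of a file manager that hides the final extension."""
    base = _basename(filename)
    stem, dot, _ext = base.rpartition(".")
    return stem if dot and stem else base


def classify_name(filename):
    """Return policy findings for one file name (empty list means no finding)."""
    parts = _basename(filename).lower().split(".")
    exts = ["." + p for p in parts[1:]]
    findings = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append("executable")
        # A document-looking extension before the real one is the disguise.
        if any(e in DECOY_EXTS for e in exts[:-1]):
            findings.append("double-extension")
    return findings


def scan_zip(data, prefix):
    """Classify every member name of a zip archive held in memory."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings = classify_name(info.filename)
            if info.flag_bits & 0x1:  # bit 0 set: member is encrypted
                findings.append("encrypted")
            if info.filename.lower().endswith(".zip"):
                findings.append("nested-archive")
            if findings:
                report[f"{prefix}/{info.filename}"] = findings
    return report


def scan_message(raw):
    """Map each flagged attachment (or zip member) to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings = classify_name(name)
        if findings:
            report[name] = findings
        payload = part.get_payload(decode=True) or b""
        # Sniff the content instead of trusting the attachment's extension.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            report.update(scan_zip(payload, name))
    return report


def build_sample_message():
    """Constructed sample: a job-application mail with a zip and a PDF attached."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.doc.exe", b"constructed placeholder bytes, not a program")
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"
    msg["To"] = "jobs@example.com"
    msg["Subject"] = "My Resume"
    msg.set_content("Please find my application attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="resume.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="cv.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, findings in scan_message(build_sample_message()).items():
        print(f"BLOCK {path}: {', '.join(findings)} "
              f"(shown to the user as {displayed_name(path)!r})")
```
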

Re:maybe - (1)

ArsenneLupin (766289) | more than 3 years ago | (#34937570)

Why are companies still accepting word docs from unknown sources? Why are companies still requesting that job applicants send word docs? Frankly, they had this coming...

Re:maybe - (1)

AmiMoJo (196126) | more than 3 years ago | (#34937792)

In Vista/7 this was fixed, what, four years ago?

Any executable file downloaded via email or the web will require a UAC prompt just to run. Windows Live Mail and Outlook 2007 also have additional protection against double-extension files and executables. Also by default executables run at unprivileged user level and in most corporate settings the drones don't have the admin password.

Yeah, XP is still vulnerable, but it is 9 years old now. How many software companies go back and add major new architecture from current software to their decade old products?

Re:maybe - (1)

lordDallan (685707) | more than 3 years ago | (#34941424)

Here's [microsoft.com] the details about the bredolab trojan from Microsoft's Malware Protection Center. The file is an .exe and affects all versions Windows 95 and up. There must be some old cruft in Win7 if the same exploits it and 95.

Re:so HR will just open any file? or is a word mac (3, Funny)

0100010001010011 (652467) | more than 3 years ago | (#34936884)

Have you met anyone from HR?

You could name it NotAVirus.jpg.zip.exe, send it to them with a "My Resume" subject and it'd almost guarantee being opened.

Re:so HR will just open any file? or is a word mac (1)

Anonymous Coward | more than 3 years ago | (#34939780)

FWIW, there have also been huge security holes in the dominant PDF reader, too -- some quite recently [adobe.com].

Re:so HR will just open any file? or is a word mac (2)

SatanicPuppy (611928) | more than 3 years ago | (#34939834)

We had this happen, and yes, it was embedded in a Word document.

However the (60 year old) HR woman immediately recognized that she'd been infected and called me. This happened about a second before I picked up my phone to call her regarding the torrent of virus warnings that had just started spamming my inbox.

So, from anecdotal experience, it's just another virus file.

Read the little ".whatever" (1, Flamebait)

SquirrelDeth (1972694) | more than 3 years ago | (#34936668)

Is it really that hard? And if you don't know what .jpeg or .pdf or .virus is you should not be using a computer.
If you don't know what a turn signal is they don't even let you take the test to get your drivers licence. hint hint When someone has a sensitive computer type job they should at least be competent to operate the machine. Any other job requires you to be able to competently operate your machine (or OSHA starts sticking their nose around writing tickets) why should not the guy operating the machine that handles other people's (his boss) money have to prove their competency.
I need all my applicable tickets/certification/first aid to do my job and I have to keep them up to date or I lose my job.

Re:Read the little ".whatever" (1)

SquirrelDeth (1972694) | more than 3 years ago | (#34936744)

BTW one place I worked had an old computer off the network and if a zip or other suspicious file was received by email etc. straight to floppy (yah I know late 90's) then to the "test" machine to see if it was a bomb. It was real easy to fix the test machine fdisk (slackware 3.6) reinstall win 98, good to go. Plus it taught us a lot about virus, trojans etc. and gave us some good ideas, batch files for everyone haha. (A phoney website with a "quake2multiplayercheat.bat" "jediknightgodsabre.bat" with some interesting tasks) Ahh the good old days when my greatest desire was an Asus socket 7 and a Pentium 200MMX.

Re:Read the little ".whatever" (2)

kwerle (39371) | more than 3 years ago | (#34936774)

Is it really that hard? And if you don't know what .jpeg or .pdf or .virus is you should not be using a computer.

You're not kidding? You think it should be possible for a user to trivially install a virus/trojan on their computer? You're blaming the user? Really?

If you don't know what a turn signal is they don't even let you take the test to get your drivers licence.

You are kidding, right? Of course they do. You may fail (or you may not). Spend 10 minutes at an intersection and let me know what percentage of people who turn use their signal.

When someone has a sensitive computer type job they should at least be competent to operate the machine. Any other job requires you to be able to competently operate your machine (or OSHA starts sticking their nose around writing tickets) why should not the guy operating the machine that handles other people's (his boss) money have to prove their competency.
I need all my applicable tickets/certification/first aid to do my job and I have to keep them up to date or I lose my job.

You are blaming the user...
I think I like my software to be more responsible/secure than my users. Reading email should be dead simple and safe. And using ACH should be really secure and well audited. While I think that making the email/OS supplier in this case responsible for the losses is going too far, I would certainly tend to place more of the blame with them than with the user. And any bank account that can move $150K around should probably be able to catch this sort of thing earlier - and they should probably require a second form of authentication (keycode fob, etc).

Re:Read the little ".whatever" (1)

techno-vampire (666512) | more than 3 years ago | (#34937046)

Reading email should be dead simple and safe.

Yes, it should. I can still remember when it was. But those times are long gone, and you have to check each and every email for viruses, trojans and malware (Oh my!) before opening it if you don't want something like this to happen. If that company had enough money in the bank that scammers could steal $150,000 from their account, they had enough money to afford good virus and malware protection. Granted, it might not protect them from a zero day exploit, but that's not what happened here. They were stung by something that not only could have been prevented, it should have been. If that company had been practicing safe hex, this never would have happened.

Re:Read the little ".whatever" (1)

turbidostato (878842) | more than 3 years ago | (#34937442)

"Reading email should be dead simple and safe.
  Yes, it should. I can still remember when it was."

Yes, I do too. I don't need far memories. Maybe it's because I'm using Linux.

Re:Read the little ".whatever" (1)

techno-vampire (666512) | more than 3 years ago | (#34942242)

Maybe it's because I'm using Linux.

So do I, as it happens. However, the average small business doesn't use Linux and isn't about to switch so I decided to point out a solution that would fit into what they're willing to do rather than waste time beating my head against that particular wall.

Re:Read the little ".whatever" (1)

maxwell demon (590494) | more than 3 years ago | (#34937108)

I think I like my software to be more responsible/secure than my users. Reading email should be dead simple and safe.

Attachments are just files, and the mail program cannot do much about them. If you open a file of unknown origin, then it doesn't matter if you got it by mail or downloaded it from some shady place of the internet.

Re:Read the little ".whatever" (1)

kwerle (39371) | more than 3 years ago | (#34940740)

If you use a decent email program/OS, it flags the file as being downloaded and possibly harmful. When you try to open it, it warns you - at least.

If you use a hosted mail service, like gmail, then the file never gets downloaded *at all*.

Re:Read the little ".whatever" (1)

FrootLoops (1817694) | more than 3 years ago | (#34937122)

You're blaming the user? Really?

I don't see why blaming the user is automatically negative. If I write some C code with a null pointer bug, is it my fault or Dennis Ritchie's for designing the language to include pointers? I'd say it's mine, and that I'd be a "user" of the C programming language. In this case I think blaming me, the user, is entirely justified. Then again, responsibility is not always clear-cut. If you let a little kid play with a loaded gun, it's your fault if something happens, not the gun's user or even designer.

IMO, if a user runs random executable email attachments, it's their own fault. Nowadays on Windows they usually have to click past some warning telling them it might not be a good idea, too.

Re:Read the little ".whatever" (2)

kwerle (39371) | more than 3 years ago | (#34940858)

I don't see why blaming the user is automatically negative. If I write some C code with a null pointer bug, is it my fault or Dennis Ritchie's for designing the language to include pointers? I'd say it's mine, and that I'd be a "user" of the C programming language. In this case I think blaming me, the user, is entirely justified. Then again, responsibility is not always clear-cut. If you let a little kid play with a loaded gun, it's your fault if something happens, not the gun's user or even designer.
 

C *is* a loaded gun. Anyone who can manage to use a compiler *should* know that. Not that they do...

IMO, if a user runs random executable email attachments, it's their own fault. Nowadays on Windows they usually have to click past some warning telling them it might not be a good idea, too.

Sure - running an executable you downloaded in email should be nearly impossible. Downloading a virus should also be very difficult. Installing a keylogger (or whatever they installed) should be nearly impossible. As technical folks, we all know how easy this stuff is - but as sympathetic users we should all appreciate that it should be made to be very very difficult. After all, when is the last time you received an executable via email that was not harmful? What about your mom? What about your grandmom? Why is it even possible for those folks to install this stuff?

Re:Read the little ".whatever" (1)

Tim C (15259) | more than 3 years ago | (#34938388)

You think it should be possible for a user to trivially install a virus/trojan on their computer? You're blaming the user? Really?

Yes, yes I am. There is absolutely nothing the OS can do to prevent a user with administrative access from installing and running software of their choice. It can warn them, it can prompt to see if they're sure, it can require the admin password, but ultimately it can't prevent them without forcing them to log out and in as a different user, or reboot into a special maintenance mode, or something else that would be greeted with howls of outrage from the user community.

Reading email should be dead simple and safe.

And so it is. Installing or running arbitrary software from unknown and untrusted sources never has been and never will be.

Re:Read the little ".whatever" (2)

kwerle (39371) | more than 3 years ago | (#34940976)

...Yes, yes I am. There is absolutely nothing the OS can do to prevent a user with administrative access from installing and running software of their choice...

In the context of reading email, I call B.S.

If all email clients disallowed the downloading of any attachments, this world would be a better place. You and I would have to jump through a hoop or 2 to do the things we do, but the 99.99% of the population that only uses that feature of email programs to install trojans/viruses would appreciate it.

Taking a step up, if all attachments went into a sandbox that was essentially a jail, then this wouldn't be an issue. You can see how that would work.

This is a technical problem. There are technical solutions that would not be too hard to implement.

Re:Read the little ".whatever" (1)

Civil_Disobedient (261825) | more than 3 years ago | (#34940142)

You're blaming the user? Really?

Blaming the user for being an idiot, not blaming the user for wiping out their hard drive. There's a difference.

Re:Read the little ".whatever" (1)

ergean (582285) | more than 3 years ago | (#34940530)

Exactly - here, in Romania, if you want to make a transaction you need to input 2 separate codes from a token - once to log in (you are logged out if you don't use the application/webpage/whatever for a few minutes depending on the bank) and once to approve the transaction.

The new tokens from my bank are a pain in the ass - you need a token/a card/the sum you want to transfer and a pin just to make the transaction, the old token was simpler - you needed only the token and the pin.

Re:Read the little ".whatever" (1)

houghi (78078) | more than 3 years ago | (#34936840)

So all people, excluding some IT people, should stay away from the computers?
Sure, that is what the IT people would love to happen. I have some bad news for you.

Just like many IT people do not give a darn about other departments, other departments do not care about you. Do your job and if it is hard, stop whining and suck it up. If you think other jobs are easier go do those.

Or you could actually work WITH the other departments and start talking to them and find a solution for most things. Unfortunately not many departments (not only IT) are willing to do that.

Re:Read the little ".whatever" (1)

SquirrelDeth (1972694) | more than 3 years ago | (#34936880)

I'm not asking anyone to program with VB *yuck* but basic knowledge of file names is not that difficult.
Stupid analogy: You don't need to hire a carpenter to build your deck but you should know what the damn on/off switch is on your circular saw so you don't cut your fingers off.

Re:Read the little ".whatever" (1)

FrootLoops (1817694) | more than 3 years ago | (#34937066)

What does programming with VB have to do with anything? VB.NET is pretty respectable nowadays, IMO--at least, C# is, and they're virtually equivalent modulo syntax.

I tend to agree with you that it's the user's own fault if they didn't figure out file extensions and ran random email attachments. But, your wording hurts our case.

Re:Read the little ".whatever" (1)

imakemusic (1164993) | more than 3 years ago | (#34937756)

What does programming with VB have to do with anything?

VB specifically? Nothing, but programming in general is complex compared to knowing what file extensions mean. The average Joe, if using a computer in their day job, should understand file extensions but probably doesn't need to understand more advanced computer skills such as programming (in VB or any other language).

Re:Read the little ".whatever" (1)

Anne Thwacks (531696) | more than 3 years ago | (#34937052)

No, companies that want to stay in business should not use Widows for anything involving money and/or security. If they don't know this, they should not be using computers at all.

Opening files of any kind on a computer that hides the file type extension is like putting your hand in a black bag in a remote village in a country where you don't speak the language. Sure there might be a toffee apple inside, but it MIGHT be a ferret or worse. If you don't know what a ferret is, don't put your hand in a bag that is not yours!

Re:Read the little ".whatever" (1)

Anonymous Coward | more than 3 years ago | (#34937080)

Warning this software is beta and may eat your hamster.

Re:Read the little ".whatever" (0)

Anonymous Coward | more than 3 years ago | (#34940252)

Well, file extensions only really seem to matter to Windows anyway. For more reasonable operating systems, they are just part of the filename.

Re:Read the little ".whatever" (1)

Z00L00K (682162) | more than 3 years ago | (#34937192)

Since Microsoft in all their wisdom has decided to hide the extensions of the files on our computers these days people haven't got a clue about what they are opening until it is too late.

However - if the online banks only have a username/password credential for their access then the banks need to be responsible for any costs that the users suffer. A method of signing transactions using at least a smart card with PIN code should be used, but since the smart card interfacing can be hacked an external means of signing should be used like a hardware token with a keypad and PIN code that also allows the user to enter a code and get a response back that has to be provided to the bank in order to sign in and sign transactions.

Anonymous Coward (0)

Anonymous Coward | more than 3 years ago | (#34936710)

Ehhuuu what's so special about that? It's just a "targeted" scam.....
Hey what do you know marketing strikes again !!

Stole from the company? (5, Insightful)

AK Marc (707885) | more than 3 years ago | (#34936754)

I'm confused. If I walk up to a bank, write a withdrawal in someone else's name, then hold up the bank ordering them to honor that withdrawal slip, did I steal from the bank, or from the person whose name I forged on the withdrawal slip?

Identity theft and "unauthorized access" and taking the money from an account holder is as absurd as a bank getting robbed and taking it from the last deposits made to the bank and not from their general coffers. It was never done that way before, so why is it done that way now?

Re:Stole from the company? (2)

SquirrelDeth (1972694) | more than 3 years ago | (#34936770)

Because the bank's have more money than you.

Re:Stole from the company? (1)

Anonymous Coward | more than 3 years ago | (#34936920)

And you have more apostrophe's than them.

Re:Stole from the company? (0)

Anonymous Coward | more than 3 years ago | (#34936958)

And you are more of a dick than them, which is not an easy feat.

Re:Stole from the company? (1)

ArsenneLupin (766289) | more than 3 years ago | (#34937438)

At least, he used an apostrophe, rather than a stupid-quote

Re:Stole from the company? (0)

Anonymous Coward | more than 3 years ago | (#34938216)

At least he didn't use an unnecessary-hyphen.

Re:Stole from the company? (0)

Anonymous Coward | more than 3 years ago | (#34939110)

At least, he didn't, use too many, commas

Re:Stole from the company? (0)

Anonymous Coward | more than 3 years ago | (#34936886)

That's a great point.

Why is it at all possible? (2)

PMBjornerud (947233) | more than 3 years ago | (#34937158)

Identity theft and "unauthorized access" and taking the money from an account holder is as absurd as a bank getting robbed and taking it from the last deposits made to the bank and not from their general coffers. It was never done that way before, so why is it done that way now?

Why do mere credentials allow large money transfers?

I thought everyone was using hardware ID by now.
http://en.wikipedia.org/wiki/Security_token [wikipedia.org]

I know such tokens can still be improved, and it will improve. And it sure is a lot more secure than just a password.

Re:Why is it at all possible? (1)

Spectre (1685) | more than 3 years ago | (#34940020)

This is probably why they are focusing on "small businesses".

Large companies know better and have IT departments that can at least document a need for multi-factor authentication (although there isn't a guarantee that they have enough clout to force the issue).

Small companies get by on whatever the last consultant gave them and usually ignore any advice to spend money on something they would need to physically carry around.

Re:Stole from the company? (0)

Anonymous Coward | more than 3 years ago | (#34937584)

There's a Mitchell and Webb sketch about this very thing.

www.youtube.com/watch?v=CS9ptA3Ya9E

Re:Stole from the company? (1)

EdgeyEdgey (1172665) | more than 3 years ago | (#34938182)

There's a Mitchell and Webb sketch about this very thing.

www.youtube.com/watch?v=CS9ptA3Ya9E

Good link
Here [youtube.com] it is in clicky format for the lazy. Mod up.

Re:Stole from the company? (2)

AmiMoJo (196126) | more than 3 years ago | (#34937812)

Under UK law the bank is liable. The customer is only ever responsible for loss if the bank can prove that they did something negligent to cause it. Even if your PC got infected with a virus that stole your credentials, as long as you had anti-virus software and didn't do anything monumentally stupid the bank takes the hit. You took reasonable precautions, which is all the law requires.

Banks tried to get out of their liability by claiming that the Chip & PIN system on bank cards was infallible so any fraud must have been the responsibility of the card's owner, but that was shot down years ago.

Re:Stole from the company? (0)

Anonymous Coward | more than 3 years ago | (#34938218)

Under UK law the bank is liable. The customer is only ever responsible for loss if the bank can prove that they did something negligent to cause it. Even if your PC got infected with a virus that stole your credentials, as long as you had anti-virus software and didn't do anything monumentally stupid the bank takes the hit. You took reasonable precautions, which is all the law requires.

Banks tried to get out of their liability by claiming that the Chip & PIN system on bank cards was infallible so any fraud must have been the responsibility of the card's owner, but that was shot down years ago.

This is why Microsoft is attempting to get their "computer health check" passed into law. If you don't have a healthcheck certificate the bank will use this as evidence of your negligence. Of course, it won't be possible to obtain such a certificate if you are not running a Microsoft operating system. It wouldn't even be possible to realistically issue one for a computer running open source software, because how do you tell if the end user modified the software, or if hackers modified it?

Re:Stole from the company? (1)

Tim C (15259) | more than 3 years ago | (#34938466)

But that's ok because Linux doesn't get viruses, right?

Re:Stole from the company? (1)

Spyder (15137) | more than 3 years ago | (#34941032)

Doesn't matter the OS if it's a browser targeted attack. Based on the scant information in the article, I'm guessing this is a XSRF attack.

Re:Stole from the company? (1)

Spyder (15137) | more than 3 years ago | (#34940980)

Based on the fact that HR has access to company accounts, the businesses targeted/affected are probably 1 person does all the management functions. Most banks I've seen use the same authentication for small businesses as personal accounts. If they have a PIN/keypad or a rotating authentication question, then a straight credential capture isn't easy. Unfortunately, while those measures are common, they aren't universal. This might also be a cross site request forgery (XSRF) attack, which would be prevented or at least mitigated by re-authenticating for each transaction. But again, if these are small businesses using the same essential security measures as personal accounts, transactional re-authentication isn't a common feature of those types of accounts.

ass rape lol (-1, Troll)

ben0s (1904604) | more than 3 years ago | (#34936794)

serves them right for using Outlook. use an email program which doesn't like to be ass raped next time.

Re:ass rape lol (-1)

Anonymous Coward | more than 3 years ago | (#34936900)

serves them right for using Windows. use an operating system which doesn't like to be ass raped next time.

FIXED.

How I am not feeling bad (0)

Anonymous Coward | more than 3 years ago | (#34936826)

Looks like they go after temp agencies and body shops who insist on receiving a Word doc from "candidates" so they can conveniently remove the contact information before they start whoring you out.

Hackers or Criminals? (1)

frinkacheese (790787) | more than 3 years ago | (#34936906)

Errm, nobody seems to have noticed the headline of this story..

"Hackers Respond To Help Wanted Ads With Malware" ..

FFS Slashdot, these are not Hackers they are Criminals.

Re:Hackers or Criminals? (1)

maxwell demon (590494) | more than 3 years ago | (#34936994)

FFS Slashdot, these are not Hackers they are Criminals.

How can you be sure they are not hackers? Being a hacker and being a criminal are not mutually exclusive.

Re:Hackers or Criminals? (1, Insightful)

frinkacheese (790787) | more than 3 years ago | (#34937450)

This is true.. But look at this headline:

BLACK MEN RAPE YOUNG GIRLS

Now, it may be true that they are black. It's also likely that other people who were not black were also involved, but bringing out one attribute such as ethnicity or a technical aptitude really does not describe the whole situation. What the headline should be is:

CRIMINAL HACKERS...
or
BLACK RAPISTS....

Which, instead of attributing *ALL* hackers or *ALL* black men to a certain criminal activity, makes the distinction that not all people with that attribute are criminals, only a certain minority who engage in the mentioned criminal activity.

So whatever way you look at it, it is sloppy.

Re:Hackers or Criminals? (1)

gstrickler (920733) | more than 3 years ago | (#34942040)

In either case, there is no reason to even mention "hacker" or "black".

Headline should simply say "Criminals Respond...."

Useless Warning (1)

glodime (1015179) | more than 3 years ago | (#34936954)

The warning issued by the Internet Crime Complaint Center [ic3.gov], which has some sort of hard to describe relationship with the FBI, is completely useless to any small business that would be susceptible to this attack. The only thing that they could get from the warning is to use a virus scanner for all attachments to emails. No additional information that a small business might find useful is conveyed. Further, virus scanners are a) never going to catch the newest Trojans or other malicious software, and b) unlikely to be installed as a result of this warning. Any small business that knows about the IC3 and their warnings will be using up to date email security practices. Those that don't use up to date email security practices are unlikely to know about the IC3 and their warnings. This is a highly ineffective "warning" or "note" as the IC3 describes it.

If only people demanded proper security tokens... (2)

Bourdain (683477) | more than 3 years ago | (#34937466)

I'm a CPA and work in corporate accounting.

(1) From this experience, I've observed that some of the better banks force the end user to enter numbers from security tokens not only to log in, but a new number to authorize each and every transaction (potentially limited by transaction size if desired). Further, transactions over a certain threshold may require two different individuals to log in to approve.

(2) I'm not a web designer or a real programmer, but does this setup still yield a possible attack? I could foresee a situation where all of this data is intercepted, but most of these security tokens are time sensitive and the end-user would notice delays on the website in use with interception. That said, if an attacker were essentially acting as a proxy for the bank site and just rekeying/scripting information from the bank user, the attacker could insert their own bank accounts in for a wire or ACH transaction. Does this described situation ever happen?

Re:If only people demanded proper security tokens. (0)

Anonymous Coward | more than 3 years ago | (#34937748)

Just what I was thinking.
I get my token over SMS, coupled with a date and a total amount every time I commit a transaction.

While not 100% foolproof it limits even a man-in-the-middle attack to only the amounts that I make new transactions for.
I would probably soon catch on that it's not working as it should be.

If they wanted to get more they'd have to get physically close to me and intercept/change phone traffic.
That's a good way for the hackers to get caught.

Re:If only people demanded proper security tokens. (0)

Anonymous Coward | more than 3 years ago | (#34938230)

Public/private key encryption is supposed to rule out that proxy situation you describe in your second question (a man-in-the-middle attack). The bank user should have an encrypted connection to the bank. If an attacker is pretending to be the bank, then the user will notice when the attacker is unable to decrypt a message that has been encrypted with the bank's public key.

In practice, this is all taken care of in the browser. If someone is trying the above attack, it will display some sort of warning - which the user might ignore or fail to understand.

Re:If only people demanded proper security tokens. (1)

Bourdain (683477) | more than 3 years ago | (#34938394)

as an addendum and really a suggestion to banks out there if this doesn't exist, but should... perhaps (granted this would be potentially a bit tedious) -- for transactions exceeding a certain size, a special security token would be ideal where:
(1) the user enters the wire/ACH data on the token itself (amount, account number, transit number)
(2) the resulting number generated would both authenticate the user for the transaction and also authenticate the amount (i.e. the amount entered on the keypad would be a seed in the implicit PRNG which any attacker would, by design, not have access to)
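
The transaction-bound token suggested in the comment above, as an added sketch that is not part of the original comments and is not any bank's or vendor's scheme: the code is an HMAC over a counter plus the amount and destination keyed into the token, so a payee altered in the browser fails verification, while a plain HOTP login code (RFC 4226) carries no payment details at all. The key, counter, field encoding and account values are constructed assumptions.

```python
import hashlib
import hmac
import struct


def _truncate(digest: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 31 bits, reduce to decimal digits."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login_otp(key: bytes, counter: int) -> str:
    """Plain HOTP: proves possession of the token, says nothing about the payment."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, 6)


def transaction_code(key: bytes, counter: int, amount_cents: int,
                     account: str, routing: str) -> str:
    """Code bound to the payment details typed on the token's own keypad."""
    # Length-prefix each field so different field boundaries cannot collide.
    fields = [str(amount_cents).encode(), account.encode(), routing.encode()]
    msg = struct.pack(">Q", counter) + b"".join(
        struct.pack(">H", len(f)) + f for f in fields)
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), 8)


def bank_verify(key: bytes, counter: int, amount_cents: int,
                account: str, routing: str, code: str) -> bool:
    """Bank recomputes the code over the details it actually received."""
    expected = transaction_code(key, counter, amount_cents, account, routing)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    key = b"constructed-demo-key"                    # constructed shared secret
    counter = 7
    intended = (150000, "1111222233", "000000001")   # what the user keys into the token
    tampered = (150000, "9999888877", "000000001")   # payee swapped before reaching the bank
    code = transaction_code(key, counter, *intended)
    return {
        "intended_accepted": bank_verify(key, counter, *intended, code),
        "tampered_accepted": bank_verify(key, counter, *tampered, code),
    }


if __name__ == "__main__":
    print(demo())
```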

Re:If only people demanded proper security tokens. (1)

Red Flayer (890720) | more than 3 years ago | (#34940492)

granted this would be potentially a bit tedious

You can say that again. That would be impossible from a use standpoint. Many small businesses issue dozens or even hundreds of payments on a weekly basis (not even including payroll!). Asking payment authorizers (typically exec-level employees) to manually key in that information is ridiculous. Plus you're going to have typos that result in incorrect authentication numbers, etc. So what happens? You return a result of "authentication not valid" and they have to type the details in again. How many unsuccessful tries will you allow before locking them out?

What you have to do is authenticate the session, not the individual transaction.

There's not many solutions to this problem... (1)

Mattpw (1777544) | more than 3 years ago | (#34941834)

Yes this does happen, they don't even need to install a trojan on your computer; they do it with phishing pages which have a Jabber instant messenger client which instantly relays the OTP (one time password) to a server which does an immediate backconnect to the bank etc. and logs in. The other way they are bypassing these devices is through a trojan on the computer and they hijack the browser, MITB (man in the browser). The OTP security token method is pretty much useless, actually not really protecting against much at all which isn't already covered by SSL. The problem with the OTP devices is they are only one way authentication. The MITB attacks defeat just about everything else available, even recently the active mutual authentication electronic tokens. About the only online authentication method which isn't vulnerable is the passwindow cards, as they are the only online authentication I know of capable of passive mutual authentication. (Active means a human has to do something and then gets tricked by the trojan in the browser; passive is where you just view and don't do anything except enter the password.) http://en.wikipedia.org/wiki/Mutual_authentication [wikipedia.org]

Obvious fix (1)

Geminii (954348) | more than 3 years ago | (#34938410)

All job applications and CVs should be in plain text. Problem solved. :)

(And yes, I've seen online application processes which will not accept text or even RTF files, demanding that any submission must end in DOC or PDF. Stupid, stupid, stupid...)

Re:Obvious fix (0)

Anonymous Coward | more than 3 years ago | (#34939626)

All job applications and CVs should be in plain text. Problem solved. :)

(And yes, I've seen online application processes which will not accept text or even RTF files, demanding that any submission must end in DOC or PDF. Stupid, stupid, stupid...)

What's wrong with PDF?

Unless you're using Adobe's godawful slow, insecure, buggy PDF reader, but who does that anymore?

Segregation of Duties (1)

Stenchwarrior (1335051) | more than 3 years ago | (#34938596)

This is exactly why any company with access to financials of any sort should follow the Sarbanes Oxley rule of Segregation of Duties [sarbanesoxleyfocus.com]. The rule was originally intended to keep people from having many levels of access...for example: A bookkeeper shouldn't have enough levels of permission to write themselves a check, then delete the transaction in another part of the system. One person with access to multiple facets within the company is a single point of possible security failure both internally and externally. You can put up all the security you want around your walls, but if someone with bank access is also out in the public fielding resumes and browsing the web (even for legitimate reasons) and falls prey to one of these scams then the company needs to look inward for fault. Not that the criminals are not to blame, but there should be controls in place to help mitigate this very risk.

Good fucking Grief (1)

doperative (1958782) | more than 3 years ago | (#34940868)

Is this the state of Cyber Security in the twenty first century?

The Zeus botnet only targets Windows machines [wikipedia.org]

"There are a few things consumers and small businesses can do if they're unsure about e-mail attachments. The safest is to delete the attachment and write back to the sender asking for a plain text version. Alternatively, they can open the document in Google's Gmail to see if it appears legitimate" link [itworld.com]
