
Hacker takes down CEO wire transfer scammers - aburan28
http://www.theregister.co.uk/2016/09/06/hacker_hacks_ceo_wire_transfer_scammers_sends_win_10_creds_to_cops/
======
tvanantwerp
The accounting guy at an office I've worked for once got a spoofed email from
the CEO asking for bank account info to initiate a wire transfer. Thankfully,
the first thing he did was bring it to me to verify authenticity. "This
doesn't sound like [our CEO]", he said. "It's not rude enough."

~~~
eli
We've gotten them too. I think we would have caught it regardless but we've
always had the bank require two officers to sign off on any transfers anyway.
Seems like the hassle is definitely worth it compared to losing millions of
dollars.

~~~
e40
This. We've done this for 30+ years and it's saved us countless times.

~~~
walshemj
Seconded. Even the smallest club/organisation I have been involved with
normally has multiple signatories (2 out of 3) for even the smallest cheques.

------
cm2187
> _" We sent them a prepared PDF document pretending to be transaction
> confirmation and they opened it which led to Twitter handles, usernames, and
> identity information."_

I'm glad to see that PDF is still a safe format....

~~~
kuschku
Use a sandboxed PDF reader, like PDF.js.

Or use one that just doesn’t support all the retarded features, like KDE’s
Okular.

~~~
oneweekwonder
Until you need to submit your taxes using the retarded features.

~~~
kuschku
I don’t think any country would be stupid enough to do that.

In most countries, you just use your eID and a smartcard reader to login, and
fill out an online form.

~~~
milankragujevic
Which requires ActiveX :(

~~~
kuschku
Does it? ElSter works with JS (and a local authenticator program that
interfaces with your smartcard) nowadays, too. Java or ActiveX were only
required many years ago.

------
kelvin0
Well at least the scammers got more savvy, the previous template they used was
really bad, AKA: "I am Prince/Ambassador/Prime Minister from
<InsertRemoteCountryNameHere> and my funds <InsertBigAmount$$$> are locked in
<BigForeignBank> (...)"

Also, taking down a scammer operation is quite a noteworthy endeavor! But,
let's not forget the "reverse-scammers" are also doing a public service:

[http://www.419eater.com/html/letters.htm](http://www.419eater.com/html/letters.htm)

Some of this stuff is hilarious.

~~~
kayla210
Just finished reading most of "Busted!" Wow, this website's gold. I love to
read this kind of stuff. Do you have any favorites you'd mind sharing?

~~~
kelvin0
There's one where he gets the scammers to dress up and take pictures to prove
who they are ... you can't make this stuff up :) I'll try to find the link.

------
csomar
> "We sent them a prepared PDF document pretending to be transaction
> confirmation and they opened it which led to Twitter handles, usernames, and
> identity information."

Wait a second? If you are doing a Wire Transfer, it means you have the Scammer
bank account name, routing number and IBAN.

How, in hell, is this not enough to identify the fraudsters?

~~~
eli
Sometimes it's the bank account of an innocent third party they have hijacked.
Or it's opened with false credentials.

~~~
csomar
Receiving 3 million USD in your account from a foreign account doesn't trigger
any bells? I assume the false credentials account is, probably, brand new and
the person is unknown to the agency/public.

Seems sketchy to me.

~~~
saint_fiasco
There is a scam where a Nigerian prince says he needs your help, he will send
money to your bank account and needs you to withdraw that and send him cash.
Of course he will let you keep a portion of the money for your trouble.

Only in this scam the prince actually sends you money, so you gladly send some
to the prince and keep the rest.

Of course, the cops then want to know why the money from some poor guy's life
savings ended up on your bank account...

------
marmot777
Whoever takes down criminals like this wire transfer scammer is a hero. Fuck
crackers, scammers, and other douche bags.

~~~
ta_the_gray
(Using a throwaway for obvious reasons here.) I couldn't agree more. Lately
I've been taking down scammers left and right. For instance, my wife got a
text recently trying to phish Bank of America accounts. She gave me the URL,
and I emptied their database and took the site offline. These people are
straight-up evil.

~~~
marmot777
It may seem like I was doing something pretty obvious: preaching to the choir.
But it takes intention, effort, skill and at least some passion or anger to
drive the motivation to follow through on something like this. It's worth
saying out loud that it's an act of heroism.

~~~
sillysaurus3
Praising this isn't necessarily a good idea. I'm the last to say something
like that, but the CFAA is legitimately terrifying.

To see how little tolerance people have for hackers, look at the Steubenville
incident:
[https://www.reddit.com/r/TwoXChromosomes/comments/51ot8u/act...](https://www.reddit.com/r/TwoXChromosomes/comments/51ot8u/activist_who_helped_expose_steubenville_rape_of_a/d7ebmwe)

When you do something like this, a mistake -- even a minor one -- can turn you
from a heroic vigilante into the hunted.

The point of an indictment is to indict you, but people generally talk about
accusations as if they're fact. That would give me pause before executing a
plan like this, no matter how moral.

For example, ta_the_gray didn't use Tor, or else their comment would be marked
dead. That means they're putting a _lot_ of faith into HN to conceal their IP
address. Hopefully they used Tor -> VPN -> HN, but even then, how did they pay
for the VPN? Stuff like this takes a lot of training and preparation to pull
off flawlessly.

Of course, if you live outside of America, your situation may be different.

~~~
marmot777
I'm in the U.S. and I've never been a hero of any sort, just to clear the air
on that. :-)

This is my last post of the night so I don't have time right now to read
all that you mentioned and maybe it's not necessary. You're saying that making
a mistake going after a cracker or scammer or other douche bag of this sort
can easily backfire on you if you make a mistake? The conclusion you make then
is don't do it? I'm not even disagreeing if this is what you're saying. If it's
truly not so much heroism as I claimed but in fact reckless stupidity then
I'll concede the match on this point.

------
TwoBit
It seems like terrible security to send millions of dollars to arbitrary
destinations based on an email.

~~~
marmot777
Jesus, no kidding. You'd think there'd _at least_ be a phone call to verify.
Presumably, with that much money involved, it's worth a few minutes on the
phone for each one.

~~~
reitanqild
You'd think.

I think a lot of businesses have this or something else coming. There is such
a massive indifference to security around in certain companies that reporting
legitimate issues will feel embarrassing.

~~~
marmot777
I agree. Frankly, I think most people don't give a fuck about security. I
can't explain why. If all this shit was happening at gun point, we'd have
declared a massive national emergency by now. But because it's "cyber" it does
not seem to freak the fuck out of people like it should. I wish I understood.

~~~
Vendan
From my experience, it's a combination of "What's the worst that could
happen", "It wouldn't happen to us", and "That's what we have insurance for".
Not the most reassuring thing.

~~~
reitanqild
> Not the most reassuring thing

Especially when it happens at companies that sell to high-value targets :-/

~~~
marmot777
Or even noodles or ice cream cones

------
wyldfire
> Those Windows 10 password hashes only last a few hours when subjected to
> tools like John the Ripper.

Is this on a single Xeon or high end GPU or some enormous equipment farm? How
can Win 10 have such a fast hash? Let me guess, backwards compatibility with
some ancient windows release?

~~~
Vendan
Raw NTLM, and yeah, it's not terribly fast, but it's relatively simple to get
up to gigahashes a second (I've got a box that churns out 21 GH/s on raw
NTLM). Plus, it's not salted, so it's trivial to just grab every hash and
crack them all at the same time. Just keep in mind that you are unlikely to
get a raw NTLM unless you've pwned a machine. Network sniffing and spoofing
will get you a NetNTLMv1 or v2, and they are much slower, and salted.

~~~
walshemj
It's a known weakness. Working at British Telecom I had to (legally) break into a
client's systems, and brute forcing NTLM was how I did it.

I made sure I had sign off from a very very senior manager to OK this, though; I
did not want to get on the wrong side of our internal security guys.

~~~
Vendan
I'm basically outsource red team for a bunch of smaller companies, so I'm
cracking NTLM, both NetNTLMv1/v2 and raw all the time.

------
coldcode
While I am all for hacking the scammers, it's a little sad that it is so easy
to steal information from Windows 10.

------
ge96
Are cops actually prepared for this sort of thing? If you handed them the
information and were like "Here's a hacker, take them down." The cops have a
division or something for cyber security enforcement or whatever? I'm just
asking as I don't imagine police officers being the tech type regarding
hacking.

~~~
function_seven
Like a lot of things, I'd imagine the capability varies tremendously among the
different police departments. I wouldn't be surprised if New York or London
police have sophisticated detectives dedicated to cyber-security. (I also
wouldn't be surprised if they're still woefully outmatched, either)

Meanwhile, if I were to deliver this info to my local police department, I
have very little faith they'd even know what I'm talking about.

~~~
robinduckett
When local police arrived, I had to explain Skype to them. This is when I
realised they probably couldn't do anything about it.

~~~
rz2k
It could be that their security experts were in their early twenties and had
never heard of Skype.

~~~
thaumasiotes
My 13-year-old brother and sister are on Skype constantly. If the computer's
open, Skype is running in the background.

Skype is also well-known among current Chinese college students.

Basically, I think it's unlikely that anyone in their early twenties has never
heard of Skype.

------
nurettin
I don't get wire scams. So you send money to the hacker's account and the
hacker transfers it immediately to another bank?

~~~
eli
yes

~~~
nurettin
And the international banking systems in place, with all their power and
money, are somehow unable to roll back transactions when it comes to multiple
banks.

Sounds more like banks are the real scammers.

------
Hydraulix989
How does this work?

The CEO is ostensibly supposed to wire cash into the mark's bank account, but
needs their banking info?

~~~
celticninja
Someone pretending to be the CEO emails the CFO, and the CFO makes the payment.
As mentioned, they usually compromise the email system first and look for
similar requests; this way they know what sort of format the CFO is expecting
and the figures that they deal with, and try to make it look as usual as
possible.

------
MrLeftHand
So the hackers can fall for the same trap?

I wonder if there was a situation where a hacker fell for his own trap.

'Oh sweet! Got an email about p_n_s enlargement.'

'Wait a minute....'

~~~
knodi123
> I wonder if there was a situation where a hacker fell for his own trap.

I once booby trapped the kitchen sink so the sprayer would shoot whoever
turned on the water next... But then I forgot about it and went to wash a
dish.

Does that count?

~~~
MrLeftHand
If it was an intelligent kitchen, with an IoT faucet and sink, then yeah
pretty much.

~~~
knodi123
Yep, of course it was, and the tap only poured Glaceau Smart Water. I hacked
the dish sprayer with an SQL injection.

~~~
MrLeftHand
Wow everything is smart in that kitchen, even the water.

Can you inject SQL into the Smart Water, or use a DDoS on it?

------
tlrobinson
So why are they tipping off the scammers to this technique?

