How To

Don’t fall prey to this Bitcoin phishing attack

We got the following email to our company’s main mailbox yesterday. I took a screenshot of it, so you can click on it to view it large (see below). It certainly sounds ominous, and to the layperson, enough “details” are included in the message to make them start to worry and God forbid, even consider paying the turd who sent this out.

First and foremost, I need to say that this is a templated phishing attack. In other words, it sounds personal, but no one person is being specifically targeted. The hacker who sent this out is hoping that enough people will feel guilty and scared to start paying him/her the fee, after which point he or she will keep asking for more money.

I looked at the email headers and they were “stripped”, meaning the actual routing information for this email wasn’t included, flagging this message right away as a fake. Sure, it looks like it’s coming from our email address, but the hacker is “spoofing” it, using software that makes it look as if it was sent from us, when in fact it was sent from them. I know this sounds complicated to most people, but don’t worry, read on, I’ll give you other reasons why this is all fake and I’ll tell you what you need to do to safeguard against actual occurrences of these things. You can’t eliminate the possibility of this actually happening, but you can minimize it through basic precautions and regular upkeep of your network security.

This is why it’s important to be confident in the security measures and precautions that you have implemented at home or at the office. For example, I know that:

  • I change my passwords fairly regularly and I use long, randomized passwords or passphrases. I store them in Keychain, the built-in app that comes with every Mac.
  • I have standard network security in place, such as a firewall, a router that uses NAT, and I don’t keep any ports open by themselves. Network devices can open ports, but the firewall only allows incoming traffic to those devices and only when they initiate it. This is fairly standard on all modern firewalls. I know my router doesn’t have software vulnerabilities. I know because I update its firmware whenever a new version comes out, which is something everyone should definitely do with their routers.
  • I have anti-virus software that checks my computers. I update it regularly. You should do the same. There are many options here, pick one that you like to use.
  • I use a network traffic analysis tool called Fingbox, which alerts me to unusual traffic patterns, ports and devices using my network. There are other similar devices on the market and everyone should have one of these things and should know how to use it.
  • The email account the hacker talks about isn’t hosted on our local network, it’s hosted offsite with my web hosting provider, who is in a different country and has some fairly serious security measures in place to detect the sort of behavior the hacker brags about. So even if they’ve hacked into it, that doesn’t give them access to the kind of data they’re talking about.

Making a “full dump of my disk” is a ridiculous and funny thing to say. I have about 12-16 TB of data connected to my computer at any given time. Good luck making a “full dump” of that! It would take weeks, nay months…

The hacker apparently “looked at my web traffic” and was “shocked”. “Sites for adults”, oh no… I’m not even going to gratify that accusation with a response except to say every single one of us can visit whatever sites we damn well please on the internet, but we also need to be ready to accept the consequences of those web visits. The consequences can include: the logging of your activities on the site, the activation of your webcam and surreptitious recording of your “activities” as you surf those sites, the installation of trojans, and in case you visit illegal websites, possible visits from law enforcement. Macs are less likely to be “vandalized” in these ways by bad websites, but Windows computers can easily fall prey to code attacks. Know what you’re getting into and be willing to accept the consequences.

It also helps to have something called a Privise webcam cover (it used to be called Privoo when I bought it). It’s inexpensive and is a sliding cover for the webcam, allowing you to keep prying eyes from looking at you through the webcam even if they’ve hacked into your computer.

The filthy, smelly little bug who sent the phishing message wanted payment in Bitcoin. It is of course untraceable and would force you to buy the currency in order to pay him/her. Law enforcement wouldn’t be able to trace the transaction, even if you filed a police report afterward. This is why I don’t like cryptocurrencies! Not only are they wildly speculative but the transactions are untraceable, making them perfect for modern-day highway robbers and thieves.

Don’t think for a moment that once you pay the turd his asking fee, whatever he/she’s got on you will “self-destruct automatically”. No, he’ll keep whatever he’s got and he’ll keep milking you for money — after all, you’re his cash cow now. Moo…

Like I said above, your best defense is to learn and implement basic network security measures, be confident in what you’re put in place and if you messed up, own it and accept the consequences, but never pay the hackers, you’ll only encourage them. And back up your data! That should be your #1 safety precaution against anything. Ideally, you should have one synchronous local copy (gets updated regularly), an asynchronous local copy (only gets updated 2-3 times a year) and an offsite copy (or two). If your data is important to you, back it up!

Standard
Thoughts

Catching a code injection hacker in the act

Several days ago, I installed the Redirection plugin from Urban Giraffe. It’s truly awesome, in more ways than one. John Godley, you are an amazing programmer! As I re-arranged the categories on my blog, I tracked the 404 errors through the plugin. On Saturday morning, I noticed the following bit of information in my log:

You can click on the thumbnail to view the screenshot at full size. Look at the entries for IP address 65.90.251.169. Notice something peculiar? That’s a hacker trying to inject malicious code into my pages. He was trying to call to code contained in a text file by the name ide.txt located on a possibly compromised domain.

First, I checked out his domain, new-fields.com. It looked legitimate. The text file was another story altogether. Have a look at the screenshots above. I also saved the code to my computer in case it ends up disappearing from the hacker’s website.

I tested the code, and it looks like some pages from the podPress plugin are targeted or affected — at least that’s what the error message given by WP referenced when I ran the code. I had that plugin enabled at the time, and I’ve disabled it since. It seems that the code tries to modify one of the header.php pages, along with checking disk space (?). So I thought, let me find out who this hacker is. Apparently, he’s from Napperville, IL, US, or at least that’s where his IP address lives.

What’s more, I thought it’d be interesting to see who owns that domain name where his text file resides. It turns out to be one Samir Farajallah from Dubai.

So what we’ve got so far is some dude in Dubai who owns the domain where the malicious code resides, and some hacker in Napperville, IL, trying to exploit my blog using that malicious code.

Wait, it gets better… On Saturday evening, I have another look at my blog’s 404 log, and I find that some other hacker from Vietnam (IP address: 203.171.31.19) is trying to hack into my blog using that exact same code, but this time the text file’s located on some domain in Argentina. That last link leads directly to the text file with the malicious code, but it’s harmless if you browse it. It only works if you run it as PHP code, like these hackers are trying to do.

So far, it looks like I’ve got two hackers, who may or may not be working together, using the same malicious code, located on two different, possibly compromised domains, and trying to modify my header files, possibly to insert code in there that will display splog content or some other stuff.

Update: It looks like three more hackers are trying their luck today, on Sunday morning, 9/30/07. Their IP addresses are 65.98.14.194, 66.79.165.19 and 66.11.231.48.

What I can tell you is that they haven’t been successful. I checked all of my files, and none of them have been touched. Everything’s fine. At this point, I’m not going to waste any more of my time trying to hunt them down. If I see that the attacks continue, I’ll notify my web hosting provider, along with the hosting providers of the other domains, and I’ll also notify the ISPs who own the IP addresses used in the attacks.

My thanks go out to John Godley for the wonderful Redirection plugin. I wouldn’t have been able to catch these hackers without it. I don’t often check my 404 log files, although I should.

I’ve been working in IT for 13 years or so. Maybe I’m naive, maybe I’m too honest for my own good, but I’ve stayed away from this hacking business, and I’ll continue to do so. It’s just not a sustainable lifestyle. I believe that the bad stuff you do in life will catch up with you sooner or later. It’s inevitable. These hackers will get what’s coming to them, and I won’t even have to lift a finger beyond what I’ve done so far.

Standard
Thoughts

Photos as passwords foil hackers

I can’t believe how simple, yet incredibly useful this is! Instead of using silly passwords, with even sillier password rules that give you headaches, just use this! Choose a familiar picture as the password, have the system pixelate the heck out of it, then pick it out from among a group of pixelated photos every time you want to log on. How cool is that? Also, kudos to Tracy Staedter from Discovery News – just about every time I stumble on a cool article at Discovery News, it’s written by her. 🙂

Standard