Tell HN: Be aware of people trying to scam contractors
In short, I just received a nice proposal to work on a new contract, the potential customer sent me a "document" with the project specs which turned out to be a password-protected compressed file with some pictures and a ".exe" file inside.
I submitted the executable to virustotal which reports this as a trojan (https://www.virustotal.com/gui/file/088e2dabf218024d30e6899152b6a031dc30ae6f7d516492cb797292d6255d27/detection), seems like this takes screenshots and steals browser data which can be used for other purposes later.
Anyway, be cautious with proposals you receive.
107 comments
[ 3.6 ms ] story [ 215 ms ] threadPaul Hibbert (a UK tech YouTuber) was also hacked in a similar way, and he dived into info on that here: https://youtu.be/0NdZrrzp7UE
There was some story I read years ago about how terrorists (I think it was) could have their plot foiled 99% of the time but they only needed to be successful once. Whereas their targets need to be successful 100% of the time. (I wish I could remember where I heard that)…anyways, this applies to IT security too.
You probably heard it from multiple sources since it is a cliche used in all types of security fields. Kind of like how 'if you are getting something of value for free you are the product not the client' is for web-services people.
This is true, but an IT security team also has a huge number of opportunities to detect an intruder.
If the defender has just one security vulnerability, the intruder can get in -- and the defender typically won't know about the security vulnerability ahead of time. If the intruder is noisy just once, the defender can catch them -- and the intruder typically won't know what's being listened to or even what systems/credentials are real.
It’s also worth noting that we are talking about contractors laptops here. So they wouldn’t be subject to management by IT security teams. At best, they’re entirely disconnected from the IT systems that contractor is hired to work on. It at worse, they’re used as a BYOD. And the worst case is surprisingly often the norm.
In the case of the attempted assassination of Margaret Thatcher, the bomb failed to kill Thatcher, but the IRA could always try again. Only one bomb needed to succeed, and even if they lost some operatives they could keep going until Thatcher was dead.
The case in information security is even worse, because most attackers are completely out of reach for retaliation. They're extremely difficult to track down, and even when you do it's usually to a country that won't even consider extradition. So they can try again and again, and you have to catch them every time or they'll achieve their goal.
The IRA statement following the bombing was: "Thatcher will now realise that Britain cannot occupy our country and torture our prisoners and shoot our people in their own streets and get away with it. Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always. Give Ireland peace and there will be no more war."
https://en.wikipedia.org/wiki/Yes,_and...
It depends.
Is this an .exe file in an email attachment? Then usually no.
Is this a github project which asks you to “curl totallysafe.com | sh”? Then often yes.
I only run random bash scripts from the internet with sudo permissions
But for an attacker that convinced you to run some malicious shell commands (e.g. `curl ...| sh` or copy/pasting more than you bargained for) that's only a minor inconvenience; next time you sudo, they're root anyway.
//Edit
Also, an attacker aiming for root is a red herring. One compromised account can already be bad enough - why would they need root on your private computer when they already stole your password database, keylogged your master password and created an off-site backup of your home dir?
In any case safest route is to always do a new shell (or a docker vm) for fun activities.
I do find it sad that there is no general requirement to pay employees to be on call.
So as a contractor you need to make sure that there is an extra provisioning in there AND that the rules which govern on call are extremely clear. Like what about you going on vacation? Sick? Grandma dying?
I worked for multiple big US tech companies (both FAANG and non-FAANG) and all of them had oncall as a part of software engineering job.
Supporting the services you are developing feels like natural part of the job. And when I had a lot of tickets at night I was able to fix the issues and make oncall shifts better.
Paying fairly your employees for providing the support outside business hours also feels like natural part of the job. Unfortunately, surprisingly few companies do this.
The whole point of taking a salary is to have a predictable income, which cuts both ways.
What I'm saying is I don't want to do unpaid overtime and heroically sacrifice my weekends for oncall.
> The whole point of taking a salary is to have a predictable income, which cuts both ways.
Unsure what point about "cuts both ways" are you trying to make here. I think the company can pretty easily calculate how many non-business-hours are there within a month and allocate some money to compensate people doing oncall.
There's no such thing for salaried positions. I previously worked for a company that handed out "production bonuses" to people who worked >40 hours a week, calculated based off of your annual salary and hours worked. They were very clear to never call it overtime, because that has a very different meaning (legally).
> Unsure what point about "cuts both ways" are you trying to make here
Unlike a contractor, you don't have to look for another job after a defined period. You have a regular, fixed income (and benefits) so long as both you and your employer are happy. "40 hours per week" is a convention, not a requirement, though.
Most companies are pretty good at picking 40 hours as a reasonable work-life balance mark. Some (notably startups and people mills like Amazon) push for more. That said, if you want a guarantee, stick to contracting paid hourly.
However, as long as that's made clear from the outset, yes, your salary covers you performing your expected duties whenever they need to be performed. It's not like salaried engineers aren't compensated well.
For example, if you're rostered to be on call - whether or not you actually need to do anything - for a given week, then you'll be paid some $$$ for the inconvenience.
Likewise, if you do actually need to do some after hours work during that on-call time (eg: some servers went down unexpectedly, find out what/why/etc + fix) then you'll be paid for that time as well.
At least, this is how it's been at my last few roles.
It wasn't always seen as a "natural part of the job". Time was when most companies had a dedicated team of support engineers, who worked in 8-hour shifts, and provided support round the clock. Developers also got to spend the occasional week or month in support. Eventually, a CEO (who I will not name) figured that they could save costs if they got rid of support, and got the dev engineers to do it instead - and sold it as a "natural part of the job" - which kool-aid almost everybody has drunk by now. Which is how devs now burn their weekends, nights, and health being on-call without a choice. I've seen on-call responsibilities pretty much involve being available 24x7 for a week, once every two months. It's not right, it's not natural, and it's a result of CEO penny-pinching. That's just it.
If there were site related issues, that was usually the role of dev ops team to handle. That could then get triaged to a quality assurance team, eventually bug tickets could get created. Then during our normal office hours we could assign a normal software engineer to look at them.
Even the concept of being on-call physically makes me nauseous.
Right now I'm SRE in FAANG and the deal is quite sweet: we get paid for non-business hours, we are oncall only during daytime, I can exchange my oncall compensation for extra holiday. We also have enough time to fix recurring issues, remove noise, etc. But: I would never do unpaid oncall again. I would also think twice (or thrice) before agreeing for night shifts. As it turns out putting out fires at 3 AM can burn out entire team pretty fast.
AWS has a terrible reputation for exactly this.
I guess the scammer assumed as a contractor, you may have access to other customer systems they could exploit.
The internet be crazy, ya'll.
[0] https://www.theblock.co/post/156038/how-a-fake-job-offer-too...
[0] https://www.coingecko.com/en/coins/axie-infinity [1]https://www.washingtonpost.com/technology/2022/04/14/us-link...
https://twitter.com/GergelyOrosz/status/1660192047674925056
https://web3isgoinggreat.com
It seems like a false false positive otherwise, encouraging folks to discount a true positive as a false positive
No normal business operates like this, and if they do, you don't want to work for them.
And with tech challenges being so common, perhaps all it takes is a typo in some manifest to download a malicious package in a sneaky way.
If it's an internal tool they've built, either make up a story about how you're temporarily on a machine where you can't install new software, or do it in a sandbox.
I'm not going to just blindly follow an executable download link in any circumstances. It's the same as if my bank calls me out of the blue and wants to confirm who I am with personal details, I'll look up their number online and call them back that way before proceeding. (Hasn't happened in a long time, but I do remember having to do that with a legitimate bank call ~15 years ago, when they called me and asked for my mother's maiden name before proceeding.)
Nope. That's a nonstarter.
Microsoft in their wisdom have decided Windows users never need to see file extensions by default, so after unzipping the user would just double click an innocuous file with an MS Word icon. And maybe press OK on a prompt they've been trained to press OK on.
1. Post some fake job adverts
2. Collect the cvs of people who apply
3. Send those cvs in response to actual real job ads
4. If the company shows interest call the candidate and sign them up. If needed, paper over differences between from the job thought they applied for and the one you sent their cv in for.
It’s a super scummy tactic (but these are recruitment agents we’re talking about - the industry is stuffed with sharks and chancers). If you’re a hiring manager you can help to combat this unethical behaviour. Never accept CVs sent on spec (ie you didn’t ask for) by a recruiter unles you know for sure the candidate actually approved it. Whenever an agent send a cv to me like this I always send them A mail saying I didn’t request the CV and won’t be paying them a fee if we do hire the candidate. Otherwise you can find yourself in the position where the same CV arrives from a different agent and the first agent tries to claim the placement fee as well.
What made me suspicious was the frequency of those mails. Then I checked the link targets and history was written;)
For us old timers this was pretty much an e-mail every other day sort of thing. I remember putting up a website for contact work and getting spam virus crap within weeks from just automated bots.
On top of that, I wouldn’t even open a compressed file from someone unless I had a previous relationship with them, and even then I still would scan it since their computer could be compromised. I don’t care if it’s a contract offer, from my attorney or the president of the United States.
As for emails about contract jobs, even 15+ years ago these could be very targeted, specifying your company/resume etc. Now it will be getting even worse with chatGPT to write these emails in far less time and far more convincingly from non-native speakers.
Also note, unzipping files to look into them isn't automatically safe either... there are plenty of older CVEs where zip software had vulnerabilities allowing code execution, and a zero day is always possible. That's on top of the fact that zips can conceal file types of other software that might also have current CVEs.
Short story, and this should be followed by everyone in the tech community, never ever open attachments from anyone you don't know, and treat all attachments from people you do know as requiring scanning first. Not doing so puts your coworkers and your customers at risk. If you're accepting proposals for contract work, your process should always require one-on-one communication prior to accepting any attachments.
Sometimes, it feels like we're in the middle disillusionment era of the internet and tech, where all the hope and positive potential of the new medium has now given way to just previous crappy life problems taking it over, only magnified.
Influencers celebrate and encourage this stuff, because everyone older than you is just selfish and deserves to be scammed. Great role models. Being in my stepdaughter's life has been like watching the development of the human incarnation of the Fraud Examiners' Manual. She used to be listed as a beneficiary of my life insurance policy. At this point the only (and I mean only) chapters she hasn't attempted are the ones requiring abuse of one's own assets or credentials (kickbacks, arson, etc.), which are impossible schemes to execute when you've earned neither.
The mental health awareness stuff has scaled with it too. It used to be you moved to the big city for work, and when it got to be too much to handle you'd migrate out to the suburbs or country. But the internet made it so big-city, in-your-face hustle culture follows us literally everywhere. Everyone is out to fuck you. There's no peace or escape from the madness anymore. No wonder everyone has anxiety.
Subject: "Company_Name Expired: Set for dissolution"
Body: "Hello My_Name, Your business registration DEADLINE has EXPIRED as of 04/01/2023. Your business, Company_Name, has an Annual... It's OK, we're here to help. Registrar agency is a business advocate..."
It is absolute BS as I know that I recently updated everything. Not sure if it is a click-thru-to-install-malware scam or phishing to sell me services I do not need, but I'm not finding out.
I also get a LOT of official-looking emails from service providers that want to "help" keep my US Govt SAM (Services Award Management) database registration up to date, when I just need to wade through some govt forms and tick a few boxes...
I'm used to ignoring this carp, but if you are new to business ownership, it might seem right on a day you are rushed and tired. So beware out there...