Tell HN: Be aware of people trying to scam contractors
In short, I just received a nice proposal to work on a new contract, the potential customer sent me a "document" with the project specs which turned out to be a password-protected compressed file with some pictures and a ".exe" file inside.
I submitted the executable to virustotal which reports this as a trojan (https://www.virustotal.com/gui/file/088e2dabf218024d30e6899152b6a031dc30ae6f7d516492cb797292d6255d27/detection), seems like this takes screenshots and steals browser data which can be used for other purposes later.
Anyway, be cautious with proposals you receive.
A variation of this, a fake job offer, allowed scammers to steal $540 million in crypto tokens.
I guess the scammer assumed as a contractor, you may have access to other customer systems they could exploit.
The internet be crazy, y'all.
Axie Infinity was a pyramid scheme. The fact that in the end it was "hacked" and the funds "disappeared" is highly suspicious. Occam's razor says that they just exit scammed it.
A bit of (neutral) clarification: Axie is still active and is in the top ~60 projects by market cap, and the heist was actually linked to North Korean state actors.
https://www.coingecko.com/en/coins/axie-infinity https://www.washingtonpost.com/technology/2022/04/14/us-link...
If you're going to throw shit at crypto, at least get your most basic facts straight before doing so. As the other comment points out, Axie Infinity is still around, well used and far from having been exit scammed, much less disappeared.
Well, in the crypto world, code is law after all.
An actual crime was committed. Not to mention you’d be in the same spot if you wired $540M to a bank in Mozambique.
The joke is that crypto makes it unusually easy to have your money stolen away, only to be met with the "code is law, not your keys not your coins" adage from crypto maximalists.
I’m not seeing the joke. It reads more like snark.
Not really snarky when it's true. The site "Web 3 is going great" has a number of these types of events occurring.
Law enforcement is investigating. What are you talking about?
lol, somebody missed the boat.
I was mining back in 2010, lol, I'm doing just fine. I can profit and still tell you that the underlying investment is simply bad.
Regulation is bad. There’s no need for “prosecution” and law, this is the free market at work.
So an employee was using his work laptop to open job offers? Or maybe didn’t even have a work laptop? Disappointing, but I didn’t have high expectations anyway.
Have you ever heard of the services Glassdoor and Fishbowl? They are services where you can "review" and "rate" your employer. In general not a bad idea. However they require you to sign up with a valid _work email_! Crazy...
I have used Glassdoor on multiple occasions, writing reviews of my employers over the years, and I was never asked to use a work email.
To be fair, it ensures quality (in terms of bona fide employee reviews) in their dataset, but it does limit its size. And it also presumably skews it positive (no harm in the lack of anonymity if you have only good things to say).
The company can also pay to delete your reviews, if you didn't know this already. Glassdoor will say they won't, but, cui bono, they make their money from companies.
Can't review your past employers anymore...
In general, beware of unexpected ".exe" files especially if they are a gateway to something you want (a contract, a payment, etc.)
No normal business operates like this, and if they do, you don't want to work for them.
The reason it's in a zip is so you never see that it's an .exe. Otherwise the email client would show the file extension and warn the user.
Microsoft in their wisdom have decided Windows users never need to see file extensions by default, so after unzipping the user would just double click an innocuous file with an MS Word icon. And maybe press OK on a prompt they've been trained to press OK on.
And because password-protected zips don’t get scanned, because, well, the scanner doesn’t have the password.
What about expected executables? E.g.: “we use a niche video conferencing tool / document signing tool / dev tool, please follow this link to install it”?
And with tech challenges being so common, perhaps all it takes is a typo in some manifest to download a malicious package in a sneaky way.
You can usually google the thing and find an official link to the download and get a sense of whether it's a generally legitimate software company.
If it's an internal tool they've built, either make up a story about how you're temporarily on a machine where you can't install new software, or do it in a sandbox.
I'm not going to just blindly follow an executable download link in any circumstances. It's the same as if my bank calls me out of the blue and wants to confirm who I am with personal details, I'll look up their number online and call them back that way before proceeding. (Hasn't happened in a long time, but I do remember having to do that with a legitimate bank call ~15 years ago, when they called me and asked for my mother's maiden name before proceeding.)
> “we use a niche video conferencing tool / document signing tool / dev tool, please follow this link to install it”?
Nope. That's a nonstarter.
How do people not smell these from like a mile away? Must be proposals to people very new to this sort of work. To get me interested enough to even open a document, there's a lot you would have to get right before I hit that step.
Maybe this is a generation that has grown up with virus and spam protection good enough this almost never gets by, so they are unaware?
For us old timers this was pretty much an e-mail every other day sort of thing. I remember putting up a website for contract work and getting spam virus crap within weeks from just automated bots.
On top of that, I wouldn’t even open a compressed file from someone unless I had a previous relationship with them, and even then I still would scan it since their computer could be compromised. I don’t care if it’s a contract offer, from my attorney or the president of the United States.
Just to be clear, a password-protected zip file should be an enormous blinking red light. 99% of the time, password-protected zips are used to prevent virus scanners from scanning the content of the zip. Typically email providers like Google will provide you with a warning that they have been unable to scan the file.
As for emails about contract jobs, even 15+ years ago these could be very targeted, specifying your company/resume etc. Now it will be getting even worse with ChatGPT to write these emails in far less time and far more convincingly from non-native speakers.
Also note, unzipping files to look into them isn't automatically safe either... there are plenty of older CVEs where zip software had vulnerabilities allowing code execution, and a zero day is always possible. That's on top of the fact that zips can conceal file types of other software that might also have current CVEs.
Short story, and this should be followed by everyone in the tech community, never ever open attachments from anyone you don't know, and treat all attachments from people you do know as requiring scanning first. Not doing so puts your coworkers and your customers at risk. If you're accepting proposals for contract work, your process should always require one-on-one communication prior to accepting any attachments.
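The comments above give the defender's checklist for an attachment like the one in the original post: a password-protected archive that scanners cannot open, an executable inside it, and Windows hiding the ".exe" so the file looks like a document. The script below is an added example (not posted by anyone in this thread) that applies those checks to a ZIP blob without extracting anything. All archives it inspects are constructed in memory; because the standard library cannot write password-protected archives, the helper `simulate_password_protection` only sets the encryption flag bit in the ZIP headers to stand in for a real one.

```python
import io
import os
import zipfile

# Extensions Windows runs (or auto-mounts) on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".ps1", ".msi", ".hta", ".lnk", ".iso", ".img"}
# Extensions a recipient expects in a "project spec" archive.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                 ".jpg", ".jpeg", ".png", ".gif"}
RTLO = "\u202e"  # right-to-left override; visually reverses part of a filename


def windows_display_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' enabled."""
    base = os.path.basename(filename)
    root, ext = os.path.splitext(base)
    return root if ext else base


def member_findings(info: zipfile.ZipInfo) -> list:
    """Checks on one archive entry that need nothing but the central directory."""
    findings = []
    name = info.filename
    root, ext = os.path.splitext(os.path.basename(name))
    ext = ext.lower()
    inner_ext = os.path.splitext(root)[1].lower()
    if ext in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable extension {ext}")
        if inner_ext in DOCUMENT_EXTS:
            findings.append(f"{name}: double extension, shown as "
                            f"'{windows_display_name(name)}' on Windows")
    if RTLO in name:
        findings.append(f"{name!r}: right-to-left override in filename")
    if info.flag_bits & 0x1:  # general purpose bit 0 = entry is encrypted
        findings.append(f"{name}: encrypted entry, content cannot be scanned")
    return findings


def triage_archive(zip_bytes: bytes) -> dict:
    """Verdict ('block', 'review' or 'ok') plus findings for one ZIP blob."""
    findings, encrypted, executable = [], False, False
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.extend(member_findings(info))
            if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTS:
                executable = True
            if info.flag_bits & 0x1:
                encrypted = True
            else:
                # Readable content: check the PE magic regardless of the name.
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        findings.append(f"{info.filename}: MZ header, a Windows executable")
                        executable = True
    if executable:
        verdict = "block"
    elif encrypted:
        verdict = "review"  # unscannable: ask the sender for a plain file instead
    else:
        verdict = "ok"
    return {"verdict": verdict, "encrypted": encrypted, "findings": findings}


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def simulate_password_protection(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag in every local (PK\\x03\\x04, flags at +6) and
    central directory (PK\\x01\\x02, flags at +8) header. Constructed stand-in:
    the data itself is left unencrypted."""
    data = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + flag_offset] |= 0x01
            pos = data.find(sig, pos + len(sig))
    return bytes(data)


# Constructed samples, not real attachments.
BENIGN_ZIP = build_zip({
    "brief/overview.pdf": b"%PDF-1.4\n%constructed sample\n",
    "brief/logo.png": b"\x89PNG\r\n\x1a\n",
})
SCAM_ZIP = simulate_password_protection(build_zip({
    "mockups/screen1.jpg": b"\xff\xd8\xff\xe0",
    "mockups/screen2.jpg": b"\xff\xd8\xff\xe0",
    "Project_Specs.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
}))
RENAMED_EXE_ZIP = build_zip({
    # Executable renamed to look like a document; only the content gives it away.
    "Invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("scam", SCAM_ZIP), ("renamed", RENAMED_EXE_ZIP)):
        result = triage_archive(blob)
        print(label, result["verdict"], *result["findings"], sep="\n  ")
```

Three things are worth noting in the output: the scam archive is blocked on the extension alone, so the encrypted content never has to be opened; the renamed executable is caught only by its MZ header, which is why extension checks alone are not enough; and an archive with no executables but with encrypted entries still comes back as "review", which matches the advice above to refuse the attachment and ask for a plain file.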
Being convinced that you’re good at detecting social engineering attacks just makes it easier for you to fall for a social engineering attack.
There are far more actual jobs that seem like just scams, like this on Upwork I just saw: I mean, scam: 1) $8/hr, and then they want a week free? lol.
Developer rates are dropping fast across the globe as more people come online and compete at low rates, especially when applying for fully remote roles. People based in high cost of living countries can't compete with developing markets where CoL is 10x lower.
Hmm, the situation is far more nuanced than you suggest. There are also downsides of outsourcing labour to developing markets, such as language barriers, time zones, cultural differences and more. I personally know several CTOs who have reverted to in-house teams after realising that the actual costs extend beyond just salaries.
Do tech people execute such exe files? Doesn't seem like a novelty method, does it?
> Do tech people execute such exe files?
Is this an .exe file in an email attachment? Then usually no.
Is this a github project which asks you to “curl totallysafe.com | sh”? Then often yes.
No way would I ever run a random exe.
I only run random bash scripts from the internet with sudo permissions.
I was thinking about this: if I have already done sudo in a shell and its authentication is active for a bit, then any shell script I run (source) can potentially do a sudo and elevate status.
`sudo -k` is your friend ;-)
But for an attacker that convinced you to run some malicious shell commands (e.g. `curl ...| sh` or copy/pasting more than you bargained for) that's only a minor inconvenience; next time you sudo, they're root anyway.
Also, an attacker aiming for root is a red herring. One compromised account can already be bad enough - why would they need root on your private computer when they already stole your password database, keylogged your master password and created an off-site backup of your home dir?
It's been a few days, but thanks for the response. My concern was not a random attacker but the stuff I run after git clone from GitHub, without much thought, I might add. It is possible for a hacker to hide malicious code in an innocent-looking git repo for some hot new project, wait for some people to give root access inside their home or, better yet, office LAN, and add a cronjob to steal stuff nightly with an LLM's help?
In any case, the safest route is to always use a new shell (or a Docker VM) for fun activities.
Let's not make this about mechanism unnecessarily. They'd download an exe from that github just as easily.
99% of the time, no. But you only need one person to be absent minded (perhaps tired, maybe stressed and multitasking, maybe receiving constant interruptions from kids or work colleagues, etc).
There was some story I read years ago about how terrorists (I think it was) could have their plot foiled 99% of the time but they only needed to be successful once. Whereas their targets need to be successful 100% of the time. (I wish I could remember where I heard that)…anyways, this applies to IT security too.
Oddly enough, the quote is from a legitimate terrorist organisation following a bomb attack on a UK political conference, that wasn't that far off killing the PM at the time (and killed 5 others).
The IRA statement following the bombing was: "Thatcher will now realise that Britain cannot occupy our country and torture our prisoners and shoot our people in their own streets and get away with it. Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always. Give Ireland peace and there will be no more war."
Yes! That was exactly the source I was thinking of. Thank you
> (I wish I could remember where I heard that)
You probably heard it from multiple sources since it is a cliche used in all types of security fields. Kind of like how 'if you are getting something of value for free you are the product not the client' is for web-services people.
True. I’ve definitely heard it a few times. But there is one particular occasion that really stuck out at me. The way it was phrased, the specific domain, it was really poignant. I think because it was about terrorists and people losing lives, it brought a more tangible, human, cost to the equation.
> this applies to IT security too.
This is true, but an IT security team also has a huge number of opportunities to detect an intruder.
If the defender has just one security vulnerability, the intruder can get in -- and the defender typically won't know about the security vulnerability ahead of time. If the intruder is noisy just once, the defender can catch them -- and the intruder typically won't know what's being listened to or even what systems/credentials are real.
The point is that the consequences for failure are lower for the attacker than for the defender.
In the case of the attempted assassination of Margaret Thatcher, the bomb failed to kill Thatcher, but the IRA could always try again. Only one bomb needed to succeed, and even if they lost some operatives they could keep going until Thatcher was dead.
The case in information security is even worse, because most attackers are completely out of reach for retaliation. They're extremely difficult to track down, and even when you do it's usually to a country that won't even consider extradition. So they can try again and again, and you have to catch them every time or they'll achieve their goal.
Detection is important but by that point damage has already been done. Detection will just allow you to scope out the scale of the damage.
It’s also worth noting that we are talking about contractors' laptops here. So they wouldn’t be subject to management by IT security teams. At best, they’re entirely disconnected from the IT systems that contractor is hired to work on. Or at worst, they’re used as a BYOD. And the worst case is surprisingly often the norm.
It's toward the end of season one of Narcos, but the subjects are cops and criminals.
@janstice already replied with the original source, which was the IRA after bombing Margaret Thatcher's hotel.
Sigh. It's an expression as old as time.
It's 2023, and Windows still hides file extensions by default. Easy mistake to make.
See Linus Tech Tips getting his YouTube accounts "hacked".
Scare quotes make sense for social engineering, but if there's a trojan installed and used to increase access I would say that's enough to qualify as hacking.
Running an exe that steals your session cookies isn't really hacking, hence the air quotes.
So do you not think trojans count at all?
Tricking someone into running a program isn't hacking... it's malware and social engineering.
That’s a distinction without a difference.
Setting aside the trick itself, using malware to gain additional privileges is usually considered hacking.
While we’re sending warnings, watch out for jobs which have “on-call” responsibilities as they’re essentially SRE jobs and can make you work on nights and weekends.
On-call responsibilities themselves are not terrible... assuming the on-call is set up in a sane way. But more often than not it isn't.
Right now I'm an SRE in FAANG and the deal is quite sweet: we get paid for non-business hours, we are on call only during daytime, I can exchange my on-call compensation for extra holiday. We also have enough time to fix recurring issues, remove noise, etc. But: I would never do unpaid on-call again. I would also think twice (or thrice) before agreeing to night shifts. As it turns out, putting out fires at 3 AM can burn out an entire team pretty fast.
> As it turns out, putting out fires at 3 AM can burn out an entire team pretty fast.
AWS has a terrible reputation for exactly this.
Could’ve just said you work at Google because that’s the only place where it works like this afaik.
Well, it's part of the contract right? 1 weekend per month on call.
I do find it sad that there is no general requirement to pay employees to be on call.
So as a contractor you need to make sure that there is an extra provisioning in there AND that the rules which govern on call are extremely clear. Like what about you going on vacation? Sick? Grandma dying?
It’s strange to see something like this here.
I worked for multiple big US tech companies (both FAANG and non-FAANG) and all of them had oncall as a part of software engineering job.
Supporting the services you are developing feels like a natural part of the job. And when I had a lot of tickets at night I was able to fix the issues and make on-call shifts better.
> Supporting the services you are developing feels like a natural part of the job.
It wasn't always seen as a "natural part of the job". Time was when most companies had a dedicated team of support engineers, who worked in 8-hour shifts, and provided support round the clock. Developers also got to spend the occasional week or month in support. Eventually, a CEO (who I will not name) figured that they could save costs if they got rid of support, and got the dev engineers to do it instead - and sold it as a "natural part of the job" - which Kool-Aid almost everybody has drunk by now. Which is how devs now burn their weekends, nights, and health being on-call without a choice. I've seen on-call responsibilities pretty much involve being available 24x7 for a week, once every two months. It's not right, it's not natural, and it's a result of CEO penny-pinching. That's just it.
What you are describing is how most financial firms still work today. Sure Devs are the escalation in case the first line of support can't solve it. But the advantage of having a first line is that they are specialists in supporting, get better over a period of time, are mentally prepared because that is literally the job they signed up for and it lets Devs focus on core development. To those who say that this allows Devs to get away with murder because someone else is handling it - support escalations are very visible and if your stuff is breaking all the time, you come out looking very bad in the eyes of your management. Not to mention that any self respecting developer would/should apply a basic standard of care to their code. If anyone has developers that don't, it is an individual or cultural issue, not an issue with the model of separate support team.
> Supporting the services you are developing feels like a natural part of the job.
Paying your employees fairly for providing support outside business hours also feels like a natural part of the job. Unfortunately, surprisingly few companies do this.
If you want to charge different rates based on hour of the day, you should consider contract work rather than salaried.
The whole point of taking a salary is to have a predictable income, which cuts both ways.
> If you want to charge different rates based on hour of the day, you should consider contract work rather than salaried.
What I'm saying is I don't want to do unpaid overtime and heroically sacrifice my weekends for oncall.
> The whole point of taking a salary is to have a predictable income, which cuts both ways.
Unsure what point about "cuts both ways" you are trying to make here. I think the company can pretty easily calculate how many non-business hours there are within a month and allocate some money to compensate people doing on-call.
> unpaid overtime
There's no such thing for salaried positions. I previously worked for a company that handed out "production bonuses" to people who worked >40 hours a week, calculated based off of your annual salary and hours worked. They were very clear to never call it overtime, because that has a very different meaning (legally).
> Unsure what point about "cuts both ways" you are trying to make here
Unlike a contractor, you don't have to look for another job after a defined period. You have a regular, fixed income (and benefits) so long as both you and your employer are happy. "40 hours per week" is a convention, not a requirement, though.
Most companies are pretty good at picking 40 hours as a reasonable work-life balance mark. Some (notably startups and people mills like Amazon) push for more. That said, if you want a guarantee, stick to contracting paid hourly.
The only caveat I would add to this is: if you begin the position without the expectation of on-call being made up front, and then it's pushed on you without any extra comp, that's not exactly fair.
However, as long as that's made clear from the outset, yes, your salary covers you performing your expected duties whenever they need to be performed. It's not like salaried engineers aren't compensated well.
It seems to be fairly common for the on-call part of (salaried) jobs to be paid extra.
For example, if you're rostered to be on call - whether or not you actually need to do anything - for a given week, then you'll be paid some $$$ for the inconvenience.
Likewise, if you do actually need to do some after hours work during that on-call time (eg: some servers went down unexpectedly, find out what/why/etc + fix) then you'll be paid for that time as well.
At least, this is how it's been at my last few roles.
Office full time work is 40 hours per week during the day for most. If you are working in the evenings you probably are a contractor or a newbie.
Sounds awful, in all of the companies I've worked for the R&D department was firewalled from this type of tech support work.
If there were site related issues, that was usually the role of dev ops team to handle. That could then get triaged to a quality assurance team, eventually bug tickets could get created. Then during our normal office hours we could assign a normal software engineer to look at them.
Even the concept of being on-call physically makes me nauseous.
I don't know whether it's the general awareness of it that has been increasing or what, but it seems like job scams, bank scams, rental scams, these are all exploding in frequency lately.
Sometimes, it feels like we're in the middle disillusionment era of the internet and tech, where all the hope and positive potential of the new medium has now given way to just previous crappy life problems taking it over, only magnified.
Fraud has certainly increased as people find new ways to exploit the internet across borders with no accountability. It's not just online either, even kids are playing at misappropriation in doing things like soliciting donations from family to their college tuition funds and then just...not going to college (or taking one class at a time to look like they're actively attending, and pocketing the tuition).
Influencers celebrate and encourage this stuff, because everyone older than you is just selfish and deserves to be scammed. Great role models. Being in my stepdaughter's life has been like watching the development of the human incarnation of the Fraud Examiners' Manual. She used to be listed as a beneficiary of my life insurance policy. At this point the only (and I mean only) chapters she hasn't attempted are the ones requiring abuse of one's own assets or credentials (kickbacks, arson, etc.), which are impossible schemes to execute when you've earned neither.
The mental health awareness stuff has scaled with it too. It used to be you moved to the big city for work, and when it got to be too much to handle you'd migrate out to the suburbs or country. But the internet made it so big-city, in-your-face hustle culture follows us literally everywhere. Everyone is out to fuck you. There's no peace or escape from the madness anymore. No wonder everyone has anxiety.
This. I have seen a tendency toward increased scam schemes since the pandemic started.
New job/contract work fits very neatly into the time sensitive and stressful setup that phishers and scammers lean on.
I got something similar: a compressed file with an ISO in it: it was a CD with autorun. I guess some OS will mount it automatically and run the autorun.inf if you double click on it.
This happens in the content creator world as well, an agency contacts you and says to sign a contract by executing an exe file they send you. Very clearly a scam.
Talking about scams in job proposals. Lately I've been getting a lot of recruiters contacting me with sweet fake job opportunities, only to really try and sell me their recruitment services.
Back when I was a contractor this was a common scam to bootstrap a new recruitment agency.
1. Post some fake job adverts
2. Collect the CVs of people who apply
3. Send those CVs in response to actual real job ads
4. If the company shows interest, call the candidate and sign them up. If needed, paper over the differences between the job they thought they applied for and the one you sent their CV in for.
It’s a super scummy tactic (but these are recruitment agents we’re talking about - the industry is stuffed with sharks and chancers). If you’re a hiring manager you can help to combat this unethical behaviour. Never accept CVs sent on spec (i.e. you didn’t ask for them) by a recruiter unless you know for sure the candidate actually approved it. Whenever an agent sends a CV to me like this I always send them a mail saying I didn’t request the CV and won’t be paying them a fee if we do hire the candidate. Otherwise you can find yourself in the position where the same CV arrives from a different agent and the first agent tries to claim the placement fee as well.
Same here. Many Michael Page job offers with actually valid signatures and links to valid LinkedIn profiles, but fake link targets.
What made me suspicious was the frequency of those mails. Then I checked the link targets and history was written ;)
Well, this is how the Linus Tech Tips YouTube account was taken over.
Was there ever something like a breakdown on exactly how that went down?
Their own summary is here: https://youtu.be/yGXaAWbzl5A
Paul Hibbert (a UK tech YouTuber) was also hacked in a similar way, and he dived into info on that here: https://youtu.be/0NdZrrzp7UE
Yup, just got a variant this morning:
Subject: "Company_Name Expired: Set for dissolution"
Body: "Hello My_Name, Your business registration DEADLINE has EXPIRED as of 04/01/2023. Your business, Company_Name, has an Annual... It's OK, we're here to help. Registrar agency is a business advocate..."
It is absolute BS as I know that I recently updated everything. Not sure if it is a click-thru-to-install-malware scam or phishing to sell me services I do not need, but I'm not finding out.
I also get a LOT of official-looking emails from service providers that want to "help" keep my US Govt SAM (Services Award Management) database registration up to date, when I just need to wade through some govt forms and tick a few boxes...
I'm used to ignoring this crap, but if you are new to business ownership, it might seem right on a day you are rushed and tired. So beware out there...
It’s clearly suspicious and I wouldn’t advise opening these files (there’s no reason it should be a self-extracting executable instead of a standard ZIP file), but the VirusTotal report could also very well be a false-positive if malware makers used the same archiver program to create a self-extracting archive with their malware and AV engines ended up associating the self-extracting archive entrypoint (benign by itself) as associated with malware.
Has that happened with VirusTotal recently?
It seems like a false false positive otherwise, encouraging folks to discount a true positive as a false positive.
All else ignored, the exe reaching out to a Telegram server is reason enough to baulk.
Once you know about PDF capabilities, you can't unsee them.
Check out https://lab6.com/ for all the cool stuff. ;)
It's up to your reader to allow them.
Even Adobe Acrobat has been caught sleeping on the job before - what better reader to rely on?
Adobe Acrobat is the one that enables every attack vector. Almost everything else won't let your PDF launch local scripts.
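The comments above point out that a PDF can carry actions (JavaScript, a Launch action that starts a local program, an action that fires on open) and that whether they run depends on the reader. As an added example, not from anyone in this thread, here is a small Python triage that reports which of those capabilities a PDF declares, so a recipient can decide before opening it. It decodes PDF name escapes (so `/L#61unch` is seen as `/Launch`) and inflates FlateDecode streams so names hidden inside compressed object streams are visible too. The three PDFs it checks are constructed inline and are minimal rather than fully valid; the "(constructed.exe)" target is a placeholder.

```python
import re
import zlib

# PDF names whose presence means a reader may run code or reach out on open.
ACTIVE_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/Launch": "launch action (runs a local program)",
    b"/OpenAction": "action triggered when the document opens",
    b"/AA": "additional (automatic) actions on page/field events",
    b"/EmbeddedFile": "embedded file attachment",
    b"/SubmitForm": "form submission to a URL",
    b"/URI": "URI action",
    b"/RichMedia": "rich media content",
    b"/XFA": "XFA forms",
}
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def normalise_names(data: bytes) -> bytes:
    """Decode '#xx' escapes inside PDF names so obfuscated names match."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of every stream that decompresses as zlib.
    decompressobj tolerates a checksum byte eaten by the regex boundary."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (image data, raw content, ...)
    return data + b"\n" + b"\n".join(extra)


def active_content(pdf: bytes) -> dict:
    """Map each risky name found to its meaning; an empty dict means none found."""
    text = normalise_names(inflate_streams(pdf))
    found = {}
    for name, meaning in ACTIVE_NAMES.items():
        # Name must end here: '/JS' should not match '/JSomething'.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", text):
            found[name.decode()] = meaning
    return found


def _flate_object(body: bytes) -> bytes:
    """Wrap an object body in a FlateDecode stream, as object streams are stored."""
    comp = zlib.compress(body)
    return (b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
            + comp + b"\nendstream\nendobj\n")


# Constructed samples (minimal, not strictly valid PDFs; enough for the scan).
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
          b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Launch action with an escaped name, hidden inside a compressed object stream.
LAUNCH_PDF = (b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
              + _flate_object(b"5 0 obj << /S /L#61unch /F (constructed.exe) >> endobj")
              + b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("javascript", JS_PDF), ("launch", LAUNCH_PDF)):
        print(label, active_content(pdf) or "no active content")
```

This is a presence check, not a verdict: a legitimate form may declare `/AA` or `/SubmitForm`, and a `/Launch` or `/OpenAction` in an unsolicited "contract" is exactly the case where the reader choice discussed above matters. Encrypted PDFs and streams with filters other than Flate are not inspected, so an empty result from this script is not proof of a clean file.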
I've seen this first hand on Upwork as well.
For some reason Upwork always reminds me of Updawg.
Not much, you?
I got a similar package on Upwork last Friday.