Posted on 11/19/2004 6:57:12 PM PST by misterrob
Okay folks, need some thoughts on cyber crime. My struggling start-up company was the victim of some soul-less person who decided to use a stolen credit card and then download copyrighted information from our server. They have since contacted us with some extortion demands which we won't pay, based both on principle and poverty. Come up with $40K or they distribute the two reports out to the world. They sent it to 10 people tonight and copied the addressed to us.
I've already filled out an on-line complaint with the FBI and I'm sure holding my breath waiting for them to do anything about it. Anyone else have any thoughts that they could share besides bend over and take it?
We are CoRE. We have obtained copies of your NanoMemory and NanoElectronics research reports. We believe in democratization of information. We will be emailing copies of the report to approximately 4,000 individuals involved in nanotechnology. The list is exhaustive. We will post the report on USENET.
We will seed the report into the major peer to peer networks. We will post messages on a number of industry forums indicating the release of the report into the public domain.
The reports retail at $3,995 each. If we receive an ex gratia payment equivalent to 10 copies of the report we will destroy the reports and abandon our plan. We have been paid significantly higher amounts by other larger organizations, including market research firms and investment banks, to prevent public domain release of expensive proprietary information products. We understand that you are a new business and you have put a lot of work into these reports, so we are being fair and requesting a lower amount. It is nearly Christmas. We want you to feel the love.
We hope that you have learned a valuable lesson. If you agree to our terms, we will advise you on additional security measures that you can take to protect your proprietary information. We are the best. We are CoRE.
You have EXACTLY 24 hours to reply. We do not compromise or negotiate. Law enforcement will not be able to assist you in any way. We are invisible. We are CoRE.
If you do not respond, we will email the reports to you on 11/22, copying 10 individuals from the mailing list on the email. That loss will be equivalent to our ex gratia payment. If we receive no further response, we will submit the report to our anonymous listserver. 4,000 * 3,995 = ?
Your friends at CoRE
Second one:
You will have received a separate email message with the Emerging NanoElectronics Markets report, which was addressed to 10 individuals picked at random from the mailing list.
10 * $3,995 = $39,995
If we do not hear from you by 5pm EST on Monday, the Emerging NanoElectronics Markets report will be sent to everybody on our nanotechnology mailing list. We will also send out the NanoMemory report to the same mailing list one week later.
Do not ignore us. This problem will not go away as you have now learned. Only you can make it go away.
With seasonal love from your friends at CoRE
Bastards......probably think that DU is too right wing for them.
CALL the FBI and do not give up until you get the proper department.
I believe CoRE is a hacking group that pirates software...
What a drag! I have no suggestions but I hope you get some help!!
Call local law enforcement immediately.
So let me get this straight... You sell an electronic file for about 4 grand, and are surprised when someone threatens to duplicate it?
For 4 grand you can print it on photo-copy/scanner proof paper, and send it by registered courier after the payment clears. At least they would have to re-type the whole thing manually.
For a tech company you seem to have taken some rather unwarranted risks.
BTW watch for 'about.blank'......it's a system killer.
No, they actually sent it to people at Merrill Lynch, General Electric, a few start-ups and some VC firms. I sent notes to all of them and told them the story. I also lied a bit but told them these people steal reports, infect them with viruses and then send them out posing as someone inside the original company's organization. They shouldn't spread the reports around, nor should they post them on the server lest they spread the plague.
The next mailing goes out to 4,000 people and it's up on usenet. I take solace in knowing that at least a lot of people out there will see my company's reports and become more familiar with our work. Still, the $100K plus hit is going to be a big sh*t sandwich to eat.
Interesting. I had thought that most of these were coming from Russians, but the language in this note sounds very American. Please keep us informed of what happens.
As an aside, this sort of thing points out fundamental weaknesses in the way we buy and sell information. It will continue to be possible until we face up to the implications of this question:
"how can I be fairly compensated for my creativity, in a world where my work can be duplicated and distributed almost instantly, at nearly zero cost?"
Well... I work in the software industry. Unfortunately, FBI is your best bet, unless you're a serious computer security expert that could potentially set a trap for them. Personally, I'd offer to pay - they have to receive the money somehow - and that's where the internet is no longer (as good of) a shield. Then you pass that info to the FBI. I would think the regular (non-information crime division) would be pretty darn good at tracking financial accounts, if not internet extortionists.
We publish reports, not software code. What they did is steal a credit card, use it to buy my reports and then try and extort money. They also sent out the reports to people using a bogus address with our domain name.
If you work for Intel and are found with photocopied documents you get fired. If you pass electronic copyright around and the IT department finds out you can get screwed for it. We can't stop someone from running it on a printer and sending it out to people but no one is going to buy bootlegged stuff if they work for a company. College kids and lowlifes were never going to pay so I don't really lose anything.
In the end, if someone wants to rip you they will.
Can I assume you reported this to local authorities since you found out the credit card was stolen or did the creditor contact you? Just curious.
I actually happened to be at the same conference with him this week and since the order looked fishy given that the hacker used, get this, a spoofed version of a competitor's domain, I brought it up to him.
Silly question .... The phone book has the Blue pages for reporting extortion and espionage; why did you simply web-file a complaint?
If you call someone, and talk to a real-live person; they can trace the account, and they may even have you pay the amount just so they can then convict the recipients as they 'cash in'.
I'd be all over this with the FBI, local police and your ISP.
1. Paying Core $40K would not seem to buy you anything. The horse is out of the barn.
2. Anyone could do this, whether with a stolen credit card or a legitimate purchase. It seems you have discovered a flaw in your business model.
3. If they send it to 4000 addresses, you probably could track them down -- question is at what cost.
4. Copyright infringement carries with it substantial criminal penalties. If you can get a prosecutor interested in this, and if there are some US actors involved, you might get them heavily fined or jailed for a short time.
Sick! Sick! Sick!
Hire a computer genius to track them? Too bad you can't just go to the yellow pages under Ruthless Internet Tracker.
You are correct. They are an international hacking crew. They usually only "crack" software for release to the general public. I am surprised and disappointed to hear that they are doing this.
Mister, the FBI is slow in responding because they know that logs are kept on servers, etc. These people can be traced. Just be patient.
As to what you have to do to not have them release the copyrighted info.....I don't know about that. I would say that you are out of luck.
However, I hope you have learned a good lesson about computer security.
Get encryption software.
Get a firewall, both hardware and software and a hotshot tech who knows how to configure both.
Have levels of security on those computers that have internet access.
Have a "server" so that only the server has access to the internet and other computers in the system have to go through the server to get to the internet.
Restrict internet access to only those computers which require it.
Restrict internet access to only those employees who require it. ( Marginal employees/lower echelon employees will usually use real-time chat programs, go to chat sites, do personal email, shop, etc. They alone can make your system more vulnerable. ) Run a tighter ship.
Good luck!
Exactly as I understood it.
My point is, for THAT PRICE photocopy proof paper is a cheap investment as is FedEx delivery. Anything in electronic form is almost certain to be illegally copied - more likely the higher the price.
They have been dealing with this type of crime for several years now and it is growing rapidly. http://www.fbi.gov/pressrel/pressrel01/nipc030801.htm
Do not make the payoff. If you do, they will either return later, asking for more money, or sell the blackmail material to somebody else who will contact you next.
As I read it, they paid for the privilege of download with a stolen credit card. They did not hack his computer.
Granted it is bad, but computer security is your responsibility. Sounds like a small price to pay for the education you are getting.
No, what they did was steal the credit card of someone else and then use it to steal from me. You don't get the product off of the server without having the card authenticated by my merchant account.
I can't see that you'll really lose that much business.
First, how many people on their "mailing list" (and who says that "CoRE" even *has* enough industry savvy to know who would be "high value" contacts and who isn't?) would really be likely buyers of your report in the first place?
Second, unless you've already done business with those companies in the past, odds are that most of the "mass mailings" will end up being looked at by some sysadmin flunky getting the "to no-one in particular" emails, who will either consider the mailing to be some sort of con-game spam and delete it, or at best figure it's worth exactly what the company has paid for it, i.e. nothing -- unsolicited emails seldom contain anything of real value.
Finally, any company who receives it who might actually be in the market for your reports is at least moderately likely to pay you for a legitimate copy if they like what they got illegitimately, or if nothing else will want to contact you to see what other similar products you offer.
So I wouldn't worry *too* much about lost sales, unless these jackasses managed to get a copy of your actual customer list, which I highly doubt.
Bad idea.
My business is much lower tech. I manage a miniature golf course.
Last Winter, the aluminium rails were stolen from 36 holes. That's roughly 2000 board feet of aluminium 2X4 [plus 72 custom-castings...hole numbers and par markers].
It was cut up & sold as scrap. The police found which scrap yard bought the ruined rails. They found the ruined bleachers from a soccer stadium & several little league parks. They found cut-up playground equipment stolen from schools and parks. All to no avail.
Scrap Buyers aren't like Pawnbrokers. Scrap Yards can pay in cash, pay with checks made out to cash & not get ID from the sellers/thieves. They are not required to "know their sources".
The recycle industry has given thieves a Free Ride. Government {local, state & national} ignores this issue, Recycle is "PC"...can't go there!
Internet Explorer IFRAME Buffer Overflow Vulnerability
Advisory: SA12959
Release Date: 2004-11-02
Last Update: 2004-11-18
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6
CVE reference: CAN-2004-1050
Description:
A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error in the handling of certain attributes in the IFRAME, FRAME, and EMBED HTML tags. This can be exploited to cause a buffer overflow via a malicious HTML document containing overly long strings in e.g. the "SRC" and "NAME" attributes of the tag.
Successful exploitation allows execution of arbitrary code.
The vulnerability has been confirmed in the following versions:
* Internet Explorer 6.0 on Windows XP SP1 (fully patched).
* Internet Explorer 6.0 on Windows 2000 (fully patched).
NOTE: This advisory has been rated "Extremely critical" as a working exploit has been published on public mailing lists. A variant of the MyDoom virus is now also exploiting this vulnerability.
It would take an expert to download the code from an infected source and successfully push it out to the cretins. But infected sources are out there - so be careful. ....whatever you do.
...They must have seen your FR tag...misterrob...with a space.
mister rob
No product sold at that price should be delivered automatically without a person reviewing each transaction.
Any legitimate business that might receive this stolen information would be committing a crime by using it.
Assuming that business is in the USA...
Do you have the full headers that came with the email? I might be able to do some snooping around for you. That truly stinks.
Also, when they downloaded the material, do you have access to the logs on your server? It might be interesting to see what IP was used (my guess would be some proxy or throwaway Inet acct) but ya never know.. sometimes these types trip up and you can catch them that way.
Freepmail or ping me and I'll see what I can find out about this Core group.
Just an FYI, of course. One wouldn't want to take on a project like that without extensive knowledge.
Again, contact the FBI. The "bogus email address" is *NOT* the only routing information available. Somewhere there's an electronic "paper trail" indicating where those emails actually originated, and the FBI has a good chance of accessing it.
It might just trace back to some anonymous remailer, but even many of those can be cracked with a proper warrant.
Plus, given the pompous "do not attempt, we are CoRe and we're super hackers, you betcha" messages scattered through the email, it sounds to me more like these are kids trying to convince you *not* to trace them, than real pros secure in their ability to actually stay untraceable. So give it a try.
Finally, don't even think of paying them, except in some sort of "sting" operation designed to entrap them. If you pay them, at all, you'll *never* be rid of them.
Even if they've totally ruined the market value of this report (and I doubt it), you can always write more reports, or update this one so that potential customers would still have a reason to buy the latest and greatest from you, instead of just keeping an illicit copy of the compromised one.
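The routing trail these replies point to (full headers, relay records) can be read from the Received lines of a message. An added example, not part of any post in the thread: it walks a constructed message's Received headers and separates the hop recorded by the recipient's own mail servers from the hops the sender could have forged. Host names, addresses and the `trusted_suffix` parameter are assumptions made for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: mail claiming to come from the victim's own domain.
# Host names are reserved .example names; addresses are documentation ranges.
RAW = """\
Received: from mx.recipient.example (10.0.0.5) by mbox.recipient.example; Sat, 20 Nov 2004 02:10:09 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.23]) by mx.recipient.example; Sat, 20 Nov 2004 02:10:07 -0500
Received: from victim-co.example (unknown [203.0.113.77]) by relay.isp.example; Sat, 20 Nov 2004 02:10:01 -0500
From: "Sales" <sales@victim-co.example>
To: someone@recipient.example
Subject: report

body
"""

def parse_hops(raw):
    """Return the Received hops newest-first, in the order the headers appear."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        helo = re.search(r"\bfrom\s+(\S+)", value)
        ip = re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", value)
        by = re.search(r"\bby\s+([^\s;]+)", value)
        hops.append({"helo": helo.group(1) if helo else None,
                     "ip": ip.group(0) if ip else None,
                     "by": by.group(1).lower() if by else None})
    return hops

def trace(raw, trusted_suffix):
    """Split the trail where servers under trusted_suffix stop vouching for it."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    handoff, unverified = None, []
    for hop in parse_hops(raw):
        by = hop["by"] or ""
        trusted = by == trusted_suffix or by.endswith("." + trusted_suffix)
        if trusted and not unverified:
            handoff = hop              # lowest trusted hop seen so far
        else:
            unverified.append(hop)     # written outside our control; may be forged
    return {"from_domain": from_domain, "handoff": handoff, "unverified": unverified}

if __name__ == "__main__":
    result = trace(RAW, "recipient.example")
    print(result["from_domain"], result["handoff"], result["unverified"])
```

The handoff address is the one worth giving to investigators and to the relay's operator; entries below it are leads to confirm against that operator's own logs.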
Note to self: Retribution is bad.
If you are a computer software engineer, USE BLACK MEDICINE.
Set up a spy-bot system to find out who's buying or who has bought your reports.
Everybody else is doing it.
Screw them before they screw you.
You can easily find the addresses of where your product went to.
Stop thinking like a white man...
THINK LIKE A WOMAN. GET REVENGE.
I have no idea what you just said ? Black medicine?
Black Medicine is a self-defense technique - pretend to give in, and strike them when they least expect it. Videos and books are available at your local gun show.
Hey! I'm a woman...I resemble that remark. lol

This won't solve the problem but it might make you feel better.
Actually I think it is the Secret Service that handles credit card fraud. So contact the Department of the Treasury.
Yes, I understood that, too. Never hurts to remind people.
contact Steve Gibson, Gibson Research I think it's GRC.com or GRC.org, very knowledgeable in this kind of stuff....
Then go out as your real name and tell your customer base that someone stole your document and altered it with false information. If they want the REAL document, they still have to send you $3,995
P.S. My consulting fee just so happens to be $3,995. I'll take it in cash or copyrighted documents.
Narby
Perhaps I didn't make my point clear. The idea is to put out so much disinformation, and TELL EVERYONE that there is disinformation on the street, that the genuine document you're being extorted over won't be worth a dime to the bad guys. A real customer will have to pay you in order to know that it's real.