[HN Gopher] How does one get hired by a top cybercrime gang?
___________________________________________________________________
How does one get hired by a top cybercrime gang?

Author : wyldfire
Score  : 169 points
Date   : 2021-06-16 14:41 UTC (8 hours ago)

(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)

| ackbar03 wrote:
| Wait hang on, that cliff hanger though
|
| >"Multiple security experts quickly zeroed in on how
| investigators were able to retrieve the funds, which did not
| represent the total amount Colonial paid (~$4.4 million): The
| amount seized was roughly what a top DarkSide affiliate would
| have earned for scoring the initial malware infection that
| precipitated the ransomware incident."
|
| I'm not quite sure what this implies? That the team who did the
| initial infection was in fact some sort of FBI undercover?
|
| So undercover FBI successfully hacked colonial pipeline, ignited
| all this press coverage and attention, and quietly disappeared
| with the ransom amount? Am I interpreting that correctly?
| l33t2328 wrote:
| > I'm not quite sure what this implies?
|
| This implies less technically inclined "affiliates" used the
| malware made by someone else, slipped up and had their 85% cut
| retrieved. Meanwhile, the creators of the ransomware took their
| 15% cut safely.
| chevill wrote:
| >I'm not quite sure what this implies? That the team who did
| the initial infection was in fact some sort of FBI undercover?
|
| I suppose that's one of the many possibilities that are
| implied, but it's not even close to the most likely.
|
| I think it's more likely that some of the attackers' systems or
| accounts were compromised (AKA hacked).
| jaywalk wrote:
| If you would have clicked on the link to the article, it's
| explained in a little more detail and a few experts weigh in
| with what likely happened:
| https://krebsonsecurity.com/2021/06/justice-dept-claws-back-...
| meowface wrote:
| This article is similarly light on actual details of how they
| might've done it.
| great_reversal wrote:
| Getting hired is just applying to another job posting. The
| interview process is two-step, with a project-based technical
| component. The job itself is also two-step: first year is similar
| to contract work, with good employees brought into the fold not
| long after.
|
| It looks like DOJ is trying to make an example out of some lowly
| frontend/freelance developer. Her work includes:
|
| - creating a "web panel used to access victim data stored in a
| database"
|
| - added a feature that "showed an infected computer or 'bot'
| status in different colors based on the colors of a traffic
| light"
|
| - added a feature that "allowed other Trickbot Group members to
| know when their co-conspirators were working on a particular
| infected machine"
|
| One thing DOJ accuses her of is "developing tools and protocols
| for the storage of credentials stolen and exfiltrated from
| victims infected by Trickbot." But it's pretty obvious they don't
| know what "frontend developer" even means.
| watwut wrote:
| Why would doing these be fundamentally less bad than other tech
| other work for gang? It is pretty clear from your examples that
| she knew who she is working for. And yes, this sort of admin
| coding is a large part of any hackers group. Large scale operation
| requires that.
|
| Second, your section "Her work includes" picks least harmful
| sounding sentences. And they still sound harmful enough.
| ggggtez wrote:
| I don't think it's obvious at all.
|
| They gave one example of how she got hired, but not a
| comprehensive list of every feature she made.
| zrobotics wrote:
| I mean, surely if one isn't absolutely clueless it would be
| pretty obvious what is being developed. Sure, she didn't code
| the active part of the malware, but the types of information
| being passed & displayed would almost certainly tip off what
| her employer was up to.
| I'm sure they know what a front-end dev
| does, none of that sounds like something beyond the job
| description.
|
| It does seem shitty that all the other suspects had their names
| redacted except her, she likely wasn't high level in the
| organization, so singling her out like this is shitty. If the
| other suspects are still under investigation, redact all the
| names until they can be made public. But that's a legal, not
| technical, issue.
| balls187 wrote:
| This reminds me of the story in Freakonomics about the street
| level drug dealers making basically minimum wage, with the
| majority of the money going to high level traffickers who are
| typically firewalled through layers of middlemen.
| distribot wrote:
| I think that the difference here is that actors in places with
| radically different COL can participate. Imagine if a kid in a
| Northern Triangle country could sell drugs on the street of an
| American city--the risk/reward is much different. To them, even
| American minimum wage could be a boon.
| ghaff wrote:
| It's common in a fair number of places: professional sports,
| music, book writing (among those doing it for money), acting,
| law (to a lesser degree).
|
| The very top does well, even very very well. Most everyone else
| scrapes by--if that.
|
| Most professional jobs aren't like that. Sure senior execs can
| make an outsized amount of money but most of the rank and file
| are still doing OK.
| jedberg wrote:
| Law is more bimodal than a pyramid.
|
| All those other ones you mentioned rely on popularity to
| determine one's paycheck, which is why they are all pyramids.
| ghaff wrote:
| They're not really pyramids though. If you're a baseball
| player, you either make a _lot_ of money by most people's
| standards, albeit for a possibly short career, or you
| basically don't make much at all, even if you can play in
| the minors.
|
| Law isn't quite so stark.
| You don't _have_ to be at a white
| shoe firm to do OK (corporate counsel, prosperous practice
| in a smaller city) but a lot of lawyers certainly make
| pretty modest salaries.
| jedberg wrote:
| It's still a pyramid. There are a few people at the top.
| There is the next layer of the people who make a decent
| living, aka the "middle class" actors, the folks making
| MLB minimum wage ($600K/yr), etc. and then all the people
| in the bottom layer trying to break in (the starving
| actors, the minor league players, etc).
|
| And lawyers are very bimodal. You have a ton of lawyers
| who make less than <$90K/yr, and then a whole bunch
| making >$200K/yr, and not a lot in between.
| Spooky23 wrote:
| Exactly. The middle ones are all government attorneys who
| exchange earning potential for stability and more humane
| hours.
| ghaff wrote:
| Maybe. I don't dispute that law is bimodal but I also am
| pretty sure there are a fair number of corporate counsels
| and partners at smaller practices earning comfortable low
| six figure salaries out there.
| duxup wrote:
| If I recall correctly many had regular jobs that even paid
| better.
|
| The idea of a full time 'career criminal' guy who works at it
| full time without another job seems less common than people
| seem to think.
| cooldrcool2 wrote:
| Most drug dealers I know just do it to achieve a lifestyle
| they wouldn't normally be capable of with their existing
| job(s).
| ipaddr wrote:
| Most drug dealers are doing it so they can smoke/drink for
| free maybe make a few dollars.
| voidfunc wrote:
| Some, knew one in college paying the 40k/yr tuition
| selling overpriced molly/weed/coke to the students. Good
| racket lol.
|
| He got his degree and then went into some marketing and
| sales gig for a decade is doing quite well and I believe
| continues to sell on the side to trusted clients so not a
| street dealer (saw him last year at a buddy's wedding).
| hellbannedguy wrote:
| While we're being honest, there's a small segment that
| sells because they think it cool.
|
| That whole gangster rap testosterone street $900 shoe
| guy.
|
| In college, I moved into a very cheap apartment. I had no
| idea, it was the worst part of Oakland. I saw some things
| that didn't make any sense. Some successful dealers had
| other opportunities. Most probably didn't. I was so
| naive, I didn't know my roommate was selling until my
| second semester. I just thought he had a lot of friends.
| He finally told me what he did one night over a video
| game.
|
| Where is he now? He's in a midwest prison over dealing
| pot. Yes, dealing pot. Why? He heard Potheads pay triple
| for what Californians pay. He got his brother to come
| along. I remember him telling his brother, "you don't
| want to be a Waiter for life?"
|
| He, and his brother go to Ohio. They set up shop. They
| weren't violent, and didn't fit the stereotypes of drug
| dealers.
|
| Everything was fine until they hired this little rich
| white kid who thought he was in a NWA alternative
| reality. He was "slinging" their product in his
| vernacular.
|
| Well this idiot killed a guy over a small amount of pot.
|
| The cops were more interested in the "kingpin" behind the
| operation.
|
| Well the kid squealed, and the prosecutor threw the book
| at my friend. They made him out to be Pablo Chicone. He
| was anything but a hard nosed killer. He never even owned
| a gun.
|
| Well, he got a long sentence.
| snypher wrote:
| There should be a name for this type of societal
| organization... anyway, I have a rocketship to catch.
| yellowstuff wrote:
| Tournament theory
|
| https://en.wikipedia.org/wiki/Tournament_theory
| omgwtfbbq wrote:
| Not even close.
| paulpauper wrote:
| A Blue Origin one? lol
| Kenji wrote:
| There already is a name for it: Government.
| tyingq wrote:
| It doesn't say what these coders make.
| But, as with the
| dealers, it's likely tax free, so even "minimum wage" is better
| than it sounds.
| wolverine876 wrote:
| No benefits, no social security, no resume, no references
| (outside the criminal world, if they even use references), no
| personal network (outside crime), permanent and catastrophic
| damage to your reputation if you are caught ... but you save
| on taxes!
| bryanrasmussen wrote:
| yeah but considering the risks it's actually very, very bad.
| dataviz1000 wrote:
| The hospital costs for uninsured low level drug dealers who
| have a lead allergy must be astronomical.
| elefanten wrote:
| Sure, but society picks up the tab
| dmos62 wrote:
| If you examine marginal behaviour, we're all picking up
| each others' tabs.
| knolax wrote:
| Where do you live where that's free?
| grecy wrote:
| There's only one Developed country where it isn't.
| northwest65 wrote:
| Where do you live that it's not??
| odiroot wrote:
| Unfortunately, very often it's not lead-free.
| mmcgaha wrote:
| Many of the people that sell drugs aren't concerned with what
| they make. The money is under the table so it does not
| interfere with other welfare assistance they get. Additionally,
| many of these people are not able to work for someone else
| because they aren't used to structure. Think of the people you
| bought pot from when you were a kid, they were most likely a
| woman working some easy to replace job with a man who did
| absolutely or damn near nothing.
| haskellandchill wrote:
| Can confirm, mostly dealt drugs to be cool. Way too much risk
| for almost no reward. Was an idiot and thought I was
| contributing to the culture but after leaving the game I still
| get questioned if I'm a cop and get no respect from the
| paranoid dealers where I moved to. I thought we were a society
| :(
| [deleted]
| grumblenum wrote:
| https://www.fbijobs.gov/
| hyperbovine wrote:
| Wait, the "wall of perp photos connected by bits of yarn" is
| REAL?!
| And here I thought I was watching way too many
| procedurals. Mind = blown.
| erichurkman wrote:
| If they represented it with a real photo you wouldn't be able
| to tell the difference to a general office job.
| callalex wrote:
| Look at how your last few jobs were represented by the
| recruiting department compared to how the actual job was.
| Everybody does this, it's a transparent lie to push you over
| the edge if you were already interested.
| noofen wrote:
| Shame, I smoked a blunt 3 months ago in California. I'll try
| again next year!
| kortilla wrote:
| I wonder what the stats are on how many amazing candidates
| they are losing because someone had an edible on a weekend 9
| months ago.
|
| "Sorry, you admitted you drank a beer 6 months back. Try
| again in a couple of years and don't drink!"
| Pokepokalypse wrote:
| "Sorry, you admitted you drank a beer 6 months back. Try
| again in a couple of years and don't admit that you drink!"
| vageli wrote:
| You undergo polygraph to join FBI, no? Seems like a bad
| idea to start under false pretenses.
| darig wrote:
| Roll your own.
| truenindb wrote:
| Here is irrefutable evidence that the suspect is actually a
| berlin police: https://www.youtube.com/watch?v=wwZbonjAlPc
| distribot wrote:
| Why would a person doing this type of crime reside in the US? I
| understand quality of life is higher than Russia, but Russia
| neighbors Latvia--her country of origin. It is confusing to me
| because if she were there, her activities would have been
| discovered but she would have had the tacit protection of the
| state.
| DominikD wrote:
| She doesn't reside in US, read the text. She lives in Suriname
| and was just flying through (or temporarily to) the US.
| distribot wrote:
| Yup, I commented before finishing the text based on where she
| was arrested.
|
| The point still stands I think. Yes, it's not as flagrant as
| _living_ in the US.
| But you'd think a person engaged in this
| kind of thing would feel reluctant to have a layover in a
| country that cooperates closely with US law enforcement let
| alone Miami.
| Grustaf wrote:
| > quality of life is higher than Russia
|
| Have you been to Russia?
| _RPL5_ wrote:
| Have you? What's your impression?
| azinman2 wrote:
| Quite frankly she doesn't come across as very smart, and
| certainly not very technologically sophisticated. The idea that
| you run into a problem and use Google to solve it hardly
| constitutes skill development.
|
| It is interesting that they're hiring based on job boards. I
| don't know how normal gangs recruit but I'd guess it's a lot of
| word of mouth. It seems when there are real honest alternatives
| out there for skilled labor, that you need to go to the public
| will also be an Achilles' heel.
| [deleted]
| tyingq wrote:
| She was at least able to make a dashboard that combined
| database info as well as "Trojan horse status" for active
| victims. In a way that worked well enough for them to scam
| enough people that it caught the US's attention.
| mwint wrote:
| This doesn't in any way downplay your point, I just noticed
| this sentence and it made me think: "The idea that you run into
| a problem and use Google to solve it hardly constitutes skill
| development."
|
| It's probably natural for most folks on HN to consider
| "googling problems" an obvious, basic first solution - but I'm
| always stunned by how many people in real life, outside of the
| IT industry, don't have that path in their brains well-trodden.
| For some reason, they'd rather flail around or ask a real human
| (often me) for help, rather than type a couple words into a
| search bar and see what happens.
|
| I wonder if there's an opportunity to teach a "how to search"
| class in schools. You could have some fun open-Google exams!
| BeFlatXIII wrote:
| > I wonder if there's an opportunity to teach a "how to
| search" class in schools.
| You could have some fun open-Google
| exams!
|
| I had something similar to that when I was in elementary
| school, including comparing results across search engines.
| Boolean searches plus Smart Selection of keywords would
| quickly lead you to good sources.
|
| Sometime between when I graduated high school and 2016, most
| of those tricks stopped working reliably. Google, Bing, and
| DDG are the only games in town for the anglophone world and
| all three drown out the worthwhile results in reposted blog
| spam. Until you magically discover the shibboleth that
| directs you to actual information, you're stuck in a hell of
| shitty how-to websites that have nearly-identical irrelevant
| information.
|
| It's less hassle and more accurate (though slower and
| possibly outdated) to directly ask a known local expert.
| piptastic wrote:
| Good idea, "how to search" should also be paired with
| filtering noise.
|
| There's a ton of information now and it's not always
| intuitive to understand what information you should value and
| when.
| wyldfire wrote:
| XKCD to the rescue! [1]
|
| [1] https://xkcd.com/627/
| nkrisc wrote:
| Many (most?) people are simply not curious. When they run
| into something they don't know how to do, they don't wonder
| how to figure out how to do it, they just sit there until
| someone shows them how.
|
| I assume when most people here on HN run into a problem,
| their first thought isn't, "who can I ask?" but instead, "how
| can I figure it out?" because most hacker types are naturally
| curious and relish an opportunity to learn something new.
|
| In my experience most people have zero interest in learning
| something new when they encounter something they don't know.
| vageli wrote:
| > Many (most?) people are simply not curious.
|
| Is this really so? With respect, this take seems too
| cynical to me. I say this as a person to whom many come
| when they can't figure things out.
|
| I often initially feel much like you do, but I temper that
| feeling with the knowledge that the asker is likely under
| delivery pressure, etc and has to subvert their curiosity
| in order to maintain velocity.
| _zamorano_ wrote:
| Shockingly to me, in many fields, Google results are bare.
|
| Coming from IT, in the industry, even questions about
| software (very specialized, to be honest) get useless
| results.
|
| I think the openness of information in software is the
| exception, not the norm, though many fields like science are
| making improvements.
| prova_modena wrote:
| This rings true for me, and reminds me of my early
| experience learning about machining and CNC machines. There
| are a lot of very low quality googleable sources out there
| for that field (mostly dealing with the hobbyist side of
| it) that crowded out the information I needed for
| professional development and troubleshooting.
|
| Eventually, as my knowledge of the field increased I
| learned the "pro" terminology for certain objects and
| processes, which improved my ability to search useful info.
| I also discovered through chance or personal recommendation
| some very useful pro-level online sources, which don't have
| a large presence on search engines. There was a long grind
| of several years before I got to the point where I could
| search online for machining information and solutions
| online with confidence that I could find useful results and
| assess their reliability. Even then, there is a lot that I
| need to find in books/manuals or in conversation with
| experts.
|
| While this is a process that takes place when learning
| about any technical topic, in my experience it's easier in
| programming (and to a lesser degree general IT topics) than
| in fields that exist primarily in the world of physical
| objects. IMO, this has something to do with the tendency of
| programming problems to "self-define" themselves in
| specific textual language (I.E.
| compiler errors you can
| copy and paste into google) and also with origins and
| focuses of the largest internet knowledge bases.
| neuroticfish wrote:
| >I wonder if there's an opportunity to teach a "how to
| search" class in schools.
|
| We did this in a public middle school around 2002-2003 with
| boolean searches. Was this unique to my experience or has
| this been a common thing for awhile?
| [deleted]
| wizzwizz4 wrote:
| Neither: there was a brief period where there was decent
| ICT education, then it all went away again.
| josefresco wrote:
| Pretty sure 20% of my value as a professional web builder and
| resident family tech support rep is my ability or willingness
| to "Google" something. I'm being 100% serious - I attribute
| most of my tech knowledge simply to my curiosity, and
| willingness to search out a solution. Many people (including
| my own kids) are happy to A) not know or B) ask someone else
| (me).
| mmcgaha wrote:
| Don't think this is new either. Before we even had internet
| access at work people would ask me for help with excel or
| some other program and the first thing I would do would be
| to use built in help. Many folks just don't understand how
| much help a book/helpfile/internet can be.
| arp242 wrote:
| It's not even unique to IT/software; my ex-girlfriend was
| a vet and she just googles things as well. Turns out there
| are lots of veterinary procedures on YouTube for example,
| and for some of the rarer chirurgies and such you need to
| do it's pretty useful.
| at-fates-hands wrote:
| >> For some reason, they'd rather flail around or ask a real
| human (often me) for help,
|
| When I was briefly in sales before becoming a developer, I
| had a co-worker who, for the life of her, could not remember
| how to do a soft-line break in MS Word. She literally would
| ask me at least once a day.
| I finally just printed the
| keystroke (shift + return) on a sheet of paper and when she
| would peer over the cube, I'd just hold it up and she'd sit
| down again.
|
| Even in our sales group, the majority knew to use Google to
| get answers to all kinds of technical questions. But you're
| right, there's still a big group of people who are unaware or
| too lazy to go there first.
| GiorgioG wrote:
| Agreed. The layperson for the most part does not know how
| to search effectively. Even among my developer friends today
| who are competent, if they can't find something, they come to
| me. I have a knack for finding things that are difficult to
| find - going back all the way to when AltaVista was the best
| search engine around - I can't really explain it.
|
| My parents, in-laws, etc... they all say on a pretty regular
| basis that they have trouble finding what they're searching
| for. Google tries really hard to return relevant results
| (which actually annoys me because I really, really, really
| want it to search for exactly what I typed - by default.)
| im_down_w_otp wrote:
| I encounter often the opposite problem where I'm regularly
| telling people who are flailing around on Google to deal with
| some unexpected problem, "I don't know, but you know who
| will? An Oncologist/IP-attorney/electrician/etc. Instead of
| using Google to find a pile of amateurs' competing anecdotes,
| perhaps you can use it to find an actual expert who can help
| you?"
| mikeyouse wrote:
| Very true. "Just google it" works for a very specific
| subset of problems. In most disciplines, especially "real
| world" ones outside of computing, there is no easily
| googleable answer to most problems. Lawyers get a hard time
| for answering every question with "it depends" but
| unfortunately, that's the domain a lot of people work
| within and it's the right answer most of the time.
| NikolaNovak wrote:
| I see what you're saying, and I guess like most, I've
| experienced both:
|
| * A trivial technological problem that leaves my family
| helpless though it's literally the first hit on Google
|
| * A critical life-impacting issue, usually health but
| sometimes things like taxes or mortgage or household
| maintenance - things where trustworthy experts exist and
| are readily available here - and they go to random sketchy
| Facebook groups and get random advice from random people
| (frequently involving Crystals or essential oils but I
| digress into whole other rant :P )
| TheOtherHobbes wrote:
| There seem to be two modes here. There's an objective
| fact-checking mode, and a personal network of trust mode.
|
| This becomes a problem when the personal network is made
| of people who rely on hearsay, and signals-of-belonging
| instead of evidence-based information.
|
| It's also a problem when "official" experts aren't truly
| expert, for various possible reasons - including
| corruption, incompetence, deliberate bad faith, and
| others.
|
| It's hard for people who think in one way to understand
| that others don't think in the same ways.
| captn3m0 wrote:
| I've realized over time that my "google a solution" instinct
| only kicks in while I'm dealing with tech problems.
|
| For everything else, my brain takes some time to make that
| leap.
| jrm4 wrote:
| I regularly teach an Information for IT professionals course
| in a college. My first assignment, (group, part icebreaker)
| involves
|
| - comparing different search engines (to google, mostly)
|
| - seeing if you can find patent numbers, etc.
|
| - and the best, I mix up a bunch of "real" and "fake" sites
|
| (e.g., the Carbon Monoxide awareness site and then the
| Dihydrogen Monoxide site, and giggle as they critique that
| the second one needs a better web designer and needs to be
| more professional...)
| drdec wrote:
| There are some definite non-trivial skills involved in
| successfully googling the solution to a problem. The biggest
| one is having enough reading comprehension to understand what
| you found (or alternatively, having enough time/patience to
| watch YouTube videos that take forever to get to the point).
| The second most important is the ability to recognize non-
| solutions or non-optimal solutions.
|
| For many people, they are used to learning from other people
| instead of from search results. So it makes sense that their
| first instinct is to reach for asking those around them.
| adolph wrote:
| > opportunity to teach a "how to search" class
|
| Not as much as SEO "how to break search" opportunities.
| jacquesm wrote:
| > The idea that you run into a problem and use Google to solve
| it hardly constitutes skill development.
|
| What does, according to you?
| axiosgunnar wrote:
| Something ultra-specific to this particular gatekeeping
| individual, I suppose.
| azinman2 wrote:
| Taking a course, reading books, watching lectures, and
| actually building projects in new domains. I'm not going to
| learn machine learning by googling each step and copy/pasting
| stack overflow. I'm not going to learn how TCP works by
| Googling and copy/pasting stack overflow at each requirement.
|
| Skill development is something that takes a lot of time and
| practice.
|
| None of that is to say that stack overflow isn't useful, or
| that I won't learn things when I run into a problem by
| reading a blog entry. But to me that isn't the same thing as
| learning a new skill, unless that skill is so small and
| shallow that a single blog entry is all of the knowledge
| you'd ever need.
| [deleted]
| [deleted]
| balls187 wrote:
| > The idea that you run into a problem and use Google to solve
| it hardly constitutes skill development.
|
| Until you come across people who can't even do that.
|
| I'm unsure of your age, but I was a developer before Google was
| a thing, and researching your answer, using Gopher, Usenet,
| and/or books was very much how we solved problems.
|
| Honorable mention: talking to that Old-office-coffee-stained-
| teeth-sys-admin-who-probably-forgot-more-about-computers-than-
| I-ever-knew.
| azinman2 wrote:
| I'm not saying knowing how to google isn't a necessary skill
| with unequal distribution. I'm saying that's not the pathway
| that'll take her as a front end web dev and allow her to
| write the underlying malware that the front end provides a UI
| around.
|
| It's as meaningless a statement as "I know how to read books
| so I can learn new skills."
| JohnBooty wrote:
| The idea that you run into a problem and use Google to
| solve it hardly constitutes skill development.
|
| You need to understand a domain somewhat well in order to
| Google effectively.
|
| For example, I don't know anything about flowers.
|
| Sometimes I see a flower that I'd like to identify, but I can't
| really Google it -- aside from color and perhaps the number of
| petals I'd have no idea what terms I'd use to describe a flower
| and therefore what I might possibly type into Google.
|
| (note: This is just an example. Never really tried to identify
| a flower w/ Google. Perhaps I could use Google image search,
| etc.)
| azinman2 wrote:
| You could use Google Lens.
|
| However we're not talking about a domain she knows zero
| about. We're talking about her building web pages. I'm
| guessing she's not suggesting that you could throw at her
| 'build a new OS kernel that brings cryptographic signatures
| as a base primitive for all operations'. So the reality is
| she'll be able to Google for n+1 things, not n+1000.
|
| Either way, my point is n+1 Googling isn't the same thing as
| learning a new skill. It's expanding your knowledge right at
| the periphery of what you understand.
| beermonster wrote:
| Is this true anymore?
| It used to be true back when all the
| really cool Google search operators worked and the service
| didn't use natural language processing to process search
| queries. But these days you're 'supposed' to use google like
| this: 'what is the purple wild flower that grows in spring in
| England?' as opposed to 'filetype:pdf site:blah.org +foo -bar
| 2010..2012' which would find files of type pdf on domain
| blah.org referring to foo but not bar between the years 2010
| and 2012.
|
| Honestly I prefer searching the latter way and would love to
| know which search operators still work these days.
| hsbauauvhabzb wrote:
| Some UX concepts are like this. Surely I'm not the only one
| who arrives at a problem I can't describe to google in a way
| that returns meaningful results?
| [deleted]
| azinman2 wrote:
| For people downvoting me, I'd love to know why. The many
| comments here aren't negating what I said or explaining why I
| was wrong.
| corobo wrote:
| You're saying she's dumb because she Googles the answer.. not
| the part where she hosts malware on her own domain? Maybe
| voluntarily travelling to the US from a country with no
| extradition deal with the US? It's the Googling that does it
| haha
|
| Being able to search is a legitimate skill that relatively
| few have too. We will probably disagree a bunch here, I can't
| be fluffed to have that to and fro -- so I downvoted and
| moved on
| TrackerFF wrote:
| > It is interesting that they're hiring based on job boards.
|
| I remember reading how even cartels hire people through normal
| job listings. IIRC, there was some sordid article regarding
| this, where the cartels will list out jobs for "security" jobs,
| think regular security guard work, event security detailing,
| etc.
|
| They'd then drive out the candidates to some remote and closed-
| off training site, push them hard, and just kill anyone that
| didn't make the cut.
___________________________________________________________________
(page generated 2021-06-16 23:00 UTC)