-
17th March 2021, 11:31 AM #1
emails, hacks and ripoffs - New Scam to be aware of - Nursing Homes
I thought to post this article from today's ABC News reporting on a trend that's been rising.
102yo grandmother scammed out of aged care bond in $375,000 email hack - ABC News
As some of you will have POAs for your parents, or may yourselves be contemplating the next stage of life, these kinds of frauds are rampant and you should be aware of them.*
The scam is both basic AND elaborate. It's elegant, as it goes after The Big Bux and gets people at their most accommodating and elsewhere-focused.
Basically, email servers are WIDE OPEN to hackers who have winkled/determined/bought previous login details en masse from previous hacks. People recycle passwords. If I had your email, plus a few passwords that have been nicked during a hack of a service or eight, I can start working out what your password structures might be.
Now, for you PERSONALLY this may not be a problem, but for businesses it's a major issue and one they barely give a rat's a$$ about.
In this case, and also the case for SOLICITORS (another high-fat, easy-as target) the scammers get the email/password for one or many addresses at the company/firm.
They simply set up Thunderbird/Outlook to log on and grab every email on that account and get updates. It looks exactly like a worker working from home.
Now, nursing homes, companies and solicitors usually use dumb addresses that many people access.... contact@... help@... payments@.... settlements@.... info@.... service@...
They bide their time and watch for the beginnings of a juicy transaction.... mum being put into her new home.... money to be paid (they just use filters) and then hijack the conversation... deleting the emails they both send and those sent in response TO those queries. It's all PERFECTLY LEGIT..... just like the employee working from home....
So, they simply pick up the thread, just like any employee would, handle the transaction and ensure the money is paid into their own account rather than the company's and PRESTO - $320,000 and offffffffff wwwwweeeeee gggggoooooo.....
ALWAYS ring the company to confirm large payment details.
I would rate this scam as 10/10 for how easy it is and the surety of the payoff. I've seen many involving solicitors and house settlements.
OBVIOUSLY better systems need to be in place... but until they are, well, you are the victims.
* I thought to disclose some knowledge. I was the CTO of a credit card processing firm (just the risk management middlemen). I designed most of the risk management software and APIs. The firm processed 1 to 3 billion USD in transactions a day. Depending on region and site, between 7.5% and 25% of transactions were fraud. We captured those, denied them and put all the know-how into an adaptive rules-based system. I think you can easily guess which places and groups of... ah... "peoples"... were the worst originators of fraud. To give you an idea of how bad it was, the Commonwealth Bank in NSW lost $1 mil to fraud every day... that's one bank, in one state, in one day...... now, we were an international firm with a focus on a particular region... it left me feeling sad that there were so many scumbags out there... and how basic and stupid they were... they simply never let up....
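The filter trick described in the post above (mailbox rules that quietly delete or divert the payment thread so the real staff never see the other side's replies) leaves a trace that a mailbox administrator can hunt for. The block below is an added example, not part of the original post and not any vendor's tooling: it audits a constructed list of inbox rules expressed in a simplified, product-neutral schema (an assumption for the demo; real Exchange, Gmail or Sieve exports look different) and flags rules that delete matching mail, auto-forward it outside the owner's domain, or move it into folders that are commonly used as hiding places, rating a rule higher when its filter keys on payment-related terms.

```python
import re
from dataclasses import dataclass, field


@dataclass
class MailRule:
    """Simplified, product-neutral inbox rule (assumed schema, not a real export format)."""
    owner: str                      # mailbox the rule lives in, e.g. admissions@...
    name: str
    match_subject: list = field(default_factory=list)
    match_body: list = field(default_factory=list)
    match_from: list = field(default_factory=list)
    actions: dict = field(default_factory=dict)   # keys: delete, mark_read, move_to, forward_to


# Terms a BEC filter typically keys on when waiting for "a juicy transaction".
PAYMENT_TERMS = re.compile(
    r"\b(invoice|bond|deposit|settlement|bank|bsb|account|payment|remittance|wire|transfer)\b",
    re.I,
)
# Folders nobody looks in, so mail moved there is effectively hidden from the real staff.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "deleted items", "trash"}


def rule_findings(rule: MailRule) -> list:
    """Return the individual red flags for one rule (empty list means nothing suspicious)."""
    findings = []
    internal_domain = rule.owner.rsplit("@", 1)[-1].lower()

    forward = (rule.actions.get("forward_to") or "").lower()
    if forward and not forward.endswith("@" + internal_domain):
        findings.append(f"auto-forwards to external address {forward}")
    if rule.actions.get("delete"):
        findings.append("deletes matching mail")
    dest = rule.actions.get("move_to") or ""
    if dest.lower() in HIDING_FOLDERS:
        findings.append(f"moves matching mail to '{dest}'")
    # Marking read before hiding is only meaningful when something is being hidden.
    if rule.actions.get("mark_read") and findings:
        findings.append("marks it read first, so no unread count gives it away")
    # Heuristic: attacker-created rules are often given blank or one-character names.
    if len(rule.name.strip()) <= 1:
        findings.append("rule name is blank or a single character")
    return findings


def audit_rules(rules: list) -> list:
    """Audit a list of MailRule objects; return diverting rules, highest severity first.

    A rule is reported only if it deletes, hides or externally forwards mail.
    Severity is 'high' when its filter also matches payment-related terms, else 'medium'.
    """
    report = []
    for rule in rules:
        findings = rule_findings(rule)
        diverts = any(f.startswith(("auto-forwards", "deletes", "moves")) for f in findings)
        if not diverts:
            continue
        keyed_on_money = bool(PAYMENT_TERMS.search(" ".join(rule.match_subject + rule.match_body)))
        if keyed_on_money:
            findings.insert(0, "filters on payment-related terms")
        report.append({
            "owner": rule.owner,
            "rule": rule.name,
            "severity": "high" if keyed_on_money else "medium",
            "findings": findings,
        })
    return sorted(report, key=lambda entry: entry["severity"] != "high")


# Constructed sample rules for the demo: one legitimate filing rule, two that look
# exactly like the hijack in the post, and one ordinary clean-up rule that hides mail.
SAMPLE_RULES = [
    MailRule("accounts@example-care.test", "File supplier invoices",
             match_subject=["invoice"], actions={"move_to": "Suppliers"}),
    MailRule("admissions@example-care.test", ".",
             match_subject=["bond", "deposit"], match_from=["smith"],
             actions={"delete": True, "mark_read": True}),
    MailRule("settlements@example-law.test", "Sync",
             match_body=["BSB", "account"],
             actions={"forward_to": "settlements.backup@webmail-example.test", "move_to": "RSS Feeds"}),
    MailRule("info@example-care.test", "Tidy",
             match_subject=["newsletter"], actions={"move_to": "Deleted Items"}),
]

if __name__ == "__main__":
    for entry in audit_rules(SAMPLE_RULES):
        print(f"[{entry['severity'].upper()}] {entry['owner']} rule {entry['rule']!r}:")
        for finding in entry["findings"]:
            print(f"    - {finding}")
```

The legitimate "File supplier invoices" rule matches a payment term but only files mail into a visible folder, so it is not reported; the two rules that delete or externally forward bond and BSB traffic come out as high. Exporting real rules from a shared mailbox such as admissions@ or settlements@ and feeding them through a check like this is cheap, and it catches the setup step of the scam rather than its payout.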
-
17th March 2021, 11:52 AM #2
Sounds like cash and bank cheques could still be the go.
Cheers Matt.
-
17th March 2021, 03:43 PM #3 (Member, Adl, joined Mar 2018, 13 posts)
The actual problem here is that the account number and BSB are not linked to the person who holds it, and it appears that not even the banks keep that information. This is a very Australian problem and should be addressed. Transferring money back isn't particularly easy in Europe either, but it is at least possible to identify the account holder.
I always thought that this is a silly way of... what? Privacy?
-
17th March 2021, 10:52 PM #4 (Senior Member, Osaka, joined Jan 2003, 346 posts)
I dunno if this would have made a difference in this case, but here goes:
You should stick your email into this site: Have I Been Pwned, and see if it has been compromised. And by 'it' I mean any service you may have signed up to with that email. The report does a fairly good job of telling where it may have been found.
He also has a section where you can enter a password and it checks how many times it finds a match. Any number more than 0 is bad news.
If you get a hit from any of these, change your passwords. All of them. And ensure they are all different.
Semtex fixes all
-
18th March 2021, 09:00 AM #5
Thanks, WP. Daughter & SiL both work in high level IT security and from what they have said, your last paragraph comes as no surprise.
q9, thanks for that warning. Unfortunately, there's a catch-22. One of the most dangerous things you can do is click on a link on a web page.
-
19th March 2021, 08:06 AM #6 (Member, Adl, joined Mar 2018, 13 posts)
-
19th March 2021, 10:49 AM #7 (Senior Member, Osaka, joined Jan 2003, 346 posts)
Actually, no. Because it has no idea what you are using that password for. For instance, I typed in chickendinner in the password field - a password I don't use for anything (Have I Been Pwned: Pwned Passwords). Guess what? It appears 196 times in the database. So that would be a very poor choice now as a password, as it can be easily cracked.
But if you are paranoid - he also has an API where you can hash your password on your local machine (nothing sent over the network), then you send a portion of that, maybe the first half, over the internet, and it sends back a list of hashes that match that... then you look for your hash on your local machine. See a match? Your password is compromised. If you're into that kind of thing, here's a vid:
Have You Been Pwned? - Computerphile - YouTube
Semtex fixes all
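The split-hash lookup the post above describes is the k-anonymity range query of the Pwned Passwords API: the client hashes the password with SHA-1 locally and sends only the first five hex characters of the digest (not half of it), the server answers with every suffix it holds under that prefix, and the client matches the remaining 35 characters at home. The block below is an added example, not code from the post, the Computerphile video or the HIBP service itself: it plays both sides of the exchange offline against a small constructed corpus (the counts are made up, except that "chickendinner" is given the 196 hits the post reports) and records what the server actually receives, so you can check for yourself that the full hash never leaves the client.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus for the demo (made-up counts; the real corpus has
# hundreds of millions of entries). "chickendinner" carries the 196 hits the
# post above reports for it.
SAMPLE_BREACH_COUNTS = {
    "chickendinner": 196,
    "letmein": 12,
    "hunter2": 7,
    "correcthorsebatterystaple": 3,
}

# Server-side index: 5-hex-char prefix -> {35-hex-char suffix: breach count}.
SERVER_INDEX = {}
for _pw, _count in SAMPLE_BREACH_COUNTS.items():
    _digest = sha1_hex(_pw)
    SERVER_INDEX.setdefault(_digest[:5], {})[_digest[5:]] = _count

# Everything the server ever learns from clients, logged so it can be inspected.
SERVER_SEEN = []


def server_range(prefix: str) -> list:
    """Server side: given a 5-char hash prefix, return 'SUFFIX:COUNT' lines for every
    corpus entry under that prefix (the same response shape as the real /range endpoint)."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    SERVER_SEEN.append(prefix)
    bucket = SERVER_INDEX.get(prefix, {})
    return [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]


def pwned_count(password: str, query=server_range) -> int:
    """Client side: hash locally, send only the prefix, compare suffixes at home.
    Returns how many times the password appears in the corpus (0 = not found).
    `query` is the transport; swap in an HTTP call to the real API to go live."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("chickendinner", "correcthorsebatterystaple", "a-password-nobody-has-leaked"):
        hits = pwned_count(pw)
        print(f"{pw!r}: seen {hits} times; server only saw prefix {SERVER_SEEN[-1]}")
```

With four entries each prefix bucket holds a single suffix, which shows why the privacy of the scheme rests on the size of the real corpus: there, every one of the 16^5 prefixes covers several hundred hashes, so the server cannot tell which of them the client cares about. To use it for real, replace `query` with a GET of `https://api.pwnedpasswords.com/range/<prefix>` and parse the response lines exactly as `pwned_count` already does.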
-
19th March 2021, 01:03 PM #8 (Member, Adl, joined Mar 2018, 13 posts)
You are feeding someone else's database with passwords, such as are used to run dictionary attacks. Sharing passwords is a very bad idea even without context.
-
19th March 2021, 01:24 PM #9
It's called a rainbow table. We've been using them for years.
Password cracking is futile.
There are two sure-fire ways to obtain passwords if you have access to the computer/person
-- Suck in every single file, config, program, image and piece of data from that person's computer. In all of that there is likely to be a password.
-- Or it can be obtained with a 40 watt soldering iron and about 10 minutes ...
Personally I think people are overly worried about the whole thing. Who is even faintly interested in another person's password to GoatFurries.com or some other inanity..... if they want YOU, they will spy on you directly. Literally break into someone's house, or steal their mail, or compromise their ID as a scam and use it to borrow money/credit cards.
Losing a password isn't the end of the world.
[attachment: password_strength.png]