
Breaking with the sequel

At one time I was working through free-lance.ru. In the morning I usually monitored new orders, and after lunch I did the actual work. One day I came across an order whose fee was very appetizing. I immediately responded to the order, and literally a minute later I received the project specification in a private message. At first I was surprised by the speed of the reply and by being chosen as the contractor straight away, but on the other hand that had happened often enough. The file with the spec (the TZ) seemed strange to me: a link to a Flash movie was embedded in it. After checking the file for viruses and getting the answer that no threats were detected, I let my guard down and clicked the link to the Flash movie. I should not have clicked.


Breaking into

Here is the ill-fated link and the antivirus verdict, reassuring me that all was quiet on the western front: no threats detected.

[image]

We talked a little more with the customer about timing, cost, wishes and so on, and I got to work. After a while I needed to clarify some details and tried to contact the customer again. The customer did not respond. I tried a few more times, realized it was pointless, moved on to another job and quietly forgot about the wasted time.

I had to recall this incident very quickly, literally the next day. I urgently needed to top up my phone and, as usual, decided to use Yandex.Money, since I had some small change lying there. But when I logged in to the Yandex.Money account I found a round zero. I looked at the history and found a transfer of the money to somebody's unfamiliar wallet, from an IP address I did not know.

Here is my IP; it is static:

UPD: My IP address was here; I removed it for security reasons.

Here is the transfer from the Yandex.Money history:

[image]

The IP address is in Moscow, and the transfer time, converted to our time zone, is 6:45, when I am fast asleep.

When I discovered this I could not understand anything, because you need to know both the mail password and the payment password, and mine, by the way, meet all the recommendations for choosing passwords. I began to think about how such a scam could be pulled off, and at some point I remembered that strange spec. I rushed to check the browser history and found a strange entry there:

[image]

It turns out I woke up at night, for some reason went to Yandex and went back to bed. Nonsense. It was clear that a trojan had been planted on me. A strange service, rutserv, was hanging in the process list, and by googling it I found the trojan in question. It turned out to be a hidden Remote Manipulator System; there is even a detailed manual on the net on how to build one - http://www.xaker.name/forvb/showthread.php?t=20588&page=6 . I killed the trojan at once and removed it. The most interesting part is that the antivirus never even flagged it. The scheme seemed to be clear, and I thought that would be the end of it. Naturally, I changed all the passwords on every site where I was registered. By the way, besides allowing a connection to my machine via RDP, the trojan also worked as a keylogger, recording all my passwords and sending them to the attacker. When I found that out, I was thankful that I do not type passwords every time but, foolish as it is, save them in the browser.

Continuation

After that, odd things happened from time to time, such as my Google mail being locked (I have two-step verification enabled), my VKontakte account being blocked, and so on. It was clear that someone was trying to get into my accounts, but in vain: the passwords had been changed.

The real horror happened today. My wife and I, like probably everyone, have confidential material that we would not like to see made public. And today a certain Markus Shwimmer from Germany contacted me on Skype, and the conversation went like this.

[image]

My wife was very scared. We both tried to work out whose path we had crossed and, most importantly, where the compromising material had come from, because it lay buried deep in an archive behind seven passwords. Cracking the password was not realistic.

Just in case, we blocked our VKontakte accounts, having first written to our friends that something might be sent to them, asking them to take it appropriately and, if possible, to ignore it.

A little later I had a hunch that the compromising material could have come from an e-mail box: long ago I had sent it to a mate. That was in 2005, when I had a mailbox on mail.ru; a few years later, in 2007, I switched to Google and set up mail collection from mail.ru. I did not bother about the security of the Google box and thought everything was safe and sound, but all the mail collected into the Google box was also kept on mail.ru. The attacker hacked that box thanks to the keylogger. Only then did I remember the password-recovery request for the mail.ru box that came right after that strange spec.

I tried to play for time while improvising a way out of the situation. Even if we transferred the money, nobody would give us any guarantees, and international practice recommends not negotiating with extortionists. But the attacker made contact quite willingly: after the first hour he gave another hour, and then a couple more. In the chat I noticed "make, at least, something and there ..", "sorry, I can not" - crude spelling mistakes not typical of a sensible adult. I concluded that this was the same attacker who had stolen my Yandex.Money and who wanted a top-up. His goal was not to send the compromising material; his goal was to get money.

After the first hour I started digging in the right direction. Skype, it turns out, in most cases connects directly to the other party. First I downloaded cports and, after testing it on a familiar Skype contact, decided to find out the attacker's IP. When the attacker got in touch, I managed to get his IP - 109.191.235.66. With the help of this service - http://speed-tester.info/ip_location.php - I learned that the IP belongs to the address pool of the provider Intersvyaz - http://www.is74.ru . I phoned their support line and this was confirmed to me definitively. By the way, I got a sensible young man in support who listened to me carefully, agreed to hand over information only at the request of the police (which is understandable), but did answer positively the question of whether that subscriber currently had a connection to my IP address. Many thanks to him for that.
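The two checks the post describes by hand (spotting an unexpected remote-control service in the process list, and using cports to see which remote peer a program is connected to) can be done from PowerShell. This is an added example, not the author's tooling: the service name rutserv is taken from the text, the cmdlets are standard Windows ones, and it assumes Windows 8 / Server 2012 or later with an elevated prompt.

```powershell
# Added example (not from the post): list established TCP connections with the
# owning process, and flag services/processes the defender never installed.
# Get-NetTCPConnection needs the NetTCPIP module (Windows 8 / Server 2012+);
# run elevated so the owning process is visible for every connection.

# Names to flag; 'rutserv' is the service the post found running.
$suspectNames = @('rutserv')

# 1. Services whose name or binary path mention a flagged name.
$oddServices = Get-CimInstance Win32_Service | Where-Object {
    $svc = $_
    $suspectNames | Where-Object { $svc.Name -like "*$_*" -or $svc.PathName -like "*$_*" }
}
"--- services matching a flagged name ---"
$oddServices | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# 2. Every established connection, joined to its owning process.
$procs = Get-Process | Select-Object Id, ProcessName
$conns = Get-NetTCPConnection -State Established | ForEach-Object {
    $owner = $_.OwningProcess
    $p = $procs | Where-Object { $_.Id -eq $owner }
    [pscustomobject]@{
        Process = $(if ($p) { $p.ProcessName } else { 'unknown' })
        Pid     = $owner
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
    }
}
"--- all established connections ---"
$conns | Sort-Object Process | Format-Table -AutoSize

# 3. Connections owned by a flagged process: an RMS server you never installed
#    talking to an outside address is exactly what the post's trojan looked like.
"--- connections owned by a flagged process ---"
$conns | Where-Object { $n = $_.Process; $suspectNames | Where-Object { $n -like "*$_*" } } |
    Format-Table -AutoSize
```

Filtering the second table by a program's name (for example the chat client you are using) shows the same peer address that cports showed the author, without any extra tool.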

Now I had trump cards in my hand: the attacker's IP address, the Skype correspondence, and data from the provider (which would help identify the attacker). I did not hesitate to lay them on the table when the attacker came online again, scaring him at the same time with the following legal articles:

Naturally, the compromising material went nowhere.

By the way, it is unclear why the attacker did not bother with his own security (Skype can work through a proxy), and unclear why in the first case the IP was in Moscow. Perhaps there were two attackers after all.

UPD: After reading the comments, I decided to file a report with the police after all.

Source: https://habr.com/ru/post/134862/
