Crude scammer targets Brit oil brokers

Panda Labs researchers have identified a scammer who is fleecing British oil buyers using a malware-free spin on the classic Nigerian scam. They say the scammers steal credentials from oil brokers to swindle buyers across Germany, Spain, and across Asia out of cash. The sting works using a PDF file in the first stage of the …

  1. Jonathan Richards 1 Silver badge

    Amish spearphish

    Good morning; you do not know me but I would be grateful if you would send by return email the usernames and passwords that you use for oil trading activities.

    Thank you.

    1. Robert Helpmann??
      Childcatcher

      Re: Amish spearphish

      ...I would be grateful if you would send by return email the usernames and passwords...

      And here's the thing: that works! As sad as it may sound, this is exactly how many phishing attacks work, just with more words.

  2. Andy The Hat Silver badge

"Once executed, the PDF ..."

    WTF? Why is a PDF able to execute? This was discussed the other day - a PDF is a data file and should be readable by a PDF reader - why is it being executed by the operating system?

    Data handling is getting to the stage where a step backwards is required. It may be slick to do things automatically with data files but some common sense control is required.

    1. John 110
      FAIL

Re: "Once executed, the PDF ..."

      There'll be details in the PDF linked to the article....wait a minute...

    2. gerdesj Silver badge

Re: "Once executed, the PDF ..."

At a guess, this might be a double extension jobbie, e.g. "InnocentFileHonest.pdf.exe". My mail gateways dump things like that immediately 8) Also many AV systems have a tweak that does a similar job.
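One way a mail gateway could apply the double-extension check gerdesj describes, as an added example that is not from the article, the commenters, or Panda's report; the extension lists and the attachment names are constructed for the illustration:

```python
# Extensions a recipient would read as "just a document" (constructed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Extensions Windows hands to the loader or a script host (constructed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "pif", "msi"}


def is_deceptive_double_extension(filename: str) -> bool:
    """Return True for names like 'InnocentFileHonest.pdf.exe'.

    Trailing dots and spaces are stripped before checking because Windows
    drops them when resolving a name, so 'report.pdf.exe. ' still runs as .exe.
    The comparison is case-insensitive: 'Invoice.PDF.SCR' is still a .scr.
    """
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 3:
        return False  # need a base name plus two extensions
    last, previous = parts[-1], parts[-2]
    return last in EXECUTABLE_EXTS and previous in DOCUMENT_EXTS


def filter_attachments(names):
    """Split attachment names into (allowed, dropped) the way a gateway would."""
    allowed, dropped = [], []
    for name in names:
        (dropped if is_deceptive_double_extension(name) else allowed).append(name)
    return allowed, dropped


# Constructed sample of attachment names as they might arrive at a gateway.
SAMPLE_ATTACHMENTS = [
    "Tender_Q1.pdf",
    "InnocentFileHonest.pdf.exe",
    "Invoice.PDF.SCR",
    "contract.docx.exe. ",
    "archive.tar.gz",
    "setup.exe",
]

if __name__ == "__main__":
    ok, bad = filter_attachments(SAMPLE_ATTACHMENTS)
    print("allowed:", ok)
    print("dropped:", bad)
```

Note that a plain `setup.exe` is not caught by this rule alone; it only targets the disguised double extension, so it belongs beside, not instead of, an executable-attachment block.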

  3. x 7

    Yet another reason to disable javascript in the Adobe Reader, and also set it to run in Protected Mode.

Both are in Edit > Preferences. Look at Javascript and Security.

It ships with Javascript enabled and protected mode off by default, and as far as I can see subsequent updates revert any changes to these settings.

  4. Amphibious RawCod

    grey area? line crossed?

"This was confirmed when we accessed the FTP server that the stolen data was sent to, and found that the oldest files dated back to August 2013. That is, the attack had been underway for almost six months completely undetected."

I don't imagine that Panda had permission to access the hacker's FTP server. I wonder if they just openly admitted crossing a line over into Computer Misuse Act territory (or whatever equivalent exists in the relevant jurisdiction).

    1. Number6

      Re: grey area? line crossed?

      You just need a good lawyer. The compromised machine already had permission to access the server, else how could it upload the credentials. There was nothing in writing restricting it to write-only access so one assumes they could use the same machine to read from the server too.

      1. Captain DaFt

        Re: grey area? line crossed?

        "There was nothing in writing restricting it to write-only access so one assumes they could use the same machine to read from the server too."

        Are you sure? Are you really, really sure?

Be a bit embarrassing if this came to trial and the judge had to throw the case out because the hackers had uploaded an EULA, and someone using the compromised machine clicked [x] I Agree.

        (For the benefit of readers at home, Yes, that was sarcasm aimed at EULAs.)

  5. Anonymous Coward
    Meh

    pretence

    and the victims prefer to pretend it didn't happen - thus making sure the problem lasts a lot longer - ho hum

Biting the hand that feeds IT © 1998–2022