Hacking continued

At one time I was working through free-lance.ru. In the morning I usually monitored the orders, and after lunch I did the actual work. One day I came across an order whose price was very appetizing. I replied to it immediately, and literally a minute later I received the project brief (the spec) in a PM. At first I was surprised by the speed of the response, and by the fact that I was chosen as the contractor straight away, but on the other hand that had already happened quite often. The brief file seemed strange to me: a link to a Flash movie was embedded in it. After checking the file for viruses and getting the answer that no threats were found, I let my guard down anyway and clicked the link to the Flash movie. I shouldn't have.


The break-in

Here is the ill-fated link and the antivirus's verdict that everything is quiet in Baghdad, i.e. nothing detected.

We talked a little with the customer about deadlines, cost, wishes and so on, and I set to work. After some time I needed to clarify the details and tried to contact the customer again. The customer did not respond. I tried several more times and, realising it was useless, got on with other work, happily forgetting about the lost time.

I had to recall this incident very quickly, literally the next day. I urgently needed to top up my phone and decided to use Yandex.Money as usual, since I had some small change lying around there. But when I logged into the Yandex.Money account, I found a round zero. I looked into the history and found a transfer to somebody else's unfamiliar wallet, made from an IP address unfamiliar to me.

Here is my IP; it is static:

UPD: My IP address used to be here; I removed it for security reasons.

Here is the transfer from the Yandex.Money history:

a Moscow IP address, and the time of the transfer, converted to our local time, is 6:45, the time of my deepest sleep.

When I discovered this I couldn't understand a thing, because you need to know both the mail password and the payment password, which, by the way, meets every recommendation for inventing passwords. I began to think and recall how such a scam could be pulled off, and at some point I remembered that strange brief. I rushed to check the browser history and found a strange entry there:

It turns out that I woke up at night, went to Yandex for some reason and went back to bed. Nonsense. It was clear that I had picked up a Trojan. A strange rutserv service was hanging in the process list, and by googling it I found that very Trojan. It turned out to be a hidden Remote Manipulator System; there is even a detailed guide on the net for building it - http://www.xaker.name/forvb/showthread.php?t=20588&page=6. I immediately killed the Trojan and removed it. The most interesting thing is that the antivirus did not even complain about it. The scheme seemed clear, and I thought it would all end there. Naturally, I changed the passwords on all the sites where I was registered. By the way, besides allowing the attacker to connect to me via RDP, the Trojan also worked as a keylogger, recording all my passwords and sending them to the attacker. When I found that out, I thanked myself for not typing passwords in each time but lazily saving them in the browser.

Continuation

Then, from time to time, there was some unexplained rubbish, such as my Google mail being blocked (I have two-step verification there), my VKontakte account being blocked, and so on. It was clear that someone was trying to get at me, but in vain: the passwords had been changed.

The worst thing happened today. My wife and I, like everyone else probably, have confidential information that we would not like made public. And today a certain Markus Shwimmer from Germany knocked on my Skype, and the dialogue with us developed in this vein.

My wife was very scared. We both tried to understand whose path we had crossed and, most importantly, where the dirt had come from, because it was lying very deep in an archive behind seven passwords. Cracking the password was unrealistic.

Just in case, we blocked our VKontakte accounts, having first written to our friends that something might be sent to them, asking them to react appropriately and, if possible, ignore it.

A little later I had a hunch that the compromising material could have come from an e-mail box: long ago I had sent it to my wife. That was around 2005, and I still had a mailbox at mail.ru. A few years later, in 2007, I switched to Google mail and enabled mail collection from mail.ru. I did not worry about the security of the Google mailbox and thought everything was safe and sound, but all the letters forwarded to the Google mailbox were also kept at mail.ru. That is the mailbox the attacker hacked thanks to the keylogger. Only then did I remember the password-reset request for the mail.ru mailbox that came exactly after that strange brief.

I tried to play for time, thinking on the go about how to resolve the situation. Even if we transferred the money, nobody would give us any guarantees, and international practice recommends not negotiating with extortionists. But the attacker was quite willing to keep in contact: after the first hour he gave another hour, and then a couple more. In the conversation I noticed "do something, at least something is there ..", "sorry I can't" - silly spelling mistakes not characteristic of an adequate adult. After thinking it over, I concluded that this was the same attacker who had stolen the Yandex.Money from me and now wanted more. He had no intention of sending out the compromising material; his goal was to get money.

After the first hour I started digging in the right direction. Skype, it turns out, in most cases connects directly to the other party. The first thing I downloaded was cports, and after checking that it worked on a friend of mine on Skype, I decided to find out the attacker's IP. When the attacker got in touch, I managed to get his IP - 109.191.235.66. Using this service - http://speed-tester.info/ip_location.php - I found out that the IP belongs to the address pool of the Intersvyaz provider - http://www.is74.ru. After phoning their support service, I was sure of it. By the way, at the support service I got an adequate young man who listened to me carefully, agreed to provide information only at the request of the police (which is understandable), but did answer the question of whether this subscriber currently had a connection to my IP address. Many thanks to him for that.
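The two checks the author did by hand, looking for the rutserv service in the process list and using cports to see which remote address Skype was talking to, can be done from PowerShell on Windows 8 / Server 2012 or later. This is an added example, not code from the original post; the service name rutserv comes from the post, the process name Skype is an assumption to adjust to whatever client you are inspecting.

```powershell
# Added example, not from the original post.
# Requires Get-NetTCPConnection (Windows 8 / Server 2012 or later).
$suspectService = 'rutserv'   # service name the author found running (from the post)
$peerProcess    = 'Skype'     # process whose peers we want to see (assumption)

# 1. Is a service with that name installed, and which binary backs it?
#    An unknown PathName is the thing to look at; the antivirus verdict alone
#    said nothing in this story.
Get-CimInstance Win32_Service -Filter "Name LIKE '$suspectService%'" |
    Select-Object Name, State, StartMode, PathName

# 2. Established TCP connections of the chosen process, with remote endpoint.
#    Skype mostly connects peer to peer, so the remote address shows the other
#    party; that is what the author read off in cports.
$pids = (Get-Process -Name $peerProcess -ErrorAction SilentlyContinue).Id
Get-NetTCPConnection -State Established |
    Where-Object { $pids -contains $_.OwningProcess } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }
```

Run it in an elevated PowerShell session so that the owning process of every connection is visible; if the process is not running, the second query simply returns nothing.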

Now I had trump cards in my hands: the attacker's IP address, the Skype correspondence, and the data from the provider (which would help identify the attacker). I did not hesitate to put them on the table when the attacker reappeared online, at the same time intimidating him with the following articles:
  • Art. 137 of the Criminal Code - Violation of privacy;
  • Art. 138 of the Criminal Code - Violation of the secrecy of correspondence, telephone conversations, mail, telegraph or other messages;
  • Art. 163 of the Criminal Code - Extortion;
  • Art. 272 of the Criminal Code - Unlawful access to computer information;

Naturally, the dirt never went anywhere.

By the way, it is not clear why the attacker did not bother about his own security (Skype lets you work through a proxy), and it is not clear why in the first case the IP was from Moscow. Perhaps there were two attackers after all.

UPD: After reading the comments, I decided to file a statement with the police after all.
