Posted by u/AlexITC 2 years ago
Tell HN: Be aware of people trying to scam contractors
In short, I just received a nice proposal to work on a new contract, the potential customer sent me a "document" with the project specs which turned out to be a password-protected compressed file with some pictures and a ".exe" file inside.

I submitted the executable to virustotal which reports this as a trojan (https://www.virustotal.com/gui/file/088e2dabf218024d30e6899152b6a031dc30ae6f7d516492cb797292d6255d27/detection), seems like this takes screenshots and steals browser data which can be used for other purposes later.

Anyway, be cautious with proposals you receive.

nickfromseattle · 2 years ago
A variation of this - a fake job offer, allowed scammers to steal $540 million dollars in crypto tokens. [0]

I guess the scammer assumed as a contractor, you may have access to other customer systems they could exploit.

The internet be crazy, y'all.

[0] https://www.theblock.co/post/156038/how-a-fake-job-offer-too...

kikokikokiko · 2 years ago
Axie Infinity was a pyramid scheme. The fact that in the end it was "hacked" and the funds "disappeared" is highly suspicious. Occam's razor says that they just exit scammed it.
status200 · 2 years ago
A bit of (neutral) clarification, Axie is still active and is in the top ~60 projects by market cap[0], and the heist was actually linked to North Korean state actors[1]

[0] https://www.coingecko.com/en/coins/axie-infinity [1] https://www.washingtonpost.com/technology/2022/04/14/us-link...

southernplaces7 · 2 years ago
If you're going to throw shit at crypto, at least get your most basic facts straight before doing so. As the other comment points out, Axie Infinity is still around, well used and far from having been exit scammed, much less disappeared.
satvikpendem · 2 years ago
Well, in the crypto world, code is law after all.
peyton · 2 years ago
An actual crime was committed. Not to mention you’d be in the same spot if you wired $540M to a bank in Mozambique.
JCharante · 2 years ago
So an employee was using his work laptop to open job offers? Or maybe didn’t even have a work laptop? Disappointing but I didn’t have high expectations anyways
sureglymop · 2 years ago
Have you ever heard of the services Glassdoor and Fishbowl? They are services where you can "review" and "rate" your employer. In general not a bad idea. However they require you to sign up with a valid _work email_! Crazy...
SoftTalker · 2 years ago
In general, beware of unexpected ".exe" files especially if they are a gateway to something you want (a contract, a payment, etc.)

No normal business operates like this, and if they do, you don't want to work for them.

rozab · 2 years ago
The reason it's in a zip is so you never see that it's an .exe. Otherwise the email client would show the file extension and warn the user.

Microsoft in their wisdom have decided Windows users never need to see file extensions by default, so after unzipping the user would just double click an innocuous file with an MS Word icon. And maybe press OK on a prompt they've been trained to press OK on.

aprilnya · 2 years ago
And because password protected zips don’t get scanned, because, well, it doesn’t have the password
thih9 · 2 years ago
What about expected executables? E.g.: “we use a niche video conferencing tool / document signing tool / dev tool, please follow this link to install it”?

And with tech challenges being so common, perhaps all it takes is a typo in some manifest to download a malicious package in a sneaky way.

crazygringo · 2 years ago
You can usually google the thing and find an official link to the download and get a sense of whether it's a generally legitimate software company.

If it's an internal tool they've built, either make up a story about how you're temporarily on a machine where you can't install new software, or do it in a sandbox.

I'm not going to just blindly follow an executable download link in any circumstances. It's the same as if my bank calls me out of the blue and wants to confirm who I am with personal details, I'll look up their number online and call them back that way before proceeding. (Hasn't happened in a long time, but I do remember having to do that with a legitimate bank call ~15 years ago, when they called me and asked for my mother's maiden name before proceeding.)

JohnFen · 2 years ago
> “we use a niche video conferencing tool / document signing tool / dev tool, please follow this link to install it”?

Nope. That's a nonstarter.

orangepurple · 2 years ago
Windows Sandbox
gexla · 2 years ago
How do people not smell these from like a mile away? Must be proposals to people very new to this sort of work. To get me interested enough to even open a document, there's a lot you would have to get right before I hit that step.
crazydoggers · 2 years ago
Maybe this is a generation that has grown up with virus and spam protection good enough this almost never gets by, so they are unaware?

For us old timers this was pretty much an e-mail every other day sort of thing. I remember putting up a website for contact work and getting spam virus crap within weeks from just automated bots.

On top of that, I wouldn’t even open a compressed file from someone unless I had a previous relationship with them, and even then I still would scan it since their computer could be compromised. I don’t care if it’s a contract offer, from my attorney or the president of the United States.

crazydoggers · 2 years ago
Just to be clear, a password protected zip file should be an enormous blinking red light. 99% of the time, password protected zips are used to prevent virus scanners from scanning the content of the zip. Typically email providers like google will provide you with a warning that they have been unable to scan the file.

As for emails about contract jobs, even 15+ years ago these could be very targeted, specifying your company/resume etc. Now it will be getting even worse with chatGPT to write these emails in far less time and far more convincingly from non-native speakers.

Also note, unzipping files to look into them isn't automatically safe either... there are plenty of older CVEs where zip software had vulnerabilities allowing code execution, and a zero day is always possible. That's on top of the fact that zips can conceal file types of other software that might also have current CVEs.

Short story, and this should be followed by everyone in the tech community, never ever open attachments from anyone you don't know, and treat all attachments from people you do know as requiring scanning first. Not doing so puts your coworkers and your customers at risk. If you're accepting proposals for contract work, your process should always require one-on-one communication prior to accepting any attachments.

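A small triage script, added here and not part of the thread, that applies the points made by rozab, aprilnya and crazydoggers above: it reads only the central directory of an attachment, flags entries whose real extension is executable (or hidden behind a document extension) and entries whose encryption bit is set, and extracts nothing. The sample archive is constructed for the example and does not reproduce the file from the post.

```python
import io
import zipfile

# Extensions Windows runs directly on double-click; a "spec document" archive
# should never contain one (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js",
                   ".vbs", ".msi", ".ps1", ".lnk"}

def analyze_entries(infos):
    """Classify zip entries from their central-directory metadata only.

    Works on any objects with .filename and .flag_bits (e.g. ZipInfo).
    Nothing is extracted or executed.
    """
    findings = []
    for info in infos:
        base = info.filename.lower().rsplit("/", 1)[-1]
        exts = ["." + p for p in base.split(".")[1:]]
        is_exec = bool(exts) and exts[-1] in EXECUTABLE_EXTS
        findings.append({
            "name": info.filename,
            # Bit 0 of the general-purpose flag marks an encrypted entry,
            # which is what stops a mail gateway from scanning its content.
            "encrypted": bool(info.flag_bits & 0x1),
            "executable": is_exec,
            # e.g. "Project_Specs.docx.exe" displays as "Project_Specs.docx"
            # when Explorer hides known extensions.
            "double_extension": is_exec and len(exts) >= 2,
        })
    return findings

def triage_zip(data: bytes):
    """Return (verdict, findings) for raw zip bytes, e.g. a mail attachment."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        findings = analyze_entries(zf.infolist())
    suspicious = any(f["executable"] or f["encrypted"] for f in findings)
    return ("SUSPICIOUS" if suspicious else "no executables found", findings)

def build_sample_archive() -> bytes:
    """Constructed sample mimicking the attachment in the post (not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("specs/photo1.jpg", b"\xff\xd8\xff" + b"\x00" * 16)
        zf.writestr("specs/Project_Specs.docx.exe", b"MZ" + b"\x00" * 32)
    return buf.getvalue()

if __name__ == "__main__":
    verdict, findings = triage_zip(build_sample_archive())
    print(verdict)
    for f in findings:
        print(f)
```
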
thih9 · 2 years ago
Being convinced that you’re good at detecting social engineering attacks just makes it easier for you to fall for a social engineering attack.
cramjabsyn · 2 years ago
Like what?


jacknews · 2 years ago
There are far more actual jobs that seem like just scams, like this on Upwork I just saw:

  RoR developer need Urgently
  Hourly: $8-$10 - Expert - Est. Time: 1 to 3 months, Less  than 30 hrs/week -
  Hello, I am in urgent need of RoR developer who has 5+ years of expertise for existing(ongoing) project.
  To test Developer's ability we need 1 week free trail.
I mean scam 1) $8/hr, and then they want a week free? lol.

hankchinaski · 2 years ago
Developer rates are dropping fast across the globe as more people come online and compete at low rates, especially when applying for fully remote roles. People based in high cost of living countries can't compete with developing markets where CoL is 10x lower.
urbandw311er · 2 years ago
Hmm, the situation is far more nuanced than you suggest. There are also downsides of outsourcing labour to developing markets, such as language barriers, time zones, cultural differences and more. I personally know several CTOs who have reverted to in-house teams after realising that the actual costs extend beyond just salaries.
zerr · 2 years ago
Do tech people execute such exe files? Doesn't seem like a novelty method, does it?
thih9 · 2 years ago
> Do tech people execute such exe files?

It depends.

Is this an .exe file in an email attachment? Then usually no.

Is this a github project which asks you to “curl totallysafe.com | sh”? Then often yes.

spacemanspiff01 · 2 years ago
No way would I ever run a random exe.

I only run random bash scripts from the internet with sudo permissions

Dylan16807 · 2 years ago
Let's not make this about mechanism unnecessarily. They'd download an exe from that github just as easily.
hnlmorg · 2 years ago
99% of the time, no. But you only need one person to be absent minded (perhaps tired, maybe stressed and multitasking, maybe receiving constant interruptions from kids or work colleagues, etc).

There was some story I read years ago about how terrorists (I think it was) could have their plot foiled 99% of the time but they only needed to be successful once. Whereas their targets need to be successful 100% of the time. (I wish I could remember where I heard that)…anyways, this applies to IT security too.

janstice · 2 years ago
Oddly enough, the quote is from a legitimate terrorist organisation following a bomb attack on a UK political conference, that wasn't that far off killing the PM at the time (and killed 5 others).

The IRA statement following the bombing was: "Thatcher will now realise that Britain cannot occupy our country and torture our prisoners and shoot our people in their own streets and get away with it. Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always. Give Ireland peace and there will be no more war."

Eisenstein · 2 years ago
> (I wish I could remember where I heard that)

You probably heard it from multiple sources since it is a cliche used in all types of security fields. Kind of like how 'if you are getting something of value for free you are the product not the client' is for web-services people.

NegativeK · 2 years ago
> this applies to IT security too.

This is true, but an IT security team also has a huge number of opportunities to detect an intruder.

If the defender has just one security vulnerability, the intruder can get in -- and the defender typically won't know about the security vulnerability ahead of time. If the intruder is noisy just once, the defender can catch them -- and the intruder typically won't know what's being listened to or even what systems/credentials are real.

sowbug · 2 years ago
It's toward the end of season one of Narcos, but the subjects are cops and criminals.
jstarfish · 2 years ago
It's 2023, and Windows still hides file extensions by default. Easy mistake to make.
nubinetwork · 2 years ago
See Linus Tech Tips getting his YouTube accounts "hacked".
Dylan16807 · 2 years ago
Scare quotes make sense for social engineering, but if there's a trojan installed and used to increase access I would say that's enough to qualify as hacking.
alexfromapex · 2 years ago
While we’re sending warnings, watch out for jobs which have “on-call” responsibilities as they’re essentially SRE jobs and can make you work on nights and weekends.
gggsre · 2 years ago
Oncall responsibilities themselves are not terrible... assuming the oncall is set up in a sane way. But more often than not it isn't.

Right now I'm an SRE at a FAANG and the deal is quite sweet: we get paid for non-business hours, we are oncall only during daytime, I can exchange my oncall compensation for extra holiday. We also have enough time to fix recurring issues, remove noise, etc. But: I would never do unpaid oncall again. I would also think twice (or thrice) before agreeing to night shifts. As it turns out putting out fires at 3 AM can burn out an entire team pretty fast.

justinclift · 2 years ago
> As it turns out putting out fires at 3 AM can burn out an entire team pretty fast.

AWS has a terrible reputation for exactly this.

dilyevsky · 2 years ago
Could’ve just said you work at google bc that’s the only place where it works like this afaik
WirelessGigabit · 2 years ago
Well, it's part of the contract right? 1 weekend per month on call.

I do find it sad that there is no general requirement to pay employees to be on call.

So as a contractor you need to make sure that there is an extra provisioning in there AND that the rules which govern on call are extremely clear. Like what about you going on vacation? Sick? Grandma dying?

throwaway019254 · 2 years ago
It’s strange to see something like this here.

I worked for multiple big US tech companies (both FAANG and non-FAANG) and all of them had oncall as a part of software engineering job.

Supporting the services you are developing feels like a natural part of the job. And when I had a lot of tickets at night I was able to fix the issues and make oncall shifts better.

mangamadaiyan · 2 years ago
> Supporting the services you are developing feels like a natural part of the job.

It wasn't always seen as a "natural part of the job". Time was when most companies had a dedicated team of support engineers, who worked in 8-hour shifts, and provided support round the clock. Developers also got to spend the occasional week or month in support. Eventually, a CEO (who I will not name) figured that they could save costs if they got rid of support, and got the dev engineers to do it instead - and sold it as a "natural part of the job" - which kool-aid almost everybody has drunk by now. Which is how devs now burn their weekends, nights, and health being on-call without a choice. I've seen on-call responsibilities pretty much involve being available 24x7 for a week, once every two months. It's not right, it's not natural, and it's a result of CEO penny-pinching. That's just it.

gggsre · 2 years ago
> Supporting the services you are developing feels like a natural part of the job.

Paying your employees fairly for providing support outside business hours also feels like a natural part of the job. Unfortunately, surprisingly few companies do this.

throwaway675309 · 2 years ago
Sounds awful, in all of the companies I've worked for the R&D department was firewalled from this type of tech support work.

If there were site related issues, that was usually the role of dev ops team to handle. That could then get triaged to a quality assurance team, eventually bug tickets could get created. Then during our normal office hours we could assign a normal software engineer to look at them.

Even the concept of being on-call physically makes me nauseous.

kepler1 · 2 years ago
I don't know whether it's the general awareness of it that has been increasing or what, but it seems like job scams, bank scams, rental scams, these are all exploding in frequency lately.

Sometimes, it feels like we're in the middle of the disillusionment era of the internet and tech, where all the hope and positive potential of the new medium has now given way to just previous crappy life problems taking it over, only magnified.

jstarfish · 2 years ago
Fraud has certainly increased as people find new ways to exploit the internet across borders with no accountability. It's not just online either, even kids are playing at misappropriation in doing things like soliciting donations from family to their college tuition funds and then just...not going to college (or taking one class at a time to look like they're actively attending, and pocketing the tuition).

Influencers celebrate and encourage this stuff, because everyone older than you is just selfish and deserves to be scammed. Great role models. Being in my stepdaughter's life has been like watching the development of the human incarnation of the Fraud Examiners' Manual. She used to be listed as a beneficiary of my life insurance policy. At this point the only (and I mean only) chapters she hasn't attempted are the ones requiring abuse of one's own assets or credentials (kickbacks, arson, etc.), which are impossible schemes to execute when you've earned neither.

The mental health awareness stuff has scaled with it too. It used to be you moved to the big city for work, and when it got to be too much to handle you'd migrate out to the suburbs or country. But the internet made it so big-city, in-your-face hustle culture follows us literally everywhere. Everyone is out to fuck you. There's no peace or escape from the madness anymore. No wonder everyone has anxiety.

AlexITC · 2 years ago
This, I have seen a tendency of increased scam schemes since the pandemic started.
NegativeK · 2 years ago
New job/contract work fits very neatly into the time sensitive and stressful setup that phishers and scammers lean on.