Could this person login from a remote system (obviously if an unauthorized person could, then probably yes)? If it was a phishing email, could it have been on a personal computer? You wouldn't see any trace of the malware on the corporate PC but maybe the personal is what's infected.
- Andy O. _____ From: David W. McSpadden [mailto:[email protected]] Sent: Wednesday, August 26, 2009 11:16 AM To: NT System Admin Issues Subject: Re: Reporting user fraud FBI pointed to phishing email with a drive by bot\keylogger. But Trend\VipreRescue\Spybot all come back negative??? Even using Fport scanner I don't see anything out of the ordinary??? ----- Original Message ----- From: Daniel Rodriguez <mailto:[email protected]> To: NT System Admin Issues <mailto:[email protected]> Sent: Wednesday, August 26, 2009 12:06 PM Subject: Re: Reporting user fraud Hmmm.... this sounds what happened to Bullit County in Louisville, Ky. Someone was logging into the county network and was able to get $416K wired out of the country. They just reported it about two months ago. Seems that some hacker group was able to access their system and used login and passwords of users within the system. It is fixed, now, and they were able to recover a majority of the money. They think that one, or some, of the users were either surfing where they were not supposed to, or someone received some type of phishing email. On Wed, Aug 26, 2009 at 11:40 AM, Jon Harris <[email protected]> wrote: You forgot HR some of them can create positions with salaries or modify a persons salary. Either way money could be leaking out that should not be. Jon On Wed, Aug 26, 2009 at 11:12 AM, Jonathan Link <[email protected]> wrote: A is too specific, could've been brute force or an easily guessed password in addition to malware/keylogger. Can you determine what was accessed with any degree of certainty? What regulatory agencies is your organization governed by? I'd start with that. Interestingly, did you read this Washington Post article? http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402 272.html?nav=hcmodule <http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR200908240 2272.html?nav=hcmodule&sid=ST2009082500907> &sid=ST2009082500907 (beware the wrap) I would also review banking information if this person is at all involved with bookkeeping, AP or AR functions. On Wed, Aug 26, 2009 at 10:59 AM, David W. McSpadden <[email protected]> wrote: If someone has access to your ssl website with valid username and password you assume that either 1 of 2 things have happened: A someone has a keylogger and their computer is compromised. B someone just out and out gave the information away. Is that a correct assessment? If you have the IP from the 'hacker' that accessed your website who do you report it too??? Most likely it is a bot and nothing can be done but who do you report it too none the less??? ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
