Crime Could Have Paid (maybe).

At some point we read in the news about a murder for an amount of money that seems senseless, especially given the amount. I cannot recall the story exactly but there was one where a person in a homeless shelter was murdered over a debt of tube-socks.

In the homeless world where clothing and shoes are donated, socks are not, so discount socks become a valuable commodity. Quite sad this happened but as one goes up the socioeconomic ladder we see crimes that reflect the values of the class and perpetrators. An Oxy addicted bank robber might kill someone over $2000.00 to $4000.00, a typical amount taken when a threatening note is passed to a teller. An Armored car robber might not bother killing someone for that fee and certainly would not bother to kill someone over socks, but at over $100,000? I am sure its been done for that amount or less.

Some jobs pay well. A few years ago I was involved in a Penetration test where we had to “capture the flag” (present the contents of a file to a supervisor) for pay plus a bonus if a glaring weakness was discovered. I set about trying to get into the company from within, since I figured they would have shiny new firewalls and a 24/7 admin team and someone, someone always knows that a Pen Test is going to happen because most people are terrible at keeping secrets and no one wants to look bad.

I did a google search on the company. Nothing really interesting but that is always my first step. The next I did a whois search and found that they had 4 nameservers, 2 were third party, most likely secure, and 2 were of the same domain name and in a sequential IP address . So I did a “host -al domain.name ns1.domain.name” type lookup and all the subdomains popped up and they all had IP addresses not belonging to the webhost.

A quick scan of port 80 and port 443 revealed open ports on a number of internal servers. One that looked interesting to me was hr.domain.name. I pointed my web browser to the HR site and it had all types of useful information including the procedure for starting your first day on the job. The person to see, what to bring (photo ID for passport, Drivers License and job ID) . It also had instructions for supervisors. One was that the supervisor had to have the resume of the new hire on file within 2 months after the 1 month trial period for new hires had ended. That was a 3 month limit. I signed up on their “careers” site and applied for a job as a network admin and submitted a 17k jpg file saved as a txt file and then a .docx file…so it was gibberish. (I would submit again if needed) and I was emailed back a Thank You for Applying notice that gave the Job ID.

The next day I followed instructions on the HR server, talked to who I was supposed to talk to, filled out tax forms, signed an agreement that I was employed for 1 month only on a trial basis (the term “A Good Fit” was not used then, but I am sure it is now) I watched a video on diversity and harassment policy, I agreed not to ask anyone out on a date and then I reported to the Senior System Administrator. I was also told to bring my resume again as they were not able to read the one they had on file for some reason.

He was baffled as to why I was there. He said “who hired you?” and I said “I don’t think he is here now or he would have met me” and he said “Dave”. You must be hired for the second shift.

I left and had a coffee, then I had about three beers, then a coffee and then some Life Savers and went back for the start of second shift. I met “Dave” and said “Bob told me I was on second shift”

And I was in.

I got the file easily as I had access to everything from the start. The next morning I contacted my supervisor for the gig and told him the contents of the file. Then I told him how I got it.

He was quite angry, He said it was a penetration test of the firewall and passwords and other technical things. I got paid for the job but I did not get the bonus.

Then I wondered, what would have happened had I just quit my security gig after getting the Network Admin gig? I would have had a job that paid about $90,000 per year if I made it through the one month trial period. I would have known about the file and protected it and made my team look really good. But I would have gotten the job via fraud. If I was ever discovered people would have had a good reason to never hire me again for anything.

But it could have been a crime that paid. I likely would have never gone to jail for it even if I had been discovered. I probably would have never even been arrested.

People are deceptive at job interviews all the time. People exaggerate on their resumes quite often, this would have just been one step above that by never actually going to an interview.

For $90,000 there are people out there who would kill for that amount, but $90,000 + health and dental & a 401k and maybe some profit sharing and a chance for a promotion and Christmas bonus for 5 years or more?

That is tempting and perhaps I was foolish for doing the job I was hired to do instead of doing the job I was never hired to do for more money and more stability, but here I am now.

I have always had this in the back of my mind. I wondered who has done this? Who has done something similar? A well crafted career fraud can pay better than most crimes and be legal and have your proceeds “laundered” because you have been getting them as a legitimate paycheck and paying taxes on it.

Yesterday on LinkedIn I saw a “Trending” story about an ex-poker player named Haseeb Qureshi who landed a $250k job with Airbnb with about 1 year experience as an instructor at one of those “coding camps”. The interesting thing about the story is that Qureshi had previously been involved in a poker scam where fake accounts and references were used to produce a profit. More later as I investigate this.

And it might be the guy is completely legitimate but I saw a bit of my penetration testing technique in his story so I have to check it out.