[HN Gopher] Stopping phishing campaigns with Bash

Stopping phishing campaigns with Bash
Author : geek_at
Score  : 412 points
Date   : 2020-08-13 08:25 UTC (14 hours ago)
Link   : blog.haschek.at

| RemySoc wrote:
| I was doing this 15 years ago. Does it mean that I'm old?
| beAbU wrote:
| A colleague and I did something similar recently.
|
| We got similar spam mails in our work inboxes. Whipped up a little ruby script that spammed bum login data to the spammer's form url. We had our scripts running on a couple of Heroku instances and all.
|
| At some stage we realized that the password field in the form accepted arbitrarily sized payloads. So we base64 encoded some 10MB file and sent that as the password. The thinking was if we could not DoS them, we can at least clog up their works with some real hefty payloads.
|
| More can be seen here: https://github.com/dj-louw/spamscam
| Sebb767 wrote:
| While funny, real-looking fake login data might be more useful, as it's probably real easy to filter the few large requests. Unless, of course, you bring down the server and stop the whole operation (for a time).
|
| It would be quite interesting to do a study on both options using a honeypot-account (to detect whether the login could be extracted by the spammer).
| beAbU wrote:
| So the script we wrote created real email addresses and user names. The Ruby gem Faker (https://github.com/faker-ruby/faker) takes care of that.
|
| But yeah you are probably right. 10MB passwords possibly made it too easy for the scammer to filter out the bum data.
|
| We did only make the 10MB change very late in our attack, so the scammer got 1000's of fake names and emails before we cranked up the mass of each individual request.
| Wandfarbe wrote:
| I stopped 2 webshops which basically sell expensive stuff 20% off by wire transfer (bank transfer?!)
| which then never send the goods of course!
|
| I did the following:
|
| - I found out where it was hosted and sent them an email explaining to them why and how that shop is a scam
|
| - I found out where they hosted the domain and wrote the registrar an abuse email
|
| - I wrote an email to the banks where the bank accounts were active
|
| The scammer had a webchat module active and he/she did write back to me, nothing came out through that, nonetheless:
|
| next day, both webshops were gone due to being taken offline from the hosters.
|
| I do believe that they do have a chance because literally no one cares. I have seen mentioning of one of those two shops older than 6 months. I pissed at them with very little effort in a very short time.
|
| I do hope I helped out.
| madarcho wrote:
| Abuse email/report to the registrar is also my goto. Usually results in a quick response
| parliament32 wrote:
| You'll get a response but it'll always be a polite "fuck off" unless you have some sort of actual authority (are you the trademark holder? are you LE? do you have a court order?). You'll have better luck contacting the hosting provider because they're actually responsible for the content.
| Cthulhu_ wrote:
| I like to think it helped out, but at the same time, these people are professionals and will have automation to generate new instances and scam campaigns easily. At least it should be more difficult for them to set up new bank accounts though, they need ID for that, and / or a network of mules, and those are finite resources.
| pbhjpbhj wrote:
| I think the bank thing is done through students quite often: "Hey, I can't get a bank account as I'm a refugee fleeing a war, please help by receiving £5000 cash, we'll give you £100. Say it's a gift from your Aunty to buy a car with."
|
| I've seen reports of this in the UK at least, maybe they managed to stop it.
| Geezus_42 wrote:
| At least in the US the people who accept the offer can be charged as money mules.
| berkes wrote:
| I attended a meetup at our local registrar (SIDN) where they explained how data analysts on their payroll detect such fake webshops and how they then actively block those domains on DNS and registrar level.
| jagged-chisel wrote:
| I'm assuming you don't mean "employee payroll" right?
| 1023bytes wrote:
| All banks in the EU are required to use 2FA, I'm curious how these hackers get around that.
| geek_at wrote:
| In this case (with the second page) it looked like after you put in your credentials they put you in a loop while they tried to use your logins.
|
| I assume that if the banking backend told them the verification sms or whatever is sent, they would have asked the user about it and just forwarded it
| moviuro wrote:
| 1. One SMS every 90 days, because the security teams have no idea how MFA works (I know, I work there). Even if you hop devices. See https://try.popho.be/psd2.html
|
| 2. It's just a little dev step away: http://blog.cmpxchg8b.com/2020/07/you-dont-need-sms-2fa.html . Phish kits will evolve, UX will still be bad, and phishing will still happen.
|
| See also https://sakurity.com/blog/2015/07/18/2fa.html
| raverbashing wrote:
| Some banks know security better than others
|
| And yes the login one might be every 90 days, but to do a transaction there might be an extra one
|
| (yes Germany did away with paper tans (2fa codes) in 2019 yay - thankfully not all banks are that stupid)
| VBprogrammer wrote:
| For quite a long time my bank used cargo culted 2FA i.e. 2x things that you know. Pretty embarrassing really. Thankfully they now have a card reader device but it's only used for certain actions (like adding new payees).
| dubbel wrote:
| That's why the second, more advanced phishing page was trying to immediately log in with the just acquired login credentials.
|
| If a 2FA challenge is presented, it is relayed to the victim on the phishing website, and as soon as the code is submitted, it is relayed to the real bank's website in turn.
| ThePadawan wrote:
| "required to use 2FA" for login, or "required to use 2FA" to conduct transactions?
|
| I'm asking because my (German) bank only very recently changed to requiring 2FA every X days for login. I'm very curious if they are actually compliant, since I used to be able to log in just with 1 factor to see my current balance (but not conduct any transactions).
| rusticpenn wrote:
| For me it's only 2FA for transactions.
| GlitchMr wrote:
| Currently 2FA (legally known as "strong customer authentication") for logging in to payment services (like banks) when one wasn't performed in 90 days is required in the EEA.
|
| IMO implementing the bare minimum like this does nothing for security. However, often banks do that, and even if you try to look intentionally suspicious (say, use a VPN in the United States with another web browser on another operating system) they don't care and won't ask you for 2FA.
| darkwater wrote:
| If they are already sending you an SMS maybe they can try to fake that as well and access your account immediately with the expiring token.
| berkes wrote:
| Wouldn't a phishing site be able to proxy the challenge and then record and proxy the response which the user types in? I.e. MITM the 2fa?
| tialaramex wrote:
| Yes, there is existing software to automate this, I presume that competent bad guys already use that.
|
| However you can't do this to WebAuthn (or its non-standard predecessor U2F). The WebAuthn challenge is bound to a DNS name, by the client browser. So https://fake-bank.example/important/urgent/thing/ignore/the/... can't get credentials for real-bank.example even if the human is utterly convinced the fake site is their real bank, because you need to fool the web browser not just a human.
|
| AFAIK zero banks use WebAuthn...
| szatkus wrote:
| Depends what you want to achieve. With wire transfers there's usually (always?) info about the amount and last few digits of the account you're transferring money to on your 2FA provider.
| mrvenkman wrote:
| "The way these things work is that they act like they're the real login form, steal your credentials and usually send you off to the real bank so you think you made a typo or something."
|
| If that's the case then surely you're also flooding the bank's real site with GET requests after the redirection.
| __s wrote:
| Bash doesn't have to follow the redirect
|
| Even if, I'm sure the bank appreciates someone working against phishing. A few GET requests is something they're meant to handle. They have to be resistant to DDoS attempts from malevolent actors
| Cthulhu_ wrote:
| From cURL the author can ignore the redirect to the bank's real site though.
| groznyyi wrote:
| Done For You Services Affiliate Marketing System
|
| Insane Marketer Wesley Virgin and Ariella have created an offer that is not only making affiliates wealthy but they are helping 100s of millions of NEWBIES earn money online.
|
| Join Hore : https://bit.ly/3gpgGgd
| atum47 wrote:
| I made something similar a couple of years ago, but I took down the video that I recorded doing it cause I was afraid it could turn back on me.
|
| These days I usually try to write an email to the abuser and to the hosting services. I also did a bunch of these "flags" on Instagram ads.
|
| Instagram is the worst, cause they open a website in their app, hiding the true URL of the phishing site. I sent a complaint to them about that. Never heard back.
| mrkramer wrote:
| So you DDOSed their backend but they could've whitelisted their IP range and blacklisted all the others for incoming requests.
|
| What you did does nothing against flexible and adaptive adversaries.
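The relay that dubbel and berkes describe (phishing page forwards the bank's 2FA challenge to the victim and the victim's answer back to the bank) and tialaramex's point that WebAuthn defeats it because the browser binds the assertion to the page's origin, shown as a simulated exchange. This is an added example, not code from the thread or from the blog post it discusses: `real-bank.example`, `fake-bank.example`, the rpId and the allowed-origin set are assumed names, and HMAC stands in for the authenticator's asymmetric signature so it runs with the standard library alone (a real relying party would use a library such as python-fido2 rather than hand-rolled checks).

```python
"""Simulated WebAuthn assertion flow: a challenge relayed through a phishing
origin fails relying-party verification. Constructed example; HMAC stands in
for the authenticator's ECDSA/EdDSA signature, and all names are assumed."""
import hashlib
import hmac
import json
import secrets

RP_ID = "real-bank.example"                    # assumed relying-party id
ALLOWED_ORIGINS = {"https://real-bank.example"}  # assumed genuine origins


def authenticator_sign(cred_key: bytes, rp_id: str, client_data_hash: bytes):
    """Authenticator: authenticatorData = sha256(rpId) || flags || counter, signed
    together with sha256(clientDataJSON). HMAC here; a real device signs with
    the per-relying-party private key."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    sig = hmac.new(cred_key, auth_data + client_data_hash, hashlib.sha256).digest()
    return auth_data, sig


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str, cred_key: bytes):
    """Browser side of navigator.credentials.get(): the browser, not the page's
    script, writes the page's own origin into clientDataJSON, and it refuses an
    rpId that is neither the page host nor a parent domain of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError(f"SecurityError: rpId {rp_id!r} is not valid for {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data, sig = authenticator_sign(cred_key, rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(cred_key: bytes, issued_challenge: str, client_data: bytes,
              auth_data: bytes, sig: bytes):
    """Relying party: the spec's checks in order (type, challenge, origin,
    rpIdHash, signature). Returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(cd.get("challenge", ""), issued_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(cred_key: bytes):
    """User on the real site: browser fills in the real origin, bank accepts."""
    challenge = secrets.token_urlsafe(32)
    assertion = browser_get_assertion("https://real-bank.example", RP_ID, challenge, cred_key)
    return rp_verify(cred_key, challenge, *assertion)


def relayed_login(cred_key: bytes, phishing_origin: str = "https://fake-bank.example"):
    """The relay: the phishing page forwards the bank's real challenge to the
    victim's browser. Asking for the bank's rpId raises in the browser; asking
    for its own rpId yields an assertion the bank rejects on origin. (Reusing
    cred_key for the phisher's rpId overstates its position: a real
    authenticator holds no credential for fake-bank.example at all.)"""
    challenge = secrets.token_urlsafe(32)          # issued by the real bank
    try:
        assertion = browser_get_assertion(phishing_origin, RP_ID, challenge, cred_key)
    except ValueError:
        own_rp_id = phishing_origin.split("://", 1)[1]
        assertion = browser_get_assertion(phishing_origin, own_rp_id, challenge, cred_key)
    return rp_verify(cred_key, challenge, *assertion)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("legitimate:", legitimate_login(key))
    print("relayed:   ", relayed_login(key))
```

The origin check is the one an SMS or TOTP code has no equivalent of: the code is just a number the victim can be talked into typing anywhere, whereas here the browser, which the phisher does not control, writes the origin into the signed data.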
| nostoc wrote:
| People who buy phishing kits and set them up are typically not flexible and adaptive adversaries.
| [deleted]
| scalableUnicon wrote:
| Even if that's the case, it made the website unavailable for future victims who got the same text messages.
| parliament32 wrote:
| Not if they just made the site return a 404/500 just to his IPs, which any half-decent adversary would do. The "play dead" strategy works great with these kinds of vigilantes.
|
| We've employed similar tactics against DDoSers at work. Start returning 500s or just tarpit their requests, they think the site is down and they go home.
| dandare wrote:
| A friend of mine fell victim to a renting scam here in Czechia. The phishing site was using the native .cz TLD, which is well within the reach of Czech authorities. I was particularly bored that day so I went to a local police department to report a crime. I advised the policeman to take down the phishing site - it was actively facilitating a crime. The poor cops had no idea what to do and in the end they told me that this crime is taking place on the internet and they have no means of investigating it :D.
| ufmace wrote:
| Probably whoever works at the desk there has no idea how to get in touch with the department responsible for investigating internet crimes. They're probably in another office far away, and never interact with each other.
| dependenttypes wrote:
| This kind of thing always confused me. Scam sites and sites promoting illegal activities (such as fake dna tests) are everywhere. Surely the police could take them down in the same way that they take down child porn sites.
| josefx wrote:
| If you asked EU politicians a few years ago there was no way to take those down and we needed a great European firewall asap.
| Of course when their top secret list of illegal sites got leaked it turned out to be sites that could be taken down within a few hours by just contacting the hosting providers.
| daniel-s wrote:
| Is this a useful strategy that banks can or do employ? Filling a phisher's catch with spammed fake credentials may pollute their database enough that it's not worth selling.
| heipei wrote:
| The same IP that hosted this guy's phishing page also hosted phishing pages targeting Italian banks WeBank, Banca Intesa Sanpaolo and Banca Sella over the past 14 days, all with wildcard certs issued by the same CA. So not really surprising, just run of the mill phishkit activity most likely. If you have fun spamming their inbox then knock yourself out, but it's not gonna make a dent in the thousands of phishkits deployed every day. Source: https://urlscan.io/ip/89.46.110.15
| ChrisMarshallNY wrote:
| I know someone that DDoSed a forum spammer.
|
| They hit back, ten times as hard, and completely destroyed a well-established forum, with thousands of users, that had experienced an annoying (but not crippling) "penis pill" spam attack.
| Aachen wrote:
| So like... Backups? Restore, put it behind basic auth and email the password to the members active in the past few weeks, then at your leisure implement some captchas and go from there. Heck, restore the forum publicly as well and use that as a sandbox to see how they'll bypass it.
| ChrisMarshallNY wrote:
| Shirley, you jest.
|
| Backups are for, like, _squares_, dude.
|
| We live on the _edge_, dude!
|
| Extreme! YOLO!
|
| In all fairness, the person involved was a truly brilliant young man, and the experience pretty much shattered him, emotionally. He has yet to recover from it.
|
| In a way, it can be satisfying to be able to say "I told you so," but seeing the human cost kinda takes the fun out of smugness.
| parliament32 wrote:
| He said DDoS which has nothing to do with the data itself, and auth/captcha won't help. You'll have to upgrade to beefier servers, fatter pipes, or pay for a reverse proxy.. CF is free now and kinda helps sometimes, but it wasn't in the past, and any hacker with a grudge can take down your site anyway. It's about forcing you to spend money; which, if you're a hobby site forum host, you probably don't have.
| Aachen wrote:
| Ah, right, I read it differently but I think you're right. In my initial understanding the spammers hit back by a huge spam wave, but a counter DDoS could also be.
| n0on3 wrote:
| That's really... _not_ an appropriate response, and not only for the legal reasons others mentioned.
|
| Phishing sites can be / are often served by compromised hosts, so you might as well end up doxing a box which is not run by the bad guy, causing all sorts of mayhem for the legitimate owners / admins (in addition to their being compromised).
|
| Plus, you didn't solve anything, from the pattern you used it's pretty easy to clean up the data for the adversary, get rid of your garbage and put the thing back on the next day, so you've only temporarily disrupted their operation.
|
| A more appropriate response is to report the abuse to whoever manages the infrastructure (most likely a legitimate provider) and the domain registrar; both usually have appropriate channels and response procedures just for that. If you feel kind and keen to do some free work, you can find out if the infrastructure also has a legitimate purpose and contact the legitimate administrator. Also, there are a lot of abuse lists that accept contributions, as in submissions for malicious sites, where you can report this (so it gets fetched by a variety of stuff and blocked by others while it's operational before it gets eradicated).
|
| I understand this does not give you any credit or allow you to write a blog post about looping requests in bash but still.
| onetimeusename wrote:
| I used to report these things but ran into some issues: 1) There is no way I can see to contact anyone at Ali Cloud to report abuse and no expectation they will do anything, and I've seen an increasing number of scams hosted on offshore providers with no apparent abuse reporting system. 2) Some registrars and hosting providers want you to sign up with an account first to be able to create a support ticket to report abuse, which is very time consuming. 3) I would probably be spending hours per week reporting abuse and it never seems to end. It feels like trying to empty the ocean with a thimble. So now I just ignore phishing scams.
| n0on3 wrote:
| You should be able to find the registrar abuse contact information in the whois, in the fields "Registrar Abuse Contact Email" and "Registrar Abuse Telephone Number". Registrars are required to provide these for the accreditation to ICANN [0]. Both email and valid phone number are required.
|
| [0] https://www.icann.org/resources/pages/faqs-2013-11-26-en
| onetimeusename wrote:
| yes, I meant that more for hosting providers. However, I have never received a response from a registrar when I have contacted them about abuse so I am not sure how useful it is.
| gnfargbl wrote:
| Have you ever tried reporting a phishing site through those legitimate channels?
|
| I have, and my experiences have been that:
|
| * The domain registrars are apologetic and well-meaning, but tend to explain that they aren't empowered to take this stuff down without being ordered to by Law Enforcement or similar. There typically isn't a mechanism available for getting LE to respond before the phish campaign is over.
|
| * The hosting providers chosen by phishing sites are either "bulletproof hosts" who are tacitly complicit, or more commonly are so low-end that the support departments are massively underfunded and abuse reports take eons to be processed.
|
| Either way, the phisher achieves their objectives before the site is taken down. That being the state of affairs then, although I don't choose to use the kind of tactics outlined in the blog myself, I find it pretty hard to condemn those who do.
|
| EDIT: I do agree with you that submitting the URL/IP to abuse blacklists is a helpful and positive thing to do. Here are a couple of submission URLs (there are many more): https://pulsedive.com/submit/, https://www.abuseipdb.com/report.
| n0on3 wrote:
| I have. My experience is mixed, sometimes all you wrote happens (like, it takes days to get processed), sometimes it doesn't (you might be surprised how fast some small providers can react, sometimes faster than bigger ones). If you want to speed up the process, contacting the legitimate owner is the way (and hope their response is faster).
|
| I understand the will to take action, but doxing a phishing site can cause collaterals you did not foresee and want to avoid, legally and otherwise. And it doesn't solve anything, as previously explained, it just temporarily turns them down, which leads to a comparison between the time invested by the adversary (who will block your source as the first thing) and yours (and you don't want to go there). Definitely not something to suggest to inexperienced people as "a good way to fight phishing" (which they'll take literally, because it looks cool). There might be exceptions to this (as in, calculated risks) but they go far beyond what makes sense for someone alone to do.
| kayson wrote:
| I've had a similar experience. I ran into a scam that was masquerading as a popular Canadian clothing store (Roots) where everything was 50% off.
| I reported the domain to Namecheap and they said they're not responsible for the content since it's hosted elsewhere. I pointed out that the domain itself was also trying to pass as legitimate and they told me unless I was the trademark owner they couldn't do anything. I also e-mailed the hosting provider but never heard back.
|
| Fortunately I got ahold of Roots via Twitter and the scam seems to have been shut down.
| wolco wrote:
| Did you expect the domain company to take down the domain based on a copyright issue reported by an entity where they are not the copyright holder?
|
| Think of all of the false take down requests registrars would receive.
| valuearb wrote:
| If your insecure site has been hijacked by phishing campaigns, you deserve to have it brought to its knees. Security is your responsibility.
| dimitrios1 wrote:
| If your insecure house has been broken into, you deserve to have all of your stuff stolen. Security is your responsibility.
| valuearb wrote:
| Which doesn't apply to what I said. If you leave your handgun unsecured and it's stolen and used in a crime against OTHER PEOPLE, you don't believe you bear some responsibility?
| pharrington wrote:
| Mind posting a link to your website?
| mushufasa wrote:
| This is prevalent logic in the security community, but it sounds strange applied to other domains.
|
| "Porch pirates are justified because you should have secured your amazon delivery."
|
| "She deserved harassment because she was dressed provocatively"
|
| "Your country didn't have a wall so it deserved to be invaded."
| outworlder wrote:
| They sound strange because they are bad analogies.
|
| This is a case where a resource was hijacked and is being used against other people. A similarly bad analogy, but more accurate, is if you had a car that was stolen, and subsequently used to commit crimes. If it got stopped, it would be beneficial to society, even if it could cause you financial harm.
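The reporting route n0on3 and gnfargbl discuss above (registrar abuse contacts from whois, then a report to the registrar, the host and the blacklists) as a small triage helper. This is an added example, not code from the thread or from the blog post: the whois record is constructed, `fake-bank.example` and the registrar contact values are placeholders, and the only real identifiers are the ICANN field names n0on3 quotes. It tolerates the label variants registrars actually use ("Contact Phone" versus "Telephone Number", odd casing) and pulls the creation date, because a bank lookalike registered a few days earlier is the detail most worth stating in the report.

```python
"""Pull registrar abuse contacts out of whois output and draft an abuse report.
Constructed example; the sample record and all values are placeholders."""
import re
from datetime import datetime, timezone

# Constructed sample whois record (registrar output varies; this is typical).
SAMPLE_WHOIS = """\
Domain Name: FAKE-BANK.EXAMPLE
Registrar: Example Registrar, Inc.
Registrar IANA ID: 9999
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Creation Date: 2020-08-10T12:00:00Z
Name Server: NS1.HOST.EXAMPLE
"""

THREAD_DATE = datetime(2020, 8, 13, 8, 25, tzinfo=timezone.utc)  # date of this thread

# Labels drift between registrars ("Abuse Contact Phone", "Abuse Telephone
# Number", mixed case), so match loosely on the label and capture the value.
ABUSE_FIELD = re.compile(
    r"^\s*Registrar\s+Abuse\s+(?:Contact\s+)?"
    r"(?P<kind>E-?mail|(?:Tele)?phone(?:\s+Number)?)\s*:\s*(?P<value>\S.*?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
CREATED = re.compile(r"^\s*Creation\s+Date:\s*(?P<date>\S+)", re.IGNORECASE | re.MULTILINE)


def abuse_contacts(whois_text: str) -> dict:
    """Return {'email': ..., 'phone': ..., 'creation_date': ...} for whatever
    fields are present; a missing field is simply absent from the dict."""
    found = {}
    for m in ABUSE_FIELD.finditer(whois_text):
        kind = "email" if m.group("kind").lower().startswith("e") else "phone"
        found.setdefault(kind, m.group("value"))   # first occurrence wins
    m = CREATED.search(whois_text)
    if m:
        found["creation_date"] = m.group("date")
    return found


def domain_age_days(creation_date: str, now: datetime) -> int:
    """Whole days between an ISO-8601 whois timestamp and `now`."""
    created = datetime.fromisoformat(creation_date.replace("Z", "+00:00"))
    return (now - created).days


def draft_report(domain: str, phishing_url: str, whois_text: str, now: datetime) -> dict:
    """Assemble the pieces of an abuse report: where to send it and a plain body
    that states what was observed and how new the domain is."""
    contacts = abuse_contacts(whois_text)
    lines = [
        f"Phishing report for {domain}",
        f"URL observed: {phishing_url}",
        "The page imitates an online-banking login and collects credentials.",
    ]
    if "creation_date" in contacts:
        lines.append(f"Domain registered {domain_age_days(contacts['creation_date'], now)} days ago.")
    return {"to": contacts.get("email"), "phone": contacts.get("phone"), "body": "\n".join(lines)}


if __name__ == "__main__":
    report = draft_report("fake-bank.example", "https://fake-bank.example/login",
                          SAMPLE_WHOIS, THREAD_DATE)
    print("send to:", report["to"], "/", report["phone"])
    print(report["body"])
```

Feed it the output of `whois <domain>` (or a registrar's RDAP response rendered to text); if `to` comes back `None` the record lacks the mandated field, which is itself worth mentioning when you escalate to the hosting provider or a blacklist.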
| layoutIfNeeded wrote:
| It's more like: "She deserves to get her car's tires slashed because her car was stolen and is being driven on the sidewalk hitting innocent pedestrians"
|
| In which case my answer would be: of course, by all means!
| valuearb wrote:
| None of those acts enable the criminal to commit crimes against other people.
| outworlder wrote:
| I agree in principle. But...
|
| > Phishing sites can be / are often served by compromised hosts, so you might as well end up doxing a box which is not run by the bad guy, causing all sorts of mayhem for the legitimate owners / admins (in addition to their being compromised).
|
| Well, they are already compromised. If they were lucky, it was just an automated system that scanned for vulnerabilities and only dropped the phishing webserver - for now. It could be used as a jump box to compromise further systems in the host's network. Who knows what else may be running on the box. If it is being used for 'legitimate purposes', whatever purpose it is, it is at a large risk.
|
| The fact that it is still compromised indicates that it is not actively/properly monitored.
|
| Taking it out will draw much more attention to the system from their owners. If I had a compromised system that I didn't know about and it was taken out, I'd be thankful it wasn't left running for longer.
|
| It's not the 'correct' thing to do, but I'm not convinced that putting the system out of commission is more harmful than leaving it running doing who knows what.
| wolco wrote:
| It becomes a defense against hacking legitimate sites.
|
| Anyone could hack a site, put malware on it, and if they are caught claim they hacked in to remove the malware they put there.
| n0on3 wrote:
| Not much against taking a compromised system down, but the provider can (should?)
| do that according to their ToS (and whatever containment / response procedures they have in place), not some targeted victim playing vigilante by running what is basically a trivial DOS attack. My point was this is not a good thing to show off / encourage people to do and can have unexpectedly bad consequences.
| rileytg wrote:
| I had a similar situation happen to me. Someone was catfishing (dogfishing?) using my dog; they have him listed for sale...
|
| I phished the seller into giving me their Zelle email which was a full name and presumably tied to a legit bank account with a legit person associated with it.
|
| I reported them, with all the facts I'd collected, to the AG office in the state I believed them to be in (OH - b/c they offered shipping to anywhere + local delivery in Cleveland). I reached out to other dog owners that I could identify and urged them to also file reports.
|
| I passed along this information to a friend who works in cyber crimes law enforcement (specifically in crimes against children). He verified the information I provided to the best of his ability and passed it to his peers in another agency.
|
| Months later, nothing except an automated thanks from the AG office and the site is still up.
|
| The main issue I'm told is I don't have any victims who actually tried to purchase and never received a puppy.
|
| https://www.qualitygreatdanepuppies.com/available-puppies
|
| "Johnny" is my dog. That photo is in front of my old apartment.
|
| I do not condone this approach of striking back, but I am frustrated that even when I identify the culprit of a scam, there's nothing I can do.
| pavel_lishin wrote:
| I would be wary about sending a warning email from an email address that could be traced back to me. Some people panic, and assume that you're the person responsible, or lash out at the only person they can strike - you.
| n0on3 wrote:
| The infrastructure provider (if any) has likely seen more of these than you can imagine and again, they have proper channels for this and the people who monitor them know how to handle it, they won't lash out at you. Same goes for the domain registrar.
|
| As for the box's legitimate owner, while I agree that there is all kinds of crazy out there and you can avoid this if it makes you uncomfortable (abuse-at-provider will most likely contact them shortly without involving you), I don't see the lash out or strike at you scenarios as likely, in my experience usually you get a thank you.
|
| To be clear, I'm not suggesting emailing "Bro, you are compromised, bye", I mean, you can just inform them that you received the link and were taken to a phishing site that looks like it's hosted on their machine, attach screens, advise them on next steps if you want to go the extra mile in niceness. You're doing them a favour without breaking any law, why would they get mad at you?
| yosamino wrote:
| > A more appropriate response is to report the abuse to whoever manages the infrastructure (most likely a legitimate provider) and the domain registrar; both usually have appropriate channels and response procedures just for that.
|
| Unless of course it's behind Cloudflare - then you cannot find out whose infrastructure the criminals are operating from and Cloudflare itself does not give a fuck. Best case scenario: they will forward your complaint to their customer - an unknown party to you who might be the criminals themselves, putting you in danger.
|
| Thank you, Cloudflare.
| rnotaro wrote:
| Pardon me but I've contacted Cloudflare multiple times and they always shut them down.
|
| https://i.imgur.com/9pUiR4J.png
| n0on3 wrote:
| They claim they will do all this for you if they are (allegedly) proxying malicious content. Source: their abuse form [1], selecting "Phishing & Malware". Did you have bad experiences with this?
| Might be worth sharing.
|
| [1] https://www.cloudflare.com/abuse/form
| alsdkfjkqjwer wrote:
| i used the form and emailed abuse@ (for sites blatantly impersonating relief effort organizations at the onset of covid-19)
|
| all attempts got responses like "cool, but we don't do any of that. please contact google safe-site(tm) beta or something and get it blocked on the browser via that".
|
| Everyone here posting that they replied probably used email from a domain that is an expensive paid customer of theirs. I used a @gmail one.
| geek_at wrote:
| I recently had a (b/s)ad experience with them. I am hosting the demo site for my open source image hosting solution (pictshare) behind cloudflare and had the CSAM tool (that searches automatically for child pornography) enabled. Felt safe enough but after a while I noticed a TON of traffic.. like gigabytes an hour through cloudflare
|
| Turned out someone uploaded like 1000 child pornography images to the demo site, cloudflare didn't once send me anything or block an image before being uploaded.
|
| I wrote their support and they pointed me to the abuse form you mentioned (which would have reported the content to myself?)
|
| I thought they'd look into their logs and send interpol the uploaders' IP addresses but no, they didn't do anything.
|
| In the end I got interpol and the local BKA (Federal Criminal Police Office) and they were so awesome and I prepared excel sheets for them with all ip addresses and log entries of every consumer and uploader.
| thrownaway954 wrote:
| fyi... just cause you get a 404 error doesn't mean the site is down, it might mean you are blocked. IIS for example has the request filtering module in which you can return a status code when a certain filter is hit. it is very easy to create a filter where if a query parameter is over a certain character limit it returns a 404 (filters are just regular expressions).
| this is why you should always check a site from https://downforeveryoneorjustme.com/downforme.com
| noodlesUK wrote:
| As much as I think things like this can be fun, depending on your jurisdiction (and tbh the US loves extraditing people for silly computer crimes), it might not be advisable. This is all but certainly illegal at least within the US. I'm sure most competent security experts have been tempted to do things like this, or SQLi a scammer's form and nuke their DB, and usually bad things won't happen to you, but you might find that you're hacking something you weren't expecting, and might piss someone off other than a scammer.
| pantalaimon wrote:
| What do you think the scammers are going to do, call the police?
| macNchz wrote:
| They presumably wouldn't call the police to report you for messing with their scam, but it's not unthinkable - if they're able to identify who you are - that they could SWAT you. I believe Brian Krebs has been SWATed multiple times, and has had heroin mailed to his house to frame him.
| bartvk wrote:
| I have a colleague who is a security researcher. And every now and then, he tells me he got a threat from an internet criminal about "how they know where he lives".
| darkwater wrote:
| How can it be illegal sending a few fake data to a website? And anyway I doubt they will ever sue you, at most you could be targeted for some revenge attack if they are really pissed off and you don't hide your traces.
| StreamBright wrote:
| This can be classified as a denial of service attack because of the rate you are sending the requests. Depends on the law (and on the interpretation as well). I doubt that the phishing guys behind this will file a complaint though.
| socket0 wrote:
| Many phishing pages reside on compromised domains.
| Bob's Plumbing Supplies might wonder why their Wordpress site loaded with plug-ins has stopped working, ask someone to take a look, and see your IP address all over the logs.
| pbhjpbhj wrote:
| If you're messing with criminals using an IP traceable to you then the police might be the least of your problems.
| berkes wrote:
| Or the webhost where Bob's Plumbing Supplies is hosted detects an attack and files a complaint. Or the SAAS/server rental sees this, puts you on some automatic blacklist and puts it on the "to be investigated" blacklist. Too many parties involved whom you are "hurting" that might get back to you.
|
| Not saying this to keep anyone from repeating this, though; just that when doing so, keep in mind that you're probably not just hurting a scammer alone.
| darkwater wrote:
| To poison some phishing data you don't need to overload any server. Although the act itself of poisoning data could be seen as a DoS, since the service in question is an illegal one, IANAL but I don't think it would stand in court.
| noodlesUK wrote:
| IANAL:
|
| This is what I expect the relevant text in the CFAA is...
|
| knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
| flareback wrote:
| Is it damage if you're just sending data to an endpoint to see what happens? Sounds like he didn't try to send a SQL Injection, he just sent more characters than what was expected.
| freeone3000 wrote:
| Yes. It's even damage if you're sending expected requests, but the owner of the server didn't want you to. See: Aaron Swartz.
| xamde wrote:
| Is it a protected computer?
| eli wrote:
| Yes. It's defined incredibly and ridiculously broadly in the law. Pretty much any server you can get to on the internet is "protected"
| moduspol wrote:
| Looks accurate. It apparently does have a legal definition.
| | https://en.wikipedia.org/wiki/Protected_computer
| LinuxBender wrote: | and the blog shows intent.
| mirekrusin wrote: | Is it damage if you damage a damaging thing? If the effect of | your damage is less damage, maybe it's not damage after all?
| eitland wrote: | Depends: around here you can break into a shop at night | to put out a fire or - more realistically - break a car | window to pull out a kid (or animal) left alone in the | sun. | | I'd be careful with computer crimes on the Internet | though.
| woko wrote: | > I'd be careful with computer crimes on the Internet | though. | | Exactly. Let us say you break into a shop owned by some | mafia to put out a fire, then you might be fine w.r.t. | authority, but you might be in trouble w.r.t. criminals. | Similarly, say you break a car window to pull out a pit-bull left alone in the sun, you might have some issues | with the owner if he turns out to be part of some drug | trafficking gang. | | There is no reason to believe that phishing websites are | run by script-kiddies, there are obviously criminal rings | running all sorts of businesses on the Internet too. I | would rather leave the work to the authorities than | risk going through trouble with unknown criminals, | just so that I could have my funny revenge over them.
| Sebb767 wrote: | > Is it damage if you damage a damaging thing? | | When in doubt - yes. It's the same reasoning forbidding | you from shooting criminals in the street, you'd just | open up mob justice. | | Of course, this is a pretty clear cut case and you might | argue that this is an emergency (as people are clearly in | danger of being scammed unless you act right now), but | overall this is a very blurry line.
| [deleted]
| mcv wrote: | While it may be technically illegal, considering the victims | are themselves worse criminals caught in the act, I really | doubt anyone is going to give you trouble over this.
| | Unless authorities are looking for an excuse to prosecute you, | of course, but there's plenty of bad PR to be had for | authorities acting on behalf of criminals trying to steal | people's banking credentials.
| KMag wrote: | Maybe if you don't cause any collateral damage, you might | have a low chance of conviction by a jury because the victim | is highly non-sympathetic. (I'm not a lawyer. This is NOT | LEGAL ADVICE.) That doesn't mean you won't get charged and | incur a ton of legal costs if you pursue a jury trial rather | than settling. | | Always remember that U.S. courts are courts of law, not | courts of justice. That's usually a good thing (less left to | interpretation), but it does have downsides.
| mcv wrote: | > _" Always remember that U.S. courts are courts of law, | not courts of justice. That's usually a good thing (less | left to interpretation)"_ | | Are they? My impression is that US courts rely heavily on | the whims of a jury and the judge, leading to very | different outcomes for similar cases. Though often leading | to injustice (heavy punishments for poor and/or black | people, light punishments for rich and/or white people) | rather than justice.
| KMag wrote: | I think their biases would have worse consequences if | their goal was following some intuitive gut feeling of | justice rather than having a goal of applying the law | even when the law is known to be imperfect. That is, the | less explicit the rules are, the more wiggle room there | is for bias to act.
| valuearb wrote: | Jury nullification allows them to become courts of justice.
| outworlder wrote: | Which is why it's screened for at the jury selection stage.
| gruez wrote: | Then shut up about it and don't tell them?
| weinzierl wrote: | > While it may be technically illegal, considering the | victims are themselves worse criminals caught in the act, I | really doubt anyone is going to give you trouble over this.
| | Depends on who you fear more: law enforcement or organized | crime.
| [deleted]
| TheAdamAndChe wrote: | The comment you replied to did say "Unless authorities are | looking for an excuse to prosecute you, of course." If you | suspect you're being monitored by the FBI or some other | entity, you don't want to push the envelope.
| mcv wrote: | I think weinzierl suggests that the criminals behind this | might be more eager to punish you than law enforcement. | But of course for that it doesn't really matter whether | or not this is legal.
| shitloadofbooks wrote: | VPS owners will if your flooding causes issues for their | (other) clients on the same hardware, etc. | | It's definitely better to not do this.
| wolco wrote: | Until you realize you have been set up. The box you log into | has child porn or those logs you download have them. | | Now you pay up or cops are called. | | Trying to play a hacker may get you in more trouble unless | you really are one.
| generaljargon wrote: | Legal issues aside, these lists are typically checked with a | validation tool that runs through them to scrub malformed or | invalid entries. An example of one such tool, taken from a | krebsonsecurity post: https://krebsonsecurity.com/wp- | content/uploads/2019/08/chase....
| rymurr wrote: | I wonder how many 'fake news' sites and other tools designed to | subvert democracy are this fragile. Seems like we could do a lot | of good by disrupting those sites rather than slowing down | phishers. | | Defending our democratic institutions > messing with scammers
| withinboredom wrote: | Hilarious story: | | I was hired to look into why a WordPress site was so slow back in | 2010. It turned out the site was hacked and they were hosting a | spam viagra site on the side. When I brought it to their | attention, the owner asked: "Can we keep it up? It will help our | traffic numbers for investors and probably our Google ranking." | | I literally face-palmed.
| mipmap04 wrote: | Well, with a spam viagra site, I think the point is keeping it | up. | | On topic, it's crazy how willing some people are to defraud | their investors.
| darkerside wrote: | Seems like a missed opportunity to pivot into a spam viagra | hosting site
| x86_64Ubuntu wrote: | But then your costs get allocated to the spam operation. | The owner of the website is benefiting because of the | "traffic" they are receiving that is attributed to their | non-spam venture. The hacker is benefiting because of the | free hosting they are getting. The loser is anyone | interested in buying the site and having the price hinge on | the traffic.
| lr4444lr wrote: | Keeping it up with Viagra, huh...
| suixo wrote: | This reminds me of something similar I did about 5 years ago: | https://blog.securem.eu/projects/2015/03/08/flooding-the-phi... | | One important thing is to _report_ the phishing attempt, both to | the hosting providers involved and to the mail service used to | send the emails.
| anticristi wrote: | Nice! If you are required to write an email address, it would be | cool to use a canary, and see if it shows up on | haveibeenpwned.com.
| strogonoff wrote: | I don't think HaveIBeenPwned makes an attempt to harvest data | captured by phishing websites. It's intended to track data | leaked due to a breach of the actual system.
| Eremotherium wrote: | Mostly true but there are things like Collection #1 and Anti | Public Combo List which are amalgamations of unknown | provenance. A lot of it is probably prior breaches but I | wouldn't be surprised if it contained phishing data.
| badrabbit wrote: | It was probably a compromised site. Spinning up your own | domain/vps has the drawback of it being a new site not trusted or | classified by most corporate firewalls and proxies (if set up | right). | | You'd be surprised how easy it is to scan+pwn some wordpress site | left in default config or vulnerable to the latest joomla | exploit.
They then upload a $20 phishing kit and start spamming. | If you look at the directories' root in the path you sometimes | get lucky enough to get the zip/tar file they forgot to remove | (includes their email, to which stolen creds are sent; you | probably spammed the crap out of their mailbox too). A few times | I've even found unsecured webshells they left behind (just booted | them out, got emails of people who fell for it and did the | standard rfc-whatever notification) | | One thing I wanted to try was to include tracker URLs when | stuffing them with fake usernames like 'bob@bob.com | https://bobscompany.com/login.php?trackerid=1345556' or make it a | 1x1 pixel image link so when they see the fake creds I will know | their IP
| jitteriest wrote: | Not really important but: | | `cat /dev/urandom | tr -dc '0-9' | fold -w 7 | head -n 1` | | Can be accomplished in two steps instead of 4: | | `tr -dc '0-9' < /dev/urandom | head -c 7`
| gshubert17 wrote: | When I tried either of these, on my macOS, I got | | tr: Illegal byte sequence | | which I got around by changing the locale: | | ( export LC_ALL=C; tr -dc '0-9' < /dev/urandom | head -c 7 ) | | with help from: | https://unix.stackexchange.com/questions/141420/tr-complains...
| tdeck wrote: | I have seen the code for some phish kits in the past. Many of | them actually send an email on each submission rather than saving | to a file (more resilient if the hacked WordPress site is taken | down). They often also record the IP so it may be easier to | filter out "phish-feeding" attempts like this.
| catmistake wrote: | This is great, bash ftw. Nice presentation, too. | | Regarding its legality, I will paraphrase Bishop Berkeley: if a | tree falls in the forest, and no one is around to hear it, does | it make a sound? | | What I am getting at is until there is a complaint, there is no | crime, and as at least another pointed out, criminals will | usually not report crimes that reveal their own crimes.
"They | kidnapped my kidnap-victim!" | anonymfus wrote: | The kidnap-victim or their relatives can. So: | | _> Sadly the server didn't enable indexing otherwise I would | have seen all victims, but it was funny nonetheless._ | | It's actually very lucky for Haschek, because otherwise the | only thing stopping Raiffeisen from suing him for stealing | credentials would be a bad publicity. | alufers wrote: | Oh how cool, I thought I was the only one trying to mess with | scammy sites when I find them. Although I can see that I could | improve my methods, since I usually write a short user script | which spams the forms with data from faker.js and let the open | tab sit pinned in my browser for a week or so. | mflower wrote: | I was thinking about something pretty similar -- rather than | just try to overload the server, make it more difficult for | phisherpeople to figure out which data is legitimate. | | Realistically, I don't think I'd do it though -- who knows what | 0 days you are putting on your box when you connect to those | sites. | NicoJuicy wrote: | Well, I have something like HN running on | https://handlr.sapico.me ( automatically imports rss feeds) | | Wich had a lot of spammers and they worked around the Google | Human verification script for logging in. | | Humans won't add a Title + Url + text since it shouldn't be used | this way. | | So ... that flow now returns a xml bomb. | | Spam stopped immediately after deploying this. I'm a bit curious | how long they spend looking why the memory of their server | suddenly went through the roof :p | b0re wrote: | noob question: what does an \ at the end of a bash script do? Is | it the same as ; ? | liuyong wrote: | In bash '\' would escape the character behind it. In this case, | newline was escaped, which means you could ignore the newline | character and treat those lines as one line. | jtylr wrote: | The end of a bash script or a line? 
| | If it's at the end of the line it's just signifying that the | line continues underneath and to run that block as "one line". | It's just escaping the newline character.
| oddeyed wrote: | The opposite. ; is the same as a newline. Prepending the | newline with a backslash \ is like saying "pretend this newline | isn't here". So all of the -H arguments get applied to the same | command in the example, rather than being treated as commands | in their own right.
| newswasboring wrote: | Oh... I am having one of those moments where I feel like | everyone else but me knew this and I'm a dummy. But when put | like this, I realize \ here is an escape character thing, | making the newline into \\\n.
| lordnacho wrote: | What do they do when they access the victim's bank account? Buy | fungible goods with the money? Send it to another account?
| m-p-3 wrote: | I normally just report those sites on | https://safebrowsing.google.com/safebrowsing/report_phish/ and it | doesn't normally take long to end up with a phishing warning when | you navigate to it with a modern browser. | | I also try to send an email to the registrar "abuse" email to let | them know that a specific domain is hosting a phishing page (with | the exact link as proof). That takes it down quickly as well, | which forces the website owner to do some remediation.
| raverbashing wrote: | I think most URL shorteners have an abuse reporting facility | (with bitly, add a + to the end of the URL to see more info)
| miguelmota wrote: | > cat /dev/urandom | tr -dc '0-9' | fold -w 7 | head -n 1 | | Useless use of cat | | http://porkmail.org/era/unix/award.html
| hrgiger wrote: | Sorry for the off-topic question but are there any dirty link sharing | platforms, that you can share those links safely and warn the | user and force it to copy paste?
| Samuyi wrote: | great stuff
| gigatexal wrote: | The author is a saint. This made my day.
| jitendrac wrote: | That is really a good way to make them drop all the target.
But rather, if I were to do it, I would do it with a set of different | signatures shuffling randomly to make them un-filterable and limit | the rate of submission such that they don't immediately notice me | and I can make their database full of dummy data which makes it | useless for them. Many times you can also get to execute | arbitrary sql-injection and can delete the database. | | In fact, in the past when in college I was trying to learn some | hacking basics to find vulnerable servers. And as in the googled | article, like most script kiddies, I searched and found a | vulnerable site which was already hacked and had | shell.php installed on it. What that vulnerability did was, it found a way | to inject the browser navigator name into a php script using | /proc/self/environ. After studying the attack, what I did was remove | the shell and patch the vulnerable file with some obfuscation. | I was so naive (what would have happened if my IP was tracked and | I became a suspected criminal); now, looking at the past, luckily I never got | myself involved in legal things.
| saagarjha wrote: | While this is all fun and games, I am curious if DOSing someone | else's server, even if it's being used to run a phishing scam, is | legal.
| godzillabrennus wrote: | I seriously doubt it is legal in the United States. Seems like | a pretty clear abuse of a computer network.
| zwirbl wrote: | The author lives in Austria and the phishing attempt itself | was targeting a major Austrian bank, but I don't know if this | is legal or if that's a gray area
| tracker1 wrote: | If you're in the US, it could be a violation of the Computer | Fraud and Abuse Act. I used to do stuff like this until I | became aware of the potential felony behind it.
| uzakov wrote: | Same for the UK in most cases - illegal.
| nikau wrote: | Probably as illegal as stealing cocaine from a drug dealer.
| emteycz wrote: | Probably less legal.
No court will convict you of stealing | that cocaine, but a lot of courts would convict you of a | computer attack. Don't forget that when attacking, you're | almost certainly not attacking just the phisher, but a lot of | middlemen.
| Cthulhu_ wrote: | If they're hosted (e.g. shared hosting), then the hosting party | may just lock you out if they had DDOS protection because | you're using their resources. They're not happy with phishing | sites being hosted on their sites, but also not - and they | probably suffer more damage, even if it's "just" resources - | from DDOS attacks.
| imgabe wrote: | Probably not, but it's like stealing from a drug dealer. They | can't report you without incriminating themselves. Of course | stealing from drug dealers is known to have other | ramifications...
| stephenmc77 wrote: | I imagine it's illegal but I also assume that for it to be | prosecutable, there would have to be a complainant. Good luck | to that guy trying to prove that DDOS-ing a phishing site is | worse than the phishing itself!
| mhils wrote: | It is not unlikely that the phishing site is hosted on a | hacked server that still serves legitimate websites (which | you would also take down in the process). So there could be a | legitimate complainant.
| geek_at wrote: | In this case however both sites I "took down" were still | accessible afterwards, they just removed their backend. | Still got an empty response or 404 with a valid http | certificate. | | So probably the phishers were annoyed with the fake data | and moved servers
| schappim wrote: | I am all for this. Thank you.
___________________________________________________________________
(page generated 2020-08-13 23:00 UTC)
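The two shell details debated in the thread above, the `tr -dc '0-9' < /dev/urandom` digit generator with gshubert17's `LC_ALL=C` workaround for macOS, and the trailing-backslash line continuation that b0re asked about, as one added example that is not from the thread or from the blog post; the function names `random_digits`, `is_all_digits` and `continued_arg_count` are this example's own.

```shell
# Added example (not from the thread or the blog post). Two points
# raised above: (1) a locale-safe random-digit generator built on the
# "tr -dc '0-9' < /dev/urandom" idea; (2) what a trailing backslash
# does to a command spread over several lines.

# random_digits N: print exactly N random ASCII digits (default 7, as
# in the thread). LC_ALL=C makes tr work bytewise, so random bytes
# never form an "Illegal byte sequence" in a UTF-8 locale (macOS).
# A bounded chunk is read per round, so nothing here relies on tr
# being killed by SIGPIPE (which breaks under "set -o pipefail"), and
# the loop covers the case where one chunk yields too few digits
# (about 1 byte in 26 is a digit, so 4096 bytes give roughly 160).
random_digits() {
    local n="${1:-7}" out="" chunk
    while [ "${#out}" -lt "$n" ]; do
        chunk=$(head -c 4096 /dev/urandom | LC_ALL=C tr -dc '0-9')
        out="$out$chunk"
    done
    # Trim to N bytes. Unlike "fold -w 7 | head -n 1" in the original
    # one-liner, this prints no trailing newline.
    printf '%s' "$out" | head -c "$n"
}

# is_all_digits S: succeed only if S is non-empty and consists solely
# of ASCII digits (a cheap check before trusting a generated value).
is_all_digits() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Trailing backslash: it escapes the newline, so the shell joins the
# physical lines into one command (";" would instead end the command,
# as oddeyed explains above). count_args reports how many arguments
# reached it; the three lines in continued_arg_count are one call
# with four arguments, exactly like the multi-line "-H" curl command
# the question was about.
count_args() { printf '%s' "$#"; }
continued_arg_count() {
    count_args \
        -H "Content-Type: application/json" \
        -H "Accept: */*"
}
# continued_arg_count   # prints 4
```

Run it with `sh` or `bash`; `d=$(random_digits 7); is_all_digits "$d" && echo "$d"` prints a fresh 7-digit value.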