[HN Gopher] Stopping phishing campaigns with Bash
       ___________________________________________________________________
        
       Stopping phishing campaigns with Bash
        
       Author : geek_at
       Score  : 412 points
       Date   : 2020-08-13 08:25 UTC (14 hours ago)
        
 (HTM) web link (blog.haschek.at)
 (TXT) w3m dump (blog.haschek.at)
        
       | RemySoc wrote:
       | I was doing this 15 years ago. Does it mean that I'm old?
        
       | beAbU wrote:
       | A colleague and I did something similar recently.
       | 
       | We got similar spam mails in our work inboxes. Whipped up a
       | little Ruby script that spammed bum login data to the spammer's
       | form URL. We had our scripts running on a couple of Heroku
       | instances and all.
       | 
       | At some stage we realized that the password field in the form
       | accepted arbitrarily sized payloads. So we base64 encoded some
       | 10MB file and sent that as the password. The thinking was if we
       | could not DoS them, we can at least clog up their works with some
       | real hefty payloads.
       | 
       | More can be seen here: https://github.com/dj-louw/spamscam
        
         | Sebb767 wrote:
         | While funny, real-looking fake login data might be more useful,
         | as it's probably real easy to filter the few large requests.
         | Unless, of course, you bring down the server and stop the whole
         | operation (for a time).
         | 
         | It would be quite interesting to do a study on both options
         | using a honeypot-account (to detect whether the login could be
         | extracted by the spammer).
        
           | beAbU wrote:
           | So the script we wrote created real email addresses and user
           | names. The Ruby gem Faker (https://github.com/faker-ruby/faker)
           | takes care of that.
           | 
           | But yeah you are probably right. 10MB passwords possibly made
           | it too easy for the scammer to filter out the bum data.
           | 
           | We did only make the 10MB change very late in our attack, so
           | the scammer got 1000's of fake names and emails before we
           | cranked up the mass of each individual request.
        
       | Wandfarbe wrote:
       | I stopped 2 webshops which basically sold expensive stuff 20% off
       | by wire transfer (bank transfer?!) and then never sent the
       | goods, of course!
       | 
       | I did the following:
       | 
       | - I found out where it was hosted and sent them an email
       | explaining to them why and how that shop is a scam
       | 
       | - I found out where they hosted the domain and wrote the
       | registrar an abuse email
       | 
       | - I wrote an email to the banks where the bank accounts were
       | active
       | 
       | The scammer had a webchat module active and he/she did write back
       | to me; nothing came out of that. Nonetheless:
       | 
       | next day, both webshops were gone, taken offline by the
       | hosters.
       | 
       | I do believe that they do have a chance because literally no one
       | cares. I have seen mentions of one of those two shops older
       | than 6 months. I pissed at them with very little effort in a very
       | short time.
       | 
       | I do hope I helped out.
        
         | madarcho wrote:
         | Abuse email/report to the registrar is also my go-to. Usually
         | results in a quick response
        
           | parliament32 wrote:
           | You'll get a response but it'll always be a polite "fuck off"
           | unless you have some sort of actual authority (are you the
           | trademark holder? are you LE? do you have a court order?).
           | You'll have better luck contacting the hosting provider
           | because they're actually responsible for the content.
        
         | Cthulhu_ wrote:
         | I like to think it helped out, but at the same time, these
         | people are professionals and will have automation to generate
         | new instances and scam campaigns easily. At least it should be
         | more difficult for them to set up new bank accounts though,
         | they need ID for that, and / or a network of mules, and those
         | are finite resources.
        
           | pbhjpbhj wrote:
           | I think the bank thing is done through students quite often:
           | "Hey, I can't get a bank account as I'm a refugee fleeing a
           | war, please help by receiving £5000 cash, we'll give you
           | £100. Say it's a gift from your Aunty to buy a car with."
           | 
           | I've seen reports of this in the UK at least, maybe they
           | managed to stop it.
        
             | Geezus_42 wrote:
             | At least in the US the people who accept the offer can be
             | charged as money mules.
        
         | berkes wrote:
         | I attended a meetup at our local registrar (SIDN) where they
         | explained how data analysts on their payroll detect such fake
         | webshops and how they then actively block those domains on DNS
         | and registrar level.
        
           | jagged-chisel wrote:
           | I'm assuming you don't mean "employee payroll" right?
        
       | 1023bytes wrote:
       | All banks in the EU are required to use 2FA, I'm curious how
       | these hackers get around that.
        
         | geek_at wrote:
         | In this case (with the second page) it looked like after you
         | put in your credentials they put you in a loop while they tried
         | to use your logins.
         | 
         | I assume that if the banking backend told them the verification
         | SMS or whatever was sent, they would have asked the user about
         | it and just forwarded it
        
         | moviuro wrote:
         | 1. One SMS every 90 days, because the security teams have no
         | idea how MFA works (I know, I work there). Even if you hop
         | devices. See https://try.popho.be/psd2.html
         | 
         | 2. It's just a little dev step away:
         | http://blog.cmpxchg8b.com/2020/07/you-dont-need-sms-2fa.html .
         | Phish kits will evolve, UX will still be bad, and phishing will
         | still happen.
         | 
         | See also https://sakurity.com/blog/2015/07/18/2fa.html
        
           | raverbashing wrote:
           | Some banks know security better than others
           | 
           | And yes the login one might be every 90 days, but to do a
           | transaction there might be an extra one
           | 
           | (yes Germany did away with paper TANs (2FA codes) in 2019 yay
           | - thankfully not all banks are that stupid)
        
         | VBprogrammer wrote:
         | For quite a long time my bank used cargo-culted 2FA, i.e. 2x
         | things that you know. Pretty embarrassing really. Thankfully
         | they now have a card reader device but it's only used for
         | certain actions (like adding new payees).
        
         | dubbel wrote:
         | That's why the second, more advanced phishing page was trying
         | to immediately log in with the just acquired login credentials.
         | 
         | If a 2FA challenge is presented, it is relayed to the victim on
         | the phishing website, and as soon as the code is submitted, it
         | is relayed to the real bank's website in turn.
        
         | ThePadawan wrote:
         | "required to use 2FA" for login, or "required to use 2FA" to
         | conduct transactions?
         | 
         | I'm asking because my (German) bank only very recently changed
         | to requiring 2FA every X days for login. I'm very curious if
         | they are actually compliant, since I used to be able to log in
         | just with 1 factor to see my current balance (but not conduct
         | any transactions).
        
           | rusticpenn wrote:
           | For me it's only 2FA for transactions.
        
           | GlitchMr wrote:
           | Currently 2FA (legally known as "strong customer
           | authentication") for logging in to payment services (like
           | banks) when one wasn't performed in 90 days is required in the
           | EEA.
           | 
           | IMO implementing the bare minimum this does nothing for
           | security. However, often banks do that, and even if you try
           | to look intentionally suspicious (say, use a VPN in United
           | States with another web browser on another operating system)
           | they don't care and won't ask you for 2FA.
        
         | darkwater wrote:
         | If they are already sending you an SMS maybe they can try to
         | fake that as well and access your account immediately with the
         | expiring token.
        
         | berkes wrote:
         | Wouldn't a phishing site be able to proxy the challenge and
         | then record and proxy the response which the user types in?
         | I.e. MITM the 2fa?
        
           | tialaramex wrote:
           | Yes, there is existing software to automate this, I presume
           | that competent bad guys already use that.
           | 
           | However you can't do this to WebAuthn (or its non-standard
           | predecessor U2F). The WebAuthn challenge is bound to a DNS
           | name, by the client browser. So
           | https://fake-bank.example/important/urgent/thing/ignore/the/...
           | can't get credentials for real-bank.example even if the human is
           | utterly convinced the fake site is their real bank, because
           | you need to fool the web browser not just a human.
           | 
           | AFAIK zero banks use WebAuthn...
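The two flows discussed in this subthread, side by side, as an added simulation (this is not code from the blog post or from any commenter): a real-time phishing proxy relays the victim's password and SMS code to the bank and gets in, while the same proxy fails against WebAuthn because the victim's browser fills in the page origin itself and refuses to use a credential whose RP ID does not match that origin. The names real-bank.example / fake-bank.example, the user and the password are assumptions, and the authenticator "signature" is a stand-in HMAC over a per-RP-ID secret that the toy bank also holds (real WebAuthn uses an asymmetric key pair; the origin, RP ID hash and challenge checks are the ones the spec mandates).

```python
"""OTP relay vs. WebAuthn: a simulation of the two flows discussed above.
Added example; not code from the blog post or any commenter. Signature is a
toy HMAC; real WebAuthn uses an asymmetric key pair."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://real-bank.example"   # assumed names
FAKE_ORIGIN = "https://fake-bank.example"
RP_ID = "real-bank.example"
USER = "alice"
VICTIM_PASSWORD = "hunter2"                 # constructed


def host_of(origin):
    return origin.split("://", 1)[1].split("/", 1)[0]


class Authenticator:
    """Victim's security key: one credential per RP ID; keys never leave it."""
    def __init__(self):
        self.creds = {}
    def register(self, rp_id):
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]       # toy stand-in for the public key
    def get_assertion(self, rp_id, client_data_hash):
        key = self.creds.get(rp_id)
        if key is None:                # no credential scoped to this RP ID
            return None
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash only
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return {"auth_data": auth_data, "sig": sig}


class Browser:
    """Enforces what the phisher cannot influence: origin and RP ID binding."""
    def __init__(self, authenticator):
        self.auth = authenticator
    def webauthn_get(self, page_origin, rp_id, challenge):
        host = host_of(page_origin)
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"rpId {rp_id!r} is not valid for {page_origin!r}")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True).encode()
        inner = self.auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
        return None if inner is None else {"client_data": client_data, **inner}


class Bank:
    def __init__(self):
        self.keys, self.otps, self.challenges = {}, {}, {}
    def login_password(self, user, password):       # step 1 of the SMS flow
        if password != VICTIM_PASSWORD:
            return False
        self.otps[user] = f"{secrets.randbelow(10**6):06d}"   # 'sent' by SMS
        return True
    def login_otp(self, user, code):                # step 2 of the SMS flow
        return hmac.compare_digest(self.otps.pop(user, ""), code)
    def webauthn_challenge(self, user):
        self.challenges[user] = secrets.token_urlsafe(32)
        return self.challenges[user]
    def webauthn_verify(self, user, assertion):
        if assertion is None:
            return False
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("origin") != REAL_ORIGIN:
            return False                            # signed on the wrong page
        if cd.get("challenge") != self.challenges.pop(user, None):
            return False
        if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
            return False
        msg = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.keys[user], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])


def setup():
    auth, bank = Authenticator(), Bank()
    bank.keys[USER] = auth.register(RP_ID)          # enrolment at the real bank
    return bank, Browser(auth)


def otp_relay_attack(bank):
    """Victim types password, then the SMS code, into the fake page; proxy replays both."""
    if not bank.login_password(USER, VICTIM_PASSWORD):
        return False
    code_typed_into_fake_page = bank.otps[USER]     # victim reads the SMS and types it
    return bank.login_otp(USER, code_typed_into_fake_page)


def webauthn_relay_attack(bank, browser):
    """Same proxy; the bank's challenge is relayed to the victim's browser on the fake page."""
    challenge = bank.webauthn_challenge(USER)
    try:                                            # asks for the bank's RP ID: browser refuses
        browser.webauthn_get(FAKE_ORIGIN, RP_ID, challenge)
        refused = False
    except PermissionError:
        refused = True
    # Falls back to its own RP ID: the authenticator has no credential for it.
    assertion = browser.webauthn_get(FAKE_ORIGIN, "fake-bank.example", challenge)
    return {"browser_refused": refused, "assertion": assertion,
            "bank_accepted": bank.webauthn_verify(USER, assertion)}


def legitimate_webauthn_login(bank, browser):
    challenge = bank.webauthn_challenge(USER)
    return bank.webauthn_verify(USER, browser.webauthn_get(REAL_ORIGIN, RP_ID, challenge))
```

Running `otp_relay_attack(*setup()[:1])` succeeds because nothing in the SMS code ties it to the page the victim typed it into; `webauthn_relay_attack` fails twice, first because the browser will not let fake-bank.example ask for the real-bank.example RP ID, and then because a credential scoped to fake-bank.example does not exist (and even if one did, the bank would reject its origin and rpIdHash). The same origin binding is what makes a relayed SMS code worthless against a bank that has moved to WebAuthn.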
        
           | szatkus wrote:
           | Depends what you want to achieve. With wire transfers there's
           | usually (always?) info about the amount and the last few digits
           | of the account you're transferring money to on your 2FA provider.
        
       | mrvenkman wrote:
       | "The way these things work is that they act like they're the real
       | login form, steal your credentials and usually send you off to
       | the real bank so you think you made a typo or something."
       | 
       | If that's the case then surely you're also flooding the bank's
       | real site with GET requests after the redirection.
        
         | __s wrote:
         | Bash doesn't have to follow the redirect
         | 
         | Even if it did, I'm sure the bank appreciates someone working
         | against phishing. A few GET requests are something they're meant
         | to handle. They have to be resistant to DDoS attempts from
         | malevolent actors
        
         | Cthulhu_ wrote:
         | From cURL the author can ignore the redirect to the bank's real
         | site though.
        
       | atum47 wrote:
       | I made something similar a couple of years ago, but I took
       | down the video that I recorded doing it because I was afraid it
       | could turn back on me.
       | 
       | These days I usually try to write an email to the abuse address
       | and to the hosting services. I also did a bunch of these "flags"
       | on Instagram ads.
       | 
       | Instagram is the worst, because they open a website in their app,
       | hiding the true URL of the phishing site. I sent a complaint to
       | them about that. Never heard back.
        
       | mrkramer wrote:
       | So you DDoSed their backend but they could've whitelisted their IP
       | range and blacklisted all the others for incoming requests.
       | 
       | What you did does nothing against flexible and adaptive
       | adversaries.
        
         | nostoc wrote:
         | People who buy phishing kit and set them up are typically not
         | flexible and adaptive adversaries.
        
         | scalableUnicon wrote:
         | Even if that's the case, it made the website unavailable for
         | future victims who got the same text messages.
        
           | parliament32 wrote:
           | Not if they just made the site return a 404/500 just to his
           | IPs, which any half-decent adversary would do. The "play
           | dead" strategy works great with this kind of vigilante.
           | 
           | We've employed similar tactics against DDoSers at work. Start
           | returning 500s or just tarpit their requests; they think the
           | site is down and they go home.
        
       | dandare wrote:
       | A friend of mine fell victim to a renting scam here in Czechia.
       | The phishing site was using the native .cz TLD, which is well
       | within the reach of Czech authorities. I was particularly bored
       | that day so I went to a local police department to report a
       | crime. I advised the policeman to take down the phishing site -
       | it was actively facilitating a crime. The poor cops had no idea
       | what to do and in the end they told me that this crime is taking
       | place on the internet and they have no means of investigating it
       | :D.
        
         | ufmace wrote:
         | Probably whoever works at the desk there has no idea how to get
         | in touch with the department responsible for investigating
         | internet crimes. They're probably in another office far away,
         | and never interact with each other.
        
         | dependenttypes wrote:
         | This kind of thing always confused me. Scam sites and sites
         | promoting illegal activities (such as fake dna tests) are
         | everywhere. Surely the police could take them down in the same
         | way that they take down child porn sites.
        
           | josefx wrote:
           | If you asked EU politicians a few years ago there was no way
           | to take those down and we needed a great European firewall
           | asap. Of course when their top secret list of illegal sites
           | got leaked it turned out to be sites that could be taken down
           | within a few hours by just contacting the hosting providers.
        
       | daniel-s wrote:
       | Is this a useful strategy that banks can or do employ? Filling a
       | phisher's catch with spammed fake credentials may pollute their
       | database enough that it's not worth selling.
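One concrete shape for what daniel-s asks about, and for the realistic-looking fake data beAbU describes generating with Faker: credentials that look like real customers but that the bank can recognise the moment a phisher (or whoever bought the dump) tries them at the real login. This is an added example, not code from the blog post or from any commenter. It assumes the defender holds a secret key (HONEYTOKEN_KEY); the name, word and symbol lists are made-up stand-ins for a library such as Faker, and the password is derived deterministically from the username with an HMAC so the login endpoint needs no database of what was seeded.

```python
"""Honeytoken credentials: fake logins a bank can recognise when a phisher replays them.
Added example; not code from the blog post or any commenter. HONEYTOKEN_KEY and the
name/word lists are assumptions (stand-ins for a generator such as Faker)."""
import hashlib
import hmac
import secrets

# Assumption: a secret held only by the defender. Rotate it like any other key.
HONEYTOKEN_KEY = bytes.fromhex("5f9b3c2a1d8e7f60aa11bb22cc33dd44ee55ff66778899a0b1c2d3e4f5061728")
FIRST_NAMES = ["anna", "jonas", "maria", "lukas", "sofia", "david", "elena", "felix"]
LAST_NAMES = ["huber", "gruber", "bauer", "wagner", "mueller", "pichler", "steiner", "moser"]
WORDS = ["Summer", "Winter", "Vienna", "Salzburg", "Coffee", "Mountain", "Garden", "Danube"]
SYMBOLS = "!#$%&*?@"
_rng = secrets.SystemRandom()


def _tag(username):
    """Keyed digest of the normalised username; every password byte derives from it."""
    return hmac.new(HONEYTOKEN_KEY, username.strip().lower().encode(), hashlib.sha256).digest()


def honey_password(username):
    """Deterministic but human-looking password: Word + 4 digits + symbol."""
    t = _tag(username)
    word = WORDS[t[0] % len(WORDS)]
    digits = f"{int.from_bytes(t[1:4], 'big') % 10000:04d}"
    return f"{word}{digits}{SYMBOLS[t[4] % len(SYMBOLS)]}"


def make_honeytoken():
    """Fresh plausible username plus its honeytoken password, ready to feed to the phishing form."""
    username = f"{_rng.choice(FIRST_NAMES)}.{_rng.choice(LAST_NAMES)}{_rng.randrange(10, 100)}"
    return username, honey_password(username)


def is_honeytoken(username, password):
    """Constant-time check at the real login endpoint; needs no list of seeded logins."""
    return hmac.compare_digest(honey_password(username).encode(), password.encode())


def classify_login(username, password, src_ip):
    """Run before the real password check: a honeytoken hit is an alert, not a login failure."""
    if is_honeytoken(username, password):
        return {"alert": True, "username": username, "src_ip": src_ip,
                "reason": "seeded honeytoken credential replayed"}
    return {"alert": False}
```

Because the whole password is recomputed and compared, a real customer who happens to pick the same pattern would also have to hit the exact HMAC-derived word, digits and symbol for that username, so false positives are negligible. The weak point is the one Sebb767 raises: if the seeded data has a visible pattern (a short word list, one registrar of email domains, one source IP), the phisher filters it out before selling, so the lists, the submission sources and the key should be varied. Note that this seeds a handful of records to be tripped later; it is not the flood of requests the blog post describes.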
        
       | heipei wrote:
       | The same IP that hosted this guy's phishing page also hosted
       | phishing pages targeting Italian banks WeBank, Banca Intesa
       | Sanpaolo and Banca Sella over the past 14 days, all with wildcard
       | certs issued by the same CA. So not really surprising, just run
       | of the mill phishkit activity most likely. If you have fun
       | spamming their inbox then knock yourself out, but it's not gonna
       | make a dent in the thousands of phishkits deployed every day.
       | Source: https://urlscan.io/ip/89.46.110.15
        
       | ChrisMarshallNY wrote:
       | I know someone that DDoSed a forum spammer.
       | 
       | They hit back, ten times as hard, and completely destroyed a
       | well-established forum, with thousands of users, that had
       | experienced an annoying (but not crippling) "penis pill" spam
       | attack.
        
         | Aachen wrote:
         | So like... Backups? Restore, put it behind basic auth and email
         | the password to the members active in the past few weeks, then
           | at your leisure implement some captchas and go from there.
         | Heck, restore the forum publicly as well and use that as a
         | sandbox to see how they'll bypass it.
        
           | ChrisMarshallNY wrote:
           | Shirley, you jest.
           | 
           | Backups are for, like, _squares_ , dude.
           | 
           | We live on the _edge_ , dude!
           | 
           | Extreme! YOLO!
           | 
           | In all fairness, the person involved was a truly brilliant
           | young man, and the experience pretty much shattered him,
           | emotionally. He has yet to recover from it.
           | 
           | In a way, it can be satisfying to be able to say "I told you
           | so," but seeing the human cost kinda takes the fun out of
           | smugness.
        
           | parliament32 wrote:
           | He said DDoS which has nothing to do with the data itself,
           | and auth/captcha won't help. You'll have to upgrade to
             | beefier servers, fatter pipes, or pay for a reverse proxy.
           | CF is free now and kinda helps sometimes, but it wasn't in
           | the past, and any hacker with a grudge can take down your
           | site anyway. It's about forcing you to spend money; which, if
           | you're a hobby site forum host, you probably don't have.
        
             | Aachen wrote:
             | Ah, right, I read it differently but I think you're right.
             | In my initial understanding the spammers hit back by a huge
             | spam wave, but a counter DDoS could also be.
        
       | n0on3 wrote:
       | That's really... _not_ an appropriate response, and not only
       | for the legal reasons others mentioned.
       | 
       | Phishing sites can be / are often served by compromised hosts, so
       | you might as well end up doxing a box which is not run by the bad
       | guy, causing all sorts of mayhem for the legitimate owners /
       | admins (in addition to their being compromised).
       | 
       | Plus, you didn't solve anything: from the pattern you used it's
       | pretty easy for the adversary to clean up the data, get rid of
       | your garbage and put the thing back up the next day, so you've
       | only temporarily disrupted their operation.
       | 
       | A more appropriate response is to report the abuse to whoever
       | manages the infrastructure (most likely a legitimate provider)
       | and the domain registrar; both usually have appropriate channels
       | and response procedures just for that. If you feel kind and keen
       | to do some free work, you can find out if the infrastructure also
       | has a legitimate purpose and contact the legitimate
       | administrator. Also, there are a lot of abuse lists that accept
       | contributions, as in submissions for malicious sites, where you
       | can report this (so it gets fetched by a variety of stuff and
       | blocked by others while it's operational before it gets
       | eradicated).
       | 
       | I understand this does not give you any credit or allow you to
       | write a blog post about looping requests in bash, but still.
        
         | onetimeusename wrote:
         | I used to report these things but ran into some issues: 1)
         | There is no way I can see to contact anyone at Ali Cloud to
         | report abuse and no expectation they will do anything and I've
         | seen an increasing number of scams hosted on offshore providers
         | with no apparent abuse reporting system. 2) Some registrars and
         | hosting providers want you to sign up with an account first to
         | be able to create a support ticket to report abuse which is
         | very time consuming. 3) I would probably be spending hours per
         | week reporting abuse and it never seems to end. It feels like
         | trying to empty the ocean with a thimble. So now I just ignore
         | phishing scams.
        
           | n0on3 wrote:
           | You should be able to find the registrar abuse contact
           | information in the whois, in the fields "Registrar Abuse
           | Contact Email" and "Registrar Abuse Telephone Number".
           | Registrars are required to provide these for the
           | accreditation to ICANN [0]. Both email and valid phone number
           | are required.
           | 
           | [0] https://www.icann.org/resources/pages/faqs-2013-11-26-en
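The whois fields n0on3 points at, plus the equivalent ones in the IP (RIR) records that identify the hosting provider, pulled out of whois output by a small parser. This is an added example, not code from the blog post or from any commenter; the two whois records are constructed samples using reserved example names, and the field names are the ones ICANN-accredited registrars and the RIPE/ARIN databases actually emit. The practitioner's caveat it encodes: the Registrant/Admin/Tech contacts in a phishing domain's record belong to the phisher, so the parser collects abuse fields only and refuses any address that lands at the phishing domain itself.

```python
"""Extract only the *abuse* contacts from whois output, never the registrant's.
Added example; not code from the blog post or any commenter. DOMAIN_WHOIS and
IP_WHOIS are constructed samples with reserved example names."""
import re
from urllib.parse import urlsplit

# Fields worth mailing (case-insensitive). Registrant/Admin/Tech contacts are
# deliberately absent: in a phishing domain's record they belong to the phisher.
ABUSE_FIELDS = {
    "registrar abuse contact email", "registrar abuse contact phone",   # ICANN RDDS
    "abuse-mailbox", "orgabuseemail", "orgabusephone",                  # RIPE / ARIN
}
_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(\S.*?)\s*$")
_RIPE_ABUSE_RE = re.compile(r"^% Abuse contact for .* is '([^']+)'", re.M)

DOMAIN_WHOIS = """\
Domain Name: LOGIN-SECURE-BANK.EXAMPLE
Registrar: Example Registrar, Inc.
Registrar URL: http://www.registrar.example
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Registrant Email: owner@login-secure-bank.example
Name Server: NS1.HOSTER.EXAMPLE
"""
IP_WHOIS = """\
% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@hoster.example'

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-HOSTING
abuse-mailbox:  abuse@hoster.example
admin-c:        EH1234-RIPE
"""


def target_host(url):
    """Hostname to look up; phishing URLs bury it under long paths and query strings."""
    return (urlsplit(url).hostname or "").lower()


def abuse_contacts(whois_text):
    """Return {field: [values]} for abuse fields only, plus RIPE's comment-line contact."""
    found = {}
    for line in whois_text.splitlines():
        m = _FIELD_RE.match(line)
        if m and m.group(1).strip().lower() in ABUSE_FIELDS:
            found.setdefault(m.group(1).strip(), []).append(m.group(2))
    for addr in _RIPE_ABUSE_RE.findall(whois_text):
        found.setdefault("abuse-mailbox", [])
        if addr not in found["abuse-mailbox"]:
            found["abuse-mailbox"].append(addr)
    return found


def is_safe_to_mail(address, phishing_host):
    """Refuse addresses at the phishing domain itself (or a subdomain of it)."""
    if "@" not in address:
        return False
    dom = address.rsplit("@", 1)[-1].lower()
    return dom != phishing_host and not dom.endswith("." + phishing_host)


def report_targets(url, domain_whois, ip_whois):
    """Deduplicated list of addresses to send an abuse report to for this URL."""
    host = target_host(url)
    out = []
    for record in (domain_whois, ip_whois):
        for values in abuse_contacts(record).values():
            for v in values:
                if is_safe_to_mail(v, host) and v not in out:
                    out.append(v)
    return out
```

Feed `report_targets` the whois output for the domain and for the IP the site resolves to (from `whois` on the command line or any RDAP client) and you get the registrar's and the hoster's abuse mailboxes and nothing else. When the site sits behind a CDN, the IP record names the CDN, which is the situation the Cloudflare subthread below is about.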
        
             | onetimeusename wrote:
             | yes, I meant that more for hosting providers. However, I
             | have never received a response from a registrar when I have
             | contacted them about abuse so I am not sure how useful it
             | is.
        
         | gnfargbl wrote:
         | Have you ever tried reporting a phishing site through those
         | legitimate channels?
         | 
         | I have, and my experiences have been that:
         | 
         | * The domain registrars are apologetic and well-meaning, but
         | tend to explain that they aren't empowered to take this stuff
         | down without being ordered to by Law Enforcement or similar.
         | There typically isn't a mechanism available for getting LE to
         | respond before the phish campaign is over.
         | 
         | * The hosting providers chosen by phishing sites are either
         | "bulletproof hosts" who are tacitly complicit, or more commonly
         | are so low-end that the support departments are massively
         | underfunded and abuse reports take eons to be processed.
         | 
         | Either way, the phisher achieves their objectives before the
         | site is taken down. That being the state of affairs then,
         | although I don't choose to use the kind of tactics outlined in
         | the blog myself, I find it pretty hard to condemn those who do.
         | 
         | EDIT: I do agree with you that submitting the URL/IP to abuse
         | blacklists is a helpful and positive thing to do. Here are a
         | couple of submission URLs (there are many more):
         | https://pulsedive.com/submit/,
         | https://www.abuseipdb.com/report.
        
           | n0on3 wrote:
           | I have. My experience is mixed: sometimes all you wrote
           | happens (like, it takes days to get processed), sometimes it
           | doesn't (you might be surprised how fast some small providers
           | can react, sometimes faster than bigger ones). If you want to
           | speed up the process, contacting the legitimate owner is the
           | way (and hope their response is faster).
           | 
           | I understand the will to take action, but doxing a phishing
           | site can cause collaterals you did not foresee and want
           | to avoid, legally and otherwise. And it doesn't solve
           | anything; as previously explained, it just temporarily takes
           | them down, which leads to a comparison between the time
           | invested by the adversary (who will block your source as the
           | first thing) and yours (and you don't want to go there).
           | It's definitely not something to suggest to inexperienced
           | people as "a good way to fight phishing" (which they'll take
           | literally, because it looks cool). There might be exceptions
           | to this (as in, calculated risks) but they go far beyond what
           | makes sense for someone alone to do.
        
           | kayson wrote:
           | I've had a similar experience. I ran into a scam that was
           | masquerading as a popular Canadian clothing store (Roots)
           | where everything was 50% off. I reported the domain to
           | Namecheap and they said they're not responsible for the
           | content since it's hosted elsewhere. I pointed out that the
           | domain itself was also trying to pass as legitimate and they
           | told me unless I was the trademark owner they couldn't do
           | anything. I also e-mailed the hosting provider but never
           | heard back.
           | 
           | Fortunately I got ahold of Roots via Twitter and the scam
           | seems to have been shut down.
        
             | wolco wrote:
             | Did you expect the domain company to take down the domain
             | based on a copyright issue reported by an entity where they
             | are not the copyright holder?
             | 
             | Think of all of the false take down requests registrars
             | would receive.
        
         | valuearb wrote:
         | If your insecure site has been hijacked by phishing campaigns,
         | you deserve to have it brought to its knees. Security is your
         | responsibility.
        
           | dimitrios1 wrote:
           | If your insecure house has been broken into, you deserve to
           | have all of your stuff stolen. Security is your
           | responsibility.
        
             | valuearb wrote:
             | Which doesn't apply to what I said. If you leave your
             | handgun unsecured and it's stolen and used in a crime
             | against OTHER PEOPLE, you don't believe you bear some
             | responsibility?
        
           | pharrington wrote:
           | Mind posting a link to your website?
        
           | mushufasa wrote:
           | This is prevalent logic in the security community, but it
           | sounds strange applied to other domains.
           | 
           | "Porch pirates are justified because you should have secured
           | your amazon delivery."
           | 
           | "She deserved harassment because she was dressed
           | provocatively"
           | 
           | "Your country didn't have a wall so it deserved to be
           | invaded."
        
             | outworlder wrote:
             | They sound strange because they are bad analogies.
             | 
             | This is a case where a resource was hijacked and is being
             | used against other people. A similarly bad analogy, but
             | more accurate, is if you had a car that was stolen, and
             | subsequently used to commit crimes. If it got stopped, it
             | would be beneficial to society, even if it could cause you
             | financial harm.
        
             | layoutIfNeeded wrote:
             | It's more like: "She deserves to get her car's tires
             | slashed because her car was stolen and is being driven on
             | the sidewalk hitting innocent pedestrians"
             | 
             | In which case my answer would be: of course, by all means!
        
             | valuearb wrote:
             | None of those acts enable the criminal to commit crimes
             | against other people.
        
         | outworlder wrote:
         | I agree in principle. But...
         | 
         | > Phishing sites can be / are often served by compromised
         | hosts, so you might as well end up doxing a box which is not run
         | by the bad guy, causing all sorts of mayhem for the legitimate
         | owners / admins (in addition to their being compromised).
         | 
         | Well, they are already compromised. If they were lucky, it was
         | just an automated system that scanned for vulnerabilities and
         | only dropped the phishing webserver - for now. It could be used
         | as a jump box to compromise further systems in the host's
         | network. Who knows what else may be running in the box. If it
         | is being used for 'legitimate purposes', whatever purpose it
         | is, it is at a large risk.
         | 
         | The fact that it is still compromised indicates that it is not
         | actively/properly monitored.
         | 
         | Taking it out will draw much more attention to the system from
         | their owners. If I had a compromised system that I didn't know
         | about and it was taken out, I'd be thankful it wasn't left
         | running for longer.
         | 
         | It's not the 'correct' thing to do, but I'm not convinced that
         | putting the system out of commission is more harmful than
         | leaving it running doing who knows what.
        
           | wolco wrote:
           | It becomes a defense against hacking legitimate sites.
           | 
           | Anyone could hack a site, put malware on it and, if they are
           | caught, claim they hacked in to remove the malware they put there.
        
           | n0on3 wrote:
           | Not much against taking a compromised system down, but the
           | provider can (should?) do that according to their ToS (and
           | whatever containment / response procedures they have in
           | place), not some targeted victim playing vigilante by running
           | what is basically a trivial DOS attack. My point was this is
           | not a good thing to show off / encourage people to do and can
           | have unexpectedly bad consequences.
        
         | rileytg wrote:
         | I had a similar situation happen to me. Someone was catfishing
         | (dogfishing?) using my dog; they have him listed for sale...
         | 
         | I phished the seller into giving me their Zelle email which was
         | a full name and presumably tied to a legit bank account with a
         | legit person associated with it.
         | 
         | I reported them, with all the facts I'd collected, to the AG
         | office in the state I believed them to be in (OH - b/c they
         | offered shipping to anywhere + local delivery in Cleveland). I
         | reached out to other dog owners that I could identify and urged
         | them to also file reports.
         | 
         | I passed along this information to a friend who works in cyber
         | crimes law enforcement (specifically in crimes against
         | children). He verified the information I provided to the best
         | of his ability and passed to his peers in another agency.
         | 
         | Months later, nothing except an automated thanks from the AG
         | office and the site is still up.
         | 
         | The main issue I'm told is I don't have any victims who
         | actually tried to purchase and never received a puppy.
         | 
         | https://www.qualitygreatdanepuppies.com/available-puppies
         | 
         | "Johnny" is my dog. That photo is in front of my old apartment.
         | 
         | I do not condone this approach of striking back, but I am
         | frustrated that even when I identify the culprit of a scam,
         | there's nothing I can do.
        
         | pavel_lishin wrote:
         | I would be wary about sending a warning email from an email
         | address that could be traced back to me. Some people panic, and
         | assume that you're the person responsible, or lash out at the
         | only person they can strike - you.
        
           | n0on3 wrote:
           | The infrastructure provider (if any) has likely seen more of
           | these than you can imagine and again, they have proper
           | channels for this and the people who monitor them know how to
           | handle it, they won't lash out on you. Same goes for the
           | domain registar.
           | 
           | As per the box legitimate owner, while I agree that there is
           | all kind of crazy out there and you can avoid this if it
           | makes you uncomfortable (abuse-at-provider will most likely
           | contact them shortly without involving you), I don't see the
           | lash out or strike at you scenarios likely, in my experience
           | usually you get a thank you.
           | 
           | To be clear, I'm not suggesting email "Bro, you are
           | compromised, bye", I mean, you can just inform them that you
           | received the link and were taken to a phishing site that
            | looks like it's hosted on his machine, attach screens, advise them
           | on next steps if you want to go the extra mile in niceness.
           | You're doing them a favour without breaking any law, why
           | would they get mad at you?
        
         | yosamino wrote:
         | > A more appropriate response is to report the abuse who
         | manages the infrastructure (most likely a legitimate provider)
          | and the domain registrar; both usually have appropriate channels
         | and response procedures just for that.
         | 
         | Unless of course it's behind Cloudflare - then you cannot find
         | out whose infrastructure the criminals are operating from and
         | Cloudflare itself does not give a fuck. Best case scenario:
         | they will forward your complaint to their customer - an unknown
         | party to you who might be the criminals themselves, putting you
         | in danger.
         | 
         | Thank you, Cloudflare.
        
           | rnotaro wrote:
           | Pardon me but I've contacted multiple times Cloudflare and
           | they always shut them down.
           | 
           | https://i.imgur.com/9pUiR4J.png
        
           | n0on3 wrote:
           | They claim they will do all this for you if they are
           | (allegedly) proxying malicious content. Source: their abuse
           | form [1], selecting "Phishing & Malware". Did you have bad
           | experiences with this? Might be worth sharing.
           | 
           | [1] https://www.cloudflare.com/abuse/form
        
             | alsdkfjkqjwer wrote:
             | i used the form and emailed abuse@ (for sites blatantly
             | impersonating relief effort organizations at the onset of
             | covid-19)
             | 
             | all attempts got responses like "cool, but we don't do any
             | of that. please contact google safe-site(tm) beta or
             | something and get it blocked on the browser via that".
             | 
             | Everyone here posting that they replied probably used email
             | from a domain that is an expensive paid customer from them.
             | I used a @gmail one.
        
             | geek_at wrote:
             | I had recently a (b/s)ad experience with them. I am hosting
             | the demo site for my open source image hosting solution
              | (pictshare) behind cloudflare and had the CSAM tool (that
             | searches automatically for child pornography) enabled. Felt
             | safe enough but after a while I noticed a TON of traffic..
             | like gigabytes an hour through cloudflare
             | 
             | Turned out someone uploaded like 1000 child pornography
             | images to the demo site, cloudflare didn't once send me
             | anything or block an image before being uploaded.
             | 
             | I wrote their support and they pointed me to the abuse form
              | you mentioned (which would have reported the content to
             | myself?)
             | 
             | I thought they'd look into their logs and send interpol the
             | uploaders IP addresses but no, they didn't do anything.
             | 
             | In the end I got interpol and the local BKA (Federal
             | Criminal Police Office) and they were so awesome and I
             | prepared excel sheets for them with all ip addresses and
             | log entries of every consumer and uploader.
        
       | thrownaway954 wrote:
       | fyi... just cause you get a 404 error doesn't mean the site is
       | down, it might mean you are blocked. IIS for example has the
        | request filtering module in which you can return a status code
        | when a certain filter is hit. it is very easy to create a filter
        | where if a query parameter is over a certain character limit to
        | return a 404 (filters are just regular expressions). this is why
       | you should always check a site from
       | https://downforeveryoneorjustme.com/downforme.com
        
       | noodlesUK wrote:
       | As much as I think things like this can be fun, depending on your
       | jurisdiction (and tbh the US loves extraditing people for silly
       | computer crimes), it might not be advisable. This is all but
       | certainly illegal at least within the US. I'm sure most competent
       | security experts have been tempted to do things like this, or
       | SQLi a scammer's form and nuke their DB, and usually bad things
       | won't happen to you, you might find that you're hacking something
       | you weren't expecting, and might piss someone off other than a
       | scammer.
        
         | pantalaimon wrote:
         | What do you think the scammers are going to do, call the
         | police?
        
           | macNchz wrote:
           | They presumably wouldn't call the police to report you for
            | messing with their scam, but it's not unthinkable - if they're
            | able to identify who you are - that they could SWAT you. I
           | believe Brian Krebs has been SWAT'ed multiple times, and has
           | had heroin mailed to his house to frame him.
        
           | bartvk wrote:
           | I have a colleague who is a security researcher. And every
           | now and then, he tells me he got a threat from an internet
           | criminal about "how they know where he lives".
        
         | darkwater wrote:
         | How can it be illegal sending a few fake data to a website? And
         | anyway I doubt they will ever sue you, at most you could be
         | targeted for some revenge attack if they are really pissed off
         | and you don't hide your traces.
        
           | StreamBright wrote:
           | This can be classified as denial of service attack because of
              | the rate you are sending the requests. Depends on the law
              | (and on the interpretation as well). I doubt that the phishing
           | guys behind this will file a complaint though.
        
             | socket0 wrote:
             | Many phishing pages reside on compromised domains. Bob's
             | Plumbing Supplies might wonder why their Wordpress site
             | loaded with plug-ins has stopped working, ask someone to
             | take a look, and see your IP address all over the logs.
        
               | pbhjpbhj wrote:
               | If you're messing with criminals using an IP traceable to
               | you then the police might be the least of your problems.
        
               | berkes wrote:
               | Or the webhost where Bob's Plumbing Supplies is hosted
                | detects an attack and files a complaint. Or the
                | SAAS/server rental sees this, puts you on some automatic
                | blacklist and puts it on the "to be investigated"
               | blacklist. Too many parties involved whom you are
               | "hurting" that might get back to you.
               | 
               | Not saying this to keep anyone from repeating this,
               | though; just that when doing so, keep in mind that you're
               | probably not just hurting a scammer alone.
        
             | darkwater wrote:
             | To poison some phishing data you don't need to overload any
             | server. Although the act itself of poisoning data could be
             | seen as a DoS but since the service in question is an
             | illegal one IANAL but I don't think it would stand in
             | court.
        
           | noodlesUK wrote:
           | IANAL:
           | 
           | This is what I expect the relevant text in the CFAA is...
           | 
           | knowingly causes the transmission of a program, information,
           | code, or command, and as a result of such conduct,
           | intentionally causes damage without authorization, to a
           | protected computer;
        
             | flareback wrote:
             | Is it damage if you're just sending data to an endpoint to
             | see what happens. Sounds like he didn't try to send a SQL
             | Injection, he just sent more characters than what was
             | expected.
        
               | freeone3000 wrote:
               | Yes. It's even damage if you're sending expected
               | requests, but the owner of the server didn't want you to.
                | See: Aaron Swartz.
        
             | xamde wrote:
             | Is it a protected computer?
        
               | eli wrote:
               | Yes. It's defined incredibly and ridiculously broadly in
               | the law. Pretty much any server you can get to on the
               | internet is "protected"
        
               | moduspol wrote:
               | Looks accurate. It apparently does have a legal
               | definition.
               | 
               | https://en.wikipedia.org/wiki/Protected_computer
        
             | LinuxBender wrote:
             | and the blog shows intent.
        
             | mirekrusin wrote:
             | Is it a damage if you damage damaging thing? If effect of
             | your damage is less damage maybe it's not damage after all?
        
               | eitland wrote:
               | Depends: around here you can break into a shop at night
               | to put out a fire or - more realistically - break a car
               | window to pull out a kid (or animal) left alone in the
               | sun.
               | 
               | I'd be careful with computer crimes on the Internet
               | though.
        
               | woko wrote:
               | > I'd be careful with computer crimes on the Internet
               | though.
               | 
               | Exactly. Let us say you break into a shop owned by some
               | mafia to put out a fire, then you might be fine w.r.t.
               | authority, but you might be in trouble w.r.t. criminals.
               | Similarly, say you break a car window to pull out a pit-
               | bull left alone in the sun, you might have some issues
               | with the owner if he turns out to be part of some drug
               | trafficking gang.
               | 
               | There is no reason to believe that phishing websites are
               | run by script-kiddies, there are obviously criminal rings
               | running all sorts of businesses on the Internet too. I
               | would rather leave the work to the authorities rather
               | than risk going through trouble with unknown criminals,
               | just so that I could have my funny revenge over them.
        
               | Sebb767 wrote:
               | > Is it a damage if you damage damaging thing?
               | 
               | When in doubt - yes. It's the same reasoning forbidding
               | you from shooting criminals in the street, you'd just
               | open up mob justice.
               | 
               | Of course, this is a pretty clear cut case and you might
               | argue that this is an emergency (as people are clearly in
               | danger of being scammed unless you act right now), but
               | overall this is a very blurry line.
        
             | [deleted]
        
         | mcv wrote:
         | While it may be technically illegal, considering the victims
         | are themselves worse criminals caught in the act, I really
         | doubt anyone is going to give you trouble over this.
         | 
         | Unless authorities are looking for an excuse to prosecute you,
         | of course, but there's plenty of bad PR to be had for
         | authorities acting on behalf of criminals trying to steal
         | people's banking credentials.
        
           | KMag wrote:
           | Maybe if you don't cause any collateral damage, you might
           | have a low chance of conviction by a jury because the victim
           | is highly non-sympathetic. (I'm not a lawyer. This is NOT
           | LEGAL ADVICE.) That doesn't mean you won't get charged and
           | incur a ton of legal costs if you pursue a jury trial rather
           | than settling.
           | 
           | Always remember that U.S. courts are courts of law, not
           | courts of justice. That's usually a good thing (less left to
           | interpretation), but it does have downsides.
        
             | mcv wrote:
             | > _" Always remember that U.S. courts are courts of law,
             | not courts of justice. That's usually a good thing (less
             | left to interpretation)"_
             | 
             | Are they? My impression is that US courts rely heavily on
             | the whims of a jury and the judge, leading to very
             | different outcomes for similar cases. Though often leading
             | to injustice (heavy punishments for poor and/or black
             | people, light punishments for rich and/or white people)
             | rather than justice.
        
               | KMag wrote:
               | I think their biases would have worse consequences if
               | their goal was following some intuitive gut feeling of
               | justice rather than having a goal of applying the law
               | even when the law is known to be imperfect. That is, the
               | less explicit the rules are, the more wiggle room there
               | is for bias to act.
        
             | valuearb wrote:
             | Jury nullification allows them to become courts of justice.
        
               | outworlder wrote:
                | Which is why it is screened for at the jury selection stage.
        
               | gruez wrote:
               | Then shut up about it and don't tell them?
        
           | weinzierl wrote:
           | > While it may be technically illegal, considering the
           | victims are themselves worse criminals caught in the act, I
           | really doubt anyone is going to give you trouble over this.
           | 
           | Depends on who you fear more: law enforcement or organized
           | crime.
        
             | [deleted]
        
             | TheAdamAndChe wrote:
             | The comment you replied to did say "Unless authorities are
             | looking for an excuse to prosecute you, of course." If you
             | suspect you're being monitored by the FBI or some other
             | entity, you don't want to push the envelope.
        
               | mcv wrote:
                | I think weinzierl suggests that the criminals behind this
               | might be more eager to punish you than law enforcement.
               | But of course for that it doesn't really matter whether
               | or not this is legal.
        
           | shitloadofbooks wrote:
           | VPS owners will if your flooding causes issues for their
           | (other) clients on the same hardware, etc.
           | 
           | It's definitely better to not do this.
        
           | wolco wrote:
           | Until you realized you have been setup. The box you log into
           | has child porn or those logs you download have them.
           | 
           | Now you pay up or cops are called.
           | 
           | Trying to play a hacker may get you in more trouble unless
           | you really are one.
        
       | generaljargon wrote:
       | Legal issues aside, these lists are typically checked with a
       | validation tool that runs through them to scrub malformed or
       | invalid entries. An example of one such tool, taken from a
       | krebsonsecurity post: https://krebsonsecurity.com/wp-
       | content/uploads/2019/08/chase....
        
       | rymurr wrote:
       | I wonder how many 'fake news' sites and other tools designed to
       | subvert democracy are this fragile. Seems like we could do a lot
       | of good by disrupting those sites rather than slowing down
       | phishers.
       | 
       | Defending our democratic institutions > messing with scammers
        
       | withinboredom wrote:
       | Hilarious story:
       | 
       | I was hired to look into why a WordPress site was so slow back in
       | 2010. It turned out the site was hacked and they were hosting a
       | spam viagra site on the side. When I brought it to their
       | attention, the owner asked: "Can we keep it up? It will help our
       | traffic numbers for investors and probably our Google ranking."
       | 
       | I literally face-palmed.
        
         | mipmap04 wrote:
         | Well, with a spam viagra site, I think the point is keeping it
         | up.
         | 
         | On topic, it's crazy how willing some people are to defraud
         | their investors.
        
           | darkerside wrote:
            | Seems like a missed opportunity to pivot into a spam viagra
           | hosting site
        
             | x86_64Ubuntu wrote:
             | But then your costs get allocated to the spam operation.
             | The owner of the website is benefiting because of the
             | "traffic" they are receiving that is attributed to their
             | non-spam venture. The hacker is benefiting because of the
             | free hosting they are getting. The loser is anyone
             | interested in buying the site and having the price hinge on
             | the traffic.
        
         | lr4444lr wrote:
         | Keeping it up with Viagra, huh...
        
       | suixo wrote:
       | This reminds me of something similar I did about 5 years ago:
       | https://blog.securem.eu/projects/2015/03/08/flooding-the-phi...
       | 
       | One important thing is to _report_ the phishing attempt, both to
       | the hosting providers involved and to the mail service used to
       | send the emails.
        
       | anticristi wrote:
       | Nice! If you are required to write an email address, it would be
       | cool to use a canary, and see if it shows up on
       | haveibeenpwned.com.
        
         | strogonoff wrote:
         | I don't think HaveIBeenPwned makes an attempt to harvest data
         | captured by fishing websites. It's intended to track data
         | leaked due to a breach of the actual system.
        
           | Eremotherium wrote:
            | Mostly true but there are things like Collection #1 and Anti
           | Public Combo List which are amalgamations of unknown
           | provenance. A lot of it is probably prior breaches but I
           | wouldn't be surprised if it contained phishing data.
        
       | badrabbit wrote:
       | It was probably a compromised site. Spinning up your own
       | domain/vps has the drawback of it being a new site not trusted or
        | classified by most corporate firewalls and proxies (if set up
        | right).
       | 
       | You'd be surprised how easy it is to scan+pwn some wordpress site
       | left in default config or vulnerable to the latest joomla
       | exploit. They then upload a $20 phishing kit and start spamming.
       | If you look at the directories' root in the path you sometimes
       | get lucky enough to get the zip/tar file they forgot to remove
       | (includes their email, to which stolen creds are sent, you
       | probably spammed the crap out of their mailbox too). A few times
       | I've even found unsecured webshells they left behind (just booted
       | them out, got emails of people who fell for it and did the
       | standard rfc-whatever notification)
       | 
       | One thing I wanted to try was to include tracker URLs when
       | stuffing them with fake usernames like 'bob@bob.com
       | https://bobscompany.com/login.php?trackerid=1345556' or make it a
       | 1x1 pixel image link so when they see the fake creds I will know
       | their IP
        
       | jitteriest wrote:
       | Not really important but:
       | 
       | `cat /dev/urandom | tr -dc '0-9' | fold -w 7 | head -n 1`
       | 
       | Can be accomplished in two steps instead of 4:
       | 
       | `tr -dc '0-9' < /dev/urandom | head -c 7`
        
         | gshubert17 wrote:
         | When I tried either of these, on my macOS, I got
         | 
         | tr: Illegal byte sequence
         | 
         | which I got around by changing the locale:
         | 
         | ( export LC_ALL=C; tr -dc '0-9' < /dev/urandom | head -c 7 )
         | 
         | with help from:
         | https://unix.stackexchange.com/questions/141420/tr-complains...
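A worked version of the locale-safe one-liner above, as an added example that is not part of the original article or of any comment in this thread. It wraps the tr/head pipeline in a function that forces LC_ALL=C (the fix gshubert17 describes), uses it to build realistic-looking records rather than bare digit strings, and renders each submission as a curl command line instead of sending it, so it can be inspected and run offline. The field names, the name lists, the example.com addresses and the phishing.example URL are placeholders chosen for this example, not anything taken from the article.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: locale-safe random data for
# realistic-looking fake credentials, rendered as curl commands (dry run).
#
# Deliberately no pipefail: head -c closes the pipe early, tr dies with
# SIGPIPE, and pipefail would turn that into a failed command substitution.
set -eu

# LC_ALL=C makes tr treat /dev/urandom as raw bytes instead of trying to
# decode it as UTF-8 ("tr: Illegal byte sequence" on macOS).
rand_digits() {
  LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c "$1"
}

# Uniform pick from the arguments. $RANDOM is fine here: the output is
# noise for a phishing kit, not a secret.
pick() {
  printf '%s' "${@:$((RANDOM % $# + 1)):1}"
}

# Name lists, user agents and field names are placeholders for this example;
# the form in the article used different fields.
FIRST_NAMES=(anna david maria lukas sophie thomas)
LAST_NAMES=(gruber huber maier bauer wagner steiner)
USER_AGENTS=(
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/79.0'
  'Mozilla/5.0 (X11; Linux x86_64) Chrome/84.0.4147.105'
  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) Safari/605.1.15'
)

# One record shaped like a plausible victim entry: a 7-digit account
# number (as in the thread), a 4-digit PIN and a name-based e-mail, so it
# does not fall to a "drop anything that is not all digits" filter.
fake_record() {
  local acct pin email
  acct="$(rand_digits 7)"
  pin="$(rand_digits 4)"
  email="$(pick "${FIRST_NAMES[@]}").$(pick "${LAST_NAMES[@]}")"
  email="${email}$(rand_digits 2)@example.com"
  printf 'account=%s&pin=%s&email=%s' "$acct" "$pin" "$email"
}

# Render one submission as a curl command line instead of running it, so
# the generator can be checked offline. %q shell-quotes each argument.
render_submit() {
  local url="$1" body="$2"
  printf 'curl -s -o /dev/null -w %%{http_code} -A %q --data %q %q\n' \
    "$(pick "${USER_AGENTS[@]}")" "$body" "$url"
}

# Dry run: a few randomised submissions with a 1-2 second jitter between
# them, so a batch does not arrive as one obvious burst.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  for _ in 1 2 3; do
    render_submit 'https://phishing.example/login.php' "$(fake_record)"
    sleep "$((RANDOM % 2 + 1))"
  done
fi
```

Pipe the rendered lines to `sh` to actually send them; keep the dry run while checking that the field names match the target form. The script avoids `set -o pipefail` on purpose: `head -c` closes the pipe as soon as it has its bytes, `tr` is then killed by SIGPIPE, and under pipefail that non-zero status would make `acct="$(rand_digits 7)"` fail and `set -e` abort the script.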
        
       | tdeck wrote:
       | I have seen the code for some phish kits in the past. Many of
       | them actually send an email on each submission rather than saving
       | to a file (more resilient if the hacked WordPress site is taken
       | down). They often also record the IP so it may be easier to
       | filter out "phish-feeding" attempts like this.
        
       | catmistake wrote:
       | This is great, bash ftw. Nice presentation, too.
       | 
       | Regarding its legality, I will paraphrase Bishop Berkeley: if a
       | tree falls in the forest, and no one is around to hear it, does
       | it make a sound?
       | 
       | What I am getting at is until there is a complaint, there is no
       | crime, and as at least another pointed out, criminals will
       | usually not report crimes that reveal their own crimes. "They
       | kidnapped my kidnap-victim!"
        
         | anonymfus wrote:
         | The kidnap-victim or their relatives can. So:
         | 
         |  _> Sadly the server didn't enable indexing otherwise I would
         | have seen all victims, but it was funny nonetheless._
         | 
         | It's actually very lucky for Haschek, because otherwise the
         | only thing stopping Raiffeisen from suing him for stealing
         | credentials would be a bad publicity.
        
       | alufers wrote:
       | Oh how cool, I thought I was the only one trying to mess with
       | scammy sites when I find them. Although I can see that I could
       | improve my methods, since I usually write a short user script
       | which spams the forms with data from faker.js and let the open
       | tab sit pinned in my browser for a week or so.
        
         | mflower wrote:
         | I was thinking about something pretty similar -- rather than
         | just try to overload the server, make it more difficult for
         | phisherpeople to figure out which data is legitimate.
         | 
         | Realistically, I don't think I'd do it though -- who knows what
         | 0 days you are putting on your box when you connect to those
         | sites.
        
       | NicoJuicy wrote:
       | Well, I have something like HN running on
       | https://handlr.sapico.me ( automatically imports rss feeds)
       | 
        | Which had a lot of spammers and they worked around the Google
       | Human verification script for logging in.
       | 
       | Humans won't add a Title + Url + text since it shouldn't be used
       | this way.
       | 
       | So ... that flow now returns a xml bomb.
       | 
       | Spam stopped immediately after deploying this. I'm a bit curious
       | how long they spend looking why the memory of their server
       | suddenly went through the roof :p
        
       | b0re wrote:
       | noob question: what does an \ at the end of a bash script do? Is
       | it the same as ; ?
        
         | liuyong wrote:
         | In bash '\' would escape the character behind it. In this case,
         | newline was escaped, which means you could ignore the newline
         | character and treat those lines as one line.
        
         | jtylr wrote:
         | The end of a bash script or a line?
         | 
         | If it's at the end of the line it's just signifying that the
         | line continues underneath and to run that block as "one line".
         | It's just escaping the newline character.
        
         | oddeyed wrote:
         | The opposite. ; is the same as a newline. Prepending the
         | newline with a backslash \ is like saying "pretend this newline
         | isn't here". So all of the -H arguments get applied to the same
         | command in the example, rather than being treated as commands
         | in their own right.
        
           | newswasboring wrote:
           | Oh... I am having one of those moments where I feel like
           | everyone else but me knew this and I'm a dummy. But when put
           | like this, I realize \ here is an escape character thing,
           | making the newline into \\\n.
        
       | lordnacho wrote:
       | What do they do when they access the victim's bank account? Buy
       | fungible goods with the money? Send it to another account?
        
       | m-p-3 wrote:
       | I normally just report those sites on
       | https://safebrowsing.google.com/safebrowsing/report_phish/ and it
       | doesn't normally take long to end up with a phishing warning when
       | you navigate to it with a modern browser.
       | 
       | I also try to send an email to the registrar "abuse" email to let
       | them know that a specific domain is hosting a phishing page (with
       | the exact link as proof). That takes it down quickly as well,
       | which forces the website owner to do some remediation.
        
         | raverbashing wrote:
         | I think most URL shorteners have an abuse reporting facility
         | (with bitly, add a + to the end of the URL to see more info)
        
       | miguelmota wrote:
       | > cat /dev/urandom | tr -dc '0-9' | fold -w 7 | head -n 1
       | 
       | Useless use of cat
       | 
       | http://porkmail.org/era/unix/award.html
        
       | hrgiger wrote:
       | Sorry for off topic question but are there any dirty link sharing
       | platforms ,that you can share those links safely and warn the
       | user and force it to copy paste?
        
       | Samuyi wrote:
       | great stuff
        
       | gigatexal wrote:
       | The author is a saint. This made my day.
        
       | jitendrac wrote:
        | That is really a good way to make them drop all the targets. But
        | if I were to do it, I would do it with a set of different
        | signatures shuffled randomly to make them un-filterable, and limit
        | the rate of submission such that they don't immediately notice me
        | and I can make their database full of dummy data, which makes it
        | useless for them. Many times you can also get to execute
        | arbitrary SQL injection and can delete the database.
        | 
        | In fact, in the past when in college I was trying to learn some
        | hacking basics to find vulnerable servers. And as in the googled
        | articles, like most script kiddies, I searched and found a
        | vulnerable site which was already hacked and had shell.php
        | installed on it. What that vulnerability did was, it found a way
        | to inject the browser navigator name into a PHP script using
        | /proc/self/environ. After studying the attack, what I did was
        | remove the shell and patch the vulnerable file with some
        | obfuscation. I was so naive (what would have happened if my IP was
        | tracked and I became a suspected criminal); looking back now,
        | luckily I never got myself involved in legal things.
        
       | saagarjha wrote:
       | While this is all fun and games, I am curious if DOSing someone
       | else's server, even if it's being used to run a phishing scam, is
       | legal.
        
         | godzillabrennus wrote:
         | I seriously doubt it is legal in the United States. Seems like
         | a pretty clear abuse of a computer network.
        
           | zwirbl wrote:
           | The author lives in Austria and the phishing attempt itself
           | was targeting a major Austrian bank, but I don't know if this
           | is legal or if that's a gray area
        
         | tracker1 wrote:
         | If you're in the US, it could be a violation of the Computer
         | Fraud and Abuse Act. I used to do stuff like this until I
         | became aware of the potential felony behind it.
        
           | uzakov wrote:
           | Same for the UK in most cases - illegal.
        
         | nikau wrote:
         | Probably as illegal as stealing a cocaine from a drug dealer.
        
           | emteycz wrote:
           | Probably less legal. No court will convict you of stealing
           | that cocaine, but a lot of courts would convict you of
           | computer attack. Don't forget that when attacking, you're
           | almost certainly not attacking just the phisher, but a lot of
           | middlemen.
        
         | Cthulhu_ wrote:
         | If they're hosted (e.g. shared hosting), then the hosting party
         | may just lock you out if they had DDOS protection because
         | you're using their resources. They're not happy with phishing
         | sites being hosted on their sites, but also not - and they
         | probably suffer more damage, even if it's "just" resources -
         | from DDOS attacks.
        
         | imgabe wrote:
         | Probably not, but it's like stealing from a drug dealer. They
         | can't report you without incriminating themselves. Of course
         | stealing from drug dealers is known to have other
         | ramifications...
        
         | stephenmc77 wrote:
         | I imagine it's illegal but I also assume that for it to be
         | prosecutable, there would have to be a complainant. Good luck
         | to that guy trying to prove that DDOS-ing a phishing site is
         | worse than the phishing itself!
        
           | mhils wrote:
           | It is not unlikely that the phishing site is hosted on a
           | hacked server that still serves legitimate websites (which
           | you would also take down in the process). So there could be a
           | legitimate complainant.
        
             | geek_at wrote:
             | in this case however both sites I "took down" were still
             | accessible afterwards, they just removed their backend.
             | Still got an empty response or 404 with valid http
             | certificate.
             | 
             | So probably the phishers were annoyed with the fake data
             | and moved servers
        
       | schappim wrote:
       | I am all for this. Thank you.
        
       ___________________________________________________________________
       (page generated 2020-08-13 23:00 UTC)