
Hacking some Scammers


  • This topic is locked
21 replies to this topic

#1 Jberryman

Jberryman

    SUP3R 31337 P1MP

  • Members
  • 283 posts

Posted 05 October 2004 - 03:18 PM

Well, for the first time I (partially) fell for an email scam, and it's a humbling experience. I have to admit this one was pretty slick though. I got to the second page and was like "fuck me!".

Anyway, I got a forged email appearing to come from eBay saying that my account was being used by someone else and I had to verify it, blah, blah...
Here was the link:
http://scgi.ebay.com...y&user=14626654

Please post some fake logins. Also, if anybody wants to whip up some script to flood them with random logins, that would be cool.
Any ideas on what to do to these guys? Or how to find them?
:pissed:

#2 tokachu

tokachu

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 458 posts
  • Country:
  • Gender:Male

Posted 05 October 2004 - 03:51 PM

Well, to aid anyone in making a flood script for them, here's what I captured while submitting some fake information:

"Login" (POST was cut, un-cut it)

POST /mailform.cgi HTTP/1.1
Host: 211.234.125.70:5250
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://211.234.125.70:5250/
Content-Type: application/x-www-form-urlencoded
Content-Length: 125

MfcISAPICommand=SignInWelcome&siteid=0&co_partnerId=2&UsingSSL=0&ru=
&userid=EBAYUSERACCOUNTGOESHERE&pass=PASSWORDGOESHEREDUDE

"Charge" (GET was cut, un-cut it)

GET /mailformCarte.cgi?MfcISAPICommand=GetResult&query=
&MfcISAPICommand=UpdateCC&CCnumber=1234567891011128&CVV2Num=987
&Month=12&Day=25&Year=2015&Name=YOUR+NAME+ON+CARD&PIN=2015
&Street=BILLING+ADDRESS&City=CITY&State=STATE&Zip=ZIP
&Country=United+States&checkbox=checkbox HTTP/1.1
Host: 211.234.125.70:5250
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://211.234.125.70:5250/Protect.html

I would think you could just pipe these things to netcat or something thousands of times and jam up their server.

Edited by tokachu, 05 October 2004 - 03:54 PM.


#3 ilpimp

ilpimp

    SUP3R 31337

  • Members
  • 190 posts

Posted 05 October 2004 - 04:10 PM

The IP hosts a website called wowfoto.net. Here's a whois on it:

Domain Name : wowfoto.net

::Registrant::
Name      : ez4web communication
Email    : baram35@mirewa.com
Address  : B1F Haein B/D 11-49 Yangjae1-dong Socho-gu Seoul Korea
Zipcode  : 137887
Nation    : KR
Tel      : 82-02-579-0513
Fax      : 82-02-579-5090

::Administrative Contact::
Name      : Jae-Han Kim
Email    : baram35@mirewa.com
Address  : B1F Haein B/D 11-49 Yangjae1-dong Socho-gu Seoul Korea
Zipcode  : 137887
Nation    : KR
Tel      : 82-02-579-0513
Fax      : 82-02-579-5090

::Technical Contact::
Name      : Whois Co., Ltd.
Email    : whois@whois.co.kr
Address  : 143-39 Shinil Bldg.1F, Samsung-dong, Kangnam-gu
Zipcode  : 135877
Nation    : KR
Tel      : 82-02-325-4259
Fax      : 82-02-325-2259

::Name Servers::
ns1.wooriserver.com 210.114.223.61
ns2.wooriserver.com 210.114.223.62

::Dates & Status::
Created Date  2001-08-28 07:58:10 EDT
Updated Date  2003-09-02 04:45:38 EDT
Valid Date    2006-08-28 07:58:10 EDT
Status        ACTIVE


damn koreans.

#4 Jberryman

Jberryman

    SUP3R 31337 P1MP

  • Members
  • 283 posts

Posted 05 October 2004 - 04:46 PM

Did a full port scan of the host to see if there were any other scam sites on different ports. This is everything:

22 SSH Remote Login Protocol
25 Simple Mail Transfer
80 World Wide Web HTTP
110 Post Office Protocol - Version 3
3976 BCI1KROOPS Server (ProFTPD Default Installation) [web.wowfoto.net]
5250 Scam page

I thought the ftp was suspicious... it apparently allows anonymous logins but requires a specific password.

#5 riscphree

riscphree

    Dangerous free thinker

  • Members
  • 1,936 posts
  • Gender:Male

Posted 05 October 2004 - 05:04 PM

I thought the ftp was suspicious... it apparently allows anonymous logins but requires a specific password.

So it's not anonymous then?

#6 Jberryman

Jberryman

    SUP3R 31337 P1MP

  • Members
  • 283 posts

Posted 05 October 2004 - 05:13 PM

Yeah, I guess... with username anonymous it says "anonymous access OK" or something along those lines, but it won't accept an arbitrary password.

#7 Cloaked Dagger

Cloaked Dagger

    HACK THE PLANET!

  • Members
  • 61 posts
  • Location:South Florida, USA. 954 area code.

Posted 05 October 2004 - 11:18 PM

I have gotten emails like that, I never fell for them though as I don't use ebay. I just told my mail client to filter them out as junk/spam.

#8 ennui

ennui

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 398 posts
  • Location:Tennessee

Posted 05 October 2004 - 11:22 PM

To flood them with logins and passwords, couldn't you use Global Brute Forcer and apply a dictionary list?

#9 Jberryman

Jberryman

    SUP3R 31337 P1MP

  • Members
  • 283 posts

Posted 06 October 2004 - 08:36 AM

I tried to quickly set up Brutus to do this but it kept crashing on XP...
I'm surprised that the site is still up.

#10 tokachu

tokachu

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 458 posts
  • Country:
  • Gender:Male

Posted 07 October 2004 - 07:49 PM

I'm working on a flood script in Perl right now (uses Net::HTTP). Stay tuned.

#11 Cr45 Du57

Cr45 Du57

    Hakker addict

  • Members
  • 619 posts
  • Gender:Not Telling

Posted 07 October 2004 - 07:53 PM

It's odd that the scam site is running on that "company" page.... maybe they got rooted?
i.e. woophoto or whatever it was called...... ;)

Edited by Cr45 Du57, 07 October 2004 - 07:53 PM.


#12 Jberryman

Jberryman

    SUP3R 31337 P1MP

  • Members
  • 283 posts

Posted 07 October 2004 - 08:10 PM

That's what I would have thought, except that the site is still up... but maybe. I really don't have any idea how these things usually work, but if I were the scammers I would have taken that site down no more than 24 hours after sending the emails.

#13 hacnslash

hacnslash

    Banisher of n00bs

  • Agents of the Revolution
  • 2,454 posts

Posted 07 October 2004 - 08:18 PM

Umm, it's just a site made to look like the eBay site. Also, I would think that DoSing them would be illegal and you guys really shouldn't do it....

#14 Cloaked Dagger

Cloaked Dagger

    HACK THE PLANET!

  • Members
  • 61 posts
  • Location:South Florida, USA. 954 area code.

Posted 07 October 2004 - 08:34 PM

Umm, it's just a site made to look like the eBay site

Yes, but it asks you to log in with your eBay user name/password, then asks you for the credit card number, SS number, mother's maiden name, everything. After you give it to them (I just went through it leaving all the fields blank the whole time), it forwards you to the actual eBay website. It seems to be, and I would be willing to put money on it, that it is a scam to collect people's info for identity theft, credit fraud, etc.

also I would think that DoSing them would be illegal and you guys really shouldn't do it....

They are in Korea, at least the wowfoto.net hosted on that IP has all Korean contacts. I doubt they would have an easy time prosecuting over international boundaries. Also, if it's just one server that is DoSed I doubt they would even bother trying to prosecute over international boundaries. But this is a wise piece of advice: let the authorities deal with them, then you aren't risking your own neck.

Edited by Cloaked Dagger, 07 October 2004 - 08:40 PM.


#15 hacnslash

hacnslash

    Banisher of n00bs

  • Agents of the Revolution
  • 2,454 posts

Posted 07 October 2004 - 08:40 PM

um yea....who doubted that!? o_0

I was making the comment because somebody said it might have been rooted and set up as a scam...

#16 Cloaked Dagger

Cloaked Dagger

    HACK THE PLANET!

  • Members
  • 61 posts
  • Location:South Florida, USA. 954 area code.

Posted 07 October 2004 - 08:44 PM

I was making the comment because somebody said it might have been rooted and set up as a scam...

Yeah, from the looks of it a legit server was rooted. Then they set up an illegit eBay scam using that machine. DoSing this server will not only hurt the scammers, it will probably hurt a legit business as well.

#17 tokachu

tokachu

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 458 posts
  • Country:
  • Gender:Male

Posted 07 October 2004 - 08:51 PM

Port 22 (ssh) is open, and the web server running is on a port over 1023, so it could just be a user running thttpd. But I still like the idea of flooding the assmunch with random information. I'm almost done...hehe :growl:

#18 Jberryman

Jberryman

    SUP3R 31337 P1MP

  • Members
  • 283 posts

Posted 07 October 2004 - 09:03 PM

With the free time that I don't have, I've been trying to figure out a way to send a login packet over and over again in an attempt to fill (make ridiculously large) the database or file or whatever that stores the usernames and passwords (see post from Noob forum). I found a program called nemesis that will deliver packets like this, but is it enough to just send the packet containing the username and password and ignore the responses from the webserver? And I'm not sure how to have the packet be sent repeatedly.
What would be cool is if it submitted realistic and random userids and passes.

edit:

I'm working on a flood script in Perl right now (uses Net::HTTP). Stay tuned.

I missed your post, your idea beats the shit out of mine

Edited by Jberryman, 07 October 2004 - 10:06 PM.


#19 tokachu

tokachu

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 458 posts
  • Country:
  • Gender:Male

Posted 07 October 2004 - 09:18 PM

I'm about 2/3 done with a program that will do that. Look for it.


Here's an example of what's done:
Random name:     Kishlansky, Lillian
Random username: lillian33
Random password: math4138
Random credit #: 5687817435540035
Random card ID:  234
Random PIN #:    6151
Name on card:    LILLIAN KISHLANSKY
Maiden name:     Winkler
Random address:  10418 Bell Drive
                  Cabell, IN 43131
                  United States

Edited by tokachu, 07 October 2004 - 09:56 PM.
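Added example (editor's code, not something posted in the thread): a small parser that takes the two requests tokachu captured in post #2, rejoined where the forum wrapped them and trimmed to the headers that matter, and lists exactly what the kit harvests. It tags card data that travels in a GET query string (it ends up in the web server's access log and in Referer headers of the next page, which is how the kit's own /mailformCarte.cgi request leaks it) and card numbers that fail the Luhn check, since a kit or the person reading its drop file can filter on that; the field grouping, function names and the trimmed headers are assumptions. Run against the numbers on this page, the placeholder 1234567891011128 from post #2 happens to pass Luhn, while the random 5687817435540035 from post #19 does not.

```python
# Added example: parse the credential-harvesting requests captured from a
# phishing kit and list the fields it collects. Sample requests below are
# reconstructed from post #2 (wrapped lines rejoined, headers trimmed).
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the login POST from post #2.
LOGIN_POST = (
    "POST /mailform.cgi HTTP/1.1\r\n"
    "Host: 211.234.125.70:5250\r\n"
    "Referer: http://211.234.125.70:5250/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "MfcISAPICommand=SignInWelcome&siteid=0&co_partnerId=2&UsingSSL=0&ru="
    "&userid=EBAYUSERACCOUNTGOESHERE&pass=PASSWORDGOESHEREDUDE"
)

# Constructed sample: the card-capture GET from post #2.
CHARGE_GET = (
    "GET /mailformCarte.cgi?MfcISAPICommand=GetResult&query="
    "&MfcISAPICommand=UpdateCC&CCnumber=1234567891011128&CVV2Num=987"
    "&Month=12&Day=25&Year=2015&Name=YOUR+NAME+ON+CARD&PIN=2015"
    "&Street=BILLING+ADDRESS&City=CITY&State=STATE&Zip=ZIP"
    "&Country=United+States&checkbox=checkbox HTTP/1.1\r\n"
    "Host: 211.234.125.70:5250\r\n"
    "Referer: http://211.234.125.70:5250/Protect.html\r\n"
    "\r\n"
)

# Parameter names taken from the captured requests; the grouping is assumed.
SENSITIVE = {
    "userid": "account", "pass": "account",
    "CCnumber": "card", "CVV2Num": "card", "PIN": "card",
    "Month": "card", "Day": "card", "Year": "card", "Name": "card",
    "Street": "billing", "City": "billing", "State": "billing",
    "Zip": "billing", "Country": "billing",
}

def parse_request(raw):
    """Return (method, path, headers, params) for one raw HTTP/1.x request.

    Params come from the query string for any method and from the body when
    it is form-urlencoded; a key that repeats keeps every value, in order.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if body and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return method, parts.path, headers, params

def luhn_ok(number):
    """Luhn check digit test, the same test most card forms and kits apply."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def harvested_fields(raw):
    """Map each sensitive parameter to (category, value, note).

    The note flags values carried in a GET query string (logged server-side
    and leaked via Referer) and card numbers that fail Luhn.
    """
    method, path, _headers, params = parse_request(raw)
    out = {}
    for key, values in params.items():
        if key not in SENSITIVE:
            continue
        value = values[-1]
        notes = []
        if method == "GET":
            notes.append("sent in query string")
        if key == "CCnumber" and not luhn_ok(value):
            notes.append("fails Luhn")
        out[key] = (SENSITIVE[key], value, "; ".join(notes))
    return method, path, out

if __name__ == "__main__":
    for raw in (LOGIN_POST, CHARGE_GET):
        method, path, fields = harvested_fields(raw)
        print(f"{method} {path}")
        for key, (cat, value, note) in fields.items():
            print(f"  {cat:8} {key}={value}" + (f"  [{note}]" if note else ""))
```

The same parser works on a kit's drop file or a proxy capture from a live phish: feed it each request and you get the list of fields to tell the victim (or the bank) were exposed, plus which ones were logged in plain text on the way.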


#20 tokachu

tokachu

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 458 posts
  • Country:
  • Gender:Male

Posted 07 October 2004 - 10:47 PM

IT'S DONE!

edited by StankDawg: link removed.

RUN THAT BITCH! :grr:



