Jberryman

Hacking some Scammers

22 posts in this topic

Well for the first time I (partially) fell for an email scam, and it's a humbling experience. I have to admit this one was pretty slick though. I got to the second page and was like "fuck me!".

Anyway, I got a forged email appearing to come from ebay that my account was being used by someone else and I have to verify it, blah, blah...

Here was the link:

http://scgi.ebay.com/verify_id=ebay&user=14626654

Please post some fake logins, also if anybody wants to whip up some script to flood them with random logins, that would be cool.

Any ideas on what to do to these guys? Or how to find them?

:pissed:

Well, to aid anyone in making a flood script for them, here's what I captured while submitting some fake information:

"Login" (POST was cut, un-cut it)

POST /mailform.cgi HTTP/1.1
Host: 211.234.125.70:5250
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://211.234.125.70:5250/
Content-Type: application/x-www-form-urlencoded
Content-Length: 125

MfcISAPICommand=SignInWelcome&siteid=0&co_partnerId=2&UsingSSL=0&ru=
&userid=EBAYUSERACCOUNTGOESHERE&pass=PASSWORDGOESHEREDUDE

"Charge" (GET was cut, un-cut it)

GET /mailformCarte.cgi?MfcISAPICommand=GetResult&query=
&MfcISAPICommand=UpdateCC&CCnumber=1234567891011128&CVV2Num=987
&Month=12&Day=25&Year=2015&Name=YOUR+NAME+ON+CARD&PIN=2015
&Street=BILLING+ADDRESS&City=CITY&State=STATE&Zip=ZIP
&Country=United+States&checkbox=checkbox HTTP/1.1
Host: 211.234.125.70:5250
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://211.234.125.70:5250/Protect.html

I would think you could just pipe these things to netcat or something thousands of times and jam up their server.

Edited by tokachu
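The two captures above are what an incident responder would actually want to triage: which fields the fake page harvests, and whether the Host it posts to has anything to do with the brand it imitates. The following is an added example, not code from the thread, that parses a raw request like those posted and answers both questions; the sample captures are constructed to mirror the thread's field names, and the host is a documentation IP rather than the scam server.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Field-name patterns that indicate credential, payment-card or identity harvesting.
SENSITIVE = {
    "credential": re.compile(r"^(user(id|name)?|login|pass(word|wd)?)$", re.I),
    "card": re.compile(r"(cc|card)number|cvv|pin$", re.I),
    "identity": re.compile(r"maiden|ssn|social", re.I),
}

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.strip().replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def harvested_fields(raw):
    """Return {category: [field names]} for submitted fields that look sensitive."""
    method, target, headers, body = parse_request(raw)
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)  # GET-style fields
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(body, keep_blank_values=True))  # POST body fields
    found = {}
    for name in params:
        for category, pattern in SENSITIVE.items():
            if pattern.search(name):
                found.setdefault(category, []).append(name)
    return found

def impersonation_mismatch(raw, brand_domain):
    """True when the Host header is neither the brand's domain nor a subdomain of it."""
    host = parse_request(raw)[2].get("host", "").split(":")[0].lower()
    return not (host == brand_domain or host.endswith("." + brand_domain))

# Constructed sample captures mirroring the thread's field names (198.51.100.7 is a documentation IP).
SAMPLE_LOGIN = """POST /mailform.cgi HTTP/1.1
Host: 198.51.100.7:5250
Content-Type: application/x-www-form-urlencoded

MfcISAPICommand=SignInWelcome&siteid=0&co_partnerId=2&UsingSSL=0&ru=&userid=someone&pass=hunter2"""

SAMPLE_CHARGE = """GET /mailformCarte.cgi?MfcISAPICommand=UpdateCC&CCnumber=4111111111111111&CVV2Num=123&Month=12&Year=2015&Name=A+NAME&PIN=0000 HTTP/1.1
Host: 198.51.100.7:5250
Referer: http://198.51.100.7:5250/Protect.html"""
```

Running `harvested_fields` over both samples reports the credential fields from the login step and the card number, CVV and PIN from the charge step, and `impersonation_mismatch(..., "ebay.com")` flags the raw-IP host, which is the signal an abuse report to eBay or the hosting provider should lead with.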

The IP hosts a website called wowfoto.net; here's a whois on it:

Domain Name : wowfoto.net

::Registrant::
Name     : ez4web communication
Email    : baram35@mirewa.com
Address  : B1F Haein B/D 11-49 Yangjae1-dong Socho-gu Seoul Korea
Zipcode  : 137887
Nation   : KR
Tel      : 82-02-579-0513
Fax      : 82-02-579-5090

::Administrative Contact::
Name     : Jae-Han Kim
Email    : baram35@mirewa.com
Address  : B1F Haein B/D 11-49 Yangjae1-dong Socho-gu Seoul Korea
Zipcode  : 137887
Nation   : KR
Tel      : 82-02-579-0513
Fax      : 82-02-579-5090

::Technical Contact::
Name     : Whois Co., Ltd.
Email    : whois@whois.co.kr
Address  : 143-39 Shinil Bldg.1F, Samsung-dong, Kangnam-gu
Zipcode  : 135877
Nation   : KR
Tel      : 82-02-325-4259
Fax      : 82-02-325-2259

::Name Servers::
ns1.wooriserver.com 210.114.223.61
ns2.wooriserver.com 210.114.223.62

::Dates & Status::
Created Date  2001-08-28 07:58:10 EDT
Updated Date  2003-09-02 04:45:38 EDT
Valid Date    2006-08-28 07:58:10 EDT
Status        ACTIVE

Damn Koreans.


Did a full port scan of the host to see if there were any other scam sites on different ports. This is everything:

22   SSH Remote Login Protocol
25   Simple Mail Transfer
80   World Wide Web HTTP
110  Post Office Protocol - Version 3
3976 BCI1KROOPS Server (ProFTPD Default Installation) [web.wowfoto.net]
5250 Scam page

I thought the ftp was suspicious... it apparently allows anonymous logins but requires a specific password.

I thought the ftp was suspicious... it apparently allows anonymous logins but requires a specific password.

So it's not anonymous then?


Yeah, I guess... with username anonymous it says "anonymous access OK" or something along those lines, but it won't accept an arbitrary password.


I have gotten emails like that, I never fell for them though as I don't use ebay. I just told my mail client to filter them out as junk/spam.


To flood them with logins and passwords, couldn't you use Global Brute Forcer and apply a dictionary list?


I tried to quickly set up brutus to do this but it kept crashing on XP...

I'm surprised that the site is still up.


I'm working on a flood script in Perl right now (uses Net::HTTP). Stay tuned.


It's odd that the scam site is running on that "company" page.... maybe they got rooted?

i.e. woophoto or whatever it was called...... ;)

Edited by Cr45 Du57

That's what I would have thought, except that the site is still up... but maybe. I really don't have any idea how these things usually work, but if I was the scammers I would have taken that site down after no more than 24 hours after sending the emails.


Umm, it's just a site made to look like the ebay site. Also, I would think that DOSing them would be illegal and you guys really shouldn't do it....

umm, it's just a site made to look like the ebay site

Yes, but it asks you to log in with your ebay user name/password, then asks you for the credit card number, SS number, mother's maiden name, everything. After you give it to them (I just went through it leaving all the fields blank the whole time), it forwards you to the actual ebay website. It seems to be, and I would be willing to put money on it, that it is a scam to collect people's info for identity theft, credit fraud, etc.

also i would think that DOSing them would be illegal and you guys really shouldn't do it....

They are in Korea, at least the wowfoto.net hosted on that ip has all Korean contacts. I doubt they would have an easy time prosecuting over international boundaries. Also, if it's just one server that is DOSed I doubt they would even bother trying to prosecute over international boundaries. But this is a wise piece of advice, let the authorities deal with them, then you aren't risking your own neck.

Edited by Cloaked Dagger

um yea....who doubted that!? o_0

I was making the comment because somebody said it might have been rooted and set up as a scam...

I was making the comment because somebody said it might have been rooted and set up as a scam...

Yeah, from the looks of it a legit server was rooted. Then they set up an illegit ebay scam using that machine. DOSing this server will not only hurt the scammers, it will probably hurt a legit business as well.


Port 22 (ssh) is open, and the web server running is on a port over 1023, so it could just be a user running thttpd. But I still like the idea of flooding the assmunch with random information. I'm almost done...hehe :growl:


With the free time that I don't have, I've been trying to figure out a way to send a login packet over and over again in an attempt to fill/make ridiculously large the database or file or whatever that stores the usernames and passwords (see post from Noob forum). I found a program called nemesis that will deliver packets like this, but is it enough to just send the packet containing the username and password and ignore the responses from the webserver? And I'm not sure how to have the packet be sent repeatedly.

What would be cool is if it submitted realistic and random userids and passes.

edit:

I'm working on a flood script in Perl right now (uses Net::HTTP). Stay tuned.

I missed your post; your idea beats the shit out of mine.

Edited by Jberryman

I'm about 2/3 done with a program that will do that. Look for it.

Here's an example of what's done:

Random name:     Kishlansky, Lillian
Random username: lillian33
Random password: math4138
Random credit #: 5687817435540035
Random card ID:  234
Random PIN #:    6151
Name on card:    LILLIAN KISHLANSKY
Maiden name:     Winkler
Random address:  10418 Bell Drive
                 Cabell, IN 43131
                 United States

Edited by tokachu

IT'S DONE!

edited by StankDawg: link removed.

RUN THAT BITCH! :grr:


You guys have put me in a difficult position here. I hate these jerks as much as anybody, but I cannot allow you to post scripts to attack them here. You will have to take it to email or something to protect my site. I cannot "officially" condone such activity.

It looks to me like the site is some photo site and they probably got 0wned by someone and now you are flooding the innocent victim, making them a victim once again. It may also be possible that the people running the photo site ALSO are running the scam.

Since I don't know, I must lock this thread to protect the site. Did anyone try contacting the site and asking them about it? What about ebay?

This topic is now closed to further replies.