54 comments

[ 2.9 ms ] story [ 132 ms ] thread
If I were that scammer I'd quickly see I can likley filter out all accounts added within such a short burst of time following convention of <name><number>@yahoo.com

Also, my guess is most users don't have that pattern of password...

filtered by IP and Useragent.
Also seems some kind of ID is encoded in the URL he got redirected to after visiting the initial link, as well as the field names.
It would be probably another 5 minutes to add: random delay and a thread pool, a file with Xk most common passwords, random user agent from another file, bunch of email domains, select at random, append numbers to local part when ... [bunch of conditions].

Another half an hour to deal with the IP address stuff.

But, I think the purpose of the video was to show how to use the requests library.

How would you deal with the 'IP address stuff'? If you plan on harvesting SOCKS proxies or using existing lists, your adversary can just check IPs against DroneBL.
Hey, I’m sure that video does not show how to build an anti-scammer solution. The scam stuff seems to be a nice back story for showing some python stuff. OTOH, any time a scammer is required to go and look at the data, write filters and what not, it’s a win!
True.

It's interesting to look at from the other perspective though, normally we're on the side trying to prevent malicious users and in this thread we're thinking as the 'malicious' user.

I thought the form fields were suspicious. The scammer may already have something in place that generates random user/pass form fields, and even random endpoints by the look of the url.

The "engineer" didn't check this, which he could have easily done by simply refreshing the page. But if the scammer did have any sort of protection, the engineer would have had a lot more work in it for him, having to scrape the page.. so maybe he purposely ignored this red flag.

I think he did check it and the video we saw was the fast version of this process for the sake of the viewer.

But that’s just what my instincts tell me based on the time spent investigating, the amount of useful snippets, and the lack of typos and errors while coding.

There's no need to put engineer in quotes. This video wasn't an in-depth how-to; it was just a quick proof-of-concept.
It wasn't meant as an attack. I don't know his name, but his channel is called engineer-something, so I meant it as "engineer-something".

Although I do think, for a learning video, that he missed out on a lot of opportunity to explain such things as I mentioned.

I checked out the page myself, and the endpoints and form fields are the exact same for me.

Also, there's some funny exposed PHP code sent along:

    <?php
    session_start();
    ?>
And some packed javascript that does nothing because it's "commented out" with <!-- ... --> inside the <script> tags, meaning it has syntax errors.
I agree that in all likelyhood, a technically clever scammer can trivially exclude the ~500 entries this guy put in, but it _does_ create some extra work for them, and we have no idea how skilled the person harvesting these things are. (Plus, a committed troublemaker could likely make these things much harder to detect, and much more work for the scammer.)
Definitely not skilled enough to install a TLS certificate :)
These guys clearly aren't very good, but there's a chance they might be deliberately not getting a TLS cert to avoid getting flagged by safebrowsing via CT logs.
All you have to do is check which ip address is over represented in the logins table and delete those.
How would it create extra work for him, unless he's manually entering emails and password into the usual email sites?

In all likelihood he tries every single entry he gets against the top 100 juiciest sites (banking, email, etc), and records all successful hits.

Usually entering credentials causes an email to be sent containing at least user IP address and a User-Agent string. In this case, the UA string reveals it all
For educational purposes only. <wink>

#2600

Yeah. Let's not the cover-all disclaimer
The terrible thing here is that:

'very common name' + 1 digit @yahoo.com generates a list almost completely of real email addresses...

Spammers don't care about cleaning their lists... So he just helped the spammer do his job, involving a few hundred unrelated victims.

This is likely not made to harvest email addresses for spam, but rather for email:password combos.
If all the scammer wanted was email addresses, they could have written a random yahoo email address generator on their own. They want legitimate email + password combos.
Given that world + dog has the entire Yahoo DB by now, I wonder if a list of yahoo username + password still has any value on the market... Well, I can only hope so, or else the scammer will just drop all the yahoo addresses from his take rather than try to clean up the data.
If you can somehow find the yahoo DB, I will pay you $5000 in bitcoin for it :)
It makes me a little sad to see him write Python 2 code. There's only 18 month of Python 2 left.
That's what all of us oldies do. We can't get used to the hip new stuff so quickly ;)
Most of the time you're writing Python3 code and you don't even know it... try changing #!/usr/bin/env python to

#!/usr/bin/env python3

I bet your Python2 script will run on Python3.

And then there is 2to3, which has not failed me once.
It might be interesting as a learning exercise but there's a lot of gotchas in running 2 as 3.

Besides the obvious things like print, which will just cause an error, there's behavioral changes, like with division and range, that may introduce more insideous bugs.

Better to read up on the difference first and use a tool.

The "hip new stuff" is, in this case, already ten years old, though.
I know you’re being sarcastic but anyway: I’m an oldie I guess as I started with Python 1.5.2 and I’ve been using 2.7 now as long as I can remember. But I had a new project last month so I used Python 3. There was basically nothing to learn. I mean, print is a function and classes don’t need to inherit from object and you’re like 99% of the way there. Learn and adopt new 3 functionally at your leisure. I’m honestly having no trouble switching between 2 and 3 and I’ve converted all my 2 code to be syntactically compatible with 3.
Uh-oh, and well, integer division now gives float

    $ python3
    >>> 1/2
    0.5
VS

    $ python2.7
    >>> 1/2
    0
which can cause a great load of bugs if you're just porting some existing code.
True, but I can’t recall a single time I wanted the integer division behavior of Python 2.
In most C-like languages, int/int gives int. The fact that 3 returns float is a little troubling.
You can use // instead of / to request a integer division with integer result.

int//int=int instead of int/int=float.

Python is not a c-like language, though.
And strings are now strings, surprisingly, and not bytes...
Why do you say surprisingly?

I've been aware of the bytes/string split for a long time since it's probably Python 3's most prominent change, so I certainly wasn't surprised by it. The surprising part for me (after having read complaints about this change over the years) is that I haven't had any trouble with it.

Apologies, it was a (failed) attempt at sarcasm :)
(comment deleted)
The sad thing is he didn’t use open in context manager....
He should've also used load instead of loads, although in this case is not such a big problem (if he closed the file) because everything is getting loaded in memory anyway.
Right. My problem is he was trying to show off his skill (he emphasized "engineer" at the beginning of his video) so he could troll the scammer. In that case, at least know how to write proper code. Even intro to Python writes with "with".
What's the scam here? The scammer gets access to someone's Craigslist account... and then what? They take down or change their posts?
Due to password reuse being very common, getting access to a craigslist account means you've got access to their email account as well.
It’s probably targeted against dealer accounts if they aren’t asking for cc info.

Other posters talking about password reuse are really confused, there’s essentially no chance someone would waste sms spam on such a silly venture.

What if the URL and the form fields are randomly generated? I would just use the Chrome console to keep submitting the form or something low-effort like that.
this dude should do this on multi thread and distributed in cloud. this is so vanilla, also the hacker can just just filter with a easy regex. lame
Seems a little dodgy to redirect output from an apparent scammers website to an apparent root shell.
Put a time delay in there and let it run over a couple days. Otherwise it’s too easy to just delete all the names from that 5 minute window of entries.