If I were that scammer I'd quickly see I can likley filter out all accounts added within such a short burst of time following convention of <name><number>@yahoo.com
Also, my guess is most users don't have that pattern of password...
It would be probably another 5 minutes to add: random delay and a thread pool, a file with Xk most common passwords, random user agent from another file, bunch of email domains, select at random, append numbers to local part when ... [bunch of conditions].
Another half an hour to deal with the IP address stuff.
But, I think the purpose of the video was to show how to use the requests library.
How would you deal with the 'IP address stuff'? If you plan on harvesting SOCKS proxies or using existing lists, your adversary can just check IPs against DroneBL.
Hey, I’m sure that video does not show how to build an anti-scammer solution. The scam stuff seems to be a nice back story for showing some python stuff.
OTOH, any time a scammer is required to go and look at the data, write filters and what not, it’s a win!
It's interesting to look at from the other perspective though, normally we're on the side trying to prevent malicious users and in this thread we're thinking as the 'malicious' user.
I thought the form fields were suspicious. The scammer may already have something in place that generates random user/pass form fields, and even random endpoints by the look of the url.
The "engineer" didn't check this, which he could have easily done by simply refreshing the page. But if the scammer did have any sort of protection, the engineer would have had a lot more work in it for him, having to scrape the page.. so maybe he purposely ignored this red flag.
I think he did check it and the video we saw was the fast version of this process for the sake of the viewer.
But that’s just what my instincts tell me based on the time spent investigating, the amount of useful snippets, and the lack of typos and errors while coding.
I agree that in all likelyhood, a technically clever scammer can trivially exclude the ~500 entries this guy put in, but it _does_ create some extra work for them, and we have no idea how skilled the person harvesting these things are. (Plus, a committed troublemaker could likely make these things much harder to detect, and much more work for the scammer.)
These guys clearly aren't very good, but there's a chance they might be deliberately not getting a TLS cert to avoid getting flagged by safebrowsing via CT logs.
Usually entering credentials causes an email to be sent containing at least user IP address and a User-Agent string. In this case, the UA string reveals it all
If all the scammer wanted was email addresses, they could have written a random yahoo email address generator on their own. They want legitimate email + password combos.
Given that world + dog has the entire Yahoo DB by now, I wonder if a list of yahoo username + password still has any value on the market... Well, I can only hope so, or else the scammer will just drop all the yahoo addresses from his take rather than try to clean up the data.
It might be interesting as a learning exercise but there's a lot of gotchas in running 2 as 3.
Besides the obvious things like print, which will just cause an error, there's behavioral changes, like with division and range, that may introduce more insideous bugs.
Better to read up on the difference first and use a tool.
I know you’re being sarcastic but anyway: I’m an oldie I guess as I started with Python 1.5.2 and I’ve been using 2.7 now as long as I can remember. But I had a new project last month so I used Python 3. There was basically nothing to learn. I mean, print is a function and classes don’t need to inherit from object and you’re like 99% of the way there. Learn and adopt new 3 functionally at your leisure. I’m honestly having no trouble switching between 2 and 3 and I’ve converted all my 2 code to be syntactically compatible with 3.
I've been aware of the bytes/string split for a long time since it's probably Python 3's most prominent change, so I certainly wasn't surprised by it. The surprising part for me (after having read complaints about this change over the years) is that I haven't had any trouble with it.
He should've also used load instead of loads, although in this case is not such a big problem (if he closed the file) because everything is getting loaded in memory anyway.
Right. My problem is he was trying to show off his skill (he emphasized "engineer" at the beginning of his video) so he could troll the scammer. In that case, at least know how to write proper code. Even intro to Python writes with "with".
What if the URL and the form fields are randomly generated? I would just use the Chrome console to keep submitting the form or something low-effort like that.
Put a time delay in there and let it run over a couple days. Otherwise it’s too easy to just delete all the names from that 5 minute window of entries.
54 comments
[ 2.9 ms ] story [ 132 ms ] threadAlso, my guess is most users don't have that pattern of password...
Another half an hour to deal with the IP address stuff.
But, I think the purpose of the video was to show how to use the requests library.
It's interesting to look at from the other perspective though, normally we're on the side trying to prevent malicious users and in this thread we're thinking as the 'malicious' user.
The "engineer" didn't check this, which he could have easily done by simply refreshing the page. But if the scammer did have any sort of protection, the engineer would have had a lot more work in it for him, having to scrape the page.. so maybe he purposely ignored this red flag.
But that’s just what my instincts tell me based on the time spent investigating, the amount of useful snippets, and the lack of typos and errors while coding.
Although I do think, for a learning video, that he missed out on a lot of opportunity to explain such things as I mentioned.
Also, there's some funny exposed PHP code sent along:
And some packed javascript that does nothing because it's "commented out" with <!-- ... --> inside the <script> tags, meaning it has syntax errors.In all likelihood he tries every single entry he gets against the top 100 juiciest sites (banking, email, etc), and records all successful hits.
#2600
'very common name' + 1 digit @yahoo.com generates a list almost completely of real email addresses...
Spammers don't care about cleaning their lists... So he just helped the spammer do his job, involving a few hundred unrelated victims.
#!/usr/bin/env python3
I bet your Python2 script will run on Python3.
Besides the obvious things like print, which will just cause an error, there's behavioral changes, like with division and range, that may introduce more insideous bugs.
Better to read up on the difference first and use a tool.
int//int=int instead of int/int=float.
I've been aware of the bytes/string split for a long time since it's probably Python 3's most prominent change, so I certainly wasn't surprised by it. The surprising part for me (after having read complaints about this change over the years) is that I haven't had any trouble with it.
Other posters talking about password reuse are really confused, there’s essentially no chance someone would waste sms spam on such a silly venture.