168 comments

[ 3.8 ms ] story [ 222 ms ] thread
Nice! If you are required to write an email address, it would be cool to use a canary, and see if it shows up on haveibeenpwned.com.
I don’t think HaveIBeenPwned makes an attempt to harvest data captured by fishing websites. It’s intended to track data leaked due to a breach of the actual system.
Mostly true but there things like Collection #1 and Anti Public Combo List which are amalgamations of unknown provenance. A lot of it is probably prior breaches but I wouldn't be surprised if it contained phishing data.
Oh how cool, I thought I was the only one trying to mess with scammy sites when I find them. Although I can see that I could improve my methods, since I usually write a short user script which spams the forms with data from faker.js and let the open tab sit pinned in my browser for a week or so.
I was thinking about something pretty similar -- rather than just try to overload the server, make it more difficult for phisherpeople to figure out which data is legitimate.

Realistically, I don't think I'd do it though -- who knows what 0 days you are putting on your box when you connect to those sites.

While this is all fun and games, I am curious if DOSing someone else’s server, even if it’s being used to run a phishing scam, is legal.
I seriously doubt it is legal in the United States. Seems like a pretty clear abuse of a computer network.
The author lives in Austria and the phishing attempt itself was targeting a major Austrian bank, but I don't know if this is legal or if that's a gray area
If you're in the US, it could be a violation of the Computer Fraud and Abuse Act. I used to do stuff like this until I became aware of the potential felony behind it.
Same for the UK in most cases - illegal.
I imagine it's illegal but I also assume that for it to be prosecutable, there would have to be a complainant. Good luck to that guy trying to prove that DDOS-ing a phishing site is worse than the phishing itself!
It is not unlikely that the phishing site is hosted on a hacked server that still serves legitimate websites (which you would also take down in the process). So there could be a legitimate complainant.
in this case however both sites I "took down" were still accessible afterwards, they just removed their backend. Still got an empty response or 404 with valid http certificate.

So probably the phishers were annoyed with the fake data and moved servers

If they're hosted (e.g. shared hosting), then the hosting party may just lock you out if they had DDOS protection because you're using their resources. They're not happy with phishing sites being hosted on their sites, but also not - and they probably suffer more damage, even if it's "just" resources - from DDOS attacks.
Probably not, but it's like stealing from a drug dealer. They can't report you without incriminating themselves. Of course stealing from drug dealers is known to have other ramifications...
Probably as illegal as stealing a cocaine from a drug dealer.
Probably less legal. No court will convict you of stealing that cocaine, but a lot of courts would convict you of computer attack. Don't forget that when attacking, you're almost certainly not attacking just the phisher, but a lot of middlemen.
I am all for this. Thank you.
All banks in the EU are required to use 2FA, I'm curious how these hackers get around that.
For quite a long time my bank used cargo culted 2FA i.e. 2x things that you know. Pretty embarrassing really. Thankfully they now have a card reader device but it's only used for certain actions (like adding new payees).
In the EU? That definitely wouldn't be compliant, unless we're talking about 90s or something.
"required to use 2FA" for login, or "required to use 2FA" to conduct transactions?

I'm asking because my (German) bank only very recently changed to requiring 2FA every X days for login. I'm very curious if they are actually compliant, since I used to be able to log in just with 1 factor to see my current balance (but not conduct any transactions).

Currently 2FA (legally known as "strong customer authentication") for logging to payment services (like banks) when one wasn't performed in 90 days is required in EEA.

IMO implementing the bare minimum this does nothing for security. However, often banks do that, and even if you try to look intentionally suspicious (say, use a VPN in United States with another web browser on another operating system) they don't care and won't ask you for 2FA.

For me its only 2FA for transactions.
If they are already sending you an SMS maybe they can try to fake that as well and access your account immediately with the expiring token.
1. One SMS every 90 days, because the security teams have no idea how MFA works (I know, I work there). Even if you hop devices. See https://try.popho.be/psd2.html

2. It's just a little dev step away: http://blog.cmpxchg8b.com/2020/07/you-dont-need-sms-2fa.html . Phish kits will evolve, UX will still be bad, and phishing will still happen.

See also https://sakurity.com/blog/2015/07/18/2fa.html

Some banks know security better than others

And yes the login one might be every 90 days, but to do a transaction there might be an extra one

(yes Germany did away with paper tans (2fa codes) in 2019 yay - thankfully not all banks are that stupid)

> 1. One SMS every 90 days,

Wow that's bad.

Here in Norway we use a system called BankID that uses the SIM in your mobile and it does it every time I log in.

Wouldn't a phishing site be able to proxy the challenge and then record and proxy the response which the user types in? I.e. MITM the 2fa?
Depends what you want to achive. With wire transfers there's usually (always?) info about amount and last few digits of the account you're transfering money to on your 2FA provider.
Yes, there is existing software to automate this, I presume that competent bad guys already use that.

However you can't do this to WebAuthn (or its non-standard predecessor U2F). The WebAuthn challenge is bound to a DNS name, by the client browser. So https://fake-bank.example/important/urgent/thing/ignore/the/... can't get credentials for real-bank.example even if the human is utterly convinced the fake site is their real bank, because you need to fool the web browser not just a human.

AFAIK zero banks use WebAuthn...

In this case (with the second page) it looked like after you put in your credentials they put you in a loop while they tried to use your logins.

I assume that if the banking backend told them the verification sms or whatever is sent, they would have asked the user about it and just forwarded it

That's why the second, more advanced phishing page was trying to immediately log in with the just acquired login credentials.

If a 2FA challenge is presented, it is relayed to the victim on the phishing website, and as soon as the code is submitted, is it relayed to the real banks website in turn.

Done For You Services Affiliate Marketing System

Insane Marketer Wesley Virgin and Ariella have created an offer that is not only making affiliates wealthy but they are helping 100s of millions of NEWBIES earn money online.

Join Hore : https://bit.ly/3gpgGgd

As much as I think things like this can be fun, depending on your jurisdiction (and tbh the US loves extraditing people for silly computer crimes), it might not be advisable. This is all but certainly illegal at least within the US. I’m sure most competent security experts have been tempted to do things like this, or SQLi a scammer’s form and nuke their DB, and usually bad things won’t happen to you, you might find that you’re hacking something you weren’t expecting, and might piss someone off other than a scammer.
How can it be illegal sending a few fake data to a website? And anyway I doubt they will ever sue you, at most you could be targeted for some revenge attack if they are really pissed off and you don't hide your traces.
This can be classified as denial of service attack because of the rate your are sending the requests. Depends on the law (and on the interpretation as well). I doubt that the phising guys behind this will file a complaint though.
Many phishing pages reside on compromised domains. Bob's Plumbing Supplies might wonder why their Wordpress site loaded with plug-ins has stopped working, ask someone to take a look, and see your IP address all over the logs.
Or the webhost where Bob's Plumbing Supplies is hosted detects an attack and files a complain. Or the SAAS/server rental sees this, puts you on some automatic blacklist and puts in on the "to be investigated" blacklist. Too many parties involved whom you are "hurting" that might get back to you.

Not saying this to keep anyone from repeating this, though; just that when doing so, keep in mind that you're probably not just hurting a scammer alone.

If you're messing with criminals using an IP traceable to you then the police might be the least of your problems.
To poison some phishing data you don't need to overload any server. Although the act itself of poisoning data could be seen as a DoS but since the service in question is an illegal one IANAL but I don't think it would stand in court.
It is very important to understand this from the legal stand point. If you overload a legitimate or illegitimate service you might commit a crime (depending on the country). I can give you a simple example of this in a different context. In our country you cannot go after the criminal who committed the crime and cannot cause them harm. Few years back a lady got robbed by two guys on a motorbike and she went after them and hit the motorbike with her car. She was prosecuted for assault. This is a very similar situation here. Again, depending on your country, state etc. this _might_ be a bad idea.
I see your point but anyway I think that phishers hardly will sue you for poisoning their data, because you probably just uncovered one phishing campaign but they run tens of them. Putting Justice in the loop would be much riskier for them, I believe.
IANAL:

This is what I expect the relevant text in the CFAA is...

knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(comment deleted)
Is it a damage if you damage damaging thing? If effect of your damage is less damage maybe it's not damage after all?
> Is it a damage if you damage damaging thing?

When in doubt - yes. It's the same reasoning forbidding you from shooting criminals in the street, you'd just open up mob justice.

Of course, this is a pretty clear cut case and you might argue that this is an emergency (as people are clearly in danger of being scammed unless you act right now), but overall this is a very blurry line.

Depends: around here you can break into a shop at night to put out a fire or - more realistically - break a car window to pull out a kid (or animal) left alone in the sun.

I'd be careful with computer crimes on the Internet though.

> I'd be careful with computer crimes on the Internet though.

Exactly. Let us say you break into a shop owned by some mafia to put out a fire, then you might be fine w.r.t. authority, but you might be in trouble w.r.t. criminals. Similarly, say you break a car window to pull out a pit-bull left alone in the sun, you might have some issues with the owner if he turns out to be part of some drug trafficking gang.

There is no reason to believe that phishing websites are run by script-kiddies, there are obviously criminal rings running all sorts of businesses on the Internet too. I would rather leave the work to the authorities rather than risk going through trouble with unknown criminals, just so that I could have my funny revenge over them.

Is it damage if you're just sending data to an endpoint to see what happens. Sounds like he didn't try to send a SQL Injection, he just sent more characters than what was expected.
Yes. It's even damage if you're sending expected requests, but the owner of the server didn't want you to. See: Aaron Schwartz.
While it may be technically illegal, considering the victims are themselves worse criminals caught in the act, I really doubt anyone is going to give you trouble over this.

Unless authorities are looking for an excuse to prosecute you, of course, but there's plenty of bad PR to be had for authorities acting on behalf of criminals trying to steal people's banking credentials.

> While it may be technically illegal, considering the victims are themselves worse criminals caught in the act, I really doubt anyone is going to give you trouble over this.

Depends on who you fear more: law enforcement or organized crime.

(comment deleted)
The comment you replied to did say "Unless authorities are looking for an excuse to prosecute you, of course." If you suspect you're being monitored by the FBI or some other entity, you don't want to push the envelope.
O think weinzierl suggests that the criminals behind this might be more eager to punish you than law enforcement. But of course for that it doesn't really matter whether or not this is legal.
VPS owners will if your flooding causes issues for their (other) clients on the same hardware, etc.

It's definitely better to not do this.

Maybe if you don't cause any collateral damage, you might have a low chance of conviction by a jury because the victim is highly non-sympathetic. (I'm not a lawyer. This is NOT LEGAL ADVICE.) That doesn't mean you won't get charged and incur a ton of legal costs if you pursue a jury trial rather than settling.

Always remember that U.S. courts are courts of law, not courts of justice. That's usually a good thing (less left to interpretation), but it does have downsides.

> "Always remember that U.S. courts are courts of law, not courts of justice. That's usually a good thing (less left to interpretation)"

Are they? My impression is that US courts rely heavily on the whims of a jury and the judge, leading to very different outcomes for similar cases. Though often leading to injustice (heavy punishments for poor and/or black people, light punishments for rich and/or white people) rather than justice.

I think their biases would have worse consequences if their goal was following some intuitive gut feeling of justice rather than having a goal of applying the law even when the law is known to be imperfect. That is, the less explicit the rules are, the more wiggle room there is for bias to act.
I'm not so sure, I feel the civil law system followed in continental Europe works much better as it's based on the spirit of the law instead of the exact letter and comma.

Hard to say if this would be a better fit for the US though -- I've no idea if that's causing issues elsewhere in more corrupt societies or not.

Jury nullification allows them to become courts of justice.
Which is why is screened for at the jury selection stage.
Then shut up about it and don't tell them?
Until you realized you have been setup. The box you log into has child porn or those logs you download have them.

Now you pay up or cops are called.

Trying to play a hacker may get you in more trouble unless you really are one.

What do you think the scammers are going to do, call the police?
I have a colleague who is a security researcher. And every now and then, he tells me he got a threat from an internet criminal about "how they know where he lives".
They presumably wouldn't call the police to report you for messing with their scam, but it's not unthinkable–if they're able to identify who you are–that they could SWAT you. I believe Brian Krebs has been SWAT'ed multiple times, and has had heroin mailed to his house to frame him.
I have seen the code for some phish kits in the past. Many of them actually send an email on each submission rather than saving to a file (more resilient if the hacked WordPress site is taken down). They often also record the IP so it may be easier to filter out "phish-feeding" attempts like this.
noob question: what does an \ at the end of a bash script do? Is it the same as ; ?
The end of a bash script or a line?

If it's at the end of the line it's just signifying that the line continues underneath and to run that block as "one line". It's just escaping the newline character.

The opposite. ; is the same as a newline. Prepending the newline with a backslash \ is like saying "pretend this newline isn't here". So all of the -H arguments get applied to the same command in the example, rather than being treated as commands in their own right.
Oh... I am having one of those moments where I feel like everyone else but me knew this and I'm a dummy. But when put like this, I realize \ here is an escape character thing, making the newline into \\n.
In bash '\' would escape the character behind it. In this case, newline was escaped, which means you could ignore the newline character and treat those lines as one line.
I stoped 2 webshops which basically sell expensive stuff 20% off by wire transfer (bank transfer?!) which then never send the goods of course!

I did the following:

- I found out where it was hosted and send them an email explaining them why and how that shop is a scam

- I found out where they hosted the domain and wrote the registrar an abuse email

- I wrote an email to the banks where the bank accounts where active

The scammer had a webchat module active and he/she did wrote back to me, nothing came out through that, nonetheless:

next day, both webshops were gone due to being taken offline from the hosters.

I do believe, that they do have a chance because literaly no one cares. I have seen mentioning of one of those two shops older then 6 month. I pissed at them with very little effort in a very short time.

I do hope i helped out.

I like to think it helped out, but at the same time, these people are professionals and will have automation to generate new instances and scam campaigns easily. At least it should be more difficult for them to set up new bank accounts though, they need ID for that, and / or a network of mules, and those are finite resources.
I think the bank thing is done through students quite often: "Hey, I can't get a bank account as I'm a refugee fleeing a war, please help by receiving £5000 cash, we'll give you £100. Say it's a gift from your Aunty to buy a car with."

I've seen reports of this in the UK at least, maybe they managed to stop it.

At least in the US the people who accept the offer can be charged as money mules.
I think that's true in UK too, but often the people aren't aware how wrong what they're doing is.
I attended a meetup at our local registrar (SIDN) where they explained how data analysts on their payroll detect such fake webshops and how they then actively block those domains on DNS and registrar level.
I'm assuming you don't mean "employee payroll" right?
English is not my native language. I meant "they work for SIDN at SIDN". Employees.
Abuse email/report to the registrar is also my goto. Usually results in a quick response
You'll get a response but it'll always be a polite "fuck off" unless you have some sort of actual authority (are you the trademark holder? are you LE? do you have a court order?). You'll have better luck contacting the hosting provider because they're actually responsible for the content.
"The way these things work is that they act like they're the real login form, steal your credentials and usually send you off to the real bank so you think you made a typo or something."

If that's the case then surely you're also flooding the bank's real site with GET requests after the redirection.

Bash doesn't have to follow the redirect

Even if, I'm sure the bank appreciates someone working against phishing. A few GET requests is something they're meant to handle. They have to be resistant to DDoS attempts from malevolent actors

From cURL the author can ignore the redirect to the bank's real site though.
So you DDOSed their backend but they could've whitelist their IP range and blacklist all the others for incoming requests.

What you did does nothing against flexible and adaptive adversaries.

(comment deleted)
Even if that's the case, it made the website unavailable for future victims who got the same text messages.
Not if they just made the site return a 404/500 just to his IPs, which any half-decent adversary would do. The "play dead" strategy works great with these kind of vigilantes.

We're employed similar tactics against DDoSers at work. Start returning 500s or just tarpit their requests, they think the site is down and they go home.

People who buy phishing kit and set them up are typically not flexible and adaptive adversaries.
I know someone that DDoSed a forum spammer.

They hit back, ten times as hard, and completely destroyed a well-established forum, with thousands of users, that had experienced an annoying (but not crippling) "penis pill" spam attack.

So like... Backups? Restore, put it behind basic auth and email the password to the members active in the past few weeks, then at your leasure implement some captchas and go from there. Heck, restore the forum publicly as well and use that as a sandbox to see how they'll bypass it.
Shirley, you jest.

Backups are for, like, squares, dude.

We live on the edge, dude!

Extreme! YOLO!

In all fairness, the person involved was a truly brilliant young man, and the experience pretty much shattered him, emotionally. He has yet to recover from it.

In a way, it can be satisfying to be able to say "I told you so," but seeing the human cost kinda takes the fun out of smugness.

How did the spammers hit back?

Can I ask what made it hard / infeasible to continue once the spammers had stopped hitting back?

> seeing the human cost

It seems the forum meant a lot to him/her

I was not directly involved in the incident; hearing about it after the fact.

My understanding is that a forum spammer started registering fake accounts, and then did what they do. The admin saw this. He was quite smart, and figured out who they were, then executed some kind of attack on their server. I think it was a DDoS attack.

When they responded, the used a bunch of privilege escalation attacks to promote some of their registered users (It was a badly-maintained phpBB site; otherwise known as "Swiss Cheese"), and blew away a lot of the site structure and templates, so it basically imploded.

Yeah, it was his "baby." He was also involved in a running battle of nerd egos with some other folks, who used the incident to discredit him, and drove him out.

> blew away a lot of the site structure and templates

Crazy spammers who have time for such things

Sad to hear how this affected him

He said DDoS which has nothing to do with the data itself, and auth/captcha won't help. You'll have to upgrade to beefier servers, fatter pipes, or pay for a reverse proxy.. CF is free now and kinda helps sometimes, but it wasn't in the past, and any hacker with a grudge can take down your site anyway. It's about forcing you to spend money; which, if you're a hobby site forum host, you probably don't have.
Ah, right, I read it differently but I think you're right. In my initial understanding the spammers hit back by a huge spam wave, but a counter DDoS could also be.
A colleague and I did something similar recently.

We got similar spam mails in our work inboxes. Whipped up a little ruby script that spammed bum login data to the spammer's form url. We had our scripts running on a couple of Heroku instances and all.

At some stage we realized that the password field in the form accepted arbitrarily sized payloads. So we base64 encoded some 10MB file and sent that as the password. The thinking was if we could not DoS them, we can at least clog up their works with some real hefty payloads.

More can be seen here: https://github.com/dj-louw/spamscam

While funny, real-looking fake login data might be more useful, as it's probably real easy to filter the few large requests. Unless, of course, you bring down the server and stop the whole operation (for a time).

It would be quite interesting to do a study on both options using a honeypot-account (to detect whether the login could be extracted by the spammer).

So the script we wrote created real email addresses and user names. The Ruby gem Faker (https://github.com/faker-ruby/faker) takes care of that.

But yeah you are probably right. 10MB passwords possibly made it too easy for the scammer to filter out the bum data.

We did only make the 10MB change very late in our attack, so the scammer got 1000's of fake names and emails before we cranked up the mass of each individual request.

Hilarious story:

I was hired to look into why a WordPress site was so slow back in 2010. It turned out the site was hacked and they were hosting a spam viagra site on the side. When I brought it to their attention, the owner asked: "Can we keep it up? It will help our traffic numbers for investors and probably our Google ranking."

I literally face-palmed.

Well, with a spam viagra site, I think the point is keeping it up.

On topic, it's crazy how willing some people are to defraud their investors.

Send like a missed opportunity to pivot into a spam viagra hosting site
But then your costs get allocated to the spam operation. The owner of the website is benefiting because of the "traffic" they are receiving that is attributed to their non-spam venture. The hacker is benefiting because of the free hosting they are getting. The loser is anyone interested in buying the site and having the price hinge on the traffic.
Keeping it up with Viagra, huh...
Well, I have something like HN running on https://handlr.sapico.me ( automatically imports rss feeds)

Wich had a lot of spammers and they worked around the Google Human verification script for logging in.

Humans won't add a Title + Url + text since it shouldn't be used this way.

So ... that flow now returns a xml bomb.

Spam stopped immediately after deploying this. I'm a bit curious how long they spend looking why the memory of their server suddenly went through the roof :p

I normally just report those sites on https://safebrowsing.google.com/safebrowsing/report_phish/ and it doesn't normally take long to end up with a phishing warning when you navigate to it with a modern browser.

I also try to send an email to the registrar "abuse" email to let them know that a specific domain is hosting a phishing page (with the exact link as proof). That takes it down quickly as well, which forces the website owner to do some remediation.

I think most URL shorteners have an abuse reporting facility (with bitly, add a + to the end of the URL to see more info)
I was doing this 15 years ago. Does it mean that I'm old?
A friend of mine fell victim to a renting scam here in Czechia. The phishing site was using the native .cz TLD, which is well within the reach of Czech authorities. I was particularly bored that day so I went to a local police department to report a crime. I advised the policeman to take down the phishing site - it was actively facilitating a crime. The poor cops had no idea what to do and in the end they told me that this crime is taking place on the internet and they have no means of investigating it :D.
This kind of thing always confused me. Scam sites and sites promoting illegal activities (such as fake dna tests) are everywhere. Surely the police could take them down in the same way that they take down child porn sites.
If you asked EU politicians a few years ago there was no way to take those down and we needed a great European firewall asap. Of course when their to secret list of illegal sites got leaked it turned out to be sites that could be taken down within a few hours by just contacting the hosting providers.
Probably whoever works at the desk there has no idea how to get in touch with the department responsible for investigating internet crimes. They're probably in another office far away, and never interact with each other.
I wonder how many 'fake news' sites and other tools designed to subvert democracy are this fragile. Seems like we could do a lot of good by disrupting those sites rather than slowing down phishers.

Defending our democratic institutions > messing with scammers

What do they do when they access the victim's bank account? Buy fungible goods with the money? Send it to another account?
The author is a saint. This made my day.
Is this a useful strategy that banks can or do employ? Filling a phisher's catch with spammed fake credentials may pollute their database enough that it's not worth selling.