Back in 2018 I found something similar among phishing sites that presented themselves as sites that could get your small business a instant $300k credit line with no personal guarantee (or something like that). The kind of stuff all new YC founders are probably getting in the mail to their office right now.
They all had exactly the same UI, with just a few name and color changes. They all called back to the same API with the same PII collection format.
After weeks of investigation and honeypotting, it was clear they had 2 objectives:
1. Figure out what businesses were actually alive and they had matching emails/addresses for
2. Discover who was willing to just throw business information (and other PII) at a random site, as these were most likely people who would be easily mislead to more nefarious means
In true hacker vigilante fashion I found there was zero spam-protection/anti-abuse on their collection API (that I observed) and sent a few hundred billion entries to their API of convincing fake (thanks fakerjs) data. A few days later all the websites went down... what are the odds they were using something serverless and didn't have billing alarms
2 comments
[ 2.8 ms ] story [ 16.6 ms ] threadBack in 2018 I found something similar among phishing sites that presented themselves as sites that could get your small business a instant $300k credit line with no personal guarantee (or something like that). The kind of stuff all new YC founders are probably getting in the mail to their office right now.
They all had exactly the same UI, with just a few name and color changes. They all called back to the same API with the same PII collection format.
After weeks of investigation and honeypotting, it was clear they had 2 objectives:
1. Figure out what businesses were actually alive and they had matching emails/addresses for
2. Discover who was willing to just throw business information (and other PII) at a random site, as these were most likely people who would be easily mislead to more nefarious means
In true hacker vigilante fashion I found there was zero spam-protection/anti-abuse on their collection API (that I observed) and sent a few hundred billion entries to their API of convincing fake (thanks fakerjs) data. A few days later all the websites went down... what are the odds they were using something serverless and didn't have billing alarms