I was hired to look into why a WordPress site was so slow back in 2010. It turned out the site was hacked and they were hosting a spam viagra site on the side. When I brought it to their attention, the owner asked: "Can we keep it up? It will help our traffic numbers for investors and probably our Google ranking."
But then your costs get allocated to the spam operation. The owner of the website is benefiting because of the "traffic" they are receiving that is attributed to their non-spam venture. The hacker is benefiting because of the free hosting they are getting. The loser is anyone interested in buying the site and having the price hinge on the traffic.
That's really... not an appropriate response, and not only for the legal reasons others mentioned.
Phishing sites can be / are often served by compromised hosts, so you might as well end up doxing a box that is not run by the bad guy, causing all sorts of mayhem for the legitimate owners / admins (in addition to their being compromised).
Plus, you didn't solve anything; from the pattern you used it's pretty easy to clean up the data for the adversary, get rid of your garbage and put the thing back up the next day, so you've only temporarily disrupted their operation.
A more appropriate response is to report the abuse to whoever manages the infrastructure (most likely a legitimate provider) and the domain registrar; both usually have appropriate channels and response procedures just for that. If you feel kind and keen to do some free work, you can find out if the infrastructure also has a legitimate purpose and contact the legitimate administrator. Also, there are a lot of abuse lists that accept contributions, as in submissions for malicious sites, where you can report this (so it gets fetched by a variety of stuff and blocked by others while it's operational before it gets eradicated).
I understand this does not give you any credit or allow you to write a blog post about looping requests in bash but still.
Have you ever tried reporting a phishing site through those legitimate channels?
I have, and my experiences have been that:
* The domain registrars are apologetic and well-meaning, but tend to explain that they aren't empowered to take this stuff down without being ordered to by Law Enforcement or similar. There typically isn't a mechanism available for getting LE to respond before the phish campaign is over.
* The hosting providers chosen by phishing sites are either "bulletproof hosts" who are tacitly complicit, or more commonly are so low-end that the support departments are massively underfunded and abuse reports take eons to be processed.
Either way, the phisher achieves their objectives before the site is taken down. That being the state of affairs then, although I don't choose to use the kind of tactics outlined in the blog myself, I find it pretty hard to condemn those who do.
I've had a similar experience. I ran into a scam that was masquerading as a popular Canadian clothing store (Roots) where everything was 50% off. I reported the domain to Namecheap and they said they're not responsible for the content since it's hosted elsewhere. I pointed out that the domain itself was also trying to pass as legitimate and they told me unless I was the trademark owner they couldn't do anything. I also e-mailed the hosting provider but never heard back.
Fortunately I got ahold of Roots via Twitter and the scam seems to have been shut down.
I have. My experience is mixed: sometimes all you wrote happens (like, it takes days to get processed), sometimes it doesn't (you might be surprised how fast some small providers can react, sometimes faster than bigger ones). If you want to speed up the process, contacting the legitimate owner is the way (and hope their response is faster).
I understand the will to take action, but doxing a phishing site can cause collateral damage you did not foresee and want to avoid, legally and otherwise. And it doesn't solve anything, as previously explained; it just temporarily takes them down, which leads to a comparison between the time invested by the adversary (who will block your source as the first thing) and yours (and you don't want to go there). It's definitely not something to suggest to inexperienced people as "a good way to fight phishing" (which they'll take literally, because it looks cool). There might be exceptions to this (as in, calculated risks) but they go far beyond what makes sense for someone alone to do.
> Phishing sites can be / are often served by compromised hosts, so you might as well end up doxing a box that is not run by the bad guy, causing all sorts of mayhem for the legitimate owners / admins (in addition to their being compromised).
Well, they are already compromised. If they were lucky, it was just an automated system that scanned for vulnerabilities and only dropped the phishing webserver – for now. It could be used as a jump box to compromise further systems in the host's network. Who knows what else may be running in the box. If it is being used for 'legitimate purposes', whatever purpose it is, it is at a large risk.
The fact that it is still compromised indicates that it is not actively/properly monitored.
Taking it out will draw much more attention to the system from their owners. If I had a compromised system that I didn't know about and it was taken out, I'd be thankful it wasn't left running for longer.
It's not the 'correct' thing to do, but I'm not convinced that putting the system out of commission is more harmful than leaving it running doing who knows what.
Not much against taking a compromised system down, but the provider can (should?) do that according to their ToS (and whatever containment / response procedures they have in place), not some targeted victim playing vigilante by running what is basically a trivial DoS attack. My point was this is not a good thing to show off / encourage people to do and it can have unexpectedly bad consequences.
> A more appropriate response is to report the abuse to whoever manages the infrastructure (most likely a legitimate provider) and the domain registrar; both usually have appropriate channels and response procedures just for that.
Unless of course it's behind Cloudflare; then you cannot find out whose infrastructure the criminals are operating from and Cloudflare itself does not give a fuck. Best case scenario: they will forward your complaint to their customer, an unknown party to you who might be the criminals themselves, putting you in danger.
They claim they will do all this for you if they are (allegedly) proxying malicious content. Source: their abuse form [1], selecting "Phishing & Malware". Did you have bad experiences with this? Might be worth sharing.
I recently had a (b/s)ad experience with them. I am hosting the demo site for my open source image hosting solution (pictshare) behind Cloudflare and had the CSAM tool (that searches automatically for child pornography) enabled. Felt safe enough, but after a while I noticed a TON of traffic, like gigabytes an hour through Cloudflare.
Turned out someone uploaded like 1000 child pornography images to the demo site; Cloudflare didn't once send me anything or block an image before it was uploaded.
I wrote their support and they pointed me to the abuse form you mentioned (which would have reported the content to myself?)
I thought they'd look into their logs and send Interpol the uploaders' IP addresses, but no, they didn't do anything.
In the end I got Interpol and the local BKA (Federal Criminal Police Office) involved, and they were so awesome; I prepared Excel sheets for them with all IP addresses and log entries of every consumer and uploader.
I used the form and emailed abuse@ (for sites blatantly impersonating relief effort organizations at the onset of COVID-19).
All attempts got responses like "cool, but we don't do any of that. please contact google safe-site(tm) beta or something and get it blocked on the browser via that".
Everyone here posting that they replied probably used email from a domain that is an expensive paid customer from them. I used a @gmail one.
I would be wary about sending a warning email from an email address that could be traced back to me. Some people panic, and assume that you're the person responsible, or lash out at the only person they can strike - you.
The infrastructure provider (if any) has likely seen more of these than you can imagine and again, they have proper channels for this and the people who monitor them know how to handle it; they won't lash out at you. Same goes for the domain registrar.
As for the box's legitimate owner, while I agree that there is all kind of crazy out there and you can avoid this if it makes you uncomfortable (abuse-at-provider will most likely contact them shortly without involving you), I don't see the lash-out or strike-at-you scenarios as likely; in my experience you usually get a thank you.
To be clear, I'm not suggesting an email like "Bro, you are compromised, bye". I mean, you can just inform them that you received the link and were taken to a phishing site that looks like it's hosted on their machine, attach screenshots, and advise them on next steps if you want to go the extra mile in niceness. You're doing them a favour without breaking any law, why would they get mad at you?
I had a similar situation happen to me. Someone was catfishing (dogfishing?) using my dog; they have him listed for sale...
I phished the seller into giving me their Zelle email which was a full name and presumably tied to a legit bank account with a legit person associated with it.
I reported them, with all the facts I'd collected, to the AG office in the state I believed them to be in (OH, because they offered shipping to anywhere + local delivery in Cleveland). I reached out to other dog owners that I could identify and urged them to also file reports.
I passed along this information to a friend who works in cyber crimes law enforcement (specifically in crimes against children). He verified the information I provided to the best of his ability and passed to his peers in another agency.
Months later, nothing except an automated thanks from the AG office and the site is still up.
The main issue I'm told is I don't have any victims who actually tried to purchase and never receive a puppy.
> "Johnny" is my dog. That photo is in front of my old apartment.
I've successfully used the DMCA against spammers who used my photos in their spam. Hosting providers and platforms usually have process in place to deal with copyright infringement even if they're turning a blind eye to fraud.
Unfortunately, that is the only success I've had against them.
I used to report these things but ran into some issues:
1) There is no way I can see to contact anyone at Ali Cloud to report abuse and no expectation they will do anything and I've seen an increasing number of scams hosted on offshore providers with no apparent abuse reporting system.
2) Some registrars and hosting providers want you to sign up with an account first to be able to create a support ticket to report abuse which is very time consuming.
3) I would probably be spending hours per week reporting abuse and it never seems to end. It feels like trying to empty the ocean with a thimble.
So now I just ignore phishing scams.
You should be able to find the registrar abuse contact information in the whois, in the fields "Registrar Abuse Contact Email" and "Registrar Abuse Telephone Number". Registrars are required to provide these for the accreditation to ICANN [0]. Both email and valid phone number are required.
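As an added illustration of the comment above (not code from the thread), this pulls the registrar abuse fields out of raw whois text and decides where a report should go when a registry's thin record omits them. The whois samples, registrar name and contact values are all constructed placeholders.

```python
import re

# Constructed sample of a registrar whois record; every value is a placeholder,
# not a real registrar's data.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-PHISH.TEST
Registrar: Example Registrar, Inc.
Registrar IANA ID: 0000
Registrar WHOIS Server: whois.example-registrar.test
Registrar Abuse Contact Email: abuse@example-registrar.test
Registrar Abuse Contact Phone: +1.5555550100
Name Server: NS1.EXAMPLE-HOST.TEST
Name Server: NS2.EXAMPLE-HOST.TEST
"""

# A registry's "thin" record may carry no abuse fields and only name the
# registrar's own whois server, which is the one to query next (also constructed).
SAMPLE_THIN_WHOIS = """\
Domain Name: EXAMPLE-PHISH.TEST
Registrar: Example Registrar, Inc.
Registrar WHOIS Server: whois.example-registrar.test
"""

# Field names follow the ICANN whois output format; the phone field is seen under
# both spellings in the wild, so both are accepted.
_PATTERNS = {
    "registrar": r"^\s*Registrar:\s*(.+?)\s*$",
    "registrar_whois_server": r"^\s*Registrar WHOIS Server:\s*(\S+)\s*$",
    "abuse_email": r"^\s*Registrar Abuse Contact Email:\s*(\S+)\s*$",
    "abuse_phone": r"^\s*Registrar Abuse Contact (?:Phone|Telephone Number):\s*(\S+)\s*$",
}
_COMPILED = {k: re.compile(v, re.IGNORECASE | re.MULTILINE) for k, v in _PATTERNS.items()}
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def extract_abuse_contacts(whois_text):
    """Return a dict of the registrar abuse fields; a value is None when absent."""
    found = {}
    for key, rx in _COMPILED.items():
        m = rx.search(whois_text)
        found[key] = m.group(1).strip() if m else None
    # A malformed email is treated as missing so a report is not sent into the void.
    if found["abuse_email"] and not _EMAIL_RE.match(found["abuse_email"]):
        found["abuse_email"] = None
    return found


def next_step(contacts):
    """Decide what to do with the parsed fields.

    ("report", email)  -> send the abuse report to that address
    ("query", server)  -> thin record; query the registrar's own whois server next
    ("manual", None)   -> nothing usable; look the registrar up by hand"""
    if contacts["abuse_email"]:
        return "report", contacts["abuse_email"]
    if contacts["registrar_whois_server"]:
        return "query", contacts["registrar_whois_server"]
    return "manual", None


if __name__ == "__main__":
    for sample in (SAMPLE_WHOIS, SAMPLE_THIN_WHOIS):
        print(next_step(extract_abuse_contacts(sample)))
```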
Yes, I meant that more for hosting providers. However, I have never received a response from a registrar when I have contacted them about abuse, so I am not sure how useful it is.
It's more like: "She deserves to get her car's tires slashed because her car was stolen and is being driven on the sidewalk hitting innocent pedestrians"
In which case my answer would be: of course, by all means!
They sound strange because they are bad analogies.
This is a case where a resource was hijacked and is being used against other people. A similarly bad analogy, but more accurate, is if you had a car that was stolen, and subsequently used to commit crimes. If it got stopped, it would be beneficial to society, even if it could cause you financial harm.
As much as I think things like this can be fun, depending on your jurisdiction (and tbh the US loves extraditing people for silly computer crimes), it might not be advisable. This is all but certainly illegal at least within the US. I’m sure most competent security experts have been tempted to do things like this, or SQLi a scammer’s form and nuke their DB, and usually bad things won’t happen to you, you might find that you’re hacking something you weren’t expecting, and might piss someone off other than a scammer.
While it may be technically illegal, considering the victims are themselves worse criminals caught in the act, I really doubt anyone is going to give you trouble over this.
Unless authorities are looking for an excuse to prosecute you, of course, but there's plenty of bad PR to be had for authorities acting on behalf of criminals trying to steal people's banking credentials.
Maybe if you don't cause any collateral damage, you might have a low chance of conviction by a jury because the victim is highly non-sympathetic. (I'm not a lawyer. This is NOT LEGAL ADVICE.) That doesn't mean you won't get charged and incur a ton of legal costs if you pursue a jury trial rather than settling.
Always remember that U.S. courts are courts of law, not courts of justice. That's usually a good thing (less left to interpretation), but it does have downsides.
> "Always remember that U.S. courts are courts of law, not courts of justice. That's usually a good thing (less left to interpretation)"
Are they? My impression is that US courts rely heavily on the whims of a jury and the judge, leading to very different outcomes for similar cases. Though often leading to injustice (heavy punishments for poor and/or black people, light punishments for rich and/or white people) rather than justice.
I think their biases would have worse consequences if their goal was following some intuitive gut feeling of justice rather than having a goal of applying the law even when the law is known to be imperfect. That is, the less explicit the rules are, the more wiggle room there is for bias to act.
I'm not so sure, I feel the civil law system followed in continental Europe works much better as it's based on the spirit of the law instead of the exact letter and comma.
Hard to say if this would be a better fit for the US though -- I've no idea if that's causing issues elsewhere in more corrupt societies or not.
> While it may be technically illegal, considering the victims are themselves worse criminals caught in the act, I really doubt anyone is going to give you trouble over this.
Depends on who you fear more: law enforcement or organized crime.
The comment you replied to did say "Unless authorities are looking for an excuse to prosecute you, of course." If you suspect you're being monitored by the FBI or some other entity, you don't want to push the envelope.
I think weinzierl suggests that the criminals behind this might be more eager to punish you than law enforcement. But of course for that it doesn't really matter whether or not this is legal.
They presumably wouldn't call the police to report you for messing with their scam, but it's not unthinkable–if they're able to identify who you are–that they could SWAT you. I believe Brian Krebs has been SWAT'ed multiple times, and has had heroin mailed to his house to frame him.
I have a colleague who is a security researcher. And every now and then, he tells me he got a threat from an internet criminal about "how they know where he lives".
How can it be illegal sending a few fake data to a website?
And anyway I doubt they will ever sue you, at most you could be targeted for some revenge attack if they are really pissed off and you don't hide your traces.
This is what I expect the relevant text in the CFAA is...
> knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
Is it damage if you're just sending data to an endpoint to see what happens? Sounds like he didn't try to send a SQL injection, he just sent more characters than what was expected.
When in doubt - yes. It's the same reasoning forbidding you from shooting criminals in the street, you'd just open up mob justice.
Of course, this is a pretty clear cut case and you might argue that this is an emergency (as people are clearly in danger of being scammed unless you act right now), but overall this is a very blurry line.
Depends: around here you can break into a shop at night to put out a fire or - more realistically - break a car window to pull out a kid (or animal) left alone in the sun.
I'd be careful with computer crimes on the Internet though.
> I'd be careful with computer crimes on the Internet though.
Exactly. Let us say you break into a shop owned by some mafia to put out a fire, then you might be fine w.r.t. authority, but you might be in trouble w.r.t. criminals. Similarly, say you break a car window to pull out a pit-bull left alone in the sun, you might have some issues with the owner if he turns out to be part of some drug trafficking gang.
There is no reason to believe that phishing websites are run by script-kiddies, there are obviously criminal rings running all sorts of businesses on the Internet too. I would rather leave the work to the authorities rather than risk going through trouble with unknown criminals, just so that I could have my funny revenge over them.
This can be classified as a denial of service attack because of the rate you are sending the requests at. Depends on the law (and on the interpretation as well). I doubt that the phishing guys behind this will file a complaint though.
Many phishing pages reside on compromised domains. Bob's Plumbing Supplies might wonder why their WordPress site loaded with plug-ins has stopped working, ask someone to take a look, and see your IP address all over the logs.
Or the webhost where Bob's Plumbing Supplies is hosted detects an attack and files a complaint. Or the SaaS/server rental sees this, puts you on some automatic blacklist and puts it on the "to be investigated" blacklist. Too many parties involved whom you are "hurting" that might get back to you.
Not saying this to keep anyone from repeating this, though; just that when doing so, keep in mind that you're probably not just hurting a scammer alone.
To poison some phishing data you don't need to overload any server. Although the act of poisoning data itself could be seen as a DoS, since the service in question is an illegal one (IANAL) I don't think it would stand in court.
It is very important to understand this from the legal standpoint. If you overload a legitimate or illegitimate service you might commit a crime (depending on the country). I can give you a simple example of this in a different context. In our country you cannot go after the criminal who committed the crime and cannot cause them harm. A few years back a lady got robbed by two guys on a motorbike and she went after them and hit the motorbike with her car. She was prosecuted for assault. This is a very similar situation here. Again, depending on your country, state etc. this _might_ be a bad idea.
I see your point but anyway I think that phishers hardly will sue you for poisoning their data, because you probably just uncovered one phishing campaign but they run tens of them. Putting Justice in the loop would be much riskier for them, I believe.
I stopped 2 webshops which basically sell expensive stuff 20% off by wire transfer (bank transfer?!) and then of course never send the goods!
I did the following:
- I found out where it was hosted and sent them an email explaining why and how that shop is a scam
- I found out where they hosted the domain and wrote the registrar an abuse email
- I wrote an email to the banks where the bank accounts were active
The scammer had a webchat module active and he/she did write back to me; nothing came out of that, nonetheless:
next day, both webshops were gone due to being taken offline by the hosters.
I do believe that they have a chance because literally no one cares. I have seen mentions of one of those two shops older than 6 months. I pissed them off with very little effort in a very short time.
You'll get a response but it'll always be a polite "fuck off" unless you have some sort of actual authority (are you the trademark holder? are you LE? do you have a court order?). You'll have better luck contacting the hosting provider because they're actually responsible for the content.
I attended a meetup at our local registrar (SIDN) where they explained how data analysts on their payroll detect such fake webshops and how they then actively block those domains on DNS and registrar level.
I like to think it helped out, but at the same time, these people are professionals and will have automation to generate new instances and scam campaigns easily. At least it should be more difficult for them to set up new bank accounts though, they need ID for that, and / or a network of mules, and those are finite resources.
I think the bank thing is done through students quite often: "Hey, I can't get a bank account as I'm a refugee fleeing a war, please help by receiving £5000 cash, we'll give you £100. Say it's a gift from your Aunty to buy a car with."
I've seen reports of this in the UK at least, maybe they managed to stop it.
We got similar spam mails in our work inboxes. Whipped up a little ruby script that spammed bum login data to the spammer's form url. We had our scripts running on a couple of Heroku instances and all.
At some stage we realized that the password field in the form accepted arbitrarily sized payloads. So we base64 encoded some 10MB file and sent that as the password. The thinking was if we could not DoS them, we can at least clog up their works with some real hefty payloads.
While funny, real-looking fake login data might be more useful, as it's probably real easy to filter the few large requests. Unless, of course, you bring down the server and stop the whole operation (for a time).
It would be quite interesting to do a study on both options using a honeypot-account (to detect whether the login could be extracted by the spammer).
So the script we wrote created real email addresses and user names. The Ruby gem Faker (https://github.com/faker-ruby/faker) takes care of that.
But yeah you are probably right. 10MB passwords possibly made it too easy for the scammer to filter out the bum data.
We did only make the 10MB change very late in our attack, so the scammer got 1000's of fake names and emails before we cranked up the mass of each individual request.
I also try to send an email to the registrar "abuse" email to let them know that a specific domain is hosting a phishing page (with the exact link as proof). That takes it down quickly as well, which forces the website owner to do some remediation.
They hit back, ten times as hard, and completely destroyed a well-established forum, with thousands of users, that had experienced an annoying (but not crippling) "penis pill" spam attack.
So like... Backups? Restore, put it behind basic auth and email the password to the members active in the past few weeks, then at your leisure implement some captchas and go from there. Heck, restore the forum publicly as well and use that as a sandbox to see how they'll bypass it.
In all fairness, the person involved was a truly brilliant young man, and the experience pretty much shattered him, emotionally. He has yet to recover from it.
In a way, it can be satisfying to be able to say "I told you so," but seeing the human cost kinda takes the fun out of smugness.
I was not directly involved in the incident; hearing about it after the fact.
My understanding is that a forum spammer started registering fake accounts, and then did what they do. The admin saw this. He was quite smart, and figured out who they were, then executed some kind of attack on their server. I think it was a DDoS attack.
When they responded, they used a bunch of privilege escalation attacks to promote some of their registered users (it was a badly-maintained phpBB site, otherwise known as "Swiss Cheese"), and blew away a lot of the site structure and templates, so it basically imploded.
Yeah, it was his "baby." He was also involved in a running battle of nerd egos with some other folks, who used the incident to discredit him, and drove him out.
He said DDoS which has nothing to do with the data itself, and auth/captcha won't help. You'll have to upgrade to beefier servers, fatter pipes, or pay for a reverse proxy.. CF is free now and kinda helps sometimes, but it wasn't in the past, and any hacker with a grudge can take down your site anyway. It's about forcing you to spend money; which, if you're a hobby site forum host, you probably don't have.
Ah, right, I read it differently but I think you're right. In my initial understanding the spammers hit back by a huge spam wave, but a counter DDoS could also be.
A friend of mine fell victim to a renting scam here in Czechia. The phishing site was using the native .cz TLD, which is well within the reach of Czech authorities. I was particularly bored that day so I went to a local police department to report a crime. I advised the policeman to take down the phishing site - it was actively facilitating a crime. The poor cops had no idea what to do and in the end they told me that this crime is taking place on the internet and they have no means of investigating it :D.
Probably whoever works at the desk there has no idea how to get in touch with the department responsible for investigating internet crimes. They're probably in another office far away, and never interact with each other.
This kind of thing always confused me. Scam sites and sites promoting illegal activities (such as fake dna tests) are everywhere. Surely the police could take them down in the same way that they take down child porn sites.
If you asked EU politicians a few years ago there was no way to take those down and we needed a great European firewall asap. Of course when their top secret list of illegal sites got leaked it turned out to be sites that could be taken down within a few hours by just contacting the hosting providers.
It was probably a compromised site. Spinning up your own domain/VPS has the drawback of it being a new site not trusted or classified by most corporate firewalls and proxies (if set up right).
You'd be surprised how easy it is to scan+pwn some WordPress site left in default config or vulnerable to the latest Joomla exploit. They then upload a $20 phishing kit and start spamming. If you look at the directories' root in the path you sometimes get lucky enough to get the zip/tar file they forgot to remove (includes their email, to which stolen creds are sent; you probably spammed the crap out of their mailbox too). A few times I've even found unsecured webshells they left behind (just booted them out, got emails of people who fell for it and did the standard rfc-whatever notification).
One thing I wanted to try was to include tracker URLs when stuffing them with fake usernames like 'bob@bob.com https://bobscompany.com/login.php?trackerid=1345556' or make it a 1x1 pixel image link so when they see the fake creds I will know their IP
I have seen the code for some phish kits in the past. Many of them actually send an email on each submission rather than saving to a file (more resilient if the hacked WordPress site is taken down). They often also record the IP so it may be easier to filter out "phish-feeding" attempts like this.
Well, I have something like HN running on https://handlr.sapico.me ( automatically imports rss feeds)
Which had a lot of spammers, and they worked around the Google human verification script for logging in.
Humans won't add a Title + URL + text since it shouldn't be used this way.
So ... that flow now returns an XML bomb.
Spam stopped immediately after deploying this. I'm a bit curious how long they spend looking why the memory of their server suddenly went through the roof :p
Not if they just made the site return a 404/500 just to his IPs, which any half-decent adversary would do. The "play dead" strategy works great with these kind of vigilantes.
We've employed similar tactics against DDoSers at work. Start returning 500s or just tarpit their requests; they think the site is down and they go home.
Regarding its legality, I will paraphrase Bishop Berkeley: if a tree falls in the forest, and no one is around to hear it, does it make a sound?
What I am getting at is until there is a complaint, there is no crime, and as at least another pointed out, criminals will usually not report crimes that reveal their own crimes. "They kidnapped my kidnap-victim!"
>Sadly the server didn't enable indexing otherwise I would have seen all victims, but it was funny nonetheless.
It's actually very lucky for Haschek, because otherwise the only thing stopping Raiffeisen from suing him for stealing credentials would be a bad publicity.
I imagine it's illegal but I also assume that for it to be prosecutable, there would have to be a complainant. Good luck to that guy trying to prove that DDOS-ing a phishing site is worse than the phishing itself!
It is not unlikely that the phishing site is hosted on a hacked server that still serves legitimate websites (which you would also take down in the process). So there could be a legitimate complainant.
In this case however both sites I "took down" were still accessible afterwards; they just removed their backend. Still got an empty response or 404 with a valid HTTPS certificate.
So probably the phishers were annoyed with the fake data and moved servers
If you're in the US, it could be a violation of the Computer Fraud and Abuse Act. I used to do stuff like this until I became aware of the potential felony behind it.
Probably not, but it's like stealing from a drug dealer. They can't report you without incriminating themselves. Of course stealing from drug dealers is known to have other ramifications...
If they're hosted (e.g. shared hosting), then the hosting party may just lock you out if they had DDOS protection because you're using their resources. They're not happy with phishing sites being hosted on their sites, but also not - and they probably suffer more damage, even if it's "just" resources - from DDOS attacks.
The author lives in Austria and the phishing attempt itself was targeting a major Austrian bank, but I don't know if this is legal or if that's a gray area
Probably less legal. No court will convict you of stealing that cocaine, but a lot of courts would convict you of computer attack. Don't forget that when attacking, you're almost certainly not attacking just the phisher, but a lot of middlemen.
I wonder how many 'fake news' sites and other tools designed to subvert democracy are this fragile. Seems like we could do a lot of good by disrupting those sites rather than slowing down phishers.
Defending our democratic institutions > messing with scammers
1. One SMS every 90 days, because the security teams have no idea how MFA works (I know, I work there). Even if you hop devices. See https://try.popho.be/psd2.html
For quite a long time my bank used cargo culted 2FA i.e. 2x things that you know. Pretty embarrassing really. Thankfully they now have a card reader device but it's only used for certain actions (like adding new payees).
"required to use 2FA" for login, or "required to use 2FA" to conduct transactions?
I'm asking because my (German) bank only very recently changed to requiring 2FA every X days for login. I'm very curious if they are actually compliant, since I used to be able to log in just with 1 factor to see my current balance (but not conduct any transactions).
Currently 2FA (legally known as "strong customer authentication") for logging in to payment services (like banks) when one wasn't performed in 90 days is required in the EEA.
IMO implementing the bare minimum like this does nothing for security. However, banks often do that, and even if you try to look intentionally suspicious (say, use a VPN in the United States with another web browser on another operating system) they don't care and won't ask you for 2FA.
That's why the second, more advanced phishing page was trying to immediately log in with the just acquired login credentials.
If a 2FA challenge is presented, it is relayed to the victim on the phishing website, and as soon as the code is submitted, it is relayed to the real bank's website in turn.
Yes, there is existing software to automate this, I presume that competent bad guys already use that.
However you can't do this to WebAuthn (or its non-standard predecessor U2F). The WebAuthn challenge is bound to a DNS name, by the client browser. So https://fake-bank.example/important/urgent/thing/ignore/the/... can't get credentials for real-bank.example even if the human is utterly convinced the fake site is their real bank, because you need to fool the web browser not just a human.
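The relying-party side of that binding, as an added example that is not code from the thread: the server checks that the browser-written `origin` in clientDataJSON and the `rpIdHash` in authenticatorData match its own domain, so an assertion produced on a look-alike site is rejected. Domain names, challenge bytes and helper names are constructed for illustration.

```python
import base64
import hashlib
import json

# Added example, not the thread's code: relying-party checks of the origin /
# RP ID binding. Domain names and sample values are constructed.
RP_ID = "real-bank.example"                  # registrable domain the credential is scoped to
EXPECTED_ORIGIN = "https://real-bank.example"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_binding(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes):
    """Origin / RP ID / challenge checks from WebAuthn assertion verification.

    The browser fills in `origin` itself and the authenticator signs
    authData || SHA-256(clientDataJSON), so a phishing page cannot alter these
    fields without breaking the signature (signature check omitted here).
    """
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %r" % cd.get("origin")
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:              # UP flag: user presence
        return False, "user presence flag not set"
    return True, "ok"


def sample_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as a browser would emit it for `origin`."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def sample_auth_data(rp_id: str, flags: int = 0x01) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + b"\x00\x00\x00\x01"
```

`check_binding(sample_client_data("https://fake-bank.example", chal), sample_auth_data("real-bank.example"), chal)` returns an origin mismatch, which is the check that defeats the relay described in the comment above.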
Depends what you want to achieve. With wire transfers there's usually (always?) info about the amount and the last few digits of the account you're transferring money to on your 2FA provider.
The same IP that hosted this guy's phishing page also hosted phishing pages targeting the Italian banks WeBank, Banca Intesa Sanpaolo and Banca Sella over the past 14 days, all with wildcard certs issued by the same CA. So not really surprising, just run-of-the-mill phishkit activity most likely. If you have fun spamming their inbox then knock yourself out, but it's not gonna make a dent in the thousands of phishkits deployed every day. Source: https://urlscan.io/ip/89.46.110.15
Legal issues aside, these lists are typically checked with a validation tool that runs through them to scrub malformed or invalid entries. An example of one such tool, taken from a krebsonsecurity post: https://krebsonsecurity.com/wp-content/uploads/2019/08/chase....
That is really a good way to make them drop all the target.
But rather, if I were to do it, I would do it with a set of different signatures shuffled randomly to make them un-filterable, and limit the rate of submission such that they don't immediately notice me and I can fill their database with dummy data, which makes it useless for them. Many times you can also get to execute arbitrary SQL injection and delete the database.
In fact, in the past when in college I was trying to learn some hacking basics to find vulnerable servers. And, as in the googled article, like most script kiddies I searched and found a vulnerable site which was already hacked and had a shell.php installed on it.
What that vulnerability did was find a way to inject the browser navigator name into a PHP script using /proc/self/environ. After studying the attack, what I did was remove the shell and patch the vulnerable file with some obfuscation. I was so naive (what would have happened if my IP was tracked and I became a suspected criminal); looking back, luckily I never got myself involved in legal trouble.
I made something similar a couple of years ago, but I took down the video that I recorded doing it because I was afraid it could turn back on me.
These days I usually try to write an email to the abuse contact and to the hosting services. I also did a bunch of these "flags" on Instagram ads.
Instagram is the worst, because they open a website in their app, hiding the true URL of the phishing site. I sent a complaint to them about that. Never heard back.
I've done stuff like this but behind Tor. I tried to make the data random enough it would be tough to see which records were real. I remember once my IP was getting blocked after a certain amount of requests (not sure if via some automated fail2ban or a human) but Tor has an API to swap to a new outbound IP, so I just had it do that in the case of a timeout.
I don't think HaveIBeenPwned makes an attempt to harvest data captured by phishing websites. It's intended to track data leaked due to a breach of the actual system.
Mostly true, but there are things like Collection #1 and the Anti Public Combo List which are amalgamations of unknown provenance. A lot of it is probably prior breaches, but I wouldn't be surprised if it contained phishing data.
"The way these things work is that they act like they're the real login form, steal your credentials and usually send you off to the real bank so you think you made a typo or something."
If that's the case then surely you're also flooding the bank's real site with GET requests after the redirection.
Even if so, I'm sure the bank appreciates someone working against phishing. A few GET requests is something they're meant to handle. They have to be resistant to DDoS attempts from malevolent actors.
Oh how cool, I thought I was the only one trying to mess with scammy sites when I find them. Although I can see that I could improve my methods, since I usually write a short user script which spams the forms with data from faker.js and let the open tab sit pinned in my browser for a week or so.
I was thinking about something pretty similar -- rather than just try to overload the server, make it more difficult for phisherpeople to figure out which data is legitimate.
Realistically, I don't think I'd do it though -- who knows what 0 days you are putting on your box when you connect to those sites.
FYI... just because you get a 404 error doesn't mean the site is down, it might mean you are blocked. IIS for example has the request filtering module, in which you can return a status code when a certain filter is hit. It is very easy to create a filter where, if a query parameter is over a certain character limit, it returns a 404 (filters are just regular expressions). This is why you should always check a site from https://downforeveryoneorjustme.com/downforme.com
Is this a useful strategy that banks can or do employ? Filling a phisher's catch with spammed fake credentials may pollute their database enough that it's not worth selling.
Sorry for the off-topic question, but are there any dirty link sharing platforms, where you can share those links safely and warn the user and force them to copy-paste?
The opposite. ; is the same as a newline. Prepending the newline with a backslash \ is like saying "pretend this newline isn't here". So all of the -H arguments get applied to the same command in the example, rather than being treated as commands in their own right.
Oh... I am having one of those moments where I feel like everyone else but me knew this and I'm a dummy. But when put like this, I realize \ here is an escape character thing, making the newline into \\n.
If it's at the end of the line it's just signifying that the line continues underneath and to run that block as "one line". It's just escaping the newline character.
In bash '\' would escape the character behind it. In this case, newline was escaped, which means you could ignore the newline character and treat those lines as one line.
I was hired to look into why a WordPress site was so slow back in 2010. It turned out the site was hacked and they were hosting a spam viagra site on the side. When I brought it to their attention, the owner asked: "Can we keep it up? It will help our traffic numbers for investors and probably our Google ranking."
I literally face-palmed.