
Stopping phishing campaigns with Bash - geek_at
https://blog.haschek.at/2020/stopping-phishing-campaigns-with-bash.html
======
withinboredom
Hilarious story:

I was hired to look into why a WordPress site was so slow back in 2010. It
turned out the site was hacked and they were hosting a spam viagra site on the
side. When I brought it to their attention, the owner asked: "Can we keep it
up? It will help our traffic numbers for investors and probably our Google
ranking."

I literally face-palmed.

~~~
mipmap04
Well, with a spam viagra site, I think the point is keeping it up.

On topic, it's crazy how willing some people are to defraud their investors.

~~~
darkerside
Seems like a missed opportunity to pivot into a spam viagra hosting site

~~~
x86_64Ubuntu
But then your costs get allocated to the spam operation. The owner of the
website is benefiting because of the "traffic" they are receiving that is
attributed to their non-spam venture. The hacker is benefiting because of the
free hosting they are getting. The loser is anyone interested in buying the
site and having the price hinge on the traffic.

------
n0on3
That's really... _not_ an appropriate response, and not only for the legal
reasons others mentioned.

Phishing sites can be / are often served by compromised hosts, so you might as
well end up doxing a box that is not run by the bad guy, causing all sorts of
mayhem for the legitimate owners / admins (in addition to their being compromised).

Plus, you didn't solve anything, from the pattern you used it's pretty easy to
cleanup the data for the adversary, get rid of your garbage and put the thing
back on the next day, so you've only temporarily disrupted their operation.

A more appropriate response is to report the abuse to whoever manages the
infrastructure (most likely a legitimate provider) and to the domain registrar;
both usually have appropriate channels and response procedures just for that.
If you feel kind and keen to do some free work, you can find out if the
infrastructure has also a legitimate purpose and contact the legitimate
administrator. Also, there are a lot of abuse lists that accept contributions,
as in submissions for malicious sites, where you can report this (so it gets
fetched by a variety of stuff and blocked by others while it's operational
before it gets eradicated).

I understand this does not give you any credit or allow you to write a blog
post about looping requests in bash but still.

~~~
gnfargbl
Have you ever tried reporting a phishing site through those legitimate
channels?

I have, and my experiences have been that:

* The domain registrars are apologetic and well-meaning, but tend to explain that they aren't empowered to take this stuff down without being ordered to by Law Enforcement or similar. There typically isn't a mechanism available for getting LE to respond before the phish campaign is over.

* The hosting providers chosen by phishing sites are either "bulletproof hosts" who are tacitly complicit, or more commonly are so low-end that the support departments are massively underfunded and abuse reports take eons to be processed.

Either way, the phisher achieves their objectives before the site is taken
down. That being the state of affairs then, although I don't choose to use the
kind of tactics outlined in the blog myself, I find it pretty hard to condemn
those who do.

EDIT: I do agree with you that submitting the URL/IP to abuse blacklists is a
helpful and positive thing to do. Here are a couple of submission URLs (there
are many more):
[https://pulsedive.com/submit/](https://pulsedive.com/submit/),
[https://www.abuseipdb.com/report](https://www.abuseipdb.com/report).

~~~
kayson
I've had a similar experience. I ran into a scam that was masquerading as a
popular Canadian clothing store (Roots) where everything was 50% off. I
reported the domain to Namecheap and they said they're not responsible for the
content since it's hosted elsewhere. I pointed out that the domain itself was
also trying to pass as legitimate and they told me unless I was the trademark
owner they couldn't do anything. I also e-mailed the hosting provider but
never heard back.

Fortunately I got ahold of Roots via Twitter and the scam seems to have been
shut down.

~~~
wolco
Did you expect the domain company to take down the domain based on a copyright
issue reported by an entity where they are not the copyright holder?

Think of all of the false take down requests registrars would receive.

------
noodlesUK
As much as I think things like this can be fun, depending on your jurisdiction
(and tbh the US loves extraditing people for silly computer crimes), it might
not be advisable. This is all but certainly illegal at least within the US.
I’m sure most competent security experts have been tempted to do things like
this, or SQLi a scammer’s form and nuke their DB, and usually bad things won’t
happen to you, but you might find that you’re hacking something you weren’t
expecting, and might piss someone off other than a scammer.

~~~
mcv
While it may be technically illegal, considering the victims are themselves
worse criminals caught in the act, I really doubt anyone is going to give you
trouble over this.

Unless authorities are looking for an excuse to prosecute you, of course, but
there's plenty of bad PR to be had for authorities acting on behalf of
criminals trying to steal people's banking credentials.

~~~
KMag
Maybe if you don't cause any collateral damage, you might have a low chance of
conviction by a jury because the victim is highly non-sympathetic. (I'm not a
lawyer. This is NOT LEGAL ADVICE.) That doesn't mean you won't get charged and
incur a ton of legal costs if you pursue a jury trial rather than settling.

Always remember that U.S. courts are courts of law, not courts of justice.
That's usually a good thing (less left to interpretation), but it does have
downsides.

~~~
mcv
> _" Always remember that U.S. courts are courts of law, not courts of
> justice. That's usually a good thing (less left to interpretation)"_

Are they? My impression is that US courts rely heavily on the whims of a jury
and the judge, leading to very different outcomes for similar cases. Though
often leading to injustice (heavy punishments for poor and/or black people,
light punishments for rich and/or white people) rather than justice.

~~~
KMag
I think their biases would have worse consequences if their goal was following
some intuitive gut feeling of justice rather than having a goal of applying
the law even when the law is known to be imperfect. That is, the less explicit
the rules are, the more wiggle room there is for bias to act.

~~~
distances
I'm not so sure, I feel the civil law system followed in continental Europe
works much better as it's based on the spirit of the law instead of the exact
letter and comma.

Hard to say if this would be a better fit for the US though -- I've no idea if
that's causing issues elsewhere in more corrupt societies or not.

------
Wandfarbe
I stopped 2 webshops which basically sell expensive stuff 20% off by wire
transfer (bank transfer?!) and which then never send the goods, of course!

I did the following:

- I found out where it was hosted and sent them an email explaining why and
how that shop is a scam

- I found out where they hosted the domain and wrote the registrar an abuse
email

- I wrote an email to the banks where the bank accounts were active

The scammer had a webchat module active and he/she did write back to me;
nothing came out of that, nonetheless:

next day, both webshops were gone due to being taken offline by the hosters.

I do believe that they have a chance because literally no one cares. I have
seen mentions of one of those two shops older than 6 months. I pissed them off
with very little effort in a very short time.

I do hope i helped out.

~~~
madarcho
Abuse email/report to the registrar is also my goto. Usually results in a
quick response

~~~
parliament32
You'll get a response but it'll always be a polite "fuck off" unless you have
some sort of actual authority (are you the trademark holder? are you LE? do
you have a court order?). You'll have better luck contacting the hosting
provider because they're actually responsible for the content.

------
beAbU
A colleague and I did something similar recently.

We got similar spam mails in our work inboxes. Whipped up a little ruby script
that spammed bum login data to the spammer's form url. We had our scripts
running on a couple of Heroku instances and all.

At some stage we realized that the password field in the form accepted
arbitrarily sized payloads. So we base64 encoded some 10MB file and sent that
as the password. The thinking was if we could not DoS them, we can at least
clog up their works with some real hefty payloads.

More can be seen here: [https://github.com/dj-louw/spamscam](https://github.com/dj-louw/spamscam)

~~~
Sebb767
While funny, real-looking fake login data might be more useful, as it's
probably real easy to filter the few large requests. Unless, of course, you
bring down the server and stop the whole operation (for a time).

It would be quite interesting to do a study on both options using a honeypot
account (to detect whether the login could be extracted by the spammer).

~~~
beAbU
So the script we wrote created real email addresses and user names. The Ruby
gem Faker ([https://github.com/faker-ruby/faker](https://github.com/faker-ruby/faker))
takes care of that.

But yeah you are probably right. 10MB passwords possibly made it too easy for
the scammer to filter out the bum data.

We did only make the 10MB change very late in our attack, so the scammer got
1000's of fake names and emails before we cranked up the mass of each
individual request.

------
m-p-3
I normally just report those sites on
[https://safebrowsing.google.com/safebrowsing/report_phish/](https://safebrowsing.google.com/safebrowsing/report_phish/)
and it doesn't normally take long to end up with a phishing warning when you
navigate to it with a modern browser.

I also try to send an email to the registrar "abuse" email to let them know
that a specific domain is hosting a phishing page (with the exact link as
proof). That takes it down quickly as well, which forces the website owner to
do some remediation.

~~~
raverbashing
I think most URL shorteners have an abuse reporting facility (with bitly, add
a + to the end of the URL to see more info)

------
ChrisMarshallNY
I know someone that DDoSed a forum spammer.

They hit back, ten times as hard, and completely destroyed a well-established
forum, with thousands of users, that had experienced an annoying (but not
crippling) "penis pill" spam attack.

~~~
Aachen
So like... Backups? Restore, put it behind basic auth and email the password
to the members active in the past few weeks, then at your leisure implement
some captchas and go from there. Heck, restore the forum publicly as well and
use that as a sandbox to see how they'll bypass it.

~~~
ChrisMarshallNY
Shirley, you jest.

Backups are for, like, _squares_ , dude.

We live on the _edge_ , dude!

Extreme! YOLO!

In all fairness, the person involved was a truly brilliant young man, and the
experience pretty much shattered him, emotionally. He has yet to recover from
it.

In a way, it can be satisfying to be able to say "I told you so," but seeing
the human cost kinda takes the fun out of smugness.

~~~
cutemonster
How did the spammers hit back?

Can I ask what made it hard / infeasible to continue once the spammers had
stopped hitting back?

> seeing the human cost

It seems the forum meant a lot to him/her

~~~
ChrisMarshallNY
I was not directly involved in the incident; hearing about it after the fact.

My understanding is that a forum spammer started registering fake accounts,
and then did what they do. The admin saw this. He was quite smart, and figured
out who they were, then executed some kind of attack on their server. I think
it was a DDoS attack.

When they responded, they used a bunch of privilege escalation attacks to
promote some of their registered users (It was a badly-maintained phpBB site;
otherwise known as "Swiss Cheese"), and blew away a lot of the site structure
and templates, so it basically imploded.

Yeah, it was his "baby." He was also involved in a running battle of nerd egos
with some other folks, who used the incident to discredit him, and drove him
out.

~~~
cutemonster
> blew away a lot of the site structure and templates

Crazy spammers who have time for such things

Sad to hear how this affected him

------
dandare
A friend of mine fell victim to a renting scam here in Czechia. The phishing
site was using the native .cz TLD, which is well within the reach of Czech
authorities. I was particularly bored that day so I went to a local police
department to report a crime. I advised the policeman to take down the
phishing site - it was actively facilitating a crime. The poor cops had no
idea what to do and in the end they told me that this crime is taking place on
the internet and they have no means of investigating it :D.

~~~
dependenttypes
This kind of thing always confused me. Scam sites and sites promoting illegal
activities (such as fake dna tests) are everywhere. Surely the police could
take them down in the same way that they take down child porn sites.

~~~
josefx
If you asked EU politicians a few years ago there was no way to take those
down and we needed a great European firewall asap. Of course when their top
secret list of illegal sites got leaked it turned out to be sites that could
be taken down within a few hours by just contacting the hosting providers.

------
badrabbit
It was probably a compromised site. Spinning up your own domain/vps has the
drawback of it being a new site not trusted or classified by most corporate
firewalls and proxies (if setup right).

You'd be surprised how easy it is to scan+pwn some wordpress site left in
default config or vulnerable to the latest joomla exploit. They then upload a
$20 phishing kit and start spamming. If you look at the directories' root in
the path you sometimes get lucky enough to get the zip/tar file they forgot to
remove (includes their email, to which stolen creds are sent, you probably
spammed the crap out of their mailbox too). A few times I've even found
unsecured webshells they left behind (just booted them out, got emails of
people who fell for it and did the standard rfc-whatever notification)

One thing I wanted to try was to include tracker URLs when stuffing them with
fake usernames like 'bob@bob.com https://bobscompany.com/login.php?trackerid=1345556'
or make it a 1x1 pixel image link so when they see the fake creds I will know
their IP

------
tdeck
I have seen the code for some phish kits in the past. Many of them actually
send an email on each submission rather than saving to a file (more resilient
if the hacked WordPress site is taken down). They often also record the IP so
it may be easier to filter out "phish-feeding" attempts like this.

------
NicoJuicy
Well, I have something like HN running on
[https://handlr.sapico.me](https://handlr.sapico.me) ( automatically imports
rss feeds)

Which had a lot of spammers and they worked around the Google Human
verification script for logging in.

Humans won't add a Title + Url + text since it shouldn't be used this way.

So ... that flow now returns a xml bomb.

Spam stopped immediately after deploying this. I'm a bit curious how long they
spend looking why the memory of their server suddenly went through the roof :p

------
mrkramer
So you DDOSed their backend but they could've whitelisted their IP range and
blacklisted all the others for incoming requests.

What you did does nothing against flexible and adaptive adversaries.

~~~
scalableUnicon
Even if that's the case, it made the website unavailable for future victims
who got the same text messages.

~~~
parliament32
Not if they just made the site return a 404/500 just to his IPs, which any
half-decent adversary would do. The "play dead" strategy works great with
these kind of vigilantes.

We've employed similar tactics against DDoSers at work. Start returning 500s
or just tarpit their requests, they think the site is down and they go home.

------
catmistake
This is great, bash ftw. Nice presentation, too.

Regarding its legality, I will paraphrase Bishop Berkeley: if a tree falls in
the forest, and no one is around to hear it, does it make a sound?

What I am getting at is until there is a complaint, there is no crime, and as
at least another pointed out, criminals will usually not report crimes that
reveal their own crimes. "They kidnapped my kidnap-victim!"

~~~
anonymfus
The kidnap-victim or their relatives can. So:

 _> Sadly the server didn't enable indexing otherwise I would have seen all
victims, but it was funny nonetheless._

It's actually very lucky for Haschek, because otherwise the only thing
stopping Raiffeisen from suing him for stealing credentials would be a bad
publicity.

------
saagarjha
While this is all fun and games, I am curious if DOSing someone else’s server,
even if it’s being used to run a phishing scam, is legal.

~~~
stephenmc77
I imagine it's illegal but I also assume that for it to be prosecutable, there
would have to be a complainant. Good luck to that guy trying to prove that
DDOS-ing a phishing site is worse than the phishing itself!

~~~
mhils
It is not unlikely that the phishing site is hosted on a hacked server that
still serves legitimate websites (which you would also take down in the
process). So there could be a legitimate complainant.

~~~
geek_at
in this case however both sites I "took down" were still accessible
afterwards, they just removed their backend. Still got an empty response or
404 with valid http certificate.

So probably the phishers were annoyed with the fake data and moved servers

------
rymurr
I wonder how many 'fake news' sites and other tools designed to subvert
democracy are this fragile. Seems like we could do a lot of good by disrupting
those sites rather than slowing down phishers.

Defending our democratic institutions > messing with scammers

------
1023bytes
All banks in the EU are required to use 2FA, I'm curious how these hackers get
around that.

~~~
moviuro
1. One SMS every 90 days, because the security teams have no idea how MFA
works (I know, I work there). Even if you hop devices. See
[https://try.popho.be/psd2.html](https://try.popho.be/psd2.html)

2. It's just a little dev step away:
[http://blog.cmpxchg8b.com/2020/07/you-dont-need-sms-2fa.html](http://blog.cmpxchg8b.com/2020/07/you-dont-need-sms-2fa.html).
Phish kits will evolve, UX will still be bad, and phishing will still happen.

See also
[https://sakurity.com/blog/2015/07/18/2fa.html](https://sakurity.com/blog/2015/07/18/2fa.html)

~~~
kwhitefoot
> 1. One SMS every 90 days,

Wow that's bad.

Here in Norway we use a system called BankID that uses the SIM in your mobile
and it does it every time I log in.

------
heipei
The same IP that hosted this guy's phishing page also hosted phishing pages
targeting Italian banks WeBank, Banca Intesa Sanpaolo and Banca Sella over the
past 14 days, all with wildcard certs issued by the same CA. So not really
surprising, just run of the mill phishkit activity most likely. If you have
fun spamming their inbox then knock yourself out, but it's not gonna make a
dent in the thousands of phishkits deployed every day. Source:
[https://urlscan.io/ip/89.46.110.15](https://urlscan.io/ip/89.46.110.15)

------
generaljargon
Legal issues aside, these lists are typically checked with a validation tool
that runs through them to scrub malformed or invalid entries. An example of
one such tool, taken from a krebsonsecurity post:
[https://krebsonsecurity.com/wp-content/uploads/2019/08/chasebrute-ed2.png](https://krebsonsecurity.com/wp-content/uploads/2019/08/chasebrute-ed2.png).
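As an added example (not code from the original blog post or from any commenter in this thread), here is the kind of cleanup that Sebb767, tdeck and generaljargon describe above, written in Python over constructed submission records: a per-source-IP rate rule plus per-record sanity checks. It assumes the kit logs (timestamp, source IP, username, password) for every submission, as tdeck says many kits do, and, purely for illustration, that the 7-digit numbers from the `tr -dc '0-9' | fold -w 7` command quoted further down the thread are submitted verbatim as the password field. The two "victims", all IPs and all names are invented.

```python
import random
import re
from collections import Counter, defaultdict

# Constructed sample data: what a phishing kit that logs one record per
# submission (timestamp, source IP, username, password) would accumulate.
# Nothing below is a real credential; both "victims" are invented.
REAL_VICTIMS = [
    (1000.0, "203.0.113.7", "maria.huber@example.at", "Sommer2020!"),
    (1900.0, "198.51.100.23", "t.gruber@example.com", "hundeliebe42"),
]

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Assumption for illustration: the 7-digit numbers from the
# `tr -dc '0-9' < /dev/urandom | fold -w 7` command quoted in this thread
# are submitted verbatim as the password, i.e. a fixed generator signature.
SEVEN_DIGITS = re.compile(r"^[0-9]{7}$")


def naive_flood(start, ip, n):
    """One source IP, fixed-format data, 20 requests/s: what a curl loop
    hammering the form from a single box leaves in the log."""
    rng = random.Random(1)
    return [(start + i * 0.05, ip, f"user{rng.randrange(10**6)}@gmail.com",
             f"{rng.randrange(10**7):07d}") for i in range(n)]


def oversized_flood(start, ip, n):
    """The 'multi-megabyte password' variant, sent slowly (one per minute);
    100 KB stands in for the 10 MB mentioned in the thread."""
    return [(start + i * 60.0, ip, f"bob{i}@example.net", "A" * 100_000)
            for i in range(n)]


def careful_flood(start, ips, n):
    """Plausible names and passwords, ~1 request/min, source IP rotated
    across a pool (what Tor circuit rotation or a fleet of workers gives)."""
    rng = random.Random(2)
    first = ["anna", "lukas", "sophie", "felix", "lena", "paul"]
    last = ["mueller", "schmidt", "bauer", "wagner", "hofer", "pichler"]
    alphabet = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!?"
    out = []
    for i in range(n):
        user = f"{rng.choice(first)}.{rng.choice(last)}{rng.randrange(100)}@example.org"
        pw = "".join(rng.choice(alphabet) for _ in range(rng.randrange(8, 14)))
        out.append((start + i * 60.0 + rng.uniform(-10, 10), rng.choice(ips), user, pw))
    return out


def scrub(records, max_pw_len=128, per_ip_limit=20, window=600.0):
    """Cleanup a kit operator (or a list-validation tool) can run over the dump.
    Returns (kept_records, Counter of drop reasons).
    Rule 1: an IP with more than per_ip_limit submissions inside any span of
            `window` seconds is a flooder; everything it sent is dropped.
    Rule 2: per-record sanity: oversized password, malformed e-mail address,
            or the fixed generator signature."""
    by_ip = defaultdict(list)
    for ts, ip, _, _ in records:
        by_ip[ip].append(ts)
    flooders = set()
    for ip, times in by_ip.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):           # sliding window over sorted times
            while t - times[j] > window:
                j += 1
            if i - j + 1 > per_ip_limit:
                flooders.add(ip)
                break
    kept, reasons = [], Counter()
    for rec in records:
        _, ip, user, pw = rec
        if ip in flooders:
            reasons["flooding_ip"] += 1
        elif len(pw) > max_pw_len:
            reasons["oversized_password"] += 1
        elif not EMAIL_RE.match(user):
            reasons["malformed_email"] += 1
        elif SEVEN_DIGITS.match(pw):
            reasons["generator_signature"] += 1
        else:
            kept.append(rec)
    return kept, reasons


def demo_naive():
    """Two victims buried under 5000 single-IP fakes plus 50 huge payloads."""
    dump = (REAL_VICTIMS
            + naive_flood(1200.0, "192.0.2.10", 5000)
            + oversized_flood(1500.0, "192.0.2.11", 50))
    return scrub(dump)


def demo_careful():
    """Same victims under 400 low-rate, well-formed fakes from 40 rotating IPs."""
    pool = [f"10.0.{i}.1" for i in range(40)]   # stand-in for rotating exit IPs
    return scrub(REAL_VICTIMS + careful_flood(1000.0, pool, 400))


if __name__ == "__main__":
    for name, fn in (("naive flood", demo_naive), ("careful flood", demo_careful)):
        kept, why = fn()
        print(f"{name}: kept {len(kept)} record(s), dropped {dict(why)}")
```

Running it shows the single-IP curl loop and the oversized passwords vanish completely while both constructed victims survive, whereas the low-rate, well-formed flood from rotating IPs (the approach chadrs and jitendrac describe elsewhere in this thread) passes every rule untouched. A flood is only as useful as its ability to blend in with the records the kit actually wants, and two cheap rules are enough to strip the obvious kind.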

------
jitendrac
That is really a good way to make them drop all the targets, but if I were to
do it I would do it with a set of different signatures shuffled randomly to
make them un-filterable, and limit the rate of submission such that they don't
immediately notice me and I can fill their database with dummy data which
makes it useless for them. Many times you can also get to execute arbitrary
SQL injection and can delete the database.

In fact, in the past when in college I was trying to learn some hacking basics
to find vulnerable servers. And as in the googled article, like most script
kiddies, I searched and found a vulnerable site which was already hacked and
had shell.php installed on it. What that vulnerability did was, it found a way
to inject the browser navigator name into a php script using /proc/self/environ.
After studying the attack what I did was remove the shell and patch the
vulnerable file with some obfuscation. I was so naive (what would have happened
if my IP was tracked and I became a suspected criminal); now looking back,
luckily I never got myself involved in legal things.

------
miguelmota
> cat /dev/urandom | tr -dc '0-9' | fold -w 7 | head -n 1

Useless use of cat

[http://porkmail.org/era/unix/award.html](http://porkmail.org/era/unix/award.html)

------
jitteriest
Not really important but:

`cat /dev/urandom | tr -dc '0-9' | fold -w 7 | head -n 1`

Can be accomplished in two steps instead of 4:

`tr -dc '0-9' < /dev/urandom | head -c 7`

~~~
gshubert17
When I tried either of these, on my macOS, I got

tr: Illegal byte sequence

which I got around by changing the locale:

( export LC_ALL=C; tr -dc '0-9' < /dev/urandom | head -c 7 )

with help from: [https://unix.stackexchange.com/questions/141420/tr-complains-of-illegal-byte-sequence](https://unix.stackexchange.com/questions/141420/tr-complains-of-illegal-byte-sequence)

------
suixo
This reminds me of something similar I did about 5 years ago:
[https://blog.securem.eu/projects/2015/03/08/flooding-the-phisherman/](https://blog.securem.eu/projects/2015/03/08/flooding-the-phisherman/)

One important thing is to _report_ the phishing attempt, both to the hosting
providers involved and to the mail service used to send the emails.

------
atum47
I have made something similar couple of years ago, but I took down the video
that I recorded doing it cause I was afraid it could turn back on me.

These days I usually try to write an email to the abuse contact and to the
hosting services. I also did a bunch of these "flags" on Instagram ads.

Instagram is the worst, cause they open a website in their app, hiding the
true URL of the phishing site. I sent a complaint to them about that. Never
heard back.

------
chadrs
I've done stuff like this but behind Tor. I tried to make the data random
enough it would be tough to see which records were real. I remember once my IP
was getting blocked after a certain amount of requests (not sure if via some
automated fail2ban or a human) but Tor has an API to swap to a new outbound
IP, so I just had it do that in the case of a timeout.

------
anticristi
Nice! If you are required to write an email address, it would be cool to use a
canary, and see if it shows up on haveibeenpwned.com.

~~~
strogonoff
I don’t think HaveIBeenPwned makes an attempt to harvest data captured by
phishing websites. It’s intended to track data leaked due to a breach of the
actual system.

~~~
Eremotherium
Mostly true but there are things like Collection #1 and Anti Public Combo List
which are amalgamations of unknown provenance. A lot of it is probably prior
breaches but I wouldn't be surprised if it contained phishing data.

------
mrvenkman
"The way these things work is that they act like they're the real login form,
steal your credentials and usually send you off to the real bank so you think
you made a typo or something."

If that's the case then surely you're also flooding the bank's real site with
GET requests after the redirection.

~~~
Cthulhu_
From cURL the author can ignore the redirect to the bank's real site though.

------
alufers
Oh how cool, I thought I was the only one trying to mess with scammy sites
when I find them. Although I can see that I could improve my methods, since I
usually write a short user script which spams the forms with data from
faker.js and let the open tab sit pinned in my browser for a week or so.

~~~
mflower
I was thinking about something pretty similar -- rather than just try to
overload the server, make it more difficult for phisherpeople to figure out
which data is legitimate.

Realistically, I don't think I'd do it though -- who knows what 0 days you are
putting on your box when you connect to those sites.

------
thrownaway954
fyi... just cause you get a 404 error doesn't mean the site is down, it might
mean you are blocked. IIS for example has the request filtering module in which
you can return a status code when a certain filter is hit. It is very easy to
create a filter where, if a query parameter is over a certain character limit,
it returns a 404 (filters are just regular expressions). This is why you should
always check a site from
[https://downforeveryoneorjustme.com/downforme.com](https://downforeveryoneorjustme.com/downforme.com)

------
schappim
I am all for this. Thank you.

------
daniel-s
Is this a useful strategy that banks can or do employ? Filling a phisher's
catch with spammed fake credentials may pollute their database enough that
it's not worth selling.

------
hrgiger
Sorry for off topic question but are there any dirty link sharing platforms
,that you can share those links safely and warn the user and force it to copy
paste?

------
lordnacho
What do they do when they access the victim's bank account? Buy fungible goods
with the money? Send it to another account?

------
gigatexal
The author is a saint. This made my day.

------
b0re
noob question: what does a \ at the end of a line in a bash script do? Is it
the same as ; ?

~~~
oddeyed
The opposite. ; is the same as a newline. Prepending the newline with a
backslash \ is like saying "pretend this newline isn't here". So all of the -H
arguments get applied to the same command in the example, rather than being
treated as commands in their own right.

~~~
newswasboring
Oh... I am having one of those moments where I feel like everyone else but me
knew this and I'm a dummy. But when put like this, I realize \ here is an
escape character thing, making the newline into \\\n.

------
Samuyi
great stuff

