
Operation Luigi: How I hacked my friend without her noticing - adamch
https://defaultnamehere.tumblr.com/post/163734466355/operation-luigi-how-i-hacked-my-friend-without#jfuf232n3
======
devwastaken
This is the best commentary on a real-life social engineering hack I've seen.
What's really interesting is how he was able to be undetected mostly, because
services like linkedin only had an optional requirement for forcing all
devices to re-login when a password was changed, and that the hacked
individual wasn't using 2FA on her email.

~~~
albertgoeswoof
Agree this is excellent, and demonstrates how straightforward phishing really
is. 2FA wouldn't save you here either, as that can easily be phished at the
same time (except for U2F tokens).

~~~
jethro_tell
Right, the point of U2F is the physical token.

~~~
vertex-four
The "point" of U2F instead of HOTP/TOTP is that the code you send to
evilhacker.com can't be used on google.com - so getting a usable token by
phishing is impossible. HOTP/TOTP are flawed in that you can send the
generated code to evilhacker.com and they can use it to log in to google.com
with you being none the wiser.
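A toy model of the difference vertex-four describes, added here as an illustration and not code from the linked post or from anyone in this thread. The TOTP half follows RFC 6238 (the HOTP test vectors from RFC 4226 apply to it); the U2F half stands in an HMAC for the token's ECDSA signature and uses made-up origins and keys. The only point being shown is that the browser, not the phishing page, fills in the origin that gets signed, so an assertion produced on evilhacker.com fails verification at the real site, while a TOTP code typed into evilhacker.com is accepted anywhere within the same time step.

```python
"""Toy model: why a phished TOTP code replays but a U2F-style assertion
does not. Added illustration; origins, keys and secrets are constructed,
and HMAC stands in for the authenticator's real ECDSA signature."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://accounts.google.com"   # assumed relying party
PHISH_ORIGIN = "https://evilhacker.com"       # assumed phishing page


# --- HOTP/TOTP (RFC 4226 / RFC 6238): the code is bound only to time ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def site_accepts_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # Servers usually tolerate one step of clock skew either way.
    return any(hmac.compare_digest(totp(secret, unix_time + d), code)
               for d in (-30, 0, 30))


def phish_totp(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into evilhacker.com; the phisher submits it to
    the real site a second later. Nothing in the code names a site."""
    code_given_to_phisher = totp(secret, unix_time)
    return site_accepts_totp(secret, code_given_to_phisher, unix_time + 1)


# --- U2F-style challenge/response: the signed client data names the origin ---
def authenticator_sign(key: bytes, origin_browser_is_on: str, challenge: str) -> dict:
    """The browser fills in the origin it is actually connected to; the
    page cannot override it, and the token signs over it."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": origin_browser_is_on}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}


def site_accepts_assertion(key: bytes, own_origin: str, issued_challenge: str,
                           assertion: dict) -> bool:
    data = json.loads(assertion["clientData"])
    if data.get("challenge") != issued_challenge or data.get("origin") != own_origin:
        return False  # relayed assertions die here: origin says evilhacker.com
    expected = hmac.new(key, assertion["clientData"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def phish_u2f(key: bytes) -> bool:
    """Phisher starts a login at the real site, relays its challenge to the
    victim's browser on evilhacker.com, then relays the answer back."""
    challenge = secrets.token_urlsafe(16)
    assertion = authenticator_sign(key, PHISH_ORIGIN, challenge)
    return site_accepts_assertion(key, REAL_ORIGIN, challenge, assertion)


def legit_u2f(key: bytes) -> bool:
    challenge = secrets.token_urlsafe(16)
    assertion = authenticator_sign(key, REAL_ORIGIN, challenge)
    return site_accepts_assertion(key, REAL_ORIGIN, challenge, assertion)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 test secret, reused as token key
    print("phished TOTP accepted:", phish_totp(seed, 1_500_000_000))   # True
    print("legit U2F accepted:   ", legit_u2f(seed))                   # True
    print("phished U2F accepted: ", phish_u2f(seed))                   # False
```

The same origin check is what WebAuthn inherited from U2F: the relying party compares `clientData.origin` against its own origin before it even looks at the signature, which is why the physical token matters less than the fact that the browser writes the origin.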

------
shalmanese
One of my favorite low key social engineering hacks is that I used to have a
keylogger installed on every machine I own. Whenever a friend needs to hop on
my machine to show me something, they'd log into an account they own and I
would have their password.

Then I'd do the same Luigi-like low key messing with them for a while. My
favorite was when a friend had a VNC server running on their machine with
control capabilities. I would sit next to them and subtly jerk the mouse
pointer right before they were about to click on something and it drove them
mad for a good 20 minutes before I couldn't hold onto the giggles anymore.

edit: To add a bit of context, this was in the Windows 98 era, before the age
of social media where we started putting all of our secrets onto our machines.
And it was among a group of friends where everyone was trying to hack everyone
else and pretty much anything was considered fair game. All of us were high
school kids so there wasn't some super serious reputation we had to protect.

~~~
Sleeep
Just wow...

>One of my favorite low key social engineering hacks is that I used to have a
keylogger installed on every machine I own. Whenever a friend needs to hop on
my machine to show me something, they'd log into an account they own and I
would have their password.

This isn't a "low key social engineering hack", it's betraying someone's
trust.

>I would sit next to them and subtly jerk the mouse pointer right before they
were about to click on something and it drove them mad for a good 20 minutes
before I couldn't hold onto the giggles anymore.

This isn't actually funny, it's just being obnoxious and mean.

If you're next to them why not just jerk their arm when they are trying to
click? It achieves the same "goal" of "entertaining" yourself and pissing the
other person off. Jerk their laptop when you walk by. Throw stuff at them.
Smack them in the head. Trip them when they get up to pee. "Hilarious."

>among a group of friends where everyone was trying to hack everyone else and
pretty much anything was considered fair game.

This sounds like the bully saying "we were all having fun together."

You don't know the difference between having fun with someone and having fun
at their expense - and that's just disturbing.

As someone who lived during the Windows 98 era, I wouldn't want others reading
my IMs and emails (I had some _very_ sexual and personal communication over
those channels) or viewing my browsing habits.

~~~
stale2002
C'mon, man. You've never heard of someone "hacking" a facebook account and
changing the profile picture to a poop emoji or something?

It is juvenile prank, sure, but high schoolers are literally juveniles.

Obviously, you shouldn't do stuff like this to someone who will freak out and
get upset about it.

Persistent bullying and harassment is, of course, not ok. But most "cyber
crimes" that high schoolers commit against each other are NOT that. They are
dumb pranks like changing a person's sexual orientation on facebook.

For most situations, the vast majority of kids would just be embarrassed for
like 10 seconds, laugh, and maybe try to prank the person back.

~~~
yladiz
Yeah but there's a big difference between 'hacking' a friend's Facebook or
MySpace account, since it usually happens if they just leave the account open
on a computer, and actually keylogging their password.

------
raybb
This post was a bit hard to read with the buzzfeed-esque jokes and writing
style.

Here's my summary:

      1. Someone gets permission to hack their friend
      2. They find their email / phone number online
      3. They lookup old password leaks for the email (passwords don't work)
      4. They end up setting up a fake page to phish their friend (it works)
      5. They wait until their friend falls asleep to reset the twitter password
      6. They make their friend follow a bunch of fake Mario accounts on Twitter
      7. Friend notices, they meetup to swap stories (the friend doesn't follow the fake Mario accounts)

~~~
TeMPOraL
I think the details were pretty interesting, so let me expand your summary:

      1. Someone gets permission to hack their friend
      2. They find their email / phone number online
      3. They lookup old password leaks for the email
        3.1. They find their password hash (salted) in the Tumblr dump
        3.2. Tumblr turned out to use the same hash for everybody, so the author
             finds other accounts with the same hash, follows them to a LinkedIn
             leak (unsalted), and successfully recovers the password
        3.3. The password turns out not to work (changed some time ago)
      4. They end up setting up a fake page to phish their friend
        4.1. First phishing attempt produces... the old password that is already
             known through point 3.
        4.2. Second attempt is modified to reject user input a few times, producing
             another password, which happens to work
        4.3. The victim grows suspicious of the phishing e-mails, but another
             message puts those suspicions to rest
      5. They wait until their friend falls asleep to reset the Twitter password and (later, in the same way) capture
         their LinkedIn account
      6. They photoshop their profile pictures to subtly include a Mario character, and they
         make their friend follow a bunch of fake Mario accounts on Twitter
        6.1. When that doesn't get noticed, they redo the trick in a much less subtle way
      7. Friend notices, they meetup to swap stories (the friend doesn't follow the fake Mario accounts)

~~~
jklein11
I would pay good money to have all HN articles summarized like this

~~~
gexcolo
It might not be the digest you asked for, but it's the summary we deserve:
[http://n-gate.com/hackernews/2017/07/31/0/](http://n-gate.com/hackernews/2017/07/31/0/)

~~~
KirinDave
I am exhausted just imagining that this bucko is still at this project. It's
like a perpetual motion machine of self-hatred.

Irony is only irony if it is not greater than 73% of your life, according to
scientists. This person long ago passed that threshold.

~~~
syrrim
You're assuming they actually read the threads. It would be easier, and yield
the same results, to merely read the headline, and write based on that. In
fact, I'm sure a simple script could cover the majority of cases, leaving them
to only need to write for the odd one their script can't cover.

~~~
KirinDave
Knowing them, I don't think that's what they do tho.

~~~
TeMPOraL
Yeah, they definitely read the threads. This is some pinpoint-accuracy hate
and idiocy.

------
iiv
While slightly enjoyable (for the first few paragraphs) I couldn't finish
reading it. The author is trying _way_ too hard to be funny.

I suppose it is written to another audience, perhaps the people that use
tumblr find this funnier.

~~~
misingnoglic
> That’s REAL nice of you to offer old mate LinkedIn but I’m absolutely golden
> as it is in terms of logouts so don’t even worry about it I’ll be just fine
> how it is NO REALLY don’t trouble yourself, I’m sure your CPU cycles are
> busy displaying everyone’s 6000 word Thinkpieces about “Cyber” for “Non-
> technical Business Decision Makers”.

You can't tell me you didn't find this hysterical

~~~
executesorder66
I found the length of that sentence hysterical.

------
adtac
Quite long ago, I read a fairly similar article (without this ridiculous
commentary, of course). It went something like this:

- a friend asks author to try and hack him

- author tries a bunch of things in vain, finally decides to use a rogue
wireless AP and does a MITM

- identifies that notepad++ has automatic updates turned on and that it's
over HTTP

- creates a custom executable and writes a script (or something) to serve
this payload when notepad++ tries to download an EXE

- fakes an update (by returning true when notepad++ queries an HTTP endpoint
for the latest version on startup)

I'd be really thankful if someone could link me to this post. My usually
powerful google-fu has let me down this time (I tried all _sorts_ of things).
Notepad++ and MITM are the only things I strongly remember.

~~~
svenfaw
This one looks like a good match: [https://null-byte.wonderhowto.com/how-to/hack-like-pro-hijac...](https://null-byte.wonderhowto.com/how-to/hack-like-pro-hijack-software-updates-install-rootkit-for-backdoor-access-0149225/)

~~~
adtac
While that uses a similar exploit, it's not the one alas! The article I'm
referring to used a rogue AP where the author essentially created a pineapple-
like device (or something; I'm probably misremembering this part).

Thanks anyway! :)

Edit: this was also more of a story than a how-to like guide.

------
darth_mastah
I found it really enjoyable and rather funny. I really liked the attention to
detail as well, e.g. replicating last 5 searches in order to stay stealthy. I
imagine that lots of effort went into the hacking exercise and the write-up.
Nicely done.

------
apathetic
> I use the incredibly cutting edge “Inspect Element” feature of the popular
> hacking software, Google Chrome, to edit the text of the email but keep the
> look.

I used do this to fake screenshots as well. People assumed I edited them with
Photoshop!

------
pepelondono
I actually found this post really good. The buzzfeed-esque jokes are made this
way with the only purpose of helping raise awareness about online security and
how anyone with a minimum knowledge of the Internet can easily breach into
your accs.

------
Jonnax
Social Engineering is a thing to watch out for. I've learnt to never answer
honestly when they're asking stuff like "Where were you born?" "What's your
first pet" etc.

Instead I've made up some answers that I'll never tell anyone else.

However that doesn't really make those details secure. 2FA is where it's at.

~~~
StavrosK
> Instead I've made up some answers that I'll never tell anyone else.

You should make up some answers like ighe9Chik9oorooy. That's what I do.

~~~
Sleeep
A (random) English word is a better answer. Otherwise you can be phished by
someone communicating with a phone rep.

"For security what's your pet's name?"

"I don't have a pet, I just put a bunch of random characters."

\--

Due to implementation these questions are actually sometimes hard to answer
truthfully. My fav teacher has a . in her name but "special characters" are
not allowed in answers. My pet's name is 4 characters, too short. How did I
answer my first car? Year, make, model? Make? Year and model? Just model? Who
can remember?

~~~
manmal
Only, how is the phisher supposed to know that I used a randomized password?

~~~
Sleeep
1) Guess

2) The HN post I replied to.

------
sleazybae
my notes from this article:

    
    
      * don't use linkedin
      * don't use hotmail
      * always use 2FA
      * use complicated and different passwords
      * security questions matter
      * avocado toast?
      * change passwords periodically

~~~
PhasmaFelis
> _avocado toast?_

A couple of Australian doofuses said that it's millennials' own fault they
can't afford homes, because some of them buy expensive meals sometimes.
[http://time.com/money/4778942/avocados-millennials-home-buyi...](http://time.com/money/4778942/avocados-millennials-home-buying/)

The internet has had a lot of fun with it.
[https://www.washingtonpost.com/news/food/wp/2017/05/15/dont-...](https://www.washingtonpost.com/news/food/wp/2017/05/15/dont-mess-with-millennials-avocado-toast-the-internet-fires-back-at-a-millionaire/?utm_term=.199c5f071b93)

~~~
fgandiya
I found it rich the millionaire said that given that his grandfather gave him
$34k to buy a house (0).

(0): [https://www.cnbc.com/2017/05/16/millionaire-tells-millennial...](https://www.cnbc.com/2017/05/16/millionaire-tells-millennials-to-stop-buying-avocados-to-afford-a-home.html)

~~~
Sleeep
Steps to becoming a millionaire:

1) Family gives you money.

2) Don't squander the money on hookers and blow.

3) Use life opportunities that having wealth brings to create more wealth.[1]

4) Congrats, you're a millionaire.

Anyone can do it!

[1] They say "you need money to make money" and speaking as someone who has
both lived with no money and now lives with lots of money, it's sooooooo true.
The more money you have the easier it is to acquire even more money.

------
misingnoglic
This is the same guy who did a great blog post about finding his friends'
Tinder accounts by spoofing a new Tinder service. They're absolutely
hysterical, and I hope he keeps doing more.

~~~
arprocter
[https://defaultnamehere.tumblr.com/post/147747146865/stalkin...](https://defaultnamehere.tumblr.com/post/147747146865/stalking-your-facebook-friends-on-tinder)

------
taiar
I had no problems with the humor parts. Good article.

------
chefandy
"Hello and welcome to a blog post. I am writing it and you are reading it.
It’s amazing what we can do with computers these days."

Ugh. And I'm closing the tab. Appreciate the effort with humor, but you really
should concentrate on being able to write something that's informative and
enjoyable to read, and THEN try your hand at making your writing funny. The
first sentence/paragraph needs to be a hook to get people interested, not some
meta jokey blurb that doesn't have anything to do with anything.

~~~
TeMPOraL
> _The first sentence /paragraph needs to be a hook to get people interested,
> not some meta jokey blurb that doesn't have anything to do with anything._

The first sentence/paragraph needs to be the first sentence/paragraph. I'm
personally sick of people optimizing things to "hook" their "audience". I much
prefer when people simply write honestly and to the point. Not everything in
life has to be a sales pitch.

(This post was definitely not "to the point", but that's a stylistic choice of
the author; I can respect that even if I don't like it.)

------
fiatpandas
It's possible to discover this girl's full name, Twitter, Instagram, LinkedIn,
etc. (full identity) based on a few careless clues left by the author. Very
irresponsible considering he has revealed her password habits and other
personal vulnerabilities.

Loved the write up though.

~~~
sesqu
The author acknowledged as much in the footnotes:

> If you really tried you could probably find Diana’s Twitter from these. You
> would then be a hacking genius, binary flowing through your veins, and have
> a CVE number assigned to your personally. I, a humble wannabee, am relying
> on your strict ethics to prevent you from, uh, stalking the friend of some
> guy whose blog post you read. You can do it. I believe in you.

> Having said that, I don’t really have an overwhelming amount of faith in the
> idea that someone won’t try to do that. You can stay chilled out, dear
> reader, since before this blog was published Diana and I had a nice chat and
> fixed up her personal security.

------
nobleach
>There are entire criminal industries built on the idea that people use the
same password all over the place because nobody cares enough to remember more
than a few passwords because they’ve got things to scroll on their phone okay.

Or... because having to remember more than 3 random combinations of arbitrary
letters, numbers, and a subset of extended ASCII, is not a tenable solution.
Of course people use things like l33tspeak. We can remember words. I wouldn't
say laziness has anything to do with it.

------
_d4bj
If there was no salt in the database, it looks like Tumblr used a secret "pepper"
([https://en.wikipedia.org/wiki/Pepper_(cryptography)](https://en.wikipedia.org/wiki/Pepper_\(cryptography\)))?
Why wouldn't they include a salt as well? Or did the database dump just not
have the salt column?

~~~
IncRnd
> If there was no salt in the database, it looks Tumblr used a secret "pepper"

It's absolutely clear that Tumblr did not use a pepper to create the dumped
hash values in the article. Multiple users had the same hash, and most of
those users had the same password as each other on another site.

~~~
ameliaquining
A pepper is shared among all users of a site. That's what makes it different
from a salt.

Or are you saying that the exact same hash was found in multiple separate
database dumps? I didn't see any indication of that in the article.

~~~
TeMPOraL
What you say seems to directly contradict the Wikipedia link above, which
says:

"The pepper is randomly generated for each value to be hashed (within a
limited set of values), and is never stored. When data is tested against a
hashed value for a match, this is done by iterating through the set of values
valid for the pepper, and each one in turn is added to the data to be tested
(usually by suffixing it to the data), before the cryptographic hash function
is run on the combined value."

~~~
ameliaquining
The talk page mentions "pepper" having two meanings, both of which are
mentioned in the article. I wasn't familiar with the one that involves brute-
forcing it on every login attempt, and I've never heard of it being used in
production on a real site (whereas a global shared secret seems to be
reasonably common).

~~~
cyphar
> I wasn't familiar with the one that involves brute-forcing it on every login
> attempt, and I've never heard of it being used in production on a real site
> (whereas a global shared secret seems to be reasonably common).

In case you're interested, that is the same scheme as the one used by JoeyH's
keysafe[1].

[1]: [http://joeyh.name/code/keysafe/](http://joeyh.name/code/keysafe/)
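An added illustration of the two points argued over in this sub-thread (it is not Tumblr's, LinkedIn's or keysafe's code, and the usernames, passwords and secrets are constructed): first, that finding several users with an identical hash in a dump rules out a per-user salt but not a site-wide pepper, since a global secret still maps equal passwords to equal hashes; second, what the other sense of "pepper" from the quoted Wikipedia text looks like, a few random bits mixed into each hash, never stored, and brute-forced again at every verification. PBKDF2 is used as the password hash and the iteration count is kept deliberately low so the demo runs quickly.

```python
"""Added illustration for the salt/pepper discussion; not any site's real
hashing scheme. User table, passwords and secrets are constructed."""
import hashlib
import hmac
import os

ITER = 1_000  # PBKDF2 rounds; deliberately low for the demo

# Constructed leaked user table: two users happen to share a password.
USERS = {"diana": "hunter2", "bob": "hunter2", "eve": "correct horse battery"}


def hash_unsalted(pw: str) -> bytes:
    """Plain SHA-1, no salt: equal passwords give equal hashes."""
    return hashlib.sha1(pw.encode()).digest()


def hash_global_pepper(pw: str, pepper: bytes) -> bytes:
    """Meaning 1 of 'pepper': one site-wide secret. Useful against offline
    cracking of the dump, but equal passwords still collide."""
    return hmac.new(pepper, pw.encode(), hashlib.sha256).digest()


def hash_salted(pw: str, salt: bytes) -> bytes:
    """Per-user random salt stored beside the hash: no collisions."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITER)


def make_dump(scheme: str, pepper: bytes = b"site-wide-secret") -> dict:
    """Return {user: (salt, hash)} the way a leaked table would look."""
    rows = {}
    for user, pw in USERS.items():
        if scheme == "unsalted":
            rows[user] = (b"", hash_unsalted(pw))
        elif scheme == "pepper":
            rows[user] = (b"", hash_global_pepper(pw, pepper))
        elif scheme == "salted":
            salt = os.urandom(16)
            rows[user] = (salt, hash_salted(pw, salt))
        else:
            raise ValueError(scheme)
    return rows


def users_sharing_hash(dump: dict, user: str) -> list:
    """The pivot from the article: who else in the dump has this hash?"""
    target = dump[user][1]
    return sorted(u for u, (_, h) in dump.items() if h == target and u != user)


# Meaning 2 of 'pepper' (the Wikipedia text quoted above): a small random
# value mixed into each hash and never stored; verification brute-forces it.
def hash_random_pepper(pw: str, salt: bytes) -> bytes:
    pepper = os.urandom(1)  # 8 unknown bits that never reach the database
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt + pepper, ITER)


def verify_random_pepper(pw: str, salt: bytes, stored: bytes) -> bool:
    for p in range(256):  # try every possible pepper byte
        cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt + bytes([p]), ITER)
        if hmac.compare_digest(cand, stored):
            return True
    return False


if __name__ == "__main__":
    for scheme in ("unsalted", "pepper", "salted"):
        print(scheme, "-> same hash as diana:",
              users_sharing_hash(make_dump(scheme), "diana"))
    salt = os.urandom(16)
    stored = hash_random_pepper("hunter2", salt)
    print("random-pepper verify:", verify_random_pepper("hunter2", salt, stored))
```

The random-pepper variant multiplies the legitimate server's work by up to 2^bits per login, which is why it is rarely seen on large sites; a global secret pepper costs nothing extra, which is why that is the meaning most people assume.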

------
refrigerator
If you liked this, the same guy has also written other stuff in the past -
[https://defaultnamehere.tumblr.com/post/139351766005/graphin...](https://defaultnamehere.tumblr.com/post/139351766005/graphing-when-your-facebook-friends-are-awake)

------
TazeTSchnitzel
An opsec screwup in that post has told me what's possibly the real first name
of “Diana”.

Opsec is hard.

~~~
mihaitodor
He screwed up big time. You can google her tweets :|

------
peterwwillis
So basically we've learned that the best defense to getting hacked is to not
become a target of bored script kiddies, because those bastards are as
ingenious as they are terrible writers.

~~~
fenwick67
Really it's "look at the address bar".

~~~
peterwwillis
Pop quiz: without investigating, is [https://www.capitalonecredit.com/sign-in/](https://www.capitalonecredit.com/sign-in/) a valid URL owned by Capital
One?

Second quiz: Without investigating, can you tell me when this domain expires,
if it is registrar locked, if anyone can purchase this domain once it expires,
what the mechanism used to verify a request for certificate for an existing
domain is, if anyone can use a free TLS certificate service to create a valid
signed site once they own it, and how much time it would take for this to
happen if it was automated?

(spoiler alert: the address bar will not tell you any of this)

~~~
TeMPOraL
> _(spoiler alert: the address bar will not tell you any of this)_

Related: who on the Chrome team had that "bright" idea to dumb down the
website security popup that shows when you click on the padlock next to the
address bar? All the relevant info seems to have moved somewhere to Security
tab in the Chrome Dev Tools...
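What "look at the address bar" actually has to cover, as an added example that is not from the post or this thread: the host is taken from the parsed URL rather than by string matching, so userinfo (`user@host`), hosts hidden in the path, subdomain suffixes and plain-HTTP variants are all rejected. capitalone.com is used as the expected host only because the quiz above mentions it; every URL below is constructed, and the helper deliberately does not try to answer peterwwillis's second question (ownership, expiry, certificate issuance), which no URL check can.

```python
"""Added helper for the 'look at the address bar' point; not from the
post. Expected host and all test URLs are constructed examples."""
from urllib.parse import urlsplit


def is_expected_site(url: str, expected_host: str) -> bool:
    """True only for an https URL whose host is expected_host or a
    subdomain of it. urlsplit().hostname strips userinfo, port and path,
    so none of those can smuggle in a different host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    expected_host = expected_host.lower()
    return host == expected_host or host.endswith("." + expected_host)


# Constructed examples of what a reader has to spot by eye.
CASES = {
    "https://www.capitalone.com/sign-in/": True,
    "https://www.capitalone.com.evil.net/sign-in/": False,  # host is under evil.net
    "https://www.capitalone.com@evil.net/sign-in/": False,  # userinfo trick
    "https://evil.net/https://www.capitalone.com/": False,  # real-looking path
    "https://www.capitaIone.com/sign-in/": False,           # capital I, not l
    "http://www.capitalone.com/sign-in/": False,            # no TLS
    "https://www.capitalonecredit.com/sign-in/": False,     # different domain;
    # whether it is also Capital One's is exactly what the bar can't tell you
}


def check_cases(expected_host: str = "capitalone.com") -> dict:
    """Run every constructed URL through the check."""
    return {url: is_expected_site(url, expected_host) for url in CASES}


if __name__ == "__main__":
    for url, ok in check_cases().items():
        print(("OK   " if ok else "NOPE ") + url)
```

A browser does the hostname extraction for you, but only the extracted host counts: the last case fails the check not because it is necessarily malicious but because nothing in the URL ties capitalonecredit.com to capitalone.com.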

------
mihaitodor
Google cache is unforgiving:
[https://webcache.googleusercontent.com/search?q=cache:RzU97r...](https://webcache.googleusercontent.com/search?q=cache:RzU97rMfqbQJ:https://twitter.com/i/moments/885059758667051009+&cd=1&hl=en&ct=clnk&gl=us)

------
djvdorp
This has gotta be the funniest blogpost in years, yet so legit that it makes
one sad how easy it is to pull this off.

------
amai
Reminds me strongly of the hacking as shown in
[https://en.wikipedia.org/wiki/Mr._Robot_%28TV_series%29](https://en.wikipedia.org/wiki/Mr._Robot_%28TV_series%29)

------
cypher303
Hey, I use inspect! I've run untrusted code every computing day of my life, so
I guess that makes me a script kiddie. My advice, keep on script kiddie'ing,
because it will definitely pay off.

------
h2onock
I really enjoyed this despite it being veeeeeeerry long, nice work!

------
rlglwx
Even with her permission he is still breaking the law. Unlawful access to a
system is not the user's prerogative but the system operator's.

------
nsnick
So phishing? He did it with phishing.

------
cwkoss
I hope they tried '3ertyui'.

------
AJRF
VZerbst

------
kutkloon7
I don't know if I'm in an especially good mood today, but it's quite a while
ago I read something that I found as amusing as this.

I'm actually really impressed by the phishing approach.

------
trustworthy
Well I enjoyed reading it, a little bit too much cringe, but still interesting
article!

------
megamindbrian
I like the personality here.

------
saae
It is just… great. Did you write that as it happened? It really unfolds like a
novel.

------
jchw
This has been posted 3 times in the past 24 hours. And so has the last thing
this person has posted.

------
callesgg
Can't help it but I find the article kind of creepy.

Is he hacking her cause of romantic interests?

Is he hacking her for the thrill?

Is he hacking her to be able to write the article?

Is he hacking her to show her that he can?, or to show her that it is
possible, or to show her the world she is living in?

~~~
Raphmedia
"I’m [...] with my friend Diana. [...] I ask her if it would be okay for me to
try and hack all her stuff. She’s instantly visibly excited. I explain how
this could result in me seeing everything she’s ever put on a computer ever.
She tells me she thinks this is going to be “so good”. "

~~~
callesgg
"I ask her if it would be okay for me to try and hack all her stuff."

Why would he ask that? It is strange.

It is also strange how he tries to trivialize what he is doing. From his
perspective it is trivial, but for some people it will not be trivial, why
would he write an article about something that he believes is generically
trivial. Another alternative is that he does not understand that it might not
be trivial to some people.

I did read the article... just quoting is probably not going to answer my
question.

~~~
Raphmedia
> Why would he ask that? It is strange.

To make a blog post about it.

His blog title is _The hacker known as "Alex"_ and his previous articles are
similar to this one.

See a discussion about one of his previous articles
[https://news.ycombinator.com/item?id=11130688](https://news.ycombinator.com/item?id=11130688)

------
tomxor
Hacked? Cool, so what new unintended abilities has your friend gained?... Yes,
I'm futilely rejecting the twisted definition perpetuated by the media and co.

------
westmeal
The part that perturbed me the most about his account is he didn't even
backtrace the IP floppy disk log via the DHCP authenication backtrace. It's a
rookie mistake, but so is misspelling 'nothin personnel kid'.

