Phishing Disruption Guide
#1
Disrupting Phishing Operations
I was looking for an interesting project the other day and remembered a YouTube video I had watched. In the video a guy found a phishing page trying to get Amazon login details. He then coded a program in Python that would send fake logins to the site to clutter up the logs with the fake accounts. The phishers would have to determine which logins were actual people getting tricked, and which ones were the program. I found this pretty inspiring. It's not illegal to log in to a phishing page, and you're doing the internet a favor by sabotaging the phishers' site. The program this guy made was nice, but it could be better in a few ways. Firstly, the format of the email addresses it was sending lacked variety. Second, the program was only sending about one login every 2-5 seconds, which would still be a pain for the phishers. So I decided to make my own program. I'll post the code at the bottom of this thread and on a pastebin.
Step 1 Finding a phishing site
This was simple enough. The video showed the guy searching PhishTank to find the phishing site. So I did the same. Here's the link to PhishTank: hxxps://phishtank.com (replace the x's with t's). I found a few good candidates pretty quickly.
Step 2 Analyzing the site
Now I just had to find out where the login request was being sent to and what the format was. I use Firefox, so I pulled up Menu > Web Developer > Network. Then I logged into the phishing site with some fake credentials. Usually when you're logging into a site, the credentials are sent to the site in an HTTP POST request. Sure enough, the first request after I logged in was an HTTP POST. The POST data had two fields: an email field and a password field. This was almost too easy. I copied the URL the POST request was sent to and got to work coding.
Step 3 Coding the tool
I decided to code the tool in Python 3. I would need a few modules: requests, json, random, and threading. requests for sending the HTTP requests (could've used urllib.request too, but thought I'd try a module I haven't used before), json for accessing the lists of names and passwords (probably not totally necessary, but working with JSON in Python is really easy), random for getting random numbers to use in the fake email addresses, and threading so we can be doing multiple requests at a time. The rest was pretty trivial. Some minor bugs popped up, mainly because of me. But the tool was done in well under an hour. I also needed some data for creating emails and passwords. I used the names list and the 500 worst passwords list for emails and usernames: https://github.com/danielmiessler/SecLists/
Step 4 Attacking the phishing site
Now it was time to test. I made the tool print out every email/password combo it sent and the total number of requests it had sent. The tool started out with 8 threads. It worked perfectly. Unfortunately it also sent the requests so fast I couldn't read the output lol. So I throttled it back to 4ish threads and it still went pretty fast, but I could also read the output. It sent several requests a second at this point. On the first site I got in several thousand requests in less than 10 minutes. I stopped it a few times to change the thread count, but several times it got up in the thousands of login requests. In total it sent the first site around 10,000 logins. The last few minutes the program started throwing exceptions. This was actually a good thing however, because the server was straight up denying any more connections from me (web servers usually have a maximum number of allowed connections per client). So I just stopped it for a minute and dialed back the thread count. If I recall correctly, the site started acting like the phishing page didn't exist anymore, even if I tried to go to it in my browser. Whether it was some countermeasure on the phishers' end, or I really messed up the site, I'm not sure.
Round 2...
So now that the tool was working well, I tried it out on a new phishing site. I had to modify the tool slightly because the request was obviously going to go somewhere different and the POST request was slightly different. This attack went more or less like the second one. The requests got into the 10,000ish range. But around 10-15 minutes in, the website started replying to any requests with an HTTP 404 Not Found. I tried browsing to the site in my browser. Same deal. I waited a few minutes and tried the tool again. The site still responded with 404 Not Found.
Post operation analysis
Although this attack is effective, it isn't perfect. There are a few ways the phishers could identify which logins were fake, depending on how much information they have available to them.
User Agent
If they have access to the HTTP logs, they could just see what user agent the requests have (they were all the same). It would be fairly easy to pick out because the requests module uses a user agent you won't see much in normal browsers. Granted, I could also just have my program use random legitimate browser user agents. That might be a good addition to the program.
IP Address
I didn't attempt to hide my IP address. So again, if the phishers had access to and knew to look in the HTTP logs, they could just remove any credentials that came from my IP. This is also something I could work around. For one, if other people start using the tool, their IP will be different. I could also run the tool over Tor or a proxy, but I wouldn't want to overload a proxy or Tor, so I'd prefer not to do this. Another option is using a VPS/server to run the tool on. AWS has a free tier VPS you can get pretty easily. Since I didn't hide my IP, I may have retribution from the phishers to worry about. But I'll cross that bridge when I get there. And if they do retaliate somehow, then I'll know my attack was effective.
Time
The requests all came in the same 10-20 minute window. So the phishers could just scrap all credentials gathered in that time period. But they do run the risk of deleting any actual victims' creds. A way around this particular countermeasure is to randomize the times the requests come in and space out the requests over a longer period of time.
Email Format
I did a decent job of making the email format varied. But it is possible to find the general format the emails are in and remove ones that match. Of course, many victims probably have emails in those formats too, so it's not completely effective. Besides, it's easy for me to work around this: just make the email formats more varied.
Passwords
The passwords came from a wordlist. So if the phishers just removed logins that had passwords they determined to be from me, that could somewhat help. It runs into a similar problem as the email format however. 1) The actual victims may have the same passwords. 2) I can just get more passwords XD.
The code is on pastebin: https://pastebin.com/NkzxuYk6
Reply
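The signals listed under "Post operation analysis" (one source IP, a tight time window, a library User-Agent) are the same ones a site operator uses to spot scripted submissions to any login form. As an added example, not code from the post or its pastebin, this Python snippet runs the burst and User-Agent checks over a few constructed access-log lines (hypothetical IPs, path and User-Agents; the thresholds are illustrative).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache/nginx "combined" format (hypothetical IPs, path, UAs).
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2020:08:00:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "python-requests/2.23.0"
203.0.113.7 - - [15/May/2020:08:00:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "python-requests/2.23.0"
203.0.113.7 - - [15/May/2020:08:00:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "python-requests/2.23.0"
203.0.113.7 - - [15/May/2020:08:00:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "python-requests/2.23.0"
198.51.100.20 - - [15/May/2020:08:00:05 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/76.0"
198.51.100.20 - - [15/May/2020:08:03:41 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/76.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Default User-Agents of common HTTP libraries; interactive browsers do not send these.
TOOL_UA_PREFIXES = ("python-requests/", "curl/", "python-urllib/", "go-http-client/")

def parse(line):
    # One combined-format line -> dict with a timezone-aware timestamp, or None.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_automated_logins(log_text, login_path="/login.php", window_s=60, max_per_window=3):
    """Return {ip: [reasons]} for clients whose POSTs to login_path look scripted: more
    than max_per_window submissions in any window_s seconds, or a non-browser User-Agent."""
    posts, uas = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append(rec["ts"])
            uas[rec["ip"]].add(rec["ua"])
    flagged = {}
    for ip, times in posts.items():
        reasons, times, start = [], sorted(times), 0
        for end, t in enumerate(times):            # sliding window over timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_per_window:   # too many logins inside the window
                reasons.append(f"burst: >{max_per_window} logins in {window_s}s")
                break
        if any(ua.startswith(TOOL_UA_PREFIXES) for ua in uas[ip]):
            reasons.append("non-browser User-Agent")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Running `flag_automated_logins(SAMPLE_LOG)` flags only 203.0.113.7, on both counts; the single Firefox submission from 198.51.100.20 passes, which is exactly the gap the post describes (a filter strict enough to catch everything also discards real victims).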
#2
(05-15-2020, 08:22 AM)D!CE9090 Wrote: PhisherFucker, LOL!

Hey, thank you. At least we know others are sick of these script kiddies that can't find legit work.
 
No problem, I'm glad you liked it. I mean most phishers/scammers don't expect to be attacked, so I can understand why they wouldn't implement any checks. Besides, how do you even decide if your illegitimate site is being logged into legitimately? If they try to sanitize anything, they might filter out actual victims. I suppose they could do something CAPTCHA-like. But what phisher thinks someone is going to attack their phishing site? The phishers think they are the hunters. That's not always the case >:)
 
Can't wait to see your "strategy." Sounds interesting.
Reply
#3
Here is some great information:
https://resources.infosecinstitute.com/a...hers/#gref
Reply
#4
(05-16-2020, 01:39 AM)D!CE9090 Wrote: Here is some great information:
https://resources.infosecinstitute.com/a...hers/#gref
 
Great. Thanks for the share.
Edit: oh and thanks for deleting your posts and making it look like I'm talking to myself lol
Reply
#5
Lmao! I totally was thinking.. "he's gonna say something" hahaha

"Leave no trace." Old habits..
Reply
#6
(05-16-2020, 11:53 PM)D!CE9090 Wrote: Lmao! I totally was thinking.. "he's gonna say something" hahaha

"Leave no trace." Old habits..
 
No trace except for me quoting you... Wink
Reply