Geekblok

B10m, BOK, Joffie - old geeks on a blog

Poisoning the phishing pool

15 December, 2007 (13:56) | attacks, technical | By: B10m

I can’t stand phishing, so when someone sent me a link to “log in” today, I decided to poison the phishing pool. The site in question (hopefully disabled by now) asked for my Yahoo! account info.

So how do you poison the phishing pool? Quite easy! Just send the phisher a lot of false data, so much that the real data of the poor victims is harder to filter out. Luckily, with Perl it’s quite easy to do so.

First, let’s look at the page. It looks like a Flickr login screen, but if you scan the source, you’ll see that the form isn’t being submitted to Flickr/Yahoo!, but to a mailto.cgi at www2.fiberbit.net. The source even shows where the mails are being forwarded to (the_kontrak@yahoo.com). After tweaking the page a little on my own server, I found out that the mailto.cgi script sends out a mail with the login info, as well as the HTTP_REFERER, IP address and browser information. So in order to fake our information we need to spoof everything.
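The tell-tale described above (a brand-lookalike login page whose form posts credentials to a third-party mail relay, with the destination mailbox sitting in a hidden field) is easy to check for mechanically. Here is an added example of such a check, not part of the original post; the hostnames, mailbox and HTML are constructed to resemble the page described, and the heuristics are mine.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

class FormCollector(HTMLParser):
    """Collect every <form> with its action and the attributes of its <input>s."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes come through as None
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append(a)
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def suspicious_forms(page_url, html):
    """Flag password forms posting to another host, and hidden fields holding an e-mail address."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for form in parser.forms:
        inputs = form["inputs"]
        if not any((i.get("type") or "").lower() == "password" for i in inputs):
            continue  # not a credential form, nothing to judge
        action = urljoin(page_url, form["action"])  # empty action resolves to the page itself
        reasons = []
        if urlsplit(action).hostname != page_host:
            reasons.append("credentials posted off-site to " + str(urlsplit(action).hostname))
        for i in inputs:
            if (i.get("type") or "").lower() == "hidden" and EMAIL_RE.fullmatch(i.get("value") or ""):
                reasons.append(f"hidden field {i.get('name')} is an e-mail address (form-to-mail relay)")
        if reasons:
            findings.append({"action": action, "reasons": reasons})
    return findings

# Constructed sample (not the real page): a Flickr-looking sign-in form whose
# action is a third-party mailto.cgi relaying the submission to a mailbox.
SAMPLE_URL = "http://album.example.net/Album_Photo.html"
SAMPLE_HTML = """<html><body><h1>Sign in to Flickr</h1>
<form method="post" action="http://relay.example.org/form/mailto.cgi">
<input type="hidden" name="Mail_To" value="collector@example.com">
<input type="text" name="login"><input type="password" name="passwd"><input type="submit" value="Sign In"></form></body></html>"""
```

Running `suspicious_forms(SAMPLE_URL, SAMPLE_HTML)` reports both the off-site action and the hidden mailbox; a same-site form with no e-mail in its hidden fields yields an empty list.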

What needs to be done?
  1. Generate usernames
  2. Generate passwords
  3. Spoof referrer
  4. Spoof IP address
  5. Spoof browser information
The last three are all done at LWP::UserAgent level, so let’s look at the generation part first.

Yahoo! usernames usually contain some name and a rather pointless number. For this, we need names. Behind The Name offers random names, so let’s use that. As for passwords, let’s just go the easy way: Text::Password::Pronounceable.

The referrer and browser info are all decided at the client’s side, so claiming to be a MS Windows machine with Internet Explorer 6 and coming from the “evil form” isn’t so hard. Since the IP address is also being passed on to the attacker, we’ll use proxies. PublicProxyServers.com is a good place to start.

Here’s the script I’m using to spam the attacker (yes, I am a spammer now, *shrug*):

use strict;
use warnings;
use LWP::UserAgent;
use Parallel::ForkManager;
use Text::Password::Pronounceable;

# Set up a ForkManager to speed things up a little
my $pm = Parallel::ForkManager->new(15);

# Create the user agent object
my $ua = LWP::UserAgent->new;

# Yes sir! We're MSIE!
$ua->agent('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)');

# Populate the proxy array (one URL per line after __DATA__)
my @proxies = map { chomp; $_ } (<DATA>);

while (1) {
   my $pid = $pm->start and next;

   # Sorry behindthename.com! Don't want to hammer your server,
   # but have no other option :-S
   my $html = $ua->get('http://www.behindthename.com/random/random.php?'.
                       'number=2&gender=m&surname=&all=no&'.
                       'usage_dut=1&usage_eng=1');
   if ($html->content =~ m!<font class="heavymedium">(.+?)</font>!s) {
      # Now we have the name with HTML crap in it
      my $name = $1;

      # Strip the HTML (horrible way; don't want to use an HTML parser)
      $name =~ s!<[^>]+>!!g;

      # Strip leading/trailing whitespace, collapse the rest
      $name =~ s!^\s*!!;
      $name =~ s!\s*$!!;
      $name =~ s!\s+! !g;

      # Lowercase the stuff
      $name = lc($name);

      # Include a random number ... sometimes
      $name .= int(rand(3000)) if (int(rand(10)) % 2 == 0);

      # Strip or substitute spaces
      if (int(rand(10)) % 2 == 0) {
         $name =~ s!\s!_!g;
      } else {
         $name =~ s!\s!!g;
      }

      # Generate a password
      my $password = Text::Password::Pronounceable->generate(6, 20);

      # And we have our Yahoo! username and password handy.
      # Let's print it, so we can see what we're submitting
      print "Working with $name/$password\n";

      # Random proxy (scalar element, not an array slice)
      my $proxy = $proxies[int(rand(@proxies))];

      # And post it to our evil mail script
      $ua->default_header('Referer' =>
         'http://www.geocities.com/klenthing/Album_Photo.html');
      $ua->proxy(['http', 'ftp'], $proxy);
      $ua->post('http://www2.fiberbit.net/form/mailto.cgi', {
         Mail_From      => 'Yahoo',
         Mail_To        => 'the_kontrak@yahoo.com',
         Mail_Subject   => 'New-ID-S',
         Next_Page      => 'http://www.geocities.com/bobs_new_fl_mail/',
         login          => $name,
         passwd         => $password,
      });
   }

   # Every child must finish, also when no name was found,
   # otherwise it would loop on and fork children of its own
   $pm->finish;
}

# Proxies taken from http://www.publicproxyservers.com/
__DATA__
http://213.209.104.8:3128/
http://200.26.114.131:3128/
... etc. ...

This seems to work fairly well. The output looks something like this:

Working with danedenholm/thobor
Working with marijn_emery/tbthacthesthavicel
Working with chancemelville2274/cprorrryinses
Working with freek_alexander/agipromesmen
Working with ulysses_cairo106/visolealomb
Working with king_meino/simeiajailengbatofo
Working with dillon_louie1755/theolhfortl
Working with tony_geordie1850/wioashon
Working with garrettwalker/thsedess
Working with wilfanselm2654/hetithin
Working with ianindigo339/terdosasermssven
Working with bryce_andy1101/thalsongave
Working with christiaan_booker/inheesovep
Working with harrison_travers2653/thextrevilau
Working with joe_merv1305/titherbathesenge

And of course it’ll run forever (meaning, until you stop it or until Perl decides the value '1' isn’t ‘true’ anymore).

Now the attacker’s mailbox is being flooded with false data. Hopefully so much that he’ll give up trying the submitted credentials.

For more effect, listen to the melodramatic black metal of Drudkh while running this script. Seriously, it makes it so much more fun.

Comments

Comment from Denko
Time: December 15, 2007, 3:45 pm

The page (which is still functioning, apparently) certainly would have fooled me. So diabolical. But thanks to your advice, I can now have the fun of tapping into my own dark side to fight an even darker side. Evil has never been so fun!

I’m gonna link to this site - it’s quite a find.

Comment from BOK
Time: December 15, 2007, 4:00 pm

That’s a nice weekend project, b10m, but something like this already exists at PhishFighting.com: http://www.phishfighting.com/

Comment from Blom
Time: December 15, 2007, 4:25 pm

Fun, BOK, yet it sends email addresses, not Y! usernames. Besides, my script poisons the pool a little faster ;-)

Nevertheless, thanks for sharing the URL!

Comment from Joffie
Time: December 15, 2007, 5:05 pm

Cool trick! I like the idea a lot.

Comment from bok.myopenid.com
Time: December 18, 2007, 3:23 pm

Didn’t check last Sunday and Monday, the site was still there on Saturday the 15th, but now it’s gone! ;-)
