Re: [Full-disclosure] Using Twitter for Phishing Campaign / Spam / Followers?
- To: Cal Leeming <cal@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Using Twitter for Phishing Campaign / Spam / Followers?
- From: huj huj huj <datskihuj@xxxxxxxxx>
- Date: Mon, 21 Mar 2011 13:32:05 +0100
decaptcher doesn't use OCR though
they use the Indian workforce
not sure about deathbycaptcha but I think it's the same principle
2011/3/18 Cal Leeming <cal@xxxxxxxxxxxxxxxx>
> Lol, I didn't know about the commercial product 'decaptcher'.
>
> For shits and giggles, I was going to write a decaptcha myself and release
> as open source, never had time though :S
>
> One option would be to apply rate limitations to API calls per IP.
>
> Or, possibly some reallllllllly heavily obfuscated JS which does key
> calculation with a matching server side algo, and injects the value into the
> form upon submission. This is one of the methods we use on our paid adult
> sites. Unless the person is really determined (and has the patience to
> deobfuscate, then port to their own code), or their bots have spidermonkey
> built in, then it usually fends off most botters.
>
> To make it harder, we also have a library of about 500 of these (each with
> a different key build algo), which are cycled automatically lol.
>
> Example:
>
> $(function() { var
> _0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
> var
> _0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
> });
>
> Again, not perfect, but it's worked well for us :)
>
>
> On Fri, Mar 18, 2011 at 3:58 PM, huj huj huj <datskihuj@xxxxxxxxx> wrote:
>
>> with services like decaptcher and deathbycaptcha this would not be a
>> hindrance anyway
>>
>> 2011/3/15 Cal Leeming <cal@xxxxxxxxxxxxxxxx>
>>
>>> Agreed. These public API methods should have brute force protection at
>>> the very least. But, because they want instant in-line form validation for
>>> email address availability, this makes it difficult. In an ideal world,
>>> they'd have a CAPTCHA on the form, and only validate upon submit with valid
>>> captcha.
>>>
>>>
>>> On Tue, Mar 15, 2011 at 3:02 PM, Reverse Skills <contact@xxxxxxxxxxxxxxxxx> wrote:
>>>
>>>> The problem is to allow unlimited access to that resource, not the
>>>> resource itself.
>>>>
>>>> 2011/3/15 Cal Leeming <cal@xxxxxxxxxxxxxxxx>:
>>>> > This conceptual flaw exists in most web apps which have a "reset
>>>> > password by email address" feature, as most will display an error if the
>>>> > email address does not exist in their database.
>>>> >
>>>> > On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills <contact@xxxxxxxxxxxxxxxxx> wrote:
>>>> >>
>>>> >> Simple and easy way to get a list of email accounts used on Twitter.
>>>> >> For Phishing campaigns, custom Spam...
>>>> >>
>>>> >> Twitter has been notified and I suppose it will someday be fixed if they
>>>> >> think it should be filtered.
>>>> >>
>>>> >> When you create a new Twitter account, the form requests a mailing
>>>> >> address. Twitter verifies that the email account is not being used, but
>>>> >> does not check any user token or limit the usage (captcha/block).
>>>> >>
>>>> >> https://twitter.com/signup ->
>>>> >> http://twitter.com/users/email_available?email=
>>>> >>
>>>> >> We just need to automate it with a simple script. ***Everything you
>>>> >> do will be your responsibility***
>>>> >> -------------------
>>>> >> #!/usr/bin/python
>>>> >> import sys, json, urllib2
>>>> >>
>>>> >> f = urllib2.urlopen("http://twitter.com/users/email_available?email=" + sys.argv[1])
>>>> >> data = json.load(f)
>>>> >>
>>>> >> def valid():
>>>> >>     # the reply carries this message when the address is already registered
>>>> >>     return "Email has already been taken" in data["msg"]
>>>> >> -------------------
>>>> >>
>>>> >> We just need a list of users to test.. for example:
>>>> >> http://twitter.com/about/employees (don't be evil is just an
>>>> >> example!)
>>>> >> Parsing the name/nickname and testing {user}@twitter.com, a few
>>>> >> minutes later we have a list of ~400 valid internal email addresses
>>>> >> *@twitter.com. An attacker could probably run a brute force attack
>>>> >> (Google Apps), send Phishing or try to exploit some browser bugs
>>>> >> or similar. #Aurora #Google. Most of these e-mails are internal, not
>>>> >> public..
>>>> >> There are also some that make you think they are used for such
>>>> >> A-Directory system users:
>>>> >> ..
>>>> >> apache@xxxxxxxxxxx
>>>> >> root@xxxxxxxxxxx
>>>> >> mail@xxxxxxxxxxx
>>>> >> ..
>>>> >>
>>>> >> But, if you download a database (Rockyou / Singles.org / Gawker /
>>>> >> Rootkit.com) or just typical dictionaries and domains, it will be quite
>>>> >> easy to get hold of a list of users large enough (*@hotmail.com,
>>>> >> *@gmail.com, etc). For example, in my case I used it to find user
>>>> >> accounts in a pentest of a company that used Twitter. But it is probably
>>>> >> not a good idea to allow unlimited access; a malicious user could use
>>>> >> these user lists for Spam or Phishing.
>>>> >>
>>>> >> --
>>>> >> Security Researcher
>>>> >> http://twitter.com/revskills
>>>> >> --
>>>> >>
>>>> >> _______________________________________________
>>>> >> Full-Disclosure - We believe in it.
>>>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> >> Hosted and sponsored by Secunia - http://secunia.com/
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>> --
>>>> Security Researcher
>>>> http://twitter.com/revskills
>>>> --
>>>>
>>>
>>>
>>>
>>
>>
>
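The per-IP rate limit that Cal Leeming suggests for the availability API, worked through as an added illustration; this is not code from any poster in the thread. It puts a token-bucket limiter in front of a hypothetical `email_available` handler: below the limit the handler answers the in-line taken/available question the thread describes, above it the handler stops answering at all, so a burst of checks from one address cannot be used to walk a list of candidate emails. The registered addresses, client IPs, bucket size and refill rate are all constructed for the demo.

```python
"""Per-IP token-bucket rate limiting for an in-line email-availability check.

Added illustration, not code from the thread. `REGISTERED`, the client IPs,
the bucket capacity and the refill rate are constructed sample values.
"""
import time

# Constructed stand-in for the real user table.
REGISTERED = {"alice@example.com", "bob@example.com"}


class TokenBucket:
    """Classic token bucket: `capacity` tokens per key, refilled at `rate` tokens/sec.

    `now` is injectable so the behaviour can be driven with a fake clock.
    """

    def __init__(self, capacity, rate, now=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.now = now
        self.buckets = {}  # client key -> (tokens_remaining, last_refill_timestamp)

    def allow(self, key):
        t = self.now()
        tokens, last = self.buckets.get(key, (self.capacity, t))
        # Refill proportionally to elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (t - last) * self.rate)
        if tokens < 1:
            self.buckets[key] = (tokens, t)
            return False
        self.buckets[key] = (tokens - 1, t)
        return True


def email_available(client_ip, email, limiter):
    """Hypothetical handler returning a dict shaped like a JSON reply.

    Past the limit it returns 429 and says nothing about the address, which
    is the property that matters: the caller learns neither "taken" nor
    "available" once it is hammering the endpoint.
    """
    if not limiter.allow(client_ip):
        return {"valid": None, "msg": "Too many requests; try again later.", "status": 429}
    if email.lower() in REGISTERED:
        return {"valid": False, "msg": "Email has already been taken", "status": 200}
    return {"valid": True, "msg": "Available", "status": 200}


def simulate_burst(n, capacity=10, rate=1.0):
    """Fire n checks from one constructed IP against a fake clock.

    Returns (answered_in_burst, answered_after_5s_wait): how many requests got
    a real 200 answer during the burst, and how many more succeed after the
    clock advances five seconds (five tokens refill at 1 token/sec).
    """
    clock = [1000.0]
    limiter = TokenBucket(capacity, rate, now=lambda: clock[0])
    ip = "203.0.113.7"  # constructed client address

    answered = 0
    for i in range(n):
        if email_available(ip, "user%d@example.com" % i, limiter)["status"] == 200:
            answered += 1

    clock[0] += 5.0
    after_wait = 0
    for i in range(10):
        if email_available(ip, "retry%d@example.com" % i, limiter)["status"] == 200:
            after_wait += 1
    return answered, after_wait


if __name__ == "__main__":
    print(simulate_burst(50))  # (10, 5): 10 answered in the burst, 5 more after the wait
```

The bucket is keyed on the client address because that is the signal the thread proposes; in practice the same limiter can be keyed on a session or signed form token as well, which is what the "only validate upon submit with a valid captcha" suggestion amounts to. The 429 reply deliberately carries no hint about the address, since a rate-limited response that still distinguished taken from available would leak exactly what the limit is meant to protect.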