[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Using Twitter for Phishing Campaign / Spam / Followers?
- To: huj huj huj <datskihuj@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Using Twitter for Phishing Campaign / Spam / Followers?
- From: Cal Leeming <cal@xxxxxxxxxxxxxxxx>
- Date: Mon, 21 Mar 2011 17:50:45 +0000
Yeah, just noticed that. Soon as I get some spare time, I'll prob have a
shot at making one. It'd be interesting to know what the success rate /
latency / concurrency / hours of availability are when using decaptcher (due
to it being human based), I can't imagine it'd be very good :S
On Mon, Mar 21, 2011 at 12:32 PM, huj huj huj <datskihuj@xxxxxxxxx> wrote:
> decapther doesn't use ocr though
> they use the indian workforce
>
> not sure about deathbycaptcha but i think its the same principle
>
> 2011/3/18 Cal Leeming <cal@xxxxxxxxxxxxxxxx>
>
>> Lol, I didn't know about the commercial product 'decaptcher'.
>>
>> For shits and giggles, I was going to write a decaptcha myself and release
>> as open source, never had time though :S
>>
>> One option would be to apply rate limitations to API calls per IP.
>>
>> Or, possibly some reallllllllly heavily obfuscated JS which does key
>> calculation with a matching server side algo, and injects the value into the
>> form upon submission. This is one of the methods we use on our paid adult
>> sites. Unless the person is really determined (and has the patience to
>> deobfuscate, then port to their own code), or their bots have spidermonkey
>> built in, then it usually fends off most botters.
>>
>> To make it harder, we also have a library of about 500 of these (each with
>> a different key build algo), which are cycled automatically lol.
>>
>> Example:
>>
>> $(function() { var
>> _0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
>> var
>> _0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
>> });
>>
>> Again, not perfect, but it's worked well for us :)
>>
>>
>> On Fri, Mar 18, 2011 at 3:58 PM, huj huj huj <datskihuj@xxxxxxxxx> wrote:
>>
>>> with services like decaptcher and deathbycaptcha this would not be a
>>> hindrance anyway
>>>
>>> 2011/3/15 Cal Leeming <cal@xxxxxxxxxxxxxxxx>
>>>
>>>> Agreed. These public API methods should have brute force protection at
>>>> the very least. But, because they want instant in-line form validation for
>>>> email address availability, this makes it difficult. In an ideal world,
>>>> they'd have a CAPTCHA on the form, and only validate upon submit with
>>>> valid
>>>> captcha.
>>>>
>>>>
>>>> On Tue, Mar 15, 2011 at 3:02 PM, Reverse Skills <
>>>> contact@xxxxxxxxxxxxxxxxx> wrote:
>>>>
>>>>> The problem is to allow unlimited access to that resource, not the
>>>>> resource itself.
>>>>>
>>>>> 2011/3/15 Cal Leeming <cal@xxxxxxxxxxxxxxxx>:
>>>>> > This conceptual flaw exists in most web apps which have a "reset
>>>>> password by
>>>>> > email address" feature, as most will display an error if the email
>>>>> address
>>>>> > does not exist in their database.
>>>>> >
>>>>> > On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills <
>>>>> contact@xxxxxxxxxxxxxxxxx>
>>>>> > wrote:
>>>>> >>
>>>>> >> Simple and easy way to get a list of email accounts used on Twitter.
>>>>> >> For Phishing campaigns, custom Spam...
>>>>> >>
>>>>> >> Twitter has been notified and I suppose someday be fixed if they
>>>>> think
>>>>> >> there should be filtered.
>>>>> >>
>>>>> >> When you create a new Twitter account, the form requesting a mailing
>>>>> >> address. Twitter verify that the email account is not being used,
>>>>> but
>>>>> >> does not check any user token or limit the usage (captcha/block).
>>>>> >>
>>>>> >> https://twitter.com/signup ->
>>>>> >> http://twitter.com/users/email_available?email=
>>>>> >>
>>>>> >> We just need to automate it with a simple script , ***Everything you
>>>>> >> do will be your responsibility***
>>>>> >> -------------------
>>>>> >> #!/usr/bin/python
>>>>> >> import sys, json, urllib2, os
>>>>> >>
>>>>> >> f =
>>>>> >> urllib2.urlopen("http://twitter.com/users/email_available?email=
>>>>> "+sys.argv[1])
>>>>> >> data = json.load(f)
>>>>> >> def valid()
>>>>> >> ..
>>>>> >> Email has already been taken" in data ["msg"] <-- reply
>>>>> >> ..
>>>>> >> -------------------
>>>>> >>
>>>>> >> We just need a list of users to test.. for example :
>>>>> >> http://twitter.com/about/employees (don't be evil is just an
>>>>> >> example!)
>>>>> >> Parsing the name/nickname and testing the {user}@twitter.com a few
>>>>> >> minutes later we have a list of ~ 400 valid internal email
>>>>> >> *@twitter.com. An attacker could probably.. a brute force attack
>>>>> >> (Google Apps), would send Phishing or try to exploit some browser
>>>>> bugs
>>>>> >> or similar. #Aurora #Google. Most of these e-mail are internal, not
>>>>> >> public..
>>>>> >> There are also some that make you think they are used to such
>>>>> >> A-Directory system users :
>>>>> >> ..
>>>>> >> apache@xxxxxxxxxxx
>>>>> >> root@xxxxxxxxxxx
>>>>> >> mail@xxxxxxxxxxx
>>>>> >> ..
>>>>> >>
>>>>> >> But, if you download a database Rockyou / Singles.org / Gawker /
>>>>> >> Rootkit.com or just a typical dictionaries and domains will be quite
>>>>> >> easy to get hold of a list of users large enough (*@hotmail.com,
>>>>> >> *@gmail.com, etc).For example in my case I used to find user
>>>>> accounts
>>>>> >> in a pentest of a company that used Twitter. But probably not a good
>>>>> >> idea to allow unlimited access, a malicious user could use these
>>>>> user
>>>>> >> lists for Spam or Phishing.
>>>>> >>
>>>>> >> --
>>>>> >> Security Researcher
>>>>> >> http://twitter.com/revskills
>>>>> >> --
>>>>> >>
>>>>> >> _______________________________________________
>>>>> >> Full-Disclosure - We believe in it.
>>>>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> >> Hosted and sponsored by Secunia - http://secunia.com/
>>>>> >
>>>>> >
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> --
>>>>> Security Researcher
>>>>> http://twitter.com/revskills
>>>>> --
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/