Re: [FD] Legitimacy of new Heartbleed exploit?

[Ivan Kwiatkowski <ivan@xxxxxxxxxxxxxx>]

I've just had a little fun with the author(s) of this scam.

After reading the first e-mail in this thread, I decided to write to the 
SafeMail address in case I could get some more information. I received a reply 
very quickly (kudos for professionalism), and was assured that 7 people had 
already purchased the exploit. I acted like I was interested but still 
suspicious, and the scammer agreed to demonstrate the exploit on a server I 
controlled, apparently oblivious to the fact that I would be running Wireshark 
just in case.

What ensued was actually funny. First, s/he sent back a fake heartbleed dump. I 
know it was fake, because the scammer had made a mistake in the URL. So I told 
him/her to try again. I received another dump. Evidently, it was forged as 
well: the raw bytes and the ascii dump didn't even match. Here's an excerpt 
from what I received:

0110: 20 68 74 74 70 73 3A 2F 2F 69 6E 73 74 61 6E 74   https://blog.kw
0120: 2D 65 2E 63 6F 6D 2F 69 6E 64 65 78 2E 70 68 70   iatkowski.fr/..

(The bytes actually translate to this:)

0110: 20 68 74 74 70 73 3A 2F 2F 69 6E 73 74 61 6E 74    https://instant
0120: 2D 65 2E 63 6F 6D 2F 69 6E 64 65 78 2E 70 68 70   -e.com/index.php

Finally, I called the scammer on that and s/he decided s/he didn't want to play 
anymore.
I was hoping to find an IP address in the mail headers, but I got Tor exit 
nodes every time :(

So yeah, if anyone was still wondering whether the exploit was legit or not... 
Now we know.
I'd like to add that whenever one stumbles on an obvious scam, the civic thing 
to do is to act like you buy it. Rationale: scammers don't have the time to 
separate legitimate mugus from the ones who just pretend. Their business model 
relies on the fact that only gullible people will reply. Now were they spammed 
back, their workload would increase so much that scamming wouldn't be a 
profitable activity anymore.

Food for thought.

Ivan

----- Original Message -----
From: "david switzer" <david.e.switzer@xxxxxxxxx>
To: "H. Dong" <julius.kivimaki@xxxxxxxxx>
Cc: fulldisclosure@xxxxxxxxxxxx
Sent: Friday, April 25, 2014 11:21:07 PM
Subject: Re: [FD] Legitimacy of new Heartbleed exploit?

Even moreso when you see the account that the money is being funneled into:

https://blockchain.info/address/16R14EH4v8A9GPXkAAP8gcMFBA8oxA8nbY

215,637.634057  * 482.60 (current Camp BX rate) = 104066722.195

104 mil.. they've had alot of different scams going besides this, I'm
guessing.... dang we're in the wrong line of "work" ;)



On Fri, Apr 25, 2014 at 3:29 PM, H. Dong <julius.kivimaki@xxxxxxxxx> wrote:

> https://blockchain.info/address/1BKRqnmWNfK5qjhouMaBFHwjHK9ibfrKhx
> Apparently it's a rather successful scam.
>
>
> 2014-04-25 21:18 GMT+03:00 Dillon Korman <me@xxxxxxxxxxxxxxxx>:
>
> > Saw a link to this:
> > http://pastebin.com/qPxR9BRv
> >
> > There is no actual exploit code in there since they insist of keeping it
> > private. Do you think there really is a working exploit on new versions
> of
> > OpenSSL?
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > http://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
> >
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/