Let's Feed the Phishes

by goldcove

My cell phone carrier has been offering email service for as long as I can remember and I have had an email account there since the late 1990s.  Back then, I gave out my email address to everyone who asked and, needless to say, I received a lot of spam.  For the last couple of years, I've received phishing attacks as well, and the other month I grew tired of this and decided to go vigilante and feed them some fake data.

Suspecting that the page might be serving malware, I ran GNU Wget inside a chroot jail to fetch the phishing page.  The handiwork seemed very sloppy.  They had basically just ripped the web mail login page and made some simple changes to collect the reply.  They hadn't even removed the SquirrelMail JavaScript calls from the login form...

The one thing they had changed was that they asked for the cell phone number and password instead of the usual username and password combo.  This bit of "social engineering" will probably work on unsuspecting victims, as this is the normal way for this cell phone operator to authenticate users on its website.

I decided to have some fun!

My first concern was not to get some angry cybercriminals on my back, so I used Tor and ProxyChains to hide my IP address (by default Tor switches new connections to a fresh circuit, and so to a different exit node and apparent IP address, roughly every ten minutes).

I wrote a simple Python script that generates random eight-digit phone numbers starting with "9" or "4" (in accordance with the cell phone number plan in my country) and random passwords of 4 to 14 letters.  After each successful fake data submission, the script sleeps for one to 15 seconds.

I added an error handler to catch connection failures; the script then just sleeps for 60 seconds before trying again.

To be nice to the DNS server, I added the IP address of the phishing site to my /etc/hosts file.  (A side effect worth having: with the name resolved locally, no DNS query for the phishing domain has to leave the machine on every iteration, through Tor or otherwise.)

The site had one odd behavior: it seemed to filter on the User-Agent string.  When I fetched it with GNU Wget's own User-Agent, I got redirected; I had to specify a standard web browser User-Agent to reach the form.  The code ran happily for four days, submitting false data to the phishing site and hopefully making any real data "disappear in the crowd."

The script has some caveats.  Passwords made of random letters can be quite obvious; it would be better to build them from real-life dictionary data so they look like what people actually type.
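The dictionary-based generator that caveat asks for, as an added example that is not part of the original script.  The word list is a constructed stand-in for a real dictionary file or leaked-password list, and the password shapes it produces (bare word, Word1987, word12, Word!, two words joined) are an assumption about what people type, not anything measured on this site.  The phone numbers follow the same eight-digit, leading 9 or 4 rule as the script.

```python
import random
import string
import urllib.parse

# Constructed word list standing in for a real dictionary (e.g. /usr/share/dict/words)
# or a leaked-password list; these are not real credentials.
WORDS = ["sommer", "hund", "fotball", "bergen", "jenny", "oslo", "monkey", "dragon",
         "sunshine", "hockey", "kari", "trondheim"]
TRAILING_SYMBOLS = "!.#*"


def plausible_password(rng=random):
    """Turn a dictionary word into something shaped like a human-chosen password.

    The five shapes are assumptions about common habits: a bare word, a capitalised
    word plus a year, a word plus one to three digits, a capitalised word plus a
    symbol, and two words run together."""
    word = rng.choice(WORDS)
    shape = rng.randrange(5)
    if shape == 0:
        return word
    if shape == 1:
        return word.capitalize() + str(rng.randrange(1950, 2011))
    if shape == 2:
        return word + "".join(rng.choice(string.digits) for _ in range(rng.randrange(1, 4)))
    if shape == 3:
        return word.capitalize() + rng.choice(TRAILING_SYMBOLS)
    return word + rng.choice(WORDS)


def plausible_phone(rng=random):
    """Eight digits, leading 9 or 4, as in the article's number plan."""
    return rng.choice("94") + "".join(rng.choice(string.digits) for _ in range(7))


def fake_submission(rng=random):
    """One form submission in the field names the phishing form used."""
    return {"Username": plausible_phone(rng), "Password": plausible_password(rng)}


def is_dictionary_like(password):
    """Cheap self-check: after stripping trailing digits/symbols, is the stem built
    from one or two known words?  Random-letter passwords fail this test."""
    stem = password.rstrip(string.digits + TRAILING_SYMBOLS).lower()
    for word in WORDS:
        if stem.startswith(word):
            rest = stem[len(word):]
            if rest == "" or rest in WORDS:
                return True
    return False


if __name__ == "__main__":
    rng = random.Random()
    for _ in range(5):
        sub = fake_submission(rng)
        print(urllib.parse.urlencode(sub), "dictionary-like:", is_dictionary_like(sub["Password"]))
```

Swapping `fake_submission()` in for the two `"".join(random.choice(...))` lines in the script is the whole change; the urlencoded body it produces is what goes into the POST.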

Tor might be nice for hiding your IP address, but a simple lookup at check.torproject.org/cgi-bin/TorBulkExitList.py lists most exit nodes that can contact a given IP address, so whoever runs the phishing site can recognize submissions arriving through Tor just as easily.
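What that lookup lets the other side do, as an added example that is not from the article: a phisher (or anyone sorting harvested form posts) can drop everything that came from a listed exit node, and separately drop any address that submitted more than a handful of times.  The exit list text and the submission log below are constructed samples in the shape of the real data; all addresses are from the documentation ranges and none of the credentials are real.

```python
import collections
import ipaddress

# Constructed sample in the format of the bulk exit list: comment lines, then one
# address per line.  The real list from that URL runs to hundreds of entries.
EXIT_LIST_TEXT = """\
# This is a list of all Tor exit nodes that can contact 203.0.113.10 on port 80
# (constructed sample, not the live list)

198.51.100.7
198.51.100.23
192.0.2.44
"""

# Constructed harvest of what the phishing form would have logged:
# (source IP, phone number typed into the Username field, password).
SUBMISSIONS = [
    ("198.51.100.7", "91234567", "qZkLmPwx"),
    ("198.51.100.7", "45678901", "aBcDeFgHiJ"),
    ("198.51.100.7", "98765432", "mNoPq"),
    ("203.0.113.55", "47111111", "sommer2009"),   # one post from a residential address
    ("192.0.2.44", "90000000", "xxxxxx"),
    ("198.51.100.23", "41111111", "Bergen!"),
    ("203.0.113.99", "92222222", "fotball99"),    # not Tor, but three posts from one IP
    ("203.0.113.99", "93333333", "Oslo1987"),
    ("203.0.113.99", "94444444", "hundhund"),
]


def parse_exit_list(text):
    """Parse the bulk exit list into a set of ip_address objects, skipping comments,
    blank lines and anything that is not an address."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            pass
    return exits


def filter_submissions(submissions, exit_list_text, max_per_ip=2):
    """Split submissions into (kept, dropped); each dropped row carries its reason.

    Posts from a Tor exit are dropped outright.  Any other address that posted more
    than max_per_ip times is dropped as bulk noise, on the assumption that a real
    victim logs in once or twice, not dozens of times."""
    exits = parse_exit_list(exit_list_text)
    per_ip = collections.Counter(ip for ip, _, _ in submissions)
    kept, dropped = [], []
    for ip, phone, password in submissions:
        if ipaddress.ip_address(ip) in exits:
            dropped.append((ip, phone, password, "tor-exit"))
        elif per_ip[ip] > max_per_ip:
            dropped.append((ip, phone, password, "volume"))
        else:
            kept.append((ip, phone, password, None))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_submissions(SUBMISSIONS, EXIT_LIST_TEXT)
    for row in kept:
        print("KEPT   ", row)
    for row in dropped:
        print("DROPPED", row)
```

At one submission every 1 to 15 seconds over a four-day run, each ten-minute Tor circuit contributes tens of posts from a single exit address, so the volume rule alone would catch the script even if the exit list were never consulted.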

Also, a lot of submissions from the same IP address will be easy to pick up and filter.  I didn't implement this before I started the script, but it should also analyze the server response.  It turned out that the phishers got tired of the site and it was redirected to a standard hosting front page, so I ended up sending data to the hosting company for some ten hours after the phishing site closed.
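The response analysis the script lacked, as an added example that is not part of the original listing: record a signature of the first response (status class, where any redirect points, and the login form's action and field names), then compare every later response against it and stop when something changes.  The two HTML documents are constructed stand-ins for the ripped login page and for the hosting company's front page that replaced it; the field names match the ones the script posts.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the phishing page on the first fetch: the ripped webmail
# login form, asking for the phone number in a field still called "Username".
BASELINE_HTML = """<html><body>
<form action="redirect.php" method="post" name="login_form">
Mobile number: <input type="text" name="Username">
Password: <input type="password" name="Password">
<input type="submit" value="Log in">
</form></body></html>"""

# Constructed stand-in for the hosting company's front page that replaced it.
HOSTING_HTML = """<html><body><h1>Welcome to your new web hosting account</h1>
<p>This domain has not been configured yet.</p></body></html>"""

FORM_RE = re.compile(r"<form[^>]*>.*?</form>", re.S | re.I)
INPUT_NAME_RE = re.compile(r'<input[^>]*\bname="([^"]+)"', re.I)
ACTION_RE = re.compile(r'\baction="([^"]*)"', re.I)


def form_fingerprint(html):
    """(action, sorted input names) of the first form, or None when there is no form."""
    match = FORM_RE.search(html)
    if not match:
        return None
    form = match.group(0)
    action = ACTION_RE.search(form)
    return (action.group(1) if action else "", tuple(sorted(INPUT_NAME_RE.findall(form))))


def response_signature(status, headers, body):
    """The parts of a response worth comparing between iterations: the status class,
    the host any redirect points at, and the login form fingerprint."""
    lower = {k.lower(): v for k, v in headers.items()}
    location_host = urlparse(lower.get("location", "")).netloc.lower()
    return (status // 100, location_host, form_fingerprint(body))


def site_changed(baseline, status, headers, body):
    """Return a reason string when the response no longer matches the baseline
    signature, or None while the phishing site still looks the same."""
    sig = response_signature(status, headers, body)
    if sig[0] != baseline[0]:
        return "status changed from %dxx to %dxx" % (baseline[0], sig[0])
    if sig[1] != baseline[1]:
        return "redirect target changed to %r" % (sig[1] or "(none)")
    if sig[2] != baseline[2]:
        return "login form changed or gone: %r" % (sig[2],)
    return None


if __name__ == "__main__":
    baseline = response_signature(200, {"Content-Type": "text/html"}, BASELINE_HTML)
    print("baseline:", baseline)
    print("same page:", site_changed(baseline, 200, {}, BASELINE_HTML))
    print("hosting front page:", site_changed(baseline, 200, {}, HOSTING_HTML))
    print("redirected away:", site_changed(baseline, 302, {"Location": "http://www.example-hosting.example/"}, ""))
```

In the script, take the signature from the first successful `conn.getresponse()` (status, `response.getheaders()`, `response.read()`), and on every later response break out of the loop as soon as `site_changed` returns a reason; that would have ended the run when the redirect to the hosting front page appeared instead of ten hours later.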

I don't know if my action affected the phishers, but I got some laughs out of it imagining the fury of the phishers...  It was also a fun project to construct the script.

Links

#!/usr/bin/env python3
# Anti-phish: false data spammer
# Sends a false phone number and password to some.phishingsite.com every n seconds.
# Ported from the original Python 2 listing: httplib -> http.client,
# urllib.urlencode -> urllib.parse.urlencode, xrange -> range,
# string.letters -> string.ascii_letters, print statement -> print().

import http.client
import random
import signal
import string
import urllib.parse
from time import sleep

PrintData = False

# Print the server's response body once, on the next request after a USR1 signal
def SigUSR1Handler(signum, frame):
  global PrintData
  PrintData = True

# Register the handler once, before the loop.  The original registered it inside the
# loop after the first request, so a USR1 arriving before that was silently ignored.
signal.signal(signal.SIGUSR1, SigUSR1Handler)

# Suspect filtering on simple headers.  Add fake Win XP / IE7 headers
headers = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)",
           "Accept": "text/html",
           "Accept-Charset": "ISO-8859-1",
           "Keep-Alive": "115",
           "Connection": "keep-alive",
           "Content-Type": "application/x-www-form-urlencoded"}

# Loop endlessly
while True:
  # Create false data: 8 digit phone numbers starting with 9 or 4, password of 4 to 14 letters
  leadingDigit = random.choice("94")
  fakeUserName = leadingDigit + "".join(random.choice(string.digits) for i in range(7))
  fakePassword = "".join(random.choice(string.ascii_letters) for i in range(random.randrange(4, 15)))

  params = urllib.parse.urlencode({"Username": fakeUserName, "Password": fakePassword})
  # Create connection and POST the fake login
  try:
    conn = http.client.HTTPConnection("some.phishingsite.com", 80, timeout=30)
    conn.request("POST", "/redirect.php", params, headers)
    # Server response
    response = conn.getresponse()
    print(response.status, response.reason, "-", fakeUserName, fakePassword)

    # Always drain the body so the connection is left in a clean state; only print it
    # if a USR1 signal was received since the last request.
    data = response.read()
    if PrintData:
      print(data.decode("iso-8859-1", errors="replace"))
      PrintData = False

    conn.close()

    # Sleep 1 to 15 sec between submissions
    sleep(random.randrange(1, 16))
  except (OSError, http.client.HTTPException) as e:
    # Connection failures (refused, reset, timed out, malformed reply): back off 60 sec.
    # The original used a bare except, which also swallowed Ctrl-C.
    print("Error connecting... sleeping 60 sec:", e)
    sleep(60)

# End script

Code: anti-phish.py
