Ok, call me out for being new ::obviously:: but I had an idea that I thought worth sharing that I just don't have the time right now to pursue further yet. Primarily an idea to render phishing web sites useless to those using them (from email address phishing, to bank/credit account, to even World of Warcraft).
The idea I recalled was several web sites that outline non-violent ways to get back at regular junk mailers. Stuff with prepaid envelopes and the like. Quite literally mailing them back their own junk. Then I came across the Pirate Bay's DDo$ attack request, which simply is requesting lots of people to transfer the minimal amount to the target, in the idea that the large numbers raise the transfer costs and eventually the free $1000 they made is cobbled in fees due to the $1000 after with $3000 in transaction fees...
Anyhow, I just realized that was more back story and mind tracing than needed.
The basic idea I've come up with was to just literally fill up phishers' systems with randomly generated junk.
My thinking is/was to set up a Tor web server with a simple web site on it that forwards and posts to another site's form. So for example I type my login information to page.html and it gets forwarded to gmail.com, or gmail.phish.com. Then set up a computer with Brutus (word list checker/brute force) to constantly brute force randomly generated passwords against the Tor web server, which is in turn pushing it to the target site. Going this route would permit the "attack" to come from an abundance of random IP addresses as well as filling their email/database with false account information, making the legitimate information a needle in a haystack not worth filtering through.
Also in my thoughts this could be implemented differently. Since there is a Tor web server involved, the idea is that it could contain an SQL db of phishing sites, and it would be constantly cycling through them for each attempt/value. So every time a user/Brutus submits a new "theoretical account" login, it moves onto the next one and cycles back. This mixed with lengthening the timers on Brutus could result in what would look like constantly incorrect logins and not a timed repetitive attack against a specific server.
I feel that this method would minimize the web programming needed. Another thought for implementation would be to replace Brutus in some manner.
Set up a collection of possible user logins manually (SQL db of user submitted accounts, permit the 419 community to post new names) and use a collection of php/ajax/cgi/java calls to randomly generate infinite fake passwords. Then program a simple web page on the Tor web server that automagically pulls a user account from the SQL db, then randomly generates a non-existing password and submits it to the phishing sites in an ordered sequence (ensures everyone gets a turn). Then it just turns into someone refreshing their page (I know of a Firefox addon for this) and getting a "success" or "fail" page while a Tor web server just fills phishing sites with invalid information.
Don't know if this has ever been posted, implemented, or if I'm out of line throwing this up there. The primary purpose of Tor in this project is to mask the location/information of the "attacking" computer so that it cannot be easily/directly blocked. This also has a secondary benefit of having a computer act within the mask of anonymity, as this sort of effort's legality may be questionable depending on location and implementation.
I'm not much of a programmer, so within my head, this is probably about as far as I can get with this idea. I've got the computing power; plenty of computers can be mindlessly added to the cause (consented botnet?), reminds me of [email protected]
Nurse Nasty Eloquent Noob
Joined: 31 Aug 2005
Location: Australia, where a dingo stole my eski
Wed May 13, 2009 8:29 am
First and only real question you need to ask yourself is: is it illegal?
If yes, then no, we wouldn't be interested.
Plus we don't really tackle phishing sites. We do kill the occasional one, but we specialize in killing fake banks.
Joined: 21 May 2004
Location: Terra Firma
Wed May 13, 2009 9:09 am
The downside to this is that it can be used against legitimate sites, as well. The ill feelings generated when one legitimate site goes down because some prankster decided to screw it up will make it bad for everyone here.
You say there are no such pranksters who will try to sabotage such anti-phishing measures? Think again ...
_________________ ... as the actress said to the bishop.
pablo 419Eater is my life
Joined: 10 Jul 2008
Wed May 13, 2009 10:23 am
@@Zaephor be careful of unintended consequences.
I have had a lot of experience with phishing sites (and their death and destruction).
The fatal flaw in your plan is that the bank site, credit card site or whatever site is also referenced in most phishing scripts, and it validates the password and account information. Only the valid accounts are saved.
The denial of service only impacts the intermediate site, almost always an innocent web site. The intermediate site typically is a club, local store, small internet business, a radio station, all innocent.
The final argument is the reason not to do it. If you have enough information to attack the phishing site you also have enough information to kill it and protect the innocent victims who give up passwords and account information.
Phishing scams are based on the predictable statistical distribution of responses. The scams are set up days in advance in most cases and when everything is ready a mass emailing goes out timed to maximize the responses before the intermediate site gets killed.
It is important to kill a site as close to the mailing as possible to minimize the number of victims. When killing phishing sites, minutes are the appropriate unit.
The simplest route is to forward the phishing email to security at the bank or credit card company. (Google will find the appropriate email address by searching for something like "phishing company-name".) Don't assume they have already seen the phishing scam.
Killing phishing sites is nowhere near as much fun as baiting; it's usually over in less than ten minutes.
Zaephor Hello I'm New here!
Joined: 13 May 2009
Wed May 13, 2009 5:39 pm
Ahh, completely forgot about those points. I was half asleep when I decided to type it and hadn't thought through to the downsides of people abusing it.