Inside a Cybercrime Scam Operation

Captions
In a previous video we got a behind-the-scenes look at a digital online scam, because a viewer who happened to be a WordPress hosting provider and administrator was willing to share some server-side code: PHP, HTML, everything on the back end that anyone wouldn't be able to see unless they had access to the server, the computer, the device itself. That was awesome enough as it is, but something even more incredible is that they sent us even more. Take a look at this email: "No honor among thieves: they are signing their WordPress scripts to get credit. Hey, I came across a few interesting things lately when battling the WordPress phishing sites. I'd email you the full archive, but it looks like Gmail doesn't like me sending these." Hey, we've got to get this individual spun up with some password-protected archives, zip files, 7-Zip, anything. Here they say, "One thing that caught my eye was the number of times people signed their script with their online handle so they could get credit for their work, even like adding a copyright option," and they list some commands that they run on the server for a Wells Fargo scheme, the pretense for another phishing lure and hook, a couple of the files here, and even digging into some of the PHP that's present.

So I've downloaded these and I've got them staged and stored in REMnux, my reverse-engineering malware Linux distribution. I created a directory for us to take a look at these, and I want to show you those commands. Just as we saw here, it's simply listing, hey, what's on the server: a couple of different PHP files. One thing that they were pointing out, though, was "spox", a little bit interesting; they hadn't seen that before. I don't know if that's meant to be like sports streaming or something or another, but of course there are a couple of other files. Interestingly enough, within that spox directory there are a couple of anti-files, functions, mail, Wells, results and config files, and we can dig into each of the ones they were willing to send.

I do want to take a look at that spox config file that was present in that directory. Take a look: it looks like a couple of variables just being set here: double login, double access, show question, email, credit card. I'm assuming these are meant to be like Boolean values; however, they are just set to the string "yes". That's odd. And then an email that, hey, okay, you could fill in for whatever email I suppose the user of this script would want. I'm presuming this is some cybercrime-as-a-service where, hey, you can plug and play other code, so other script kiddies or threat actors, whatever unsophisticated folks you wanted, can create their own malspam campaigns, their own phishing emails, so you can steal credentials and be a bad guy, a bad person, just like everyone else. I don't know what these redirection API protection things are. There is a key listed here, presumably for an API key; it says, hey, don't change this. However, I don't know what this API is for. I haven't been able to track that down yet. And again, this isn't everything within these archives; they only sent me a couple of files, but there are some other interesting ones in here.

If we take a look more at the other spox files, there is a spox anti-bot spam here, and this is interesting because, okay, we got a little bit of those clues on, hey, the individuals that are willing to just kind of chest-thump and claim, hey, this was our script, we wrote this, taking credit and even adding some silly copyright to it, over on Telegram: "spox coder". We can go take a look at that one, and, uh, "recording doesn't make you a coder"; I don't know if that's a dig at me or not. Take a look: this is a giant array, a whole big long list of just simple words that we'll be referring to as bots, so online web crawlers, robots, things that might be looking through the internet to index things or cache things. You can see Google, googlebot just here, and a couple of the other ones like Baiduspider or maybe LinkedIn, any of the things that might be out and about. And what they do is they actually go through and take, hey, the remote address that you're looking at; if one of these bots is present in the server remote address or the user agent, it looks like that's just for logging purposes. It ends up saving it to a text file, bots.txt, so it's trying to archive, create, keep a list of all of the user agents, which might include any of those ones that it wants to avoid. And take a look, actually, further down: they check, hey, all of these bot names that are defined up here in this big long list; again, if they are in the user agent, then they log this into their bots.txt file, and after they save this file they respond, hey, 404 Not Found, exit. We're not going to return a real page to you because you're a robot, because you're trying to find things, information that we don't want shared. They just say go away, this page is not real, it's not found, and you aren't able to return the web page if it's like a bot, like Python urllib or curl or googlebot or any of the others.

And actually, before we go too much further, I do want to give some love to today's sponsor, Snyk. I'll be honest, I write bad code. Even though I try to hunt for vulnerabilities in lots of other software, I still have vulnerabilities even in my own projects. Everyone does, and that's why I use Snyk to scan for vulnerabilities in code, dependencies, containers and configuration files. Snyk helps find and fix those vulnerabilities in real time. You can try it and see for yourself: you can sign up for free with my link below, import your repositories, and sit back and let Snyk do the work for you. It'll find the flaws and vulnerabilities in your own applications. Check out this prototype pollution vulnerability that Snyk uncovered. We can see more details about the code path that introduced this vulnerability, and even learn more about this kind of vulnerability, or any others, if you check out the Snyk Learn lesson. I've referenced the Snyk Learn lessons and their vulnerability database a ton, especially in assessments and penetration testing, and even during capture-the-flag competitions. From there you can see an explanation of a flaw, proof-of-concept exploit code and attack demonstrations, and, most importantly, how to mitigate this vulnerability. But the best part: Snyk helps you fix this vulnerability with a single click. It'll automatically open a pull request so you can just merge and move on. So seriously, check out Snyk. It's crazy how many vulnerabilities could be affecting your projects and you don't even realize. Take advantage of the resources and learning material and learn all about the different vulnerabilities out there. It's completely free, and you can sign up right now with my link in the video description. Huge thanks to Snyk for sponsoring this video.

This is a run.php script. For the name, the individual who sent these all along, the WordPress hosting provider and administrator, said this actually came from an AOL or a Yahoo phishing scam. They grab, okay, the POST request's login and password, maybe this form here that we're presented with to receive their credentials, getting the IP address that they retrieve, and then getting some signals, okay, just arrays to determine if it's good or bad, and then staging things inside of a file, determining whether or not they actually had credentials, if the login or password are empty. And if they do, they end up sending an email. They end up staging, hey, we got a new login from this IP address, from this "bettertools" at Yandex, or at least to that address, where it includes in the message the username that was stolen, the password that was stolen, from the IP address at this date, all created by our good friend Grills-with-a-Z, because he's "leaked cyber ninja warrior". It just sends the email, and it just responds, returns on the web page with the encoding, hey, signal was bad, you weren't able to log in, all the while they've stolen your credentials.

Now we're going to do some of the fun ones. I think these are the coolest, because they're basically stuff that we were going to chat about a little bit before here, and there's a whole lot of runway here. This is cookies.php, with our coder "Simo saper 11" or "Sumo saper"; I don't know how to say your hacker name here. But cookies are retrieved, of course, and you could fill out what would be your Telegram token or your Telegram chat ID, and these are all commented, which is super duper handy; thank you, obvious nefarious malicious individual. And there's a function defined to go ahead and send a message, where you build up the request parameters for HTTP and you go ahead and POST to this request URL, which is, as you would expect, the API for Telegram with a bot and a Telegram token to send a message, and then curl to make this request. It's again stealing whatever cookies it might end up tracking down, bundling it all up and stealing it, sending it over here: sendMessage for all the cookies with our Telegram token, and you'll use Telegram to exfiltrate that sensitive information.

I do want to dig into Simo saper. We're building out quite a list of some, maybe some threat actors and script kiddies that wanted to put their name on their homework here. The thing is, that didn't have anything interesting, because it was just the function; it was just building out the functionality. But our aol.php is another one where you can get a little bit more interesting stuff. Take a look: hey, we've got an IP address pulling down, we're building out the message for our "AOL updates", so to speak, with the email that's provided, the password that's provided, and of course the IP address on goiptool.com that we end up sending this to, creating our use.txt file where we kind of log all this just as well server side. But ultimately, here it is: here's another Telegram bot with their token, with the bot ID, the chat ID and message space that they want to send this all to, and they do the exact same process, where they go ahead and use curl to send a message, have Telegram get all this data for us, where they can look at it after the fact. Of course, hey, here's a simple stupid redirect to AOL's login, mail.aol.com.

Now normally that's the gist, that's everything, because, wow, okay, cool, we found our credential harvester, we're seeing we're leaking through email, we're seeing we're exfiltrating through Telegram. But in the last couple of videos you all were super duper smart and let me know in the comments: you know, sometimes there's a way where you could actually dig into what some of those Telegram bots are seeing. This is an email that came following that previous video, where they mentioned, hey, if you wanted to use this URL, you could actually see from the API, noting the bot ID, you could try getUpdates; you might be able to see, even just with getMessages, maybe denoting the chat ID, you could pull down what messages are present there; or if you wanted to, you could send messages and maybe spam the channel if you wanted to make a little bit more of a mess, go a little gray hat, right? And they pulled this down again for the endpoint in the previous video.

So let's get wild, and let's take that link again from the previous video as an example, where we could try to look at the Telegram bot records for that previous one. Now I'll hit enter here, and it will return nothing, because it looks like, okay, that one got cleaned up. That individual did note that and let me know, hey, it looks like the API got wiped; maybe all the records in that channel have been removed, deleted. But they actually had a few records in the past, and we can dig into those in just a moment. Let's try this technique on our current newfound API token bot. This is again our aol.php, and here is our bot present here. Let me see if I can just create a new page where I have this https link, but this will end up being modified, right, with the previous API, and now let's go grab that bot's ID, all that, its token and everything that we need. Let's get back to our terminal and let's try and clear the screen to run this curl command. Let me add curl at the start of that. But this returns Unauthorized, so maybe this one is a little bit more locked down. I don't know; maybe they were a little bit smarter in putting this one together. I haven't had luck with that, while the others had. And I'm curious again, if you want to let me know some other super smart stuff in the comments: I think you could actually even just go to getUpdates where you specify, like, some other POST data, dash data or whatever, and you make, like, JSON where you can say, hey, the chat ID can actually reference whatever the message channel was that we see in the source code here. That might be able to get you one message, or you could loop through as many of those as you want to get just about everything. You could even have it, like, forward things to your Telegram account, all the crazy stuff, if you wanted to kind of snoop and listen in on this for research, education. But I thought that would be worthwhile to show.

Let's dig into some of the logs from the previous video, or that individual, again, who just emailed me and said, take a look at all the stuff that we tracked down. This is what the API used to return when you would run getUpdates for the token found in the previous video. Looks like it did have results: it had update IDs, it had bots that were present, usernames that were included are "Khalifa", "Khalifa 666 bot", who is a bot and presumably the one, okay, reaching and linking all of these specific user credentials. Now note I have gone through to try to redact the victim ID, the username, the user ID, their IP address, but you can see the entries in here that we saw again just previously in the last video, where they include some information, again the user ID, username, password, IP address and their location. Looks like just about all these are from PY, Paraguay, right? So let me see, can I actually pull these and let me bring this into, what is it, Google Translate. All right, hop on over here to Google Translate: "University account, type: member number: [redacted], [redacted]," and their location, right. But if you'll notice, they include even just another bit of text here underneath that. Let me see if I can slap that in; pasting that in, it says "bad key" for that one. Okay, I'm curious if that's a note that, like, oh, their password didn't work or something. Here we got another one, let's see: this says "mallow"; I can end that in "mallow bad". Okay, another one, "bad", presumably. Scrolling down, this one has "teen"; let me grab this and we can do it one more time: "teen one million". What the heck: "University account, savings account, maria123" is the password, "has one million", and that's the note here, "it has one million". I don't know if that's supposed to mean there's a million dollars in that account, but that's still a spooky thing to see. But that is the output that you might see if you could pull down a response from one of the API Telegram bots: info and updates and messages that could be pulled down from that channel.

Another individual showcased kind of a similar thing. Hey, they were reaching out saying, look, we're seeing the same sort of stuff; if you wanted to end up using getUpdates and then trying to loop through stuff, you very well could, and they were actually able to set up some of that forwarding that you can do with the Telegram bot messages. Apparently it was a deleted account, but you could see here's that "Office 365 HTML logs" at whatever time and date is given, user agents probably, the username, email, password, IP address, and another, hey, maybe a potential threat actor we could probably go see what they're up to on the Telegram stuff.

So at this point we have a whole list between all those folks here. Looks like we got "spox coder"; we can add that one to our list. We have, what was it, Grills; I don't know if we'll be able to track that one down on Telegram. But the other one, "Mr Q", looks like it came from Telegram. What else did we have? We had Simo saper, of course, of course. That looks like a channel to even join; they had a join message there, and I'm going to assume those are our actors here, between, look, they literally put a flag in the ground, they tried to write a little copyright, trying to make sure they can credit themselves in their code. Let's go see if Simo saper is a friend. If you didn't know, you can go to t.me/ with whatever Telegram, I think, username or channel, and it will just kind of get you the little setup there. And, oh, this is, okay, "Black Hat Egypt: we are black hat", with the owner "Simo saper 11" given that user. Let's go see what this thing's about. Taking a look within Telegram here, this is Black Hat Egypt, and it's a thing. It's okay, messages from June 17th, relatively recently; I'm recording on the 19th here. Looks like "API check all numbers", a little utility here; "you can make your own Python script". This has 1,800, almost 1,900 subscribers present. Don't mind whatever chat I have over on my Telegram side; this other, you know, cybercrime channel, it's whatever. "New API privilege", "check all domains", "three million emails", "simple Twilio tester script". Okay, so just sharing code, just sharing data leaks. Here's some Python script to os.remove System32, rm -rf; I don't even, I don't think this... What else do we have here? Here's some videos, oh, some pictures. Oh, he's doing his thing, RDP'd into something there. Oh, he's going to make a course; he's jumping on the course bandwagon: "spamming course by Black Hat Egypt: what is spamming, what is scam page, what is scamps". Oh, get an academy going there. There's a video here, F Society; you've got Elliot Alderson up in there. [Music] Oh God, I had to turn the music off, that was horrendous. What is this, what is this video? He's got like an SMTP spammer, is that what this thing is? A couple of hits, oh goodness, for like targeted accounts. Is that actually what's happening? Like, okay, given a username or password, what is this? I don't know, take it with a grain of salt, but I'd have to think, okay, logging in: are these just all of the stolen credentials that have been ported into this Outlook email? This thing is called Silver Bullet; that was the name of the application that he either has or built, or I don't know. It's 80,000 emails to just log in with, like, another... ah, oh no, okay, I don't feel like I should be here, I don't want to watch this anymore. What do they do? I'm done, I'm out, I'm out, I'm out. "combo priv for crack.txt", "DMs messages", I don't know, making sales, selling deals, getting cybercrime up as the business, "emails available", "how to install Python 2 with fixed pip on Windows". Oh no, no, no, no, you should not be using Python 2 at this point, come on. "subfinder syntax", "cPanel XSS", okay.

Oh, look at this, look at this: bot.php. Let me get that; yeah, we can do that one, because it's PHP. There's another API bot token just hanging out over there. This one looks a little bit bigger: getting contents, sk_live, multi-string, explode. It just flat out does sendMessage again with Telegram: ID, user, group, etc., commands, like building out a whole thing here. This is massive: Stripe payments in the API mix. This is massive; it's just, is this just Stripe payments, like trying to make that as a Telegram bot? Can we see anything from this bot token? Let's get this into here, getUpdates, and let's try to do one more curl command on that. Not found. Oh, oh, I need to include the "bot" prefix. "Can't use getUpdates method while webhook is active; use deleteWebhook." What can we get? Can we get stuff from that? Where's the channel ID, where's the channel ID? I don't see it in here; it's not included, it's not included in the bot. It's all just variables; they don't actually have it set. I mean, I have it set, but it's like from, I don't know if it's in here, but that one looks, unless it's like a user ID, but that wouldn't make sense to me. I thought it's supposed to be like the message ID or the channel ID. Wait, it's from update, and update is file_get_contents based off the input stream. Oh, so, oh wow, okay, so a little bit more flexibility there, huh? All right, I'm going to leave that one alone. And there is so much stuff in here; Black Hat Egypt is the gift that keeps on giving. But we have three other things to chase; let's go explore those before we forget.

Can we find Grills? Here's a thing; I don't know if that's him, I don't know if that's our guy, or his, the three guys, one of maybe the three or two, who knows. "spox coder", however, we've got to have a lead, 'cause spox coder gave us... oh, was that not his name? Was it "spox DZ"? That's supposed to be his Telegram, right? What about spox DZ? Oh, he's a thing. Oh! [Laughter] "Attention guys, I already told that spox coder is no longer my account. It was mine in 2019 and 2020, but I deleted my old Telegram account because someone chose that. That's right, I used to use my name on old scam pages I made before 2021, but now I am a new man." All right, well, I mean, that explains why this thing was like, what, copyright 2020. "For copyright, spox coder is a fake one; spox coder official is as real as it gets." He's official. This is from October 18, 2021. What is the latest stuff in here? June 16th, okay, it's back in action over in the spox coder official channel. What is this? "binary skull dot chase", "USPS scam page and letters". What is this, what is this world that I live in? "heart sender", [laughs] "just unlike me, I love you virus"; that'd be, that'd be ghetto. He is a store; you can buy stuff. "RDPs for sale, hey, 60 gigs over in the US, twenty dollars." That's cheap. All right, we could go down a long rabbit hole here, but we've got to move on to our friend Mr Q. I guess spox coder official was still a thing, though. Does that bring me to a completely separate one? Oh, that's him, that's his real account I follow; that's his username.

Let's go take a look at Mr Q. Ah, um, I don't speak this language. I don't know what I'm going to find here, and I'm sketched out. Could I, like, Google Translate some of these? No, I don't want to forward them. Get out of my... ah, um, what is this, what is this, what is this place that I'm in? Oh God, oh, I'm still scrolling up. Why, could I copy and paste these so they go in Google Translate? Oh, come on, Google, I am not a robot, stop. Okay, okay, we're back to Google Translate: "third grade chemistry, God willing the questions will be easy and all of them will pass, third grade chemistry". Is that their username? I'm done, I'm out, I'm out. Nothing else, nothing for us to dig into further here.

Hey, thanks so much for hanging out, everyone. That was a little bit of a wild ride; I hope you had fun. Some wild and crazy stuff, weird things to see, weird things to dig into and play with. But, man, I don't know, it was cool to get again that inside look, the inside perspective for what some of the scam pages are looking like, what even the whole scam campaigns and this whole cybercrime infostealer thing as a business really, really is. It's a spooky thing. Hey, thanks again, I hope you enjoyed this video. Like, comment, subscribe, please do check out our sponsor Snyk in the description, and I hope to see you in the next video. What, why is it so slow? Oh my God, okay, get out of my life.
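The getUpdates trick discussed in the captions (querying the Telegram Bot API with a token recovered from a phishing kit, hitting 404 until the literal "bot" prefix is on the path, 401 Unauthorized for a revoked token, and 409 when the operator has a webhook set) is shown below as an added Python example. It is not code from the video, from the kits it shows, or from any of the people it names. It assumes only the public Bot API response shape ({"ok": true, "result": [...]} on success, {"ok": false, "error_code": N, "description": "..."} on failure); the sample responses, the victim "key: value" exfil format and the chat/update IDs are constructed for the demo, since every kit formats its exfil text differently.

```python
"""Triage a Telegram bot token pulled from a phishing kit (added example)."""
import json
import re
import sys
import urllib.error
import urllib.request

API = "https://api.telegram.org"


def updates_url(token: str) -> str:
    # The path needs the literal "bot" prefix before the token, otherwise
    # the API answers 404 (the mistake made in the video before fixing it).
    return f"{API}/bot{token}/getUpdates"


def classify(response: dict) -> str:
    """Map a Bot API reply to a triage outcome."""
    if response.get("ok"):
        return "readable" if response.get("result") else "empty"
    code = response.get("error_code")
    desc = response.get("description", "")
    if code == 401:
        return "unauthorized"      # token revoked or never valid
    if code == 409 and "webhook" in desc.lower():
        return "webhook_active"    # operator set a webhook; long-polling refused
    return f"error_{code}"


# "key: value" or "key = value" lines, the shape most kits use for exfil text
# (assumption for the demo; adjust the pattern to the kit in hand).
KV = re.compile(r"^\s*(?P<k>[A-Za-z _]+?)\s*[:=]\s*(?P<v>.+?)\s*$")


def parse_exfil_text(text: str) -> dict:
    out = {}
    for line in text.splitlines():
        m = KV.match(line)
        if m:
            out[m.group("k").strip().lower()] = m.group("v")
    return out


def extract_records(response: dict) -> list:
    """Turn getUpdates results into one record per message that carried fields."""
    recs = []
    for upd in response.get("result", []):
        # Private chats arrive as "message", channels as "channel_post".
        msg = upd.get("message") or upd.get("channel_post") or {}
        fields = parse_exfil_text(msg.get("text", ""))
        if not fields:
            continue  # bot commands, stickers, chatter
        recs.append({"update_id": upd.get("update_id"),
                     "chat_id": (msg.get("chat") or {}).get("id"),
                     "fields": fields})
    return recs


def redact(record: dict) -> dict:
    """Mask credentials and IPs before a record leaves the analyst box."""
    sensitive = {"user", "username", "login", "email", "pass", "password", "ip"}
    fields = {k: ("[redacted]" if k in sensitive else v)
              for k, v in record["fields"].items()}
    return {**record, "fields": fields}


def fetch(token: str, timeout: int = 10) -> dict:
    """Live call; 401/409 come back as HTTPError with the JSON body attached."""
    try:
        with urllib.request.urlopen(updates_url(token), timeout=timeout) as r:
            return json.load(r)
    except urllib.error.HTTPError as e:
        return json.load(e)


# Constructed sample responses (not real victims, tokens or chats).
SAMPLE_OK = {"ok": True, "result": [
    {"update_id": 700000001, "message": {
        "message_id": 11, "date": 1686960000,
        "chat": {"id": 123456789, "type": "private"},
        "text": "New login\nuser: victim1\npass: hunter2\nip: 203.0.113.7\ncountry: PY"}},
    {"update_id": 700000002, "message": {
        "message_id": 12, "date": 1686960100,
        "chat": {"id": 123456789, "type": "private"}, "text": "/start"}},
]}
SAMPLE_401 = {"ok": False, "error_code": 401, "description": "Unauthorized"}
SAMPLE_409 = {"ok": False, "error_code": 409, "description":
              "Conflict: can't use getUpdates method while webhook is active; "
              "use deleteWebhook to delete the webhook first"}


def main(argv):
    # With a token argument it goes live; without one it runs the offline demo.
    resp = fetch(argv[1]) if len(argv) > 1 else SAMPLE_OK
    print("status:", classify(resp))
    for rec in extract_records(resp):
        print(json.dumps(redact(rec)))


if __name__ == "__main__":
    main(sys.argv)
```

Two caveats a practitioner should keep in mind before pointing this at a live token: getUpdates only returns updates the bot has not yet confirmed with an offset, and at most 100 per call, so an operator who polls normally leaves little behind (which is one way the earlier token in the video could come back empty); and polling a bot that someone else is polling at the same time produces its own 409 conflict, so the activity is visible to the operator.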
Info
Channel: John Hammond
Views: 44,976
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: KZoeP7YGnHo
Length: 23min 5sec (1385 seconds)
Published: Tue Jun 20 2023