Showing a Craigslist scammer who's boss using Python

Video Statistics and Information

Reddit Comments

SELECT * FROM passwords WHERE ip != "engineerman"

πŸ‘οΈŽ︎ 705 πŸ‘€οΈŽ︎ u/tetyys πŸ“…οΈŽ︎ Jul 29 2018 πŸ—«︎ replies

If the scammer has any sense they will be logging IPs and user agents and would easily be able to filter this noise out. You could get around this using Tor exit nodes and randomised common user agents. Looking at the quality of the spoofed page they probably don't. The scammer should also be using a CSRF token to make this kind of attack more difficult.

πŸ‘οΈŽ︎ 277 πŸ‘€οΈŽ︎ u/kmaid πŸ“…οΈŽ︎ Jul 29 2018 πŸ—«︎ replies

Code review: that's unnecessary effort to convert the names to JSON and then parse the JSON instead of just reading lines from a flat text file. Also, pointless `''.join` on a single string for `name_extra`?

πŸ‘οΈŽ︎ 183 πŸ‘€οΈŽ︎ u/sandwich_today πŸ“…οΈŽ︎ Jul 29 2018 πŸ—«︎ replies

Part of me wonders if the weird POST URL and user/pass form field names are to help identify which target/email landed the user on the page.

It's possible the scammer would be able to easily discard all of these if they're scoped/tagged/associated with that single email.

Bonus points if they went the extra mile to create an entirely different website per email they sent out.

πŸ‘οΈŽ︎ 71 πŸ‘€οΈŽ︎ u/CSEngineer13 πŸ“…οΈŽ︎ Jul 29 2018 πŸ—«︎ replies

Back in the day, I got a Craigslist scammer big time by pulling a similar kind of prank—and let me tell you: getting the scammer's address and contact details was the easy part. The hard part was getting the python into the box.

πŸ‘οΈŽ︎ 217 πŸ‘€οΈŽ︎ u/TizardPaperclip πŸ“…οΈŽ︎ Jul 29 2018 πŸ—«︎ replies

Nice work!

FYI in case you weren't aware, json provides the load method which takes in a file object so you don't need to use .read(). You should also probably be closing the file handle (either explicitly or using a with block).

I realise that this probably doesn't matter one tiny little bit for a script like this, but it would be good practice for anything serious!

πŸ‘οΈŽ︎ 25 πŸ‘€οΈŽ︎ u/j03 πŸ“…οΈŽ︎ Jul 29 2018 πŸ—«︎ replies

I liked the video.

πŸ‘οΈŽ︎ 14 πŸ‘€οΈŽ︎ u/NotCoder πŸ“…οΈŽ︎ Jul 29 2018 πŸ—«︎ replies

The POST URL looks randomized. If you really wanted to flood the attacker's inbox, do a first request to grab a new "post" URL, extract the form field keys, then send the results back in

If you really wanted to make this scammer suffer:

  1. Use the Faker module people have indicated. Feeding only yahoo addresses will make it relatively easy for the spammer to drop the yahoo addresses.
  2. You only feed 1k entries to the spammer at a time.
  3. Consider using Multiprocessing so that you spin up multiple connections at once to the spammer.
  4. Insert a randomized delay on each one of your requests so the spammer has a harder time of figuring out which connections are legit
  5. Get an account at a place that has a proxy frontend so that they can't figure out who behind the proxy endpoint is slamming them
  6. Get access to a free proxy point to expand on #5.
πŸ‘οΈŽ︎ 13 πŸ‘€οΈŽ︎ u/Hasteur πŸ“…οΈŽ︎ Jul 29 2018 πŸ—«︎ replies

rm *yahoo.com

πŸ‘οΈŽ︎ 55 πŸ‘€οΈŽ︎ u/dylan15766 πŸ“…οΈŽ︎ Jul 29 2018 πŸ—«︎ replies
Captions
Someone tried to scam Engineer Man this morning, and I'm not about to let him get away with it. Let's show him who's boss.

So I got a super legit text message this morning. It looks a little bit like this: Craigslist dot Potts fam com. Well, that sounds like the Craigslist URL. Let's go ahead and have a look at this URL and see what we're working with. So we got a login page, and it's total BS as far as I can tell. So what's the worst possible thing I could do to him right now? Well, I could just send him a bunch of fake emails and passwords over and over, so just go ahead and do that.

So to do that, I'll put my login box up here, grab my trusty Chrome console, click preserve log, throw an email and password in here, click login, and then analyze which one it sent it to. So that looks like it: form data, email and password, sent to this crazy weird URL, and then it looks like it's redirecting to Craigslist phone verification, so I definitely have the right call. So we'll go ahead and use that URL for the rest of this video. So go ahead and copy these things into my code. I know I need this request URL, just make a note there, and I know I need these two pieces of data, and that should be it for Chrome console. I can just close all that out.

Next, I'm going to be sending fake names. I'm gonna need a names list, so go ahead and just hit up the Internets for that. Top thousand baby boy names, sure, that'll work. Yeah, that'll work perfect. So just select all these, great, let's copy those. We'll make a JSON file, do it like names.json, and paste all those in there. Get rid of this garbage, and then we'll just use a little regex magic to basically take all these names and convert it into an array. Oh, look at that, magic. Come to the top here and add the opening bracket, go all the way to the bottom and add the closing bracket. That's there for the names. We're good, we're good there.

Okay, time to start building the code. I know I'm gonna need a few things: I need requests, I'm gonna need os, I know I'm gonna need random, I know I'm gonna need string, I know I'm gonna need json. I'll need a character list and a random seed. I have this URL that'll be sent a request to, so I'll put that into a url variable. Next I need to open and parse the names, so names equals json.loads, open names.json, and then read, and I can start my loop: for name in names.

So I have the name, but I also need like name_extra, and I need that because I need a few extra digits on the end, just to, you know, make the thing seem like it's more of an email, so I'll just add a few digits to the end of that. I'll then do the username, which will be the lowercase name plus the name_extra plus, then I'm just gonna do like @yahoo.com, that'll be fine. Password will be similar to the name_extra: I will just join a random choice of characters, I will just do like eight of those, that should be fine.

To set up the actual call to the server, we use requests.post, sent to the URL. allow_redirects will be False, that'll prevent us from going to the Craigslist page after, and then the data is going to be basically this here, because we saw that these are the two fields that he is sending. Send the username to the first, password to the second.

Let's give it a try to make sure everything's working so far. Yep, it's not outputting anything, but we'll make it output some stuff, so we can add some output to see what it's doing. So print like "sending username and password", and it will put username and password in there. Go ahead and run it again and watch as it works. So right now it's sending all these emails and passwords to his form, and hopefully what this will do is it'll confuse his system into thinking that these are legit, and he'll have a hard time distinguishing between the legitimate ones and the fake ones. And we're done.

I can't stand scammers, so I thought this would be a fun way to both waste this guy's time and show you something cool in Python. So if you liked the video, let me know in the comments. See you next video.

Info
Views: 4,823,058
Rating: 4.8996387 out of 5
Keywords: craigslist scam, python, messing with scammers, engineer man
Id: UtNYzv8gLbs
Length: 5min 26sec (326 seconds)
Published: Sun Jul 29 2018