Phishing in Buffalo, USA: How they can steal your money easily.

Nardo Nykołyszyn, published in Bit Concept, Oct 11, 2018 (5 min read)

Have you ever asked yourself whether the websites you visit so often, and all those emails from your Xbox subscription, your bank, your Apple ID and every other account you have, are genuine?

No matter how much you think you know, this is a vast world and at some point you will run into bad people who will try to take you down. The story I am going to tell you is completely real; it is about some assholes who ended up barking up the wrong tree.

First of all, what is phishing?

Phishing is a social-engineering attack in which the attacker sends a message that imitates a trusted party (your bank, Apple, a game subscription) to trick you into handing over credentials, card numbers or other personal data, usually through a link to a fake site. It has more targeted variants, spear-phishing and whaling; let me explain each one.

The key difference between whaling and spear-phishing is that whaling attacks target specific, high-ranking victims within a company, whereas spear-phishing attacks can be used to target any individual.

As you can see, this attack is aimed at end users, and sadly there are still people who trust everything on the Internet. They believe they can earn a million dollars just by clicking an advertisement, and that is exactly why criminals can so easily steal personal information such as credit card details or ID card numbers. In the old days those people used crude methods, like calling you at work pretending to be an employee of your bank. Today they build complex and barely detectable ways to steal your information. Do you still think you are safe right now?
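As an added example (not code from the original post), here is a small Python triage script that checks a raw e-mail for the signs of phishing just described: a display name that claims a brand the sending domain does not own, a Return-Path that does not match the From domain, failing SPF/DKIM verdicts in the Authentication-Results header, links that point at a bare IP address or a lookalike host, link text that names a different site than the href, and pressure wording about blocked accounts and card details. The two sample messages, every domain and address in them, and the brand list are constructed for this example.

```python
"""Added example, not from the original post: triage a raw e-mail for the signs of
phishing described above. Every address, domain and message here is constructed."""
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

BRANDS = ("apple", "xbox")  # sample list of brands worth checking for impersonation
URGENCY = re.compile(r"credit card|card number|verify your|will be (?:blocked|suspended)|within \d+ hours?", re.I)
URL_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # enough for mail HTML

def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough to compare mail and link domains."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def claims_brand(text):
    """Brand named in a display name or hostname, or None."""
    return next((b for b in BRANDS if b in text.lower()), None)

def owned_by(brand, host):
    """Heuristic: the registered domain is the brand itself (apple.com), not a lookalike."""
    return registered_domain(host).split(".")[0] == brand

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def triage(raw):
    """Return (code, detail) findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]  # assumes one well-formed From address
    findings = []
    # 1. Display name claims a brand that the sending domain does not belong to.
    brand = claims_brand(sender.display_name)
    if brand and not owned_by(brand, sender.domain):
        findings.append(("display_name_mismatch", f"{sender.display_name!r} sent from {sender.addr_spec}"))
    # 2. Envelope sender (where bounces go) is a different domain than the visible From.
    rp = re.search(r"<[^>]*@([^>]+)>", str(msg.get("Return-Path", "")))
    if rp and registered_domain(rp.group(1)) != registered_domain(sender.domain):
        findings.append(("return_path_mismatch", f"From {sender.domain}, Return-Path {rp.group(1)}"))
    # 3. SPF/DKIM verdicts the receiving server recorded.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        verdict = m.group(1).lower() if m else "missing"
        if verdict != "pass":
            findings.append((f"{mech}_{verdict}", auth.strip() or "no Authentication-Results header"))
    # 4. Links: bare IP targets, lookalike hosts, visible text naming a different site than the href.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in ANCHOR.findall(html):
        host = urlparse(href).hostname or ""
        if is_ip_literal(host):
            findings.append(("link_ip_literal", href))
        elif (b := claims_brand(host)) and not owned_by(b, host):
            findings.append(("link_lookalike", href))
        shown = URL_LIKE.match(re.sub(r"<[^>]+>", "", text).strip())
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append(("link_text_mismatch", f"shows {shown.group(1)}, goes to {host}"))
    # 5. Pressure wording: blocked accounts, deadlines, requests for card data.
    hit = URGENCY.search(re.sub(r"<[^>]+>", " ", html))
    if hit:
        findings.append(("urgency_language", hit.group(0)))
    return findings

# Constructed sample: the kind of "Apple" mail the post describes.
PHISH = """\
Return-Path: <bounce-17@relay-bulkmail.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=relay-bulkmail.example; dkim=none
From: "Apple Support" <no-reply@appleid-secure-verify.example>
Subject: Your Apple ID will be blocked
Content-Type: text/html; charset="utf-8"

<p>Due to our Privacy Policies your phone will be blocked within 24 hours unless you
verify your credit card information.</p>
<p><a href="http://203.0.113.10/appleid/verify">https://appleid.apple.com/</a></p>
<p><a href="https://appleid.apple.com.appleid-secure-verify.example/login">Sign in to your Apple ID</a></p>
"""

# Constructed sample that passes every check (domain names are illustrative).
LEGIT = """\
Return-Path: <bounce@email.apple.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=email.apple.com; dkim=pass header.d=email.apple.com
From: "Apple" <noreply@email.apple.com>
Subject: A new device signed in to your account
Content-Type: text/html; charset="utf-8"

<p>If this was you, no action is needed. Otherwise review your devices at
<a href="https://appleid.apple.com/">https://appleid.apple.com/</a>.</p>
"""

if __name__ == "__main__":
    for code, detail in triage(PHISH):
        print(f"{code:22} {detail}")
    print("legit:", triage(LEGIT))
```

The lookalike check is deliberately simple (the registered domain must be the brand name itself), so in practice you would keep an allowlist of the sender domains your bank or vendor really uses. The point is that each signal is cheap to compute, and a message like the one in the story trips nearly all of them at once while a genuine notification trips none.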

Let’s begin

It was a Friday night and I was finishing up some documentation when suddenly a friend of mine called me. She seemed so scared that she was about to break into tears. I asked her if she was OK and what was happening; she had received an apparently legitimate Apple email which said she had to provide her credit card information or her phone would be blocked due to their “Privacy Policies”. Immediately I said, “Nobody will ask you for your credit card information this way!”.

Imagine this situation: some bad guys steal your credit card information. The first thing that comes to mind is “I will lose all my money”, but that is not the worst part. Imagine they sell your information and your card is used to buy drugs or guns, and then there is a murder with those guns. The police will look for the owner of the card used to buy the guns (you), and how will you explain that your data was stolen if you never noticed it?

Then I asked her for the email, and it seemed real, with the same Apple certificate, the Apple email address, and everything! If I weren’t me, I wouldn’t have noticed it. I saw that after she entered her information she was redirected to a strange URL, and that was the only thing I needed; she had given me a clue.

I started to use my skills. The first step: resolve the IP address. The next step: geolocate it. To my surprise, I found this picture.

IP Location

Boom! I thought those guys were geniuses; surely they had put a Raspberry Pi or something like it above some scuttle, connected to that public network.

The hostname you see below belongs to a US company that provides Internet service to public places in the United States. Nobody would think that a company like that was a robber or a criminal. Perfect crime!

At that moment I felt I had to do something else. Those guys probably had all that traffic in their database; maybe they had my friend’s information, and given how fancy the attack was, I was sure they had a lot of data behind the scenes.

I used a common tool called Nmap to look for all the open ports at that IP address; they had services such as Apache, MySQL, and OpenSSH.

There are several basic steps in the pentesting and information security world.

I had to get a connection to “their” server, but how? I started looking for vulnerabilities in their service versions at https://cve.mitre.org/, and I found their OpenSSH version was unpatched: apparently the source code was affected by a bug which allowed access to be granted using a flag in one of the authentication strategies, so the only thing I needed to do was:

$ ssh IP_ADDRESS -vvv

With the above command the SSH client runs in verbose mode, displaying every step of the authentication process, and there I found the bug!

I coded a small and simple exploit in my favorite programming language, Ruby, and put my hands to work.

It took me less than 10 minutes to get access to their server, and then I found they had a MySQL service with all the victims’ information and a small trigger that sent every record, right after it was created, to another Raspberry Pi of theirs. Do you know where? Yes, the IP address was located in one of the worst neighborhoods in Buffalo; they were more stupid than I thought. Since I assumed they already had every single record on another local server, I destroyed the whole database. Immediately I sent an anonymous email to FBI agents with all the proof.

Fortunately, two weeks later I found out that the server was down; the company that owned the public network had no need for a web server such as Apache or anything like it. The device was successfully removed from that square, and if life is good enough, those assholes are behind bars.

Cybercrimes are seriously punished in countries like the United States. If you think being a hacker means stealing information or money, you are completely wrong. Every action you take with a keyboard comes with serious consequences.

I’m pretty sure that my friend won’t make the same mistake twice.


Software Engineer and Data Scientist | Reduce mutability as much as possible.