The great thing about this white hat kind of project is there’s always more work to be done. Great for intermediate beginners that like trolling as a force for good
Yes, there are better ways to do it. Yes, you should share them here. No, you shouldn't berate Engineer Man for not doing them. He did 90% of the work that cost 10% of the time here. He isn't going to turn his 5 minute video into half an hour just to squeeze out that last 10%. It's a proof of concept, people.
ofc you are not going to show all the parts! I don't even know who was that stupid to think you gonna... nice job! :) ;) btw I just like to rat them & destroy all of their equipment! :D perament damage! :P
that 10% is the difference between pwning the scamming bastard and being swatted like a fly. besides, i could make something much better in around 10 minutes.
Yea things like this are brilliant for learners because it makes them actually want to learn more and try this out . This is a great little project and videos like this is literally how I got into coding and actually started coding in my free time
Great video. :-) Reading through the comments, I'm reminded of the classic joke: Q: How many programmers does it take to change a light bulb? A: 35. One to actually change the bulb and 34 to say after the fact, "I could have done that better."
To make it harder for him to sort through the list, you should just random select from the list of top 10k commonly used passwords instead of auto generating them.
Isn't it also likely the scammer would be able to reasonably discard the fake data he sent by looking at the time and the IP address they are coming from?
@@hereandnow3156 yeah he definitely shouldve used a vpn and something like the rockyou password list to be safer and more effective, still a good idea though
@@hereandnow3156only if he logs the IP with the username and password otherwise he's going to have to comb through access logs that he may or may not have
Unless you have that thing running all the time (looping), then your requests will all basically be in one giant block with 8 character passwords. It would be easy for him to crop them out. It would be better to kick them out slower with a bigger name base that's more randomized with passwords that are better randomized (including length). And run it constantly.
True. But chances are, the scammer wont get an awful lot of legitimate emails (I would hope in this day and age) so leaving this running on a cloud VM 24/7 with a few extra providers would make spotting real stuff almost impossible. This is great stuff and should certainly be made available to 419baiter too. Love it :)
Would be even easier if he's saving the remote IP address with them all, especially if it's going into a database where he could just use a limit and group on the select.
Seriously. It'd take 30 seconds to make a regex that'd clean this shit up. Emails are all in this format: /[a-z]*\d@yahoo\.com/g Passwords are all in this format: /.{8}/g If he's got the know-how to make a phishing page, he's got the know-how to make a regex that fixes your shit.
And different TLDs for the e-mail address. Make the random number length variable and sometimes come before the name. Maybe throw in a dictionary as well.
A way to make this more convincing would be to have a 1000 most common passwords json file and a 10 most common email providers json file (or just a list), load those and it will be very convincing. Also, you could make it randomly sleep or get it done in batches as well if he stores a created_at time.
I think this is my new favorite channel... My apartment complex made us register times to use facilities during Covid. They released the availability to register for gym/spa/exercise room EXACTLY 7 days in advance, and they all got booked immediately through the UI- it was very competitive. So, I back-engineered the site and wrote a python script to sign up for whatever future gym times I wanted. It never failed. I love to see other quality abuses of python!
Maybe a better idea is to try to make passwords seem legit, also adding random names or literally the whole dictionary, cuz not everyone makes their passwords in symbols, but instead words or phrases, so if he just scrolls through the yahoo and passwords lists and find a combination that seems unique, he will know which one is the real one and which one is not.
or he can just delete all of the emails and passwords starting from -email- and as password, -password-. The 2 ints he used to see where emails and passwords go.
You should randomize the length of the password, and randomize the domain of the email. As it is, all he has to do is filter out all yahoo domains with a password length of 8, and he would have minimal loss of acquired real passwords.
yeah thought his generation algo was a bit dodgy, no last names, no full stops or underscores etc, just one name, one letter, same domain, all random 8 char passwords
there is always room for improvement, but to show how easy you can overload a spammer with a short python program really opened my eyes on what you(anyone really) can do.
it's quite easy to filter out as they were all sent in a short time span, all with a yahoo email from the same address, not to mention that they all follow the same structure for name generation, and that the passwords use special characters in passwords (which im not sure craigslist does).
I've been learning C for the last two months and I'm so damn happy that I can understand what you're doing. I doubt I could implement it right now, but just understanding it is so cool to me.
@@zaftmonkeynuts5052 That's the point of studying, isn't it? Learning, enjoying, practicing the code. Yeah, I can't use Python, but I'm learning the foundation necessary to pick it up in the future. I can craft little things in "C" at the moment, and yeah... It's a different syntax, but the same fundamental rules apply. The joy is that - two months ago- I couldn't even program a "Hello World" script. I can now. Shoot, I've made some extremely awesome things that would take YOU two seconds to do. Even then, Good Lord, I see the vast difference between me in December and me now. Feels good, man.
I feel this completely! I have to understand something and set an objective in mind in order to learn it. As a little kid, those connections were formed by Neopets. I picked up a really impressive amount of HTML and CSS for a 6-8 year old. I was aiming to learn Python next, but alas life had other plans. I had a passion, but as I got older nothing helped make things "click". I lost that passion for years. But then RU-vid started recommending me these more advanced "taking down scammers" videos and for the first time in forever I'm forming these connections and I'm absorbing it all like a sponge. I'm so freaking excited! The other day I made a simple little thing in Python that responds to birthday posts on Facebook with a "thank you" so I didn't have to do it myself. Such an easy little project but I did it myself and it feels so damn good!!
@@midnari I agree, it’s literally the same feeling as listening to someone bad mouth you in a foreign language and you coming eight back at them and speaking that same language. It just feels good. By all regards, coding in all its forms, is a new language and the feeling you get from understanding it and learning to implement it is the best feeling in the world.
I understand most of it but I don't really know Python so I was a bit confused at some of the things he did, like the .join(random + for loop). How does that work? You can just put a loop inside a function parameter and it will make the function execute every time it loops? Or does it make the random function execute 8 times and add the characters together?
This is honestly not that hard to do and doesn't require that much knowledge, maybe he prepared for it, but if you know how to send requests in python, then it's completely feasible to write this sort of thing off the top of your head
CabinDoor A seasoned security professional could do this without Python in 10 secs if there are no CSRF tokens present. Maybe a minute or two if you need to provide a valid CSRF token. It's that easy.
I don't know anything about coding and I don't know anything about python. But I also hate scammers. And I found the speed and clarity of this presentation very satisfying. Especially the part where all the fake emails start popping up to waste this guys time lol 10/10 l33tHax0r ^^
The one thing is. I like to study programming start with HTML and C# just to start of but hell the tutorials on yt are a bunch of indians with cringy-monotone english accent. Creepy it is.
A couple extra ideas: 1) I did similar, but I grabbed tom sawyer off Project Gutenberg and used it for usernames. 2) The user agent can be long, like 2k long. The user agent gets logged. The log is often on tmpfs, Which is smaller than the user space. (It just crashed, Idon't know why. ) 3) randomly generate the domain from the same words so he can't just delete all yahoo addresses. 4) the domain is hosted on godaddy, you should report it to godaddy abuse.
I work in computer repair and I get numerous people coming in and calling due to scammers. This just brings me all types of joy. Keep up the good work.
Nice job! Similar story: I was being texted non-stop from some outfit in Miami that said "we buy junk cars!" in English and in Spanish, along with their phone number, which was a disposable Metro PCS mobile number. After repeatedly asking them to take me off of their spam list, they ignored me every time; they hung up on me, never took my name off their list, and kept texting me. So I thought, if they want phone calls, they're gonna get some phone calls. I opened a Twilio account and put $20 on it, then wrote a script that told them what my number was and that I wanted it removed from their spam list. I wrote a simple PHP script to call the Twilio APIs and then put it to work, calling every two minutes for hours on end. I never heard from them again.
Next time, run with different emails other than Yahoo as well in order to prevent them from filtering. Ideal solution would be Proxies, run it for at least 24 hours, and the email ending change in order to prevent ANY form of filtering out the results you placed . Because right now if I was that scammer, I’d just remove all emails ending in Yahoo that were sent in within a time frame, or just remove by IP.
cool but he'll just filter the @yahoo.com since they will be sequential. a better way to pwn this cockgoblin would be to randomize the concatenation of the email service, and set a random timer to drip post into his form. so he might get one in 5 minutes, or 2 hours. let it run in the torrent computer since that thing just sits all day, and maybe run a dynamic VPN as well. that would cripple any data collection effort due to the inability to validate submissions
Mine bitcoin? This video has nothing to do with making money. He doesn't like being scammed, so he fucked with the scammer's day. Also, this isn't 2017. It's almost 2019. Who the fuck mines bitcoin and wants to degrade their computer over time and have an electricity bill of $150+ every month? You are clearly a child.
As someone new to python and still relatively inexperienced with programming this was a fun video to see work in action and the context made it entertaining to think about. I want to find more videos of contextual coding that are more demonstrative like this and less about "the technicality of the programming process'. It gives me ideas to try!
For those who don’t read xkcd, the suggested username would be: Bobby’); drop table usernames; drop table passwords; Depending on the Webserver and back end database this might possibly work, though probably not.
Mmm yes. Using SQL injection, but for the greater good lol. But alas, let's be honest, he's probably just ripped the code from somewhere and hardly edited it at all, which most likely would have sanitation already implamented.
dragon spirit(aka shadow999999) good programmers write good code; *great* programmers steal great code. (The actual line from Eric Raymond’s *The Cathedral and the Bazaar* is less pithy, something like “great programmers know what to rewrite and reuse” but I like this version better)
Nice! To make it even better, the e-mail domains could be randomized, passwords could be less random (there are too many special characters in them), maybe some longer then others, and you could space out the rate in which the info is sent.
lol if his backend is tracking your ip, he can delete them away using a simple regex db trick too. :P you should use multiple ips on top of multiple vpn proxies to confuse the scammer even more.
This is awesome. Thank you for doing this. I also love seeing inside python as I don't know how to do that but it makes it seem like something that would be cool to learn more about.
No time like the present to learn! Python isn't that hard and there are TONS of resources and the learning curve has been made so shallow, you could totally teach yourself if you wanted to. You got this!
Me: Stumbles on to this video Me: Heads on over to my spam folder Me: Opens the first email that looks like a phishing attempt Me: Let's the fun begin... Thanks for this awesome tutorial. I haven't laughed this hard in a long time.
you can always do more or less chars in between. takes 1 change in the code. or add more randomness i suppose. but thats not for a 5 minute video i guess :>
unfortunately it's just a minor inconvenience, no matter how many fake combos you put in the hackers use an automated tool to test them anyways, it won't take long to find the real ones.
Improvement: 1. hide your IP address using tor network to prevent the scammer blacklist out your IP. 2. randomize 'yahoo.com' email with more email providers. 3. deploy to cloud server, randomize the intervals and bomb that service for a couple of days. HAHA.
I would personally use a list of common passwords alongside legit emails: currently, this input is too easily filtered out just from the uniform password length, but also the non-legit emails. Something like this will only work as a time waster if it has a shred of believability.
...in the context of making this seem more legitimate for the scammer, which changing your IP address would do, but you'd have to change it for *every* 'upload' of this to the form; and ensure none of it is repeated, which is an ass unless you have a spare server lying around. And RE your previous comment - that's an oversimplification of how Tor works. You're basically bouncing your traffic through everyone else's, making it harder for an external individual to see what your traffic has been to someone else's, but it's not perfect.
Would have been cool to add variable lengths in the passwords / emails so that the submissions aren’t so uniform. It would be fairly trivial for him to purge the database of all email/password combinations of a certain length.
I would love to see what you could do to the fake steam websites that scammers on rocket leuge use. they get people's steam accounts, steal people's items, and sell them off for real money. it's super effective because of all the little kids that play rocket leuge, and they use websites like steomcommunity-profiles-32327.000webhostapp.com/tommy, since website preveiw in steam DMS only shows the "steomcommunity-profiles" part people could easily misread it.
I just want you to know that thanks to you and your videos, I finally know what to study. Thank you. I was so lost but just watching you work cleared everything for me.
Great video idea. I think a more efficient approach would be to send it over time. Because what he's going to do as a scammer is see everything that came in at a start time and end time notice that he got 10000 or so while phishing. Most likely he will just delete all the data that came in during a certain time frame.
Not sure if anyone mentioned, but you could have tried SQL injection, as he might not be escaping it. Could blow up the whole database if you wanted to.
You probably don't want to upload videos of yourself committing a crime on the internet. Sending fake logins to a scam site to be annoying is quite different from attacking it.
My middle name is "'); DROP TABLE loot;". How is that illegal? :-) I wouldn't consider a little SQL injection as attacking, it's more like poking and anything this simple that can't tolerate it deserves it. But probably not a good idea to tell anyone that you're the hero of the day.
roma98 yeah, mostly it’s just a simple html which sends the input to a .txt file on the phishers pc, or in some cases just shows it on a command prompt.
I've only just come across your channel and I'm amazed at how swiftly you deal with scammers. Have you ever considered teaming up with Jim Browning or, Scambaiter et al? If any of you guys combined you'd destroy scammers globally in a matter of minutes! Great channel. Subscribed!
I’d love to see them do more than ruin a scammers day. Those scammers in India are the absolute sickest people I’ve ever heard speak. The second they don’t get their way, they start cursing the other party out and….idk why but they always like to add insults about the other parties mom, lol. These guys are insanely good at what they do. I’d love it if they took it one step further and messed with the temperature control settings in one of those “call centers”. I don’t know if that’s possible though, they probably don’t have a smart thermostat to hack. It would be funny though to turn their heater up to the highest setting and watching them squirm as they try to turn it down, lol
That form name and url seems a random code. Are you sure the request is always the same? That may be used as a unique ID. If that's the case your code isn't doing anything, but simply overwriting with a new username and password all the time. I would have verified that those fields and url were always the same. Or, if they changed, also looped that with random shit inside my code. Field names could just be part of a "any" type data structure accepting all sort of shit. This means you can maybe even do more damage.
Cute, but you didn't perform some basic checks. Given that the username and password elements appeared to be named randomly, it is possible they are generated dynamically per each request of the main page (as well as the submission URL). The web server could simply be accepting your requests but not recording them as a result. Also, the email addresses are formulaic enough that they could be easily stripped out. I would have gone for a dictionary and a large pool of domain names.
Yep. First thing I saw was this, chances are it was some anti-CSRF PHP script making the fields for the POST vars randomised. Everyone is complaining about how easy it would be for the guy to remove them from his db, I doubt they even got there in the first place!
This guy missed step one: send a report to the hosting provider. By spending time coding this first, the site gets to exist longer and harvest more legitimate accounts. The fake accounts don't do anything to protect the victims. It's as trivial to test fake accounts as it is to generate them in the first place.
There's a difference between being having so little understanding of something that you don't even know where you should begin and thus anywhere you try to start is just an impossible hell, and being lazy. It just so happens that with programming, it's basically impossible to start anywhere that feels productive and like you're actually learning something especially when most people go around berating people that are trying to learn and points them to extremely overly complicated thick manuals and online resources that don't get to what you're trying to learn until 100s of hours of reading that also requires college-level understanding of math and computer science to begin to understand said thick manuals anyway thus making it totally pointless, when all someone really needs is some help. Wow what a rant LOL But that's why channels like this are so awesome, these videos are actually really helpful in learning the concepts involved while showing production and payoff immediately for something you may want to do.
Templarfreak I started to type something similar and gave up, but the starting point and direction is absolutely a deterrent to many in any new expertise
Python, SQL, JAVA, PHP, C++and other programming languages take about three months to really learn, there are a plethora of tutorials here on youtube. The books are for absolute nerds that want to go really deep, but to get the basics of a programming language down takes three months max. After that you get to learn the intricacies of the language on the job. There are plenty of ICT companies looking for interns and people willing to learn it for free. They will give you the courses needed for free and you get a job to boot. see what I did there... anyways stop bi&^%% about something being hard, it's only hard, if you never get of your lazy ass to actually give it a shot and by shot I mean you actually go out and do something about it.
That's awesome thank you for this. Mechanical engineer here, always wanted to work more on the little coding knowledge I have this has been inspiring and entertaining. Subscribed
Some random Luke: "nice! I hate scams too!" Also, some random Luke seeing his email being randomly generated: "well, that explains a lot 🧐👀" Great vid though :)
A great example of data poisoning. Obviously, you could randomize the send interval, the email domain, and proxy-hop to obfuscate the origin of each request. Another technique I've had fun with... submit the Anti Virus test string, lol. This rarely works, but when it does, it's hysterical. They store the collected data as plain text and upload it to cloud storage like Dropbox, google drive etc, where it's flagged as a virus and promptly deleted. It confuses the fuck out of the novice scammer. Looking at the unconvincing password phish, I'd assume either your target had no discernible skill, or they were specifically targeting idiots (which may be the case... you can run a scam for longer if tech-savvy people just ignore you). In a more advanced attack, if you knew anything about their collection methods and how the data was processed after collection, you could do a lot more damage. SQL injection for example. Even seemingly trivial things like using UTF32 characters (especially hybrid glyphs like the Ninja Cat emoji) can really fuck up the collection, and a lot of scammers don't regex those things out, or they do it in the java script on the form page which you can easily bypass. One thing to be aware of.... they may validate email addresses before committing them. They have a mailing list, they bait those specific people and only collect passwords from people who they sent messages to. In many real-world scenarios, this wouldn't work all that well in practice. For that reason a simple DDOS would be of greater utility. This is probably a phish specifically for craigslist accounts for use in spamming. If it were a general cred-sweep targeting email accounts, you could have some fun with that by honey-potting an account and handing it over. A RAT in your Dropbox, maybe some bullshit "classified emails" between US intelligence officers, something that will let you screw with them once they take the bait. I know the point here was to fuck with them quickly, but sometimes it's fun to draw out the engagement.
It would've been a bit more effective if he used a list of common street and pet names to generate passwords, although if the scammer has a script to verify phished login creds then this didn't do much anyway =(
Hey Cool work, You could have also made an array of email domains and randomly assign it to name strings to confuse the scammer more. Coz he may simply filter the @yahoo domain guys now but with randomizing the domain the scammer will be more confused
I'm a beginner, I know nothing about programmer until several months ago when I started doing CS courses for fun. And man, I'm so happy that I could actually understand about 70% what he was doing in this video. After more courses and finishing more fun programming projects, hopefully, my understanding would've reach 100%. Awesome video and fuck those scammers!
I like your vids. They're short and to the point. I don't know any better so I'll trust that you're actually being a headache to scammers. Maybe you'll encourage other with similar skills to do the same and life will become difficult for scammers.
You are causing a guy in India sitting in a cave to have to put his flute down, thereby upsetting his cobra that was rising from a basket. Now he has a pissed off cobra. Your fault, you must be overridden with guilt.
the scammer can add in the php file these: $subj = "Login from".$ip." "; in now he can delete all the fake logins, that came from the same ip address. ;) and he can also prevent you from entering his fake website by blocking your IP using IP deny Manager in cPanel :D The Best way to make a scammer crazy is by reporting his Phishing Page to Google Safe Browsing and spambots. and the phishing page will be down in 24 hour.
You're overestimating the intelligence of a phisher that literally mashes their keyboard to generate entropy. Check out all the "asdasdasd" in the URL and form keys at 1:35.
A fun little prank, but if the guy has any brains he will just exclude all of those that were submitted within a short timeframe or possibly by your IP address if he logged it.
nice work man... you could have create an array for the email domain and randomly take from there , cause now he has loads of yahoo, easy pattern !! nice video!
That generation pattern was so obvious, that i would filter out these in seconds.. This might look impressive to the uninitiated, but to a coder this looks just lazy and pretty low-effort.
Agree, any scammer with the basic level of skill needed to set up that scam will also just instantly delete all those entries in whatever csv file that php script writes and the scammer then reads in excel (most likely)
Sky "i have no idea about code" there there, one day you'll see what we see :) Imagine seeing a crowbar next to your front door, and the door is still closed. Nomatter what you do with that crowbar, the criminal is looooong from here and entirely unaffected by what you do. That's what this video is. Waving a crowbar around telling people he's batman. The counter-scam bubble is worth tapping, it seems.
Thanks for fighting a battle that many of us do not know how to. Scamming takes good money and confidence out of consumers and does significant damage over time as we lose faith in good commerce.
I’m imagining him laying out this process in a video now 😂 “I can’t stand commenters and I thought this would be a fun way to waste the commenters time and hopefully teach you some python😊”