Forum Thread: Been Studying Indian Scammers. Ideas?

Hello fellow greyhats (and others),

EDIT: All Personal infomation and IP addresses have been redacted.

A few months ago I was contacted by some Indian Scammers claiming they were microsoft, of course being completely aware of their pathetic attempt I was about to put the phone down, but for some reason I didn't and was curious about what they would do. I wasn't scared about being inflitrated, I run Linux as my main system.

Anyway, long story short they eventually took me to this website (through a teamviewer session), where they logged in, the url is http://xxx.xxx.xxx.xxx/crm/ which was directed from a domain name which quite clearly isn't a legtimate web design company. When he logged in I clicked the "remember password" button. Which was a big mistake for them. I soon examined the password and found it to be "abc123", I spent a few weeks scanning the web app for vunerabilites and eventually found some php files in the http://xxx.xxx.xxx.xxx/crm/include/ page, there are a few vulnerable PHP files. If you run them, you get some infomation regarding the company, for example transation details, you get a list of the agents working for the scamming company, the person that contacted me was ktsnoida, I soon tried the abc123 password on some of their accounts, and 80% worked, what noobs :P.

I have scanned and they have two ports open, 80 and 3389, and are running windows server 2008 R2 on a VPS, (you can find the hosting companies through whois search on the IP's). So I researched the companies and the back story, and I know the main guy who organises it is called "R...t K...n", and the writer of the rubbish web app is called K....v B....u, by the looks of things, the software developer is a legitmate guy; just rubbish at programming xD The rest of the intel isn't really relevent to inflitrating them; if you want to know anything just ask.

I DDOS'd them a few times, (using sockstress), and have observed their reduced scamming with the /include/transaction_details_db.php page, which shows all transations.

I also changed all their passwords that had access to, to PWNED or pwned. I have noticed they are stopping slowly, however they aren't shut down completely, I want to deface the site or get root access to the server.

I also contemplated DDOS'ing then contacting them in order to arrange a "ransom" type deal; but I couldn't find many good anonymous ways to transfer money, i looked into Bitcoin, but buying and selling bitcoin is difficult anonymously.

Of course here I have all the clients emails, I was contemplating launching a spear phising attack with infectious media in order to get a foothold into their network.

Any ideas guys? Thanks.
pry0cc

Be the First to Respond

Share Your Thoughts

  • Hot
  • Active