Password Reuse & Credential Stuffing

I recently did an interview with @campuscodi of ZDNet that can be read here: Disqus & Kickstarter hacker warns against password reuse. There are a few things I want to expand on that weren’t fully covered, and I want to give a couple of scenarios. It seems like such an obvious and basic security practice to never reuse passwords. I’m sure most of us have that one password that we use on websites we don’t really care about. I’m talking about the Netflix password we might share with our friends and family, a food delivery service, or some forum or game you forgot you signed up for. These websites and databases get breached daily. If you take a look at HaveIBeenPwned, you’ll probably notice that your e-mail address or username is in multiple databases that have been hacked.


Scenario: You’re an employee at a company that a hacker is targeting.

I want to preface this by saying this is strictly a scenario using breached databases and the reuse of passwords. The first thing a hacker would do is gather as much intel as possible about the employee. We’re only going to use three criteria: name, username, and e-mail address. Once those are collected, it’s as simple as searching those three fields on a website to find every username and email address you’ve ever used, along with every known password. From there we would credential stuff any website that could possibly give us more info: a Dropbox account, a project management system, a ticket-based system, or any account that would have your phone number attached. Without giving a complete blueprint, there are only a couple more steps to successfully infiltrate or breach the employee’s company that the hacker was targeting. This is why it is absolutely imperative not to reuse passwords and not to use a common pattern with your passwords.

And then there’s 2FA, which might seem secure, but you’re still at risk of getting SIM hijacked. While I don’t think there’s much you can do to prevent this from an experienced social engineer, it’s still an extra layer of protection that I would highly recommend.
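The defensive counterpart to the HaveIBeenPwned remark above is to check a password against a breach corpus before accepting it, without ever sending the password itself. The following is an added example (not code from this post): it hashes the password with SHA-1, sends only the first five hex characters of the digest, and matches the remaining 35 characters locally, which is the k-anonymity scheme the HIBP Pwned Passwords range API uses. The range response is a constructed sample embedded inline so the example runs offline; the suffix for "123456" is the real one, the counts are made up.

```python
import hashlib

# Constructed stand-in for a k-anonymity "range" response for prefix 7C4A8
# (the first five hex characters of SHA-1("123456")). Line format is
# <35-hex-suffix>:<count>, as returned by https://api.pwnedpasswords.com/range/<prefix>.
# The counts below are invented for this example.
SAMPLE_RANGES = {
    "7C4A8": (
        "D09CA3762AF61E59520943DC26494F8941B:37000000\n"   # suffix of "123456" (real digest)
        "0000AAAA1111BBBB2222CCCC3333DDDD444:3\n"          # filler entry (constructed)
    ),
}


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def lookup_range(prefix):
    """Offline replacement for the network call: a real client would GET the
    range URL for this prefix and receive text in exactly this shape."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password, fetch=lookup_range):
    """Number of times the password appears in the corpus (0 = never seen).
    Only the 5-character prefix leaves the client; the suffix is compared locally."""
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        seen_suffix, _, count = line.partition(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


def acceptable_password(password, fetch=lookup_range):
    """Policy check for a signup or reset form: reject anything present in the corpus."""
    return breach_count(password, fetch) == 0


if __name__ == "__main__":
    for pw in ("123456", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times, acceptable={acceptable_password(pw)}")
```

Because the whole range for a prefix comes back (hundreds of suffixes in the real service), the server learns only that the password's hash starts with one of 16^5 prefixes, not which password was checked.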

Hacking, My Demise.

The constant need for new data, and the unavailability of it for purchase on the dark web, forced me to become an extraordinary hacker. I’ve always considered myself exceptionally gifted when it comes to reverse engineering, whether it be code, people, businesses, or websites. I’m telling you this because to me, hacking isn’t what’s portrayed on television and in movies. Most people have the perception of hacking as fast typing and Matrix code being displayed on screen. It’s the complete opposite. It’s a slow, difficult grind that sometimes takes an extremely long time. I can recall working on hacking multiple sites, spending hundreds of hours and even months on obtaining their databases.

I don’t recall the first “real” website I hacked, but some of the most notable ones that gained media attention and what ultimately led to my demise courtesy of the US Government were: airbnb.com, bitly.com, disqus.com, dropbox.com, facebook.com, flickr.com, groupon.com, imgur.com, kickstarter.com, kik.com, linkedin.com, netlog.com, okcupid.com, pinterest.com, rediff.com, reverbnation.com, shopify.com, vimeo.com, vine.co, voxer.com, weheartit.com, wix.com, and yelp.com. Now while I didn’t necessarily get the “key to the castle” to all of them (meaning I successfully dumped their database), I certainly hacked into each of them in some capacity.


In my proposed plea agreement it stated that, “I possessed over 168 million stolen email user names and passwords and proprietary information belonging to nearly two dozen corporations.”

I made no exception to target any top tier website that would contain large databases, specifically in the Alexa.com’s top 100 websites. Some will say that my actions were extremely nefarious, but I still lived within my own code of not dumping anything other than emails, usernames, and passwords. It was a flawed code, but unlike most nefarious hackers, I still had one that I lived by.

Hacking Yahoo with XSS

The first time I remember reading about XSS was when the Samy worm was created on MySpace in 2005. In fact, I had actually used different XSS techniques to bypass MySpace’s filters during my operation.

Anyways, the first time I saw a Yahoo XSS was on another spammer’s landing page that was promoting a work-from-home program. My friend owned the program he was pushing and wanted me to check out his landing page and see how he was making $5,000/day. After investigating it for a few minutes, I saw that there was a bit of code loading from the domain yahoo.com. This was unusual, because there wasn’t any reason why any assets from yahoo.com should be loading. I captured the headers and saw that it linked back to hk.groups.yahoo.com or something similar. There was a forum on the page that was vulnerable to a persistent XSS attack. He was stealing Yahoo users’ session cookies and mailing with them.


After understanding the intricacies of this operation, I wasn’t too surprised that he was clearing $5,000/day. Within the hour, I found the injection point and had injected my own code into the vulnerable Yahoo forum. Now, when you steal a user’s session cookie it means that you don’t need their login credentials: no email, no password, nothing. You were already logged into their account by having their cookie. The worm was fairly simple: you grab the user’s cookie, hit mail.yahoo.com, and send mail to everyone in their address book. Once users read the email and visited the website that was sent in the email, it would grab their cookie and go through the process all over again. Yahoo killed the vulnerable website in just a couple of days, but not before I made close to $30,000.

For me, hacking and spamming are a high that can’t be replicated. Over the next year, I would go on to find more XSS exploits, once again playing cat and mouse with Yahoo’s security team. The most infamous XSS exploit that I found was on the Yahoo developer’s blog. It was a publicly known exploit, but for me it was a chance to slap Yahoo in the face. Now I didn’t necessarily have a grudge against Yahoo, but at the time they were offering security researchers a $12.50 voucher to their store for these same exploits that put every user on Yahoo at risk.

On this particular XSS vulnerability and worm, I hacked over 5 million accounts and sent over 25 million emails in a 3-day period. At the peak of this worm I was making $1,000 every 10 minutes. I was promoting a work-from-home program that paid $100 per sign up and I accumulated over 2,500 sales; do the math on that one. This caused havoc for Yahoo and eventually led them to change the way they stored cookies.
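The worm described above worked because script injected into a forum page could read the session cookie and because the forum echoed user input unescaped. The following is an added example (not code from this post, and not Yahoo's fix) of the two defensive changes that break that chain: issuing the session cookie with HttpOnly, Secure and SameSite so page script cannot read it, and HTML-escaping forum text before rendering. It also includes a small audit helper for checking an existing Set-Cookie header; the cookie name "sid" and the session value are assumptions.

```python
from http.cookies import SimpleCookie
import html

REQUIRED_FLAGS = ("httponly", "secure", "samesite")


def build_session_cookie(session_id, httponly=True, secure=True, samesite="Lax"):
    """Build a Set-Cookie value for a session identifier.
    HttpOnly keeps it out of document.cookie, so script injected into the page
    cannot read it; Secure stops it travelling over plain HTTP; SameSite limits
    when browsers attach it to cross-site requests."""
    jar = SimpleCookie()
    jar["sid"] = session_id           # cookie name is an assumption for the example
    jar["sid"]["path"] = "/"
    jar["sid"]["httponly"] = httponly  # flags with a false/empty value are simply omitted
    jar["sid"]["secure"] = secure
    jar["sid"]["samesite"] = samesite
    return jar["sid"].OutputString()


def audit_set_cookie(header_value):
    """Return the protective attributes missing from a Set-Cookie value.
    Handy for checking what an application actually sends."""
    attributes = {
        part.strip().split("=", 1)[0].lower()
        for part in header_value.split(";")[1:]
    }
    return [flag for flag in REQUIRED_FLAGS if flag not in attributes]


def render_post(body):
    """Render forum text as HTML. Escaping <, >, &, " and ' is what turns a
    persistent XSS sink into inert text on the page."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


if __name__ == "__main__":
    hardened = build_session_cookie("constructed-session-id")
    legacy = build_session_cookie("constructed-session-id", httponly=False, secure=False, samesite="")
    print(hardened, "-> missing:", audit_set_cookie(hardened))
    print(legacy, "-> missing:", audit_set_cookie(legacy))
    print(render_post("<script>alert(1)</script>"))
```

HttpOnly does not stop an injected script from sending requests as the logged-in user (the browser still attaches the cookie), so output escaping remains the primary control; the cookie flags limit what a successful injection can carry away.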

Here are a couple of articles detailing the exploits:

Hacking Databases 101

There was always a constant need for fresh databases. It was the fuel that kept my spam operation running. The only options back then were to buy them from a sketchy source, which was probably a fed or a scammer, or to hack them yourself. I don’t know what caused me to have such a great belief in myself, but I remember thinking, “What can any other hacker learn that I can’t?” I looked at it from a completely different perspective than I did sports like basketball, football, or baseball. It didn’t require you to be physically gifted or talented. I used the same tool everyone else had access to: Google.

I learned how to hack using Google. I think the first thing anyone learns when it comes to hacking is SQL injection. After spending an hour reading about SQL injection and downloading Havij, I was ready to begin hacking. I set my goals high and wanted to only hack the largest databases. To do that, I first needed to see what the most popular websites online were. So I headed over to alexa.com and downloaded the top 1M websites list. I had my programmer create software that would search each site on Google with a dork list and check to see if the website was vulnerable. When it was done it would look something like this:

site:domain.com inurl:php?*=*
site:domain.com inurl:asp?*=*
site:domain.com inurl:cgi?*=*

etc

This would search Google for all injection points and place a ‘ after the = sign. If an error came back, it meant the website was vulnerable. I admit it wasn’t a sophisticated method at all, but the number of positive hits that came back was astounding. In fact, there were too many results; it got to the point where if the website didn’t have more than 100k records, I wouldn’t even bother dumping them. I hacked hundreds of websites using this method that I basically taught myself in less than a couple of hours. At this moment I realized how far security really was behind technology. This would go on to provide me a steady stream of data for almost a year.
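The quote-and-look-for-an-error probe works against exactly one coding pattern: the URL parameter pasted straight into the SQL text. The following is an added example (not code from this post) that shows that pattern beside its parameterized replacement on an in-memory SQLite table, and a small probe that reports whether a quoted input reaches the SQL parser, which is the same signal the post's scanner relied on. The table and the rows are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory table with constructed rows; one name legitimately contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("O'Brien",)])
    conn.commit()
    return conn


def vulnerable_lookup(conn, name):
    """The pattern the dork-and-quote probe detects: the parameter is concatenated
    into the statement, so a quote in the input alters the SQL instead of the value."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, name):
    """Parameterized query: the value travels separately from the SQL text, so a
    quote is just another character in the data. The hardened form of the above."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def probe_result(query_func, conn, value):
    """What the post's scanner was looking at, from the defender's side:
    'error' means the input reached the SQL parser (the finding), 'ok' means
    the quote was treated as data."""
    try:
        query_func(conn, value)
        return "ok"
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "alice'", "O'Brien"):
        print(f"{name!r}: concatenated={probe_result(vulnerable_lookup, db, name)}, "
              f"parameterized={probe_result(safe_lookup, db, name)}")
```

Note that the concatenated version also breaks on honest input such as O'Brien, so the same fix removes both the injection point and a functional bug; a server that returns database error text to the client is what made the probe visible from the outside.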

Twitter v1.0

In the spam game, staying current with the trends is just as important as in any other marketing job. I’ve always had an eye for trends and being able to predict the next big social media website. By 2011 Twitter had grown to over 250 million members and had no plan of slowing down. This made Twitter a prime candidate for my next spam operation. Back then there was no security; I don’t even think they had a security team, to be honest.

The operation would be fairly simple and would have the same concept as most of my operations: take the email and password combinations from the databases I owned and check to see if they used the same password. I was amazed at not only how many worked, but how many people actually had a Twitter account. The thing is, if you had a Twitter account you probably used the same password you signed up to any other site with. The raw number was about 10% (that’s not excluding whether the email address was even registered on Twitter). At the time that was somewhere in the neighborhood of 3 million valid Twitter accounts.

The second function of the software would DM the account’s followers and send out a tweet. The first campaign I ran was a bizop offer. Bizop was my go-to because it appealed to everyone and yielded the highest return. I mean, who doesn’t want to make money from home?

While the campaign was a success, netting thousands of dollars a day, the risk didn’t seem worth it. What I mean is there were hundreds of websites asking “Did Twitter get hacked?” and “Help! My Twitter account has been hacked”. Not only that, journalists and bloggers alike were writing about the havoc I was causing on Twitter.


For now, the operation was on the back burner and I would revert back to the more quiet operations.

Singlesnet.com – Hacked.

There weren’t ever any reports made by the media, or even a response from Singlesnet. Now I’m not sure exactly when it was hacked, but I came into possession of this database from a trade I did with a friend. The date on the file was 2011, so I’m assuming it was hacked not long after eHarmony. In fact, this database was just as glorious as eHarmony. It contained 16 million records of emails and plaintext passwords. I treated this database the same way I did eHarmony. The contact mail operation was back in full force. I actually found the farticle (fake news article) I used to promote the work-from-home programs.


The Birth of Contact Mail

After receiving the eHarmony database, I had to do some serious brainstorming on how I could maximize the profits with this data. I knew that the people who already had the database would be sending all kinds of dating offers to the e-mail addresses. I also knew that I would be able to mail to the same list, but I didn’t want to compete with the other guys. I had to think outside of the box, so I thought back to my very first MySpace operation nearly three years ago and came up with the brilliant idea to e-mail the contacts in the address book. Little did I know how much this method would change the spam game forever.

The software created would attempt to log in to hotmail.com and check whether the user used the same password as they did on eHarmony. You have to remember this was back in 2010 and people weren’t as educated about security as they are today. So after running the accounts through the software, about 25% of the people used the same password. When it was finally done I had around 1 million valid Hotmail accounts that I could mail with.
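Both the Twitter run (about 10% of replayed pairs worked) and the Hotmail run above (about 25%) have the same shape from the receiving site's side: one source trying many different usernames with a low success rate. The following is an added example (not code from this post) of the detection logic a login service could run over its own authentication log to surface that pattern and list the accounts that were logged into from the flagged source, which are the ones to force a reset on. The log lines and their format are constructed for the example; the addresses are documentation ranges.

```python
from collections import defaultdict

# Constructed auth log: "<time> ip=<addr> user=<name> result=<ok|fail>".
# 203.0.113.9 replays leaked email/password pairs across many accounts;
# 198.51.100.7 is one person who mistyped their own password once.
SAMPLE_LOG = """\
2011-03-01T10:00:01 ip=203.0.113.9 user=alice result=fail
2011-03-01T10:00:02 ip=203.0.113.9 user=bob result=ok
2011-03-01T10:00:02 ip=203.0.113.9 user=carol result=fail
2011-03-01T10:00:03 ip=203.0.113.9 user=dave result=fail
2011-03-01T10:00:03 ip=203.0.113.9 user=erin result=fail
2011-03-01T10:00:04 ip=203.0.113.9 user=frank result=ok
2011-03-01T10:00:04 ip=203.0.113.9 user=grace result=fail
2011-03-01T10:00:05 ip=203.0.113.9 user=heidi result=fail
2011-03-01T10:00:09 ip=198.51.100.7 user=ivan result=fail
2011-03-01T10:00:15 ip=198.51.100.7 user=ivan result=ok
"""


def parse_line(line):
    """Return (ip, user, succeeded) from one constructed-format log line."""
    fields = dict(part.split("=", 1) for part in line.split()[1:])
    return fields["ip"], fields["user"], fields["result"] == "ok"


def summarize(log_text):
    """Per source IP: distinct usernames tried, attempt count, usernames that succeeded."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, user, ok = parse_line(line)
        entry = stats[ip]
        entry["users"].add(user)
        entry["attempts"] += 1
        if ok:
            entry["successes"].add(user)
    return stats


def flag_stuffing(log_text, min_distinct_users=5, max_success_rate=0.5):
    """Sources that look like credential stuffing: many distinct usernames from
    one address and a low hit rate (the 10-25% the post reports is typical).
    Returns {ip: sorted usernames that logged in from it}, i.e. the accounts
    whose reused password is now confirmed and should be reset."""
    flagged = {}
    for ip, entry in summarize(log_text).items():
        rate = len(entry["successes"]) / entry["attempts"]
        if len(entry["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = sorted(entry["successes"])
    return flagged


if __name__ == "__main__":
    for ip, accounts in flag_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; compromised accounts: {accounts}")
```

The thresholds are starting points, not constants; a real deployment would bucket by time window and treat a shared NAT or corporate proxy (many legitimate users, high success rate) differently from a replay source, which is why the success rate is part of the rule and not just the attempt count.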

I had just moved from Florida to downtown Los Angeles with a girl I met online, paying $3,800/mo for a condo that I probably couldn’t afford. In fact, at the time, I only had a couple hundred dollars to my name. Hurting for cash and Christmas being right around the corner, this operation had to work.


With little to no start-up cash, I had to bootstrap and think outside of the box once again. I remembered back to my first mailing operation where I used a service that rented cloud servers that allowed you to pay as you go. It was easy to trick the payment processing by using a prepaid gift card, as they would only check your card for $1 and bill you at the end of the billing cycle. It cost me $20 for a prepaid tracfone which was used to verify my account on the cloud service. It was their security precaution for my previous endeavors with their service.

I created 15 servers, which meant that I was able to place my mailing software on each one. This meant that I had the power of 15 mailers. At approximately 100 mails per second across 15 servers, I was sending nearly 100,000 e-mails a minute. I didn’t realize exactly how fast this was, but I was soon going to find out. At the time I was promoting a bizop offer, which is basically a make-money-from-home program. It was a program that would pay me around $40 per sign up. At the peak hours of the day I was making something like $10,000 an hour. The adrenaline rush, excitement, and anxiety that this caused was unmatched by any drug I had ever tried. Over the weekend, I had accumulated something like 8,000 sign ups. That’s right: over 15,000,000 e-mails sent and $300,000 in revenue generated from a free database, a $20 tracfone, and a $10 gift card.


This was the first time that the internet was introduced to “contact mail”. It was also the first time that the advertiser (the person who owned the program) experienced this type of traffic. The advertiser was irate once he found out how the sales were generated and called it all fraud. While in a sense I did agree it was deceptive, what couldn’t be disputed was the fact that there was a ton of money generated and sitting in his bank accounts. We ended up settling on an agreement of $100,000 and parted ways. I was 21 years old and this was definitely the most money I had ever seen. It was a moment in my life where I knew I had discovered something great and would be set financially for a very long time.

Eharmony.com – Hacked! The Database that Changed Everything

The first reports of eHarmony.com being hacked came out in 2011, and supposedly only a portion of the users were hacked. It’s ridiculous how wrong these “security researchers” and journalists can be. The truth is this database was actually hacked in June of 2010 and finally came to the public/underground market of Carder.biz in 2011. I came across this database from a user on the now defunct forum DigitalGangster.com. I didn’t know the guy, but I boasted about my mailing operation and told him we could make a ton of money off this data. He ended up sending me the entire database of 20+ million usernames, emails, and MD5 hashes. To be honest, I blocked the guy as soon as I received the SQL file and never heard from him again. Back then I only knew of 4 people that had this database and I knew it would be a race to hit it first.


I knew if I did everything right I would easily make a million dollars off this database. There was a problem though: all of these passwords were encrypted in MD5. Now for those who don’t know what MD5 is, it’s the most basic encryption and looks like this.

Hash: e10adc3949ba59abbe56e057f20f883e
Decoded: 123456

Since I didn’t have the computing power to crack these hashes, I went ahead and used the Chinese-operated service cmd5.org. They gave me a great deal and solved most of the hashes easily. The encryption was actually the user’s password in UPPERCASE, hashed using MD5. So after all the hashes were decrypted, I just had to convert them to lowercase. The fun was about to begin.
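Two details above explain why a lookup service could answer most of those hashes: MD5 is fast and was used without a salt, so one precomputed table serves every user, and uppercasing before hashing collapses every case variant of a password into one digest. The following is an added example (not code from this post) that reproduces the page's own hash for 123456 with that scheme, shows the case collapse, and puts a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) beside it for contrast. The candidate word list is constructed; the iteration count is an assumption.

```python
import hashlib
import os

ITERATIONS = 200_000  # assumed work factor for the contrast case


def legacy_hash(password):
    """The scheme the post describes: uppercase the password, then unsalted MD5."""
    return hashlib.md5(password.upper().encode("utf-8")).hexdigest()


def precomputed_table(candidates):
    """Map legacy digest -> uppercase candidate. With no salt, one table built once
    answers every account in the dump, which is what a lookup service sells."""
    return {legacy_hash(c): c.upper() for c in candidates}


def recover(legacy_digest, table):
    """Return the uppercase candidate for a digest, or None. The original casing is
    not in the hash at all: 'Secret', 'SECRET' and 'secret' share one digest, which
    is why the post had to guess lowercase afterwards."""
    return table.get(legacy_digest)


def salted_hash(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash. Same password with a different salt gives a different
    digest, so no shared table works, and each guess costs <iterations> rounds."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored, iterations=ITERATIONS):
    """Recompute with the stored salt and compare; this is the only way to check it."""
    salt_hex, _ = stored.split("$", 1)
    return salted_hash(password, bytes.fromhex(salt_hex), iterations) == stored


if __name__ == "__main__":
    table = precomputed_table(["password", "123456", "qwerty", "letmein"])  # constructed list
    print("legacy :", legacy_hash("123456"), "->", recover(legacy_hash("123456"), table))
    print("collapse:", legacy_hash("Secret") == legacy_hash("SECRET"))
    stored = salted_hash("123456")
    print("salted :", stored)
    print("verify :", verify_salted("123456", stored), verify_salted("123457", stored))
```

The contrast is the point: the legacy digest for 123456 is the same on every site that used this scheme, so it is effectively a public identifier for the password, while the salted value is unique per record and useless outside that one account.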

My First Hacked Database – Hi5.com

The year was 2009 and I had just brokered the sale of the Hi5.com database for the late developer and hacker Ryan D. Johnson aka Rj2. This was the first time that I had my hands on a massive set of raw data. Now I’d had phish lists before, but this was different. This was 20+ million records of usernames, emails, and passwords. I was astonished. I had a massive trove of data, and the opportunities that came with it were endless.


With Facebook on the rise and other social networks starting to die out I needed to change my approach to spamming. This is when I decided to get into the e-mail spam game, but I didn’t have a clue where to start…

The First Hack, MySpace.

I’m taking you back to 2007, and although it wasn’t the first social network, it was the one of my era, and the one that introduced me to making money online. I remember browsing MySpace and being intrigued by all of the comment spam of free ringtones and $500 gift cards to Macy’s and other retail stores. Now at the time, I didn’t exactly understand how this spam worked, but I knew Macy’s or any other retailer wasn’t giving out free $500 gift cards. I did some research and found out that these were actually affiliate marketing offers. The person who sends out the link would earn somewhere between $1 to $2 each time someone filled out the form. For ringtones it was somewhere in the neighborhood of $6 to $12.


Now that I understood the process, it was time to get to work. Before I do anything, I always brainstorm on the most effective way to achieve the best results. In this case, I wanted to get the most sign ups, which meant I needed to get as many people as possible to see my spam. At the time, I was employed at a local pet store that was paying me a whopping $7/hr. After saving a couple of paychecks, I paid $400 to a programmer from the AOL scene to build a custom mass messenger for MySpace.com. I then created a fake profile of an attractive female and mass messaged about 300 celebrities and musicians to check out my new pictures. Little did they know, I created a clear-div overlay (a transparent image that lies on top of my entire MySpace profile) that redirected them to my phish page, regardless of where they clicked on my profile.

I successfully phished the majority of the accounts and continued the process of adding a clear-div overlay on their profiles, which acted as a phishing worm. Soon I was phishing anywhere from 20,000 to 50,000 accounts per day. There was a program called MyChanger that helped automate my entire operation. After the phish were loaded into the software, I would launch my very own free gift card and ringtone campaigns. With this program I could update their profiles, send out bulletins, and even leave comments on their friends’ profiles.


I was 17 years old and cleared $5,000 in my first week of online entrepreneurship. From that day forward, I knew exactly what I wanted to become.