💰 Hacking the Scammers

How someone I don't know hacked the scammers back

DISCLAIMER: This is not my work. I would never and don't condone illegal hacking of scammers

A short while ago I got a text from a random number saying the following:

I knew right away this was a scam, but I also knew that others fall for this all the time; my own wife had fallen for it a few months back. I posted about it in a channel online and someone, let's call them S1n, was ready to get revenge on these lowlifes who wanted to scam random people out of their hard-earned cash.

S1n started out by doing some initial recon. First was an nmap scan (which yielded more domains they use and their region):

Along with this they started browsing the site while intercepting traffic with Burp Suite. The site looked to be a clone of the actual USPS site (Wayback Machine URL):

There were a few interesting requests being made, but all to a different URL. Hm... Gotta make sure this is still the scammers:

Great, they are! The first of these interesting requests was a WebSocket exchange where the client would send a filename and the file's contents were returned.

Interesting... This looks like an easy LFI. And it is!

The LFI gave S1n more information about the environment, so they could look around more effectively than by fuzzing.
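As an added illustration of the bug class above (my example, not S1n's code or the scam site's PHP), here is the filename-to-contents pattern as an unsafe handler next to a hardened one in Python. The WebSocket transport is left out, and every path and file content below is constructed for the demo.

```python
"""Added example, not from the original post: an unsafe file-by-name
handler (the LFI pattern) next to a hardened one. Paths are constructed."""
import os
import tempfile
from typing import Dict, Optional, Tuple


def unsafe_read(base_dir: str, requested: str) -> str:
    # The pattern that creates the LFI: the client-supplied name is joined
    # to the web root with no validation, so "../" walks out of the root.
    with open(os.path.join(base_dir, requested), "r") as fh:
        return fh.read()


def safe_read(base_dir: str, requested: str) -> Optional[str]:
    # Hardened version: resolve symlinks and ".." first, then require the
    # result to still sit inside the intended directory. Returns None on
    # any escape attempt; a real server should log that as an attack.
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        return None
    if not os.path.isfile(target):
        return None
    with open(target, "r") as fh:
        return fh.read()


def build_demo() -> Tuple[str, str]:
    """Constructed layout: <tmp>/www is the web root, <tmp>/secret.txt is
    a file outside it that the handler must never serve."""
    tmp = tempfile.mkdtemp()
    www = os.path.join(tmp, "www")
    os.mkdir(www)
    with open(os.path.join(www, "index.html"), "w") as fh:
        fh.write("<h1>tracking</h1>")
    secret = os.path.join(tmp, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("db_password=constructed")
    return www, secret


def demo() -> Dict[str, object]:
    """Run both handlers against the same escape attempt and a normal file."""
    www, _ = build_demo()
    escape = os.path.join("..", "secret.txt")
    return {
        "unsafe_leaks": "constructed" in unsafe_read(www, escape),
        "safe_blocks": safe_read(www, escape),
        "safe_serves": safe_read(www, "index.html"),
    }


if __name__ == "__main__":
    print(demo())
```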

Using this newly found directory, S1n was able to grab all the PHP files they had seen while browsing the scam site. These files are highly obfuscated and almost impossible to read. There are also many Chinese characters, making it even worse for English speakers. They are linked below; though they do seem safe, use at your own risk.

Looking through these files, they could see that the scammers were using a Telegram channel to send data back to themselves and were storing it in a MySQL server. S1n could not find any sensitive data with the LFI that would allow them to get further access into the web server. Most things were set up and run with supervisord and, though the box had SSH, it did not seem to have been used.

While looking around, S1n also found the nginx access log, which revealed one of the IPs of the people setting it up (assuming they weren't using a VPN).

Based on the certificate information and this IP (and we are just getting started), I think we can agree that these are likely Chinese scammers.

After browsing around, S1n looked at some of the files they had grabbed, went back over some of the requests they had intercepted, and found something that looked like an SQL injection.

Firing up SQLMap, they tried it and it worked! They were into the scammers' database!

Now that we are inside the database, let's take a peek around. First, let's DOXX the scammers running this site:

Database: facaisss_top
Table: admin
[9 entries]
+------+----------------------------------+---------+-------------------------------+--------+---------+-----------------+----------------------------------+--------------------------+---------------------+------------+
| id   | token                            | desc    | name                          | type   | avatar  | login_ip        | password                         | username                 | login_time          | permission |
+------+----------------------------------+---------+-------------------------------+--------+---------+-----------------+----------------------------------+--------------------------+---------------------+------------+
| 9527 | qHJK7M0rNUy7UYulDi05qojUSFM9pM3C | ???     | ???TG:https://t.me/wangduoyu0 | 1      | <blank> | 106.226.19.70   | 2d028f8ca2b73eb7d4546d7994c742ff | Twez7K15Vd5Gpan4C/uaqw== | 2024-01-02 22:05:25 | <blank>    |
| 9531 | jLgco5RMvFqgyxONDUVk2JmxEqFEkovq | <blank> | NULL                          | 3      | NULL    | 38.207.142.214  | d42fe63b6643993a8f97dc47985d982a | jQVmD0P+gg055h7ZJHznaQ== | 2023-12-19 12:59:36 | NULL       |
| 9532 | 2fCCgWhzw7waNNQReGf1Ycmcp42rTn5v | <blank> | NULL                          | 2      | NULL    | 178.173.225.134 | 0a283f0b0d570adc1bfb51572955d37f | K87+QTqJTMy6qVxRJXxpeQ== | 2024-01-02 22:16:54 | NULL       |
| 9533 | d5EOAVfo0HZsprmAACK7iH9pTz56zNhN | <blank> | NULL                          | 2      | NULL    | 5.161.50.112    | 782e3af2dd3da9f7ebc9f05332872dc4 | d3m9yTko9mXTJD0B5yO0zg== | 2023-12-28 07:59:08 | NULL       |
| 9537 | a3zps4dfc3cuZOV3G1RtWMWPcUdCmjGn | <blank> | NULL                          | 2      | NULL    | 89.185.30.226   | 4f8a2379bb3c474680354c63bc1ee6fc | OyaHyjxHRDOhrh39bXqR6Q== | 2024-01-03 07:32:38 | NULL       |
| 9539 | jAYkPihKE768TpoGnQ3pTsYZ4pNQ3C18 | <blank> | NULL                          | 2      | NULL    | 182.84.160.242  | 5b73c2e8c152520b55e15b14c45e3f49 | TJzkjGwJ+dFQ9tOGVtyHGw== | 2024-01-03 02:50:19 | NULL       |
| 9540 | wi3g2ZnGFV4vnUn2LiVPFmAhOfKfbKlJ | <blank> | NULL                          | 2      | NULL    | 106.226.19.70   | 9c7115ddce2c84b3ac7efd12f667f662 | nAHd7K32eSgwpYU2xRCJdA== | 2024-01-02 22:05:40 | NULL       |
| 9541 | TTTCcT3YWljq0isK5RDnN7PpfkMcN3OK | <blank> | NULL                          | 2      | NULL    | 39.144.169.135  | d0a44137ee2002fda76053c3607ec5cd | F7/lmK6VJ682vkqgERb00Q== | 2024-01-03 05:38:43 | NULL       |
| 9542 | bPBaUEoFrI3xpwMjJoE8Dp5zRMVWVgLa | <blank> | NULL                          | 2      | NULL    | 137.184.82.92   | d0f364e103cb423430a1c419a4278bf6 | 7+KbdbgLprg1HxWnDiIVQA== | 2024-01-03 11:20:37 | NULL       |
+------+----------------------------------+---------+-------------------------------+--------+---------+-----------------+----------------------------------+--------------------------+---------------------+------------+

That Telegram link as a description looks interesting ;)

Now let's take a look at the configuration:

Database: facaisss_top
Table: config
[1 entry, 36 columns; shown one column per line because the row is far too wide to read as a table]
pid: 10086
tg_uid: <blank>
otp: 0
key: vHbippHvUZKYtXUA3NGKZA==
url: <blank>
mount: £900
state: VFg=
title: RGVsaXZlcnkgZmFpbGVkLCBhZGRyZXNzZWUgdW5rbm93bg==
is_tor: 0
tg_msg: <blank>
order: 9300120111410471677883
bt_file: 1
captcha: 0
ht_type: 1
tg_open: 0
timeout: 120
allow_pc: 0
tg_token: <blank>
two_title: <blank>
allow_once: 0
pay_status: 1
store_name: <blank>
succ_count: 3
title_desc: VVNQUyBBbGxvd3MgeW91IHRvIFJlZGVsaXZlciB5b3VyIHBhY2thZ2UgdG8geW91ciBhZGRyZXNzIGluIGNhc2Ugb2YgZGVsaXZlcnkgZmFpbHVyZSBvciBhbnkgb3RoZXIgY2FzZS4gWW91IGNhbiBhbHNvIHRyYWNrIHRoZSBwYWNrYWdlIGF0IGFueSB0aW1lLCBmcm9tIHNoaXBtZW50IHRvIGRlbGl2ZXJ5Lg==
unattended: 0
success_url: https://www.usps.com/
redirect_url: https://www.usps.com/
refresh_rate: 3
refuse_cards: [long comma-separated list of numeric values, omitted]
two_title_desc: <blank>
highlight_cards: [long comma-separated list of numeric values, omitted]
is_ip_detection: 0
country_whitelist: <blank>
refuse_cards_type: 0
display_filled_card: 1
is_refuse_cards_type: 0
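To make dumps like the admin and config tables above easier to read, here is a small added Python helper (not part of the original post or S1n's tooling) that parses sqlmap-style table output, decodes base64-looking cells to text when the result is printable, and flags 32-hex cells as MD5-like. The sample table is constructed from a handful of cells taken from the two dumps; the base64 heuristic can misfire on random all-alphanumeric tokens, which the code notes.

```python
"""Added example, not from the original post: parse a sqlmap-style table
dump and annotate encoded cells. SAMPLE_DUMP is constructed from a few
cells of the admin and config dumps shown above."""
import base64
import binascii
import re
from typing import Dict, List

SAMPLE_DUMP = """\
+-------+--------------------------+-------+--------------------------------------------------+----------------------------------+
| pid   | key                      | state | title                                            | password                         |
+-------+--------------------------+-------+--------------------------------------------------+----------------------------------+
| 10086 | vHbippHvUZKYtXUA3NGKZA== | VFg=  | RGVsaXZlcnkgZmFpbGVkLCBhZGRyZXNzZWUgdW5rbm93bg== | 2d028f8ca2b73eb7d4546d7994c742ff |
+-------+--------------------------+-------+--------------------------------------------------+----------------------------------+
"""

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")
PLACEHOLDERS = {"NULL", "<blank>"}


def parse_dump(text: str) -> List[Dict[str, str]]:
    """Turn the '| a | b |' lines into dicts keyed by the header row;
    the '+---+' border lines are skipped."""
    rows = [line for line in text.splitlines() if line.startswith("|")]
    cells = [[c.strip() for c in r.strip().strip("|").split("|")] for r in rows]
    header, body = cells[0], cells[1:]
    return [dict(zip(header, r)) for r in body]


def describe_cell(value: str) -> str:
    """Annotate one cell: MD5-like hex, decoded base64 text, binary
    base64, or the raw value. Hex is checked first because a 32-hex
    string is also syntactically valid base64. Caveat: a random
    alphanumeric token whose length is a multiple of 4 also passes the
    base64 test and will be reported as binary."""
    if value in PLACEHOLDERS:
        return value
    if HEX32_RE.match(value):
        return f"<32-hex, MD5-like: {value}>"
    if B64_RE.match(value) and len(value) % 4 == 0 and not value.isdigit():
        try:
            raw = base64.b64decode(value, validate=True)
        except binascii.Error:
            return value
        if raw and all(32 <= b < 127 for b in raw):
            return raw.decode("ascii")
        return f"<base64: {len(raw)} bytes binary>"
    return value


def decode_dump(text: str) -> List[Dict[str, str]]:
    """Parse and annotate every cell of every row."""
    return [{k: describe_cell(v) for k, v in row.items()} for row in parse_dump(text)]


if __name__ == "__main__":
    for row in decode_dump(SAMPLE_DUMP):
        for col, val in row.items():
            print(f"{col}: {val}")
```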

And finally, let's see what data was taken from the poor people scammed by this site:

Database: facaisss_top
Table: userinfo
[61 columns]
+------------------+---------------------+
| Column           | Type                |
+------------------+---------------------+
| account          | varchar(255)        |
| code             | varchar(255)        |
| name             | varchar(255)        |
| status           | int(11)             |
| address1         | longtext            |
| address2         | longtext            |
| birthday         | varchar(255)        |
| card_alpha2      | longtext            |
| card_bank        | longtext            |
| card_bank_phone  | longtext            |
| card_bank_url    | longtext            |
| card_brand       | longtext            |
| card_country     | longtext            |
| card_date        | longtext            |
| card_last_four   | varchar(255)        |
| card_name        | longtext            |
| card_number      | longtext            |
| card_scheme      | longtext            |
| card_type        | longtext            |
| city             | longtext            |
| country          | longtext            |
| creat_time       | datetime            |
| cvv              | longtext            |
| email            | longtext            |
| email_password   | varchar(255)        |
| email_verify     | varchar(255)        |
| first_name       | longtext            |
| house            | varchar(255)        |
| id               | bigint(20) unsigned |
| ip               | varchar(255)        |
| is_card_numer    | int(11)             |
| is_code          | int(11)             |
| is_cvv           | int(11)             |
| is_ep            | int(11)             |
| is_highlight     | varchar(255)        |
| is_otp           | varchar(255)        |
| is_pin           | int(11)             |
| is_routing       | int(11)             |
| is_ssn           | int(11)             |
| is_two_verify    | int(11)             |
| item_name        | longtext            |
| last_name        | longtext            |
| login_type       | int(11)             |
| murmur           | varchar(255)        |
| one_key_pass     | int(11)             |
| operation_record | longtext            |
| order_id         | varchar(255)        |
| otp              | varchar(255)        |
| password         | varchar(255)        |
| phone            | longtext            |
| phone_last_four  | varchar(255)        |
| pin              | varchar(255)        |
| price            | varchar(255)        |
| return_url       | varchar(255)        |
| routing_account  | varchar(255)        |
| routing_number   | varchar(255)        |
| ssn_last_four    | varchar(255)        |
| state            | longtext            |
| update_time      | datetime            |
| user_agent       | longtext            |
| zip              | longtext            |
+------------------+---------------------+

Wow. So much data on these people. Also look at how many are in this table:

SELECT COUNT(*) FROM userinfo WHERE STATUS IS NOT NULL: '3818'

Along with this, they are tracking who visits the site, of course:

Database: facaisss_top
Table: records
[9 columns]
+-----------------+---------------------+
| Column          | Type                |
+-----------------+---------------------+
| create_time     | datetime            |
| id              | bigint(20) unsigned |
| ip              | varchar(255)        |
| lang            | varchar(255)        |
| murmur          | varchar(255)        |
| os_name_version | varchar(255)        |
| plat            | varchar(255)        |
| update_time     | datetime            |
| user_agent      | varchar(255)        |
+-----------------+---------------------+

S1n didn't say what they are going to do with all this incriminating evidence, but I know I will be sending it over to whatever internet crime center will listen, to try to get it shut down and the culprits brought to justice.

Thanks for reading!
