Great video. :-) Reading through the comments, I'm reminded of the classic joke: Q: How many programmers does it take to change a light bulb? A: 35. One to actually change the bulb and 34 to say after the fact, "I could have done that better."
Maybe a better idea is to try to make passwords seem legit, also adding random names or literally the whole dictionary, cuz not everyone makes their passwords in symbols, but instead words or phrases, so if he just scrolls through the yahoo and passwords lists and finds a combination that seems unique, he will know which one is the real one and which one is not.
or he can just delete all of the emails and passwords starting from -email- and as password, -password-. The 2 ints he used to see where emails and passwords go.
A way to make this more convincing would be to have a 1000 most common passwords json file and a 10 most common email providers json file (or just a list), load those and it will be very convincing. Also, you could make it randomly sleep or get it done in batches as well if he stores a created_at time.
I've been learning C for the last two months and I'm so damn happy that I can understand what you're doing. I doubt I could implement it right now, but just understanding it is so cool to me.
@@zaftmonkeynuts5052 That's the point of studying, isn't it? Learning, enjoying, practicing the code. Yeah, I can't use Python, but I'm learning the foundation necessary to pick it up in the future. I can craft little things in "C" at the moment, and yeah... It's a different syntax, but the same fundamental rules apply. The joy is that - two months ago- I couldn't even program a "Hello World" script. I can now. Shoot, I've made some extremely awesome things that would take YOU two seconds to do. Even then, Good Lord, I see the vast difference between me in December and me now. Feels good, man.
I feel this completely! I have to understand something and set an objective in mind in order to learn it. As a little kid, those connections were formed by Neopets. I picked up a really impressive amount of HTML and CSS for a 6-8 year old. I was aiming to learn Python next, but alas life had other plans. I had a passion, but as I got older nothing helped make things "click". I lost that passion for years. But then YouTube started recommending me these more advanced "taking down scammers" videos and for the first time in forever I'm forming these connections and I'm absorbing it all like a sponge. I'm so freaking excited! The other day I made a simple little thing in Python that responds to birthday posts on Facebook with a "thank you" so I didn't have to do it myself. Such an easy little project but I did it myself and it feels so damn good!!
@@midnari I agree, it’s literally the same feeling as listening to someone bad mouth you in a foreign language and you coming right back at them and speaking that same language. It just feels good. By all regards, coding in all its forms is a new language and the feeling you get from understanding it and learning to implement it is the best feeling in the world.
I understand most of it but I don't really know Python so I was a bit confused at some of the things he did, like the .join(random + for loop). How does that work? You can just put a loop inside a function parameter and it will make the function execute every time it loops? Or does it make the random function execute 8 times and add the characters together?
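The question above, about `''.join(random.choice(...) for _ in range(8))`, is answered by the following added Python example (it is not code from the video; the character set `ALPHABET` and the function names are my own assumptions). `join()` is called exactly once and is handed a generator expression; it pulls one character at a time from that generator, so `random.choice` runs eight times and the results are concatenated. The second function spells the same thing out as a plain loop, and `same_output_for_same_seed` shows the two forms are equivalent. The last function makes a point that matters outside a demo: `random` is a predictable PRNG, so anything that must actually resist guessing should use the `secrets` module instead.

```python
import random
import secrets
import string

# Assumed character set: letters, digits and punctuation (the video's exact
# alphabet is not shown in the comments).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def password_via_generator(length=8):
    # A generator expression is passed straight into join(). join() is called
    # once; it iterates the generator, which evaluates random.choice(ALPHABET)
    # `length` times, one character per iteration, and glues the pieces together.
    return "".join(random.choice(ALPHABET) for _ in range(length))


def password_via_loop(length=8):
    # Exactly the same computation, unrolled into an explicit loop and list.
    chars = []
    for _ in range(length):
        chars.append(random.choice(ALPHABET))
    return "".join(chars)


def same_output_for_same_seed(seed=12345, length=8):
    # Reseeding random before each call proves the two forms draw the same
    # characters in the same order, i.e. they are equivalent.
    random.seed(seed)
    a = password_via_generator(length)
    random.seed(seed)
    b = password_via_loop(length)
    return a == b


def secure_token(length=16):
    # random.choice is fine for throwaway filler, but its output is
    # reproducible from the seed. For tokens or passwords that must resist
    # guessing, the same one-liner should use secrets.choice instead.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print("generator form:", password_via_generator())
    print("loop form:     ", password_via_loop())
    print("equivalent:    ", same_output_for_same_seed())
    print("secure token:  ", secure_token())
```

The practical takeaway is that a generator expression is just an iterable argument; any function that accepts an iterable (`join`, `sum`, `list`, `set`) can consume one directly, without building a temporary list first.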
You should randomize the length of the password, and randomize the domain of the email. As it is, all he has to do is filter out all yahoo domains with a password length of 8, and he would have minimal loss of acquired real passwords.
yeah thought his generation algo was a bit dodgy, no last names, no full stops or underscores etc, just one name, one letter, same domain, all random 8 char passwords
there is always room for improvement, but to show how easy you can overload a spammer with a short python program really opened my eyes on what you(anyone really) can do.
it's quite easy to filter out as they were all sent in a short time span, all with a yahoo email from the same address, not to mention that they all follow the same structure for name generation, and that the passwords use special characters in passwords (which im not sure craigslist does).
I work in computer repair and I get numerous people coming in and calling due to scammers. This just brings me all types of joy. Keep up the good work.
This is honestly not that hard to do and doesn't require that much knowledge, maybe he prepared for it, but if you know how to send requests in python, then it's completely feasible to write this sort of thing off the top of your head
CabinDoor A seasoned security professional could do this without Python in 10 secs if there are no CSRF tokens present. Maybe a minute or two if you need to provide a valid CSRF token. It's that easy.
As someone new to python and still relatively inexperienced with programming this was a fun video to see work in action and the context made it entertaining to think about. I want to find more videos of contextual coding that are more demonstrative like this and less about "the technicality of the programming process". It gives me ideas to try!
A couple extra ideas: 1) I did similar, but I grabbed Tom Sawyer off Project Gutenberg and used it for usernames. 2) The user agent can be long, like 2k long. The user agent gets logged. The log is often on tmpfs, which is smaller than the user space. (It just crashed, I don't know why.) 3) randomly generate the domain from the same words so he can't just delete all yahoo addresses. 4) the domain is hosted on godaddy, you should report it to godaddy abuse.
I don't know anything about coding and I don't know anything about python. But I also hate scammers. And I found the speed and clarity of this presentation very satisfying. Especially the part where all the fake emails start popping up to waste this guys time lol 10/10 l33tHax0r ^^
The one thing is. I like to study programming start with HTML and C# just to start off but hell the tutorials on yt are a bunch of indians with cringy-monotone english accent. Creepy it is.
That's awesome thank you for this. Mechanical engineer here, always wanted to work more on the little coding knowledge I have this has been inspiring and entertaining. Subscribed
Nice! To make it even better, the e-mail domains could be randomized, passwords could be less random (there are too many special characters in them), maybe some longer than others, and you could space out the rate at which the info is sent.
0:48 Oh no!!! 1:51 Not the names list? :) I loved it when you did the other one with the test credit card number. Great video, and I look forward to another one. They asked for it!
This is awesome. Thank you for doing this. I also love seeing inside python as I don't know how to do that but it makes it seem like something that would be cool to learn more about.
No time like the present to learn! Python isn't that hard and there are TONS of resources and the learning curve has been made so shallow, you could totally teach yourself if you wanted to. You got this!
This is amazing content and I’m about to binge all your coding videos. I reallllly appreciate you telling us the logic behind each step. I’m also appalled at the idiots in the comments, please keep making these! I learned more in 5 minutes than an entire semester of CS freshman year 😂
First of all, semesters are half a year. Secondly, a class of ~30+ can make actually learning/overcoming mental blocks almost impossible when discussing certain topics/sciences. If something was pointed out in a 5 minute video that was entirely skipped over or not thoroughly covered in a class of a few dozen people, then it can be very easy to learn more from a video than a class. Try thinking logically instead of being a smartass.
@t0xcity You're actually dumb if you think this video is better than an entire semester of CS. If you learned more from this video than you did in a class, where more than one topic is explained in detail, then coding really isn't for you. If you can't focus being around 30+ people, then going outside isn't for you. I can tell you've never even been to a university by your profile picture alone, and I'm honestly guessing you're 15. You really think if you have a coding interview, you'd have a better chance knowing how to solve it by just watching this video? It's a cool video sure, but it's nothing compared to a university education.
@0f392k49fg91h7fg893j the original comment was " I learned more in 5 minutes than an entire semester of CS freshman year". I understand youtube videos can be a good tool to help reinforce what you learn, but this guy specifically said THIS VIDEO, this ONE VIDEO, was better than his entire first year CS Semester, which it's obviously not. You sound like a conspiracy theorist. Try not to be so cynical all the time, and I guarantee you'll be happier. Also forsen is haHAA
cool but he'll just filter the @yahoo.com since they will be sequential. a better way to pwn this cockgoblin would be to randomize the concatenation of the email service, and set a random timer to drip post into his form. so he might get one in 5 minutes, or 2 hours. let it run in the torrent computer since that thing just sits all day, and maybe run a dynamic VPN as well. that would cripple any data collection effort due to the inability to validate submissions
Mine bitcoin? This video has nothing to do with making money. He doesn't like being scammed, so he fucked with the scammer's day. Also, this isn't 2017. It's almost 2019. Who the fuck mines bitcoin and wants to degrade their computer over time and have an electricity bill of $150+ every month? You are clearly a child.
Me: Stumbles on to this video. Me: Heads on over to my spam folder. Me: Opens the first email that looks like a phishing attempt. Me: Let the fun begin... Thanks for this awesome tutorial. I haven't laughed this hard in a long time.
lol if his backend is tracking your ip, he can delete them away using a simple regex db trick too. :P you should use multiple ips on top of multiple vpn proxies to confuse the scammer even more.
For those who don’t read xkcd, the suggested username would be: Bobby’); drop table usernames; drop table passwords; Depending on the Webserver and back end database this might possibly work, though probably not.
Mmm yes. Using SQL injection, but for the greater good lol. But alas, let's be honest, he's probably just ripped the code from somewhere and hardly edited it at all, which most likely would have sanitation already implemented.
dragon spirit(aka shadow999999) good programmers write good code; *great* programmers steal great code. (The actual line from Eric Raymond’s *The Cathedral and the Bazaar* is less pithy, something like “great programmers know what to rewrite and reuse” but I like this version better)
Next time, run with different emails other than Yahoo as well in order to prevent them from filtering. Ideal solution would be proxies, run it for at least 24 hours, and the email ending change in order to prevent ANY form of filtering out the results you placed. Because right now if I was that scammer, I’d just remove all emails ending in Yahoo that were sent in within a time frame, or just remove by IP.
Thanks for fighting a battle that many of us do not know how to. Scamming takes good money and confidence out of consumers and does significant damage over time as we lose faith in good commerce.
Improvement: 1. hide your IP address using tor network to prevent the scammer blacklist out your IP. 2. randomize 'yahoo.com' email with more email providers. 3. deploy to cloud server, randomize the intervals and bomb that service for a couple of days. HAHA.
I would personally use a list of common passwords alongside legit emails: currently, this input is too easily filtered out just from the uniform password length, but also the non-legit emails. Something like this will only work as a time waster if it has a shred of believability.
...in the context of making this seem more legitimate for the scammer, which changing your IP address would do, but you'd have to change it for *every* 'upload' of this to the form; and ensure none of it is repeated, which is an ass unless you have a spare server lying around. And RE your previous comment - that's an oversimplification of how Tor works. You're basically bouncing your traffic through everyone else's, making it harder for an external individual to see what your traffic has been to someone else's, but it's not perfect.
he basically created like a file full of names, for each name he generated a random 8 character password and sent them all out to the scammer page using the url he got from the chrome console
Great video idea. I think a more efficient approach would be to send it over time. Because what he's going to do as a scammer is see everything that came in at a start time and end time notice that he got 10000 or so while phishing. Most likely he will just delete all the data that came in during a certain time frame.
unfortunately it's just a minor inconvenience, no matter how many fake combos you put in the hackers use an automated tool to test them anyways, it won't take long to find the real ones.
I've only just come across your channel and I'm amazed at how swiftly you deal with scammers. Have you ever considered teaming up with Jim Browning or Scambaiter et al? If any of you guys combined you'd destroy scammers globally in a matter of minutes! Great channel. Subscribed!
I’d love to see them do more than ruin a scammers day. Those scammers in India are the absolute sickest people I’ve ever heard speak. The second they don’t get their way, they start cursing the other party out and….idk why but they always like to add insults about the other parties mom, lol. These guys are insanely good at what they do. I’d love it if they took it one step further and messed with the temperature control settings in one of those “call centers”. I don’t know if that’s possible though, they probably don’t have a smart thermostat to hack. It would be funny though to turn their heater up to the highest setting and watching them squirm as they try to turn it down, lol
That form name and url seem like a random code. Are you sure the request is always the same? That may be used as a unique ID. If that's the case your code isn't doing anything, but simply overwriting with a new username and password all the time. I would have verified that those fields and url were always the same. Or, if they changed, also looped that with random shit inside my code. Field names could just be part of an "any" type data structure accepting all sorts of shit. This means you can maybe even do more damage.
Would have been cool to add variable lengths in the passwords / emails so that the submissions aren’t so uniform. It would be fairly trivial for him to purge the database of all email/password combinations of a certain length.
you can always do more or less chars in between. takes 1 change in the code. or add more randomness i suppose. but thats not for a 5 minute video i guess :>
I just want you to know that thanks to you and your videos, I finally know what to study. Thank you. I was so lost but just watching you work cleared everything for me.
I would love to see what you could do to the fake Steam websites that scammers on Rocket League use. They get people's Steam accounts, steal people's items, and sell them off for real money. It's super effective because of all the little kids that play Rocket League, and they use websites like steomcommunity-profiles-32327.000webhostapp.com/tommy; since the website preview in Steam DMs only shows the "steomcommunity-profiles" part people could easily misread it.
Not sure if anyone mentioned, but you could have tried SQL injection, as he might not be escaping it. Could blow up the whole database if you wanted to.
You probably don't want to upload videos of yourself committing a crime on the internet. Sending fake logins to a scam site to be annoying is quite different from attacking it.
My middle name is "'); DROP TABLE loot;". How is that illegal? :-) I wouldn't consider a little SQL injection as attacking, it's more like poking and anything this simple that can't tolerate it deserves it. But probably not a good idea to tell anyone that you're the hero of the day.
roma98 yeah, mostly it’s just a simple html which sends the input to a .txt file on the phishers pc, or in some cases just shows it on a command prompt.
Scammer sees what's going on and just deletes all the data from Yahoo emails. But yea, the videos are great, keep 'em coming. If you spent a heck of a lot more time making the plan more devastating to the spammer, it would make the videos too long (perhaps unwatchable) and you'd just get fewer comments (bad for the almighty algorithm). Good job.
@@pluto9000 The algorithm just makes sure you never see any videos that don't appeal to its whims... More of a filtering out process than a control process. But yea, you are probably totally under the algorithms control at this point. ;)
Easy way is to randomize the Yahoo emails to gmail, outlook and all the free ones. This would prompt him to delete all the free emails and lose all the legit ones. It's an extra two or three lines of code as it's python.
Nice job! Similar story: I was being texted non-stop from some outfit in Miami that said "we buy junk cars!" in English and in Spanish, along with their phone number, which was a disposable Metro PCS mobile number. After repeatedly asking them to take me off of their spam list, they ignored me every time; they hung up on me, never took my name off their list, and kept texting me. So I thought, if they want phone calls, they're gonna get some phone calls. I opened a Twilio account and put $20 on it, then wrote a script that told them what my number was and that I wanted it removed from their spam list. I wrote a simple PHP script to call the Twilio APIs and then put it to work, calling every two minutes for hours on end. I never heard from them again.
Cute, but you didn't perform some basic checks. Given that the username and password elements appeared to be named randomly, it is possible they are generated dynamically per each request of the main page (as well as the submission URL). The web server could simply be accepting your requests but not recording them as a result. Also, the email addresses are formulaic enough that they could be easily stripped out. I would have gone for a dictionary and a large pool of domain names.
Yep. First thing I saw was this, chances are it was some anti-CSRF PHP script making the fields for the POST vars randomised. Everyone is complaining about how easy it would be for the guy to remove them from his db, I doubt they even got there in the first place!
This guy missed step one: send a report to the hosting provider. By spending time coding this first, the site gets to exist longer and harvest more legitimate accounts. The fake accounts don't do anything to protect the victims. It's as trivial to test fake accounts as it is to generate them in the first place.
Some random Luke: "nice! I hate scams too!" Also, some random Luke seeing his email being randomly generated: "well, that explains a lot 🧐👀" Great vid though :)
Hey Cool work, You could have also made an array of email domains and randomly assign it to name strings to confuse the scammer more. Coz he may simply filter the @yahoo domain guys now but with randomizing the domain the scammer will be more confused
I'm a beginner, I knew nothing about programming until several months ago when I started doing CS courses for fun. And man, I'm so happy that I could actually understand about 70% of what he was doing in this video. After more courses and finishing more fun programming projects, hopefully my understanding will have reached 100%. Awesome video and fuck those scammers!
I like your vids. They're short and to the point. I don't know any better so I'll trust that you're actually being a headache to scammers. Maybe you'll encourage others with similar skills to do the same and life will become difficult for scammers.
There's a difference between having so little understanding of something that you don't even know where you should begin, and thus anywhere you try to start is just an impossible hell, and being lazy. It just so happens that with programming, it's basically impossible to start anywhere that feels productive and like you're actually learning something, especially when most people go around berating people that are trying to learn and point them to extremely overly complicated thick manuals and online resources that don't get to what you're trying to learn until 100s of hours of reading, that also require college-level understanding of math and computer science to begin to understand said thick manuals anyway, thus making it totally pointless, when all someone really needs is some help. Wow what a rant LOL. But that's why channels like this are so awesome, these videos are actually really helpful in learning the concepts involved while showing production and payoff immediately for something you may want to do.
Templarfreak I started to type something similar and gave up, but the starting point and direction is absolutely a deterrent to many in any new expertise
Python, SQL, JAVA, PHP, C++ and other programming languages take about three months to really learn, there are a plethora of tutorials here on youtube. The books are for absolute nerds that want to go really deep, but to get the basics of a programming language down takes three months max. After that you get to learn the intricacies of the language on the job. There are plenty of ICT companies looking for interns and people willing to learn it for free. They will give you the courses needed for free and you get a job to boot. see what I did there... anyways stop bi&^%% about something being hard, it's only hard if you never get off your lazy ass to actually give it a shot and by shot I mean you actually go out and do something about it.
nice work man... you could have created an array for the email domain and randomly taken from there, cause now he has loads of yahoo, easy pattern !! nice video!
A great example of data poisoning. Obviously, you could randomize the send interval, the email domain, and proxy-hop to obfuscate the origin of each request. Another technique I've had fun with... submit the Anti Virus test string, lol. This rarely works, but when it does, it's hysterical. They store the collected data as plain text and upload it to cloud storage like Dropbox, Google Drive etc, where it's flagged as a virus and promptly deleted. It confuses the fuck out of the novice scammer. Looking at the unconvincing password phish, I'd assume either your target had no discernible skill, or they were specifically targeting idiots (which may be the case... you can run a scam for longer if tech-savvy people just ignore you). In a more advanced attack, if you knew anything about their collection methods and how the data was processed after collection, you could do a lot more damage. SQL injection for example. Even seemingly trivial things like using UTF32 characters (especially hybrid glyphs like the Ninja Cat emoji) can really fuck up the collection, and a lot of scammers don't regex those things out, or they do it in the JavaScript on the form page which you can easily bypass. One thing to be aware of.... they may validate email addresses before committing them. They have a mailing list, they bait those specific people and only collect passwords from people who they sent messages to. In many real-world scenarios, this wouldn't work all that well in practice. For that reason a simple DDOS would be of greater utility. This is probably a phish specifically for Craigslist accounts for use in spamming. If it were a general cred-sweep targeting email accounts, you could have some fun with that by honey-potting an account and handing it over. A RAT in your Dropbox, maybe some bullshit "classified emails" between US intelligence officers, something that will let you screw with them once they take the bait.
I know the point here was to fuck with them quickly, but sometimes it's fun to draw out the engagement.
It would've been a bit more effective if he used a list of common street and pet names to generate passwords, although if the scammer has a script to verify phished login creds then this didn't do much anyway =(
You know you're on a programming video when the comments are full of "a better way to do this would be to..."
@@erikpowa lol there are still people saying python is not real Programming? Damn
crowdrefactoring
Yes, because this is a really ineffective and futile attempt to waste the time of phishers. Skiddies gave him their ad revenue, though.
guize i totally made a minecraft fortntie mod so im obviously a master progremmer and i know what a script is so im leet haxxor
DIOhydrogen Monoxide is this bait? Whatever, I only know a bit of HTML :/
The great thing about this white hat kind of project is there’s always more work to be done. Great for intermediate beginners that like trolling as a force for good
wasting peoples time is where trolling started.
simple, effective and literally never gets old.
More of a red hat lol
Red hat hacking, good guys but taking an illegal and destructive approach.
@@terminatorfishstudios lol
@@terminatorfishstudios legality != morals
That was a delight to watch. I’m learning Python and I find this so inspiring.
me too :)
Same here!
same
Yea things like this are brilliant for learners because it makes them actually want to learn more and try this out . This is a great little project and videos like this is literally how I got into coding and actually started coding in my free time
Me three ✌🏻
To make it harder for him to sort through the list, you should just random select from the list of top 10k commonly used passwords instead of auto generating them.
Isn't it also likely the scammer would be able to reasonably discard the fake data he sent by looking at the time and the IP address they are coming from?
@@hereandnow3156 yeah he definitely should've used a vpn and something like the rockyou password list to be safer and more effective, still a good idea though
@@hereandnow3156 That is what i was also wondering
@@hereandnow3156 only if he logs the IP with the username and password otherwise he's going to have to comb through access logs that he may or may not have
@@hereandnow3156 Use proxying
Yes, there are better ways to do it. Yes, you should share them here.
No, you shouldn't berate Engineer Man for not doing them. He did 90% of the work that cost 10% of the time here. He isn't going to turn his 5 minute video into half an hour just to squeeze out that last 10%. It's a proof of concept, people.
Thanks for noticing this important fact which it seems many are missing.
ofc you are not going to show all the parts! I don't even know who was that stupid to think you gonna... nice job! :) ;)
btw I just like to rat them & destroy all of their equipment! :D permanent damage! :P
that 10% is the difference between pwning the scamming bastard and being swatted like a fly. besides, i could make something much better in around 10 minutes.
r3wturb0x alright, you have ten minutes.
BPNave lmao
I think this is my new favorite channel...
My apartment complex made us register times to use facilities during Covid. They released the availability to register for gym/spa/exercise room EXACTLY 7 days in advance, and they all got booked immediately through the UI- it was very competitive. So, I back-engineered the site and wrote a python script to sign up for whatever future gym times I wanted. It never failed. I love to see other quality abuses of python!
504 Nigerian Princes disliked the video...
Mike Morgan they just want to share their millions of dollars is that really so hard to believe
AC3 Of Cards Error 404: Millions of dollars not found
Mike Morgan dude, some nigerians are still stuck at the moon
Is it bad that it took me legit ten seconds to realize 504 meant the amount of dislikes and not a joke about timeout errors?
Don't forget us Indians :p
I have no idea what just happened but I'm glad it did
He created a file to send 1000 emails to scammers' inboxes to make them go through each email and password so he can't tell real emails from fake ones
oh no, it's infinite emails.
Control yourself... control yourself... THAT'S WHAT SHE SAID!!!!
@William Funes not funny :L
@@DebugCat the office...when they tell Michael he can't say anything inappropriate.
Imagine if you had one of those emails and were wondering how scammers gets your email 😂
These aren't unrealistic at all, so guaranteed at least a few of them are real 😂😂
the password though.
Nathan9
Unless you have that thing running all the time (looping), then your requests will all basically be in one giant block with 8 character passwords. It would be easy for him to crop them out. It would be better to kick them out slower with a bigger name base that's more randomized with passwords that are better randomized (including length). And run it constantly.
True. But chances are, the scammer won't get an awful lot of legitimate emails (I would hope in this day and age), so leaving this running on a cloud VM 24/7 with a few extra providers would make spotting real stuff almost impossible. This is great stuff and should certainly be made available to 419baiter too. Love it :)
Would be even easier if he's saving the remote IP address with them all, especially if it's going into a database where he could just use a limit and group on the select.
They're also all yahoo addresses. So .. he could just delete all of those without losing too much data :D
Seriously. It'd take 30 seconds to make a regex that'd clean this shit up.
Emails are all in this format: /[a-z]*\d@yahoo\.com/g
Passwords are all in this format: /.{8}/g
If he's got the know-how to make a phishing page, he's got the know-how to make a regex that fixes your shit.
And different TLDs for the e-mail address. Make the random number length variable and sometimes come before the name. Maybe throw in a dictionary as well.
Breaking news man in Nigeria with no family or friends dies with millions of dollars of cash he had been trying to give away
Damn, I KNEW that Nigerian email sounded legit!
@@gedgar2000 we all missed out 😓
GABRIEL! FANTASTIC! You have a GREAT SENSE OF HUMOR!
Gabriel Hormuth Man in Nigeria? He’s a Nigerian Prince with close ties to First Nigerian Bank, thank you very much!!
WHERE do i send my SSN# and moms maiden name
You need to run this as a service across multiple IPs over several days/weeks so he can’t easily delete your responses.
I bet that website is one of hundreds he uses unfortunately
@@cardinal9009 never ever have i seen someone else use this for a pfp. I cropped my pic up more though
@@mrjpz first time I've seen someone like that as well. one more word and I'll crop my pic up more too.
@@cardinal9009 ruclips.net/user/clipUgkxIq_FBPgezSOpIPVl0WiQd0mrzAFjGsik
if you watch this clip you can see we're multiplying
awww look guys twins 😊
Great video. :-) Reading through the comments, I'm reminded of the classic joke:
Q: How many programmers does it take to change a light bulb?
A: 35. One to actually change the bulb and 34 to say after the fact, "I could have done that better."
Can't stop laughing at this. Thanks.
None, it's a hardware problem.
lol
you only need one. you said it yourself.
Here's my answer: one to actually change the bulb and 34 to use stackoverflow to figure out on how to do it.
You know this man's legit because he uses incognito mode
I use it all the time on public computers. Don't have to worry about logging myself out. No cookies, no cache, no history, I'm safe
Apathy FBI OPEN UP
TraceguyRune key loggers
shows how ignorant you are about incognito mode.
Shows how stupid you are. Jokes are a thing, you know?
Maybe a better idea is to try to make passwords seem legit, also adding random names or literally the whole dictionary, cuz not everyone makes their passwords in symbols, but instead words or phrases, so if he just scrolls through the yahoo and password lists and finds a combination that seems unique, he will know which one is the real one and which one is not.
@badrobots statistics, like how 2/3 of doctors are male or how 3/4 of all software engineers are men
@badrobots tmw genz
or he can just delete all of the emails and passwords starting from -email- and as password, -password-. The 2 ints he used to see where emails and passwords go.
@badrobots yikes
@badrobots Cool, but who cares
A way to make this more convincing would be to have a 1000 most common passwords json file and a 10 most common email providers json file (or just a list), load those and it will be very convincing. Also, you could make it randomly sleep or get it done in batches as well if he stores a created_at time.
There's definitely going to be some better ways to do it.
Yep, and I bet there's probably even better ways than what I came up with. Such is life. :) Nice video, btw.
Eh, this statement applies to literally everything in life. This vid was fast and got the point across. Awesome stuff. Subbed.
Engineer Man like using python 3
On the new python 3.6 you can write in the last line
print(f'sending username {username} password {password} ')
I've been learning C for the last two months and I'm so damn happy that I can understand what you're doing. I doubt I could implement it right now, but just understanding it is so cool to me.
Yeah, one thing I’ve learned from programming is understanding the code and actually implementing it to something are totally different.
@@zaftmonkeynuts5052 That's the point of studying, isn't it? Learning, enjoying, practicing the code. Yeah, I can't use Python, but I'm learning the foundation necessary to pick it up in the future. I can craft little things in "C" at the moment, and yeah... It's a different syntax, but the same fundamental rules apply.
The joy is that - two months ago- I couldn't even program a "Hello World" script. I can now. Shoot, I've made some extremely awesome things that would take YOU two seconds to do. Even then, Good Lord, I see the vast difference between me in December and me now. Feels good, man.
I feel this completely! I have to understand something and set an objective in mind in order to learn it. As a little kid, those connections were formed by Neopets. I picked up a really impressive amount of HTML and CSS for a 6-8 year old. I was aiming to learn Python next, but alas life had other plans.
I had a passion, but as I got older nothing helped make things "click". I lost that passion for years. But then RUclips started recommending me these more advanced "taking down scammers" videos and for the first time in forever I'm forming these connections and I'm absorbing it all like a sponge. I'm so freaking excited!
The other day I made a simple little thing in Python that responds to birthday posts on Facebook with a "thank you" so I didn't have to do it myself. Such an easy little project but I did it myself and it feels so damn good!!
@@midnari I agree, it's literally the same feeling as listening to someone bad mouth you in a foreign language and you coming right back at them and speaking that same language. It just feels good. By all regards, coding in all its forms is a new language, and the feeling you get from understanding it and learning to implement it is the best feeling in the world.
I understand most of it but I don't really know Python so I was a bit confused at some of the things he did, like the .join(random + for loop).
How does that work? You can just put a loop inside a function parameter and it will make the function execute every time it loops? Or does it make the random function execute 8 times and add the characters together?
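The construct asked about above, as an added example that is not part of the original thread or of the video's code: a generator expression passed to str.join, the explicit loop it is equivalent to, and the CSPRNG variant using secrets.choice (which draws on os.urandom). The character set ALPHABET is an assumption; the video's exact alphabet is not shown in the thread.

```python
import random
import secrets
import string

# Constructed alphabet for this example; the video's own character set is unknown.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 8) -> str:
    # The generator expression inside the parentheses is evaluated lazily:
    # str.join pulls one item at a time, and every pull runs random.choice once.
    # So the function is not "executed on each loop iteration"; join consumes
    # an iterator that yields `length` characters and concatenates them.
    return "".join(random.choice(ALPHABET) for _ in range(length))


def random_password_loop(length: int = 8) -> str:
    # The same thing written as an explicit loop: random.choice is called
    # `length` times and the characters are appended in order.
    chars = []
    for _ in range(length):
        chars.append(random.choice(ALPHABET))
    return "".join(chars)


def same_output_when_seeded(seed: int, length: int = 8) -> bool:
    # Seeding the PRNG identically before each call shows that both forms
    # make the same sequence of random.choice calls in the same order.
    random.seed(seed)
    a = random_password(length)
    random.seed(seed)
    b = random_password_loop(length)
    return a == b


def generator_is_single_use() -> bool:
    # A generator expression is an iterator, not a list: once join has
    # consumed it, a second join over the same object yields nothing.
    gen = (random.choice(ALPHABET) for _ in range(8))
    first = "".join(gen)
    second = "".join(gen)
    return len(first) == 8 and second == ""


def secure_password(length: int = 8) -> str:
    # random.choice uses the Mersenne Twister PRNG, which is predictable once
    # its state is known; for credentials that matter use secrets.choice,
    # which reads from os.urandom (the os module mentioned elsewhere in the thread).
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```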
You should randomize the length of the password, and randomize the domain of the email. As it is, all he has to do is filter out all yahoo domains with a password length of 8, and he would have minimal loss of acquired real passwords.
exactly
yeah thought his generation algo was a bit dodgy, no last names, no full stops or underscores etc, just one name, one letter, same domain, all random 8 char passwords
there is always room for improvement, but to show how easy you can overload a spammer with a short python program really opened my eyes on what you(anyone really) can do.
he is just going to delete everything from yahoo during that time span
As long as they all come in at different times during the week night and day yeah that could work otherwise simple sorting could clear them
from random import randint as r
# randint is inclusive on both ends, so the index must be 0..3 for a 4-item list
random_provider = ['@gmail.com', '@yahoo.com', '@hotmail.com', '@outlook.com'][r(0,3)]
Nonce validation would have prevented this issue from occurring. However he could be logging IPs and other request data along with the form values.
it's quite easy to filter out as they were all sent in a short time span, all with a yahoo email from the same address, not to mention that they all follow the same structure for name generation, and that the passwords use special characters (which I'm not sure craigslist does).
the scammer also could store the ip addresses, to prevent this attack if the whh is not using a ton of proxies.
This is the first video I’ve seen of yours and it definitely won’t be the last. Keep up the great work!
Nate C. Same here
Nate C.
me too😎😎
I work in computer repair and I get numerous people coming in and calling due to scammers. This just brings me all types of joy. Keep up the good work.
I love this because it literally only took 5 minutes of your time, and yet it is such a nasty little trick. Bravo sir
He definitely had some planning off camera and maybe even tested it before. Still a cool idea and didn't waste any time showing the viewer.
This is honestly not that hard to do and doesn't require that much knowledge, maybe he prepared for it, but if you know how to send requests in python, then it's completely feasible to write this sort of thing off the top of your head
CabinDoor A seasoned security professional could do this without Python in 10 secs if there are no CSRF tokens present. Maybe a minute or two if you need to provide a valid CSRF token. It's that easy.
I'll be waiting for the 10 second video. Let me know when you post that on RUclips.
Engineer Man Not even going to bother showing how this is done in Burp. I do testing like this for a living.
As someone new to python and still relatively inexperienced with programming this was a fun video to see work in action and the context made it entertaining to think about. I want to find more videos of contextual coding that are more demonstrative like this and less about "the technicality of the programming process'. It gives me ideas to try!
You know, even almost 5 years later I still use this video and what it taught me. Thanks Engineer Man!
A couple extra ideas:
1) I did similar, but I grabbed tom sawyer off Project Gutenberg and used it for usernames.
2) The user agent can be long, like 2k long. The user agent gets logged. The log is often on tmpfs, which is smaller than the user space. (It just crashed, I don't know why.)
3) randomly generate the domain from the same words so he can't just delete all yahoo addresses.
4) the domain is hosted on godaddy, you should report it to godaddy abuse.
I don't know anything about coding and I don't know anything about python. But I also hate scammers. And I found the speed and clarity of this presentation very satisfying. Especially the part where all the fake emails start popping up to waste this guys time lol 10/10 l33tHax0r ^^
same
lol Not django as in the programming language or the bounty hunter but django as in the character in my avi from the gba series boktai =)
Same. I work with coders and they seem like geniuses to me
This comment pretty much sums up my reaction to this video lol
The one thing is. I like to study programming start with HTML and C# just to start of but hell the tutorials on yt are a bunch of indians with cringy-monotone english accent. Creepy it is.
The scammer seeing a bunch of emails getting logged in just 2 minutes: interesting
Excellent. Excellent. If I had your skills, I'd do the same to these scammers and con artists.
Keep up the good work.
con artist gives them too much credit lol
He shows us the code and how to implement it yourself.
@@jacobhinger5039 only applicable to a very specific situation, he probably wants to know how to do it for a more diverse list of scams, etc
You just became my number one creator.
"Wow. All these people with random passwords of the same length logged in at the same time from the same place" :P
Nice regex trick, I'm going to steal that! I would have used a vim macro, but I like the search and replace better.
Steal away man!
Hi +99baddawg, I like your videos. Keep it up!
Yeah I don't know why I forgot you could do this in replace, saves a lot of time.
In general better search for line endings, though, before forging a pattern for your lines..
is that some addon/plugin.. ? how can i do it in vscode?
This is amazing!!! I don't know how I found this but you have my sub sir. Thank you.
Excellent username, to be sure.
That's awesome thank you for this.
Mechanical engineer here, always wanted to work more on the little coding knowledge I have this has been inspiring and entertaining.
Subscribed
I'm gonna be totally honest here... These videos are the most satisfying thing I've seen in the past 3 years. :)
Nice! To make it even better, the e-mail domains could be randomized, passwords could be less random (there are too many special characters in them), maybe some longer than others, and you could space out the rate at which the info is sent.
0:48 Oh no!!! 1:51 Not the names list? :)
I loved it when you did the other one with the test credit card number. Great video, and I look forward to another one. They asked for it!
This is awesome. Thank you for doing this. I also love seeing inside python as I don't know how to do that but it makes it seem like something that would be cool to learn more about.
No time like the present to learn! Python isn't that hard and there are TONS of resources and the learning curve has been made so shallow, you could totally teach yourself if you wanted to. You got this!
This is amazing content and I’m about to binge all your coding videos. I reallllly appreciate you telling us the logic behind each step. I’m also appalled at the idiots in the comments, please keep making these! I learned more in 5 minutes than an entire semester of CS freshman year 😂
Thanks for the kind words. That makes two of us (re: comments).
Really? from this video you learned more than your entire first freshman semester? Your school sounds like garbage..
First of all, semesters are half a year. Secondly, a class of ~30+ can make actually learning/overcoming mental blocks almost impossible when discussing certain topics/sciences. If something was pointed out in a 5 minute video that was entirely skipped over or not thoroughly covered in a class of a few dozen people, then it can be very easy to learn more from a video than a class. Try thinking logically instead of being a smartass.
@t0xcity You're actually dumb if you think this video is better than an entire semester of CS. If you learned more from this video, then you did in a class, where more than one topic is explained in detail, then coding really isn't for you. If you can't focus, being around 30+ people, then going outside isn't for you. I can tell you've never even been to a university by your profile picture alone, and i'm honestly guessing you're 15. You really think if you have a coding interview, you'd have a better chance knowing how to solve it by just watching this video? It's a cool video sure, but it's nothing compared to a university education.
@0f392k49fg91h7fg893j the original comment was " I learned more in 5 minutes than an entire semester of CS freshman year". I understand youtube videos can be a good tool to help reinforce what you learn, but this guy specifically said THIS VIDEO, this ONE VIDEO, was better than his entire first year CS Semester, which it's obviously not.
You sound like a conspiracy theorist. Try not to be so cynical all the time, and I guarantee you'll be happier. Also forsen is haHAA
This one video is enough to get a glimpse of your skills. You earned a subscriber.
cool but he'll just filter the @yahoo.com since they will be sequential. a better way to pwn this cockgoblin would be to randomize the concatenation of the email service, and set a random timer to drip post into his form. so he might get one in 5 minutes, or 2 hours. let it run in the torrent computer since that thing just sits all day, and maybe run a dynamic VPN as well.
that would cripple any data collection effort due to the inability to validate submissions
Or you could just mine bitcoin with the same computer instead of scamming a scammer without any profit
Thorsten Böhme where in the world was he "SCAMMING" a scammer?
Mine bitcoin? This video has nothing to do with making money. He doesn't like being scammed, so he fucked with the scammer's day. Also, this isn't 2017. It's almost 2019. Who the fuck mines bitcoin and wants to degrade their computer over time and have an electricity bill of $150+ every month? You are clearly a child.
Thorsten Bohme, Mining Bitcoin is actually no longer profitable. If this was 2010, maybe, but it's not.
What are you talking about? I mine bitcoin on the weekend for fun in Nevada. I always find those shiny coins in abandoned silver mines
Me: Stumbles on to this video
Me: Heads on over to my spam folder
Me: Opens the first email that looks like a phishing attempt
Me: Let the fun begin...
Thanks for this awesome tutorial. I haven't laughed this hard in a long time.
ok
You learn something every day... Didn't know you could regex replace in a code editor. Awesome!
It depends on the editor.
what editor was it though? coz i don't think you can do it in IDLE
@@nikhilsingh6759 he's using atom
Love what you do, thanks from all us non tech savvy people 👍
Non programmers you mean.
Initially, I read it as “Showing a Craiglist scammer, and this scanner is a boss using Python”. Nice garden path sentence!
Lol That must have pissed him off, and you did that in a matter of minutes! You're good!
I certainly hope it pissed him off! Ha.
lol if his backend is tracking your ip, he can delete them away using a simple regex db trick too. :P you should use multiple ips on top of multiple vpn proxies to confuse the scammer even more.
blasttrash using a proxy through python for each request ... better using random dns ... that doesn't request password
Should have thrown in a couple Bobby Tables into the list, just in case he isn't sanitizing his data.
Little Bobby Tables.
For those who don’t read xkcd, the suggested username would be:
Bobby’); drop table usernames; drop table passwords;
Depending on the Webserver and back end database this might possibly work, though probably not.
@@jpe1 I like this idea as a concept better, using the request url to attack the hacker's data, over littering the data.
Mmm yes. Using SQL injection, but for the greater good lol.
But alas, let's be honest, he's probably just ripped the code from somewhere and hardly edited it at all, which most likely would have sanitization already implemented.
dragon spirit(aka shadow999999) good programmers write good code; *great* programmers steal great code.
(The actual line from Eric Raymond’s *The Cathedral and the Bazaar* is less pithy, something like “great programmers know what to rewrite and reuse” but I like this version better)
So glad I stumbled on this video. Awesome video dude.
I love this. Someone needs to create a meetup where coders get together once a week and hit scammers like this over coffee. Great job!
Next time, run with different emails other than Yahoo as well in order to prevent them from filtering. Ideal solution would be Proxies, run it for at least 24 hours, and the email ending change in order to prevent ANY form of filtering out the results you placed . Because right now if I was that scammer, I’d just remove all emails ending in Yahoo that were sent in within a time frame, or just remove by IP.
Sounds illegal :D
Thanks for fighting a battle that many of us do not know how to. Scamming takes good money and confidence out of consumers and does significant damage over time as we lose faith in good commerce.
The whole world uses vs code and it’s auto completion. This legend still uses Atom and rocks. Great video man.
Real programmers use butterflies...
@@PedroCristian real programmers write it on paper and use ocr to get the code
@@polarcat0156 real programmers use punch cards and assemble everything themselves
Improvement: 1. hide your IP address using tor network to prevent the scammer blacklist out your IP. 2. randomize 'yahoo.com' email with more email providers. 3. deploy to cloud server, randomize the intervals and bomb that service for a couple of days. HAHA.
Omega Z there’s always an IP address. Scammer groups list on IP addresses and ignores entries where the count is 2 or more.
Arjen J but tor uses random ip
I would personally use a list of common passwords alongside legit emails: currently, this input is too easily filtered out just from the uniform password length, but also the non-legit emails.
Something like this will only work as a time waster if it has a shred of believability.
Arjen J he's talking about hiding YOUR IP address
...in the context of making this seem more legitimate for the scammer, which changing your IP address would do, but you'd have to change it for *every* 'upload' of this to the form; and ensure none of it is repeated, which is an ass unless you have a spare server lying around.
And RE your previous comment - that's an oversimplification of how Tor works. You're basically bouncing your traffic through everyone else's, making it harder for an external individual to see what your traffic has been to someone else's, but it's not perfect.
Great Video. Just found it 4 years later. Clearly, it's a timeless one. Thanks.
You're amazing. You are doing noble work. Just glad you're on the side of goodness and light.
I missed the part after you said "hello everyone". ha ha ha
If I had your talent, would spend every waking hour messing with scammers! Great video!
From the console right click on "copy as curl". After that simply go and convert curl to python request. So you can skip the basic request code part.
what I thought a python was gonna eat him I didn't understand a single word
Yeah. Where is the snake?
I thought he was gone send real python over the computer to them with 2 day delivery
Liban Abu exactly. Maybe the coding he did is to build a robot snake?
he basically created like a file full of names, for each name he generated a random 8 character password and sent them all out to the scammer page using the url he got from the chrome console
Not only that but his punctuation was awful.
Tor ip changer can be used to change ip; in this python program the scammer can list all your fake emails and passwords with the same ip
I know im gonna need requests I know im gonna need os I know im gonna need random I know im gonna need string I know im gonna need json
I'm more of a Java guy. Why was OS needed?
os.urandom (docs.python.org/3.5/library/os.html#os.urandom)
BoliBerrys so needy
Great video idea. I think a more efficient approach would be to send it over time. Because what he's going to do as a scammer is see everything that came in at a start time and end time notice that he got 10000 or so while phishing. Most likely he will just delete all the data that came in during a certain time frame.
I have absolutely no clue what he is talking about, but a good deed never goes unnoticed
Dude this is savage, way to restore justice in the world 😁🙌🏽
unfortunately it's just a minor inconvenience, no matter how many fake combos you put in the hackers use an automated tool to test them anyways, it won't take long to find the real ones.
*social justice
*0.00001% of the world
Tamir Yankevich wtf? What has this got to do with restoring world justice? Lmao
Daniel Hernandez
I found 10,000 names, and ran it twice. The more we do the more time it takes scammers to run their automated process.
I've only just come across your channel and I'm amazed at how swiftly you deal with scammers. Have you ever considered teaming up with Jim Browning or, Scambaiter et al? If any of you guys combined you'd destroy scammers globally in a matter of minutes! Great channel. Subscribed!
I’d love to see them do more than ruin a scammers day. Those scammers in India are the absolute sickest people I’ve ever heard speak. The second they don’t get their way, they start cursing the other party out and….idk why but they always like to add insults about the other parties mom, lol. These guys are insanely good at what they do. I’d love it if they took it one step further and messed with the temperature control settings in one of those “call centers”. I don’t know if that’s possible though, they probably don’t have a smart thermostat to hack.
It would be funny though to turn their heater up to the highest setting and watching them squirm as they try to turn it down, lol
Some kind of fun. I have only a basic understanding of what you did but I love it when people scam back.
That form name and url seems a random code. Are you sure the request is always the same? That may be used as a unique ID. If that's the case your code isn't doing anything, but simply overwriting with a new username and password all the time. I would have verified that those fields and url were always the same. Or, if they changed, also looped that with random shit inside my code. Field names could just be part of a "any" type data structure accepting all sort of shit. This means you can maybe even do more damage.
ya those look like csrf tokens
Totally
my thoughts exactly
hmm
Would have been cool to add variable lengths in the passwords / emails so that the submissions aren’t so uniform. It would be fairly trivial for him to purge the database of all email/password combinations of a certain length.
right.. most people use gmail anyway
he could just filter the yahoo emails out
This is a great example of a good guy standing against hackers/scammers! Good job! Now you have a new sub and like and I turned on notifications.
I mean sadly it's gonna be easy for him to just exclude all emails from yahoo with 8 chars of password, but it's a decent idea.
you can always do more or less chars in between. takes 1 change in the code. or add more randomness i suppose. but that's not for a 5 minute video i guess :>
I love the casual way he uses the scammer's setup against the scammer!
Keep making bro. You keep making I’ll keep watching 😂😂😂✌🏻
I just want you to know that thanks to you and your videos, I finally know what to study. Thank you. I was so lost but just watching you work cleared everything for me.
I just wasted time looking at this video thinking you were going to troll a scammer with Monty Python quotes.
Sorry to have let you down.
I would love to see what you could do to the fake steam websites that scammers on Rocket League use. they get people's steam accounts, steal people's items, and sell them off for real money. it's super effective because of all the little kids that play Rocket League, and they use websites like steomcommunity-profiles-32327.000webhostapp.com/tommy, since the website preview in steam DMs only shows the "steomcommunity-profiles" part people could easily misread it.
Damn dude he apologized, you should feel like shit, not like you would've had anything better to do anyways
something, something, dead parrot, something.
There IS a video of someone trolling a scammer with movie quotes on RUclips. I saw it the other day.
I dream of a World where everyone has an app being fed with codes like that, running in background for just a few seconds a day.
Not sure if anyone mentioned, but you could have tried SQL injection, as he might not be escaping it. Could blow up the whole database if you wanted to.
I thought that's what he would be doing, but this is pretty cool too.
You probably don't want to upload videos of yourself committing a crime on the internet. Sending fake logins to a scam site to be annoying is quite different from attacking it.
My middle name is "'); DROP TABLE loot;". How is that illegal? :-)
I wouldn't consider a little SQL injection as attacking, it's more like poking and anything this simple that can't tolerate it deserves it.
But probably not a good idea to tell anyone that you're the hero of the day.
how do you know there's an sql database behind this login page?
roma98 yeah, mostly it’s just a simple html which sends the input to a .txt file on the phishers pc, or in some cases just shows it on a command prompt.
Wish I was that clever to write those programs, would love to keep flooding the scammers with junk.
Nice! Maybe randomizing a set of emails (yahoo, gmail, aol) etc would really add to his confusion. I like it!
Scammer sees what's going on and just deletes all the data from Yahoo emails. But yea, the videos are great, keep 'em coming. If you spent a heck of a lot more time making the plan more devastating to the spammer, it would make the videos too long (perhaps unwatchable) and you'd just get fewer comments (bad for the almighty algorithm). Good job.
You think one day we will all be controlled by the algorithm? 😅 Maybe it made me type that. 😵💫
@@pluto9000 The algorithm just makes sure you never see any videos that don't appeal to its whims... More of a filtering out process than a control process.
But yea, you are probably totally under the algorithms control at this point. ;)
Easy way is to randomize the Yahoo emails to gmail, outlook and all the free ones. This would prompt him to delete all the free emails and lose all the legit ones. It's an extra two or three lines of code as it's python.
@@singu7arity run this all day, with random time delay between entries by 3 seconds to 2 minutes or smth
Where is the python ? I thought you were going to release a python to some scammer on the street !?
you're probably joking but if you aren't, Python is a coding language
Hahahahaha, good one 😂
are you one of those "SHOW BOBS AND VEGENA" or "BORAT" kind of guy ?
python is a programming language
haha lol
Nice job!
Similar story: I was being texted non-stop from some outfit in Miami that said "we buy junk cars!" in English and in Spanish, along with their phone number, which was a disposable Metro PCS mobile number. After repeatedly asking them to take me off of their spam list, they ignored me every time; they hung up on me, never took my name off their list, and kept texting me. So I thought, if they want phone calls, they're gonna get some phone calls. I opened a Twilio account and put $20 on it, then wrote a script that told them what my number was and that I wanted it removed from their spam list. I wrote a simple PHP script to call the Twilio APIs and then put it to work, calling every two minutes for hours on end. I never heard from them again.
Haha, I love this.
Cute, but you didn't perform some basic checks. Given that the username and password elements appeared to be named randomly, it is possible they are generated dynamically per each request of the main page (as well as the submission URL). The web server could simply be accepting your requests but not recording them as a result. Also, the email addresses are formulaic enough that they could be easily stripped out. I would have gone for a dictionary and a large pool of domain names.
Yep. First thing I saw was this, chances are it was some anti-CSRF PHP script making the fields for the POST vars randomised. Everyone is complaining about how easy it would be for the guy to remove them from his db, I doubt they even got there in the first place!
*tags your username with {{Citation needed}}* :P Nah that's a good point though. Either way, the whole domain is down now
This guy missed step one: send a report to the hosting provider. By spending time coding this first, the site gets to exist longer and harvest more legitimate accounts. The fake accounts don't do anything to protect the victims. It's as trivial to test fake accounts as it is to generate them in the first place.
How apropos that the json file probably included "Jason" somewhere.
Jayson, Jase, and Jace, but no Jason.
Keep it up. I feel better now you got a scammer. Thank you, John.
Some random Luke: "nice! I hate scams too!"
Also, some random Luke seeing his email being randomly generated: "well, that explains a lot 🧐👀"
Great vid though :)
Hey, cool work. You could have also made an array of email domains and randomly assigned them to the name strings to confuse the scammer more, 'cause he may simply filter out the @yahoo guys now, but with randomized domains the scammer will be more confused.
I'm a beginner; I knew nothing about programming until several months ago when I started doing CS courses for fun.
And man, I'm so happy that I could actually understand about 70% of what he was doing in this video. After more courses and finishing more fun programming projects, hopefully my understanding will reach 100%.
Awesome video and fuck those scammers!
Bro the comments disappeared lol
The scammers got him back
@Intikus HAHHAHA BEST THING I'VE SEEN TODAY LMFAO
I like your vids. They're short and to the point. I don't know any better so I'll trust that you're actually being a headache to scammers. Maybe you'll encourage others with similar skills to do the same and life will become difficult for scammers.
First video I’ve seen (thank you RUclips algorithms) and I fucking love you!!
What's he doing logged in as root in terminal?
I wish I was as smart as you with computers. Awesome work 👍🏻
alxM3 stop wishing and learn something then. Don't be lazy.
lil trap thnx mom I will
There's a difference between having so little understanding of something that you don't even know where you should begin, so that anywhere you try to start is just an impossible hell, and being lazy.
It just so happens that with programming, it's basically impossible to start anywhere that feels productive and like you're actually learning something, especially when most people go around berating people that are trying to learn and point them to extremely overly complicated thick manuals and online resources that don't get to what you're trying to learn until hundreds of hours of reading, which also requires college-level understanding of math and computer science to begin to understand said thick manuals anyway, thus making it totally pointless, when all someone really needs is some help.
Wow what a rant LOL
But that's why channels like this are so awesome, these videos are actually really helpful in learning the concepts involved while showing production and payoff immediately for something you may want to do.
Templarfreak I started to type something similar and gave up, but the starting point and direction is absolutely a deterrent to many in any new expertise
Python, SQL, Java, PHP, C++ and other programming languages take about three months to really learn; there are a plethora of tutorials here on YouTube. The books are for absolute nerds that want to go really deep, but to get the basics of a programming language down takes three months max. After that you get to learn the intricacies of the language on the job. There are plenty of ICT companies looking for interns and people willing to learn it for free. They will give you the courses needed for free and you get a job to boot. See what I did there... Anyways, stop bi&^%% about something being hard; it's only hard if you never get off your lazy ass to actually give it a shot, and by shot I mean you actually go out and do something about it.
I have 0 experience with this but the way it is presented makes it so understandable.
Well, if your IP is logged when you post your form, it will be easy for him to figure out which credentials are legit or not 🙄
In which case hopefully, he was using a VPN or proxy.
nice work man...
you could have created an array for the email domain and randomly taken from there, 'cause now he has loads of Yahoo, easy pattern!!
nice video!
yeah, slightly more dedication would've ruined the scammer's career
Well done Engineer Man! I like your creative style and approach! :)
A great example of data poisoning.
Obviously, you could randomize the send interval, the email domain, and proxy-hop to obfuscate the origin of each request.
Another technique I've had fun with... submit the Anti Virus test string, lol. This rarely works, but when it does, it's hysterical. They store the collected data as plain text and upload it to cloud storage like Dropbox, google drive etc, where it's flagged as a virus and promptly deleted. It confuses the fuck out of the novice scammer. Looking at the unconvincing password phish, I'd assume either your target had no discernible skill, or they were specifically targeting idiots (which may be the case... you can run a scam for longer if tech-savvy people just ignore you).
In a more advanced attack, if you knew anything about their collection methods and how the data was processed after collection, you could do a lot more damage. SQL injection, for example. Even seemingly trivial things like using UTF-32 characters (especially hybrid glyphs like the Ninja Cat emoji) can really fuck up the collection, and a lot of scammers don't regex those things out, or they do it in the JavaScript on the form page, which you can easily bypass.
One thing to be aware of.... they may validate email addresses before committing them. They have a mailing list, they bait those specific people and only collect passwords from people who they sent messages to. In many real-world scenarios, this wouldn't work all that well in practice. For that reason a simple DDOS would be of greater utility.
This is probably a phish specifically for craigslist accounts for use in spamming. If it were a general cred-sweep targeting email accounts, you could have some fun with that by honey-potting an account and handing it over. A RAT in your Dropbox, maybe some bullshit "classified emails" between US intelligence officers, something that will let you screw with them once they take the bait. I know the point here was to fuck with them quickly, but sometimes it's fun to draw out the engagement.
It would've been a bit more effective if he used a list of common street and pet names to generate passwords, although if the scammer has a script to verify phished login creds then this didn't do much anyway =(
not all heroes wear capes lol
you are a genius... thank you from all of us non tech people who've been scammed in the past!
should use a list of top 1000 passwords instead
and it goes like this (if you use more or fewer than 1000 passwords):
import json, random
passwds = json.loads(open('passwd.json').read())  # passwd.json holds a JSON array of common passwords
aPasswd = random.choice(passwds)  # pick a different one for each submission
Exactly, picking out real passwords from that list wouldn't take much time.
When I grow up, I wanna be just like you :) This is awesome.