πŸ’°Hacking the Scammers

How someone I don't know hacked the scammers back

DISCLAIMER: This is not my work. I would never and don't condone illegal hacking of scammers

I have since decided to take credit for this work after a lot of consideration, it was obvious anyways.

A short while ago I got a text from a random number saying the following:

Scam Text

I knew right away this was a scam but also knew that others fall for this all the time, my own wife had fallen for it a few months back. I posted about it in a channel online and someone, lets call them s1n, was ready to get revenge on these lowlifes who wanted to just scam random people out of their hard-earned cash.

S1n started out by doing some initial recon. First was a nmap scan (yielding them more domains they use and their region):

FTP SSL cert showing Region
HTTP SSL-Cert showing other DNS names that can be used

Along with this they started browsing the site while intercepting traffic with Burp Suite. The site looked to be a clone of the actual USPS site (Wayback Machine URL):

Scammer Site

There were a few interesting requests being made, but all to a different url. Hm... Gotta make sure this is still the scammers:

nslook confirming same IP

Great, they are! The first of these interesting requests was web socket communications where the client would send a filename and the contents were returned.

WSS

Interesting... This looks like an easy LFI. And it is!

WSS LFI

The LFI gave S1n more info about the environment so that they could look around more effectively than fuzzing.

/proc/self/cmdline

Upon using this new directory found, S1n was able to grab all the PHP files they had seen while browsing the scam site. These files are highly obfuscated and almost impossible to read. There are also many Chinese characters making it even worse for English speakers, they are linked below. Though they do seem safe, use at own risk.

143KB
reconstruction.zip
archive
Open
Files taken from scam webserver

Looking through these files they could observe that they were using a telegram channel to communicate back to them and were storing data in a MySQL server. S1n could not find any sensitive data with the LFI that would allow them to get further access into the web server. Most things were setup an run with supervisord and, though it had SSH, it had not been used it seemed.

Telegram token variable being used

While looking around S1n also found the nginx access log and it revealed one of the IPs of the people setting it up, if they didn't use a VPN.

nginx access.log
IPlocation info on the IP

Based on the certificate information and this IP, and we are just getting started, I think we can agree that this is likely Chinese scammers.

Now after browsing around S1n looked at some of the files he had grabbed and looked back at some of the requests he intercepted and found something that looked like and SQL injection.

Single quote in a POST param causing error

Firing up SQLMap they tried it and it worked! They were into the scammers database!

Scammers database

Now that we are inside the database lets take a peek around. First lets DOXX the scammers running this site:

That Telegram link as a description looks interesting ;)

Now lets take a look at the configuration:

And finally lets see what data was taken from the poor people scammed by this site:

Wow. So much data on these people. Also look at how many are in this table:

Along with this they are tracking who visits the site of course:

S1n didn't say what they are going to do with all this incriminating evidence but I know I will be sending it over to whatever internet crime center will listen to try to get it shut down and the culprits brought to justice.

Thanks for reading!

PreviousSpooky Scammers (Back for the holidays)NextSystematic Destruction (Hacking the Scammers pt. 2)

Last updated

Was this helpful?