Originally published at: https://boingboing.net/2019/04/15/scammer-asks-for-password-get.html
…
Why would you leave your mysql port just open? You’d think they’d be paranoid about their peers just getting in and stealing/messing their stuff up.
Before you go live with anything, check yo damn ACLs! (Not the ligament)
I have never seen a disclaimer like that before. Pics and it may or may not have happened? Do you know more than you’re letting on?
‘Mastermind criminal’ is much more of a comic book trope than something in real life.
Because the scammer doesn’t know what they’re doing.
So he used little Bobby Tables’ name as his password?
Yep.
For those wondering or who need a TL;DW
I tend to think that more likely they just don’t care that deeply.
Why bother trying to be Wile E. Coyote in your ingenuity when the easy prey isn’t Road Runner smart?
And his brother Scott Tiger!
The thing is, most of these operations are trying to make money. Which means they would (should) certainly think about the likelihood of others within their world predating upon their work.
Maybe that’s what we need, a digital batman going around and pwning the pwners.
I mean, if you have SSH open, you really don’t need MySQL… I can understand why they didn’t put in any whitelist ACLs as it may give a trail back to them, provided they didn’t just set it to a specific jump box. Wonder if it’s open because they have a remote backup script which just collects this data from these zombie boxes directly.
Seems the IP is owned by Digital Ocean https://www.talosintelligence.com/reputation_center/lookup?search=192.241.132.120 who are just a hosting service with a lot of poor reputation IPs.
Note that what he’s showing here is not necessarily what he’s doing, and doing it without due care and attention to the risks is gonna get you in trouble.
Huh? Looks like he’s showing exactly what he’s doing. He’s even down in the corner talking us through it. And who is getting in trouble? I don’t get this odd disclaimer here…?
Maybe he nmapped a bunch more ports than in his demo, and winnowed them down in the video. And nmapping indiscriminately can for sure get you in trouble.
OK, that makes sense. Nmap can get you in as much trouble as Napster… in fact, I think Nmap evolved from Napster the way V’ger evolved from Voyager in STTMP. But never mind, that’s an unproved theory, I digress.
I think the disclaimer unpacks to this:
The scammer got burned because he followed some evil webpage’s direction about how to be a scammer without really knowing anything about how to protect himself. If you try to copy these keystrokes, you’re no smarter or more knowledgeable than this scammer and may be opening yourself up to furious vengeance just like he did, with no better hope of protecting yourself.
Nobody is going to track you down for portscanning some random host on Digital Ocean, not unless you’re doing it from your work and your own IT department notices. There are basically no traffic cops on the Internet. If you are trying to do full portscans of every host on the Internet you might end up on some blacklists but nobody is going to be knocking on your door.
Just fire up Wireshark some day on a public IP address and you’ll see that you are being constantly portscanned. Open up SSH to the Internet and bots will be attempting to guess your usernames and passwords all day long. This is why people set up port knocking and whatnot, but really as long as you have strong passwords (or disable password authentication entirely) that’s overkill IMHO.
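The two exposure settings this thread keeps circling back to (a MySQL server listening on every interface, as in the comments above about the open mysql port, and an SSH daemon that still takes passwords, as in the comment just above) can be checked mechanically. The following is an added example written for this page, not code from any commenter or from the video; the config texts are constructed samples, and the checker assumes plain `sshd_config` / `my.cnf` syntax (it ignores `Match` blocks and `!include` directives).

```python
"""Audit two network-exposure settings: sshd password authentication and
the MySQL bind address. Sample configs are constructed for this example."""
import re

# Constructed sample configs (not taken from the thread or the video).
SSHD_CONFIG_WEAK = """
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
"""

SSHD_CONFIG_HARDENED = """
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
"""

MY_CNF_WEAK = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

MY_CNF_HARDENED = """
[mysqld]
bind-address = 127.0.0.1
port = 3306
"""


def parse_sshd(text):
    """Return {keyword: value}. sshd uses the first occurrence of a keyword,
    so later duplicates are ignored; parsing stops at the first Match block,
    whose settings are conditional and out of scope here."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def parse_mysqld_section(text):
    """Return {option: value} for the [mysqld] section of a my.cnf file.
    Underscores and dashes are interchangeable in MySQL option names."""
    settings = {}
    section = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower().replace("_", "-")] = value.strip()
    return settings


def audit_sshd(text):
    """List weak sshd settings. PasswordAuthentication defaults to yes when
    unset, so a config that never mentions it is still a finding."""
    s = parse_sshd(text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("sshd: password authentication enabled; bots will brute-force it")
    if s.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("sshd: root login with a password permitted")
    return findings


def audit_mysql(text):
    """List weak mysqld settings. MySQL's default bind-address is '*',
    i.e. every interface, so an absent setting is also a finding."""
    s = parse_mysqld_section(text)
    findings = []
    bind = s.get("bind-address", "*")
    if bind in ("*", "0.0.0.0", "::"):
        port = s.get("port", "3306")
        findings.append(f"mysqld: bind-address={bind} exposes port {port} to the network")
    return findings


if __name__ == "__main__":
    for label, text, fn in [("weak sshd", SSHD_CONFIG_WEAK, audit_sshd),
                            ("hardened sshd", SSHD_CONFIG_HARDENED, audit_sshd),
                            ("weak my.cnf", MY_CNF_WEAK, audit_mysql),
                            ("hardened my.cnf", MY_CNF_HARDENED, audit_mysql)]:
        print(label, "->", fn(text) or "no findings")
```

Binding MySQL to 127.0.0.1 and reaching it over SSH (or an SSH tunnel) is the usual shape of the fix the comments allude to: nothing on 3306 is reachable from the network, and SSH itself only answers to keys.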
He saved 150 email passwords, but the scammer will probably just re-create the table and fix up the account permissions.
I would have updated the existing passwords and then added a trigger to overwrite with random passwords on insert. That way it may not have been noticed and the data collected would be useless.
Not only is nobody likely to care, in this case the guy doing the video only scanned a small list of six ports, which is pretty much unnoticeable to traffic monitoring amidst the usual flood of garbage traffic on the internet. A full nmap sweep of all 65536 possible ports on a host might trigger something, but six? Not a chance.
I’m not sure the scammer is competent enough to figure out that he’s been hacked. I wouldn’t be surprised at all if he puts it back up with exactly the same flaws as the first time. There was a definite air of “babby’s first phishing site” about the whole thing. The guy couldn’t even figure out how to register the domain.
It’s a shame the guy didn’t show the emails. I wonder how many are from bots that go around and try to sign up for anything and everything. I know at least one bot has one of my email addresses and uses it absolutely everywhere. I’m always getting “welcome to our service” emails on it, usually in foreign languages.
If you have any port open and log what comes your way, you are bound to see shodan appear in there eventually. Then, after that, the Russians, North Koreans, and Chinese in that order.