I committed my first (not implying that there were any others!) crime in 2009 when I was 14 years old. Well, the criminality of phishing was controversial at the time, but it’s 2020 now and we are well beyond its possible limitation period, so I can talk about it freely:
Before Facebook was a thing in Slovakia, everybody was on Pokec.sk. Now, if you remember the attention-seeking posts of 2009 Facebook, this was much worse. People posted everything. From boasting about beating up some minorities to sales of “private albums” or even drugs.
And every once in a while some jealous guy asked if somebody could hack an account. It was intriguing. I just started thinking, somehow naturally (look at my first blog post), about the possibilities. Without ever reading about social engineering, I immediately saw that stupidity is the way…
We wannabe hackers are hardly motivated by learning other people’s secrets. Rather, we look for fun and an ego boost. I first thought about actually using the method when my older brother came back from school and started rambling about his classmate. She was dumb, he said, and was awful to everybody. So I thought, just getting hold of her account and changing the profile picture to something funny… could be nice.
Are you already disgusted by my 14yo self? #metoo. It’ll be worse.
Technical difficulties… or rather possibilities
Not that any service was good at security in 2009, but Pokec was top-notch: incredibly bad.
“Please, come inside” spam filter
First of all, the spam filter… When I tried to send a mail from random free hosting with “From” [email protected] (the address they used to inform their users about the service), it ended up in spam. But looking at the headers I noticed the spam score was only a little above the threshold. Just adding a random hash to the message and a few extra mail headers got it through the filter straight to the inbox. In other words, the filter was scoring content; it was not checking whether the sender was actually allowed to send mail as that address.
The even funnier part was that the site did not rely on cookies. Instead it appended a session ID to every link, which often broke, so you suddenly found yourself logged out. This is why most users learned to fill in their credentials immediately whenever they saw the login page. It had become a reflex.
Problems with SSL? Oh, just do not use it!!
What you see in the image is a special page intended for people who have problems logging in over SSL. It’s called “Login without SSL”. Yes, this was genius. Furthermore, there was no random secret value being generated in the form, so to log in you just needed to prepare the link, submit it from anywhere, and it worked!
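To show what that missing secret would have changed, here is an added example (my own code, not Pokec’s) of a login handler in the shape the post describes, next to one that issues a random, one-time token bound to the viewer’s session. The user table, session store and `example.invalid` URLs are constructed stand-ins; the point is that a link prepared elsewhere cannot carry a token that was never issued to that session.

```python
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed, in-memory stand-ins for the site's user database and session store.
USERS = {"alice": "correct-horse"}   # constructed sample account
SESSIONS = {}                         # session_id -> {"form_token": str | None}


def check_password(nick, password):
    """Plain credential check; both handlers below end up here."""
    return USERS.get(nick) == password


def weak_login(url):
    """Login as the post describes: credentials in the link, no secret at all.
    Anyone can prepare such a link in advance and submit it from any page."""
    q = parse_qs(urlparse(url).query)
    nick = q.get("nick", [""])[0]
    password = q.get("password", [""])[0]
    return check_password(nick, password)


def render_login_form(session_id):
    """Hardened: every rendered form carries a fresh random token tied to the
    session that requested it. Returns the token that would go into a hidden field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"form_token": token}
    return token


def hardened_login(session_id, form):
    """Reject any submission whose token does not match the one issued to this session.
    The token is single-use, so a replayed or pre-built request is rejected too."""
    expected = SESSIONS.get(session_id, {}).get("form_token")
    supplied = form.get("form_token")
    if expected is None or supplied is None:
        return False
    if not secrets.compare_digest(expected, supplied):
        return False
    SESSIONS[session_id]["form_token"] = None   # consume the token
    return check_password(form.get("nick", ""), form.get("password", ""))
```

The token only stops a pre-built login link from completing a login; it does not stop someone from typing their password into a copied page, which is what transport security and user awareness are for.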
Oh, and there was a premium service. It was called “Azet Plus” and it enabled you… basically only to look at older messages and use more smileys. But it was something everybody wanted.
Preparing the system
Such a combination of “features” gave me unlimited possibilities. I quickly learned some PHP and created a script that sends a mail stating “Win Azet Plus for 7 days! Just click here!”, which led to a copy of the login page, modified to submit to another script that
- sends the credentials to me,
- sends an email “You have been included in the draw” to the victim, and
- forwards these credentials to the original login script.
Everything was perfect. I even found one of the test mails in my Gmail account:
After successfully hacking into my brother’s classmate’s account I just played with it. All I had to do was feed a nick into my script and wait. And…
It just worked on EVERYONE. Except maybe one or two people. It was tremendous. Notice the passwords. Phone numbers, variations of nicks, “genius”… That is truly genius!
After the first few random victims, a friend of mine called. He was very irritated, smoking outside some party, and his voice was shaking.
Hey bro, I do not know who to call, I’m angry as fuck… You know the girl I told you about… you know, the one I like. I just saw her dancing with another guy and it looked like they’re together. I just kick-bent a fender on my car. I do not know what to do…
I told him to calm down and asked him for her Pokec nick. I explained everything to him and he agreed. He even bought her the premium service so that we could look through her message history.
She reacted to the phishing immediately (her password is highlighted in the image above: it is the word that translates as “I don’t know”, twice, and I remember him talking enthusiastically about how smart she was to use such a password). So we started going through her personal messages. After just a few minutes we found this message to her best friend:
But… I want [John Doe] 🙁
(imagine his real name instead of John Doe)
Now ladies, if you like a guy and he seems to like you… Sometimes he just needs to know. My friend gained some confidence and they started dating within a week or so. And almost exactly 7 years after all this, they got married. I wasn’t invited, but hell, I shed some tears when I saw it on Facebook. I do not know whether he told her or not, and I doubt that they will ever see this post.
So what have we learned today? I won’t do anything like that anymore, and I do not see this as an ideal way to find a partner. But remember, phishing isn’t always just black-hat or white-hat. It can be cupid-pink-hat too!