Hacker News Comments on "Showing a Craigslist scammer who's boss using Python"
Engineer Man · YouTube · 95 HN points · 0 HN comments

Hacker News Stories and Comments
All the comments and stories posted to Hacker News that reference this video.

⬐ mrweasel: It makes me a little sad to see him write Python 2 code. There's only 18 months of Python 2 left.

⬐ starbugs

⬐ donohoe: That's what all of us oldies do. We can't get used to the hip new stuff so quickly ;)

⬐ welder

⬐ [user unknown]: Most of the time you're writing Python3 code and you don't even know it... try changing
    #!/usr/bin/env python
to
    #!/usr/bin/env python3
I bet your Python2 script will run on Python3.

⬐ ageofwant

⬐ flyingfences: And then there is 2to3, which has not failed me once.

⬐ matmann2001: It might be interesting as a learning exercise but there's a lot of gotchas in running 2 as 3. Besides the obvious things like print, which will just cause an error, there's behavioral changes, like with division and range, that may introduce more insidious bugs.
Better to read up on the differences first and use a tool.

The "hip new stuff" is, in this case, already ten years old, though.

⬐ js2: I know you're being sarcastic but anyway: I'm an oldie I guess as I started with Python 1.5.2 and I've been using 2.7 now as long as I can remember. But I had a new project last month so I used Python 3. There was basically nothing to learn. I mean, print is a function and classes don't need to inherit from object and you're like 99% of the way there. Learn and adopt new 3 functionality at your leisure. I'm honestly having no trouble switching between 2 and 3 and I've converted all my 2 code to be syntactically compatible with 3.

⬐ alain_gilbert: Uh-oh, and well, integer division now gives float
    $ python3
    >>> 1/2
    0.5
vs
    $ python2.7
    >>> 1/2
    0
which can cause a great load of bugs if you're just porting some existing code.

⬐ aldanor: And strings are now strings, surprisingly, and not bytes...

⬐ js2: Why do you say surprisingly? I've been aware of the bytes/string split for a long time since it's probably Python 3's most prominent change, so I certainly wasn't surprised by it. The surprising part for me (after having read complaints about this change over the years) is that I haven't had any trouble with it.

⬐ aldanor: Apologies, it was a (failed) attempt at sarcasm :)

True, but I can't recall a single time I wanted the integer division behavior of Python 2.

⬐ 1024core: In most C-like languages, int/int gives int. The fact that 3 returns float is a little troubling.

⬐ earenndil: Python is not a C-like language, though.

⬐ zaarn: You can use // instead of / to request an integer division with an integer result. int//int=int instead of int/int=float.

⬐ yeukhon: The sad thing is he didn't use open in a context manager....

⬐ Phrodo_00: He should've also used load instead of loads, although in this case it's not such a big problem (if he closed the file) because everything is getting loaded in memory anyway.

⬐ yeukhon: Right. My problem is he was trying to show off his skill (he emphasized "engineer" at the beginning of his video) so he could troll the scammer. In that case, at least know how to write proper code. Even intro to Python writes with "with".

If I were that scammer I'd quickly see I can likely filter out all accounts added within such a short burst of time following the convention of <name><number>@yahoo.com

Also, my guess is most users don't have that pattern of password...
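The Python 2-to-3 differences raised in the comments above (true vs. floor division, str vs. bytes, lazy range) and the suggestion to open the file in a context manager and use json.load on the file object, gathered into one added example. This is not code from the video or from any commenter; the JSON file it reads is a constructed sample written to a temporary path so the script runs offline.

```python
"""Added example: Python 3 behaviours discussed in the thread, each in a
function whose return value can be checked. Not from the video."""
import json
import os
import tempfile


def true_division(a, b):
    """In Python 3, '/' is true division: int / int gives a float."""
    return a / b


def floor_division(a, b):
    """'//' is floor division, the Python 2 'int / int' result.
    Note it floors toward negative infinity, so -7 // 2 == -4, not -3."""
    return a // b


def text_and_bytes(text):
    """Python 3 keeps str (text) and bytes apart; crossing needs an explicit codec.
    Returns (type name of the encoded value, round-trip ok?, encoded length)."""
    raw = text.encode("utf-8")
    return (type(raw).__name__, raw.decode("utf-8") == text, len(raw))


def range_is_lazy():
    """range() is a lazy sequence in Python 3, not a list.
    Returns (is it a list?, the materialised values)."""
    r = range(5)
    return (isinstance(r, list), list(r))


def load_records(path):
    """Open the file in a context manager so the handle is always closed,
    and hand the file object to json.load instead of json.loads(open(path).read())."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo_load():
    """Write a constructed sample JSON document to a temp file and read it back."""
    sample = [{"name": "example", "count": 1}]  # constructed sample data
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    try:
        return load_records(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("1 / 2  ->", true_division(1, 2))
    print("1 // 2 ->", floor_division(1, 2))
    print("-7 // 2 ->", floor_division(-7, 2))
    print("str/bytes ->", text_and_bytes("é"))
    print("range ->", range_is_lazy())
    print("json.load via with ->", demo_load())
```

Run it under Python 3; the division and range functions return the Python 3 results the commenters describe, and load_records is the with/json.load pattern the later comments recommend.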
⬐ legohead

⬐ elif: I thought the form fields were suspicious. The scammer may already have something in place that generates random user/pass form fields, and even random endpoints by the look of the url. The "engineer" didn't check this, which he could have easily done by simply refreshing the page. But if the scammer did have any sort of protection, the engineer would have had a lot more work in it for him, having to scrape the page.. so maybe he purposely ignored this red flag.

⬐ eat_veggies

⬐ Dolores12: I checked out the page myself, and the endpoints and form fields are the exact same for me. Also, there's some funny exposed PHP code sent along:
    <?php session_start(); ?>
And some packed javascript that does nothing because it's "commented out" with <!-- ... --> inside the <script> tags, meaning it has syntax errors.

⬐ pavel_lishin: There's no need to put engineer in quotes. This video wasn't an in-depth how-to; it was just a quick proof-of-concept.

⬐ legohead

⬐ jamra: It wasn't meant as an attack. I don't know his name, but his channel is called engineer-something, so I meant it as "engineer-something". Although I do think, for a learning video, that he missed out on a lot of opportunity to explain such things as I mentioned.

I think he did check it and the video we saw was the fast version of this process for the sake of the viewer. But that's just what my instincts tell me based on the time spent investigating, the amount of useful snippets, and the lack of typos and errors while coding.

filtered by IP and Useragent.

⬐ iforgotpassword

⬐ rad_gruchalski: Also seems some kind of ID is encoded in the URL he got redirected to after visiting the initial link, as well as the field names. It would be probably another 5 minutes to add: random delay and a thread pool, a file with Xk most common passwords, random user agent from another file, bunch of email domains, select at random, append numbers to local part when ... [bunch of conditions]. Another half an hour to deal with the IP address stuff.
But, I think the purpose of the video was to show how to use the requests library.

⬐ DKnoll: How would you deal with the 'IP address stuff'? If you plan on harvesting SOCKS proxies or using existing lists, your adversary can just check IPs against DroneBL.

⬐ rad_gruchalski: Hey, I'm sure that video does not show how to build an anti-scammer solution. The scam stuff seems to be a nice back story for showing some python stuff. OTOH, any time a scammer is required to go and look at the data, write filters and what not, it's a win!

⬐ DKnoll: True. It's interesting to look at from the other perspective though, normally we're on the side trying to prevent malicious users and in this thread we're thinking as the 'malicious' user.

The terrible thing here is that: 'very common name' + 1 digit @yahoo.com generates a list almost completely of real email addresses...
Spammers don't care about cleaning their lists... So he just helped the spammer do his job, involving a few hundred unrelated victims.

⬐ pavel_lishin

⬐ vmarshall23: This is likely not made to harvest email addresses for spam, but rather for email:password combos.

⬐ certifiedloud: If all the scammer wanted was email addresses, they could have written a random yahoo email address generator on their own. They want legitimate email + password combos.

⬐ laurentl: Given that world + dog has the entire Yahoo DB by now, I wonder if a list of yahoo username + password still has any value on the market... Well, I can only hope so, or else the scammer will just drop all the yahoo addresses from his take rather than try to clean up the data.

⬐ ryanlol: If you can somehow find the yahoo DB, I will pay you $5000 in bitcoin for it :)

Seems a little dodgy to redirect output from an apparent scammer's website to an apparent root shell.

⬐ Zimahl: What's the scam here? The scammer gets access to someone's Craigslist account... and then what? They take down or change their posts?

⬐ ryanlol

⬐ lxe: It's probably targeted against dealer accounts if they aren't asking for cc info. Other posters talking about password reuse are really confused, there's essentially no chance someone would waste sms spam on such a silly venture.

⬐ Willson50: They try the username + password on other sites.

⬐ Sohcahtoa82

⬐ pavel_lishin: Relevant XKCD: https://xkcd.com/792/

Due to password reuse being very common, getting access to a craigslist account means you've got access to their email account as well.

What if the URL and the form fields are randomly generated? I would just use the Chrome console to keep submitting the form or something low-effort like that.

⬐ newshorts: Put a time delay in there and let it run over a couple days. Otherwise it's too easy to just delete all the names from that 5 minute window of entries.

⬐ zb3: Usually entering credentials causes an email to be sent containing at least user IP address and a User-Agent string. In this case, the UA string reveals it all

⬐ ourmandave: For educational purposes only. <wink> #2600

⬐ ccnafr

⬐ albowicz: Yeah. Let's not the cover-all disclaimer

My hero!

⬐ techVentureStart: this dude should do this on multi thread and distributed in cloud. this is so vanilla, also the hacker can just filter with an easy regex. lame

⬐ pavel_lishin: I agree that in all likelihood, a technically clever scammer can trivially exclude the ~500 entries this guy put in, but it _does_ create some extra work for them, and we have no idea how skilled the person harvesting these things is. (Plus, a committed troublemaker could likely make these things much harder to detect, and much more work for the scammer.)

⬐ starbugs: Definitely not skilled enough to install a TLS certificate :)

⬐ ryanlol

⬐ andrewstuart2: These guys clearly aren't very good, but there's a chance they might be deliberately not getting a TLS cert to avoid getting flagged by safebrowsing via CT logs.

How would it create extra work for him, unless he's manually entering emails and passwords into the usual email sites? In all likelihood he tries every single entry he gets against the top 100 juiciest sites (banking, email, etc), and records all successful hits.

⬐ greenhatman: All you have to do is check which ip address is over represented in the logins table and delete those.