I'm a bad boy?

Jun. 24th, 2025 09:53 pm
[personal profile] rbarclay
Today I got a suspicious email at 'ork. From: was from a domain that looked like typosquatting my employer's main domain, it promised something free, it had the required sense of urgency (plus: excellent wording, BTW, perfect spelling and grammar, even hit the kind of tone that's usual in public service) ... and it wanted me to click a link that contained what looked like a unique ID of some kind.

Hmm, the domain is rather fresh, just 2 months old. It lists the same email address that's registering our main domain, but it's hosted at Hetzner instead of on-prem. Well, wget it and look at the HTML. Looks like someone scraped our main webshite .. oh and there's "put in username & password and we'll get you your free stuff" (Klimaticket). The HTTP POST then points to our own webshite. The SSL certificate is signed by an unofficial CA .. hey, wait, that CA is trusted by my browsers at 'ork, so central IT must've added it to the store.

Ok, so it's a Phishing Awareness campaign. Talked to my colleagues and they said that if you do put in something in username/password you'll probably just be redirected to a video explaining the dangers of phishing.
So now I want to see that video, but I don't want to use "my" UID. Just varying it gets a plain 404. So I wrote a quick bruteforce shell script - with just 7 chars to go through (and some other constraints) that's perfectly feasible, a mere 300ish million requests. And I want results before the campaign is over, so let's parallelize it a bit, that's what CPU-cores and -threads are for!

...

20 minutes later I got a call from boss^2 requesting to please stop being a bad boy ;) (I did somewhat north of 500 req/s - pretty respectable considering it's spawning one wget per request, and a complete SSL session for each&every one with that - seemingly enough that whatever they're running server-side shat its pants).
