Step 1. Steal Accounts, Step 2. ?, Step 3. Profit!

(or How I Learned to Stop Worrying and Spam the Scammers)

by Wavesonics  (www.darkrockstudios.com)

Names have been changed to protect the stupid.

So... few months back, a friend of mine got an IM on his Steam account.  Steam, for those of you who don't know, is a digital distribution platform for PC games.  In addition to being able to purchase and download video games, it also provides certain services, like Instant Messaging, and other community features.

Anyway, back to the story...

So my friend, let's call him Roger, gets an IM from a friend on his buddy list, with the text:

"Want some free games?! Go to: steamgames.k32.com."

Roger thought to himself, "Gee!  I sure would like some free games!  Let me go there immediately!!!"

Now, the more astute reader may have noticed that the URL in question did not in fact point to steampowered.com (Steam's official site) or even the possibly reasonable steamgames.com, but of course, to a sub-domain of k32.com (not the actual URL, but you get the idea).

When Roger got to the site it looked vaguely reminiscent of the steampowered.com website, but had many flaws: images altogether missing, text completely misaligned.

But none of this fazed our intrepid Internet user; he powered right on through to his "free games."  As the website indicated, all he needed to do was enter his Steam username and password into the vaguely Steam-looking login box, and he would have access to his games!  And so he did...

He was redirected to the Steam website, albeit confused, because nowhere did he see his free games.  Seconds later, the Steam client logged him off with the notice "Your account has been signed into elsewhere."

He tried to log back in, but it was no use.  His password had already been changed.

This is where I come in.

I get a frantic phone call where he is not quite able to articulate what has happened, but just that Steam is not allowing him to log in.  Confused, but not yet worried, I tell him I will help him out when I get back to the apartment.  Once back, it first seems as though a virus has been the culprit, from what he is telling me, but then I pry the truth from him and stand, mouth gaping, in sheer amazement.  My roommate, my friend, had clicked on a clearly fraudulent link, and willingly, gleefully even, entered all his information.  I assure him it's not a virus, or even a hack, and that, in fact, he willingly gave over his account details in plain text.

Now I don't know about you, but I, like many geeks I know, take it as my solemn duty to raise the general technical prowess of my friends and family, to at least a slightly higher level.  So this is not only embarrassing for Roger, but for me as well.  I am personally offended by these scammers.

I immediately begin looking into things.

I realize that the first thing they will do with his account is message people on his buddy list in an attempt to fool them as well.  Since we both have many of the same buddies, I log onto my Steam account to warn people.  Sure enough, I have a message from Roger's account:

Want some free games?! Go to: steamgames.k32.com.

I respond with a single "." and immediately get a response, "Hey man come on you know me.  If it's a trick you can just report me!"  Clearly a bot.

Next I WHOIS the domain.

It's one of those free hosting companies.  So I go and check out the site.  It's so poorly done, it makes me cringe to think that Roger fell for it.  I remove the sub-domain from the URL and go to the main hosting website.  There I find a "Report Abuse" link and detail the account and scam in an email and send it off.  I do the same on the Steam website so they know it's going on and can reset my friend's password.

Now, with any luck, the site will be taken down in a few hours and my friend's account restored.

I try to think what the angle of the attack could be.  Why do it in the first place?  On this train of thought I immediately instruct Roger to change his password on any other site that used the same one, in case they just used this to harvest username/password combos, and then try them on common bank and credit card sites, or wherever else.

With that done, I can't figure what other harm they could do.  Steam doesn't show your e-mail anywhere; it doesn't store your credit card information.  The only thing they could do with the account is purchase Roger some new games!

With that my mind should have been at ease.

No more damage could be done that I could see, and the situation should resolve itself once those abuse reports were processed.  But I couldn't help it, something still bugged me.

I think at this point it was more of the fact that my friend had been duped, and possibly others whom they had messaged with his account.  It was a dirty scheme.  There was nothing elegant or creative about the scam.  It wasn't even executed with any care, the website looked like crap.

From what I could figure, they had to be logging the username and password pairs and hoping to get lucky with them on another site.  I wanted to at least throw a wrench in their works.

So I went back to their poorly designed site.  The only thing of interest was the login form.  I opened up the HTML and jotted down the field names.

Next I opened up Firebug to watch the HTTP traffic as I submitted the form.  It submitted the form via GET, and sent you to a page (account.php) where, presumably, the values were captured, and then you were redirected with a 302 to the actual Steam website, where it would just look like you had failed to log in.

Formulating a plan I fired up Code::Blocks, my C++ IDE, and created a new project.  I brought in a library I love called SFML (look it up) which does media related stuff, but also has nice helper classes for doing HTTP GET and POST related things.

I cobbled together a short little program that would randomly generate technically valid usernames and passwords, so they couldn't be filtered out, and then submit them to the account.php page in proper fashion.

The theory here was, if they were recording these in a database, or flat file, or whatever, I would flood their database with bad info that couldn't automatically be filtered out (because it was valid, format-wise).

Now I also didn't want to run afoul of the law here, or punish the innocent (albeit crappy) hosting company.

So I didn't want this to be any sort of DDoS-type attack.  I simply wanted to flood the bad people with bad information and at least cause them some headaches.  So I made the program sleep for half a second between posts, and I made sure it properly closed the connection each time.  With the deed done, I added in some quick reporting that counted the number of times a certain instance of the program had "spammed the scammers," and added a quick check to make sure it had worked each time.

This way, I would know when the site was taken down, and I could stop running the program.
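The flooding step described above, as an added C++ example that is not the author's SFML program: it generates format-valid throwaway credentials, percent-encodes them into the GET query the form used, and recognises the 302-to-Steam reply the author relied on as the "it worked" check, pausing half a second between requests as the author did.  The form field names (username, password) and the username/password format rules are assumptions; the article names only the account.php path.  The actual send over the network (SFML's HTTP class in the original) is left out so the block runs stand-alone.

```cpp
// Added example, not the article's code. Generates format-valid throwaway
// credentials, encodes them as the GET query the phishing form used, and
// recognises the 302-to-Steam reply the article treats as "the script ran".
// Field names, the format rules and the sample response are assumptions.
#include <algorithm>
#include <cctype>
#include <chrono>
#include <cstddef>
#include <iostream>
#include <random>
#include <string>
#include <thread>

struct Credential {
    std::string user;
    std::string pass;
};

// Assumed rules: username 6-16 chars, starts with a letter, [a-z0-9_];
// password 8-20 chars with at least one letter and one digit.
static const std::string kLetters = "abcdefghijklmnopqrstuvwxyz";
static const std::string kDigits = "0123456789";
static const std::string kUserAlphabet = kLetters + kDigits + "_";
static const std::string kPassAlphabet =
    kLetters + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + kDigits + "!#$%&*";

static char pick(std::mt19937& rng, const std::string& alphabet) {
    std::uniform_int_distribution<std::size_t> d(0, alphabet.size() - 1);
    return alphabet[d(rng)];
}

// The filter a scammer might apply before storing a pair; every generated
// credential must pass it so nothing can be discarded automatically.
bool looksValid(const Credential& c) {
    if (c.user.size() < 6 || c.user.size() > 16) return false;
    if (kLetters.find(c.user[0]) == std::string::npos) return false;
    for (char ch : c.user)
        if (kUserAlphabet.find(ch) == std::string::npos) return false;
    if (c.pass.size() < 8 || c.pass.size() > 20) return false;
    bool letter = false, digit = false;
    for (char ch : c.pass) {
        if (kPassAlphabet.find(ch) == std::string::npos) return false;
        if (std::isalpha(static_cast<unsigned char>(ch))) letter = true;
        if (std::isdigit(static_cast<unsigned char>(ch))) digit = true;
    }
    return letter && digit;
}

// Build one credential that satisfies looksValid() by construction.
Credential randomCredential(std::mt19937& rng) {
    std::uniform_int_distribution<int> ulen(6, 16), plen(8, 20);
    const int ul = ulen(rng), pl = plen(rng);
    Credential c;
    c.user.push_back(pick(rng, kLetters));
    while (static_cast<int>(c.user.size()) < ul) c.user.push_back(pick(rng, kUserAlphabet));
    c.pass.push_back(pick(rng, kLetters));   // guarantee one letter...
    c.pass.push_back(pick(rng, kDigits));    // ...and one digit, then fill
    while (static_cast<int>(c.pass.size()) < pl) c.pass.push_back(pick(rng, kPassAlphabet));
    std::shuffle(c.pass.begin(), c.pass.end(), rng);
    return c;
}

// RFC 3986 unreserved characters pass through; everything else is %XX.
std::string percentEncode(const std::string& s) {
    static const char* hex = "0123456789ABCDEF";
    std::string out;
    for (unsigned char ch : s) {
        if (std::isalnum(ch) || ch == '-' || ch == '_' || ch == '.' || ch == '~') {
            out.push_back(static_cast<char>(ch));
        } else {
            out.push_back('%');
            out.push_back(hex[ch >> 4]);
            out.push_back(hex[ch & 0x0F]);
        }
    }
    return out;
}

// The form submitted by GET, so the pair travels in the query string.
std::string buildRequestTarget(const std::string& path, const std::string& userField,
                               const std::string& passField, const Credential& c) {
    return path + "?" + userField + "=" + percentEncode(c.user) +
           "&" + passField + "=" + percentEncode(c.pass);
}

// The site answered every submission with a 302 to the real Steam site;
// treat exactly that reply as "accepted", anything else as "site is down/changed".
bool submissionAccepted(const std::string& rawResponse) {
    if (rawResponse.compare(0, 5, "HTTP/") != 0) return false;
    const std::size_t sp = rawResponse.find(' ');
    if (sp == std::string::npos || rawResponse.compare(sp + 1, 3, "302") != 0) return false;
    const std::size_t loc = rawResponse.find("\r\nLocation: ");
    if (loc == std::string::npos) return false;
    const std::size_t eol = rawResponse.find("\r\n", loc + 2);
    const std::string location = rawResponse.substr(loc + 12, eol - (loc + 12));
    return location.find("steampowered.com") != std::string::npos;
}

int main() {
    std::mt19937 rng(std::random_device{}());
    const int kThrottleMs = 500;  // the article's half-second pause between posts
    for (int i = 0; i < 3; ++i) {
        const Credential c = randomCredential(rng);
        std::cout << "GET " << buildRequestTarget("/account.php", "username", "password", c)
                  << " HTTP/1.1\n";
        std::this_thread::sleep_for(std::chrono::milliseconds(kThrottleMs));
    }
    return 0;
}
```

Because the form submitted by GET, every credential a victim typed also landed in the free host's access logs and in the victim's browser history, which is one more reason a real login form never carries a password in the query string.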

After a quick test, I set mine going, and distributed the program to every friend that would take it, explaining the situation and why they should do it.  When all was said and done, I had a good number of people running the program, and the site stayed up for at least another 10 hours or so.

My computer alone submitted well over 60,000 false accounts.

Do the math, and I think those last few hours of operation weren't very productive for them.  The hosting company took the site down, and I'm sure it just popped up somewhere else a day later.

My friend got his account back the next day, and strangely enough they had joined his account to an Asian gaming group.  I have no idea what the purpose of this was, except maybe they joined all the infected accounts to it as a record of who they had infected?  I don't know.

But at least, for one little bit, I had my retribution against some scammers.
