Full Disclosure mailing list archives
Re: Legitimacy of new Heartbleed exploit?
From: Ivan Kwiatkowski <ivan () kwiatkowski fr>
Date: Mon, 28 Apr 2014 14:53:57 +0200 (CEST)
I've just had a little fun with the author(s) of this scam. After reading the first e-mail in this thread, I decided to write to the SafeMail address in case I could get some more information. I received a reply very quickly (kudos for professionalism), and was assured that 7 people had already purchased the exploit. I acted like I was interested but still suspicious, and the scammer agreed to demonstrate the exploit on a server I controlled, apparently oblivious to the fact that I would be running Wireshark just in case. What ensued was actually funny. First, s/he sent back a fake heartbleed dump. I know it was fake, because the scammer had made a mistake in the URL. So I told him/her to try again. I received another dump. Evidently, it was forged as well: the raw bytes and the ascii dump didn't even match. Here's an excerpt from what I received: 0110: 20 68 74 74 70 73 3A 2F 2F 69 6E 73 74 61 6E 74 https://blog.kw 0120: 2D 65 2E 63 6F 6D 2F 69 6E 64 65 78 2E 70 68 70 iatkowski.fr/.. (The bytes actually translate to this:) 0110: 20 68 74 74 70 73 3A 2F 2F 69 6E 73 74 61 6E 74 https://instant 0120: 2D 65 2E 63 6F 6D 2F 69 6E 64 65 78 2E 70 68 70 -e.com/index.php Finally, I called the scammer on that and s/he decided s/he didn't want to play anymore. I was hoping to find an IP address in the mail headers, but I got Tor exit nodes every time :( So yeah, if anyone was still wondering whether the exploit was legit or not... Now we know. I'd like to add that whenever one stumbles on an obvious scam, the civic thing to do is to act like you buy it. Rationale: scammers don't have the time to separate legitimate mugus from the ones who just pretend. Their business model relies on the fact that only gullible people will reply. Now were they spammed back, their workload would increase so much that scamming wouldn't be a profitable activity anymore. Food for thought. Ivan ----- Original Message ----- From: "david switzer" <david.e.switzer () gmail com> To: "H. Dong" <julius.kivimaki () gmail com> Cc: fulldisclosure () seclists org Sent: Friday, April 25, 2014 11:21:07 PM Subject: Re: [FD] Legitimacy of new Heartbleed exploit? Even moreso when you see the account that the money is being funneled into: https://blockchain.info/address/16R14EH4v8A9GPXkAAP8gcMFBA8oxA8nbY 215,637.634057 * 482.60 (current Camp BX rate) = 104066722.195 104 mil.. they've had alot of different scams going besides this, I'm guessing.... dang we're in the wrong line of "work" ;) On Fri, Apr 25, 2014 at 3:29 PM, H. Dong <julius.kivimaki () gmail com> wrote:
https://blockchain.info/address/1BKRqnmWNfK5qjhouMaBFHwjHK9ibfrKhx Apparently it's a rather successful scam. 2014-04-25 21:18 GMT+03:00 Dillon Korman <me () dillonkorman com>:Saw a link to this: http://pastebin.com/qPxR9BRv There is no actual exploit code in there since they insist of keeping it private. Do you think there really is a working exploit on new versionsofOpenSSL? _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Legitimacy of new Heartbleed exploit? Dillon Korman (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? Jann Horn (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? Michal Zalewski (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? H. Dong (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? david switzer (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? Ivan Kwiatkowski (Apr 28)
- Re: Legitimacy of new Heartbleed exploit? david switzer (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? Bennett Todd (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? Peter Malone (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? Jann Horn (Apr 25)