Re: Legitimacy of new Heartbleed exploit?

[Ivan Kwiatkowski <ivan () kwiatkowski fr>]

I've just had a little fun with the author(s) of this scam.

After reading the first e-mail in this thread, I decided to write to the SafeMail address in case I could get some more 
information. I received a reply very quickly (kudos for professionalism), and was assured that 7 people had already 
purchased the exploit. I acted like I was interested but still suspicious, and the scammer agreed to demonstrate the 
exploit on a server I controlled, apparently oblivious to the fact that I would be running Wireshark just in case.

What ensued was actually funny. First, s/he sent back a fake heartbleed dump. I know it was fake, because the scammer 
had made a mistake in the URL. So I told him/her to try again. I received another dump. Evidently, it was forged as 
well: the raw bytes and the ascii dump didn't even match. Here's an excerpt from what I received:

0110: 20 68 74 74 70 73 3A 2F 2F 69 6E 73 74 61 6E 74   https://blog.kw
0120: 2D 65 2E 63 6F 6D 2F 69 6E 64 65 78 2E 70 68 70   iatkowski.fr/..

(The bytes actually translate to this:)

0110: 20 68 74 74 70 73 3A 2F 2F 69 6E 73 74 61 6E 74    https://instant
0120: 2D 65 2E 63 6F 6D 2F 69 6E 64 65 78 2E 70 68 70   -e.com/index.php

Finally, I called the scammer on that and s/he decided s/he didn't want to play anymore.
I was hoping to find an IP address in the mail headers, but I got Tor exit nodes every time :(

So yeah, if anyone was still wondering whether the exploit was legit or not... Now we know.
I'd like to add that whenever one stumbles on an obvious scam, the civic thing to do is to act like you buy it. 
Rationale: scammers don't have the time to separate legitimate mugus from the ones who just pretend. Their business 
model relies on the fact that only gullible people will reply. Now were they spammed back, their workload would 
increase so much that scamming wouldn't be a profitable activity anymore.

Food for thought.

Ivan

----- Original Message -----
From: "david switzer" <david.e.switzer () gmail com>
To: "H. Dong" <julius.kivimaki () gmail com>
Cc: fulldisclosure () seclists org
Sent: Friday, April 25, 2014 11:21:07 PM
Subject: Re: [FD] Legitimacy of new Heartbleed exploit?

Even moreso when you see the account that the money is being funneled into:

https://blockchain.info/address/16R14EH4v8A9GPXkAAP8gcMFBA8oxA8nbY

215,637.634057  * 482.60 (current Camp BX rate) = 104066722.195

104 mil.. they've had alot of different scams going besides this, I'm
guessing.... dang we're in the wrong line of "work" ;)



On Fri, Apr 25, 2014 at 3:29 PM, H. Dong <julius.kivimaki () gmail com> wrote:

> https://blockchain.info/address/1BKRqnmWNfK5qjhouMaBFHwjHK9ibfrKhx
> Apparently it's a rather successful scam.
>
>
> 2014-04-25 21:18 GMT+03:00 Dillon Korman <me () dillonkorman com>:
>
> > Saw a link to this:
> > http://pastebin.com/qPxR9BRv
> >
> > There is no actual exploit code in there since they insist of keeping it
> > private. Do you think there really is a working exploit on new versions
> of
> > OpenSSL?
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > http://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/