Phishers are not nice people.

Quite a while ago I woke up to some unread emails telling me that 3 nice people from Brazil had ordered 5 servers from a company I co-run. It was a nice surprise but the orders looked fishy: They were all ordered around the same time all with different details, and all of the details WERE WRITTEN IN CAPS LOCK. I thought it was weird but I had never met someone from Brazil before, perhaps that's just how they roll?

Anyway a few days later I woke up to a phonecall from a company called MarkMonitor, apparently these 3 nice Brazilian people have been using their servers and our network to phish for bank logins: victims computers are compromised and their hosts file altered so that any attempts to visit one of several prominent banks would instead take the victim to the attackers server which served up a realistic looking login page. However upon login their account credentials were emailed to noipro12@gmail.com, which was the email of one client who ordered two of the five servers from us. I did a quick grep over each of the servers /var/www to confirm that it was the same person using fake identities and then suspended all of the servers. A game of cat and mouse ensued where he would sign up for accounts using stolen details, we would suspend his servers as soon as we found them. Screw him, people who steal other peoples money like this as well as disrupt legitimate businesses (PayPal were really not happy with us) deserve to be shut down and that's exactly what I did.

I noticed a pattern while dealing with this, he always used the same initial root password:

(Note: This is not his account password, it's his initial root password which we tell all clients to change ASAP). The console that the fields are referencing is a feature of SolusVM that allows clients to log into their servers via a Java applet that actually logs into the host node itself and then jumps inside their container - its pretty good if you loose access to your server. I think its a terrible idea and the security restrictions we have on the node means it doesn't work at all (we don't let random clients connect to the host node!). I thought this password might be worth trying with his email, and voila I was in:

It turns out this guy makes a living off renting cheap virtual servers using stolen credit card information, setting up phishing sites, blasting out phishing emails and then clearing out the poor people who get tricked. Using the one email I got I was able to access a whole range of other email accounts:

  • acido43@gmail.com (primary Google account)
  • roxleto@hotmail.com (primary email, used since 2009. Name: Paulo Guimsn)
  • vooedescontos1@gmail.com
  • googleduox@hotmail.com
  • onlid4.12@gmail.com

Each of these is used to set up a PayPal account for the user and rent a server from a provider. The acido43 address had a blank Facebook and Google+ account and it appears to be used pretty regularly, a lot of the other accounts have backup emails set to acido43@gmail.com.

By gaining access to a single email account I was able to get into a lot of accounts - His facebook, contact info on his personal account, mobile numbers, his search history, his habits and his youtube history.

It was scarily easy how simple it was to gain access to other services like PayPal, 4Shared, FaceBook and Hotmail by having that account - simply resetting the password was enough for most services like PayPal and 4Shared, despite the fact that I was logging in from a different country on a different continent. FaceBook was not much better, but that was because the account is fairly new and un-used. FaceBook detects when you are logging in from a new/unusual country or timezone and prompts you to confirm who you really are by using your phone.

Hotmail was the best and the worst and deserves a paragraph of its own. Upon logging into his Live account the service locked me out, asking me to enter his year of birth, the place his mother was born or by sending an email to a second and obscured account. I tried using a proxy in Brazil to log in but it still wouldn't let me access the account. As accessing his account would have been nice but getting his emails would be enough I simply entered his credentials into ThunderBird and downloaded all of his emails since 2009, bypassing the account lockout.

So yeah. I downloaded all his emails and wiped them from his accounts and he hasn't bothered us since. If you are going to steal peoples money at least use a different password for all your accounts.

Edit: A few people have said that I should have contacted the police about this rather than take matters into my own hands. Sure, I could have done (and maybe I should have), but it would have been utterly pointless. This isn't some high level phisher raking in hundreds of thousands of dollars, he's a drop in the ocean, and the Brazilian police would not have cared in the slightest.