Hacking a scam server

Tram Ho

Context

I received a message inviting me to join a high-paying online job; I am unemployed, so I befriended them. After learning about it for a while I realised this was a scam, so I decided to attack this server. The whole process of learning about and documenting the scam I left on YouTube; here I would like to go deeper into the technique.

Collect information

Servers deployed at Zenlayer data centers in Hanoi and Ho Chi Minh City

Frontend written in Vue.js, using a Chinese frontend template

Payloads sent to and received from the Vue frontend are encrypted

Web server is Tengine, Taobao's rewrite of nginx

Attack method

Most scammers want quick returns, so the account registration flow is very fast and has few verification steps; that made a DDoS-style attack my first choice. I also tried registering the phone number 0000000001.

Now it's time to create the payload. The encryption routine is somewhere in the minified, obfuscated JS pile, and finding it is not difficult with Chrome DevTools (thanks, Google): set a breakpoint before the frontend sends the request and trace back from there. The setT function lives in a file named zepto.all.js, a seemingly innocuous Ajax helper library, but it calls the encryption routine: options.data=gde(keyWords,JSON.stringify(options.data));

The keyWords value used as the encryption key is also stored in the same file.

And gde() is the encryption function, with a name that hopefully frustrates the reader.

I copied setT and its dependencies out and tested a single request; everything worked. I deployed a Node.js script to register 1000 random accounts and let pm2 restart the process forever. The server became congested and went into maintenance, then it blocked my Node.js IP. I used Tor to rotate IPs; then it only let me register 3 accounts per IP. I found that the deposit endpoint was not blocked; it froze again, but after a while it blocked one IP range for all endpoints.
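The blocking described above (a per-IP cap, enforced on one endpoint at a time, then a range block) is the defender's side of this story. As an added example that is not from the post, here is a detection check a site operator could run over Tengine/nginx access logs: it pools registration and deposit POSTs per source IP and per /24 inside a sliding window, so a flood that rotates IPs or switches endpoints is still caught. The log lines, endpoint paths and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample lines in nginx/Tengine combined-log style. The endpoint
# paths and addresses are assumptions, not taken from the scam site.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Oct/2022:19:46:45 +0700] "POST /api/register HTTP/1.1" 200 120
203.0.113.10 - - [09/Oct/2022:19:46:46 +0700] "POST /api/register HTTP/1.1" 200 120
203.0.113.10 - - [09/Oct/2022:19:46:47 +0700] "POST /api/register HTTP/1.1" 200 120
203.0.113.10 - - [09/Oct/2022:19:46:48 +0700] "POST /api/register HTTP/1.1" 429 30
203.0.113.11 - - [09/Oct/2022:19:46:49 +0700] "POST /api/register HTTP/1.1" 200 120
203.0.113.11 - - [09/Oct/2022:19:46:50 +0700] "POST /api/deposit HTTP/1.1" 200 80
203.0.113.12 - - [09/Oct/2022:19:46:51 +0700] "POST /api/deposit HTTP/1.1" 200 80
198.51.100.7 - - [09/Oct/2022:19:50:00 +0700] "POST /api/register HTTP/1.1" 200 120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WRITE_ENDPOINTS = ("/api/register", "/api/deposit")  # assumed paths

def parse(lines):
    """Yield (ip, timestamp, method, path, status) for each line that parses."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect_flood(lines, window_seconds=60, per_ip=3, per_range=5):
    """Count POSTs to account-changing endpoints, pooled across endpoints, per
    source IP and per /24 inside a sliding window; return the offenders."""
    seen = {"ip": defaultdict(list), "net": defaultdict(list)}   # key -> timestamps
    flagged = {"ip": set(), "net": set()}
    limits = {"ip": per_ip, "net": per_range}
    for ip, when, method, path, _status in sorted(parse(lines), key=lambda r: r[1]):
        if method != "POST" or path not in WRITE_ENDPOINTS:
            continue
        keys = {"ip": ip, "net": str(ip_network(f"{ip}/24", strict=False))}
        for kind, key in keys.items():
            # keep only events still inside the window, then add this one
            recent = [t for t in seen[kind][key] if (when - t).total_seconds() <= window_seconds]
            recent.append(when)
            seen[kind][key] = recent
            if len(recent) > limits[kind]:
                flagged[kind].add(key)
    return flagged["ip"], flagged["net"]
```

Because the counters are pooled across both write endpoints and also keyed by /24, the "three accounts per IP, then move to the deposit endpoint, then rotate IPs" pattern from the post trips the range threshold even when no single address exceeds its own cap.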


Coming back after a while, it doesn't block anymore!? I guess this system's maintenance team works without version control, and the most recent deploy erased the previous person's work. Fraud groups work quite locally: people in one department often don't know what other departments do. This organization is not effective in terms of work, but it is quite safe for those at the top. Thank you for reading; next time I will approach a more sophisticated group of scammers.


Source: Viblo