⚠️ Attention: Fake Emails from "LowEndTalk.cc" ⚠️ - Page 2

Comments

  • risharde Patron Provider, Veteran

    I had a professor recently tell me that computer science isn't a science. I guess he was right.

    Thanked by 2yoursunny devp
  • devp Member
    edited April 2022

    @risharde said: I had a professor recently tell me that computer science isn't a science. I guess he was right.

    A subset of Mathematics ( both Theoretical and Applied ).
    For reference reading links are shared earlier in current thread.

    Thanked by 1risharde
  • Void Member

    @risharde said:
    I had a professor recently tell me that computer science isn't a science. I guess he was right.

    If you had to add science to the word, it ain’t “science” mostly. Political science, Social Science etc for example.

    Thanked by 1risharde
  • MikeA Member, Patron Provider
    edited April 2022

    @stevewatson301 said:

    @dahartigan said: Getting the same thing from a lowendspirit.us domain now.

    @MikeA would you be so kind to add SPF, DKIM and DMARC records on your domain? It's being used to send phishing email, which isn't so nice.

    The domain is expired, I bought it from the person and never used it to save Jon any hassle, I just removed all DNS records at the time and let it sit. Not my problem. Maybe the companies actually having the spam sent from their services can handle it.

  • MikeA Member, Patron Provider
    edited April 2022

    Oops, apparently I did redirect it to my domain a week ago before it expired. I added (I think) appropriate records to it on Namecheap. Regardless, it's not my problem.

  • @MikeA said:
    Oops, apparently I did redirect it to my domain a week ago before it expired. I added (I think) appropriate records to it on Namecheap. Regardless, it's not my problem.

    🐟🎣

  • How did they get email addresses?

  • jbiloh Administrator, Veteran

    @laoban said:
    How did they get email addresses?

    We are still investigating.

    One theory, as mentioned earlier in this thread, is that it was through Gravatar and that the email accessible through that service was limited to 3 percent of our users.
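
Added example, not part of the thread and not the forum's own code: Gravatar avatar URLs embed a hash of the account's e-mail address, so an operator can measure the exposure behind the theory above by checking which public user records carry such a URL. `photoUrl` is the field named later in this thread; `userID`, the function names and the sample record are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

type user struct {
	UserID   int    `json:"userID"` // assumed field name
	PhotoURL string `json:"photoUrl"`
}

// Gravatar avatar paths end in a hex digest of the address (32 or 64 hex chars).
var avatarPath = regexp.MustCompile(`^/avatar/([0-9a-fA-F]{32}|[0-9a-fA-F]{64})(\.[A-Za-z]+)?$`)

// ExposesEmailHash reports whether a photoUrl publishes an email-derived hash.
func ExposesEmailHash(photoURL string) bool {
	u, err := url.Parse(photoURL)
	if err != nil {
		return false
	}
	host := strings.ToLower(u.Hostname())
	onGravatar := host == "gravatar.com" || strings.HasSuffix(host, ".gravatar.com")
	return onGravatar && avatarPath.MatchString(u.Path)
}

// Audit returns the IDs of exposed users and their share of all users listed.
func Audit(apiResponse []byte) (exposed []int, share float64, err error) {
	var users []user
	if err = json.Unmarshal(apiResponse, &users); err != nil {
		return nil, 0, err
	}
	for _, u := range users {
		if ExposesEmailHash(u.PhotoURL) {
			exposed = append(exposed, u.UserID)
		}
	}
	if len(users) > 0 {
		share = float64(len(exposed)) / float64(len(users))
	}
	return exposed, share, nil
}

func main() { // constructed sample response, not real forum data
	fmt.Println(Audit([]byte(`[{"userID":1,"photoUrl":"https://secure.gravatar.com/avatar/0123456789abcdef0123456789abcdef"}]`)))
}
```

Records flagged by the audit are the ones whose avatar should be served from a URL that does not contain the hash, such as a locally hosted or proxied image.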

  • Falzo Member

    @jbiloh said:

    @laoban said:
    How did they get email addresses?

    We are still investigating.

    One theory, as mentioned earlier in this thread, is that it was through Gravatar and that the email accessible through that service was limited to 3 percent of our users.

    maybe just scraping profiles which might have their setting to 'mail visible to others: yes'

  • @Falzo said: maybe just scraping profiles which might have their setting to 'mail visible to others: yes'

    I got a half dozen of them and my email isn't public.

    Thanked by 1Falzo
  • jbiloh Administrator, Veteran

    @skorous said:

    @Falzo said: maybe just scraping profiles which might have their setting to 'mail visible to others: yes'

    I got a half dozen of them and my email isn't public.

    Would you mind sending them to us via a support ticket?

    Even though the phishing site is already down we are still collecting data.

  • Hxxx Member

    This is why LET shouldn't allow providers to ask customers to post an order id in a public forum to get any sort of bonus. Provider gets compromised, DB leaks, that's one way to match LET users.

  • TimboJones Member
    edited April 2022

    @yoursunny said:

    @dahartigan said:

    @yoursunny said:

    @dahartigan said:
    I just uploaded the contents to termbin if anyone else would like to see it without clicking the dodgy link: https://termbin.com/sfgq

    The page references multiple CSS and JavaScript resources from lowendtalk.com domain.
    One of these resources can be modified to cause a warning displayed if someone clicks the phishing email.

    You will win a nobel prize one day

    That ain't happening.

    Computer Science has no future.
    I majored in Information Security, a subject closely related to computer science.
    When my father visited me at the research lab where I work, he pointed to the Nobel Prize winners in the awards gallery and asked when I would win a Nobel Prize.
    I checked the qualifications and realized that there isn't a Nobel Prize category for computer science.
    Hence, I should have chosen a chemistry major in order to have an opportunity to win the Nobel Prize.

    You're just going to have to become a President and do it the Obama way.

    You can bring about World Peace, right? Solve the problems of the Middle East? Easy stuff.

  • @jbiloh said:

    Would you mind sending them to us via a support ticket?

    Even though the phishing site is already down we are still collecting data.

    Lemme check. I already deleted them but perhaps I haven't emptied the trash yet.

  • Only had two left. Sent them in.

  • jbiloh Administrator, Veteran

    @skorous said:
    Only had two left. Sent them in.

    Thank you!

    Thanked by 1skorous
  • Hotmarer Member
    edited April 2022

    You can see that this is fake because LET doesn't have such nice looking e-mails.

    Thanked by 1dosai
  • dane_doherty Member
    edited April 2022

    What's the lore of tinyweasel?

  • Because some peeps using discord.

  • @dane_doherty said:
    What's the lore of tinyweasel?

    Twas once a fellow named tinyweasel,
    Who came here to make some new friends.
    Then suddenly Weasel blew his diesel,
    And DDoS'd the forums instead.

    Thanked by 1BlazinDimes
  • @zulaika said: TinyWeasel never DDoSed

    I took some creative license with my little poem, I know you didn't strictly DDoS the forum technically, but the poem wouldn't be as effective if it used words with a more positive connotation.

    Thanked by 2AlwaysSkint Falzo
  • bulbasaur Member
    edited April 2022

    @zulaika said:

    @dahartigan said: And DDoS'd the forums instead.

    Incorrect. TinyWeasel never DDoSed the forum directly, though, if you were in #lowendtalk (like I was back in late 2021), you might've seen some things.

    To add in some more context, LET has around ~84,000 users (bots? A few months ago, and this was waaay lower?) right now. If we know that ~4400 users had their emails scraped (various means), then only around ~5% of users were affected. LES has ~3400 users.

    Now, you might be wondering how one can pull this off. Well, it's quite simple, even with Cloudflare in place. We hit up our buddy (@Francisco), get a $3.5 VPS with a /48, write something in your favorite language to randomly pick a /128 out of that prefix, and serve it up as a SOCKS5 proxy server. Example how this can be done:

    l := CIDRMask/8
    for i := len(b) - 1; i >= l; i-- {
      b[i] = byte(rand.Intn(255))
    }
    

    Now, what's next? Well, simple, we use the tagsearch endpoint with a value of " ". This returns every registered user. We then compile a big list of email domains, before using the /users/by-names (documented endpoint, I should add) to get the gravatar hash; check if "secure.gravatar.com" is in photoUrl (I think that vanillaicons is also affected, not sure).

    All that is next is to write a script to use a thread pool and a somewhat crappy server to hash up every possible combination ([lowendtalk, let]@possible_domain.xyz). After this, we take our list, and pr0fit.

    FYI IPv6 isn't set up properly on LET. Try and login from a /48, you'll get ratelimited after a bit.

    Oh, and this should work on VanillaForums, too.

    Love the opsec (or lack thereof). He ends up revealing both his scheme and the time at which he performed the username enumeration (when he was a BuyVM customer).

    In before he posts people's privates and ends up being banned.

    Thanked by 1dahartigan
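
Added example, not part of any post in this thread and not LowEndTalk's code: the scheme quoted above sidesteps per-address limits by spreading requests over random /128s inside one /48, so the defensive counterpart is to count requests per IPv6 prefix instead of per address. The `PrefixLimiter` type, its fields and the documentation-range addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// PrefixLimiter is a fixed-window limiter that buckets IPv6 clients by prefix,
// so rotating through the addresses of one allocation does not reset the count.
type PrefixLimiter struct {
	V6Bits, Limit int
	Window        time.Duration
	epoch         int64 // number of the window the counters belong to
	hits          map[netip.Prefix]int
}

// Key maps a remote address to its bucket: /32 for IPv4, /V6Bits for IPv6.
func (l *PrefixLimiter) Key(remote string) (netip.Prefix, error) {
	addr, err := netip.ParseAddr(remote)
	if err != nil {
		return netip.Prefix{}, err
	}
	if addr = addr.Unmap(); addr.Is4() { // ::ffff:a.b.c.d counts as IPv4
		return addr.Prefix(32)
	}
	return addr.Prefix(l.V6Bits) // Prefix zeroes the host bits
}

// Allow counts a request seen at now and reports whether it is within the limit.
func (l *PrefixLimiter) Allow(remote string, now time.Time) bool {
	key, err := l.Key(remote)
	if err != nil {
		return false // unparseable source address: fail closed
	}
	if e := now.UnixNano() / int64(l.Window); e != l.epoch || l.hits == nil {
		l.epoch, l.hits = e, make(map[netip.Prefix]int) // new window: reset
	}
	l.hits[key]++
	return l.hits[key] <= l.Limit
}

func main() { // constructed sample: two /128s inside one documentation /48
	l := &PrefixLimiter{V6Bits: 48, Limit: 1, Window: time.Minute}
	now := time.Now()
	fmt.Println(l.Allow("2001:db8:aa:1::5", now), l.Allow("2001:db8:aa:ffff::9", now))
}
```

With `V6Bits` set to 128 every fresh address gets its own counter, which is the behaviour the quoted scheme relies on; 64 or 48 makes all addresses in one allocation share a bucket.
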
  • @stevewatson301 said: Love the opsec (or lack thereof). He ends up revealing both his scheme and the time at which he performed the username enumeration (when he was a BuyVM customer).

    You're free to seethe and dilate, of course. BuyVM is the cesspool of providers.

  • bulbasaur Member
    edited April 2022

    @stevewatson301 said: Love the opsec (or lack thereof). He ends up revealing both his scheme and the time at which he performed the username enumeration (when he was a BuyVM customer).

    You're free to seethe and dilate, of course. BuyVM is the cesspool of providers.

    Says the guy who literally "seethe[d] and dilate[d]" over some guy who made POST requests from a single IP to his phishing server.

  • @zulaika said:

    @stevewatson301 said:

    @stevewatson301 said: Love the opsec (or lack thereof). He ends up revealing both his scheme and the time at which he performed the username enumeration (when he was a BuyVM customer).

    You're free to seethe and dilate, of course. BuyVM is the cesspool of providers.

    Says the guy who literally "seethe[d] and dilate[d]" over some guy who made POST requests from a single IP.

    You should keep your loose anus shut, because every time you say something only shit comes out!

    You should consider a registration on Hostloc for your fetishes.

  • @zulaika said:

    You should consider a registration on Hostloc for your fetishes.

    What fetishes? All I know is that the libera netops are to blame. Hell, if anything, I only came to LET because they kept k-lining me off the network. Go and direct your blame to https://nitter.net/jessnode (Michael Pothecary), Aaron Jones, Gareth Pulham, and Tom Wesley.

    efnet/ircnet isn't the same, you see.

    I'm not clued up on the IRC drama you speak of. Mind giving me some reading material? (PM me if you don't want to discuss this publicly.)

  • Any final words before ze mods ban you?

  • dosai Member

    @zulaika tinyweasel nick is up for grabs, be quick.

  • bulbasaur Member
    edited April 2022

    @zulaika said: Yes, of course, and that is this will be the last LET account.

    Not sure about that though. You could register at Hostloc to offer NAT VMs but you'd need to learn Chinese (automated translations are shit), which leaves this as the only place to do so.

    How's that project coming up BTW? Never got a chance to use underserver, FWIW.

  • edited April 2022

    @Hotmarer said:
    You can see that this is fake because LET doesn't have such nice looking e-mails.

    The sad thing about TinyWeasel is he's a very intelligent hacker. That intelligence could have done so much good besides phishing / scamming.

    Who is he mad at & can that issue ever be resolved? The magic to @jbiloh's success is his thick skin & ability to forgive members in order to give them 2nd chances. Under most other leaders, 30% of this community would be permanently banned. That is a noble & rare quality.

    But some are unredeemable. Will TinyWeasel always be an evil genius with a hot temper just waiting to blow & hack again?

    @stevewatson301
    How's that project coming up BTW? Never got a chance to use underserver, FWIW.

    At what URL can TinyWeasel's project you refer to be found? "UnderServer"
