The story of a hack or how they tried to lead away everything, but did not take away anything
The purpose of this topic is to publicize the actions of fraudsters who tried to deceive not only ordinary users, but also harm honest people who brought them to clean water. Attackers are afraid of publicity and fame, as this will greatly harm their plans. I publish this post at the request of a friend and founder of the project macpages.me Nail Yangazov . Further, the story goes on his behalf.
I have my main mail on the MobileMe service, which by the way next summer will become history. I was naive and never used complex, generated passwords on the network and everything was great. However, at the end of 2010, while working at a computer, I suddenly received a message about password recovery in the mail, I did not order the procedure myself. Naturally, I understand that they want to divert the mail, but I manage to change the password myself before the attacker. Since then, I have only used passwords generated by the software, for example, 1Password on Mac.
Everything was normal until recently - there was a unique password in the mail with special characters, letters of different registers and a length of at least 10 characters. With the selection of such a hack, not every botnet can. In addition, this password was not the only one for all accounts - mail, twitter, panel for the domain, etc.
')
Last week, a non-existent personality, Alexey Shcherbakov, from the “development department” of the marberry.ru online store, writes to the support@macpages.me mail of the project. Offers a very tasty affiliate program, promising 15% discount to users on all Apple equipment and a good percentage of our project for attracted customers.
I note that we already have a similar affiliate program with iPrintIt - a photo printing service from iPhoto and Aperture in Russia. I know their founder personally and the company was created not so long ago in our eyes, I think you can still dig up the topics of discussion and the origin of the idea at ru_mac. Therefore, I reacted with suspicion to the new proposal, which came from nowhere.
I’ll clarify with the manager where such cheap equipment comes from, we can’t always bring something from Finland at that price, and here we also promise a good percentage to our users and our discount. Some economic wonders, as it turned out later - no, just ordinary scammers.
They answer that they are purchased at DiShaus LLC and do not worry, all the equipment is “white” and under warranty (for those who do not know, I will say that DiHaus is really one of the main, if not the main distributor of Apple equipment in Russia, large retailers like Re: Store). It seems to be quite normal communication, they respond on time and quite correctly, but the site of the store, to put it mildly, strains it in a hurry, half of the links do not work, information about the technique is scarce, and contacts are even poorer.
Then I climb on their site and stumble upon a community link in Vkontakte. More than 80 thousand participants, videos with grateful customers, some discussions. It seems to be quite a lively community, imbued with a little trust and agree to the affiliate program. Although I know that it is not difficult to wind this business on a social network.
Sunday evening I am preparing a banner in the sidebar with a discount offer. It was agreed with the manager that by entering the code word “macpages” when placing the order, the buyer will receive a 15% discount. Finally, I decide to google and read reviews about the company:
All spelling is preserved, these and other reviews are available here , as well as many other sites on the net. Looking ahead to say that a scammer is really 17 years old at the moment, it can therefore be a tradesman - a minor.
I understand that I didn’t contact those and decide to make a page with unscrupulous stores and services that work with Apple technology in order to warn other users. The guys with marberry.ru, allegedly unaware of anything, continue to specify by mail how we will interact, I do not answer them.
I wake up today at 8 am. The habit of immediately checking email on the iPhone does not fail - at 3:39 the night the main email password was changed. Next come the password recovery messages for admin macpages.me and the panels for the domains, I have two of them - on the webnames and majordomo. At the first, the contact email was also changed so that I could not regain access even after successfully logging in to MobileMe.
So losing everything on the network at once, to put it mildly, was a surprise. But he did not panic.
The guys from marberry.ru cleaned up all the loopholes, changed passwords and control questions to recover passwords. They were not ashamed to indicate the name, address, mobile number in the contacts of the account holder. But in the end, Apple let them down ...
For mail on MobileMe, there are several customization options - in the account itself at me.com and on the company's website at appleid.apple.com. So, we cleaned the whole thing through the second address, but in the settings for me.com my second email address remained untouched - the lists of alternative email addresses turned out to be independent at both addresses, and on me.com it doesn’t seem to be edited. As you may have guessed, I was able to send a link to recover the password to the saved address.
Next, getting access to the mail regained control over the domains and the admin site. In the case of webnames, I was lucky - the company is located in Samara and I was able to personally come to the office, presented a passport and a manager without too much paperwork (which was surprising!) Erased the attacker's contact address by typing mine.
Later, I also saw in the mail messages about attempts to recover passwords on various services, but access for fraudsters was closed ... From the hopelessness began even more inadequate actions with marberry:
The climax - ask for a compromise. The sender's address is fake, so Mail counted it as spam:
And I made the following conclusions:
We have come to the most interesting moment, but first of all I emphasize that I publish publicly available data - from social networks, websites and open sources. Our nail is Vladimir Shakurov, registered in Kazan, 17 full years, and in May there will be 18, and therefore responsibility will be added:
His profile on Vkontakte, you can send greetings. But the group literally today was covered by Vkontakte moderators, many complaints:
By the way, a comrade is talented, deceiving dozens if not hundreds of people using the Apple technique, he is working on new projects, which I would recommend bypassing and advising others to do the same ( do not open these addresses; phishing is possible ):
The list will be updated. His domains are all registered through PrivacyProtect.org, but at the moment I managed to find out:
This raises the question of what to do next. In our departments I believe a little, but suddenly? There are some contacts in the FSB, is it worth it to use? If it seems to someone that nothing terrible has happened and the theft of passwords is a childish prank, then besides the passwords there were credit card data and personal personal data.
I ask everyone who has the opportunity to disseminate information about this person as widely as possible. In turn, through familiar bloggers I will try to ensure the maximum number of reposts in runet, and you can copy and paste as many as you like.
And one more thing, rather to lawyers. This person also knows some information about me (full name, registration, passport, phone number). I do not rule out that soon something will be written about me on the net. Will it be possible to attract additional money for this business? After all, the facts will not be there, which means slander.
UPD
An interesting video testimony of this man’s divorce was found - link (VK)
A certain Elena describes in her blog how they threw her and post his passport and “legal” data - link
Reduced copy of his passport - link (VKontakte)
Foreword
I have my main mail on the MobileMe service, which by the way next summer will become history. I was naive and never used complex, generated passwords on the network and everything was great. However, at the end of 2010, while working at a computer, I suddenly received a message about password recovery in the mail, I did not order the procedure myself. Naturally, I understand that they want to divert the mail, but I manage to change the password myself before the attacker. Since then, I have only used passwords generated by the software, for example, 1Password on Mac.
Everything was normal until recently - there was a unique password in the mail with special characters, letters of different registers and a length of at least 10 characters. With the selection of such a hack, not every botnet can. In addition, this password was not the only one for all accounts - mail, twitter, panel for the domain, etc.
')
Marberry.ru
Last week, a non-existent personality, Alexey Shcherbakov, from the “development department” of the marberry.ru online store, writes to the support@macpages.me mail of the project. Offers a very tasty affiliate program, promising 15% discount to users on all Apple equipment and a good percentage of our project for attracted customers.
I note that we already have a similar affiliate program with iPrintIt - a photo printing service from iPhoto and Aperture in Russia. I know their founder personally and the company was created not so long ago in our eyes, I think you can still dig up the topics of discussion and the origin of the idea at ru_mac. Therefore, I reacted with suspicion to the new proposal, which came from nowhere.
I’ll clarify with the manager where such cheap equipment comes from, we can’t always bring something from Finland at that price, and here we also promise a good percentage to our users and our discount. Some economic wonders, as it turned out later - no, just ordinary scammers.
They answer that they are purchased at DiShaus LLC and do not worry, all the equipment is “white” and under warranty (for those who do not know, I will say that DiHaus is really one of the main, if not the main distributor of Apple equipment in Russia, large retailers like Re: Store). It seems to be quite normal communication, they respond on time and quite correctly, but the site of the store, to put it mildly, strains it in a hurry, half of the links do not work, information about the technique is scarce, and contacts are even poorer.
Something's wrong here Cap
Then I climb on their site and stumble upon a community link in Vkontakte. More than 80 thousand participants, videos with grateful customers, some discussions. It seems to be quite a lively community, imbued with a little trust and agree to the affiliate program. Although I know that it is not difficult to wind this business on a social network.
Sunday evening I am preparing a banner in the sidebar with a discount offer. It was agreed with the manager that by entering the code word “macpages” when placing the order, the buyer will receive a 15% discount. Finally, I decide to google and read reviews about the company:
- Sell ​​Apple products are not expensive, in fact, cheating. I filed an application with the Prosecutor General’s Office and Petrovka 38/04/11. On the same day, Petrovka called back and clarified the details of how to contact me. The question is how long such cases can be considered, and what else do I need to do to get the money back?
- my friend is a victim. I live in Kazan. To find this scammer. Really no one can plant him?
- They found him. He is 16 years old, and he has been caught several times already. I hope to pay damages.
- all who are deceived to call the police department of KAZAN. (on K. Marx str.) +7 (843) 291-27-85 Novikov A.A.
- Today in the contact wrote, all that I think about this Vova, in short, I was quickly banned everywhere and obscended.
All spelling is preserved, these and other reviews are available here , as well as many other sites on the net. Looking ahead to say that a scammer is really 17 years old at the moment, it can therefore be a tradesman - a minor.
I understand that I didn’t contact those and decide to make a page with unscrupulous stores and services that work with Apple technology in order to warn other users. The guys with marberry.ru, allegedly unaware of anything, continue to specify by mail how we will interact, I do not answer them.
You got hacked
I wake up today at 8 am. The habit of immediately checking email on the iPhone does not fail - at 3:39 the night the main email password was changed. Next come the password recovery messages for admin macpages.me and the panels for the domains, I have two of them - on the webnames and majordomo. At the first, the contact email was also changed so that I could not regain access even after successfully logging in to MobileMe.
So losing everything on the network at once, to put it mildly, was a surprise. But he did not panic.
It's all about the nuances
The guys from marberry.ru cleaned up all the loopholes, changed passwords and control questions to recover passwords. They were not ashamed to indicate the name, address, mobile number in the contacts of the account holder. But in the end, Apple let them down ...
For mail on MobileMe, there are several customization options - in the account itself at me.com and on the company's website at appleid.apple.com. So, we cleaned the whole thing through the second address, but in the settings for me.com my second email address remained untouched - the lists of alternative email addresses turned out to be independent at both addresses, and on me.com it doesn’t seem to be edited. As you may have guessed, I was able to send a link to recover the password to the saved address.
Next, getting access to the mail regained control over the domains and the admin site. In the case of webnames, I was lucky - the company is located in Samara and I was able to personally come to the office, presented a passport and a manager without too much paperwork (which was surprising!) Erased the attacker's contact address by typing mine.
Later, I also saw in the mail messages about attempts to recover passwords on various services, but access for fraudsters was closed ... From the hopelessness began even more inadequate actions with marberry:
- Before I managed to return the zones to the domain, on macpages.ru they placed obscene language in my direction and address of registration (disclosure of personal data is punishable?), And later made a redirect to marberry.ru
- Sent an SMS about it:
- We started calling via Skype (St. Petersburg gateway at +7 (812) 458-87-70) and from unknown numbers (in fact, I know the numbers):
The climax - ask for a compromise. The sender's address is fake, so Mail counted it as spam:
findings
And I made the following conclusions:
- Do not "tie" all the services on one mail, it is better to create a separate box for this business and do not shine it anywhere
- Try to specify alternative emails in your profiles, as a rule you can quickly restore access through them
- Use only serious passwords, no logins and 12345 - I don’t get sick of it, but there are such users
- Different services - different passwords
- If possible, restrict all access by ip and use SMS notification. If the mail is taken away from you, they will not get without ip, and if they succeed in it, they won’t fake your SIM
The nail of the program
We have come to the most interesting moment, but first of all I emphasize that I publish publicly available data - from social networks, websites and open sources. Our nail is Vladimir Shakurov, registered in Kazan, 17 full years, and in May there will be 18, and therefore responsibility will be added:
His profile on Vkontakte, you can send greetings. But the group literally today was covered by Vkontakte moderators, many complaints:
By the way, a comrade is talented, deceiving dozens if not hundreds of people using the Apple technique, he is working on new projects, which I would recommend bypassing and advising others to do the same ( do not open these addresses; phishing is possible ):
- beta.lefreim.com and lefreim.com
- marberry.ru
- vovashakurov.ru
- mrbr.ru
- medialights.ru
The list will be updated. His domains are all registered through PrivacyProtect.org, but at the moment I managed to find out:
- Full name
- Passport (full details)
- ISP and some email addresses
- Personal mobile numbers and contact numbers marberry.ru
- Nearest contacts with names and numbers, including possible contacts of partners
- There are logs of authorizations, correspondence, SMS
This raises the question of what to do next. In our departments I believe a little, but suddenly? There are some contacts in the FSB, is it worth it to use? If it seems to someone that nothing terrible has happened and the theft of passwords is a childish prank, then besides the passwords there were credit card data and personal personal data.
I ask everyone who has the opportunity to disseminate information about this person as widely as possible. In turn, through familiar bloggers I will try to ensure the maximum number of reposts in runet, and you can copy and paste as many as you like.
And one more thing, rather to lawyers. This person also knows some information about me (full name, registration, passport, phone number). I do not rule out that soon something will be written about me on the net. Will it be possible to attract additional money for this business? After all, the facts will not be there, which means slander.
UPD
An interesting video testimony of this man’s divorce was found - link (VK)
A certain Elena describes in her blog how they threw her and post his passport and “legal” data - link
Reduced copy of his passport - link (VKontakte)
Source: https://habr.com/ru/post/129204/
All Articles