RE: Secure banking.
Most users online that I know of, myself included, have a list of maybe half a dozen passwords/datasets that are frequently used; for instance some people use the same passwords for email (secure and unsecure web-based), forums and banking.
It's not outside the realm of possibility to get a user's profile and figure out his half dozen passwords and the URL of his bank, then brute force the account with a very small list (generally 3 attempts before the account is locked and you need to call up your bank), which would result in a 50% chance of gaining access to someone's account.
This is without even discussing the possibility of an external organisation gaining control of the packet filtering equipment and monitoring the streams from users at a given exchange to their own ends, then redirecting traffic to a spoofed DNS that again redirects people to a fraudulent mirror of your bank's site.
You honestly think that serious criminal and terrorist organisations have no interest in an almost unlimited free source of additional income to pay for whatever will forward their agendas? Even if such a move involved actual physical access to the equipment, it's a straightforward matter to hand an Openreach worker a nice fat brown envelope to look the other way for 30 mins whilst you peruse the premises.
Think about this:
I (being a criminal mastermind genius) start sniffing on customers' data and begin compiling a list of each customer's passwords over unsecured connections.
I also generate a list of each customer's online banking URLs (not the actual secure stuff, just the site URL).
I also spend a couple of hundred opening bank accounts at the sites found to be most frequently used; I do this merely to gain access to those bank sites and set up my own fake servers. You have to speculate to accumulate.
Now, after mirroring my own bogus servers, I start redirecting traffic to them using Phorm's equipment to route everything through my own shady DNS servers. I do this only to harvest customer passwords, and once I have these passwords I display an error stating the website is currently down for "Maintenance", followed by an apology and a request to "please allow up to 24hrs while we fix our errors." (Masterminds are not all like Blofeld; we can be nice too.)
After 12~18hrs I stop redirecting traffic, and do this same redirection every few weeks for the next 6 months, farming as much as I can.
After these 6 months I would purchase my flights to a non-extradition country with a damned good telecommunications network (Russia and China spring to mind as fun destinations).
I then run my script to systematically log in to and transfer money out of the millions of valid accounts now at my disposal, starting with all business accounts (netting me the most cash) right down through to individual personal accounts.
Funnelling all this cash into a long list of separate accounts abroad (that I would have spent the 6-month profiling time setting up); this is to avoid the suspicion of every British resident dumping money into a single traceable account and raising a red flag.
Then I would start phase 2 to swap the money around these accounts and bounce it around a little before trickling it into a nice large private account; the trick is to keep it moving around and confuse anyone looking to trace it to a single point. After nine hours of reviewing logs anyone will go squeg eyed and begin to make errors.
After touching down in Russia I would then extract as much cash as I could by hand and place it in a few banks over there before transferring it around further, using some to get myself a nice "black market" new identity, to move around to another country where I would happily reside for the rest of my life knee deep in banknotes.
Once set up I would forward Kent an email enquiring as to the point of targeting adverts at anyone online in the UK when they no longer had any money to be interested in any of them.
Thereby pulling off the biggest bank heist in history and netting myself a nice little sum to start a new life of absurd and unending pleasures beyond anyone's wildest dreams.
Of course I would totally cripple the UK economy as residents and businessmen woke the next day to have their cards eaten by the machines.
But frankly, to hell with you guys, I can afford a slew of lawyers to fend you off.
All this with a few months of setup, without having to resort to violence or raising my voice, and without placing a single hostage or even myself at any risk.
The best of it is that since the police and Home Office are entirely reluctant to investigate what happens online, it could take months of red tape before a single suspect is generated, let alone people pointing the finger at me.
It would however make an awesome screenplay (and this has the added benefit of not having an angry nation track me down like the dog that I am).
OK, so maybe I'm scaremongering and just a touch sarcastic, and upon rereading it, I seem to descend entirely into paranoid drivel and sheer tinfoil hattery.
But the simple fact is that monitoring SSL and HTTPS isn't necessary to gain some seriously sensitive information on a person that could be used to his or her detriment.