The script used to trash a banking phishing site

trash.sh

#!/bin/bash

while :; do

    verf=$(cat /dev/urandom | tr -dc '0-9' | fold -w 8 | head -n 1)
    pin=$(cat /dev/urandom | tr -dc '0-9' | fold -w 5 | head -n 1)

    ip=$(printf "%d.%d.%d.%d\n" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))")


    curl -s -I http://elba-app.com/Raiffeisen/ > header.txt

    cookie=$(cat header.txt | grep 'Set-Cookie:' | cut -d ' ' -f 2 | cut -d ';' -f 1)
    location=$(cat header.txt | grep 'location:' | cut -d ' ' -f 2 | cut -d '/' -f 1)

echo "$ip $cookie with $location"

echo "[i] Login"
curl -s "http://elba-app.com/Raiffeisen/$location/submit.php" \
  -H 'Connection: keep-alive' \
  -H 'Cache-Control: max-age=0' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Origin: http://elba-app.com' \
  -H "X-Forwarded-For: $ip" \
  -H "CF-Connecting-IP: $ip" \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H "Referer: http://elba-app.com/Raiffeisen/$location/login.php?" \
  -H 'Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7' \
  -H "Cookie: $cookie" \
  --data-raw "verbot=&type=username&state_text=Salzburg&state=ELOOE-05-V-&username=ELOOE-05-V-$verf" \
  --compressed \
  --insecure

echo "[i] Pass"

curl -s "http://elba-app.com/Raiffeisen/$location/pass.php?" \
  -H 'Connection: keep-alive' \
  -H "CF-Connecting-IP: $ip" \
  -H 'Cache-Control: max-age=0' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36' \
  -H "X-Forwarded-For: $ip" \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H "Referer: http://elba-app.com/Raiffeisen/$location/login.php?" \
  -H 'Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7' \
  -H "Cookie: $cookie" \
  --compressed \
  --insecure

  echo "[i] hundle"

    curl -s "http://elba-app.com/Raiffeisen/$location/hundle-pin.php" \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36' \
  -H "Content-Type: multipart/related" \
  -H "X-Forwarded-For: $ip" \
  -H "CF-Connecting-IP: $ip" \
  -H 'Origin: http://elba-app.com' \
  -H "Referer: http://elba-app.com/Raiffeisen/$location/pass.php?" \
  -H 'Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7' \
  -H "Cookie: $cookie" \
   --form "pin=$pin" \
  --compressed \
  --insecure

    echo "Sent $verf with pin $pin"

done

You are a tech god among men. I just finished reading your blog at https://blog.haschek.at/2020/stopping-phishing-campaigns-with-bash.html and what a fun ride. Thanks!

Glad you liked it

Read your blog post. I also had similar case. After I saw that my script was kind of slow, I implemented multithread. It became MUCH faster. Right now scripts sends request only after you get 200 response. Multithread or asynchronous for the win

Read your blog post. I also had similar case. After I saw that my script was kind of slow, I implemented multithread. It became MUCH faster. Right now scripts sends request only after you get 200 response. Multithread or asynchronous for the win

Awesome, can you share it?

You are a legend