_________ SWAT MAGAZINE ISSUE FIFTEEN: MARCH 1999 __________ / \___________________________________________/ \ / Stealing Adultpass ID's and other Login info \ / By =The-Doh-Boy= & -=The Firestarter=- \ ----------------------------------------------------------------------- Doh-Boy gave me the idea to this scam in an article he wrote for this months issue, there was one or two flaws in it, so I improved on it and incorperated as much of it in this file as I could. First off we'll look at the login procedure Age check, I don't think that agecheck and adultpass are the same company, but there login procedure is very similar. What you would do is visit a web site that usualy holds some sort of sick perverts fantasy pictures (usualy rape or incest). You would then have to plug in your ID number and hit the submit button, this would then be processed by the company, if your ID was correct, then you would be forwarded to another web page which would have all of the pictures or whatever was there. Each time you enter this page the webmaster gets a small ammout of cash, I'm not too sure of the exact ammount. So your probably thinking "Great I set up a web page with an adultpass ID login and spam the newsgroups." Well yeah you could do that, but what would that prove? I mean you'd get a couple of quid out of it at the most. Doh-Boy had the idea of hacking the sites which hosted these pages and altering the HTML code so that the ID was e-mailed to an address on Hotmail. A good idea only the problem with that it you would get the little "You are about to submit information via e-mail...." Now that would be a bit suspect now wouldn't it? and even when it was sent the person would remain on the main page and not get anywhere. Now I had the idea when I was going over some CGI script's looking at verious submission scripts and stuff like that. That would submit the informaion without the victim knowing that you'd stolen his ID, but what about the idea of getting the victim to the other page? well I'm sure you've all seen the "click on the banner to enter the web page" on the index page?. You should do, all that is, is a simple javascript that opens two links at once. Now if we where to incorpirate the idea of the CGI scripts with the javascript we'd have a pretty effective way of stealing passwords. Now I don't know the first thing about CGI programming, and what if I couldn't get hosting on a site that allowed CGI scripts? and I sure as hell ain't gonna host a scam on the SWATeam. So I looked into it a bit more, how about posting informaion to an e-mail address via a CGI script? so I looked into it, a similar exploit once worked for hacking hotmail. So what would we have to do? well I'd have to incorpirate the adultpass login screen along with the form to send me the ID and to send the victim to the other pages. This would be fairly simple, first thing I needed was the HTML code for the adultpass login. So a quick browsing of the newsgroups later I found a web site that participated in the adultpass scheme. The HTML code isn't important. I was more interested in the design of it all. So I opened up the page and looked at the code, some of the code had to stay the same, I mean I wanted it too look genuine. Now I came to this line:
And there we have it. As soon as somebody puts in there ID and hits the submit button the ID will get e-mailed the the swateam@geocities.com e-mail address. Now it is a case of spamming all of the newsgroups that deal with porn sites, something along the lines of: "100% free hardcore porn! Adultpass id required" with a brief description as to the "content" of the site. The perverts are happy and I have there ID. In fact I have somewhat of a collection of them, a few weeks of that scam, with postings made almost everyday to all of the newsgroups, the site got loads of hits, and I got loads of ID's. But what would happen if they where to look in the status bar of there browser? it would read "Contacting www.geocities.com..." Hmm, well this little script pasted into the header of the page fixed that problem: Have fun with your new found knowledge, all in all it took me two hours to get it right and have the ID e-mailed to me (after failed attempts to add javascript).