
CryptoRhythm: Analyzing and disrupting a PayPal scam (with love and toucans!)

At this point, we’re all used to receiving a few (if not tens or hundreds of) scam emails a week. Modern email services do an outstanding job of keeping these messages relegated to the spam folder through SPF, DKIM, and DMARC authentication. Still, a message or two will slip through on occasion. Such was the case when I found the following email in my inbox about a week ago.

[Image: A PayPal scam email sent from hello@mynumerology(dot)in]

Disclaimer: I don’t recommend clicking on spam links, even to pentest the website. If you choose to do so, be sure to use a VPN.

Initial contact

As one of the world’s largest online payment systems, PayPal is an obvious target for hackers and scammers. Groups on the dark web frequently sell compromised accounts on the site for as little as $200. Like the one above, these emails will attempt to draw out various sensitive details from users like account passwords, payment information, social security numbers, images of government IDs, and information PayPal itself doesn’t even collect, such as debit card PINs.

While purporting to be sent from the official PayPal address service@paypal.com, this email actually came from hello@mynumerology(dot)in with the display name set to ‘service@paypal.com’. This technique is usually easy to spot because most email clients show both the sender's display name and the actual address in the message header.
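The display-name trick described above can be caught mechanically: the From header is parsed into its display name and real address, and a display name that itself looks like an email address on a different domain is flagged, along with any SPF, DKIM or DMARC result that did not pass. The following Python is an added example written for this article, not code from the post; the two header sets are constructed samples modelled on the message described (sender.example is a placeholder domain), and `registrable()` is a deliberately crude two-label approximation of a registrable domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers modelled on the message described in the article.
# These are not the real email; sender.example is a placeholder domain.
SPOOFED_HEADERS = """From: "service@paypal.com" <hello@sender.example>
To: victim@example.com
Subject: Your account has been limited
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=sender.example; dmarc=none header.from=sender.example

"""

# A constructed legitimate-looking message for comparison (also not a real email).
LEGIT_HEADERS = """From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Receipt for your payment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com

"""

# Matches something that looks like an email address inside free text.
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.[a-z]{2,}", re.I)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for a demo; production code should use a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_from_header(raw: str) -> dict:
    """Flag a display name that looks like an address on a different domain than the real sender,
    and report every authentication mechanism that did not produce 'pass'."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    findings = []

    addr_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if not addr_domain:
        findings.append("from-address-missing")

    embedded = ADDR_RE.search(display_name)
    if embedded and addr_domain:
        name_domain = embedded.group(0).rsplit("@", 1)[-1].lower()
        if registrable(name_domain) != registrable(addr_domain):
            findings.append(f"display-name-lookalike:{name_domain}!={addr_domain}")

    # Authentication-Results is written by the receiving server, so it is the
    # trustworthy place to read SPF/DKIM/DMARC outcomes from.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech}={result}")

    return {"display_name": display_name, "address": address, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_HEADERS), ("legit", LEGIT_HEADERS)):
        print(label, check_from_header(raw))
```

Run against the constructed spoofed message, the check reports the paypal.com-versus-sender.example mismatch plus `spf=none`, `dkim=missing` and `dmarc=none`; the constructed legitimate message produces no findings.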

I decided to do a bit more reconnaissance before proceeding to the scam website. mynumerology(dot)in indeed does not provide SPF or DMARC records that authenticate email sent from its domain, allowing scammers to spoof email from it.
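What the SuperTool lookup above boils down to is reading two TXT records and asking whether a receiver would actually reject forged mail. The Python below is an added example, not the article's code or MXToolbox's: it parses an SPF record for the qualifier on its `all` mechanism and a DMARC record for its `p=` tag, then classifies the domain. DNS is replaced by a constructed table (`FAKE_DNS`) so it runs offline; the three `.example` domains and the verdict labels are assumptions made for the demonstration.

```python
from typing import Callable, Dict, List

# Constructed TXT records standing in for DNS answers; none of these are real lookups.
FAKE_DNS: Dict[str, List[str]] = {
    # Like the domain in the article: no SPF and no DMARC at all.
    "unprotected.example": [],
    "_dmarc.unprotected.example": [],
    # SPF with soft fail and DMARC in monitoring mode: forged mail is reported, not blocked.
    "monitoring.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "_dmarc.monitoring.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example"],
    # Hard-fail SPF plus an enforcing DMARC policy.
    "enforced.example": ["v=spf1 ip4:192.0.2.10 -all"],
    "_dmarc.enforced.example": ["v=DMARC1; p=reject; pct=100; adkim=s; aspf=s"],
}


def fake_resolver(name: str) -> List[str]:
    """Stand-in for a TXT lookup; returns the constructed records above."""
    return FAKE_DNS.get(name.lower(), [])


def parse_spf(records: List[str]) -> dict:
    """Report whether exactly one SPF record exists and which qualifier its 'all' term carries."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or several records both mean "no usable policy" (RFC 7208)
        return {"present": bool(spf), "valid": False, "all": None}
    qualifier = None
    for term in spf[0].split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"  # no qualifier means '+'
    return {"present": True, "valid": True, "all": qualifier}


def parse_dmarc(records: List[str]) -> dict:
    """Report the DMARC policy tag (p=) if exactly one valid record exists."""
    recs = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return {"present": bool(recs), "valid": False, "policy": None}
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return {"present": True, "valid": True, "policy": tags.get("p")}


def assess_domain(domain: str, resolver: Callable[[str], List[str]] = fake_resolver) -> dict:
    """Classify how a DMARC-aware receiver will treat mail forging this domain in the From header."""
    spf = parse_spf(resolver(domain))
    dmarc = parse_dmarc(resolver("_dmarc." + domain))
    if dmarc["policy"] in ("quarantine", "reject"):
        verdict = "enforced"      # forged mail is quarantined or rejected
    elif spf["all"] == "-" and dmarc["policy"] is None:
        verdict = "spf-only"      # some receivers reject on hard fail, but the From header is unprotected
    else:
        verdict = "spoofable"     # no policy, p=none, or soft fail: forged mail gets through
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "verdict": verdict}


if __name__ == "__main__":
    for d in ("unprotected.example", "monitoring.example", "enforced.example"):
        print(assess_domain(d))
```

For a live check, swap `fake_resolver` for a function that performs a real TXT query (for example with dnspython's `dns.resolver.resolve(name, "TXT")`, joining each answer's string chunks). Note that `p=none` is the case that trips people up: the domain "has DMARC", yet a forged message is only reported to the `rua` address, never blocked.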

[Image: MXToolbox’s SuperTool is a great way to check for email security issues.]

The website itself seems fine. As mentioned previously, the scammers are taking advantage of the domain’s lack of email security policies to send spam from it, and the website’s owners likely aren’t complicit.

[Image: The mynumerology(dot)in website]

PayPal encourages users who receive phishing emails targeting their services to forward them to spoof@paypal.com, which I did before exploring the scam any further.

[Image: Google’s Safe Browsing warning for the phishing site]

synxdeveloper(dot)com

The link included in the email led to synxdeveloper(dot)com. By the time I had browsed to it, Google’s Safe Browsing feature had already identified the site as a phishing campaign, which probably cut down on the scam’s success rate significantly.

The site is one of the better PayPal impersonations I have seen in a while. Beyond the obvious indicator that the domain name is incorrect, the text at the bottom of the site states that this version of PayPal is served to Singapore residents (perhaps where the CryptoRhythm author resides). This would not be the same site served to US residents. Buttons other than the “Log In” button do not function, either.

[Image: The fake PayPal login landing page]

Taking a moment to check the WHOIS database, I saw that the domain was registered only a short time ago.

Domain Name: SYNXDEVELOPER.COM
Registry Domain ID: 2561479332_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.tucows.com
Registrar URL: http://tucowsdomains.com
Updated Date: 2020-09-25T05:35:28
Creation Date: 2020-09-23T05:49:51
Registrar Registration Expiration Date: 2021-09-23T05:49:51
Registrar: TUCOWS, INC.
Registrar IANA ID: 69
Reseller: Yahoo Small Business
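Domain age is one of the cheapest phishing indicators to automate, and the WHOIS record above is enough to compute it. The Python below is an added example (not part of the post) that parses the record's `Key: value` lines, works out how old the domain was and how long it was registered for, and flags both. The analysis date is assumed, since the article only says "about a week ago", and the 30-day threshold is an assumption as well.

```python
import re
from datetime import datetime

# The WHOIS record quoted in the article, used here as sample input.
WHOIS_TEXT = """Domain Name: SYNXDEVELOPER.COM
Registry Domain ID: 2561479332_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.tucows.com
Registrar URL: http://tucowsdomains.com
Updated Date: 2020-09-25T05:35:28
Creation Date: 2020-09-23T05:49:51
Registrar Registration Expiration Date: 2021-09-23T05:49:51
Registrar: TUCOWS, INC.
Registrar IANA ID: 69
Reseller: Yahoo Small Business
"""

# Assumed analysis date (the article gives no exact date); constructed for this example.
ANALYSIS_DATE = datetime(2020, 10, 2, 12, 0, 0)
# Assumed threshold: registrations younger than this are treated as suspicious.
NEW_DOMAIN_DAYS = 30

# 'Key: value' lines; the key stops at the first colon so URLs in values survive.
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_whois(text: str) -> dict:
    """Turn the record into a dict; later duplicates of a key overwrite earlier ones."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def _parse_date(value: str) -> datetime:
    # WHOIS output varies by registrar; this handles the ISO form seen here, with or without a trailing Z.
    return datetime.fromisoformat(value.rstrip("Z"))


def domain_age_report(text: str, now: datetime = ANALYSIS_DATE,
                      threshold_days: int = NEW_DOMAIN_DAYS) -> dict:
    """Compute domain age and registration term, and list the indicators that fire."""
    fields = parse_whois(text)
    created = _parse_date(fields["Creation Date"])
    expires = _parse_date(fields["Registrar Registration Expiration Date"])
    age_days = (now - created).days
    term_days = (expires - created).days
    indicators = []
    if age_days < threshold_days:
        indicators.append(f"registered {age_days} days ago")
    if term_days <= 366:  # throwaway phishing domains are rarely registered for more than one year
        indicators.append("minimum one-year registration term")
    return {
        "domain": fields.get("Domain Name", "").lower(),
        "registrar": fields.get("Registrar"),
        "age_days": age_days,
        "term_days": term_days,
        "indicators": indicators,
    }


if __name__ == "__main__":
    print(domain_age_report(WHOIS_TEXT))
```

With the assumed analysis date the domain comes out nine days old on a one-year term, so both indicators fire; re-running with a date a year later clears the age indicator but keeps the short-term one.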

I also noticed that URL parameters for country, locale, and what is probably a client ID were set when browsing to the site, but modifying each of them didn’t yield any interesting results.

[Image: URL parameters created when browsing to the scam website (client ID redacted)]

After supplying some fake credentials, I stepped through several pages attempting to obtain additional information, including billing address, debit card number and PIN, birth date, social security number, and even a copy of the user’s passport or other government-issued ID.

[Images: Screenshots of the phishing site attempting to gather the user’s PayPal credentials, billing address, and debit card]
[Images: More screenshots of the phishing site attempting to gather the user’s birth date, SSN, debit card PIN, and an official ID]

Experimenting with sqlmap + ZAP

[Image: Using sqlmap to scan the URL parameters]

I started by hitting the URL parameters with sqlmap to test for SQL injection vulnerabilities. However, this wasn’t very successful because, as I would discover later, the application wasn’t storing any form data and was simply emailing it to the scammer when the user submitted it. At least I probably hindered the scammer from finding any real user data by sending them thousands of emails filled with garbage SQL input.

[Image: The sqlmap failure message]

Next, I ran OWASP’s ZAP web scanner on the site. This attempt was much more fruitful, specifically through the use of the spider to find a bunch of URLs that weren’t linked directly from the main page.

[Image: ZAP spider results]
[Image: The ‘/install’ page for the scam website]

Most of the pages didn’t provide any interesting information; they were primarily blank or contained error messages. Then I browsed to the /img directory…

mhamdi_manager (aka U7TiM4TE_H4x0R Plugin)

[Image: The “mhamdi_manager” or “U7TiM4TE_H4x0R Plugin 2018” didn’t seem to be an original part of CryptoRhythm.]

I was very surprised to see that the scammer had left a management application unprotected, albeit in an obscure directory. I was even more surprised to see that it contained a (mostly) functional file browser complete with actions to upload, edit, or delete files. Unfortunately, neither the “Anon shell” nor the “Adminer” button worked. I would have to obtain my own shell.

Whatever the “mhamdi_manager” or “U7TiM4TE_H4x0R Plugin 2018” page was, I don’t believe it was part of the original application, instead being added on to the application by the scammer that purchased this instance of CryptoRhythm. Either way, it made my goal fairly easy to accomplish.

[Images: The viewing and editing capabilities of the management application]

By poking around in the management application a bit more, I was able to learn that this scam was called CryptoRhythm and had existed long enough to be on version 2.1. Unfortunately, there was no developer contact information included in the file. :)

Since neither the “Anon shell” nor the “Adminer” button in the management application actually functioned, I needed to write and upload my own PHP backdoor. Using the innocuous name img.php, I uploaded the simple file below to the /img directory using the management application.

[Image: A simple PHP backdoor that forwards commands passed as a URL parameter to the shell.]

Finding victim files

It works! Using my backdoor, I was able to browse beyond the scope of the management application and inspect the file system.

[Image: The server’s ‘/etc/passwd’ file — usually something that should not be accessible from the web]

Here, I found out that while user data wasn’t actually being collected and stored on the web server, victims’ uploaded “verification documents” were accessible to anyone with the link to them.

[Image: A list of government IDs provided by scam victims]
[Images: A few of the IDs that I found and forwarded to PayPal’s fraud department]

I definitely took the liberty of deleting these from the server, although I highly doubt that I arrived soon enough to prevent the scammers from downloading them. The IDs and any additional data I could find have been forwarded to PayPal in the hope that they can notify the victims of the scam. I also deleted the folders that contained the images so that future uploaded images would fail to save.

Preventing others from being scammed

While inspecting the code, I learned that the scam site is simply emailing all form data to the scammer rather than storing it locally. This is probably to prevent data loss due to the short-term nature of most scam sites. I found the line below in a mailer.php file. It controls the email address where inputted data is forwarded.

[Image: ‘papa05@protonmail.com’ (presumably the scammer’s email address) where scam information was forwarded]

I simply changed it to one of my Spamex forwarding addresses that in turn sent it to spoof@paypal.com. I also contacted ProtonMail to report the scammer’s “papa05@protonmail.com” address, but I don’t believe any action could be taken against the account since there was no way to verify that the scammer owned it.

[Image: My Spamex email address that forwarded the emails to me, and thus to PayPal.]

The scammer didn’t seem to notice the different email address, as it remained the same for a period of several days. During that time I was also able to analyze a few test emails that I sent through the site.

[Image: An email from the CryptoRhythm application forwarded through Spamex, reporting an uploaded document]

There used to be a scam here…

Eventually, the scammer noticed that I had tampered with the email settings and reset most of the application while also restricting access to the management page. I would have assumed that they were using Docker or another application to run the scam site in a container, but apparently not (or my basic backdoor was just good enough for them to think it was part of the application and back it up, because I was able to get right back in using it).

[Image: I could still use my backdoor!]

After gathering all the source code and copying it to my PC, I wanted to prevent the scam from functioning any further. Rather than risk a complete infrastructure burn-down by running rm -rf * from the root directory (and losing my backdoor access if the scammer restored the site), I simply edited the front page.

[Image: This new landing page looks much nicer without all that PayPal stuff.]

The scammer and I went back and forth for a few days by restoring and deleting the main page, but I don’t think they were able to find my backdoor. Eventually, I browsed to the site one night after work and found that either they were tired of my memes or that the scam on this domain was no longer generating useful data (probably a bit of both…).

[Image: Goodbye!]

A side note on CryptoRhythm

I can find a few references to CryptoRhythm on the clear web, mostly for older versions targeting other platforms and by those looking to sell the scam kit for around $20. There’s also an old “mhamdi_manager” page cached on Google, although I don’t believe this application has any relation to the scam.

Regardless, I uploaded the code (with a few choice deletions) to a private GitHub repository. I’d happily give anyone who wants to learn about phishing kits access if I can verify you have an established interest in security topics.

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
