Smishing Smackdown: Unraveling the Threads of USPS Smishing and Fighting Back

Presented at DEF CON 32 (2024), Aug. 10, 2024, 10:30 a.m. (45 minutes).

It's the holiday season and all through the air, Messages arrive, not with joy, but despair. A sinister plot unfolds, a digital dance, Smishing scammers striking, a threat to enhance. This past holiday season saw a dramatic rise in SMS phishing (smishing) messages specifically targeting people by pretending to be the USPS. Almost everyone in the United States received one of these messages, sent using a kit sold by the ‘Smishing Triad’. While many of us knew these were scams, many more did not, including someone close to me. I knew I had to do something about it once I started receiving these texts myself. With my focus in web application testing, I immediately took interest in these smishing kits and how I could exploit them. After a thorough review, some collaboration with other researchers, and a little reverse engineering, I was able to find two vulnerabilities in the scammers’ kits allowing me to log in to the admin panels. Using this, I have been able to recover over 390k distinct credit cards that the scammers had gathered using over 40 admin panels and well over 900 unique domains. Along with this was info on the scammers themselves, like login IPs, usernames, and some cracked passwords they use. This talk will cover the technical details of how I reverse engineered this kit, found these vulnerabilities, and collected the victim and admin data for each of these sites. My Blog: [link](https://blog.smithsecurity.biz/systematic-destruction-hacking-the-scammers-pt.-2) [link](https://blog.smithsecurity.biz/hacking-the-scammers)

Presenters:

  • S1nn3r
    S1nn3r is a recent college graduate. He holds the OSCP, GCIH, eCPPT, Sec+, and some more alphabet soup. He has interned with multiple DoD agencies and now will work in the private sector doing red teaming. During his internships he has worked in exploit development, red teaming, and threat analysis. During his time at school, he has been elected president of the Cybersecurity Club, led multiple CTF teams, organized CTFs, discovered a CVE, and has been awarded over $10k from bug bounty programs.