A unique way to mine traffic
All information provided is taken from public sources, is for informational purposes only and does not call for action!
We will be looking for access to various CRM systems, analyzing the systems, analyzing the victim, and then performing a spill (a mass mailing) to the victim's clients on its behalf.
There are an incredible number of possibilities, and all of them depend on the functionality of the system we managed to penetrate. We may encounter the possibility of sending SMS messages, messages via messengers, messages via other connected applications, or messages by e-mail.
The most important thing here is that such a mailing will have high trust, because it is not sent from throwaway numbers and emails.
Step 1. Finding access
So, let's start searching for our victims. The first thing to do is to turn to a search engine and ask for CRM systems. Don't go for the largest ones, as they introduced 2FA long ago (not all of them). I would advise you to start with medium-sized systems. I can recommend the service Capterra: it is a list of all software, with the ability to sort by popularity. In this service we will be able to see at a glance whether the functionality we need is available.
There is a function for sending emails, contact lists, etc.
Having selected several platforms, we proceed to their initial analysis.
We go to the main page and look for the login button.
By the way, sometimes it's not there, but you can find the login page via Google with the query "namesite login".
After that we can observe four variants of events:
- Enter login/email:password - this is fine, we can move on to search queries.
- Enter login/email:password:company code - this is not suitable for us, because we will probably not be able to find out the company code without access to the mailbox.
- Enter login/email:password:company domain - this may work for us, because the URL:LOG:PASS database may have the same domain in the URL field.
- Go to the company's own domain to log in - the same thing, we just use the company URL from the database as the login page.
Now we take our query from this page and go to look for it in the url:log:pass databases using software.
After sorting by software I get the results and check them.
It is necessary to go through all the results found and get access to some accounts. At this stage we will be able to understand whether it is possible to work with this query at all.
During the search, if we managed to enter an account, then the platform is suitable for us; there will be platforms where 2FA is always mandatory, in which case the platform is not suitable for us.
* You can poke at all the links on the 2FA page, trying to bypass it; I once managed to bypass it this way on one platform.
** If one account has 2FA, try other accounts; there have been times when 10 accounts had 2FA and one was open.
Step 2. Platform Analysis
Here we are: we've found our accounts, logged into them, and we see different patterns depending on the types of activities our victims are engaged in.
The first thing I would do in the sorting process would be to create a separate file for each platform and record the access and a brief description on it (how many clients / what they do / user permission level). We will meet ordinary employees and admins; you can tell at once, since the ordinary user has a lot of functions cut down and no access to manage CRM settings, while the admin has everything.
Suppose you have two accesses: 1000 clients and 100k clients.
We take the small one and go study the system.
What you need to understand - Checklist:
- Is it possible to send sms to customers?
- Is it possible to send messages to clients in related applications, if any (for example, you may find a crm with airbnb integration).
- Is it possible to send messages from corporate mail to clients' and partners' mail.
- See what data there is about clients, export all the lists, check for photos of client documents and payment data.
Depending on the specifics, see if there is any other valuable information that we can sell.
In 99% of cases, CRM allows you to send texts and emails from corporate email and corporate phones, but this may be limited by a valid subscription, or there may simply be no corporate email attached.
In some cases you can pull a large customer base, somewhere you can pull their photo IDs, somewhere you can even access credit cards.
If you thought this was fantastic, I'm going to surprise you, I've found a lot of it.
Do not analyze the platform from a large account, so that it doesn't suddenly get lost; study and test from small accounts. I do not recommend registering free trials for the test, because if you cannot find valid accesses for the test, and in principle getting them will be difficult, go to another site.
In some cases it will not be possible to send one message to everyone at once, and you may have to go through everyone one by one; it depends on the platform.
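A detection-side counterpart to Steps 1 and 2, added here as an example and not part of the original post: the pattern described (a password-only login from a location the account has never used, followed within minutes by a bulk send to the customer base) is exactly what a CRM operator's audit log can be checked for. The JSON log format, field names, baseline cut-off date, one-hour window and 500-recipient threshold are all assumptions; the log lines are constructed.

```python
"""Flag the CRM-abuse pattern from Steps 1 and 2 in an audit log:
a successful password-only login from an unfamiliar country followed
shortly by a bulk send. Added example; log format and thresholds are
assumptions, the sample lines are constructed."""
from datetime import datetime, timedelta
import json

# Constructed audit-log lines (hypothetical CRM export, one JSON object per line).
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:00:00","event":"login","user":"anna","ip":"203.0.113.10","country":"DE","mfa":true,"ok":true}
{"ts":"2024-03-01T09:05:00","event":"send","user":"anna","channel":"email","recipients":12}
{"ts":"2024-03-02T10:00:00","event":"login","user":"ben","ip":"198.51.100.7","country":"DE","mfa":false,"ok":true}
{"ts":"2024-03-02T10:10:00","event":"send","user":"ben","channel":"sms","recipients":40}
{"ts":"2024-03-10T02:13:00","event":"login","user":"ben","ip":"192.0.2.55","country":"NL","mfa":false,"ok":true}
{"ts":"2024-03-10T02:21:00","event":"send","user":"ben","channel":"email","recipients":9800}
{"ts":"2024-03-10T03:00:00","event":"login","user":"anna","ip":"192.0.2.56","country":"NL","mfa":true,"ok":true}
{"ts":"2024-03-10T03:05:00","event":"send","user":"anna","channel":"email","recipients":5}
"""

BASELINE_END = datetime(2024, 3, 5)   # assumption: history before this date is trusted
WINDOW = timedelta(minutes=60)        # assumption: a bulk send within an hour of the login
BULK_THRESHOLD = 500                  # assumption: recipients per send that counts as bulk


def parse_log(text):
    """Parse one JSON object per line into event dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, until=BASELINE_END):
    """Countries each user logged in from successfully before the cut-off."""
    seen = {}
    for e in events:
        if e["event"] == "login" and e["ok"] and e["ts"] < until:
            seen.setdefault(e["user"], set()).add(e["country"])
    return seen


def detect(events, baseline, window=WINDOW, bulk_threshold=BULK_THRESHOLD):
    """Return one alert per bulk send that follows, inside the window, a
    password-only login from a country outside the same user's baseline."""
    alerts = []
    suspicious = []  # (user, login_ts, ip) for logins meeting the login-side criteria
    for e in events:
        if e["event"] == "login" and e["ok"]:
            known = baseline.get(e["user"], set())
            if not e["mfa"] and e["country"] not in known:
                suspicious.append((e["user"], e["ts"], e["ip"]))
        elif e["event"] == "send" and e["recipients"] >= bulk_threshold:
            for user, login_ts, ip in suspicious:
                if user == e["user"] and login_ts <= e["ts"] <= login_ts + window:
                    alerts.append({
                        "user": user, "login_ip": ip, "login_ts": login_ts,
                        "send_ts": e["ts"], "channel": e["channel"],
                        "recipients": e["recipients"],
                    })
    return alerts


def users_without_mfa(events):
    """Inventory check: users whose most recent successful login was password-only
    (the 'ten accounts have 2FA and one is open' case from Step 1)."""
    last = {}
    for e in events:
        if e["event"] == "login" and e["ok"]:
            last[e["user"]] = e["mfa"]
    return sorted(u for u, mfa in last.items() if not mfa)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect(evs, build_baseline(evs)):
        print(f"ALERT {a['user']}: login from {a['login_ip']} at {a['login_ts']}, "
              f"bulk {a['channel']} to {a['recipients']} recipients at {a['send_ts']}")
    print("password-only users:", users_without_mfa(evs))
```

On the constructed input only "ben" trips the rule: the "anna" login from a new country is covered by MFA and her send is small. The MFA inventory is the cheaper control; the correlation rule is there for the accounts that inventory shows are still password-only.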
Step 3. Analyze the victim
I hope you have found your accesses and are ready to pour, but here comes the question: what to pour to maximize conversion?
I'll tell you this: if you have imagination and enthusiasm, you can pour anything.
First of all, let's study the victim:
Find their site online, walk around, see what they're selling.
Figure out their geo.
Find out what they sell most or which of their services are most popular.
Got the information? Now it's just a matter of coming up with an offer.
Step 4. Monetization Methods
Monetizing traffic can be done in many ways, and I suggest familiarizing yourself with each of them to have a complete arsenal, as not all areas of the victims' business will fit a certain monetization method.
One thing is for sure - we need the money :)
Drainer
There are quite a few accesses you can get that are suitable for a drainer.
From real-life examples: I got access to the CRM of a company engaged in blockchain projects; it is actually a gold mine for an offer under a drainer, but due to inexperience the access died before I had time to use it.
You need to think through your offer in great detail, present everything very well, and make a quality landing page specifically for one spill.
After analyzing the company, which you did in the last step, you should already understand whether your audience is suitable for a crypto-offer.
Let's talk some more about offers. In fact, with enough desire you can fit any topic under a drainer, for example if your victim sells something.
As an example, an offer will be like this:
Dear friends! We are pleased to inform you that we now accept payments in cryptocurrency! In honor of this event, today there are 70% discounts on all products paid with cryptocurrency. Go to the store.
Again, this is just a text, your offer should be of high quality and well thought out.
Keep in mind that such an offer will have a lower conversion rate, as it will only interest those who know what crypto is, and there may not be many of those in such a store.
Phishing bank cards
Almost every access is suitable for this topic, an offer can be invented for absolutely every project.
Since everyone is suitable here, you can complicate the psychology a little.
After analyzing your victim, try to come up with an offer that will press psychologically on the victim.
Your offer should have foreseeable consequences in case of rejection, for example, problems with the law, blocked cards. In this case, the conversion rate will be much higher.
Depending on the offer, you can add different custom fields, which can then come in handy for the stuffing, such as address, zip, etc.
So what do you do with that? There are different teams, people who are currently looking for cards with OTP (SMS code or push). You can make a deal with them and pour traffic to the phish; in live mode they will work the cards with OTP.
Collecting databases
Any valuable information you collect may be of interest to competitors or the authorities. The first thing you can try to do is to offer to sell all the information back to the victim himself, hinting at what it will cost him otherwise. If not, you can try to sell it to competitors. If not, you can sell it on a forum or in a darknet database.
A few nuances:
About re-binding: I don't recommend re-binding accounts, because sometimes after a spill access to them is retained, and that's a good thing: you can re-spill or use the account for other purposes.
Additional monetization: just yesterday I came across an account where bulk email distribution with a file attachment is possible; you can distribute any malware under any pretext.
About neighbors: in my entire history of work I did not meet a single neighbor, perhaps because accounts die in 60% of cases after working with them. Perhaps after publication neighbors will appear, but as I said above, I do not recommend changing accesses and rebinding the account, as it will 100% die when the legitimate user cannot get into the panel. Neighbors can be detected from the mailing logs, the letters delivered to clients.
About other accesses: having taken access to one account, do not be lazy to scour all the databases for other requests from the same user. It is also good for finding new CRM systems or similar systems, as in practice the user uses at least two different systems.
Infection of the corp. system: It depends on the individual case, I have not done this, but it is possible.
Conclusion
Using this method, you can blast hundreds of thousands of emails and messages in one click, with a very high trust rate.
You may have noticed that I have not given you any actual links to CRMs that I work with, there are plenty of them, do your own search, try and test.
As for ULP (URL:LOG:PASS) databases: there are plenty of them in the public domain; once your query is exhausted, you can buy it from private logs for a nominal couple of dollars.