The art of Phishing Attacks

Anonymous Hackers pose Assassination Threat to the President of the United States

Anonymous Hackers take AIM at the President of the United States.

Hundreds of Twitter Users Identified as Anonymous Hackers

Is your money really safe?

With the threat of hackers targeting banks and showing no interest in protecting consumers, are banks safe?

Spies are watching your every move

People always talk about Big Brother spying on the populace, but hackers are doing most of the spying and using that information against you!

12/20/2014

Social Engineering of Bassem Masri

There is one thing I have very little tolerance for. That's hate against my country, hate against my flag, hate against our closest allies, in this case Israel, which I hold a deep love and respect for.

In my research of occupy / Anonymous / Activism in general, I ran across someone by the name of Bassem Masri. Who holds a ton of hate for America, burns American flags while spitting on them, all while inciting violence against Police officers.

So to give him some Consternation, I followed him closely, even down to the vehicle he drove to California. A 1997 Toyota Camry, 4 Dr, light blue, Arizona plate BGW0504.

In the process, I was able to Social Engineer the Cell Phone for Occupythemob, another Anti-America Activist, and gain the physical location they were stranded at with a flat tire and no spare.


He was very angry over this.


So, to continue my battle against abusive occupiers on american soil, I focused my eye on Bassem, and obtained his cell phone number, and the address of his father's business which he uses for receiving packages and court notices i'm sure.


What was it you said Bassem?
I can't do Sh*t?

Your phone number is 314-399-2670
Your Father runs Yeatman Market at 4401 Athlone Ave Saint Louis MO 63115

I sent Bassem an email claiming to be the CEO of a non-existent company wanting to donate hardware to his anti-government agenda. He was more than happy to receive it.

To: bassemmasriftp@gmail.com

Hello, My name is Greg Garner. I'm the CEO of Action Water Sports in San Francisco. One of our staff members told me about what you're doing to expose Police Brutality this morning. After being shown a video of your phone being destroyed, we would love to assist your movement. and are going to donate 3 portable waterproof battery units and a brand new waterproof GoPro Hero4 to increase your broadcast quality.

Please let me know where you would like these shipped, and a phone number where I can reach you directly to discuss other ways we may be able to help.

Thanks,
Greg Garner
Chief Executive Officer
Action Water Sports

From: bassemmasriftp@gmail.com

Thank u so much for the consideration I really appreciate that, those tools will help 
So much can send it to my fathers business 4401 athlone saint Louis mo 63115 my number is 3143992670 im very grateful and flattered u would Donate those tools can call me anytime 




U mad bro?
-ihazcandy




Please help if you're able for more lulz.



12/14/2014

Update on recent events

Update:

Account restored.




December 16, 2014:
LavaSolutions is now suspended.

Reason:

Hello,

We have received a complaint from an individual that your account is in violation of the Twitter Rules (https://twitter.com/rules), specifically our rules regarding posting information or images that the individual claims as private. In response to this complaint your account has been temporarily suspended.

Tweet link: https://twitter.com/lavasolutions/status/543584129283936257

###
Will be back shortly
###

Currently my main Twitter account @ihazcandy is suspended for posting "private information".

I posted screenshots of DMs from my Anonrelations account showing an address that the user anoncopwatch claims is fake, but he was angry enough about it to report it to Twitter demanding it be removed. Butthurt much?



So regardless of Twitter policy on the subject, they are MY DMs and I'll post whatever I want from MY accounts.

The current backup account is @lavasolutions

If that account goes down, I will update the current account to this page.

###

Below are some events that followed.





As always,
Donations support operations. Please help if you can.


1/31/2014

Pastebin Disclosure

Gmail - CONSTERNATION SECURITY https://mail.google.com/mail/u/0/?ui=2&ik=35e1...
BP Group <bpgroup001@gmail.com>
CONSTERNATION SECURITY 65 messages
BP Group <bpgroup001@gmail.com> Tue, Mar 27, 2012 at 1:28 PM To: admin@pastebin.com
We only use gmail.
please contact us at this address.
Pastebin Support <admin@pastebin.com> Tue, Mar 27, 2012 at 1:29 PM To: BP Group <bpgroup001@gmail.com>
Hello,
Are you from @ENiGMAzRR ?
If so, it seems you want something removed. Please let us know what. And next time, email first before you attack. We monitor our email 24/7.
Pastebin
On Tue, Mar 27, 2012 at 7:28 PM, BP Group <bpgroup001@gmail.com> wrote:
We only use gmail.
please contact us at this address.
BP Group <bpgroup001@gmail.com> Tue, Mar 27, 2012 at 1:33 PM To: Pastebin Support <admin@pastebin.com>
that is a joint account. we are a group from several countries, mainly USA, Germany and Russia
we email you guys often for removal requests. we would appreciate a kill button.
we seem to respond faster to fraud than anyone else. obviously.
the attack was actually an accident by jess, she said wouldn't it be funny to knock on their door to say hey! fraud!
and accidentally hit enter.
was not meant to be abusive, and was an accident. [Quoted text hidden]
we have requested this be removed as well. it has created death threats, because your staff refuses to remove content. [Quoted text hidden]
Pastebin Support <admin@pastebin.com> Tue, Mar 27, 2012 at 1:41 PM To: BP Group <bpgroup001@gmail.com>
1 of 12 04/07/2012 12:41 PM
Hey,
If you need something urgently removed next time, shoot us an email. Those are handled within minutes usually, the normal abuse reports can take days, and sometimes get ignored due to the insane volume of reports.
Emails never get ignored.
The attack was kinda crazy man... biggest one we've had so far, and we get quite a few.
Often in the 5gbps range, but this one knocked our socks off.
I measured 11.7gbps and close to 4MPPS. Don't do that again please...
I have removed http://pastebin.com/aPjZEHBZ
I noticed a few other pastes with the mention of: ENiGMAzRR
If you need any others done, let me know.
J [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Mar 27, 2012 at 1:45 PM To: Pastebin Support <admin@pastebin.com>
we hacked the booter network. we are not making it public, but we have ALL the drones.
just know, any future attacks are not us, we just have access to the drones.
here is the list of our hacks.
BP Group <bpgroup001@gmail.com> Tue, Mar 27, 2012 at 1:48 PM To: Pastebin Support <admin@pastebin.com>
can you shoot me over details of the attack we are looking to analyze data to submit to the feds on this network we can't see rogue spoofed drones being sent, and we don't have the bandwidth to attack ourselves.
thanks for the removal btw. [Quoted text hidden]
Pastebin Support <admin@pastebin.com> Tue, Mar 27, 2012 at 1:49 PM To: BP Group <bpgroup001@gmail.com>
I'll talk to my hoster to see if I can fetch some more information. This is what I saw: http://i.imgur.com/gJcnC.jpg all spikes are attacks, the most left one being Jess's. [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Mar 27, 2012 at 1:49 PM To: Pastebin Support <admin@pastebin.com>
romain [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Mar 27, 2012 at 1:51 PM To: Pastebin Support <admin@pastebin.com>
wow, bigger than we expected to see. we can get this shit shutdown but it's going to take some work. its being run by a group of anons out of Romania one guy named godfather has wrote a automated injection script that is spreading like wildfire. thousands of new drones a day [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Mar 27, 2012 at 1:57 PM To: Pastebin Support <admin@pastebin.com>
we are in the market of tracking who does what attack. helps to put a face to each attack. [Quoted text hidden]
Screenshot-30.png 21K
Pastebin Support <admin@pastebin.com> Tue, Mar 27, 2012 at 1:58 PM To: BP Group <bpgroup001@gmail.com>
good stuff, that scale on the left is bytes per second? [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Mar 27, 2012 at 2:02 PM To: Pastebin Support <admin@pastebin.com>
i can't recall the scale.
he's out of Brazil, where there seems to be no law against ddos. [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Mar 27, 2012 at 2:13 PM To: Pastebin Support <admin@pastebin.com>
we have to assume you guys have a real desire to end this, after all, where is your ad revenue if people can't visit your site.
we all think your company is key to the solution.
Pastebin Support <admin@pastebin.com> Tue, Mar 27, 2012 at 2:18 PM To: BP Group <bpgroup001@gmail.com>
Are you attacking again? I'm seeing 13MPPS hitting our servers... [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Mar 27, 2012 at 2:22 PM To: Pastebin Support <admin@pastebin.com>
its not us its coming from Asylum Booter. we don't have access to their control panel, but we see the drones dropping from the up list [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Mar 27, 2012 at 2:28 PM To: Pastebin Support <admin@pastebin.com>
thats the only other control panel with that much power that we know of. [Quoted text hidden]
Pastebin Support <admin@pastebin.com> Tue, Mar 27, 2012 at 2:29 PM To: BP Group <bpgroup001@gmail.com>
Ok thanks for the update.
Yeah I would love a few days without downtime, it causes major headaches.
I'll let you know if further attacks happen. [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Mar 27, 2012 at 2:30 PM To: Pastebin Support <admin@pastebin.com>
just send me the ip lists, i need to be able to setup honeypots to sniff out their control panels location. [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Mar 27, 2012 at 3:06 PM To: Pastebin Support <admin@pastebin.com>
we are not interested in the other details of the logs, rate of speed, data etc. we just need to know where it's coming from.
and we do it for freez! :)
thank yous for removing that for meh! <3 <3 <3 <3 cheers @ihazcandy [Quoted text hidden]
Pastebin Support <admin@pastebin.com> Thu, Mar 29, 2012 at 1:06 PM To: BP Group <bpgroup001@gmail.com>
Hey, Was just browsing Twitter a little, found: https://twitter.com/#!/ENiGMAzRR/status/185195794503184384
Is this a warning for another attack on Pastebin?
You know you can email us about removals right?
Jeroen [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Thu, Mar 29, 2012 at 2:37 PM To: Pastebin Support <admin@pastebin.com>
this is not all about removals. i don't want to expose you communicating with us to the world, it makes people lose trust in you, you should act pissed at us over twitter. play their own game against them. anyone who attacks pastebin to do actual damage should be destroyed.
we saw the drones attacking and took credit last night to piss off the group doing it to see who claimed we were lying. no one did though. at least on irc that we saw.
we still need those ip's to identify the control panel sending the attacks. we have a common goal. we just need some cooperation. [Quoted text hidden]
Pastebin Support <admin@pastebin.com> Fri, Mar 30, 2012 at 6:14 AM To: BP Group <bpgroup001@gmail.com>
Hey,
Ok thanks for clearing that up. Good to know.
I won't be taking part in a fight with people over Twitter though, that is not what we use Twitter for.
Jeroen [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Fri, Mar 30, 2012 at 6:37 AM To: Pastebin Support <admin@pastebin.com>
I'm seeing discussion from anonymous Romania talking about a attack today. I'd keep your eyes open. they are also attempting to find database access, claiming you guys are working with the feds to catch hackers. [Quoted text hidden]
Pastebin Support <admin@pastebin.com> Fri, Mar 30, 2012 at 6:38 AM To: BP Group <bpgroup001@gmail.com>
Ok, thanks for the heads up! [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Fri, Mar 30, 2012 at 7:39 AM To: Pastebin Support <admin@pastebin.com>
any time. we don't like abusive politics. and thats what these people are doing to you. so we will stand by your side. privately. [Quoted text hidden]
Pastebin Support <admin@pastebin.com> Fri, Mar 30, 2012 at 9:17 AM To: BP Group <bpgroup001@gmail.com>
Quick question, is @Ihazcandy part of your crew?
I'm documenting all threats at the moment.
Cheers. [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Fri, Mar 30, 2012 at 9:30 AM To: Pastebin Support <admin@pastebin.com>
yeah.
Pastebin Support <admin@pastebin.com> Sat, Mar 31, 2012 at 4:18 AM To: BP Group <bpgroup001@gmail.com>
Ok thanks for the info. [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 4:11 AM To: Pastebin Support <admin@pastebin.com>
can I please get the ip that posted http://pastebin.com/J1PFnqgq they are attempting to sqli my site, a lost cause, but i still need to know who it is. [Quoted text hidden]
Pastebin Support <admin@pastebin.com> Tue, Apr 3, 2012 at 4:14 AM To: BP Group <bpgroup001@gmail.com>
sure man. 71.0.220.96 hope it helps.
btw are you in contact with @anonops or @youranonnews ?
a lot of shit is being written by journalists how pastebin now is totally against anonymous, most of it is not true.
i dont want to get in the middle of things publicly on twitter, so i would like to email those guys, or have a skype chat. [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 6:19 AM To: Pastebin Support <admin@pastebin.com>
I don't know who runs their twitter accounts, but I can get ahold of them on irc. anonymous will bind to anything that has a media story. they don't care if you take the hit in the process. the reason I assume they don't care of all the legal bullshit they have already put you through.
anyways, thanks, i'll try and get in contact with someone from anonops 4 you. [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 6:36 AM To: Pastebin Support <admin@pastebin.com>
are you able to search for posts by ip? I want to know if 71.0.220.96 has made any other pastes, would help a lot in tracking this person down. cant do anything legally, but i
can scare the shit out of them :P
[Quoted text hidden]
Pastebin Support <admin@pastebin.com> Tue, Apr 3, 2012 at 6:42 AM To: BP Group <bpgroup001@gmail.com>
I did a full DB search, only N4esp8rP and J1PFnqgq were posted by that ID. [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 6:43 AM To: Pastebin Support <admin@pastebin.com>
thanks, i contacted power2all, he's one of the people who runs anonops, said he will email you. [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 6:47 AM To: Pastebin Support <admin@pastebin.com>
makes no sense, the ip you gave me is listed in the paste. why would they give me their ip. any ip information on recent posts under the group name teampoison? these are the ppl doing it. [Quoted text hidden]
Pastebin Support <admin@pastebin.com> Tue, Apr 3, 2012 at 7:01 AM To: BP Group <bpgroup001@gmail.com>
that is kinda odd, i just double checked, and it is the IP that created those posts. maybe its a hacked computer? i'm not sure.
not really sure what teampoison creates, if you send paste URL's, i can check. [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 7:08 AM To: Pastebin Support <admin@pastebin.com>
daskCWM8 [Quoted text hidden]
Pastebin Support <admin@pastebin.com> Tue, Apr 3, 2012 at 7:09 AM To: BP Group <bpgroup001@gmail.com>
192.162.102.50
[Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 7:11 AM To: Pastebin Support <admin@pastebin.com>
thanks mate [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 7:16 AM To: Pastebin Support <admin@pastebin.com>
do you have a timestamp on that post? [Quoted text hidden]
Pastebin Support <admin@pastebin.com> Tue, Apr 3, 2012 at 7:17 AM To: BP Group <bpgroup001@gmail.com>
Mon, 02 Apr 12 22:00:00 -0500
[Quoted text hidden]
Pastebin Support <admin@pastebin.com> Tue, Apr 3, 2012 at 7:17 AM To: BP Group <bpgroup001@gmail.com>
wow that is freaky timing, 22:00:00
probably a bot of some kind [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 7:18 AM To: Pastebin Support <admin@pastebin.com>
yeah, on the dot [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 7:25 AM To: Pastebin Support <admin@pastebin.com>
any other posts from the russian vpn around the same time? [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 8:39 AM To: Pastebin Support <admin@pastebin.com>
wanna get some good press? and a good laugh at the same time?
deface that last paste while they spread it across twitter tell the world you are a business, not a dumping ground for illegal content. and in the pastebin world, you are god. think teamposer script kiddies evoking the fury of flying spaghetti monster [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 8:55 AM To: Pastebin Support <admin@pastebin.com>
attached [Quoted text hidden]
flying.jpg 240K
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 9:01 AM To: Pastebin Support <admin@pastebin.com>
if you want it, monster png for quick overlay [Quoted text hidden]
flying.png 388K
Pastebin Support <admin@pastebin.com> Tue, Apr 3, 2012 at 5:26 PM To: BP Group <bpgroup001@gmail.com>
Haha that be funny. But i'm trying to get any more wars going :)
Already got a few little kids trying to give me a bad name on Twitter.
https://twitter.com/#!/ntisec this little shit for example.
I think i got his email address, so time to have a chat. [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 7:39 PM To: Pastebin Support <admin@pastebin.com>
anarchist.. not sure how friendly he will be [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 7:45 PM To: Pastebin Support <admin@pastebin.com>
I'm putting up a $25.00 bounty on his identity. care to match it? [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 8:37 PM To: Pastebin Support <admin@pastebin.com>
some times, when someone tries to dox you, you turn the tables, and make them run the fuck away. he will be silenced and leave you alone, because he will be distracted by people chasing him for something unrelated to you.
attached [Quoted text hidden]
nt1sec.jpg 33K
BP Group <bpgroup001@gmail.com> Tue, Apr 3, 2012 at 9:10 PM To: Pastebin Support <admin@pastebin.com>
my suggestion was to show some class. google did. people respect a company standing up and saying no. they are going to ddos you either way, you might as well get your name plastered all over the papers and enjoy the free publicity and ad-revenue generated from thin air.
social media is powerful for this. I'm sure you're already learning that. [Quoted text hidden]
Pastebin Support <admin@pastebin.com> Wed, Apr 4, 2012 at 2:56 AM To: BP Group <bpgroup001@gmail.com>
hey, i found him already last night, at least i think so.
http://bgp.he.net/dns/adrenosec.net#_whois
I emailed him on jordy@adrenochrome.org, saying i wanna chat, give me your MSN. he did, then i added him, but he never came online.
so i emailed him, saying I found all this info
owner-contact: P-JRD1687 owner-fname: Jordy owner-lname: de Jong owner-street: Schotelmos 16 owner-city: NIEUWERKERK AD IJSSEL owner-zip: 2914 VC owner-country: NL owner-phone: +31 614429859 owner-email: jordy@adrenochrome.org
I would be reporting him to the police if he didnt clean up his mess. as he was publicly saying to people lets dox him, lets bring down pastebin.
He wrote 1 more tweet after, then seemed to have gone silent.
I learned one thing though, never fucking trust journalists. I gave 1 interview to the BBC, my story has been changed so much since then, as everybody writes a different version of the original, so now i hate anonymous apparently :S im deleting all their content, at least that is what people are writing. of course this isnt true. [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Wed, Apr 4, 2012 at 3:40 AM To: Pastebin Support <admin@pastebin.com>
journalists are in the bed with anon, be careful. i proved that when i was testing who follows the anon stories, by posting internal anon leaks, they never covered the stuff that made anon look bad, only published the pro-anon content.
mind if i post the info you found? to keep him away for good. we gotta stop this doxing shit. it only leads to death threats.
I don't know how much of my story you know, but people actually came to my house to silence my voice against anon. needless to say, it made me louder. [Quoted text hidden]
Pastebin Support <admin@pastebin.com> Wed, Apr 4, 2012 at 3:42 AM To: BP Group <bpgroup001@gmail.com>
hey man,
i got another email back from him, he says he's not the one using that twitter account, but he's the one who wrote a little script to attack sites.
the guy from twitter just used that code. so best not to post his dox.
ive asked if he can get me in touch with that guy.
I think all this drama will blow over soon.
cheers. [Quoted text hidden]
BP Group <bpgroup001@gmail.com> Wed, Apr 4, 2012 at 3:44 AM To: Pastebin Support <admin@pastebin.com>

12/31/2013

Anonymous OpSafeWinter exposed


After several hours researching the so-called Operation Safe Winter being conducted by Anonymous, I found several red flags, mainly WePay donation pages.

Since scamming and otherwise abusive behavior is taking place by people involved with this operation, including the campaign being used to spam the anti-government opNSA, I am exposing IPs of people involved in, and supporting, the opsafewinter campaign.

There are some bots in the list, but that's to be expected when phishing.

First I wanted to test how effective the trap was, so I ran over to the main Anonops IRC channel, #Anonops. Sure enough, I got some hits. A curious discovery was that one IP was inside Facebook's own corporate network. Could this be Facebook monitoring hacker activity? Or has one of their servers/computers been compromised? Hard to say.

December 31, 2013: 199.59.161.30 <--- Bot
December 31, 2013: 31.151.158.2 <--- Human
December 31, 2013: 96.255.149.128 <--- Human
December 31, 2013: 81.157.105.93 <--- Human
December 31, 2013: 75.16.201.31 <--- Human
December 31, 2013: 173.252.74.119 <--- Facebook?!?
December 31, 2013: 67.81.217.135 <--- Human

Next I went over to Cyber Gorilla's IRC network to further test things, but I found it to be mainly dead and just full of idling users, despite all the advertising it's received in the last few weeks. All I got was some hits from their server bots that display the title of the URL posted.

December 31, 2013: 5.9.108.74 <--- Bot

Since I've already exposed the site in this test, it was time to burn it down. I posted the link from the Anonrelations account on Twitter and watched the hits and RTs. I'm not going to sift through the list and pick out the automated bots, but the first 9 hit way too fast to be human.

The rest are anyone's guess. I was able to cross-reference some of these with older logs, and they were in fact associated with several known Anonymous members. So in that aspect, the honeypot was a success.

Now that things are broken down, let's take a look at the header data on a few of these, and that will give us a better indication of what's a bot and who's human.

Anonops Bot.
199.59.161.30 - - [31/Dec/2013:13:19:03 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 59585 "-" "Mozilla/5.0 (Compatible; Supybot 0.83.4.1+gribble (2011-08-12T18:12:56-0400))"

Human
31.151.158.2 - - [31/Dec/2013:13:19:20 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"

Human
96.255.149.128 - - [31/Dec/2013:13:19:21 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"

Human
81.157.105.93 - - [31/Dec/2013:13:19:31 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"

Human
75.16.201.31 - - [31/Dec/2013:13:20:33 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"

Interesting Facebook hit from inside anonops.
173.252.74.119 - - [31/Dec/2013:13:22:08 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 206 11165 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"

Human
67.81.217.135 - - [31/Dec/2013:13:28:13 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"

Cyber Gorilla IRC Bot
5.9.108.74 - - [31/Dec/2013:13:58:49 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 285 "-" "Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"

Interesting. Amazon IP. Automated, I'm sure.
54.241.198.78 - - [31/Dec/2013:14:04:48 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 227 "-" "Google-HTTP-Java-Client/1.17.0-rc (gzip)"

Human
65.52.244.38 - - [31/Dec/2013:14:04:50 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11114 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"

Appears human but tried to snag robots.txt. Not familiar with Flipboard.
54.196.145.175 - - [31/Dec/2013:14:05:46 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 597 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (FlipboardProxy/1.1; +http://flipboard.com/browserproxy)"

Hi Twitter.
199.59.148.211 - - [31/Dec/2013:14:06:55 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11114 "-" "Twitterbot/1.0"

Aww, how cute. Someone was going to post my article as fact... you know, 'cause the internet said it was real.
37.59.16.156 - - [31/Dec/2013:14:07:18 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11170 "-" "Mozilla/5.0 (compatible; PaperLiBot/2.1; http://support.paper.li/entries/20023257-what-is-paper-li)"

Human
46.246.92.155 - - [31/Dec/2013:14:09:22 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11170 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"

Interesting
98.137.207.17 - - [31/Dec/2013:14:13:56 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 59613 "-" "NING/1.0"

Human - iPad news reader
54.225.58.239 - - [31/Dec/2013:14:14:09 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11133 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Contact: feedback@getprismatic.com"

Not sure.
130.155.204.198 - - [31/Dec/2013:14:15:10 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 58824 "-" "Java/1.6.0_27"

Another NING
212.124.109.166 - - [31/Dec/2013:14:20:39 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 366 "-" "NING/1.0"

Human
74.96.97.57 - - [31/Dec/2013:14:20:42 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11169 "http://t.co/WlGhlJdTYz" "Mozilla/5.0 (Windows NT 6.0; rv:26.0) Gecko/20100101 Firefox/26.0"

Web proxy, I think.
50.57.227.76 - - [31/Dec/2013:14:20:42 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 285 "-" "EventMachine HttpClient"

Human
54.225.52.78 - - [31/Dec/2013:14:21:00 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11170 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2008091620 Firefox/3.0.2"

Human
205.188.94.164 - - [31/Dec/2013:14:21:20 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 59613 "-" "Jakarta Commons-HttpClient/3.1"

I'll look deeper into the logs when I get time. I do see that injection was successful on most occasions.
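Added example, not the author's code: a triage pass over combined-format access-log lines using the signals the post leans on (self-declared client strings, HEAD requests, hits within seconds of a link being posted). The sample lines are constructed with documentation-range addresses and a made-up path; `BURST_SECONDS`, the token list and the function names are assumptions. Lines with no signal are labelled "unverified" rather than "human", since a browser-like user agent is client-supplied and an address may be a proxy or shared NAT.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format, the format of the entries quoted above.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substrings of self-identifying automated clients, taken from the user
# agents quoted in the post (Supybot, Twitterbot, facebookexternalhit, ...).
AUTOMATION_TOKENS = ("bot", "externalhit", "proxy", "httpclient",
                     "http-java-client", "java/", "ning/")

BURST_SECONDS = 5  # assumption: hits this soon after posting are link unfurlers


def classify(line, published_at):
    """Return (label, reasons) for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return ("unparsed", [])
    reasons = []
    ua = m["ua"].lower()
    if ua in ("", "-") or any(tok in ua for tok in AUTOMATION_TOKENS):
        reasons.append("declared-automation")
    if m["method"] == "HEAD":  # browsers following a link send GET
        reasons.append("head-request")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    if timedelta(0) <= ts - published_at <= timedelta(seconds=BURST_SECONDS):
        reasons.append("burst-after-publish")
    # No signal is not proof of a person: user agents are client-supplied,
    # and an address may be a proxy, VPN exit or shared NAT.
    return ("automated" if reasons else "unverified", reasons)


def triage(lines, published_at):
    """Count labels across a batch of log lines."""
    return Counter(classify(line, published_at)[0] for line in lines)


# Constructed sample input (documentation IP ranges, invented path).
PUBLISHED = datetime(2013, 12, 31, 14, 4, 0,
                     tzinfo=timezone(timedelta(hours=11)))
SAMPLE = [
    '192.0.2.10 - - [31/Dec/2013:14:04:02 +1100] "GET /story/example/ '
    'HTTP/1.1" 200 11114 "-" "Twitterbot/1.0"',
    '192.0.2.11 - - [31/Dec/2013:14:04:03 +1100] "HEAD /story/example '
    'HTTP/1.1" 301 285 "-" "Mozilla/5.0 (X11; Linux i686; rv:2.0.1) '
    'Gecko/20100101 Firefox/4.0.1"',
    '198.51.100.7 - - [31/Dec/2013:14:04:03 +1100] "GET /story/example/ '
    'HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) '
    'Gecko/20100101 Firefox/26.0"',
    '198.51.100.8 - - [31/Dec/2013:14:20:42 +1100] "GET /story/example/ '
    'HTTP/1.1" 200 11169 "http://t.co/example" "Mozilla/5.0 (Windows NT 6.0; '
    'rv:26.0) Gecko/20100101 Firefox/26.0"',
    '203.0.113.5 - - [31/Dec/2013:14:21:20 +1100] "GET /story/example/ '
    'HTTP/1.1" 200 59613 "-" "Jakarta Commons-HttpClient/3.1"',
    'not a log line',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        label, why = classify(entry, PUBLISHED)
        print(f"{label:<10} {','.join(why) or '-':<40} {entry[:40]}")
    print(dict(triage(SAMPLE, PUBLISHED)))
```
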










12/30/2013

Operations have resumed

Operations have resumed.
Expect CNs