Post dated: 10 Dec 2022
Dear Internet,
Today my Mom came to me about an SMS from Singapore Post.
It wasn’t actually from Singapore Post – it was a bunch of internet scammers pretending to be Singapore Post. They were claiming that she had an undelivered package, and that she needed to go on their website so she could provide them with her address and her credit card information to pay for the redelivery fees.
I was feeling extra vindictive and petty today, so instead of just telling her that it’s a scam and to move on with my day, I decided I was going to pull a tiny prank.
HTTP Requests
Most of the time when computers communicate over the Internet, they do so in the form of HTTP requests. (nerds please don't kill me I know it's nowhere near that simple)
You can view the HTTP requests your web browser sends and receives to/from a website by going into your browser’s Network Activity Inspector in its Developer Tools menu. (Opened with F12 on Firefox and Chrome).
After a bit of inspection, I found this specific website made 2 requests in the following format:
(yes, that is monospace Comic Sans)
Typically this request is made on the website using their form. But we’ll be making our requests with Python so we can automate things – which’ll be key.
You’ll see that I’ve taken the liberty of populating the request with fake information: the credit card number is a fake number, and the address, zip code, and phone number all belong to a police station on the other side of the island.
The funny thing is that whenever they receive a fake credit card, they check its validity first by making a fraudulent charge on it (the first of many). For every charge they attempt to make, their payment gateway provider will charge them about 5 US cents.
This is where the fun comes in!
Python Requests
We import the requests library in Python so that we can make HTTP requests. We also need the URL that actually takes the requests (also visible in your Developer Console).
We create a new HTTP request that passes the fake credit card number to the API that the website uses to check credit card numbers. We then print the response to those requests so we know the program is running fine.
We repeat that process in an infinite loop, each time costing them about 5 cents.
(I've hidden the website's API URL -- they're already dead anyway)
The Damage
My computer made a new request about every 2-3 seconds, and I left the program running for about 3 hours – which comes to 3600 to 5400 requests, which roughly translates to them losing about 180 to 270 dollars.
I could have probably done more damage by using multithreading, but by the time the idea came to me the website was already down and they stopped accepting HTTP requests.
Moral of the story: don’t scam people. Thanks for reading, and I hope you have an awesome day ahead.
Love, yu-no