
Comment by kasey_junk

2 months ago

And then what?

Exploits need to plug into a business plan. Like any business plan there has to be somewhere that money gets extracted and that money needs to be more than the exploit cost & infrastructure costs & a risk premium.

If you can’t trivially say how the exploit explicitly gets turned into cash you probably are on the wrong track. Doubly so if it’s not a known standard and commoditized way that’s happened before.

There are often phishing campaigns targeting larger channels on YT, trying to trick someone with access to it into opening malicious e-mail attachments, with the end goal of taking over the channel. Usually the attackers then put a livestream on it and push some crypto scam. It must make enough money, given that it keeps happening.

Most recent example I've seen: https://www.youtube.com/watch?v=EnVxWK6DfMQ

  • So then why do they need additional information about emails? They clearly already can email these youtubers.

    • This will enable you to get the private e-mail of the google account that owns the channel, which is not necessarily the same one a channel may give away publicly.

      So for some channels that provided no contact information, you now can acquire an email address, and for everyone else you may now get an additional one.

      It also enables you to link multiple channels back to the same person.

      Every bit of information you can get your hands on counts for social engineering attacks.

      For very famous individuals this may also open them up to harassment. You can't find Elon Musk's private telephone number on the Tesla homepage for good reason. For that class of people, any time that sort of information leaks, they need to get a new private phone number/e-mail address.


Say you’re a blackhat OSINTer trying to steal crypto. You have a first initial and a last name for a target (“J. Smith”) - plus you know this person is on github and discord.

You take out your handy email list and run a regex to find candidate accounts that match “J Smith”. You pipe matches into a recon script to check if github and discord accounts exist for each email. Suddenly, you’ve got a small pool of matches. You try more account-existence recon to find all the sites they’re signed up on. You look up all breached creds tied to the target emails, then run cred stuffing against any sensitive services they’ve signed up for.

Boom, you’ve gone from first initial + last name to compromising an account in thirty minutes.

  • Surely the key part of this is "this person's email address and password has been published online together" rather than "I can identify this person's email address."

It can get turned into cash by the EU when Google gets a massive fine for leaking private data.

> Exploits need to plug into a business plan

Or, you know, develop a new "business plan" around an exploit.

  • Nobody does this. It would be an insane proposition. The vulnerability is going to die very shortly into your attempt to capitalize on it. Businesses have startup costs they have to pay off.

    • Wouldn't that require, if true, that new revenue streams around exploits aren't generally pursued? It seems like new scams, and variations on old ones around new methods, come about on a somewhat regular basis. And as with any business, there is going to be some speculative work around new "product offerings", so to speak. I'm with you on the idea that they are less valuable, as 'spec work', than something that enhances existing revenue streams in a more predictable way.

    • You could dump all the data over a matter of weeks, then you’re sitting on a treasure trove that will pay out over 5+ years.

      You could sell it non-exclusively to every data broker.

  • Even if that did happen, it would drive down the price of the exploit and especially so for server side novel ones.