
Wednesday, August 4, 2010

Your credit cards cannot be found by your last 4... and how I learned to generate valid credit card numbers

So I thought to myself the other day: if there is a checksum on credit cards, and we know the type of card and the last 4 digits that are left on a receipt, can we narrow it down to a small number of valid cards and figure out YOUR number? Now I'm not a crypto math guy, so I knew people must have already handled this... I was right, and I found a cool optimized Luhn function so I could check a million numbers in about 3 seconds.

Ok so let's first talk about where all those numbers come from, what we can assume about them, and why it doesn't mean a damn thing. Here's a valid CC number I generated at random and what we know from it:

4037 1819 2279 0420

403718 - Bank Id (the first 6 digits)
192279 - Unknown
0420 - On receipt (the last 4 digits)
0 - Check Digit (the final digit)

I learned the first 6 digits are a bank id, and after digging around awhile I made this fusion table public to hold the data. It's way cool because now we can look up what type of card it is and where it came from... I don't know why we ever ask debit or credit. So then I learned how the checksum works and got this optimized version of the Luhn checksum algorithm, or mod 10 as it's sometimes called, because after you do this little trick you look to see if the number is evenly divisible by 10.
Because of the way this works, it turns out that for a million numbers there are about 100k valid numbers in that bunch. So wrapping this up: I found that there are tons of numbers and it's trivial to make valid ones, and they only work if you have the expiration date, so I deem the numbers safe for now...
I'll release some code on how you can use the fusion table to look up a card's bank and origin later.
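As an added example (my code, not the post's optimized function), here is a plain Python Luhn check, the check-digit calculation, and a count over the post's own number that shows what the post says: fixing the bank id and the last 4 still leaves exactly one valid candidate in every ten middle values, so about 100k out of a million.

```python
# Luhn / mod 10 helpers, added here as an example; not the post's optimized function.
# EXAMPLE_CARD is the randomly generated number shown in the post.
EXAMPLE_CARD = "4037181922790420"

# Doubling a digit and adding the digits of the result (e.g. 7 -> 14 -> 1 + 4 = 5)
# is the same as this lookup table.
DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_sum(digits):
    """Luhn sum of a digit string: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        total += DOUBLED[d] if i % 2 == 1 else d
    return total


def luhn_valid(number):
    """True when the whole number, check digit included, is divisible by 10."""
    return number.isdigit() and len(number) >= 2 and luhn_sum(number) % 10 == 0


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass luhn_valid."""
    # A placeholder 0 keeps the doubling positions aligned with the final number.
    return str((10 - luhn_sum(partial + "0") % 10) % 10)


def count_valid(bin6, last4, middle_count=100_000):
    """Count 16-digit numbers with this bank id and last 4 that pass Luhn,
    trying the first `middle_count` values of the six unknown middle digits.
    Exactly one value in every ten consecutive middle values passes, so the
    result is middle_count // 10 (100k for the full million)."""
    valid = 0
    for m in range(middle_count):
        if luhn_valid(bin6 + format(m, "06d") + last4):
            valid += 1
    return valid


if __name__ == "__main__":
    print(EXAMPLE_CARD, "valid:", luhn_valid(EXAMPLE_CARD))
    print("check digit for", EXAMPLE_CARD[:-1], "is", luhn_check_digit(EXAMPLE_CARD[:-1]))
    print("valid candidates among first 100k:", count_valid(EXAMPLE_CARD[:6], EXAMPLE_CARD[-4:]))
```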

Oh and here's 100k valid CC numbers :)

Tuesday, June 22, 2010

Social Engineering + Encoded Javascript = Facebook XSS The Attack Explained

Update

Ok good news guys... they have removed the page finally! But I reported them like 3 times and there was no "this page is hacking" button... I think it's stupid this grew to over a few hundred thousand duped before Facebook found and removed it... I even tweeted to them about this article after I made some javascript to pull the page's likes and update the count dynamically:

@facebook http://j.mp/95PvuT theres a page serving #XSS! read my analysis of #exploit code here #facebook #socialengineering



Facebook needs to have a better way to deal with these kinds of attacks... or at least a way to report them more easily...

Original Post

A friend who I never talk to just sent me to this page on Facebook... it's "The Most CRAZIEST & EPIC Facebook Break Up Ever! Absolute MUST SEE!" I usually never trust these things, but they had some custom FBML so I wanted to see what was up... after you like the page you get access to the exploit code I've copied below... It gives instructions to paste the code into the address bar. Now I totally thought it was suspect, but I've seen things like this do cool easter eggs before, so I tried it... then I get a notification "Your invitations have been sent." Doh! I've been duped... but I don't feel so bad, because they have 150,490 likes, so I'm just one of many. Now let's see what's going on...

You must view original post to see code...


Now let me just run some Carter magic on this and let's see what it's doing... first it creates a link on the page, then simulates a mouse event on that link... there are then 3 functions set on timers to hide the dialog, select all contacts, submit the form, and then replace the container with an iframe serving spam...

I gotta admit, pretty well done... get the users to run the exploit for you, and because Facebook makes it so hard to report hackers I bet I have infected many of my friends and have no way of stopping or recovering the notifications. I looked everywhere and I can't find any way to see a log of what I've sent and how I can recover those messages.

Lame Facebook Lame!

Wednesday, January 20, 2010

The persistent XSS hole I found in WellsFargo.com

I like to dabble in security... XSS holes are fast and easy. The first one I ever found was on the online editor Aviary when I was a beta tester... it was a small one. They had scrubbed HTML in every field (.NET had done it for them) but they had forgotten to sanitize the input from the filename in their Flash app and I got my tags in! Woohoo XSS holes. I happened to be checking my Wells Fargo account, and you can nickname your accounts... and I thought to myself: self, I wonder if I could put some HTML in my account nickname and have it render... let's try it :)


[screenshot: HTML typed into the account nickname field] and [screenshot: the rendered result]

We got tags

But I was dealing with a character limit... a common problem with cross site scripting attacks. No matter, I decided to try for the long shot... I used Chrome to change the max length of the text field to something I could really put some code in, fully not expecting it to work, and then boom: I got an entire script tag with a javascript alert... and it's persistent!

How I changed the max length of the text field:

The next morning I tried to find the correct people to call and got to the phishing department but not the real web guys... then I was really impressed: I got a call from their online fraud department. They had detected that HTML was being posted from my account, and I quickly offered up that it was me who was inserting the HTML and told them about the hole (this was months ago and I'm sure they fixed the hole by now, so I don't think I'm hurting anything by posting this; I'm sure I will know if they think otherwise). But anyways, the cool part is that even though they weren't aware of the hole, their system detected the XSS anyway... way cool and props to you security guys at Wells Fargo! I was asked not to try and attack the account portal anymore (so I wouldn't set off alarms again) and was thanked for letting them know about the hole... It was a small one, but some javascript left by an attacker could send the balance to a remote server and then steal cookies (I'm sure stealing cookies wouldn't work, but for the sake of this argument) and, if there was a large enough balance, alert the attackers. Also, because it is a persistent attack and the HTML doesn't render on the screen, the script could sit there for a long time without the user ever knowing.

So how do you protect the applications you write from XSS attacks? The answer is simple... it's the same as protecting against SQL injection: sanitize all user input before anything is written to the screen. Stripping HTML with regular expressions is always a good start, and for god's sake please enforce character limits on the server side and don't expect the HTML maxlength="20" to do your job for you.
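Here is the server-side shape of that advice, as an added example (my code, not Wells Fargo's): a length check that does not trust the client's maxlength, a detection signal for markup showing up in a free-text field (the kind of thing their fraud system caught), and the difference between rendering the nickname raw and HTML-encoding it on output. The limit of 20 is taken from the maxlength quoted above and is assumed to be the intended server rule.

```python
import html
import re

# Added example; not Wells Fargo's code. The limit matches the maxlength="20"
# mentioned in the post and is assumed to be the intended server-side rule.
MAX_NICKNAME_LEN = 20

# Detection signal: anything that looks like the start of an HTML tag or a
# javascript: URL has no business in an account nickname.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!?]|javascript\s*:", re.IGNORECASE)


def looks_like_markup(value):
    """True when a free-text field contains something an HTML parser would act on."""
    return MARKUP_RE.search(value) is not None


def validate_nickname(raw):
    """Server-side validation of a nickname; returns (ok, reason).
    The browser's maxlength is ignored entirely: it is trivially edited."""
    if len(raw) > MAX_NICKNAME_LEN:
        return False, "too long"
    if any(ord(c) < 32 for c in raw):
        return False, "control characters"
    if looks_like_markup(raw):
        return False, "markup not allowed"  # worth logging too: this is the alert signal
    return True, ""


def render_nickname_unsafe(nick):
    """The bug described in the post: user text dropped straight into the page."""
    return "<td>" + nick + "</td>"


def render_nickname(nick):
    """The fix on the output side: encode, so stored markup renders as text."""
    return "<td>" + html.escape(nick, quote=True) + "</td>"


if __name__ == "__main__":
    sample = "<b>Hi</b>"  # constructed sample, stands in for the post's script tag
    print(validate_nickname(sample))
    print(render_nickname_unsafe(sample))
    print(render_nickname(sample))
```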

Below is my javascript alert through the cross site scripting hole in wellsfargo.com. Those guys do a great job and I've been a customer for like 7 years. Wells Fargo is awesome and I hope they don't make me take this down, because it is a great example of this attack and they did catch it, so there really wasn't that bad of a security problem...

I'd love to hear your questions / comments / concerns about this article. Bother me on Twitter, I'm @cartercole and I love to answer any of your questions...

Friday, January 1, 2010

Analysis of Forum Spam Attack - My Spam Trap


Hi guys, it's Carter again... I recently found that a friend's forum had been spammed when I was checking site links with my SEO tools, and I wanted to share some of my findings after I had analyzed the attack on his site. His domain had 863 links from 350 unique domains, so I went to see what was going on... I found his phpBB forum had been spammed. Oh noes! We had turned off CAPTCHA and didn't expect many people to join the forum, but security through obscurity failed and a Russian spammer got us. So when I went to fix it I thought I'd run a quick experiment... because the forum had little activity we decided to pull the whole thing out, and I used a redirect to catch the visits the spam would have received.

This Is My Spam Trap

The spam trap has received 194 visits since 2009-12-19, which is crazy because it means these spam campaigns are probably worthwhile, at least for awhile until they get caught... Because forums let you create links that are of value (not nofollowed), I've seen this campaign do stuff from installing malware to affiliates for adult sites. And here's my wall of shame... I know it's not their fault :) I'm in the process of contacting the webmasters of these sites so they can get cleaned up, and this list isn't all inclusive (if the referrer isn't passed it won't show in this list).

Wall of Spam

[table of Site / Visits; the embedded script is disabled in this copy, so visit the article to see it]
I dunno, I just wanted to share some of my findings... I'd love to hear from anyone on their thoughts or ideas on how to combat this. Thanks for your time and I hope you liked the article...

Saturday, August 15, 2009

Math captchas don't work... why textual captchas are FAIL

There are tons of captcha solvers and sites that break images like here, but I have been seeing a rise in math captchas, so I wanted to real quick discuss something that I thought was kinda funny: the idea that simple math problems are difficult for bots to solve. I found a math captcha, or a text based captcha, that I thought would be really easy to solve, so I decided I would break the captcha real quick.

Basically an image captcha had a "textual riddle" version of the code in its alt tag.

One of the most difficult lines it returned was

(((((??? - 1) - 7) - 8) * 8) - 4) = -76

but I knew it had to be a number from 0 to 9, so I wrote a function to spit this out.

Computers are really good at math; this takes no time to create and execute. This simple VB code:

So now this captcha, whose images are actually kind of hard to segment and classify, is broken because of 4 lines of VB code.
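The brute force in that VB function, redone in Python as an added example (my code, not the post's): substitute each of the ten candidates into the riddle quoted above and keep the one that makes the equation true, using a small arithmetic-only evaluator instead of handing captcha text to eval(). Ten candidates is the whole search space, which is why the riddle adds nothing for a defender.

```python
import ast
import operator

# Added example; RIDDLE is the line quoted in the post.
RIDDLE = "(((((??? - 1) - 7) - 8) * 8) - 4) = -76"

# Only plain integer arithmetic is allowed; anything else in the riddle text is
# rejected rather than executed.
OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.USub: operator.neg,
}


def eval_arith(node):
    """Evaluate a parsed expression made only of ints, + - * and unary minus."""
    if isinstance(node, ast.Expression):
        return eval_arith(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.UnaryOp) and type(node.op) in OPS:
        return OPS[type(node.op)](eval_arith(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in OPS:
        return OPS[type(node.op)](eval_arith(node.left), eval_arith(node.right))
    raise ValueError("unsupported syntax in riddle")


def solve_riddle(riddle, blank="???"):
    """Try each digit 0-9 in place of the blank and return the one that satisfies
    the equation, or None if no digit does."""
    lhs, rhs = riddle.split("=")
    target = int(rhs)
    for guess in range(10):
        tree = ast.parse(lhs.replace(blank, str(guess)).strip(), mode="eval")
        if eval_arith(tree) == target:
            return guess
    return None


if __name__ == "__main__":
    print(RIDDLE, "->", solve_riddle(RIDDLE))
```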

I'm working on cracking my second image captcha; this time the letters aren't fixed width and have a rotation. I plan to use a feed forward back propagation learning neural net, so I'll let you know how that goes and hopefully get to post again about another captcha I've cracked.

You may also find my breaking of image captcha article interesting too...