Lightshot is a very famous and easy-to-use application for capturing and sharing snapshots of your desktop. Personally speaking, Lightshot is one of my favorite apps, and I have been using it for many, many years.
You simply mark the area you want to capture and just hit upload. In a few seconds you will have a short link that you can share with anyone. No captcha, no accounts, no limitations. Awesome! (yeah, kinda)
The problem is that all screenshots uploaded to the cloud are accessible to anyone. OK, nothing bad so far, right? Well, here comes the bad part. The ID of every image has low entropy, as it is a 6-character alphanumeric string (e.g. uggmt9). And as if that was not bad enough, the ID is not even random! It is incremented letter by letter, digit by digit. So you can simply change the ID and a new random screenshot will appear.
And so on… Scary right?
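To put numbers on the ID scheme described above, here is an added example (not code from the original post or from Lightshot): it measures the keyspace of a 6-character ID, lets a service owner check whether the IDs it issues are a plain counter, and generates an unguessable replacement. The base-36 alphabet (0-9 then a-z) and the two sample IDs after uggmt9 are assumptions.

```python
import math
import secrets
import string

# Assumption: IDs use digits then lowercase letters, i.e. base 36.
ALPHABET = string.digits + string.ascii_lowercase


def keyspace_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on ID entropy in bits, reached only if IDs are uniformly random."""
    return length * math.log2(alphabet_size)


def is_plain_counter(ids_in_issue_order: list[str]) -> bool:
    """True when each ID is its predecessor plus one, read as a base-36 number.

    A service owner can run this over IDs it has issued: a counter means the
    effective entropy is zero, whatever the size of the keyspace.
    """
    values = [int(i, 36) for i in ids_in_issue_order]
    return all(b - a == 1 for a, b in zip(values, values[1:]))


def new_share_token(nbytes: int = 16) -> str:
    """Unguessable share ID: 128 bits from the OS CSPRNG, URL-safe encoding."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample: the ID quoted in the post plus two hypothetical successors.
    sample = ["uggmt9", "uggmta", "uggmtb"]
    print(f"6-char base-36 keyspace: {36**6:,} IDs, {keyspace_bits(6):.1f} bits at best")
    print("sample is a plain counter:", is_plain_counter(sample))
    print("random 128-bit token:", new_share_token())
```

Even a fully random 6-character ID tops out at about 31 bits, so a public share link needs both a longer token and a random one.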
This might be the first case where the phrase “It is not a bug, it's a feature” is actually pretty accurate.
It is definitely not a bug. From the Lightshot website, FAQ section:
Q: I have accidentally uploaded a screenshot with my private information. How can I remove it from prtnscr.com?
A: You can ask our support team to remove the screenshot from prntscr.com via our email firstname.lastname@example.org, or you can just press the abuse button under the image on our website.
So it is actually designed to work that way, but it is not made clear to all users that shared images are public and that they should not share private or sensitive information. So, as you might imagine, many users are not aware of that danger and are using this application to share private information. And this is not something secret either.
There are many Reddit posts, even from over 6 years ago, that mention this “feature”.
There are even awesome open source tools like ShotLooter (https://github.com/utkusen/shotlooter) that are pretty easy to use and grab tons of private information such as passwords, private keys, credit cards, BTC wallets automatically using Python, OCR, OpenCV and awesomeness.
“Shotlooter tool is developed to find sensitive data inside the screenshots which are uploaded to https://prnt.sc/ (via the LightShot software) by applying OCR and image processing methods.”
You can customize the keywords you want to search and even search for matching logos such as phpMyAdmin or KeePass.
So this tool definitely got my attention and I started using it just for fun.
After a few minutes I had already got some really interesting results like the following.
This image seems to be from an email, and just out of curiosity I tried to log in, as the picture surprisingly contains a username, a password AND a URL. How convenient, right?
I was redirected to a pretty convincing crypto trading platform that I had never heard of.
I tried to log in and surprisingly enough I managed to log in as email@example.com.
Two factor was disabled for this account (pretty unusual for trading platforms) and no other security mechanism was triggered as I would expect. The account balance was over 14.000€ with BTC and ETH wallets.
This was insanely crazy and I thought, what are the odds of this actually happening?
At first I thought that this poor guy would probably lose all his assets in a few seconds, but I was pretty suspicious from the beginning, so I started to search for more information about the email and the specific trading platform.
I found some information online that confirms the obvious: this is a scam website.
You can actually “log in” as firstname.lastname@example.org with any password, or with any username/password combination, or even without a password at all, simply by accessing the following URL: https://bit-trading.online/profile
So I tried to figure out the scam behind this. Why are they doing this? How are they profiting? Is it just a joke?
I tried to withdraw some BTC.
And as expected they asked for a “Withdrawal confirmation” fee of 0.0015BTC (~13.09EUR) with current BTC value (13/09/2020).
Anyone who has used an online crypto trading platform even once already has enough red flags to get away from this scam, but I was curious whether there were actually users that fell for it.
The address is not dynamic so we could just explore the transactions to find out more.
More than 260 users were tricked into depositing the “fees” to withdraw the BTC balance.
Almost every day a new transaction is made. From this campaign alone, the scammers have made almost 0.20BTC (1746EUR) to date.
After some more research I found out that the scammers are automatically uploading the same images every few seconds to Lightshot in order to trick users into their scam.
This is one of the most sophisticated and well-made scam campaigns I have ever come across, and that is why I wanted to share it with you.
The scammers took this to the next level with attention to detail, and the fact that they were not greedy and asked for such a low and convincing “fee” is what I think made this campaign so successful.
Although stealing bitcoins is not my thing, I think this is a really interesting case that offers a lot of potential for a few experiments, like running honeypots or understanding how potential attackers might act.
What are your thoughts on this? Any fun ideas? I thought about creating some SSH honeypots to try to understand what are the first things that an attacker might try to do on a compromised host but I would like to hear your thoughts on this.