Plan to get stolen ipod touch back

Discussion in 'BlackHat Lounge' started by trevor1617, Aug 18, 2010.

  1. trevor1617

    trevor1617 BANNED BANNED

    Joined:
    Nov 12, 2009
    Messages:
    123
    Likes Received:
    64
    So my iPod was stolen last Saturday and I had access to two email accounts. One was junk, so I sent an email to myself on it saying "bank information" then placed a link to a website of mine for them to click and access... They have repeatedly visited the page and I know this because it is the same IP multiple times from the iPhone platform. What can I do to track them down? If it helps I can supply the IP. I just want my iPod back so bad; I rely on it for so much. I know usually it's a goner being an iPod but I thought it was worth a shot. Please let me know what you think. If it's hopeless it's hopeless, but thought I would try.
     
  2. hackNstuff

    hackNstuff BANNED BANNED Premium Member

    Joined:
    Jun 10, 2010
    Messages:
    136
    Likes Received:
    15
    Hmm, you could try sending another lead, perhaps "credit card site" with a user/pass and direct it to a fake site that "won't display" on the ipod, in an attempt to get them to use their computer...if you get that IP you could try going to the police...
    Verified log from ipod, hit to same site using your user/pass provided in the email and logging an IP is pretty incriminating, you could even say it's attempted identity theft.
    BTW, is it an iPod or iPhone? If it's an iPod you should be able to do something with the IP you logged when it hit you the first time. If it's an iPhone then it has its own IP address.
     
  3. trevor1617

    trevor1617 BANNED BANNED

    It's an iPod Touch

    For the form how would I make the page incompatible on an iPod?
     
  4. hackNstuff

    hackNstuff BANNED BANNED Premium Member

    Well you could sniff user agent if you wanted to really get to it, but the easiest way would be to throw an error the first time you submit the form saying it's incompatible, the second time you throw an error, site down, etc. Perhaps say "security is expired, would you like to send a password reset to your email address?" This opens the door for more social engineering as well as keeps them interested.
    There's a chance if you play it right that you could even let them "reset" the password via an email link, and upon signing in to your fake site it could ask to install a "plugin" which could be some sort of reverse shell or virus designed to give you access to their computer, hopefully they don't have a good antivirus program running. You really have to get creative and see how long you can keep them on the line, if your site looks professional enough heck, you might even lead them to thinking they can re-order your credit card and have it sent to their address...something along those lines.
    Get creative, keep them interested, if you can act legit you may just be able to play their greed against them.
    Another tactic you might use is to provide a way they can change "your email address" once "logging in" ...they may go ahead and do that instead of sending a password reset to your email address, use "weak security", eg:
    email on ipod has account number, user, pass, login page allows attempted login using user/pass, or to reset pw OR change primary email address if you use your account number. Once you have their IP + registered email address *someone* out there can track it down, I know in the case of really illegal stuff the FBI/NSA/big brother can probably subpoena/just take the info from gmail/yahoo...it's just a matter of getting the right attention, claiming identity theft, or something like that.

    Good luck! Make sure to keep us up to date on what's going on if you do get anywhere....

    Edit: Also, if you can get them logging in from the iPod (log user agent) as well as a computer on a home network (different agent) and see they are the same IP address, I bet the police can pinpoint that for you. Two attempts of someone "hacking your data and trying to steal your identity" from the same IP address *should* get you the attention you need, maybe not enough for a search warrant, but possibly enough to send an officer out, hopefully enough to scare them into handing it over....
     
    Last edited: Aug 18, 2010
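
    Added example, not part of any post in this thread: correlating hits on the planted link by source IP and device type, as the edit above describes, using the site owner's own web server access log. The log lines, the `/bank-info.html` path and the documentation-range IPs are constructed, and Combined Log Format is an assumption.

```python
import re
from collections import defaultdict

# Combined Log Format (assumed): ip - - [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Aug/2010:10:02:11 +0000] "GET /bank-info.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 Mobile/8A293 Safari/6531.22.7"',
    '203.0.113.7 - - [18/Aug/2010:21:40:03 +0000] "GET /bank-info.html?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:1.9.2) Gecko/20100722 Firefox/3.6.8"',
    '198.51.100.23 - - [18/Aug/2010:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6.8"',
    '198.51.100.99 - - [18/Aug/2010:12:30:00 +0000] "GET /bank-info.html HTTP/1.1" 200 512 "-" "ExampleCrawler/1.0"',
]

def device_class(ua):
    """Coarse bucket from the User-Agent header (client-supplied, so spoofable)."""
    if re.search(r'iPod|iPhone|iPad', ua):
        return 'ios'
    if re.search(r'Windows NT|Macintosh|X11', ua):
        return 'desktop'
    return 'other'

def canary_hits(lines, canary_path):
    """Group requests for the planted (canary) URL by source IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m['path'].split('?')[0] != canary_path:
            continue  # unparseable line or a different page
        hits[m['ip']].append((m['ts'], device_class(m['ua']), m['ua']))
    return dict(hits)

def multi_device_ips(hits):
    """IPs that opened the canary from more than one device class.
    One public IP usually means one network (NAT), not one person."""
    out = {}
    for ip, rows in hits.items():
        classes = sorted({cls for _, cls, _ in rows})
        if len(classes) > 1:
            out[ip] = classes
    return out
```

    Timestamps and full user-agent strings are kept per hit so the raw log lines can be handed over alongside a police report.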
  5. trevor1617

    trevor1617 BANNED BANNED

    Thank you very much for the help, I am definitely going to try something like this. If he/she was greedy enough to steal the iPod, they are greedy enough to be stupid and try to steal my credit card number.
     
  6. Chronos

    Chronos Junior Member

    Joined:
    May 5, 2010
    Messages:
    126
    Likes Received:
    294
    Assuming you filed a police report...

    Take this information to the police, have the police call the ISP, and the ISP can tell you the exact location of the IP address.

    BOOM! Solved...
     
  7. johnny.bravo

    johnny.bravo Newbie

    Joined:
    Nov 11, 2009
    Messages:
    6
    Likes Received:
    1
    Wish I could use some tricks to get my $100 basketball stolen yesterday from my gym locker back :( I guess a lock would've done the trick.
     
  8. hackNstuff

    hackNstuff BANNED BANNED Premium Member

    Yea, that's what one would hope...there is often a big difference between what *can* be done and what *will* be done. Often police won't believe you/don't want to go through the trouble and the only way to get the info is via court process...just because we know how it works doesn't mean the police will really care...that's why I've mentioned dropping the words "identity theft" and "hacking my accounts" around, it might motivate them a bit more than if they just hear, "somebody stole my iPod! I think they're reading my email!"

    It's sure worth a shot...
     
  9. Chronos

    Chronos Junior Member


    Say you really do have sensitive information in your email...

    If you bring in the IP and evidence you own the iPod, it is their duty to obtain a warrant (for the IP, to find the address) to arrest this person.


    Through all the bad stories you've heard I bet most people only ever filed a police report, and did not go as far as to obtain their PHYSICAL location...