Bitcoin Forum

Hello my fellow Bitcointalkers!

Today I will show you how one scammer tried to hack my Bitcointalk account,
and I will teach you how to prevent any future similar hack attack.


1. I received PM from unknown member with this content


https://s8.hostingkartinok.com/uploads/images/2019/08/e9fe6cafc84f78c154e193a2f2761dcc.jpg


2. DO NOT click on any link as it redirects you to FAKE Bitcointalk clone website from Turkey.
With intention to collect your Login information and password, and takeover your account.


https://s8.hostingkartinok.com/uploads/images/2019/08/4cb9d52ceb50529510508a897c876db1.jpg


3. ALWAYS check website Link in address bar, and if it is safe HTTPS.


4. Always check user trust and profile and again DO NOT CLICK on any links.

When you hover over with mouse over link that is outside this forum, color will be blue

https://s8.hostingkartinok.com/uploads/images/2019/08/dada4a0c56130c2e102597a1e6e3e506.jpg


When you hover over link and you see green color, that is link inide Bitcointalk forum.

https://s8.hostingkartinok.com/uploads/images/2019/08/dea44957d29e2b86b435a1a3b64529cb.jpg


Here we have clear case of hacked account: kingpin4321
- password is changed recently
https://bitcointalk.org/index.php?action=profile;u=2447711


https://s8.hostingkartinok.com/uploads/images/2019/08/bd8faa45791d83d3baba2247a8688c23.jpg

https://s8.hostingkartinok.com/uploads/images/2019/08/3551daf48b2c3afa45e3786526fdaeda.jpg


5. Report user to admin/moderator and give him negative trust.

https://s8.hostingkartinok.com/uploads/images/2019/08/82d9fc851279f0f16a634ec46b300eb0.jpg


6. Report phishing website to Google and Symantec.
https://submit.symantec.com/antifraud/phish.cgi
https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en
https://www.phishtank.com/
https://www.comodo.com/home/internet-security/submit.php?

7. Learn how to protect yourself better.

https://s8.hostingkartinok.com/uploads/images/2019/08/9853e8e012764a712533ed22bfb57b2f.jpg

- use Firefox browser or fork called LibreWolf, it shows you warnings for unsecure logins, and it is more secure than Chrome browser. Alternative is Brave browser.

- use browser extensions: HTTPS everywhere, ClearURL, NoScript or uMatrix (for experts)

-  always double check your browser address bar for changes.

- bookmark you favorite websites and use password managers like KeePass.

- stake your Bitcoin address on forum to prove ownership of your Bitcointalk account -> Stake your Bitcoin address here (https://bitcointalk.org/index.php?topic=996318.0)

- install Malwarebytes Browser Extension[/b] for protection


8. Ask me if you have any questions.


I will update this topic with more information if needed.
Thank you for your attention.

https://s8.hostingkartinok.com/uploads/images/2019/08/b7c2f69fde2b5ac4544cc2e84bd774f0.png


Translated and adapted to Russian language by bakasabo:
https://bitcointalk.org/index.php?topic=5173654.msg52098506#msg52098506


[LEARN] Phishing Quizzes - Beginners & Experts (https://bitcointalk.org/index.php?topic=5178375) 👈

Nice guide and Information about that phishing site and how they doing it .
Hope that this are reading a lot of users and that not much fall into the trap with that .
Nice catch .

Thanks.

One more thing I noticed, after I entered fake account information with password FU.K YOUXXX
is that it redirects me to regular Bitvest Plinko Signature Campaign after it takes my 'login details'
https://bitcointalk.org/index.php?topic=5088858.0

Maybe lightlord, creator of this topic, should be contacted regarding this,
just that he is aware of the situation.
They are probably using other random links, with malicious attachments.

One more way to super protect is to install browser extension called NoScript, but it is a bit complex.

On this forum, when you rollover with the cursor the link is green if it’s a link from this forum, it’s blue, if is a link outside of this forum
So, this is also a way to prevent to click on a scam link

I will add that also.
Thanks

I think kingpin4321 fell for the exact same thing.

Yesterday in Services someone posted a fake giveaway (https://bitcointalk.org/index.php?topic=5172689.0) with a link to a phishing Bitcointalk clone, he was first to reply (http://archive.fo/Wzn7Z#selection-2273.0-2273.11). I guess I was late with my tag/flag.  :-[

A third known case (possibly even more) within the past 36 hours: Link (https://bitcointalk.org/index.php?topic=5154525.msg52073272#msg52073272)

I can do it... my only concern is that it is a hacked account,
and even if I want to punish the hacker, I also want to bring back original user kingpin4321.

Maybe it is best to wait for moderators to decide.

EDIT:
I created it.
Who knows how many users he contacted...

I think it is good to use Trust, rather than Flag.  Of if you still want to use Flag, it should be a Newbie Flag, as this Flag created by admin, on @newsilike:
https://bitcointalk.org/index.php?action=trust;u=157669
That guy has not broken any contract with you, and has not yet stolen your money.

Nice catch tho, it can really be pretty obvious attempt  from the hacker. I just wondered why choose your account over a higher account which he can benefit more, hmm sounds fishy.

 As if lightlord would even care. There is also actually no point in letting him know.

Well, I've got this assumption that the hacker thinks he can get as this user is just a Member rank and have little to know about phishing. Not knowing what he tried to mess is a techy guy and even surpass him on the knowledge about those kinds of things.

It might be good to move this one on B&H board as it is more appropriate there. Nice catch OP.

I just opened a pull request for MetaMask: https://github.com/MetaMask/eth-phishing-detect/pull/3221

The site should be blocked through the MetaMask extension if they accept it.

Same reason why he hacked user kingpin4321
and maybe he thinks members like me are stupid brainless sheeps.

Thank you for your 'advice'.


Thanks.
Fake bitcointalk login website is still very much active!
I noticed that time is not changing on fake site June 07, 2019, 10:23:06 PM for now

https://whois.domaintools.com/sebiltv.com.tr


https://s8.hostingkartinok.com/uploads/images/2019/08/1fd3656ff31b44860b295ea2156296ab.jpg

https://s8.hostingkartinok.com/uploads/images/2019/08/a785969c0a80377bb3c6f9006eb78fcc.jpg

https://s8.hostingkartinok.com/uploads/images/2019/08/318290ba3e5364722b948fb502c76c7c.jpg

I wonder why the account (kingpin4321) isn't tagged yet.

Add the flag in your OP.

I've supported the flag and tagged it since this account obviously tried to hack the OP. But we don't know if it's a hacked account or a bought account.

But yes I'm a little bit surprised to see that so few people have already done the same.  ???


https://bitcointalk.org/index.php?action=trust;u=2447711

Can you copy the URL as shown in the PM?

I'm asking because you can't do this (I can't even do it within quote tags, so I've replaced the "/" by "slash"):
It shows like this:
https://bitcointalkFAKE.org

I think the scammer replaced the lower case L by an upper case i:

And now it works:
https://bitcointaIk.org (https://bitcointalkFAKE.org)

Someone stated this before:


And I checked his history also.

Sure I can.
Here it is:


Active now:

NOTE to newbies:
Do NOT visit this links!

Firefox expands it to this:
And then obviously can't find the site.

If I try this (the first 5 characters copied from the URL from the PM, then "test" added by me:
Firefox turns it into this:
What kind of sorcery is this?

It reminds me of the homograph attack (https://bitcointalk.org/index.php?topic=5000990.msg45137783#new), which is now automatically replacred on all English boards.

This is the culprit:
Google confirms it's Cyrillic: https://en.wikipedia.org/wiki/Ge_(Cyrillic)

I guess theymos missed this one.

Why the real owner doesn't say anything, if his account had been hacked?  ???
He would already come in meta or on this thread to report the hack, no?
There is something fishy.

Some weird $hit yeah...
I noticed that also with domains.

I notified and reported Google and Symantec,
as well as Metamask thanks to mainconcept



OK.. please examine the case and catch the fish.
I reported on time, and as fast as I could.

https://s8.hostingkartinok.com/uploads/images/2019/08/29767c88aeb6e9007c522e31de75150b.jpg

That's no sorcery, but IDNA encoding (https://en.wikipedia.org/wiki/Internationalized_domain_name).

The following cyrillic letter is the cause of that:

This is quite frequently used by phishing sites to deceive others into clicking on a 'known' URL.
That's a known problem with unicode domain names.

Received exactly the same from the same user - thanks for pointing this out op!

Must be a diacritical sign I guess.

Update:

I reported fake website to this website
Phishtank
https://www.phishtank.com/

https://www.phishtank.com/phish_detail.php?phish_id=6152971


I also reported it with Watchdog extension
https://www.cryptopolice.com/

Now your thread has been moved in the beginners section I think very few members will see it.
So I think you should open a thread in Economy > Trading Discussion > Reputation  section, on Kingpin4321. It's the right place for flags and tags.
https://bitcointalk.org/index.php?board=129.0

Listen...
Someone else proposed that I move it to B&H since it is also a guide for newbies
and I don't have extra time to move topics all day round....
It is where it is now.

Thanks.



Update:
Reported to Commodo also
https://www.comodo.com/home/internet-security/submit.php?url=http://sebiltv.com.tr/index/index.php?topic=5088858.0&&submissionType=1&source=1

He was active in July almost on a daily basis and has not posted anything since July 30th. After that he either got hacked or went rogue.
He is now banned so I guess that is it.

Regarding the phishing attempt.
If you have ticked to always be logged on to bitcointalk and you see that the site is asking for your login details you should be alarmed.
If you have not ticked that option bitcointalk will log you out after 1 hour so if you open a new tab where you are asked to enter your login details confirm it on the page you usually visit when you login to bitcointalk. If you are logged out there as well, everything is fine. Log back in on the site you have saved and you usually log in on bitcointalk. If you are still logged in but the other tab is asking you to login again - you know it is a phishing attempt.

All this above is for those that don't understand phishing sites and that bitcointak internal sites are marked in green when you hover over it with your mouse.

One more thing.
It is better to use Firefox browser as it shows warnings for this unsecure logins

https://s8.hostingkartinok.com/uploads/images/2019/08/9853e8e012764a712533ed22bfb57b2f.jpg

This does just mean that the website does not use https.
This is definitely NOT an indicator for the authenticity of a website.

I'd expect any phishing site not created by completely incapable people to have a TLS certificate. You can get them for free.

I know that  ;D
And I just say it is one more step to protect yourself better...
Firefox is better than Chrome... but you still need to use your brain.

As for better protection my suggestions are on first page

You didn't understand me, I wasn't suggesting you to move this thread there but to create another one for flagging and tagging Kingpin4321 since he was still hurting people according to Efialtis testimonial.
Now he seems to have been banned, so the issue about him is closed, normally.  

BTW I don't think it's a topic for beginners since the hacker is not targeting newbie accounts and the case is raising concerns about homographic attacks, so it was a rather weird suggestion from this guy...  :-\

---

People are not only using old computers with mouse, we are in 2019 now.  ;)

That is pretty clever and quite a nasty way to phish. You see the link and click and without thinking you login again. The thing is I always keep myself logged in so if I do log out it is because I logged out myself.
It is a bit odd to get a link right to the reply saying they have replied to you. Though this is a perfect way to let someone know you have replied. I think at anytime you are ever asked to login for any reason what so ever that you should check the address. Even pages I bookmark I check the address just incase.

Very nasty and very easy to fall for this if you not paying much attention which is easy.

My pull request got accepted, MetaMask now blocks the site:

https://i.imgur.com/AANZ4AR.png

they've been doing this phishing since the dawn of time but it still works for some. it should be common sense to see something is wrong if there is the need to login again when you know you are already loggedin. the url of the website is very important to notice here.


when you aren't sure which app to use your metamask, don't use it. browser apps aren't something you can controll, you may have the privkeys but pick which app to use your metamask.

Great news!
Thank you for your support and fast response.
+merit



It may be obvious for you and me, but average user can get distracted
thinking it is just a browser issue, and enter his details, resulting in his account being hacked.

another way to secure your profile is to Stake your Bitcoin address

this is the most efficient way to prove your ownership of your Bitcointalk account -> Stake your Bitcoin address here (https://bitcointalk.org/index.php?topic=996318.0)

all you have to do is to use your BTC wallet and make a message like this ->


and post it in that thread above, someone will quote you and you are safe
if you get hacked, you will proof your identity with your BTC wallet

the tutorial -> How to sign a message?! (https://bitcointalk.org/index.php?topic=990345.0)

Good point.
I added that on the list on page 1,
and I also staked my Bitcoin address some time ago ;)

One more thing would be good to have installed is
Malwarebytes Browser Extension

for Firefox
https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/?src=search

For Brave and Chrome browsers
https://chrome.google.com/webstore/detail/malwarebytes-browser-exte/ihcjicgdanjaechkgeegckofjjedodee

https://s8.hostingkartinok.com/uploads/images/2019/08/0c518f8346a732d72ef5d160e486ea06.jpg

This step is only helpful to secure forum accounts, not to secure bitcoin.  ;D
Hackers can hack your computers, steal your account, and steal your money.
You can use signed message to get your account back, while your bitcoin will be stolen forever. There is no backwards trip for your bitcoin from hackers to you.

it's obvious

But you can always use empty BTC address with no Bitcoins to stake your address  ;)

Correct, what I mean is devices should be secured as much as possible, and should be the first priority of anyone who want to enter crypto world. Without devices security, they will lose money sooner or later.

Which is very wide knowledge to learn. Its about knowing what you doing in computer world, knowing whats possible for hackers (almost everything) and whats not possible. Where you should focus your efforts to stay secure (crypto world).
This knowledge need often branches of more specialized computer knowledge to understand them.

Example from friend of friend, easiest to learn for him is by practice so he tried to write trojan horse, and he saw what is needed (from common shared knowledge) to avoid detection from Anti Virus software and now he knew that AV software is no good and you cant feel secure with it.

I agree with you.
Scammers are smart and they always invent new ways to scam people,
so we have to update our devices on regular basis, and keep them protected as much as possible.

There is no perfect 100% protection ... sadly  :-\

Thanks for taking your time to do this especially for the newbies like us in the forum, I have just been scrolling and getting used to this forum, infact this is my first post so far. Thanks for the lesson.

Make sure the updates are legit. Many programs gained new vulnerabilities after being updated. For instance, some versions of wallets like Electrum had vulnerabilities.
I always say that the safest way is to keep your money offline on a separate device and have another PC to use for torrents, opening emails, forums and chats, and so on.
Also, don't click on any links you receive via pm or email unless you really know the sender.

All good advises, and we should all know them,
but sadly many newbies don't, so we have to remind them all the time.
And even experts can become victims if they are not super careful

Just like any other wallet.

Each wallet had vulnerabilities in the past. There is not a single one which didn't.
And some do even still have vulnerabilities which will never be fixed (e.g. jaxx).




Even if you know the sender you shouldn't click on links without verifying it.
If the original sender is compromised, malware could send emails to all contacts. While you'd believe the sender is a well known friend, in reality it is just some attacker who compromised the system of your friend.

Do not trust, verify.

thanks  :)
its reall helpfull for me to avoid any scam  :o

Lol, who to believe?

Trust no one. VERIFY ;D

Modern viruses and trojans are not made by stupid, but rather evil individuals

It is not about who is smarter, but who is more retarded (the target or the scammer).

IMO most scams around here are so blatantly obvious and no one would fall for it if they at least applied basic knowledge regarding securing their coins and common sense.
But unfortunately greed > common sense.

I agree with you.
Retarded greed wins most of the time when combined with hurry speed, lack of attention and get rich quick mentality.
Sadly if I may say  :-\

Great tutorial dkbit98, This phishing attack failed, but sadly some times the hacker has good luck and get access to the accounts... People are thinking, who is stupid enough to lose his account by this way, but we could be distracted and when we realize it was a fake page it's too late.

This was a phishing attack, just one of those multiples attacks we can see on this forum, so, we should walk carefully in this mined field. Thanks again for the tutorial, i will leave a merit on the main post ;)

These scammers did a bad job.
I always look in the browser line.
And if I saw this nonsense, I would laugh.))

But there are trickier ways!
To do this, you need to register a domain using similar letters:
ì - í - ï - ı - i / ό - ὂ - ὄ - ὅ - ö - o .............
And the "bitcointalk" site might look like this:
bıtcoıntalk.org
bitcόintalk.org
bìtcoìntalk.org
bitcointȧlk.org
...............

An example of such a site is http://lokıdn.com/blog.php (http://lokıdn.com/blog.php)
And mail -  info@lokıdn.com

I tried to register a site with such letters(bıtcόìntȧlk).
Try it yourself - https://godaddy.com
And here's what happened:

https://uk.godaddy.com/domainsearch/find?checkAvail=1&domainToCheck=bıtcόìntȧlk (https://uk.godaddy.com/domainsearch/find?checkAvail=1&domainToCheck=bıtcόìntȧlk)
https://i.0xbt.net/images/201909110041571000.jpg (https://uk.godaddy.com/domainsearch/find?checkAvail=1&domainToCheck=bıtcόìntȧlk)

Therefore, we must be careful.

https://pentest.com.tr/blog/Lapse-of-Keyboard-at-Internationalized-Domain-Name-EN.html
https://en.wikipedia.org/wiki/Í (https://en.wikipedia.org/wiki/Í)
https://en.wikipedia.org/wiki/Acute_accent
https://en.wikipedia.org/wiki/Latin_script_in_Unicode

I think everyone should think about personal security as a standard operating procedure. Gone are the days that simple and similar  passwords across all web properties are enough. Everything is getting on the Internet, even your finances. That's why every link should be thought as suspect.

Yeah... I know all about this.
If someone wants to be evil he can always invent new ways to scam people.
One more thing he can do is to buy any bitcointalk alternative domains
https://www.namecheap.com/domains/registration/results.aspx?domain=bitcointalk


That is why I advice people to play anti-phishing quizzes
and learn protection in fun way:
https://bitcointalk.org/index.php?topic=5178375

Being in an internet world, everyone should know what is phishing and what are the common ways by which scammers can scam you by impersonating the fake site as a real one. Since people do not listen and pay attention to these details, many have lost their accounts (social media & others) and even lost money from their bank accounts etc.

The rate at which scammers are trying to take over bitcointalk account this days is on the rise so one need to be careful as long as we all know what phishing sites are all about.

This Phishing strategy became popular in this community with a different style of fraud. If you manage to avoid their first attempt of phishing they will think for another way and so on so forth.

In this case, everyone should continue not tired reading some advice from our fellow forum members, because there will be a time that we will fall to their trap and the last thing we could do is to regret that we didn't pay attention to the warning of the concern members.

Thanks for this awareness it may look like a simple thing to do but the way you let us see the actual photo of phishing will help us a lot to be aware when this kind of message will be sent to us especially those members who are not fluent in English including myself.

Here are a couple more cases, with the same objective, but different kick-off approach:

 [Beware]Bitcointalk PHISHING attempt by E-Mail (https://bitcointalk.org/index.php?topic=5188072.msg52572839#msg52572839)
 Fake airdrop / phishing website posted in "Services" (https://bitcointalk.org/index.php?topic=5172689.0)

The former is initiated by the reception of an external Email allegedly sent from Bitcointalk, asking you to prove you are the owner of your account. The email obviously is not sent from Bitcointalk, but camouflaged just enough to make you think it might be. The contained phishing link looks like a regular Bitcointalk link, but it isn’t. You are directed to a phishing site that has an initial screen that asks you for your login credentials, it captures them, and then redirects you to Bitcointalk (official site, but obviously without having performed the actual real login).

The latter created an Airdrop thread, luring people to participate. He then PMs them, providing a phishing link similar to the above case (on the same domain and all; same site).
 
All in all, we need to place proper attention to cases such as these, and the one nicely detailed in the OP.

Yes. It is clearly connected and using same tactics, as I wrote in @morvillz7z topic.




That is why I recommend everyone to have some fun and learn Phishing protection fast
by simply playing Quizzes that will teach you the basics of phishing.
And if you think you are an expert you can always test yourself again:
[LEARN] Phishing Quizzes - Beginners & Experts (https://bitcointalk.org/index.php?topic=5178375) 👈

Since this topic was bumped today i decided to look around and gather information about these very specific phishing attacks, code name - I've replied to you.
I believe all these PMs are sent by the same scammers, as you will see below, the first reported case dates from as early as 2016 and have not stopped yet.
What they all have in common is the message itself, which is the same: "Hi <insert username> I've replied to you: <hidden phishing link>

Here's a few of them (probably missing ones shared on local boards):

April 09, 2016 - https://bitcointalk.org/index.php?topic=1430961.0

March 13, 2017 - https://bitcointalk.org/index.php?topic=1823854.0

April 24, 2017 - https://bitcointalk.org/index.php?topic=1884287.0

September 27, 2017 - https://bitcointalk.org/index.php?topic=2212540

November 05, 2017 - https://bitcointalk.org/index.php?topic=2360981

November 10, 2017 - https://bitcointalk.org/index.php?topic=2384313.0

November 11, 2017 - https://bitcointalk.org/index.php?topic=2385827

November 16, 2017 - https://bitcointalk.org/index.php?topic=2412522.0

November 17, 2017 - https://bitcointalk.org/index.php?topic=2415681.0

December 18, 2017 - https://bitcointalk.org/index.php?topic=2606107.0

March 10, 2018 - https://bitcointalk.org/index.php?topic=3094992.0

March 12, 2018 - https://bitcointalk.org/index.php?topic=3109869.0

March 14, 2018 - https://bitcointalk.org/index.php?topic=3120906.0;

March 25, 2018 - https://bitcointalk.org/index.php?topic=3196724.0

March 25, 2018 - https://bitcointalk.org/index.php?topic=3197069.0

April 23, 2018 - https://bitcointalk.org/index.php?topic=3378394.0

June 05, 2018 - https://bitcointalk.org/index.php?topic=4423403

June 05, 2018 - https://bitcointalk.org/index.php?topic=4419956.0

August 13, 2019 - https://bitcointalk.org/index.php?topic=5175274.0

You have a nice little collection there :)

I don't know if we can find exact source for all off them,
as most of accounts used for this have been hacked.

bump

This is a very important thread that should be bump from time to time so people will be aware of ti to always look on the url of any site that you are going to visit especially Bitcointalk, your account here is very important especially if you have a high rank.

Thanks for the heads up. While trained eyes might spot it from a mile away, it looks innocuous to many newbies. I guess that's why their PM is disabled by default as a counter-measure.

But I feel that the "You are navigating to an external link (insert link). Do you want to continue?" prompt page would be way more effective in nullifying these things.
https://community.mybb.com/uploads/mods/previews/preview_21092_1431616518_721a022f3c6c19c0d571c4e58c587e4b.png

Yeah, I guess that would be good update for bitcointalk forum, and I think it is easy to implement it fast.