BitcoIntalk phishing PM! Warning!

[AT101ET]

This morning I got a PM from a newbie asking me if an account (he gave me a link in the PM) was an alt of mine.
I straight away new something was up because I only have one alt and barely post on it...
I clicked on the link in the PM to see the profile of the user he was talking about and something weird happened. For some reason the forum asked me to log in with my account credentials.
I thought that was quite strange so I looked at the address in the browser.
The sneaky son of a ***** had a phishing link set up to steel people's log ins...

If you get a message like this, DO NOT enter your credentials! Make sure you're account has an address that you can sign to prove ownership...

Here is the PM:

!!! WARNING: This user is a newbie. If you are expecting a message from a more veteran member, then this is an imposter !!!
hey is this your alt?
https://bitcolntalk.org/index.php?action=profile;u=388262
is it for sale? it's listed for sale in the service section said contact you. how much you want?

[erikalui]

Thanks for the post. The link PM is pretty easy and seems genuine to hack a person's account as the "i" is replaced with "l". That's why I had asked for the option to disallow newbies from sending/posting links to make it safer.

[Muhammed Zakir]

Thank you for the warning! Please remove "https" from url. People may click it accidentally.

Thanks for the post. The link PM is pretty easy and seems genuine to hack a person's account as the "i" is replaced with "l". That's why I had asked for the option to disallow newbies from sending/posting links to make it safer.

Newbies do come here for legitimate reasons. PMs mustn't disabled for newbies.

[hilariousandco]

Left negative but make sure you report the PM so a mod can handle him.

[AT101ET]

Left negative but make sure you report the PM so a mod can handle him.

I'll do so now.
I've edited the original post to disable the link to prevent others from clicking on it as requested.

[el kaka22]

I've entered a detail of a perma-banned account from my friend (which was an account farmer but all his ~10 accounts have been banned) to that site. The account's last active date was April. If the account's active date changes, then I can confirm that it is a phishing site.
Edit: I found that the site's clock stops at June 07, 2015, 05:31:48 AM. That is just a snapshot of bitcointalk at that time. Also according to the whois data, that domain is registered just today. And even entering a empty login detail there redirects me to the specific user's profile.

[erikalui]

Thank you for the warning! Please remove "https" from url. People may click it accidentally.

Thanks for the post. The link PM is pretty easy and seems genuine to hack a person's account as the "i" is replaced with "l". That's why I had asked for the option to disallow newbies from sending/posting links to make it safer.

Newbies do come here for legitimate reasons. PMs mustn't disabled for newbies.

I am not saying to disable the PM option for newbies but they shouldn't be allowed to post links as mostly people join this website and start either spamming their referral link or post malicious links.

[Twipple]

Does it mean someone bought the bitcolntalk domain and is using it for phishing ? Could be very dangerous if people fall for it. Another thread on forum https://bitcointalk.org/index.php?topic=1083278.0

[el kaka22]

I've entered a detail of a perma-banned account from my friend (which was an account farmer but all his ~10 accounts have been banned) to that site. The account's last active date was April. If the account's active date changes, then I can confirm that it is a phishing site.

Just confirmed that it is an active phishing site! The perma-banned account's last active time has changed from April to Today! Please be careful from this domain!

[Quickseller]

I am not saying to disable the PM option for newbies but they shouldn't be allowed to post links as mostly people join this website and start either spamming their referral link or post malicious links.

I am not sure what the criteria is, however a lot of links that newbies send via PM (and post) will get auto removed by the forum and will be replaced with "[suspicious link removed]"

There are legit reasons for newbies to send a number of links to people, however I think phishing sites of the forum should probably be added to the list of domains that get auto removed

[jacktheking]

Thanks for reporting it. I remember seeing one link like this sometime back. It's good that I did not click on it. Next up.. it will be bitc0intalk.org, b1tcointalk.org. So.. I think it will be better for the admins to create a script that will stop those link - look similar to Bitcointalk.org.

[nikona]

Thanks for reporting it. I remember seeing one link like this sometime back. It's good that I did not click on it. Next up.. it will be bitc0intalk.org, b1tcointalk.org. So.. I think it will be better for the admins to create a script that will stop those link - look similar to Bitcointalk.org.

Something similar already existed a few days back. I remember getting a message from someone, where it showed something like [LINK Removed] . Not sure if that has been removed.
That can help eliminate these spam messages.

[dothebeats]

Good thing there is a feature of the forum wherein suspicious links coming from private messages are automatically disabled. Gullible people (like me) still clicks on links that are being sent by unknown users, thinking that this might be some good websites. Good thing I haven't encountered one of those PM's yet.

---

There are legit reasons for newbies to send a number of links to people, however I think phishing sites of the forum should probably be added to the list of domains that get auto removed

I agree on this idea that suspicious links should have a complete list so as to get them auto-deleted if ever another user attempts to use them again.

[PryptoMontreal]

I opened that link and put up a random password and random account name, on doing so, that particular profile opened and my account was already logged in. So he got my account password? Just to be safe, I changed the password.

[achow101]

I opened that link and put up a random password and random account name, on doing so, that particular profile opened and my account was already logged in. So he got my account password? Just to be safe, I changed the password.

He did not. It just redirects you back to the actual profile in the actual forum. In fact, you can do this without entering anything.

[AT101ET]

I think it's just a phishing page where whatever you input into the text boxes will automatically be sent to the page owner. Even if you proceed without entering any information, you will be redirected to the actual user profile as I assume that's what the redirect address is once you click proceed.
I'm lucky I was alert and paying attention to the link. I have an address that I can prove account ownership from, but the hassle would have been far too annoying. I guess we all just need to stay alert. Scammers are adapting. Adaptation can sometimes suck

[crazyearner]

Had a number of pms like this in past and present I just ignore them as it seems mods or admins don't want to do anything to prevent it from happening in the future as reported so many of them and get ignored or I get marked as incorrect so I only help when really needed now. I only click stuff in pms when I know it is real and not a fake cover up link or something that looks fake. Even then I do  background checks on it before even entering and when I do seen some real catchy ones trying to capture your details. So simple answer always take care when reading and clicking.

[unamis76]

This phishing website is similar to the one that appeared a while back, when the forum was offline, asking for "donations". Some smart guy is trying to steal accounts...

I hope the guy is traceable and that theymos can do something about this. I bet this is why we've been having a lot of spam and malware linked around.

[el kaka22]

Because they got one of my (friend's) banned account and the forum is having the record of all account's last login IP address, can the forum admin just track it and ban that IP address?
BTW, link to the hacked perma-banned account profile: https://bitcointalk.org/index.php?action=profile;u=483205 (note the site is bitcointalk.org, not a phishing site)