Again, Phishing Iancoleman

[Chikito]

Damn, Scammer everywhere!.

I won't create a new thread but this is important for us and also newbie, the last day ago I have a warning electrum phishing website and today got recently new phishing iancoleman.

Code:

https://incoleman.io/

Normally, a real website need sub/virgule bip39 like this https://iancoleman.io/bip39/

how I found this phishing?

accidentally, searching bip39 keyword in the google searching box.



Please, install AdBlock now.

let's see the relationship that IP

https://www.virustotal.com/gui/ip-address/190.115.18.218/relations



of course, the scammer will use the same server to create a new domain.

Domain Information:

IP Address: 190.115.18.218
Domain Name: incoleman.io
Registry Domain ID: D503300001187922502-LRMS
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: www.namecheap.com
Updated Date: 2020-10-20T12:52:15Z
Creation Date: 2020-10-20T12:52:12Z
Registry Expiry Date: 2021-10-20T12:52:12Z
Registrar Registration Expiration Date:
Registrar: NameCheap, Inc

what phishing website create next?

[Charles-Tim]

I found this to be true, I was even confused when you coded it up there, it is so similar to iancoleman.io, the site will truly be a phishing site with no two intentions than to scam anyone that mistakely input his/her seed phrase, or who mistakenly use the fake site to generate seed phrase. Domain providers are not working enough to let people not to use such fake domain, if I am a domain provider, I would have known this will only lead to scam site, and google is also good in spreading false information, making scam more easily and unknowingly accessible to people which could later be victims.

[masulum]

Domain providers are not working enough to let people not to use such fake domain, if I am a domain provider, I would have known this will only lead to scam site,

I have an experience working in domain provider service, why they are accepting related domain, because sometimes we can found 2 similar companies name. If domain provider blocked 1 of them before any evidence of scam sites, it can be wrong and will make their reputations bad.

How to solve this? all domain provider have abuse report, so we can take advantages from this, if you find scammers or phishing sites, you can report it, if you have enough proof, the domain will be taken down by them. But, it need few weeks for service provider to check it, except there are several user report that site it will become priority investigations, and it will be faster to taken down that domains.

[mk4]

what phishing website create next?

Every single on of the same websites being normally used as phishing sites. It's pretty safe to assume that as long as phishing sites still work for tricking the less-informed, they will continue to exist.

[webtricks]

It's actually a bad idea to provide direct form on the website to generate mnemonic code. It would have been better if Ian Coleman only provided source code on the website so the only option user had was to copy the whole code, paste that in any text editor and then run the file in his browser.

Providing the functionality of address generation directly on the website without any explicit 'warning text' on the top has exposed the users to several potential vulnerabilities (phishing site being the one) because newbies will always prefer generating addresses quickly on the website rather than downloading the page and running it offline.

If there wasn't a form on the website, it wouldn't be possible for anyone to imitate the website and steal the private information.

[o_e_l_e_o]

Losing track of how many times I am copying and pasting this. Any one of these steps would be enough to prevent you from falling victim to this scam. Practice all of them for maximum safety.

Stop using Google to find the website of exchanges, services, or wallets.

Stop following random links without checking the URL.

Start using uBlock Origin.

Never type your seed in anywhere.

How many times does this need repeated?

[DdmrDdmr]

Searching around (base on the first phrase on the scam screen), I encounter a few other sites with a distant name to the original, but similar interface. Although some of them reference the original github source code (down the bottom of the screen), giving an additional link to their own (and thus claiming somehow that their version is allegedly based on the original version), the all seem a danger to me:

Code:

https[colon]//coinomi.github[dot]io/tools/bip39/
https[colon]//crypto.greenhex[dot]net/bip39-personal-standalone[dot]html
https[colon]//s3.amazonaws[dot]com/groovehq/uploaded/9e08fc9sg6ppxst6nbhc015wedgbt85n6xw6xnm88krwi2bdj6?1486558363

I’m not going to investigate if there is even a trace of legitimacy in any of them, but clearly the risk of not using the original legit site is tremendous, however we come accross the alternative site.

[NotATether]

of course, the scammer will use the same server to create a new domain.

If that's the case, some basement guy hosting a bunch of fake websites on a single server, then their IP address can be blocked with a firewall and this will disable access to all of those sites until the scammer gets a new IP (which requires them to temporarily take the sites offline while rebooting)

Someone can code a script that queries the DNS information of typosquatting domains, extract the IP addresses, and make a list out of them for pasting into a firewall program. Or set up a name server for people to use and put a firewall with the list on that. It would only catch phishing domains though, not scam domains with completely different names.