User creating massive amounts of referral spam - Marcy

[Quickseller]

Spammers Profile Link: https://bitcointalk.org/index.php?action=profile;u=350925

This person has made 30 posts (including some new threads) with his referral link today

Upon closer inspection of the referral links he is posting the domain of the referral link matches his handle which makes be believe that he owns the site. A quick glance of the site he is advertising, makes me believe this is some kind of cloud mining ponzi scam site.

edit: it appears he was trying to spread malware, and there have been other cases of this happening. The most recent example is Magic Of Nigeria

edit: it appears the most recent example is now Marcy https://bitcointalk.org/index.php?action=profile;u=405552

[1715160485]

1715160485

[XinXan]

Yep its probably some cloud mining ponzi but he actually posted 2 different websites, its kind of weird that he decided to do this now, maybe his account was sold or hacked?

[hilariousandco]

His name is EmpoEX but the ref links he's spamming are for a cloud mining company. Likely a hacked account I think. Someone was doing the exact same earlier but for different site I think. Handled what ones I could anyway.

[DiamondCardz]

His name is EmpoEX bit the ref links he's spamming are for a cloud mining. Likely a hacked account I think. Someone was doing the exact same earlier but for different site I think. Handled what ones I could anyway.

Yeah. I reported all the posts of the previous guy who seemed to be hacked, and this one (this one about an hour ago I think). There's a looot, I think I've reported at least 50 of these hacked account spambot posts in total now. It's crazy.

Edit: Oh my God I love your personal text hilariousandco

[Quickseller]

His name is EmpoEX bit the ref links he's spamming are for a cloud mining. Likely a hacked account I think. Someone was doing the exact same earlier but for different site I think. Handled what ones I could anyway.

Thanks. I swear I thought that I saw one of the domains he was advertising to match his forum handle.

It looks like the referral number is always the same across different sites, so I think the various sites are all the same.

[DiamondCardz]

It looks like the referral number is always the same across different sites, so I think the various sites are all the same.

Perhaps. Considering that I couldn't find any references on Google to the site this hacked account and the last one were advertising - though I did find one with the same domain but an .eu TLD, so perhaps this site tries to rip-off the trustworthiness of that - I have a feeling that there is no actual referring going on at all, and that this is indeed simply an attempt to scam people.

[TheButterZone]

Nuke from orbit just to be sure.

[hilariousandco]

Seems he's regained control of his account as he's edited all the posts:

Apologies for anyone who clicked the link here. Please delete this thread.

Nuke from orbit just to be sure.

Only newbies can be nuked. Think this is why we need more active Globals though as well.

Edit: Oh my God I love your personal text hilariousandco

I laughed when I first saw it.

[Quickseller]

Seems he's regained control of his account as he's edited all the posts:

Apologies for anyone who clicked the link here. Please delete this thread.

He probably saw the negative trust he got as well as this thread. It seems that his password was only changed once recently which would really not explain very much.

[unamis76]

It seems we have been having a big surge of spammers in the last few hours. I hope the mods have the time to take care of all that, it's big work sometimes... I'm helping anytime I can by reporting, keep it up, mods

[Cyrus]

I hope the mods have the time to take care of all that, it's big work sometimes... I'm helping anytime I can by reporting, keep it up, mods

We're on it. And appreciate the help.

[Grand_Voyageur]

I hope the mods have the time to take care of all that, it's big work sometimes... I'm helping anytime I can by reporting, keep it up, mods

We're on it. And appreciate the help.

Just reported another possible alt - YourNewGod, uid: 412771 - of the said spammer.

[hilariousandco]

Yeah, handled the ones of his that I could. Just keep reporting them.

[shorena]

Aaand another one: https://bitcointalk.org/index.php?action=profile;u=412771

Probably hacked as well. I guess the weak passwords from the leak are broken now.

[Twipple]

Aaand another one: https://bitcointalk.org/index.php?action=profile;u=412771

Probably hacked as well. I guess the weak passwords from the leak are broken now.

I don't think its accounts hacked from the hack. It would be stupid to use the accounts for posting spam to a referral link as that would generate a much smaller profit than using it for other purposes.

[hilariousandco]

Yeah, probably the users just clicked a phishing link themselves or got a virus from somewhere else.

[EcuaMobi]

Yeah, probably the users just clicked a phishing link themselves or got a virus from somewhere else.

I got this PM from EmpoEX:

Hello,

We have noticed that you have left us a negative trust rating for spamming referral links.
Our account was hacked by a trojan horse virus that was spread around the last couple of days, resulting in spam being sent out. If you did not notice, we edited all posts to apologise for the inconveniences. They have now since been deleted.

We're asking kindly if you can remove the negative trust from our account.

Thank you very much
#EmpoEX Team

I linked him to this thread and asked him to provide more details. If what he says is true he should give as much information as possible to prevent this in the future.

[Grand_Voyageur]

Yeah, probably the users just clicked a phishing link themselves or got a virus from somewhere else.

I guess it was linked to the phishing attempts reported today by QS & AT101ET. Maybe, You & other Staff have more solid proofs about the issues.

Yeah, probably the users just clicked a phishing link themselves or got a virus from somewhere else.

I got this PM from EmpoEX:

Hello,

We have noticed that you have left us a negative trust rating for spamming referral links.
Our account was hacked by a trojan horse virus that was spread around the last couple of days, resulting in spam being sent out. If you did not notice, we edited all posts to apologise for the inconveniences. They have now since been deleted.

We're asking kindly if you can remove the negative trust from our account.

Thank you very much
#EmpoEX Team

I linked him to this thread and asked him to provide more details. If what he says is true he should give as much information as possible to prevent this in the future.

+1. It would be great to learn some lessons from it & maybe we can also turn it in a distributed digital forensics effort. 

[EmpoEX]

The link that was spammed by this account was spammed by others in the Altcoin ANN section. The thread which I saw was yesterday at about 2-3 PM here: https://bitcointalk.org/index.php?topic=1082561.msg11550385#msg11550385 (since deleted).

Here is a backup of the thread:



Link was clicked and visited showing a site which downloads a miner exe. Upon double clicking it, nothing appeared to have happened. A few hours later, our accounts started getting logged into such as here, twitter and other sites. Security emails were received, and we tracked it to this IP: 37.123.112.27. After this, posts were made throughout every section on the forum with a referral link + a locked thread. We promptly went through and edited all posts to request them to be deleted.

Not entirely sure how the passwords were leaked but it seems the trojan gained access to stored passwords in Google Chrome, as all passwords in use were 30+ chars long and not guessable or weak by any means.

Upon closer inspection of the referral links he is posting the domain of the referral link matches his handle

The link that was spammed contained an ID on the end of the URL specifically "?ref=271292" for a hashminer.net site, which does not in any way match our handle.



Here is a backup of the thread which was posted by us into the Altcoin ANN section yesterday showing a totally different ref number, for cloudminer.biz domain:



Please refrain from unnecessary accusations.

I would like to clarify that we do not own and are not associated with the site that was linked. You can check the history of our account, we are running a professional exchange. It would be greatly appreciated that anyone who has placed negative trust to edit their trust to restore our account to good standing.

Hopefully this helps clear up the situation.
#EmpoEX Team

[Muhammed Zakir]

Code:

The link that was spammed by this account was spammed by others in the Altcoin ANN section. The thread which I saw was yesterday at about 2-3 PM here: https://bitcointalk.org/index.php?topic=1082561.msg11550385#msg11550385 (since deleted).

Here is a backup of the thread:

[img]https://i.imgur.com/DAL6Rpv.png[/img]

Link was clicked and visited showing a site which downloads a miner exe. Upon double clicking it, nothing appeared to have happened. A few hours later, our accounts started getting logged into such as here, twitter and other sites. Security emails were received, and we tracked it to this IP: 37.123.112.27. After this, posts were made throughout every section on the forum with a referral link + a locked thread. We promptly went through and edited all posts to request them to be deleted.

Not entirely sure how the passwords were leaked but it seems the trojan gained access to stored passwords in Google Chrome, as all passwords in use were 30+ chars long and not guessable or weak by any means.

[quote author=Quickseller link=topic=1082790.msg11552287#msg11552287 date=1433619233]
Upon closer inspection of the referral links he is posting the domain of the referral link matches his handle
[/quote]

The link that was spammed contained an ID on the end of the URL specifically "?ref=271292" for a hashminer.net site, which does not in any way match our handle. 

[img]https://i.imgur.com/WEMOjep.png[/img]

Here is a backup of the thread which was posted by us into the Altcoin ANN section yesterday showing a totally different ref number, for cloudminer.biz domain:

[img]https://i.imgur.com/08Yuj5n.png[/img]

Please refrain from unnecessary accusations.

I would like to clarify that we do not own and are not associated with the site that was linked. You can check the history of our account, we are running a professional exchange. It would be greatly appreciated that anyone who has placed negative trust to edit their trust to restore our account to good standing.

Hopefully this helps clear up the situation.
#EmpoEX Team

Cloudminer.biz referral ID will be different from Bitcointalk UID.

Edit: I think we need more Global Mods. YourNewGod excessively spamming. Hope these accounts will be banned soon.