Bitcoin Forum
Author Topic: Fanbitcoin.com - Mirror or phishing?  (Read 1415 times)
Karartma1
Legendary
*
Offline Offline

Activity: 1834
Merit: 1073


Be Revolutionary Or Die Trying


View Profile WWW
September 16, 2015, 10:55:36 AM
 #1

I searched something about Bitcoin in Google and I found https://fanbitcoin.com in search results. It looks like another mirror site like bitcointa.lk.
Don't try to login from that site!

I am not interested in preserving the status quo; I want to overthrow it. Niccolò Machiavelli
21coin
Hero Member
*****
Offline Offline

Activity: 493
Merit: 500


Sarthak's a dumb girl


View Profile
September 16, 2015, 10:59:12 AM
 #2

Hmm it seems so, seems to be daily updated as well. Warning well given.

Jake-R
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
November 18, 2015, 10:48:35 PM
 #3

I almost signed in there after a Google search took me there instead of here today.
Zeroxal
Hero Member
*****
Offline Offline

Activity: 868
Merit: 508



View Profile
November 20, 2015, 09:41:04 AM
 #4

Tried to log in with some random characters. The site just went blank.
MathewCNichols
Newbie
*
Offline Offline

Activity: 13
Merit: 0


View Profile WWW
December 04, 2015, 02:13:06 AM
 #5

I just attempted a login.

The site pulled up in a Google search for the Avalon 6. I saw it was using HTTPS, I assumed a secure signed TLS certificate was secure enough, and I entered my credentials.

I was redirected to a Cloudflare error page: "The page you are looking for cannot be found":
http://screencast.com/t/UiyyTuRFH

Does anyone know if the PHP POST for "hash_passwrd" on the submit button could have passed the password to the phisher man?:
http://screencast.com/t/8de4RZt4S

I'm guessing if it did there would have been some sort of confirmation of the submission (and Chrome password manager would have prompted to save it for the site.)

Thanks guys.
theymos
Administrator
Legendary
*
Offline Offline

Activity: 3640
Merit: 7420


View Profile
December 04, 2015, 03:31:48 AM
 #6

I wish that Google was smart enough to notice this copying and ban the copycat sites.

Quote from: MathewCNichols on December 04, 2015, 02:13:06 AM
> I just attempted a login.

You should change your password here just in case.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
MathewCNichols
Newbie
*
Offline Offline

Activity: 13
Merit: 0


View Profile WWW
December 04, 2015, 12:37:44 PM
 #7

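Quote from: theymos on December 04, 2015, 03:31:48 AM
> I wish that Google was smart enough to notice this copying and ban the copycat sites.
>
> Quote from: MathewCNichols on December 04, 2015, 02:13:06 AM
> > I just attempted a login.
>
> You should change your password here just in case.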

Thanks for the reply, Theymos! Will do!
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2030
Merit: 1815



View Profile WWW
December 04, 2015, 02:51:20 PM
 #8

There really needs to be a sticky that says the only domain is bitcointalk.org and any other one is a phishing site.

Happy New Year!
Decoded
Legendary
*
Offline Offline

Activity: 1232
Merit: 1024


give me your cryptos


View Profile
December 04, 2015, 10:14:03 PM
 #9

Pretty much all mirrors are also phishing. They can get your bitcointalk password, so one way or another it's risky. Bitcointalk is easier to remember anyway, why would you use something as dodgy as fanbitcoin?

looking for a signature campaign, dm me for that
Sir_lagsalot
Sr. Member
****
Offline Offline

Activity: 392
Merit: 251



View Profile
December 05, 2015, 10:59:43 AM
 #10

Probably phishing. Why would you make a mirror, when everyone can use the official site? :-/

One way or another, stay well away. Seems phishy (Geddit)
MathewCNichols
Newbie
*
Offline Offline

Activity: 13
Merit: 0


View Profile WWW
December 05, 2015, 05:01:05 PM
Last edit: December 05, 2015, 05:34:38 PM by MathewCNichols
 #11

Quote from: Sir_lagsalot on December 05, 2015, 10:59:43 AM
> Probably phishing. Why would you make a mirror, when everyone can use the official site? :-/
>
> One way or another, stay well away. Seems phishy (Geddit)

I'm guessing the domain name or IP for bitcointalk.org is banned in other countries and this mirror provides a portal for foreign readers. I'm investigating whether my original password was possibly stolen for different reasons. I have changed my initial password BTW.

The mirror is hosted on Cloudflare out of California and using their SSL cert. Although the domain owner is hidden, it's someone out of Panama.

From what I can tell so far, it looks like they mirrored this site but did not take any of the PHP forms with it. They also don't use any JavaScript besides a Shopify stat counter at the bottom of every page:

• The login form from the home page uses PHP to POST a "user" and "passwrd" value to fanbitcoin.com/index.php?action=login2, the same behavior as bitcointalk.org/index.php?action=login2
• Bitcointalk then uses JavaScript to process the "user" value "frmLogin". See http://screencast.com/t/mvVDGvbaA
• Fanbitcoin lacks the JavaScript to process any value "frmLogin". See http://screencast.com/t/P1fDKgQ6Zs2L

*Links removed for safety.
*I'm a complete noob.
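
Added example, not part of any post in this thread: a valid HTTPS certificate says nothing about who receives the login form, so the check that matters is which host the page and its form action resolve to. The function names and sample URLs are constructed for illustration; only the two domain names and the `index.php?action=login2` path come from the thread.

```javascript
// Added illustration: origin check for a login form, in the style a password
// manager applies before autofilling. TRUSTED_HOST comes from the thread;
// function names and sample URLs are constructed.
const TRUSTED_HOST = "bitcointalk.org";

function hostIsTrusted(hostname, trusted = TRUSTED_HOST) {
  const h = hostname.toLowerCase().replace(/\.$/, ""); // drop a trailing dot
  // Exact match or a true subdomain. A bare suffix test without the leading
  // dot would also accept a lookalike such as "notbitcointalk.org".
  return h === trusted || h.endsWith("." + trusted);
}

function checkLoginForm(pageUrl, formAction) {
  let page, target;
  try {
    page = new URL(pageUrl);
    // A relative action ("index.php?action=login2") posts back to whatever
    // host served the page, so resolve it against the page URL first.
    target = new URL(formAction, page);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!hostIsTrusted(page.hostname))
    return { ok: false, reason: `page served by ${page.hostname}` };
  if (!hostIsTrusted(target.hostname))
    return { ok: false, reason: `form posts to ${target.hostname}` };
  if (page.protocol !== "https:" || target.protocol !== "https:")
    return { ok: false, reason: "credentials would travel without TLS" };
  return { ok: true, reason: "page and form target match trusted host" };
}

// Constructed samples: [page URL, form action]
const samples = [
  ["https://bitcointalk.org/index.php?action=login", "index.php?action=login2"],
  ["https://fanbitcoin.com/index.php?action=login", "index.php?action=login2"],
  ["https://bitcointalk.org.fanbitcoin.com/", "index.php?action=login2"],
  ["https://bitcointalk.org@fanbitcoin.com/", "index.php?action=login2"],
  ["https://bitcointalk.org/", "https://fanbitcoin.com/index.php?action=login2"],
  ["http://bitcointalk.org/", "index.php?action=login2"],
];
for (const [page, action] of samples) {
  const r = checkLoginForm(page, action);
  console.log(`${r.ok ? "OK   " : "BLOCK"} ${page} -> ${r.reason}`);
}
```
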
MathewCNichols
Newbie
*
Offline Offline

Activity: 13
Merit: 0


View Profile WWW
December 08, 2015, 12:16:20 AM
Last edit: December 08, 2015, 09:13:23 PM by MathewCNichols
 #12

This will be my last update. Sorry to keep resurrecting this thread. I've been tinkering around a bit in my free time with PHP and learning how these phishing sites work. I guess that's just the personality traits of our type of people.

I've recreated a test site using fanbitcoin.com's copied source code, exploited the PHP to capture the "user" and "passwrd" fields, then I've attempted to return a server 404 like their host cloudflare.com does. It's not possible.

Once the PHP script begins to process, you either land on a blank page or get redirected to whatever page is specified in the "header('Location: http://site.com');". It's not possible to have the webserver display its internal 404 (notice the URL doesn't change on Cloudflare) since PHP is responsible for serving the header and the specific 404 page URL once it begins processing.

This is the best explanation I've found:
http://stackoverflow.com/questions/437256/why-wont-my-php-app-send-a-404-error


I created a test site and set up the Cloudflare CDN. With "smarterrors" enabled, I can pass a "header("HTTP/1.1 404 Not Found");" at the bottom of the PHP code, after intercepting the username and password, and Cloudflare will throw its 404 page.

Fair warning: CHANGE YOUR PASSWORD!
Eisenhower34
Legendary
*
Offline Offline

Activity: 893
Merit: 1000



View Profile
March 15, 2016, 09:27:44 AM
 #13

Wow! I don't know who or what linked it, but I'd like to consider myself pretty savvy as far as phishing goes. Gave me a heartache when I realized what I had done. Thank goodness for lastpass and for not keeping identical passes. I should've known something was screwy when it wasn't offering to fill in my login details.

So please everyone, beware. The link is on the forum somewhere that directs you to this fanbitcoin.com. I was casually surfing Bitcointalk as usual and nearly got took myself.