[SCAM] Ongoing attempt - Phishing link send around in PM, copy of the forum

[Ridicuss]

I fell for it. Lost my old account. retard...

[Ridicuss]

if this helps, i got two
   Today at 02:15:57 PM   BTC-E Trade Bot / Earn .1 btc a week   haasBB8   
   Today at 11:34:18 AM   BTC-E Trade Bot / Earn .1 btc a week   dirtscience

Dirtscience was my hijacked account. Sorry for the stupidity guys.

[hennessyhemp]

I can tell you I did not enter my Bitcointalk information on any website other than bitcointalk so I am fairly certain it was not phished out of me...I had a weak password...so I am guessing brute-force...but I really don't know much about how a hacker comes to steal my account...I just know it definitely happened July 10th, 2013, and I have updated my password so it is much stronger now.

I am a legitimate user with a real life connection to me.  The impostor only posed as me and tried to pump my account (presumably for scamming) and apparently tried to buy other accounts from another user.  Definitely posted like 50 messages in an hour to try to get my account higher...which didn't work, as another member kept popping up on his threads alerting users he was posting like crazy.  I discovered this whole fiasco on the 7/12/2013.  Password has been updated...but this is crazy...guy was fairly smart and very capable, it's rather unnerving. 

[LoWang]

Allright, so I believe this started by luring the credentials from somebody and then using it to hijack more accounts through the phishing PMs (it is funny that the word phishing is in the address itself:). BruteForce attack is out of the question because that would assume somebody hacked into the site and got the password hash database (which I hope is not true)
Badbear you said "the ban (which we can do) is really just reactionary to stop further damage" and yet you did not do this at least. That translates to me as you don't really care even if this could have prevented a lot more account hijacks... I believe you have not ever worked at an IT company Let's hope this will serve like a security education for those who fall for it without causing too much damage or money loss...

[dexX7]

I fell for it. Lost my old account. retard...

Which one was that?

In case of account compromisation, those accounts should be banned/tagged or there should be a sticky somewhere on this board, so nobody gets tricked into believing it is a legit member.

There is an trust issue though. Who do you believe? A newbie who claims he or she is user x? Hm..

Badbear, what would you need to stop it?

[BadBear]

I fell for it. Lost my old account. retard...

Which one was that?

In case of account compromisation, those accounts should be banned/tagged or there should be a sticky somewhere on this board, so nobody gets tricked into believing it is a legit member.

There is an trust issue though. Who do you believe? A newbie who claims he or she is user x? Hm..

Badbear, what would you need to stop it?

We need to be given access to the information we need in order to do something about it. Theymos declined, so I can only assume the help of the moderators is not needed or wanted when it comes to these situations.

Edit: So make sure to contact him directly with all inquiries, complaints, reports or otherwise .

[binaryFate]

One solution is to enable an optional 2 factors authentication:
https://bitcointalk.org/index.php?topic=178568.0

Nowadays, any website that handles something serious proposes it. And this forum is definitely something of that level, it deserves it.

[Ridicuss]

I fell for it. Lost my old account. retard...

Which one was that?

In case of account compromisation, those accounts should be banned/tagged or there should be a sticky somewhere on this board, so nobody gets tricked into believing it is a legit member.

There is an trust issue though. Who do you believe? A newbie who claims he or she is user x? Hm..

Badbear, what would you need to stop it?

We need to be given access to the information we need in order to do something about it. Theymos declined, so I can only assume the help of the moderators is not needed or wanted when it comes to these situations.

Edit: So make sure to contact him directly with all inquiries, complaints, reports or otherwise .

I did contact theymos about the dirtscience account. I heard nothing back, but I can see the hijacker has not posted anymore form the 10th on, I'm guessing its banned. I do have a way to prove I was the original owner but it would require getting a vendor here involved. I have already squared away my problems with the vendor myself. If dirtscience is still active and you want to trust go ahead.. If you dont want to ban it. Not my problem anymore.

[whiskers75]

Do you know what's funny about this?

If you take that link, and make it legit, like so: https://bitcointalk.org/index.php?topic=252907.0.html (not phishing)
It leads to a thread titled: "The lost Bitcoins... a question of curiosity" about lost coins.

[hennessyhemp]

One solution is to enable an optional 2 factors authentication:
https://bitcointalk.org/index.php?topic=178568.0

Nowadays, any website that handles something serious proposes it. And this forum is definitely something of that level, it deserves it.

Yes...wholeheartedly agree 2 form authy!...it really sucks to attempt to build a rep, and log in to discover someone found a way to piss on it in your absence.  In my case if you do any simple googling...you'll find I am connected to me in real life, so finding out a hacker used my account and posted all kinds of non-sense all over this forum was particularly unsettling...2 form would have probably worked pretty well even if he had gotten my weak password.

[pontiacg5]

One solution is to enable an optional 2 factors authentication:
https://bitcointalk.org/index.php?topic=178568.0

Nowadays, any website that handles something serious proposes it. And this forum is definitely something of that level, it deserves it.

Yes...wholeheartedly agree 2 form authy!...it really sucks to attempt to build a rep, and log in to discover someone found a way to piss on it in your absence.  In my case if you do any simple googling...you'll find I am connected to me in real life, so finding out a hacker used my account and posted all kinds of non-sense all over this forum was particularly unsettling...2 form would have probably worked pretty well even if he had gotten my weak password.

I imagine all that extra security doesn't come free. Would you be willing to pay extra for a forum membership just for that extra security? For all the guys in this thread there sure are a whole lot absent. No money ever goes solely through this site anyway, not like some exchange or anything...

I'd be more ashamed that I fell for the trap and that it was exposed for all to see on the net. Hopefully you learned your lesson. Blaming the forum is just wrong though.

[binaryFate]

One solution is to enable an optional 2 factors authentication:
https://bitcointalk.org/index.php?topic=178568.0

Nowadays, any website that handles something serious proposes it. And this forum is definitely something of that level, it deserves it.

Yes...wholeheartedly agree 2 form authy!...it really sucks to attempt to build a rep, and log in to discover someone found a way to piss on it in your absence.  In my case if you do any simple googling...you'll find I am connected to me in real life, so finding out a hacker used my account and posted all kinds of non-sense all over this forum was particularly unsettling...2 form would have probably worked pretty well even if he had gotten my weak password.

I imagine all that extra security doesn't come free. Would you be willing to pay extra for a forum membership just for that extra security? For all the guys in this thread there sure are a whole lot absent. No money ever goes solely through this site anyway, not like some exchange or anything...

I'd be more ashamed that I fell for the trap and that it was exposed for all to see on the net. Hopefully you learned your lesson. Blaming the forum is just wrong though.

I strongly disagree. You have 2 factor authentications on all websites that are handling bitcoins and bitcoin-related assets. You have 2FA on your conventional bank websites too. Pretty much everywhere where it is critical.
This forum is falling into this category, there are large auctions going on, funding campains, many things for which trust and reputation are keys. What matters really is not the name of it, just a "forum" so you might think there's nothing critical, no what really matters is what is going on here. And this place remains a central one in the BTC world.

As for the money, I agree it's not free. There is as we speak more than 600BTC of donations made to the forum that are supposed to be used for improvements, but this amount is just standing useless at the moment. 1% of it would be enough for a 2FA. Money is not a problem.

[tysat]

I strongly disagree. You have 2 factor authentications on all websites that are handling bitcoins and bitcoin-related assets. You have 2FA on your conventional bank websites too. Pretty much everywhere where it is critical.
This forum is falling into this category, there are large auctions going on, funding campains, many things for which trust and reputation are keys. What matters really is not the name of it, just a "forum" so you might think there's nothing critical, no what really matters is what is going on here. And this place remains a central one in the BTC world.

As for the money, I agree it's not free. There is as we speak more than 600BTC of donations made to the forum that are supposed to be used for improvements, but this amount is just standing useless at the moment. 1% of it would be enough for a 2FA. Money is not a problem.

6000BTC!  2FA could definitely be afforded by the forum.

[hennessyhemp]

Make no mistake, I don't blame the forum...clearly, my password was weak.  I blame the hacker, and myself for not securing my account better.  I'm just saying if two form authentication became available, I'd turn it on immediately.

Also I'm not ashamed that a hacker hacked my shit.  It was weak, and this site in particular is a hacker breeding ground, lesson learned.  I really didn't expect anyone to try to steal my account for any reason...but clearly I should always assume that.

[Ridicuss]

I don't blame the forum either. I was the idiot in a hurry and quickly logged back in on the phishing site. But because the dirtscience account had no reputation anyway it was really no big deal. Just could have caused me some trouble with a seller here. Again my fault.

[melon]

got this too but just ignored it-don't rember sender

[paveq]

Should we just delete or report unsolisticated and spammy private messages? Since I started posting to the forum a day ago, I've received two PM's from people I don't know advertising this btce-bot service.  I've never posted to a thread related to btce-bot.

[BadBear]

Report them, they're phishers.

[pedrog]

Should we just delete or report unsolisticated and spammy private messages? Since I started posting to the forum a day ago, I've received two PM's from people I don't know advertising this btce-bot service.  I've never posted to a thread related to btce-bot.

Got it too.

Report them, they're phishers.

Just did, never remember to do that, thanks.

[Swordsoffreedom]

I've adjusted the limits to make spamming more difficult.

Activity	Min. seconds between post actions	Max PM recipients	PMs per hour
0	360	3	5
16	74	5	30
30	60	5	60
60	30	5	60
100	12	10	120
200	10	15	120
300	8	20	120

Shouldn't this be its own post somewhere or did I miss it ?