Topic: TradeHill - False emails claiming to be from us or Mt Gox

Jered Kenna (TradeHill) (OP)
September 07, 2011, 05:57:07 PM  #1
Blog post here: http://wp.me/p1H2Vt-3b


We have been receiving reports of emails claiming to be TradeHill.  These emails contain a link to a site which also claims to be TradeHill and will steal your login. Security is paramount at TradeHill and we take this very seriously.

It appears that these emails are being sent to users who had an email address stored at Mt Gox when they were hacked.

We encourage you to use a completely different login at every site. We also provide 2 factor authentication to help protect against this type of attack. You can read about our 2 factor authentication here http://wp.me/p1H2Vt-d.

You should never follow a link claiming to be from TradeHill or any other Bitcoin service unless you are absolutely sure of the origin. TradeHill rarely sends emails and will not send unsolicited emails requiring you to follow a link.

Below is an example of the type of emails being sent out. Do not follow or respond to these emails.

------------------------------------------------------------------------------------------------------------------------

Dear TradeHill user,

Your account will be blocked for violating the rules of exchange.
Details: https://www.tradehill.com/User/Blocked<http://www.tradehill.tk/User/Blocked>

Thanks,
The TradeHill team

------------------------------------------------------------------------------------------------------------------------


Once again, please do not click on these emails; they are not from TradeHill.

Jered



moneyandtech.com
@moneyandtech @jeredkenna
the founder
September 07, 2011, 06:03:22 PM  #2
Honestly I think you guys and Mt.Gox should follow flexcoin on this policy: no links in e-mails.

It will help stop crap like this happening to our clients.


Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
nmat
September 07, 2011, 06:06:02 PM  #3
Quote from: the founder
Honestly I think you guys and Mt.Gox should follow flexcoin on this policy: no links in e-mails.

It will help stop crap like this happening to our clients.

It would help, but most people tend to forget that. Just saying that there won't be any emails with links is not a bulletproof technique.
Jered Kenna (TradeHill) (OP)
September 07, 2011, 06:09:13 PM  #4
Quote from: the founder
Honestly I think you guys and Mt.Gox should follow flexcoin on this policy: no links in e-mails.

It will help stop crap like this happening to our clients.

We've only sent one mass email (I don't believe it had a link in it), and I like your policy; we may do the same.

The problem is if the user isn't well aware of this policy and can't tell the difference between phishing and real emails it doesn't help as much. For example AOL would put "never give out your login info over IM" on every IM window and people were handing them over right and left.

Thanks for the good feedback.

Jered

moneyandtech.com
@moneyandtech @jeredkenna
the founder
September 07, 2011, 06:19:39 PM  #5
It works. The vast majority of flexcoin clients know the policy. You know, perhaps we should formalize some sort of standard for bitcoin companies that accept that policy (you, mtgox, campbx, flexcoin): literally a jointly owned site that has some basic security initiatives that apply directly to our clients. Just basic things that individuals can do to ensure they are not getting phished, for example:

1. Such as no links in e-mails.
2. If you see an e-mail that has a link or is suspicious, please report it to security@xxx.xxx
3. Do not enter your credentials on a site that looks suspicious.
4. If you come to the website and it's missing HTTPS (secure), then do not provide any information and report it to security@xxx.xxx
5. XXXX company does not provide login forms on any site other than XXXX proper.

If the site is signed by all companies involved, it would at least give a comfort level for both us and our clients, knowing that individuals have a clearly labeled security policy to protect themselves.

Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
the founder
September 07, 2011, 06:21:33 PM  #6
Quote from: nmat
Quote from: the founder
Honestly I think you guys and Mt.Gox should follow flexcoin on this policy: no links in e-mails.

It will help stop crap like this happening to our clients.

It would help, but most people tend to forget that. Just saying that there won't be any emails with links is not a bulletproof technique.

Nothing is ever really bulletproof, but at least it's another roadblock. The idea is just to try to protect the end users.


Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
Jered Kenna (TradeHill) (OP)
September 07, 2011, 06:29:56 PM  #7
Quote from: the founder
It works. The vast majority of flexcoin clients know the policy. You know, perhaps we should formalize some sort of standard for bitcoin companies that accept that policy (you, mtgox, campbx, flexcoin): literally a jointly owned site that has some basic security initiatives that apply directly to our clients. Just basic things that individuals can do to ensure they are not getting phished, for example:

1. Such as no links in e-mails.
2. If you see an e-mail that has a link or is suspicious, please report it to security@xxx.xxx
3. Do not enter your credentials on a site that looks suspicious.
4. If you come to the website and it's missing HTTPS (secure), then do not provide any information and report it to security@xxx.xxx
5. XXXX company does not provide login forms on any site other than XXXX proper.

If the site is signed by all companies involved, it would at least give a comfort level for both us and our clients, knowing that individuals have a clearly labeled security policy to protect themselves.

I like the idea and was going that direction. Shoot me an email to my personal address and if you don't have it PM me yours and we can talk. We all worked together really well and recently there has been more movement apart. This community is what brought us to where we are today and we need to stick together.

Jered

P.S. Agreed, nothing is bulletproof, but everything that can help without being too much of a pain to the user is welcome.

moneyandtech.com
@moneyandtech @jeredkenna
ErgoOne
September 07, 2011, 11:01:04 PM  #8
Quote from: the founder
1. Such as no links in e-mails.
2. If you see an e-mail that has a link or is suspicious, please report it to security@xxx.xxx
3. Do not enter your credentials on a site that looks suspicious.
4. If you come to the website and it's missing HTTPS (secure), then do not provide any information and report it to security@xxx.xxx
5. XXXX company does not provide login forms on any site other than XXXX proper.

For what it's worth, this is a good idea and these are good points.  I'd sort them out as follows:

FOR BANKS/EXCHANGES:

1) Send no email that contains URLs in the message body.
2) Use SSL for all Web pages that contain web forms or solicit input from users.
3) Provide no logins or access from any site other than the specified site.

FOR USERS:

1) Assume that emails that contain links or ask for information are scams and report them to security@xxx.xxx, which forwards them to the proper location.
2) Report web URLs that begin with anything other than "https" to security@xxx.com.
3) Do NOT EVER click a link in an email, or hit reply, and provide any private information to what you think is a request from your bank or financial institution.  It isn't.  It's a scam.

I also recommend that Mt. Gox, Tradehill, CampBX, Flexcoin, and any other Bitcoin bank or exchange designate a specific person responsible for security in their system, and that this person keep on top of security issues.  For example, I would hope that the people responsible for these sites are aware of a major hack/compromise in the SSL security system that was reported a couple of weeks ago -- the DigiNotar hack.  To summarize, one of the links in the security chain that ensures SSL connections are secure was hacked and extremely good forged certificates were issued for several heavily used web sites, such as Google, Yahoo, the Tor Project, and others. That allowed the hackers to intercept secure SSL communications between these sites and users. It appears that the Iranian government, not cyberthieves, was responsible -- THIS time.  But a group of cyberthieves could just as easily have issued certificates for Bank of America, CitiBank, Wells Fargo, or somewhere else where people keep money, snooped THOSE communications, and... You get the idea.

If you want the details on this hack, PM me or email me and I'll fill you in.  (It's highly technical and off-topic here.)  But Bitcoin isn't immune from this sort of thing.  Somebody at each Bitcoin bank and financial site needs to keep on top of this and be responsible for taking active security measures to fend off the bad guys.
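The phish in the original post works by showing a tradehill.com URL as the link text while the real target is tradehill.tk over plain http; ErgoOne's bank-side rules above (no URLs in mail bodies, HTTPS only, logins only on the one real site) are checks on the same properties. The following is an added example, not code from TradeHill, flexcoin or any poster: an inbound/outbound mail-body check that parses the anchors of an HTML message and flags each of those signals. The LEGIT_HOSTS set and the HTML rendering of the sample email are assumptions constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the real service uses; an assumption for this example, not an official list.
LEGIT_HOSTS = {"tradehill.com", "www.tradehill.com"}
URLISH = re.compile(r"^(https?://|www\.)", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze_email(html_body, no_links_policy=False):
    """Return (reason, href) findings; an empty list means no link-based phishing signal.
    With no_links_policy=True every link is a finding (the bank-side rule from the thread)."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if no_links_policy:
            findings.append(("message body contains a link", href))
        if target.scheme.lower() != "https":
            findings.append(("link is not https", href))
        if target.hostname not in LEGIT_HOSTS:
            findings.append(("link host is not a known service host", href))
        if URLISH.match(text):  # visible text is itself a URL: compare it with the real target
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown != target.hostname:
                findings.append(("visible URL differs from real target", href))
    return findings

# Constructed HTML rendering of the sample email quoted in the original post.
SAMPLE_PHISH = (
    "<p>Dear TradeHill user,</p><p>Your account will be blocked for violating the rules "
    'of exchange.<br>Details: <a href="http://www.tradehill.tk/User/Blocked">'
    "https://www.tradehill.com/User/Blocked</a></p><p>Thanks,<br>The TradeHill team</p>"
)
```

Run against SAMPLE_PHISH the checker reports all three signals (plain http, unknown host, visible URL not matching the real target); a legitimate `https://www.tradehill.com/...` link with ordinary link text produces none unless no_links_policy is set.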
Wombat
September 08, 2011, 02:33:09 AM  #9
Quote from: Jered Kenna (TradeHill)
We've only sent one mass email (I don't believe it had a link in it)

Quote from: ErgoOne
3) Do NOT EVER click a link in an email, or hit reply, and provide any private information to what you think is a request from your bank or financial institution.  It isn't.  It's a scam.

Ahem. OK, you didn't give a login link, just a URL to a blog (which I still had trouble believing was actually associated with Tradehill, because I'd never seen it before). However, as pointed out, training customers to click on URLs in emails sent by a financial institution is irresponsible.

Much better would be to show me that message after I logged into the site.