[BEWARE!] Bitcointalk Credential Phishing Attack -- Targeting Collectibles

[blucepheus]

Forum friends,

I want to make everyone aware of a new tactic that scammers are employing to phish Bitcointalk forum credentials from those who frequent the Collectibles section. These credentials can then be used to forcibly take over the account, and then use the account (and its implied trust) to facilitate scams.


Attack

Stage 1:

PM to the user with a link that appears to be a valid page on the forum (hint, it's not -- see stage 2)




Stage 2:

User is redirected to a malicious domain controlled by the threat actors; note the domain is actually raiciegodesign[.]com and the username is tracked in the URL

https://bitcointalk[.]org.topic-index.php-5329455.0.raiciegodesign[.]com/index.php?u=blucepheus&l=5338607.60




Upon entering credentials, the page will simply refresh, and guess what? Your credentials are now posted to the threat actors' server, and they can instantly take over your account (the first thing they'll do is change your password and email to lock you out). In addition, they now have access to your profile and will probably attempt to log in to your personal email account using your account password, as well as other services like Amazon, financial institutions, etc.

It appears the scammers have expanded past Telegram and are now using PMs as a medium to phish credentials, and likely use those stolen credentials to facilitate scams. For a long time, we have acted under the assumption that a PM from a trusted user on the forum is enough to validate. This proves it is not.

Protect Yourself:

• Inspect any URL before entering credentials
• Use a very unique, complex password on Bitcointalk to protect your other accounts; consider a password manager for generation, i.e. 1Password
• Do everything you can to verify that the person you're speaking to via PM is truly that individual. Consider the possibility that their account is being operated by a scammer.
• Use a trusted escrow for any high-value transactions.

Stay safe and remain vigilant.

-bc

[1715382834]

1715382834

[minerjones]

Thank you for making this thread/post.

Don't trust... verify

[electronicash]

very pushy actor that he really did the lengthy job of creating a subdomain that includes the bitcointalk's parameter to lure his victim. although it can't fool a savvy user nowadays, it still could make it if the user drank too much beer.

shouldn't that user priestos get a red trust?  but lets verify first from the mod. i suppose OP had reported it already.

[lovesmayfamilis]

May I clarify a little? If a link comes, we click on it, then we see that we are required to enter our password from the forum again, isn't this a signal for attention? When you click on the links of the forum, this does not happen, but where they require you to enter a password, it already screams that something is wrong.
Am I getting it right?

If I'm not mistaken, this is a common practice on all phishing sites.
Correct me.

[Pmalek]

shouldn't that user priestos get a red trust?

priestos has been banned > https://bpip.org/Profile?id=2635234.

May I clarify a little? If a link comes, we click on it, then we see that we are required to enter our password from the forum again, isn't this a signal for attention?

That's exactly what it is. If you are reading your PMs, that means you are already logged in to your account. If you are logged in, you don't need to log in again just to view another page of the forum unless you didn't tick the stay logged in forever box and you got logged out account automatically after 60 mins or whatever count you entered in that field.

Also, if you were to hover over that link in PM with your mouse, the color of it should be blue since it is redirecting to an off-forum site. Forum posts are highlighted in green.  

[NotATether]

The red flag of that login page is that there is no recaptcha shown anywhere, while the real site forces you to solve a recaptcha to log in.

[Lafu]

Nice found on the phishing site and link !
Glad you checked the link and all behind the other page there.
This should be for sure again a warning for all and newbies to check the Links you click first.
Safes some trouble and time .
Thanks for the warning about the page and the pms from Users with that link .

[Pmalek]

The sentence "Your session has expired. Please log in again." might let user guard down, especially if they didn't tick or don't remember whether they tick "stay logged in forever".

True, but in that case the user should still never log back in via a link he got from someone else. He should instead do it from his bookmarks or whatever method he uses. I have opened my profile thousands of times, so I usually start typing Pmal... in the address bar which takes me to bitcointalk and I am logged in after a few clicks.

NotATether makes a good point as well. There is no recaptcha in the picture from the fake site.   

[acroman08]

nice catch! and what you did should be done by anyone who is in doubt of a website or any website they have been redirected or recommended with.

This reminds me of a similar case where a member posted a warning against a fake bitcointalk.org thread that is trying to scam unsuspecting buyers. I remember one member with a good reputation was used as bait by the creator of that fake bitcointalk thread.

edit:
here's the warning thread that I was talking about Fake bitcointalk site (bitminers.asia)

[sheenshane]

Thank you for the heads up OP, it seems those who didn't know if this phishing link will fall as their next victim.  That's why I didn't log out of my account on PC, that's totally a red flag when you open a link and ask to re-login your account while on the other tab your account was already logged in.

edit:
here's the warning thread that I was talking about Fake bitcointalk site (bitminers.asia)

Not only by that but there's also a locked topic of List of scam / fake bitcointalk sites that need to update and it seems OP was inactive for a long time.

A good thread to remember upon the step of checking the potential phishing links here in the forum.

[Peanutswar]

Good catch op the attacker use a link to re-direct into another domain and this domain is suspicious by this if the victim is not aware of the link it's going to be a disaster for the account victim. I think phishing will just trigger if the user clicks the login button but not just visiting the link it's self. Just a thought bothering me does the Attacker create the same website as the bitcoin talk?

[blucepheus]

Good catch op the attacker use a link to re-direct into another domain and this domain is suspicious by this if the victim is not aware of the link it's going to be a disaster for the account victim. I think phishing will just trigger if the user clicks the login button but not just visiting the link it's self. Just a thought bothering me does the Attacker create the same website as the bitcoin talk?

Yes. It’s as simple as viewing the page source HTML of a legitimate login page on Bitcointalk, pasting it into a new file on their server, and making a modification to post the username and password to a location on the attacker’s server. If they’re lazy, they will just store the plaintext credentials to a text file that they’re actively monitoring.

As soon as someone hits ‘Login,’ boom — the attackers have the credentials and it’s game over for the user. This is where multi-factor authentication normally saves you; even if they have your password, they would need the second-factor token. I’d absolutely enable 2FA if it was offered here.

[Stalker22]

Despite some of their disadvantages, password managers help prevent phishing attacks that trick you into entering your passwords on fraudulent websites since they offer your login credentials only when you are on the correct website (domain). There are many free password managers available, but if you want something reliable and secure, you can consider a password manager service.

Since I started using a password manager, I have never been the victim of phishing sites, and I do not get concerned with data breaches because I use different credentials for every service I use.

[The Cryptovator]

Thanks for sharing with the community, it's quite an important topic. Although this isn't a new scam method, it's pretty easy to mislead users here. Sometimes mind does not work instantly for all users. Especially those who aren't familiar with that kind of story would fall into this hack attempt easily. The hacker design hacking process cleverly, on the other end should be clever to save themselves from that hacking attempt. If just anyone thinks why I logged out once click that link even the link was a forum link then most likely they could realize what is going on. So, we have to use our brain always to prevent that kind of scam/hack. There is no alternative at all.

[libert19]

The only thing I would miss is url, I use mobile mostly and the browser cuts up the part of url, so I would never know the part of url that screams phishing attack.

[UserU]

OP, you might want to add this too.

"Don't assume all phishing links are of http (insecure protocol). Now they can even bear the https (secure protocol) to be even more convincing.

When I used to work with phishing links, I've seen loads of these.

[dkbit98]

This is not anything new and I know this because I was the target few years ago like I explained in this topic How Scammer tried to Hack my Bitcointalk and how to Protect yourself?.
I see that the same pattern was used and only thing that was changed is the link they are using to trick forum members, so best thing would be not to click any links you receive in your inbox and always double check address bar.

PS
Does anyone knows what the heck is going on with images from my post showing Data Migration in Process?

[rhomelmabini]

Just reported a thread from this board awhile ago and I think it's still here since this post of mine was made but just want to disseminate this as well especially to newbies that you shouldn't click or open links frequently better if you hold it first when in mobile or copy and verify.

I did an archive of that Brand New account's thread in case it will be deleted and for awareness too. I'll just put it in a code format.

Code:

https://archive.is/odrck

[Pmalek]

PS
Does anyone knows what the heck is going on with images from my post showing Data Migration in Process?

hostingkartinok.com seems to be migrating to a new hosting provider, that's why your images aren't being displayed on the forum. According to what they explained on their homepage, all images that don't violate their terms and conditions will soon become available again.

It's an off-topic question, but why aren't you using Imgur for example? I don't remember that I ever had issues with my images from Imgur becoming unavailable as long as they are https.     

[LoyceV]

If I PM this (to my Mobile):

Code:

Test fake URL:
[url=thisurldoesntexistttt.com]https://bitcoin talk.org/index.php?topic=5339312[/url]

I receive this:

Test fake URL:
http://thisurldoesntexistttt.com

Theymos prevents fake Bitcointalk link descriptions.

PM to the user with a link that appears to be a valid page on the forum (hint, it's not -- see stage 2)

Can you forward me the PM? I'm curious why theymos' fix didn't work here. Was there a non-ascii character in the it?
If that's the case, maybe theymos can fix that too:

Done. I only did the ones that look really similar to Latin characters, and it only applies to English sections. It's done at display time, so it's retroactive.

Although it probably won't work for PMs that aren't in English.