Sent me a Suspicious Link

[shasan]

What happened:: Sent me a Suspicious Link

Scammers Profile Link: https://bitcointalk.org/index.php?action=profile;u=854267

PM/Chat Logs:
Additional Notes: This user has just sent me a message while mentioned

Hi shasan, please reply to my loan request:
https://www.bitcointalk. login-index.php-topic.574591.0.spinbot.org/index

It seems something which may take login credentials or something else. Note: the person has not posted any lending request. I have opened this link and changed my password instantly. And I opened the link on another browser then noticed it takes to a result which is not accurate.[/color][/b]

[dkbit98]

Just report message you received from him to moderators and they will ban him probably.

Few years ago I received similar message from other member scammer who tried to Hack my bitcointalk account, and I wrote how protect yourself from attacks like this:
https://bitcointalk.org/index.php?topic=5173531.0

[shasan]

Just report message you received from him to moderators and they will ban him probably.

Few years ago I received similar message from other member scammer who tried to Hack my bitcointalk account, and I wrote how protect yourself from attacks like this:
https://bitcointalk.org/index.php?topic=5173531.0

I have already reported and I have posted here to make aware others so that other forum members may stay away from this user as well as others who will send this type of link.
I think my password had been stored to the hacker but fortunately I have changed my password instantly. Now the link of the message is not working that means that person inactivated the link.

[dkbit98]

I think my password had been stored to the hacker but fortunately I have changed my password instantly. Now the link of the message is not working that means that person inactivated the link.

It's not a bad idea to change account password periodically and it's very important to use unique random password only one purpose, that is bitcointalk account in this case.
I also did a password reset and I am thinking of using new email address (with 2fa) dedicated only for bitcointalk forum.

Checking account pinoyiloco and I see that he was inactive and just woke up, and previously tagged for some ponzi scheme.
He is probably going to banned soon.

[examplens]

I am not sure why you open this link, there is obviously that is phishing link.
bitcointalk.login-index.php certainly not sounds like regular forum link or even any other website.
You remember me on my young days, when I am very curious and I like to test everything what I find.  it often did not end well.

[Obito]

You shouldn't made the link clickable especially if as you've said, it's a phishing link. You never know when someone accidentally clicks on it, it may be low but I wouldn't take chances. Good thing that you're the one that this person has targeted, we might not know what could've happened if it was a different person.

[shasan]

You shouldn't made the link clickable especially if as you've said, it's a phishing link. You never know when someone accidentally clicks on it, it may be low but I wouldn't take chances. Good thing that you're the one that this person has targeted, we might not know what could've happened if it was a different person.

The link is not working now, yet I am editing the link so that it cant work by a click. Thank you  for your suggestion. As the post created for make awareness of the community, we should avoid any reason which can harm the community.

Checking account pinoyiloco and I see that he was inactive and just woke up, and previously tagged for some ponzi scheme.
He is probably going to banned soon.

It is a great news that pinoyiloco has been auto-banned. So, pinoyiloco wont be able to post/send pmto anyone.

[khaled0111]

I believe the scammer behind this is preparing for a bigger and more sophisticated scam and is targeting mainly users who are active in the Collectibles board.

After visiting the phishing link at different times, here's what I noticed:
the first time it appeared as if am logged in as user hotdog7 (active in Colectibles)
now it shows am logged in as user Yabes (active in Colectibles) and it shows as if I have a new unread message.

here is a screenshot of the message:


My interpretation: the scammer is impersonating minerjones (a well known escrow) in order to scam Yabes (and most likely some other collectors)

Interesting part: when clicking on Yabes and hillman321' usernames I get redirected to these user's profiles: nasituygun and izumaki. I don't want to jump to conclusions, but it appears they (or at least one of them) are involved into this. Both just woke up after a long period of inactivity and nasituygun's been already tagged for sending phishing links.

[shasan]

mainly users who are active in the Collectibles board.

I am not agree with you, the scammer can target anyone who is reputed on the forum, provide escrow service, doing currency exchange, providing loan service, buy/see Collectibles or something like that.

when clicking on Yabes and hillman321' usernames I get redirected to these user's profiles: nasituygun and izumaki.

Link you have added on nasituygun is redirecting to a page which now is not working but I guess that was hacking link. I think you forgot to add the correct profile link.

[NeuroticFish]

I believe the scammer behind this is preparing for a bigger and more sophisticated scam

It may be. However, people should be aware and start blacklisting this kind of domains.
My hosts file already has 2 a new lines:

Code:

0.0.0.0	www.bitcointalk.login-index.php-topic.574591.0.spinbot.org
0.0.0.0	bitcointalk.login-index.php-topic.574591.0.spinbot.org

[dkbit98]

It is a great news that pinoyiloco has been auto-banned. So, pinoyiloco wont be able to post/send pmto anyone.

I also noticed this when I checked his profile few days ago, but I am sure he is not worried so much because this is not his only account in forum.

I believe the scammer behind this is preparing for a bigger and more sophisticated scam and is targeting mainly users who are active in the Collectibles board.

This phishing scams exist for years in forum, maybe they are using some farmed accounts and bots to send personal messages, but they can send them to anyone.
Collectibles board is just a small part of the forum and not everyone is active there, so best protection is not clicking on any link you receive from other members.
I did a little search for term spinbot and it's some kind of text rewriting, article spinning tool.

[Lucius]

At first glance it can be seen that something is wrong with the link, it is clear that it does not lead to a thread but that it tries to trick users to fall into the trap. A public warning is always welcome, but as soon as you receive such a message, use the report to admin option - such users should be removed from the forum as soon as possible without any mercy.

The only problem may be that some accounts used for such things are actually hacked, but this is the problem of the real owners - use unique and complicated passwords and keep them safe (not online or plain text file on your computer) and of course do not click on suspicious links.

[NotATether]

I believe the scammer behind this is preparing for a bigger and more sophisticated scam

It may be. However, people should be aware and start blacklisting this kind of domains.
My hosts file already has 2 a new lines:

Code:

0.0.0.0	www.bitcointalk.login-index.php-topic.574591.0.spinbot.org
0.0.0.0	bitcointalk.login-index.php-topic.574591.0.spinbot.org

Just add the entire spinbot.org domain to your hosts file so all future phishing attempts from this domain get black holed.

I believe entries apply for all subdomain IIRC.

[NeuroticFish]

Just add the entire spinbot.org domain to your hosts file so all future phishing attempts from this domain get black holed.

I believe entries apply for all subdomain IIRC.

I did add it (I've added all 3 entries), but I don't know how smart Windoze is, I know that at least wildcards are not accepted. Also spinbot is most probably a multi-purpose website and not all its users are malicious.
So, depending on each and everyone's interests, it may or may not be a good idea. So I preferred to not suggest that.

[khaled0111]

I did add it (I've added all 3 entries), but I don't know how smart Windoze is, I know that at least wildcards are not accepted.

The hosts file isn't smart, it just does what you tell it to do. And you are right, it doesn't accept wildcards. If you add a domain name to block it, it will block only the main domain. To block subdomains, you will have to add each one of them individually.
If you want a better way to block a domain with all its subdomain then better use a DNS service such as OpenDNS.

Also spinbot is most probably a multi-purpose website and not all its users are malicious.
So, depending on each and everyone's interests, it may or may not be a good idea. So I preferred to not suggest that.

The question here is how did the scammer manage to create a subdomain on spinbot.org and host the phishing page on it? Is the domain owner also involved into this or did the scammer exploit some kind of vulnerability because I don't think the website offers hosting services.