[BEWARE!] Bitcointalk Credential Phishing Attack -- Targeting Collectibles

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Quote from: blucepheus on May 26, 2021, 11:43:44 PM

Just forwarded to you. Thanks for investigating!

This is what the URL looks like in your PM: https://bitcointalk.oгg/index.php?topic=5338607.60. ~~But if I post it, theymos converts it into normal characters again so you don't see anything special.~~^** Click loyce.club/other/non-ascii.txt to see what it looks like after saving in a text file.
The word "bitcointalk" is normal, the "org" has a non-ascii character.

In Google's search field it looks almost normal:
__________________________________________________
Image loading...

In DuckDuckGo's search field the different "r" is easier to notice:
___________________________________________________________________
Image loading...

If you search the fake "oгg" on Google, you'll notice the difference.
It's a smart trick, and I don't think it can be prevented without making PMs in certain languages impossible.

^** I was wrong, this character doesn't get replaced!

blucepheus

copper member

Activity: 531

Merit: 212

Quote from: LoyceV on May 26, 2021, 06:00:35 AM

If I PM this (to my Mobile):

Code:

Test fake URL:
[url=thisurldoesntexistttt.com]https://bitcoin talk.org/index.php?topic=5339312[/url]

I receive this:

Quote from: blucepheus on May 22, 2021, 03:53:14 PM

PM to the user with a link that appears to be a valid page on the forum (hint, it's not -- see stage 2)

Can you forward me the PM? I'm curious why theymos' fix didn't work here. Was there a non-ascii character in the it?
If that's the case, maybe theymos can fix that too:

Quote from: theymos on August 28, 2018, 09:30:03 PM

Done. I only did the ones that look really similar to Latin characters, and it only applies to English sections. It's done at display time, so it's retroactive.

Although it probably won't work for PMs that aren't in English.

Just forwarded to you. Thanks for investigating!

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

If I PM this (to my Mobile):

Code:

Test fake URL:
[url=thisurldoesntexistttt.com]https://bitcoin talk.org/index.php?topic=5339312[/url]

I receive this:

Quote from: blucepheus on May 22, 2021, 03:53:14 PM

PM to the user with a link that appears to be a valid page on the forum (hint, it's not -- see stage 2)

Can you forward me the PM? I'm curious why theymos' fix didn't work here. Was there a non-ascii character in the it?
If that's the case, maybe theymos can fix that too:

Quote from: theymos on August 28, 2018, 09:30:03 PM

Done. I only did the ones that look really similar to Latin characters, and it only applies to English sections. It's done at display time, so it's retroactive.

Although it probably won't work for PMs that aren't in English.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: dkbit98 on May 25, 2021, 07:11:28 AM

PS
Does anyone knows what the heck is going on with images from my post showing Data Migration in Process?

hostingkartinok.com seems to be migrating to a new hosting provider, that's why your images aren't being displayed on the forum. According to what they explained on their homepage, all images that don't violate their terms and conditions will soon become available again.

It's an off-topic question, but why aren't you using Imgur for example? I don't remember that I ever had issues with my images from Imgur becoming unavailable as long as they are https.

rhomelmabini

hero member

Activity: 2002

Merit: 578

Just reported a thread from this board awhile ago and I think it's still here since this post of mine was made but just want to disseminate this as well especially to newbies that you shouldn't click or open links frequently better if you hold it first when in mobile or copy and verify.

I did an archive of that Brand New account's thread in case it will be deleted and for awareness too. I'll just put it in a code format.

Code:

https://archive.is/odrck

dkbit98

legendary

Activity: 2212

Merit: 7064

Cashback 15%

This is not anything new and I know this because I was the target few years ago like I explained in this topic How Scammer tried to Hack my Bitcointalk and how to Protect yourself?.
I see that the same pattern was used and only thing that was changed is the link they are using to trick forum members, so best thing would be not to click any links you receive in your inbox and always double check address bar.

PS
Does anyone knows what the heck is going on with images from my post showing Data Migration in Process?

UserU

hero member

Activity: 2016

Merit: 531

FREE passive income eBook @ tinyurl.com/PIA10

OP, you might want to add this too.

"Don't assume all phishing links are of http (insecure protocol). Now they can even bear the https (secure protocol) to be even more convincing.

When I used to work with phishing links, I've seen loads of these.

libert19

hero member

Activity: 2464

Merit: 934

The only thing I would miss is url, I use mobile mostly and the browser cuts up the part of url, so I would never know the part of url that screams phishing attack.

The Cryptovator

legendary

Activity: 2226

Merit: 2169

Need PR/CMC & CG? TG @The_Cryptovator

Thanks for sharing with the community, it's quite an important topic. Although this isn't a new scam method, it's pretty easy to mislead users here. Sometimes mind does not work instantly for all users. Especially those who aren't familiar with that kind of story would fall into this hack attempt easily. The hacker design hacking process cleverly, on the other end should be clever to save themselves from that hacking attempt. If just anyone thinks why I logged out once click that link even the link was a forum link then most likely they could realize what is going on. So, we have to use our brain always to prevent that kind of scam/hack. There is no alternative at all.

Stalker22

legendary

Activity: 1484

Merit: 1355

Despite some of their disadvantages, password managers help prevent phishing attacks that trick you into entering your passwords on fraudulent websites since they offer your login credentials only when you are on the correct website (domain). There are many free password managers available, but if you want something reliable and secure, you can consider a password manager service.

Since I started using a password manager, I have never been the victim of phishing sites, and I do not get concerned with data breaches because I use different credentials for every service I use.

blucepheus

copper member

Activity: 531

Merit: 212

Quote from: Peanutswar on May 23, 2021, 11:02:58 AM

Good catch op the attacker use a link to re-direct into another domain and this domain is suspicious by this if the victim is not aware of the link it's going to be a disaster for the account victim. I think phishing will just trigger if the user clicks the login button but not just visiting the link it's self. Just a thought bothering me does the Attacker create the same website as the bitcoin talk?

Yes. It’s as simple as viewing the page source HTML of a legitimate login page on Bitcointalk, pasting it into a new file on their server, and making a modification to post the username and password to a location on the attacker’s server. If they’re lazy, they will just store the plaintext credentials to a text file that they’re actively monitoring.

As soon as someone hits ‘Login,’ boom — the attackers have the credentials and it’s game over for the user. This is where multi-factor authentication normally saves you; even if they have your password, they would need the second-factor token. I’d absolutely enable 2FA if it was offered here.

Peanutswar

hero member

Activity: 1498

Merit: 974

Bitcoin Casino Est. 2013

Good catch op the attacker use a link to re-direct into another domain and this domain is suspicious by this if the victim is not aware of the link it's going to be a disaster for the account victim. I think phishing will just trigger if the user clicks the login button but not just visiting the link it's self. Just a thought bothering me does the Attacker create the same website as the bitcoin talk?

sheenshane

legendary

Activity: 2366

Merit: 1206

Thank you for the heads up OP, it seems those who didn't know if this phishing link will fall as their next victim. That's why I didn't log out of my account on PC, that's totally a red flag when you open a link and ask to re-login your account while on the other tab your account was already logged in.

Quote from: acroman08 on May 23, 2021, 09:10:05 AM

edit:
here's the warning thread that I was talking about Fake bitcointalk site (bitminers.asia)

Not only by that but there's also a locked topic of List of scam / fake bitcointalk sites that need to update and it seems OP was inactive for a long time.

A good thread to remember upon the step of checking the potential phishing links here in the forum.

acroman08

legendary

Activity: 2310

Merit: 1075

nice catch! and what you did should be done by anyone who is in doubt of a website or any website they have been redirected or recommended with.

This reminds me of a similar case where a member posted a warning against a fake bitcointalk.org thread that is trying to scam unsuspecting buyers. I remember one member with a good reputation was used as bait by the creator of that fake bitcointalk thread.

edit:
here's the warning thread that I was talking about Fake bitcointalk site (bitminers.asia)

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: ?? on ??

The sentence "Your session has expired. Please log in again." might let user guard down, especially if they didn't tick or don't remember whether they tick "stay logged in forever".

True, but in that case the user should still never log back in via a link he got from someone else. He should instead do it from his bookmarks or whatever method he uses. I have opened my profile thousands of times, so I usually start typing Pmal... in the address bar which takes me to bitcointalk and I am logged in after a few clicks.

NotATether makes a good point as well. There is no recaptcha in the picture from the fake site.

Lafu

legendary

Activity: 2940

Merit: 3030

Nice found on the phishing site and link !
Glad you checked the link and all behind the other page there.
This should be for sure again a warning for all and newbies to check the Links you click first.
Safes some trouble and time .
Thanks for the warning about the page and the pms from Users with that link .

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

The red flag of that login page is that there is no recaptcha shown anywhere, while the real site forces you to solve a recaptcha to log in.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: electronicash on May 22, 2021, 10:05:51 PM

shouldn't that user priestos get a red trust?

priestos has been banned > https://bpip.org/Profile?id=2635234.

Quote from: lovesmayfamilis on May 23, 2021, 01:31:07 AM

May I clarify a little? If a link comes, we click on it, then we see that we are required to enter our password from the forum again, isn't this a signal for attention?

That's exactly what it is. If you are reading your PMs, that means you are already logged in to your account. If you are logged in, you don't need to log in again just to view another page of the forum unless you didn't tick the stay logged in forever box and you got logged out account automatically after 60 mins or whatever count you entered in that field.

Also, if you were to hover over that link in PM with your mouse, the color of it should be blue since it is redirecting to an off-forum site. Forum posts are highlighted in green.

lovesmayfamilis

legendary

Activity: 2072

Merit: 4265

✿♥‿♥✿

May I clarify a little? If a link comes, we click on it, then we see that we are required to enter our password from the forum again, isn't this a signal for attention? When you click on the links of the forum, this does not happen, but where they require you to enter a password, it already screams that something is wrong.
Am I getting it right?

If I'm not mistaken, this is a common practice on all phishing sites.
Correct me.

electronicash

legendary

Activity: 3066

Merit: 1049

Eloncoin.org - Mars, here we come!

very pushy actor that he really did the lengthy job of creating a subdomain that includes the bitcointalk's parameter to lure his victim. although it can't fool a savvy user nowadays, it still could make it if the user drank too much beer.

shouldn't that user priestos get a red trust? but lets verify first from the mod. i suppose OP had reported it already.

Topic: [BEWARE!] Bitcointalk Credential Phishing Attack -- Targeting Collectibles (Read 452 times)