Topic: [BEWARE!] Bitcointalk Credential Phishing Attack -- Targeting Collectibles (Read 479 times)

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Just forwarded to you. Thanks for investigating!
This is what the URL looks like in your PM: https://bitcointalk.oгg/index.php?topic=5338607.60. But if I post it, theymos converts it into normal characters again so you don't see anything special.** Click loyce.club/other/non-ascii.txt to see what it looks like after saving in a text file.
The word "bitcointalk" is normal, the "org" has a non-ascii character.

In Google's search field it looks almost normal:
In DuckDuckGo's search field the different "r" is easier to notice:
If you search the fake "oгg" on Google, you'll notice the difference.
It's a smart trick, and I don't think it can be prevented without making PMs in certain languages impossible.

** I was wrong, this character doesn't get replaced!
copper member
Activity: 544
Merit: 215
Just forwarded to you. Thanks for investigating!
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
If I PM this (to my Mobile):
Code:
Test fake URL:
[url=thisurldoesntexistttt.com]https://bitcoin talk.org/index.php?topic=5339312[/url]
I receive this:
PM to the user with a link that appears to be a valid page on the forum (hint, it's not -- see stage 2)
Can you forward me the PM? I'm curious why theymos' fix didn't work here. Was there a non-ascii character in it?
If that's the case, maybe theymos can fix that too:
Done. I only did the ones that look really similar to Latin characters, and it only applies to English sections. It's done at display time, so it's retroactive.
Although it probably won't work for PMs that aren't in English.
legendary
Activity: 2730
Merit: 7065
PS
Does anyone know what the heck is going on with images from my post showing Data Migration in Process?
hostingkartinok.com seems to be migrating to a new hosting provider, that's why your images aren't being displayed on the forum. According to what they explained on their homepage, all images that don't violate their terms and conditions will soon become available again.

It's an off-topic question, but why aren't you using Imgur, for example? I don't remember ever having issues with my images from Imgur becoming unavailable as long as they are https.
hero member
Activity: 2030
Merit: 578
No God or Kings, only BITCOIN.
Just reported a thread from this board a while ago, and I think it's still here since this post of mine was made, but I just want to disseminate this as well, especially to newbies: you shouldn't click or open links frequently; better if you hold it first when on mobile, or copy and verify.

I did an archive of that Brand New account's thread in case it will be deleted and for awareness too. I'll just put it in a code format.

Code:
https://archive.is/odrck
legendary
Activity: 2212
Merit: 7064
This is not anything new, and I know this because I was the target a few years ago, as I explained in this topic: How Scammer tried to Hack my Bitcointalk and how to Protect yourself?.
I see that the same pattern was used and the only thing that was changed is the link they are using to trick forum members, so the best thing would be not to click any links you receive in your inbox and always double check the address bar.

PS
Does anyone know what the heck is going on with images from my post showing Data Migration in Process?

hero member
Activity: 2128
Merit: 532
FREE passive income eBook @ tinyurl.com/PIA10
OP, you might want to add this too.

"Don't assume all phishing links are of http (insecure protocol). Now they can even bear the https (secure protocol) to be even more convincing."

When I used to work with phishing links, I've seen loads of these.
hero member
Activity: 2520
Merit: 952
The only thing I would miss is the URL. I use mobile mostly and the browser cuts off part of the URL, so I would never know the part of the URL that screams phishing attack.
legendary
Activity: 2394
Merit: 2223
Signature space for rent
Thanks for sharing with the community, it's quite an important topic. Although this isn't a new scam method, it's pretty easy to mislead users here. Sometimes the mind does not work instantly for all users. Especially those who aren't familiar with that kind of story would fall into this hack attempt easily. The hacker designs the hacking process cleverly; on the other end, one should be clever to save themselves from that hacking attempt. If anyone just thinks about why they got logged out once they clicked that link, even though the link was a forum link, then most likely they could realize what is going on. So, we have to use our brain always to prevent that kind of scam/hack. There is no alternative at all.
legendary
Activity: 1526
Merit: 1359
Despite some of their disadvantages, password managers help prevent phishing attacks that trick you into entering your passwords on fraudulent websites since they offer your login credentials only when you are on the correct website (domain). There are many free password managers available, but if you want something reliable and secure, you can consider a password manager service.

Since I started using a password manager, I have never been the victim of phishing sites, and I do not get concerned with data breaches because I use different credentials for every service I use.
copper member
Activity: 544
Merit: 215
Good catch, OP. The attacker uses a link to redirect to another domain, and this domain is suspicious; because of this, if the victim is not aware of the link, it's going to be a disaster for the victim's account. I think phishing will only trigger if the user clicks the login button, not just by visiting the link itself. Just a thought bothering me: does the attacker create the same website as Bitcointalk?

Yes. It’s as simple as viewing the page source HTML of a legitimate login page on Bitcointalk, pasting it into a new file on their server, and making a modification to post the username and password to a location on the attacker’s server. If they’re lazy, they will just store the plaintext credentials to a text file that they’re actively monitoring.

As soon as someone hits ‘Login,’ boom — the attackers have the credentials and it’s game over for the user. This is where multi-factor authentication normally saves you; even if they have your password, they would need the second-factor token. I’d absolutely enable 2FA if it was offered here.
legendary
Activity: 1708
Merit: 1280
Top Crypto Casino
Good catch, OP. The attacker uses a link to redirect to another domain, and this domain is suspicious; because of this, if the victim is not aware of the link, it's going to be a disaster for the victim's account. I think phishing will only trigger if the user clicks the login button, not just by visiting the link itself. Just a thought bothering me: does the attacker create the same website as Bitcointalk?
legendary
Activity: 2492
Merit: 1232
Thank you for the heads up, OP. It seems those who don't know about this phishing link will fall as its next victims. That's why I didn't log out of my account on PC; that's totally a red flag when you open a link and it asks you to re-login to your account while in the other tab your account is already logged in.

edit:
here's the warning thread that I was talking about: Fake bitcointalk site (bitminers.asia)
Not only that, but there's also a locked topic, List of scam / fake bitcointalk sites, that needs updating, and it seems its OP has been inactive for a long time.

A good thread to remember upon the step of checking the potential phishing links here in the forum.
legendary
Activity: 2436
Merit: 1104
Nice catch! And what you did should be done by anyone who is in doubt about a website, or any website they have been redirected to or had recommended to them.

This reminds me of a similar case where a member posted a warning against a fake bitcointalk.org thread that is trying to scam unsuspecting buyers. I remember one member with a good reputation was used as bait by the creator of that fake bitcointalk thread.

edit:
here's the warning thread that I was talking about: Fake bitcointalk site (bitminers.asia)
legendary
Activity: 2730
Merit: 7065
The sentence "Your session has expired. Please log in again." might let the user's guard down, especially if they didn't tick or don't remember whether they ticked "stay logged in forever".
True, but in that case the user should still never log back in via a link he got from someone else. He should instead do it from his bookmarks or whatever method he uses. I have opened my profile thousands of times, so I usually start typing Pmal... in the address bar which takes me to bitcointalk and I am logged in after a few clicks.

NotATether makes a good point as well. There is no recaptcha in the picture from the fake site.   
legendary
Activity: 3136
Merit: 3213
Nice find on the phishing site and link!
Glad you checked the link and all behind the other page there.
This should for sure be another warning for all, and newbies, to check the links you click first.
Saves some trouble and time.
Thanks for the warning about the page and the PMs from users with that link.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
The red flag of that login page is that there is no recaptcha shown anywhere, while the real site forces you to solve a recaptcha to log in.
legendary
Activity: 2730
Merit: 7065
Shouldn't that user priestos get a red trust?
priestos has been banned > https://bpip.org/Profile?id=2635234.

May I clarify a little? If a link comes, we click on it, then we see that we are required to enter our password from the forum again, isn't this a signal for attention?
That's exactly what it is. If you are reading your PMs, that means you are already logged in to your account. If you are logged in, you don't need to log in again just to view another page of the forum, unless you didn't tick the stay logged in forever box and your account got logged out automatically after 60 mins or whatever count you entered in that field.

Also, if you were to hover over that link in PM with your mouse, the color of it should be blue since it is redirecting to an off-forum site. Forum posts are highlighted in green.  
legendary
Activity: 2072
Merit: 4265
✿♥‿♥✿
May I clarify a little? If a link comes, we click on it, then we see that we are required to enter our password from the forum again, isn't this a signal for attention? When you click on the links of the forum, this does not happen, but where they require you to enter a password, it already screams that something is wrong.
Am I getting it right?

If I'm not mistaken, this is a common practice on all phishing sites.
Correct me.
legendary
Activity: 3178
Merit: 1054

Very pushy actor; he really did the lengthy job of creating a subdomain that includes Bitcointalk's parameters to lure his victim. Although it can't fool a savvy user nowadays, it still could work if the user drank too much beer.

Shouldn't that user priestos get a red trust? But let's verify first with the mod. I suppose OP has reported it already.
legendary
Activity: 3206
Merit: 3596
Thank you for making this thread/post.

Don't trust... verify.
copper member
Activity: 544
Merit: 215
Forum friends,

I want to make everyone aware of a new tactic that scammers are employing to phish Bitcointalk forum credentials from those who frequent the Collectibles section. These credentials can then be used to forcibly take over the account, and then use the account (and its implied trust) to facilitate scams.

Attack

Stage 1:

PM to the user with a link that appears to be a valid page on the forum (hint, it's not -- see stage 2)

Stage 2:

User is redirected to a malicious domain controlled by the threat actors; note the domain is actually raiciegodesign[.]com and the username is tracked in the URL

https://bitcointalk[.]org.topic-index.php-5329455.0.raiciegodesign[.]com/index.php?u=blucepheus&l=5338607.60

Upon entering credentials, the page will simply refresh, and guess what? Your credentials are now posted to the threat actors' server, and they can instantly take over your account (the first thing they'll do is change your password and email to lock you out). In addition, they now have access to your profile and will probably attempt to log in to your personal email account using your account password, as well as other services like Amazon, financial institutions, etc.

It appears the scammers have expanded past Telegram and are now using PMs as a medium to phish credentials, and likely use those stolen credentials to facilitate scams. For a long time, we have acted under the assumption that a PM from a trusted user on the forum is enough to validate. This proves it is not.

Protect Yourself:

  • Inspect any URL before entering credentials
  • Use a very unique, complex password on Bitcointalk to protect your other accounts; consider a password manager for generation, i.e. 1Password
  • Do everything you can to verify that the person you're speaking to via PM is truly that individual. Consider the possibility that their account is being operated by a scammer.
  • Use a trusted escrow for any high-value transactions.

Stay safe and remain vigilant.

-bc
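An added example (not code from this thread or from the forum itself) of the two link checks readers above describe: it names every non-ASCII character in the host, as with the Cyrillic letter in the "oгg" link, and extracts the registrable domain so a long "bitcointalk.org..." subdomain of another domain, as in stage 2, is exposed. The two-label domain rule and the check for a tracked "u=" username parameter are assumptions of this example; both sample URLs are the ones quoted in the thread.

```python
"""Link triage for the two tricks in this thread: a Cyrillic letter standing in
for the 'r' of bitcointalk.org, and the real domain hidden behind a subdomain."""
import unicodedata
from urllib.parse import urlsplit, parse_qs

LEGIT_DOMAIN = "bitcointalk.org"   # the only host a forum link should land on


def refang(url):
    """Undo the '[.]' defanging used in the OP so the URL parses normally."""
    return url.replace("[.]", ".")


def registrable_domain(host):
    """Last two labels of the host. Assumption: fine for .com/.org, wrong for
    two-level public suffixes such as .co.uk (use a public-suffix list there)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def non_ascii_chars(host):
    """Each non-ASCII character in the host with its Unicode name, so a
    look-alike is identified by name (e.g. CYRILLIC SMALL LETTER GHE) not by eye."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in host if ord(c) > 127]


def punycode_host(host):
    """The host as an address bar would show it after IDNA encoding (xn--...)."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host.encode("ascii", "backslashreplace").decode("ascii")


def assess_link(url):
    """Return the parsed host, its registrable domain and a list of findings;
    'safe' is True only when nothing was flagged. https is deliberately not a
    trust signal, since phishing pages use it too."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    findings = []
    for ch, name in non_ascii_chars(host):
        findings.append(f"non-ASCII {ch!r} ({name}) in host; shown as {punycode_host(host)}")
    domain = registrable_domain(host)
    if domain != LEGIT_DOMAIN:
        findings.append(f"registrable domain is {domain}, not {LEGIT_DOMAIN}")
        if LEGIT_DOMAIN in host:
            findings.append(f"'{LEGIT_DOMAIN}' appears only as a subdomain label")
    if "u" in parse_qs(parts.query):   # assumption: a tracked victim username
        findings.append("query string carries a username (u=...)")
    return {"host": host, "domain": domain, "findings": findings, "safe": not findings}
```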