Wow! I don't know who or what linked it, but I'd like to consider myself pretty savvy as far as phishing goes. Gave me a heartache when I realized what I had done. Thank goodness for lastpass and for not keeping identical passes. I should've known something was screwy when it wasn't offering to fill in my login details.
So please everyone, beware. The link is on the forum somewhere that directs you to this fanbitcoin.com. I was casually surfing Bitcointalk as usual and nearly got took myself.
Topic: Fanbitcoin.com - Mirror or phishing? (Read 1489 times)
I've recreated a test site using fanbitcoin.com's copied source code, exploited the php to capture the "user" and "passwrd" fields, then I've attempted to return a server 404 like their host cloudflare.com does. It's not possible.
Once the php script begins to process, you either land on a blank page or get redirected to whatever page is specified in the "header('Location: http://site.com');" It's not possible to have the webserver display it's internal 404 (notice the URL doesn't change on cloudflare) since php is responsible for serving the header and the specific 404 page URL once it begins processing.
This is the best explanation I've found:
http://stackoverflow.com/questions/437256/why-wont-my-php-app-send-a-404-error
I created a test site and setup the cloudflare CDN. With "smarterrors" enabled, I can pass a "header("HTTP/1.1 404 Not Found");" at the bottom of the php code, after intercepting the username password, and cloudflare will throw it's 404 page.
Fair warning: CHANGE YOUR PASSWORD!
Probably phishing. Why would you make a mirror, when everyone can use the official site? :-/
One way or another, stay well away. Seems phishy (Geddit)
One way or another, stay well away. Seems phishy (Geddit)
I'm guessing the domain name or IP for bitcointalk.org is banned in other countries and this mirror provides a portal for foreign readers. I'm investigating whether my original password was possibly stolen for different reasons. I have changed my initial password BTW.
The mirror is hosted on cloudflare out of California and using their SSL cert. Although the domain owner is hidden, it's someone out of Panama.
From what I can tell so far, it looks like they mirrored this site but did not take any of the PHP forms with it. They also don't use any javascript beside a Shopify stat counter at the bottom of every page:
• The login form from the home page uses PHP to POST a "user" and "passwrd" value to fanbitcoin.com/index.php?action=login2, the same behavior as bitcointalk.org/index.php?action=login2
• Bitcointalk then uses javascript to process the "user" value "frmLogin" See http://screencast.com/t/mvVDGvbaA
• Fanbitcoin lacks the javascript to process any value "frmLogin" See http://screencast.com/t/P1fDKgQ6Zs2L
*Links removed for safety.
*I'm a complete noob.
Probably phishing. Why would you make a mirror, when everyone can use the official site? :-/
One way or another, stay well away. Seems phishy (Geddit)
One way or another, stay well away. Seems phishy (Geddit)
Pretty much all mirrors are also phishing. They can get your bitcointalk password, so one way or another it's risky. Bitcointalk is easier to remember anyway, why would you use something as dodgy as fanbitcoin?
There really needs to be a sticky that says the only domain is bitcointalk.org and any other one is a phishing site.
I wish that Google was smart enough to notice this copying and ban the copycat sites.
You should change your password here just in case.
I just attempted a login.
You should change your password here just in case.
Thanks for the reply, Theymos! Will do!
I wish that Google was smart enough to notice this copying and ban the copycat sites.
You should change your password here just in case.
I just attempted a login.
You should change your password here just in case.
I just attempted a login.
The site pulled up in a Google search for the Avalon 6. I saw it was using HTTPS, I assumed a secure signed TLS certificate was secure enough, and I entered my credentials.
I was redirected to a cloudflare error page: "The page you are looking for cannot be found":
http://screencast.com/t/UiyyTuRFH
Does anyone know if the PHP POST for "hash_passwrd" on the submit button could have passed the password to the phisher man?:
http://screencast.com/t/8de4RZt4S
I'm guessing if it did there would have been some sort of confirmation of the submission (and Chrome password manager would have prompted to save it for the site.)
Thanks guys.
The site pulled up in a Google search for the Avalon 6. I saw it was using HTTPS, I assumed a secure signed TLS certificate was secure enough, and I entered my credentials.
I was redirected to a cloudflare error page: "The page you are looking for cannot be found":
http://screencast.com/t/UiyyTuRFH
Does anyone know if the PHP POST for "hash_passwrd" on the submit button could have passed the password to the phisher man?:
http://screencast.com/t/8de4RZt4S
I'm guessing if it did there would have been some sort of confirmation of the submission (and Chrome password manager would have prompted to save it for the site.)
Thanks guys.
Tried to log in with some random characters. The site just went blank.
I almost signed in there after a Google search took me there instead of here today.
Hmm it seems so, seems to be daily updated as well. Warning well given.
I searched something about Bitcoin in Google and I found https://fanbitcoin.com in search results. It looks like another mirror site like bitcointa.lk.
Don't try to login from that site!
Don't try to login from that site!
Jump to: