Topic: Fanbitcoin.com - Mirror or phishing? (Read 1512 times)

legendary
Activity: 906
Merit: 1002
March 15, 2016, 04:27:44 AM
#13
Wow! I don't know who or what linked it, but I'd like to consider myself pretty savvy as far as phishing goes. Gave me a heartache when I realized what I had done. Thank goodness for lastpass and for not keeping identical passes. I should've known something was screwy when it wasn't offering to fill in my login details.

So please everyone, beware. The link is on the forum somewhere that directs you to this fanbitcoin.com. I was casually surfing Bitcointalk as usual and nearly got took myself.
newbie
Activity: 13
Merit: 0
December 07, 2015, 07:16:20 PM
#12
This will be my last update. Sorry to keep resurrecting this thread. I've been tinkering around a bit in my free time with php and learning how these phishing sites work. I guess that's just the personality traits of our type of people.

I've recreated a test site using fanbitcoin.com's copied source code, exploited the php to capture the "user" and "passwrd" fields, then I've attempted to return a server 404 like their host cloudflare.com does. It's not possible.

Once the php script begins to process, you either land on a blank page or get redirected to whatever page is specified in the "header('Location: http://site.com');" It's not possible to have the webserver display its internal 404 (notice the URL doesn't change on cloudflare) since php is responsible for serving the header and the specific 404 page URL once it begins processing.

This is the best explanation I've found:
http://stackoverflow.com/questions/437256/why-wont-my-php-app-send-a-404-error


I created a test site and set up the cloudflare CDN. With "smarterrors" enabled, I can pass a "header("HTTP/1.1 404 Not Found");" at the bottom of the php code, after intercepting the username password, and cloudflare will throw its 404 page.

Fair warning: CHANGE YOUR PASSWORD!
newbie
Activity: 13
Merit: 0
December 05, 2015, 12:01:05 PM
#11
Probably phishing. Why would you make a mirror, when everyone can use the official site? :-/

One way or another, stay well away. Seems phishy (Geddit)

I'm guessing the domain name or IP for bitcointalk.org is banned in other countries and this mirror provides a portal for foreign readers. I'm investigating whether my original password was possibly stolen for different reasons. I have changed my initial password BTW.

The mirror is hosted on cloudflare out of California and using their SSL cert. Although the domain owner is hidden, it's someone out of Panama.

From what I can tell so far, it looks like they mirrored this site but did not take any of the PHP forms with it. They also don't use any javascript besides a Shopify stat counter at the bottom of every page:

• The login form from the home page uses PHP to POST a "user" and "passwrd" value to fanbitcoin.com/index.php?action=login2, the same behavior as bitcointalk.org/index.php?action=login2
• Bitcointalk then uses javascript to process the "user" value "frmLogin". See http://screencast.com/t/mvVDGvbaA
• Fanbitcoin lacks the javascript to process any value "frmLogin". See http://screencast.com/t/P1fDKgQ6Zs2L

*Links removed for safety.
*I'm a complete noob.
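
Added example, not part of the original post or thread: a Python sketch of the form comparison described in the post above. It finds password forms in saved page markup, resolves where they submit, and flags anything that is not bitcointalk.org; the sample markup and the `processLogin` handler name are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
CANONICAL_HOST = "bitcointalk.org"  # the only legitimate domain, per the thread

class LoginFormFinder(HTMLParser):
    """Collects every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "onsubmit": a.get("onsubmit"),
                         "fields": [], "password": False}
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append(a.get("name"))
            self._cur["password"] |= (a.get("type") or "").lower() == "password"

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            if self._cur["password"]:
                self.forms.append(self._cur)
            self._cur = None

def audit_login_forms(page_url, html):
    """Returns one finding per password form: submit target, fields, issues."""
    finder = LoginFormFinder()
    finder.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for form in finder.forms:
        target = urlsplit(urljoin(page_url, form["action"]))
        issues = []
        if page_host != CANONICAL_HOST:
            issues.append("page host is " + page_host)
        if (target.hostname or "").lower() != CANONICAL_HOST:
            issues.append("credentials POST to " + (target.hostname or "?"))
        if target.scheme != "https":
            issues.append("form target is not HTTPS")
        if not form["onsubmit"]:  # heuristic: the thread says the clone lacks the login script
            issues.append("no submit handler on the form")
        findings.append({"target": target.geturl(), "fields": form["fields"], "issues": issues})
    return findings

# Constructed sample markup using the field names quoted in the thread.
CLONE = ('<form action="index.php?action=login2" method="post"><input name="user">'
         '<input type="password" name="passwrd"><input type="hidden" name="hash_passwrd"></form>')
ORIGINAL = CLONE.replace("<form ", '<form name="frmLogin" onsubmit="processLogin(this)" ')
if __name__ == "__main__":
    print(audit_login_forms("https://fanbitcoin.com/", CLONE))
```

A valid HTTPS certificate on the clone does not change the result: the check is on which host receives the "user" and "passwrd" fields, not on whether the connection is encrypted.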
sr. member
Activity: 392
Merit: 251
December 05, 2015, 05:59:43 AM
#10
Probably phishing. Why would you make a mirror, when everyone can use the official site? :-/

One way or another, stay well away. Seems phishy (Geddit)
legendary
Activity: 1232
Merit: 1030
give me your cryptos
December 04, 2015, 05:14:03 PM
#9
Pretty much all mirrors are also phishing. They can get your bitcointalk password, so one way or another it's risky. Bitcointalk is easier to remember anyway, why would you use something as dodgy as fanbitcoin?
copper member
Activity: 2996
Merit: 2374
December 04, 2015, 09:51:20 AM
#8
There really needs to be a sticky that says the only domain is bitcointalk.org and any other one is a phishing site.
newbie
Activity: 13
Merit: 0
December 04, 2015, 07:37:44 AM
#7
I wish that Google was smart enough to notice this copying and ban the copycat sites.

I just attempted a login.

You should change your password here just in case.

Thanks for the reply, Theymos! Will do!
administrator
Activity: 5222
Merit: 13032
December 03, 2015, 10:31:48 PM
#6
I wish that Google was smart enough to notice this copying and ban the copycat sites.

I just attempted a login.

You should change your password here just in case.
newbie
Activity: 13
Merit: 0
December 03, 2015, 09:13:06 PM
#5
I just attempted a login.

The site pulled up in a Google search for the Avalon 6. I saw it was using HTTPS, I assumed a secure signed TLS certificate was secure enough, and I entered my credentials.

I was redirected to a cloudflare error page: "The page you are looking for cannot be found":
http://screencast.com/t/UiyyTuRFH

Does anyone know if the PHP POST for "hash_passwrd" on the submit button could have passed the password to the phisher man?:
http://screencast.com/t/8de4RZt4S

I'm guessing if it did there would have been some sort of confirmation of the submission (and Chrome password manager would have prompted to save it for the site.)

Thanks guys.
hero member
Activity: 896
Merit: 508
November 20, 2015, 04:41:04 AM
#4
Tried to log in with some random characters. The site just went blank.
full member
Activity: 142
Merit: 100
November 18, 2015, 05:48:35 PM
#3
I almost signed in there after a Google search took me there instead of here today.
hero member
Activity: 493
Merit: 500
Sarthak's a dumb girl
September 16, 2015, 05:59:12 AM
#2
Hmm it seems so, seems to be daily updated as well. Warning well given.
legendary
Activity: 2310
Merit: 1422
September 16, 2015, 05:55:36 AM
#1
I searched something about Bitcoin in Google and I found https://fanbitcoin.com in search results. It looks like another mirror site like bitcointa.lk.
Don't try to login from that site!