More Trezor.io phishing sites | Bitcointalksearch.org

Harlot

hero member

Activity: 1806

Merit: 671

Quote from: $crypto$ on January 08, 2021, 07:41:16 AM

Quote from: Harlot on January 07, 2021, 05:34:27 PM

Quote from: btc_angela on January 03, 2021, 06:02:38 AM

Reported those sites to Namecheap, let's see how fast will they take it down.

I don't think that this will work, namecheap is not known to respond on such reports and even if the website is proven to be a scam they won't do any action to it since from what I see they only see the profit in each transaction they are doing with these criminals. I forgot about the name of the domain hoster that can successfully take down a scam website but one thing is for sure it is not namecheap that is why the most effective way of avoiding this website is making it known the the public and hope that the public will spread the awareness to others.

Namecheap will not delete it immediately if the report is few and it is difficult to prove whether this website scams can be responded to more quickly? because the scamers bought the domain there so it might not be deleted sooner.

So it's true that Harlot said we have to introduce a lot to the public and tell beginners to stay alert for phishing scams like this, so the OP is good at catching and revealing about Trezor which many scamers target.

Nope even if you spam them with the same report it won't be taken down, how do I know? I just visited one of the urls given by the OP and the site is still up and running meaning namecheap didn't respond to any of your reports and it just confirms that they actually don't care about whether the site owner is a scammer or not. Maybe this is one of the main reasons why namecheap is the preferred domain hoster for criminals since aside from it being cheap you won't expect namecheap to have some kind of action against them.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: Welsh on January 08, 2021, 01:19:17 PM

I'm not overly familiar with Google Safe Browsing, but I'm assuming that this works very much the same way, except instead of effecting the domain, they simply blacklist in on their search engine. The only issue with that, is not everyone uses the Google search engine.

In fact, this method is much more efficient because the result of a successful report in most browsers is to show the user a warning that he is trying to visit a deceptive page. Although the report goes through Google, they also share their database with Firefox and Brave (perhaps some other browsers) so the phishing site becomes completely blocked in those browsers.

See the following example -> https://bitcointalksearch.org/topic/warning-fake-and-malicious-ledger-clone-website-5284908

If you visit the next link, you will receive a message about the deceptive page.

Code:

https://lẹdger.com/

The link from the OP is still not blocked, but I guess it will happen in a few days - and a lot depends on the number of reports that Google receives for a particular domain.

telo1

newbie

Activity: 5

Merit: 0

Yes, I also often encounter pishing links, for me that's normal but it's very dangerous. do not let you provide important assets for example email, accounts, and so on
better to avoid sensitive things, I thought!

AakZaki

legendary

Activity: 2310

Merit: 1076

zknodes.org

Quote from: Insanerman on January 08, 2021, 02:06:38 AM

Lol indeed. Those fake pages are just easy to duplicate and be instantly re-register. But actually, you can report it in namecheap if the IP of the people behind registering those phishing sites lies only to one IP (AFAIK they can detect it, unless they use VPN), and they can block them from registering again.

It's really good to still report this on namecheap. However, it is much better to have the safety on our front end. Bookmarking the main page of Trezor makes a huge step towards preventing the visiting of those phishing sites. Hence, report it or not, safety must still rely on the end0sers themselves. After all, trezor gives warning to the users about this, so it is really a user's fault when he isn't aware with this common kind of attacks.

Reporting to a domain provider such as namecheap is the most appropriate choice, because only the domain provider can block the domain itself.
Currently there are many phishing websites like this which are very dangerous for ordinary people or for people who are not careful. this will be a trap and will be very costly. Even phishing websites have 100% the same template and almost the same domain name with several different characters. Official websites such as Trezor have indeed provided warnings and must remain vigilant, the risk of being caught in phishing is the individual's fault. Phishing websites also frequently appear in spam emails giving gifts and some giveaways.

Welsh

staff

Activity: 3276

Merit: 4111

Quote from: Lucius on January 08, 2021, 07:38:13 AM

I have tried several times to go in that direction and do reports to the hosting/domain company, but at least from my experience it is often something that takes too long, at least compared to the report on Google Safe Browsing. I'm not sure what's going on with banned domains, but I guess its use should be completely disabled. I found one article on the subject that explains the whole process a little better.

I do get that, usually reporting anything is a thankless task. I can just imagine that domain registars probably appoint a very small team, with limited funding to look into these issues which would explain the long delays. I doubt that they look into it in complete depth either.

I'm not overly familiar with Google Safe Browsing, but I'm assuming that this works very much the same way, except instead of effecting the domain, they simply blacklist in on their search engine. The only issue with that, is not everyone uses the Google search engine. Although, Google is probably massively dominant in general, Bitcoin is a little more specific, and usually means people value privacy a little more. So, I'd like to think that a lot of Bitcoin users, who are susceptible to this kind of attack are using a more privacy oriented search engine.

$crypto$

legendary

Activity: 2394

Merit: 1049

Smart is not enough, there must be skills

Quote from: Harlot on January 07, 2021, 05:34:27 PM

Quote from: btc_angela on January 03, 2021, 06:02:38 AM

Reported those sites to Namecheap, let's see how fast will they take it down.

I don't think that this will work, namecheap is not known to respond on such reports and even if the website is proven to be a scam they won't do any action to it since from what I see they only see the profit in each transaction they are doing with these criminals. I forgot about the name of the domain hoster that can successfully take down a scam website but one thing is for sure it is not namecheap that is why the most effective way of avoiding this website is making it known the the public and hope that the public will spread the awareness to others.

Namecheap will not delete it immediately if the report is few and it is difficult to prove whether this website scams can be responded to more quickly? because the scamers bought the domain there so it might not be deleted sooner.

So it's true that Harlot said we have to introduce a lot to the public and tell beginners to stay alert for phishing scams like this, so the OP is good at catching and revealing about Trezor which many scamers target.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: Welsh on January 07, 2021, 05:30:21 PM

Although, this is true, and will forever remain true. At least, getting certain domains banned might prevent very similar names from being generated. I'm not sure the normal process of web registars when banning an account. Do they remove the domain, and put it back on the market, or do they completely ban it from everyone? I'd assume the latter. Therefore, reporting very similar, and therefore easier to fall for would be beneficial in the long run, as eventually they will have to use vastly different addresses.

I have tried several times to go in that direction and do reports to the hosting/domain company, but at least from my experience it is often something that takes too long, at least compared to the report on Google Safe Browsing. I'm not sure what's going on with banned domains, but I guess its use should be completely disabled. I found one article on the subject that explains the whole process a little better.

Quote from: Harlot on January 07, 2021, 05:34:27 PM

I don't think that this will work, namecheap is not known to respond on such reports and even if the website is proven to be a scam they won't do any action to it since from what I see they only see the profit in each transaction they are doing with these criminals.

That's something I can confirm, they're very slow and inefficient when it comes to that - so if by any chance they even went to check every domain, I believe they would be left without a big chunk of the income that comes from bad guys. It is important to sell, and the fact that the domain will be used for criminal activities becomes someone else's problem.

Insanerman

sr. member

Activity: 1162

Merit: 450

Quote from: Lucius on January 07, 2021, 10:44:00 AM

Unfortunately, reporting such fake pages is literally a fight with windmills, because if we knock down one fake page, at least 5 new identical ones will appear. The big blame for this is the hosting companies that do not have any checks that would go in the direction of phishing prevention - of course it is something that would be expensive and time-consuming for them.
~
We can also report phishing to Google, so such sites will be blocked in most browsers : https://safebrowsing.google.com/safebrowsing/report_general/

Lol indeed. Those fake pages are just easy to duplicate and be instantly re-register. But actually, you can report it in namecheap if the IP of the people behind registering those phishing sites lies only to one IP (AFAIK they can detect it, unless they use VPN), and they can block them from registering again.

It's really good to still report this on namecheap. However, it is much better to have the safety on our front end. Bookmarking the main page of Trezor makes a huge step towards preventing the visiting of those phishing sites. Hence, report it or not, safety must still rely on the end0sers themselves. After all, trezor gives warning to the users about this, so it is really a user's fault when he isn't aware with this common kind of attacks.

Harlot

hero member

Activity: 1806

Merit: 671

Quote from: btc_angela on January 03, 2021, 06:02:38 AM

Reported those sites to Namecheap, let's see how fast will they take it down.

I don't think that this will work, namecheap is not known to respond on such reports and even if the website is proven to be a scam they won't do any action to it since from what I see they only see the profit in each transaction they are doing with these criminals. I forgot about the name of the domain hoster that can successfully take down a scam website but one thing is for sure it is not namecheap that is why the most effective way of avoiding this website is making it known the the public and hope that the public will spread the awareness to others.

Welsh

staff

Activity: 3276

Merit: 4111

Quote from: Lucius on January 07, 2021, 10:44:00 AM

Unfortunately, reporting such fake pages is literally a fight with windmills, because if we knock down one fake page, at least 5 new identical ones will appear. The big blame for this is the hosting companies that do not have any checks that would go in the direction of phishing prevention - of course it is something that would be expensive and time-consuming for them.

But of course a good part of the blame lies with the users themselves, who are dealing with something they don't fully understand - and the whole wisdom is actually in one sentence. "Don’t enter your seed words anywhere except into the device itself" - and anyone who can’t figure it out has definitely strayed into the world of cryptocurrencies.

We can also report phishing to Google, so such sites will be blocked in most browsers : https://safebrowsing.google.com/safebrowsing/report_general/

Although, this is true, and will forever remain true. At least, getting certain domains banned might prevent very similar names from being generated. I'm not sure the normal process of web registars when banning an account. Do they remove the domain, and put it back on the market, or do they completely ban it from everyone? I'd assume the latter. Therefore, reporting very similar, and therefore easier to fall for would be beneficial in the long run, as eventually they will have to use vastly different addresses.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Unfortunately, reporting such fake pages is literally a fight with windmills, because if we knock down one fake page, at least 5 new identical ones will appear. The big blame for this is the hosting companies that do not have any checks that would go in the direction of phishing prevention - of course it is something that would be expensive and time-consuming for them.

But of course a good part of the blame lies with the users themselves, who are dealing with something they don't fully understand - and the whole wisdom is actually in one sentence. "Don’t enter your seed words anywhere except into the device itself" - and anyone who can’t figure it out has definitely strayed into the world of cryptocurrencies.

We can also report phishing to Google, so such sites will be blocked in most browsers : https://safebrowsing.google.com/safebrowsing/report_general/

plvbob0070

copper member

Activity: 658

Merit: 402

Quote from: btc_angela on January 03, 2021, 06:02:38 AM

And since Ledger has been hugging the limelight lately, these criminals think that people might switch to Trezor that's why they've created a lot of phishing sites like what the OP has found.

Trezor has made a statement to warn their user of the scams associated with their wallet and website.
[1] Phishing attacks are targeting Trezor users

Quote from: btc_angela on January 03, 2021, 06:02:38 AM

It's very dangerous as this malicious sites really clone the original. Do not enter your seeds.

it has been a common tactic of cyber-criminals to attack and steal credentials. Thus, it is extremely alarming as it is difficult to see the difference with its similar logo and content provided. Therefore, any user can be at risk, so we should verify the website address before signing in to our account.

We can check it using the website mentioned in this thread, which is the Punycode converter. By using it, we can see its real web address.
[1] UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?

btc_angela

hero member

Activity: 2632

Merit: 546

Reported those sites to Namecheap, let's see how fast will they take it down.

And since Ledger has been hugging the limelight lately, these criminals think that people might switch to Trezor that's why they've created a lot of phishing sites like what the OP has found. It's very dangerous as this malicious sites really clone the original. Do not enter your seeds.

Dave1

hero member

Activity: 1330

Merit: 536

1.

Code:

https://trėzor.io/
xn--trzor-7za.io

Quote

Whois Record for Trėzor.io
How does this work?
Domain Profile
Registrant Org    WhoisGuard, Inc.
Registrant Country    pa
Registrar    NameCheap, Inc
IANA ID: 1068
URL: www.namecheap.com
Whois Server: whois.namecheap.com

(p)
Registrar Status    clientTransferProhibited, serverTransferProhibited
Dates    22 days old
Created on 2020-12-11
Expires on 2021-12-11
Updated on 2020-12-11

Name Servers    IGOR.NS.CLOUDFLARE.COM (has 17,893,112 domains)
PAT.NS.CLOUDFLARE.COM (has 17,893,112 domains)


Tech Contact    —
IP Address    104.28.30.163 - 499 other sites hosted on this server

2.

Code:

https://trezör.io/
xn--trzor-7za.io

Archive: https://archive.is/KsHvX

Quote

Registrant Org    WhoisGuard, Inc.
Registrant Country    pa
Registrar    NameCheap, Inc
IANA ID: 1068
URL: www.namecheap.com
Whois Server: whois.namecheap.com

(p)
Registrar Status    clientTransferProhibited, serverTransferProhibited
Dates    11 days old
Created on 2020-12-22
Expires on 2021-12-22
Updated on 2020-12-22

Name Servers    DNS1.NAMECHEAPHOSTING.COM (has 999,079 domains)
DNS2.NAMECHEAPHOSTING.COM (has 999,079 domains)


Tech Contact    —
IP Address    198.54.115.24 - 278 other sites hosted on this server

And here are the rest:

Code:

xn--trezr-mua.io
xn--trezr-3ta.io
xn--treor-kib.io
xn--trzor-csa.io

Topic: More Trezor.io phishing sites (Read 221 times)