
Topic: Newbie account spreading malware using a fake link. (Read 328 times)

legendary
Activity: 3472
Merit: 3507
It's probably better if you post a link to the thread post *without* reposting the actual suspicious link in a new place.  You can also report the post via the link in the lower right corner of the actual post entitled "report to moderator".

OP properly posted the link in "code", so it is visible here as evidence but it is not clickable and does not bring the possibility of someone accidentally clicking and getting malicious software from there.
I find only a link to the VirusTotal page, and I don't see a problem there either.
Maybe he wanted the opinion of more experienced members, so he opened this topic and got some answers, which would not be possible if he used the "report to moderator" option.

@coupable, you did a good job, all these suspicious accounts have been banned and his posts deleted. Maybe you can really lock this topic, there is no need for further discussion here.
legendary
Activity: 3696
Merit: 2219
💲🏎️💨🚓
It's probably better if you post a link to the thread post *without* reposting the actual suspicious link in a new place.  You can also report the post via the link in the lower right corner of the actual post entitled "report to moderator".
hero member
Activity: 2338
Merit: 757
In the meta area there is a thread from Lafu in which such cases are constantly being processed: Report Malware and Suspicious Links here so Mods can take Action !
This is what I was looking for before starting this thread. I didn't notice this topic before. Thanks for your suggestion and for your fast response.

How to use it
  • Find the msgID, userID or topicID you need. Let's use msgID 51902990.
  • Remove the last 4 digits from the msgID to get the directory name (if there are less than 4 digits, use 0): 5190.
  • Put everything together behind the (above) URL and add ".html": http://loyce.club/archive/posts/5190/51902990.html.
This is what I do:
  • Copy the userID (2819111) to your clipboard.
  • Click http://loyce.club/archive/members/
  • Put your cursor behind the link
  • Press these keys: CTRL-V Backspace Backspace Backspace Backspace / CTRL-V .html Enter
(the ".html" are 5 separate keys)
It's still a little bit complicated for me as I am not that familiar with loyce.club tools. Thank you Loyce for the nice easy guide. I will try it for sure.

I tried it on a mobile device; when I click on view image it forces a download of multiple files. Unfortunately, even though I used the cancel button, a file was downloaded (I just tried it myself as a test but deleted the file immediately without extracting it). Is this embedded by the user or forced by the website?
I found it strange that the website is called screenshot.net. It looks like a legit domain as it's SSL certified.
I sent the file to a friend of mine who is an expert in this kind of malware. I am waiting for his analysis and I will post the result here.

Thank you all.
I am closing this topic.
legendary
Activity: 2408
Merit: 2226
I tried it on a mobile device; when I click on view image it forces a download of multiple files. Unfortunately, even though I used the cancel button, a file was downloaded (I just tried it myself as a test but deleted the file immediately without extracting it). Is this embedded by the user or forced by the website? Anyway, files shouldn't be downloaded from unknown sources and shouldn't be installed on the device, to avoid any kind of attack.

Thanks OP for the warning; most likely that user was nuked, since the post history is ZERO.
staff
Activity: 2548
Merit: 2709
In the meta area there is a thread from Lafu in which such cases are constantly being processed: Report Malware and Suspicious Links here so Mods can take Action !

The 3 users mentioned here are really not needed by the forum. Thanks for being attentive... Problem is solved.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I decided to post here so detective users can check his unedited posts using the LoyceV tool, which I can't use correctly yet.
It's so easy:
Viewing unedited/deleted posts

How to use it
  • Find the msgID, userID or topicID you need. Let's use msgID 51902990.
  • Remove the last 4 digits from the msgID to get the directory name (if there are less than 4 digits, use 0): 5190.
  • Put everything together behind the (above) URL and add ".html": http://loyce.club/archive/posts/5190/51902990.html.
This is what I do:
  • Copy the userID (2819111) to your clipboard.
  • Click http://loyce.club/archive/members/
  • Put your cursor behind the link
  • Press these keys: CTRL-V Backspace Backspace Backspace Backspace / CTRL-V .html Enter
(the ".html" are 5 separate keys)
That's it! When I've used it, my browser remembers the URLs, so all I do is type "posts", "members" or "topics", my browser completes the URL, then paste the number, hit Backspace 4 times, type a slash ("/"), paste the number again, type .html and hit Enter. The whole thing takes about 3 seconds (after some practice). End result: http://loyce.club/archive/members/281/2819111.html. 3 of his posts have a "screenshot".
hero member
Activity: 2338
Merit: 757
I just tagged the user https://bitcointalk.org/index.php?action=trust;u=2819111

I will tag the others as well.

thanks for pointing that out.
Thanks for your fast reaction before the scammers got more victims. I am waiting for moderators to nuke those accounts too.

I've downloaded it after someone said thank you to it.
Please don't open it on your device. It's confirmed malware.
You, as a veteran member, should not fall victim to those scammers. I advise you not to trust anything posted by a newbie account in this forum.
copper member
Activity: 1204
Merit: 737
I've downloaded it after someone quoted it and said thank you to it. Fuck it! I did try to open it but it says extract, so I took a look at it and it's a zip file. I was going to look at what is inside of it but have not, since I'm not with my Linux system. Crazy how he thinks he could just do it without being noticed when everyone here is on the lookout for things like this and scammers.

It's not just that thread; you can check out more threads where the link was inserted. I can't find some of the threads.
Yeah, that guy was looking for someone like you. I suggest you remove the file from your device to keep your device safer. You are not a newbie and you may know that it's not a good option to download any file from unknown sources.

"Coupable", you did a good job by detecting the link which contains malware. I hope community users will be aware of this and they will not download that file.
legendary
Activity: 1358
Merit: 1003
Designer - Developer
Fucking rookies... You can just encode a dropper into straight up image files and then plant a RAT on their terminal..

legendary
Activity: 2492
Merit: 1018
I've downloaded it after someone quoted it and said thank you to it. Fuck it! I did try to open it but it says extract, so I took a look at it and it's a zip file. I was going to look at what is inside of it but have not, since I'm not with my Linux system. Crazy how he thinks he could just do it without being noticed when everyone here is on the lookout for things like this and scammers.

It's not just that thread; you can check out more threads where the link was inserted. I can't find some of the threads.

this https://bitcointalksearch.org/topic/seems-like-bitcoin-is-too-slow-to-progress-5255778
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
I just tagged the user https://bitcointalk.org/index.php?action=trust;u=2819111

I will tag the others as well.

thanks for pointing that out.
hero member
Activity: 2338
Merit: 757
This topic was posted in the Bitcoin Discussion board by a newbie account (created today) named Rizotolok. The topic contains a link pretending to be a screenshot, but on checking, it leads to a page where the link to the image is a downloadable zip file. I have checked it using VirusTotal and it shows a Trojan malware.
Suspicious link:
Code:
[url=https://www.screenshȯt.net/lKtgMY.jpg]https://www.screenshȯt.net/lKtgMY.jpg[/url] 
VirusTotal scan result: https://www.virustotal.com/gui/file/45896fc99e6aa2bbaa7ea55ca1c465a0051fe9dfb93090dd2955b15194bb9db0/detection

After warning users, OP edited his original post and removed the link before I could archive it. But he forgot to remove it from his other posts, which I succeeded in archiving: http://archive.vn/hZrL1

In the same topic, two other newbie accounts posted to confirm that the investment is safe. I have also archived it for reference: http://archive.is/fC99n
Suspicious accounts (all created today):
Rizotolok
FlorenceLove
Mathieuinve2018

I was about to just report the topic to mods, but after OP edited it, I decided to post here so detective users can check his unedited posts using the LoyceV tool, which I can't use correctly yet.
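
The hostname in the suspicious link above replaces the "o" with a dotted look-alike (ȯ), which is easy to miss when reading a post. As an added example (not part of the original thread), this Python sketch scans BBCode for `[url=...]` targets whose host is not pure ASCII and reports the punycode form and the ASCII name it imitates; the function names and the second sample link are constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

BBCODE_URL = re.compile(r"\[url=([^\]\s]+)\]", re.IGNORECASE)

# Sample post: the first link is the one quoted in the thread, with the dotted
# "o" written as an escape (assumed to be the precomposed U+022F); the second
# link is a constructed, plain-ASCII control.
SAMPLE_POST = (
    "[url=https://www.screensh\u022ft.net/lKtgMY.jpg]screenshot[/url] "
    "[url=https://example.com/chart.png]chart[/url]"
)

def ascii_skeleton(host):
    """Decompose accented letters and drop combining marks (dotted o -> o)."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def to_punycode(host):
    """Render each non-ASCII label as the xn-- form that DNS actually uses."""
    labels = []
    for label in host.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)

def inspect_post(bbcode):
    """Return one finding per [url=...] target whose host is not pure ASCII."""
    findings = []
    for target in BBCODE_URL.findall(bbcode):
        host = urlsplit(target).hostname or ""
        if host.isascii():
            continue  # nothing to flag for ordinary hostnames
        findings.append({
            "host": host,
            "punycode": to_punycode(host),
            "looks_like": ascii_skeleton(host),
            "non_ascii": [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                          for c in host if ord(c) > 127],
        })
    return findings

if __name__ == "__main__":
    for finding in inspect_post(SAMPLE_POST):
        print(finding)
```

A finding whose `looks_like` value matches a well-known site while `punycode` starts with `xn--` is the pattern to report.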