If Something Smells Phishy, It Most Likely Is!

in #community6 years ago (edited)

My preference is to resteem public announcement posts rather than write my own. Why write a post when someone can do it better? I am aware that a post may be missed on the feed, therefore, will take a moment to bring awareness to recent phishing attacks.

Please read the recent phishing activity posted by @guiltyparties and the sharing of @irvinesimages's recent phishing attack experience.

https://steemit.com/phishing/@guiltyparties/phishing-is-back

https://steemit.com/photofeed/@irvinesimages/peaceful-essence

phishing-3390518_1280.jpg

What is Phishing on the STEEM blockchain and how does it affect you?


Many of us know not to click on unknown links. Steemit is a platform attracting users new to the social media/blogging scene who may not be savvy on such matters. As a result, phishing attacks do occur on the STEEM blockchain.

Per Wikipedia:

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords….and is carried out by email spoofing or instant messaging…It often directs users to enter personal information at a fake website, the look and feel of which are identical to the legitimate site, the only difference being the URL of the website in concern.


With relevance to Steemit, phishing occurs when someone leaves a comment on your post enticing you to click on a (green) link to take you to the event. You are then directed to a fake website and asked to enter your password. Within minutes, your account is hacked and the readily available STEEM/SBD in your account would then be transferred to blocktrades or another exchange. The scammer then takes over your account and sends the same phishing comments to your friends/other Steemians.

DO NOT CLICK ON LINKS!
Especially not on comments. I admit to using markdown format to make links used on my posts “clean-looking”, but would never do so on comment. No one I know would do such things, so do be careful!

Always note the URL of a site before entering your password!
A legit link from Steemit would start with https://steemit.com.

My Morning Started Off Phishy


This morning I came across the post by @irvinesimages about being victim to a phishing attack. Half asleep since it was 5:00 AM my time (sleeping schedule way off due to my having pneumonia), I followed the events and realized another victim of the attack (who had 1,117 STEEM stolen) was now sending out phishing messages to other Steemians. The individual is at Reputation 64 which is beyond my mere Rep 56. The comments were fairly recent. Not knowing what to do, I asked a friend who told me about the @steemcleaners’s Discord room. I joined, left a comment in the phishing channel, and @bullionstackers immediately responded to my comment. He immediately notified the right parties (witnesses @guiltyparties, @pjau and @arcange ) and advised me to not take action because the scammer could target my own account. Being a newbie in the @steemcleaners world, I left the issue with them because there really is nothing more I could have done. I would have felt terrible knowing others were victimized by the account and I knew about it but didn't take action in any way.

Since the morning until now, the team is actively taking action against this stolen account who continues to send phishing messages to others. Due to the high Reputation and flagging retaliation, it is taking some time for them to take control of the account.

Why I Added New Witnesses


STEEM is a self-governing community. I respect that there are volunteers like @bullionstackers and witnesses in the Steem Cleaners Discord room actively combating phishing attacks on the STEEM blockchain to mediate phishing attacks. The witnesses that were notified (@guiltyparties, @pjau and @arcange) responded in a timely manner to help combat the issue. Without the assistance of Steem Cleaners community, phishing attacks would be on full rampant. Who would help these individuals being targeted due to malice intentions?

I have now voted for three new witnesses: @patrice, @guiltyparties, and @pjau. @arcange was already on my witness list.


Links of Interests for Victims of Phishing Attacks

@simplymike wrote a post on how to get your account back if you are victim of a Phishing attack:
https://steemit.com/mapsters/@simplymike/got-hacked-here-s-how-to-get-your-account-and-reputation-score-back

Steem Cleaner's Discord Room: https://discord.gg/2NfBRVP

beeyou copy-paula.jpg

Image and content references: example of "clean-looking" links that should NEVER be clicked on if received in a comment.
Wikipedia, Phishing Image

Sort:  

Seeing a lot of this in the real-estate industry. Buyers getting false wiring instructions and then sending money to the scammer's bank account. Can equate to hundreds of thousands of dollars.

Yeah I work in utilites and I've seen that as well...pretty sad, I'm usually one of the 1st people to have to notify them....

Yes, this scam does happen often in the real estate industry. My professional background is in IT, but I did study real estate and land use affairs. I dabbled in the industry for a while, and see many instances of the fraudulent wiring instructions. Good closing companies enforce policies about wiring transfers and I would also hope buyers do their due diligence by selecting a good real estate professional that would take the time to educate the buyer on such issues. It does help that many of the real estate documents are now e-signed, so the buyer has to be sure to follow the instructions on those set of "private" documents. Following instructions from other avenues would result in the phishing activity you mentioned.

Thanks for stopping by @kimor!

Too bad John Podesta didn't read this type of post before he sunk Hillary's campaign by falling victim to a Russian phishing scheme.

It does go to show that anyone could be a victim of phishing activities. It doesn't matter how educated or knowledgeable a person is about a subject, scammers will find a way and pounce on that opportune moment! Perhaps if phishing awareness is a major topic of concern and discussion in the real world, political pathways could be different, as you stated.

Thanks for stopping by @kiporen212!

A Big Thumb Up for the Post and Resteem.

Thanks @quarantine. Let's hope you have plenty of "push-up" help so you can grow the account and continue to quarantine the hacked accounts! :)

Yes, Push Up make me Strong to handle the Phishers.

Just like folks that try to scam on Twitter, maybe this is a bit of a compliment for the STEEM community....sorry if anyone was affected by these cowards! ;)

Definitely a positive way to looking at it @dexterdumb. If Steem wasn't making a name for themselves, then scammers won't even give it a second look 😅. Thanks for stopping by!

Thanks for your attention to this issue!

Post Supported !

Appreciate you stopping by to show your support @bullionstackers! Thanks again for your help in Steem Cleaners discord. Many of us don't realize the work the SC team are doing to combat phishing/abuse attacks since it is all done behind the scenes. You and the other volunteers are doing an amazing job helping users at their time of need. :)

I was just coming over to see if you are feeling better. Here you are taking time to do a helpful post in spite of being sick.
That is probably why I like you so much (been trying to figure that out)
Thanks for warning us. There have been some other strange flag things going around. But those seem harmless compared to this one.
Hope you start feeling better.

That is so sweet of you to check up on me! 😊 I am feeling better, finally! I had the lingering cold/flu symptoms for nearly a month that I couldn't shake off. I was quite surprised at the last doctor visit to hear the word 'pneumonia'. Never thought I would ever get that, but apparently I did. So after another dose of antibiotic drug, I am finally getting better. Not 100%, but better enough to write a post (and comment).

I think we both like one another because we share the same sentiments and outlook on some things. You are very perceptive and take the time to 'dig' for truths. I do the same, if I care to look. Well, not so much on the perceptive aspect, but more along the wavelength of trying to discover the ways of workings on here.

palikari123 wrote a post about those strange flags too. Seems like there are new accounts being created that are not posting or commenting, but simply going around flagging people. I received a flag on this post as well, lol. Since their rep doesn't go beyond 25 and most likely won't since they may fear retaliation (because these accounts are just mass flagging accounts), then there really is no reason to pay them any mind.

Just be sure NOT to click on any comment links! Thanks again for stopping by, appreciate it. I know I have several comments from you and others that I have to catch up on. On my list, although I know you don't mind if I get back late. :)

Is it possible to gain upvotes from those witnesses by voting them for witnesses?

Hi @skreza. I believe there are a few witnesses that will pay you if you vote them as witnesses, either via upvote/sbd. I can't remember whom since I don't support any of them.

I do have several witnesses that show their upvote support on my posts, but it's not because I voted for them. I engage with the witnesses and they know me through the engagement. All the witnesses I've voted for show support to the community in one form or another. Some choose to engage back with me, and others I've never had a single conversation with.

We are all users and investors on this platform. I know we all want to grow, but we also have to support the witnesses that are doing their best to make STEEM a better place for users. For me, my vote for witnesses would always go to these individuals that are trying to build STEEM into a platform that attract end users and investors. I don't know what these witnesses willing to "pay for votes" offer for the STEEM blockchain, aside from self-profit. My vote wouldn't go to these individuals.

My recommendation would be to visit the blogs of the witnesses you've researched and feel are contributing to the platform. Engage with them. Support when received in the truest form is always best.

Ok thanks

But i think witnesses are not doing us any free favor.. they are doing a job which only few has the opportunity to do and for which they are being paid thousands of steem daily from the reward pool..

I understand some may feel this way about witnesses. Everyone has different opinions of this platform and the witnesses. It is only the witnesses in the top 20 that are receiving thousands of steem daily. Witnesses in the lower ranking are barely making enough to pay for server costs, but some of these witnesses do show community support.

I will shamelessly list my top three witnesses if you care to read. None of these witnesses are in the top 20 so they are not making thousands of steem, but they are doing their best to show support to the community and make STEEM a better platform. That is why they have my witness votes. The steemcleaners community are also doing a wonderful job helping users regain their account after being hacked. Who else would help these users? It's not Steemit Inc.


@steemcommunity is a witness where @abh12345 is co-partner. Asher (abh12345) hosts a weekly contest for engagement and steem prizes are given out to people who engage on the platform. He also delegates to individuals (myself included) to help us grow. He doesn't ask anything in return, and in fact, did all this when many accounts had barely any SP.

@yabapmatt is a witness that co-founded @steemmonsters, which encourages user activity here on the platform. Once the game is "live", users will have the opportunity to earn steem/sbd by playing in tournaments. The current prize pool is estimated to be in the 1,000 sbd (or maybe USD) range. I love the steemmonsters concept because users no longer have to be a writer or video producer to succeed here. They can play games and earn if that is their preference. They also have weekly contests where users could win cards and sbd. Matt recently donated to a contest where over $200 sbd in prizes were given to newbies/minnows. He also delegates to community-oriented members.

@danielsaori is a witness that co-founded @dustsweeper. The bot will come "upvote" any votes received that do not meet the 0.02 dust threshold required to be awarded. He also hosts a weekly contest for quality commenters, and users could win sbd and SP delegation.

Great comment @beeyou !

You are right in that the vast majority of witnesses are losing money on STEEM mined verses server costs. Even the base set-up is not going to show any profit at all for around half the active witnesses.

Many (including @steemcommunity) have the plan in mind that if the node starts turning a profit, more equipment will be added thus balancing the expenses. I would suggest that at present if you are not in the top 20 and have all the kit, then you wont be making money as a witness right now.

Thank you for the kind mention of @steemcommunity :D

I would suggest that at present if you are not in the top 20 and have all the kit, then you wont be making money as a witness right now.

In my 7 months of being on here, it is witnesses such as yourself, Matt, and Daniel (all not in the top 20), that have shown support to us small fishes. It is this very reason why many of us redfishes and minnows try our best to bring awareness to the importance of witness voting. Imagine the many lives you would impact if you had the financial support of being in the top 20. We minnows may lack influence, but I know a lot of us will continue to spread awareness and aim for our favorite witnesses to make it to the top 20. :)

Appreciate you stopping by Asher!

I’m not sure how a platform can ever possibly ‘catch-on’ when it’s single line of user-protection is advising it’s users not..to..click..on..any..links.. It especially sucks when trying to use other platforms running on the Steem Blockchain which require your password such as Dtube for example. Since Steemits sole defensive strategy is for users not to clink links and definitely not to input their passwords the whole thing gets schizophrenic in a hurry. And thanks to the miracle of decentralization your recourse after being victimized is zero.

Hey @originalsimulant! Long time no see. :)

I’m not sure how a platform can ever possibly ‘catch-on’ when it’s single line of user-protection is advising it’s users not..to..click..on..any..links..

Sadly, the advice extends beyond the platform into the real-world because there isn't much else that can be done with phishing scams, aside from user education. Even at my workplace, the only advice that is given to users about email-phishing is not to click on any links. Those fake websites are complete replica of the real one, and maybe only one letter inserted that is different, and users don't always pay attention.

It especially sucks when trying to use other platforms running on the Steem Blockchain which require your password such as Dtube for example.

I do see the problem here as well. Different dapps require different passwords to login, for instance, Busy and DLive require you to give your active key to login to use. If users are "actively" using this active key, it opens the door for hackers to come in and "phish" the active key and steal the steem/sbd funds. Steemit require only the posting key which does lessen the risk of funds being stolen since hackers wouldn't be able to make wallet transactions with a posting key.

I did hear on the MSP show last night that yabapmatt (witness) is in the process of building an extension for STEEM, similar to Metamask, which is an extension on the web browser that is used to store passwords and can use be used on the different dapps on the STEEM blockchain. I don't understand the technical details very well, and it hasn't been released yet, but what I got out of it is that users could now save their password in this extension which will allow safe access into dapps like steemit, busy, and dtube/dlive. My hope is that with the release of the extension, users that click on a "phishing link" would know it is a scam because they are asked to enter a password. Because if the site was legit, the password would already be saved in the extension and the user wouldn't be asked! I hope that is how it works. That would require the usage of browser extension addon but decrease the chance of phishing activities.

Great job here @beeyou. Thanks for informing us all of what's going on! 🐝 🚁 ✈🚀

Also, please take care of yourself and rest up...I wish you a speedy recovery from your bout of pneumonia. 😷😇

Thanks for the best wishes @palikari123. :)

The key system is the part that actually fails most.

People use the master key far to often, since that is the only key that always works. and the other keys, well i still have to figure most of that out myself. I think i'm using them correct most of the time, but there is no way to be sure. As often the very key that the login screen asks about simply fails to work, then only a 'more powerful' is the only solution, and people being people then just use the strongest key to get over the bloody login wall

Hi @bifilarcoil. The key system can be confusing to new users. Here is how I use the keys:

1.NEVER use the MASTER key. Save it offline, and don't use it unless your account has been hacked/compromised, and you would only use it to change the passwords, then never again.

2. POSTING key should be used for your daily activities on Steemit like posting and commenting. That's what I do.

3. ACTIVE key should only be used used for wallet transactions, or for logging on to dapp platforms like dlive and busy that requires the active key to use. I use busy to post, but I don't use it to browse since I have to log in with my active key. I prefer to use steemit with my posting key to do all my browsing and upvotes/comments. If I do use my active key on a wallet transaction, I will log off immediately after and go back to using my posting key.

There is also the memo key, which I am not too familar with. I know if you are sending money from an exchange, you give them the public memo key. I think the private memo key is used to send a private memo message via the wallet so others can't read the message, but I am not sure myself. Don't quote me on the memo key.

Main thing is to be careful with your keys and use the POSTING key as often as possible. Try not to use the ACTIVE key unless you need to make a transaction in your wallet. NEVER use the MASTER key unless your account is compromised, say you accidently posted your key in public and then you would use the master key to change all the passwords.

Yes, however,
It is never clear what the difference is between the Active and the master key.

the posting key often dos not work / is not accepted.

Then users go into 'aaaah fuck it mode' and just use the key that always works.
and there you have the plot to a disaster. :-)

I'm now on Busy and can't check the actual key names on steemit right away to make my point. As I forgot the exact reason why i get the keys messed up.

The thing is this, is people loose full access to their accounts that is proof that they use the main / master password key phrase or something with an even more interesting name. This is probably the main reason for the confusion since steemit uses a mix these words to describe the same key.

This is where the mess begins

I try to point out why people loose the main key due to the way steemit causes confusion and people just use the master key to get rid of the hassle.

Ahh, okay.

It is never clear what the difference is between the Active and the master key.

My understanding is that the MASTER key is your all-4-one key. You can post, use it for wallet transactions, and change the account password. The last part is important, master key can be used to change the account password!

As for the ACTIVE key, you can use it to post and for wallet transactions, but it can NOT be used to change the account password. So a user who is "phished" out of the active key could lose the steem/sbd in the account, but a hacker cannot change the password on the account. If lucky, the user could log back in immediately with the master key and change all the passwords and lock the hacker out of the account before funds are stolen.

The thing is this, is people loose full access to their accounts that is proof that they use the main / master password key phrase or something with an even more interesting name.

I think the problem starts with Steemit Inc. giving users the master key as the password to use when starting their account. New users don't know that they are supposed to go grab all their passwords (posting, active, memo), and then store away the master key. Most probably are using the master key, and as a result, are giving hackers an all-4-one key to their account.

I'm now on Busy

I just started using Busy, and I don't really like the fact that they require the user to use the active key to log on. I use busy to write a post, but then switch back to steemit which is safer since I only have to use my posting key. Dapps like busy that require users to log on with their active key doesn't help with the phishing issue because users are "accustomed" to using the active key to use the platform. As a result, when there is a phishing attack, the user is then giving the hacker their active key, which would result in stolen funds.

If I have some time, I'll try to write a post to help newbies clarify the different keys and how they should be used. I'm not an expert on the matter, but perhaps one or two users would find it helpful.

My understanding is that the MASTER key is your all-4-one key. You can post, use it for wallet transactions, and change the account password. The last part is important, master key can be used to change the account password!
And that last one should somehow NOT be included IN the combo key.

The master key should ONLY be able to change the 'key chain' (all the user keys) AND to request a fresh master key Yet it should NOT open all the locks including the master lock.

I hope that this is still making sense as it is hard not to confuse the key names that already are a bit mixed up. :-)

I think the problem starts with Steemit Inc. giving users the master key as the password to use when starting their account. New users don't know that they are supposed to go grab all their passwords (posting, active, memo), and then store away the master key. Most probably are using the master key, and as a result, are giving hackers an all-4-one key to their account.

Good point, yet people would then ask MANY annoying questions right from the start. :-D

I just started using Busy, and I don't really like the fact that they require the user to use the active key to log on. I use busy to write a post, but then switch back to steemit which is safer since I only have to use my posting key. Dapps like busy that require users to log on with their active key doesn't help with the phishing issue because users are "accustomed" to using the active key to use the platform. As a result, when there is a phishing attack, the user is then giving the hacker their active key, which would result in stolen funds.

Ah , that explains why i could not log in with any other key LOL I thought it was due to my keys, but now i get it!
As steemit annoys me with a policy wall and 2 checkboxes that i need to click to get to 'MY' money that kinda pisses me off.
Even my bank would not do such a stupid thing. People should always be able to access their money regardless of policy changes. That they are used from the blog stuff thats probably not such a big issue. So i moved to Busy, as that does not lock me out with a BS policy wall. A website should first respect it's users, then users will eventually respect the policy BS if it is reasonable. This is why i never used facebook, and commited 'collective MySpace Suicide' This was a solution cooked up by people who could no-longer live with the policy changed that MySpace forced on people.
It deleted the 'friends list' and all the personal data before it deleted the account.

If I have some time, I'll try to write a post to help newbies clarify the different keys and how they should be used. I'm not an expert on the matter, but perhaps one or two users would find it helpful.

There are many guides out there already and they all add to the confusion
As the way the keys work is a bit weird. And the naming of the keys adds to the weirdness. It would be best if steemit would do something about that. And make it more intuitive and separate the master key from the 'functionality keys'
But i guess the developers would be a bit reluctant about making changes to the key system. :-D

People should always be able to access their money regardless of policy changes.

Don't get me started. I went through the same thing with coinbase. Of course I relented though because they held my money hostage until I confirmed identity. At least you are able to log on to steem with other dapps! That's one good thing.

As for the keys..well, a complicated system require complicated keys! We all know it definitely is not simple on here. Nothing is ever black or white.

@bifilarcoil

And this one :D

Perhaps I will slowly creep back up the engagement league. Being somewhere in the middle ranking is a good starting point.😀