PSA! Be very careful clicking on links from non-reputable Hive users

in #psa, 6 months ago

I recently received a memo message for a "survey" from an account with no post or comment history asking me to go to a website with a Hive-related name. It seems to be starting on accounts with the letter A, so I thought I'd get this message out before it reaches many others.

Be very careful with clicking on unknown links from accounts with no history or reputation on chain. This is a sure way to get your keys stolen and account hacked and that's the case most of the time with these that come out of nowhere.

I'm not going to link to the account here but I'm sure it's not that hard to find it based on my first paragraph, but I suggest you don't and just warn others about it.

It's very cheap to send mass links to Hive accounts, since it only costs 0.001 Hive to send a memo with a large message, and you don't need that much Hive Power or RC delegation to send out a lot of them. 100 Hive would be enough to send to 100,000 accounts, and for these hackers it's enough that they manage to steal funds from a few accounts to profit off of that activity.

Anyway, that's it. I'd prefer not to have to spend more time trying to recover people's accounts due to things like this and have brought up this issue with others in the past to figure out ways to mute accounts with suspicious/potentially harmful activity such as this from front-ends.


Banner from pexels.com


Thanks for the warning @acidyo!

This one is particularly sneaky because of its "genuine looking" nature. Research study? Sure. No promise of "riches," just a small token thank you for participation.

Checked it (I have a "trash machine" I use only for dodgy stuff)

Launches from what is actually a legit domain. No weirdness. No forwarding. No sneaky background install/download attempts. Actually has an entire "survey" that looks like could be genuine. Includes limitations to disqualify people. Everything looks copacetic till the very end where you click to "submit" the survey.

Then there's a "you have to be logged in to get your reward" message.

BIG RED FLAG!! Of course you don't have to be "logged in" for someone to send you a couple of Hive.

Just a warning to all that some things can be set up to be incredibly authentic looking!

=^..^=

Hey thanks for taking the time to check it out! And yeah, that's where many would fall for it along with looking somewhat harmless early on.

Whoever did this went to a lot of trouble to disguise their intentions, OR it's a genuine thing that was very poorly conceived... because if they can send us 0.001 Hive without being logged in, they can also send people 3 Hive without being logged in... all they need is your username, and that's public information. Besides, why send a wallet memo, rather than just make a public post about who and what they are? Pretty sketchy...

The reason I even mention "genuine" is that the names given as originators of the survey ARE verifiable faculty members at the University of Hong Kong.

Sad that we live in a world where we have to be so uber-suspicious of everything...

=^..^=

It's actually perfectly reasonable to have someone sign a message to authenticate who they are. It would be a means to prevent impersonation and to a degree sybil attacks.

The only keychain command I received was to sign a message, i.e. to log in. However, it is entirely possible that the back-end code sends different commands to different users (depending on the value of the account, for example). The important thing for users to do is to learn the skill of evaluating the transaction that they are signing. In principle, even trusted sites like peakd.com and hive.blog could cheat users by doing a 'switcheroo' with transaction details in a keychain command.

I would also suggest that the use of memo messages is probably part of the study design to avoid sampling bias. Making a post about it would encourage major sampling bias.

That is certainly a valid point.

At the same time, relying only on responses from a wallet memo creates its own sampling bias in that you're only going to get responses from people who are not suspicious of wallet memos... which almost suggests that there's really no "winning" in trying to conduct such a survey, if it actually IS legit.

=^..^=

This certainly sounds and looks very strange, but the person behind this seems to be a legitimate person who is indeed a researcher.
https://www.hkubs.hku.hk/tc/people/sichen-dong/
This may actually be a real survey, but one being conducted in an inappropriate way.


I have not yet seen the "you have to be logged in to get your reward" message, so I am not sure where it is, and of course I discourage everyone from logging in to it.

It looks like a rather sophisticated campaign.

Did Fakebook for you too. Thanks for the heads up.

Thank you for this warning which I will pass on as often as possible. I have not yet been confronted with this situation but never exclude that one day it could happen. Thanks again for the warning

Thank you for the heads up, we can never be too cautious
I believe that this may actually be legit, so I sent him an email asking him to make a post on hive in order to address any questions by the community here.
Thanks again acidyo

Let me know what they say, and mention that login isn't needed, especially without keychain.

I am not sure if they use keychain, because I did not move to the next step - but they mention using it.


I will definitely let you know when they reply (and I think they will)

They seem to be using Hive Keychain BUT they oddly ask for the active key when the posting key is enough to log in.

More info here

Thank you very much for alerting us. I will immediately spread this message.

👌

Giving security advice is always helpful, especially for new users. Since I've been here on Hive I've helped some unfortunate Hivers get their accounts back, and except for one case where the email had been hacked, all the other times the problem had been a click on a link promising rewards, so you did well to write this post.
Have a nice weekend

Be very careful with clicking on unknown links from accounts with no history or reputation on chain. This is a sure way to get your keys stolen and account hacked and that's the case most of the time with these that come out of nowhere.

Thanks for this warning.

Thank you for the reminder. Rather than, "mind the gap," it's "mind your account."
Appreciated.🥰

I'm sure there's still going to be people who will fall for it. No matter how many times we warn them, there's always going to be the handful of greedy people who will do anything for a few cents

Grateful for the notice, I will pay attention from now on and I will share this post so that it reaches more people 🙏

Maybe once a rogue memo is discovered (containing a malicious link) the front-ends could flag the memo in the wallet feed.

So something like this: Received from accountname

Would become something like this: Received from accountname Hacking Attempt

Or something along those lines.

As I recall, we do have an automated utility under the account name @keys-defender which spots account hacks/hack attempts, but this sort of thing may be outside their scope, since there — on the surface — is nothing malicious about the submitted URL.

Yeah I am aware of that service and tend to think this sort of thing is 'outside their scope' as well... hence my suggestion to integrate a protection mechanism into the wallet feed itself.

Perhaps it can be expanded to do that but I think a front-end approach would be more effective... or at least more 'in your face' when looking at the memos.

When a link or author is marked as malicious, their memos are immediately followed by mine warning the user that received it.

Integrating the wallet feature to grey out memos from malicious users would be better though. (see thread below)

cc: @curatorcat

It was discussed that the best option would be to grey out a memo once the community flagged an author or link as malicious.
It's up to the Hive frontends to implement this, though.

ie. @peakd @ecency @leofinance @quochuy (hive.blog) etc

The community uses my bot (this) to mark authors and links as phishing (see info about my !phishing command at the bottom of this recent post of mine about this same topic as this post) and the flagged users/domains are available to everyone HERE.

Note: top-40 witnesses can blacklist users/links, or alternatively 3 users with reputation above 50 reporting the same user/link. Auto-upvotes are in place to incentivize reports, and whitelists are used for reputable users/domains.

Hopefully we see the frontend developers put this to use!
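As an added example (not @keys-defender's own bot code), here is a small evaluator for the report-acceptance rule described in the note above: a report from a top-40 witness blacklists the target on its own; otherwise three distinct reporters with reputation above 50 must name the same user or domain, and whitelisted users/domains are never blacklisted. The witness names, whitelist entries, reporter names and reputation values are constructed samples, not real data.

```javascript
// Added example (not @keys-defender's code): evaluator for the report rule
// described in the thread. Names and numbers below are constructed samples.

const TOP40_WITNESSES = new Set(['witness-a', 'witness-b']);         // constructed
const WHITELIST = new Set(['peakd.com', 'hive.blog', 'good-karma']);  // constructed
const REP_THRESHOLD = 50;   // reporter reputation must be strictly above this
const REPORTS_NEEDED = 3;   // distinct qualifying reporters needed per target

// Targets are users (with or without '@') or domains; compare them case-insensitively.
function normalizeTarget(target) {
  return target.trim().toLowerCase().replace(/^@/, '');
}

// A ledger holds pending reports (target -> set of reporter names) and the blacklist.
function createLedger() {
  return { pending: new Map(), blacklisted: new Set() };
}

// reporter: { name, reputation }. Returns what happened to the report.
function submitReport(ledger, reporter, target) {
  const key = normalizeTarget(target);
  if (WHITELIST.has(key)) return { status: 'ignored', reason: 'whitelisted' };
  if (ledger.blacklisted.has(key)) return { status: 'already-blacklisted' };

  // A single top-40 witness report is sufficient.
  if (TOP40_WITNESSES.has(reporter.name)) {
    ledger.blacklisted.add(key);
    ledger.pending.delete(key);
    return { status: 'blacklisted', reason: 'top-40 witness report' };
  }
  if (reporter.reputation <= REP_THRESHOLD) {
    return { status: 'ignored', reason: 'reporter reputation not above 50' };
  }
  // Count each reporter once per target so one account cannot reach the quorum alone.
  const reporters = ledger.pending.get(key) || new Set();
  reporters.add(reporter.name);
  ledger.pending.set(key, reporters);
  if (reporters.size >= REPORTS_NEEDED) {
    ledger.blacklisted.add(key);
    ledger.pending.delete(key);
    return { status: 'blacklisted', reason: `${REPORTS_NEEDED} independent reports` };
  }
  return { status: 'pending', reports: reporters.size };
}

function isBlacklisted(ledger, target) {
  return ledger.blacklisted.has(normalizeTarget(target));
}
```

The ledger counts reporters per target as a set, so repeated reports from one account never add up to the quorum, and the whitelist check runs before anything else so a reputable domain cannot be blacklisted by mistake.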

What's the best way to access a list of malicious author / links?

Here you go! 💪

// Requires the hive-js client: npm install @hiveio/hive-js
const hive = require('@hiveio/hive-js');

// Each list is stored as the JSON body of a post under the @keys-defender account.
var PERMLINKS = {
    HACKED_USERS: 'hacked-users-db',
    SCAM_DOMAINS: 'scam-domains-db',
    COMPROMISED_DOMAINS: 'unsafe-domains-db', // eg. when 3speak got stolen
    PHISHING_DOMAINS: 'phishing-db',
};
// Other phishing lists that @keys-defender consumes to counter comment/memo spam:
// https://spaminator.me/api/p/domains.json
// https://raw.githubusercontent.com/gryter/plentyofphish/master/phishingurls.txt

hive.api.getContent('keys-defender', PERMLINKS.PHISHING_DOMAINS, (err, result) => {
  if (err) { console.error(err); return; }
  console.log(JSON.parse(result.body)); // the post body holds the list as JSON
});


Thank you @keys-defender.

Posted via D.Buzz

There is similar project that as far I know is already integrated into multiple frontends: https://github.com/ecency/hivescript

Would be so much easier for everyone if you integrate your work with the list that is already there.

Interesting, never seen that one before. Will consume those lists too.
The contributors seem to be @good-karma, @therealwolf, @rishi556, @holger80, @reazuliqbal, @quochuy.

  • It does not seem to be actively maintained though; those lists haven't been updated in 2.5 years (1.5 years for bad actors and 2.5 years for bad domains).

  • Using that library, getting an updated list of known bad actors/domains requires you to pull the updated npm library and do a frontend release. Not as quick as required to counteract phishing waves.

Besides the lists of bad actors/domains in my "database", KD consumes @guiltyparties / @logic lists too:

So ideally Hive frontends should consume from all 3 sources. Or let the user decide which ones to consume from (eg. with checkboxes).

Mine is going to keep being actively maintained as it has for the past 3.5 years.
That's also because I have more development plans for this bot, as the token of my game (crypto shots) will be used to unlock premium features for this and other projects of mine in order to add utility. [spoiler 😉]
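As an added example (neither @keys-defender's nor hivescript's code), here is what consuming several sources at once and using the result in a wallet feed could look like: the sources are merged into one normalized blocklist, then each incoming memo is screened and labelled, with the "Hacking Attempt" label and greying-out suggested earlier in the thread. The source records are constructed samples shaped like what a frontend would hold after fetching the @keys-defender permlinks or a hivescript-style list; every domain, user and memo in it is made up.

```javascript
// Added example (not @keys-defender's or hivescript's code): merge several
// blocklist sources and screen wallet memos against the result.

const SAMPLE_SOURCES = [ // constructed sample records, not real blocklist data
  { name: 'keys-defender/phishing-db',     kind: 'domains', items: ['Hive-Survey.example', 'https://login-hive.example/claim'] },
  { name: 'keys-defender/hacked-users-db', kind: 'users',   items: ['@Stolen-Acct'] },
  { name: 'hivescript-style/bad-actors',   kind: 'users',   items: ['scammer1'] },
  { name: 'hivescript-style/bad-domains',  kind: 'domains', items: ['wallet-hive.example'] },
];

// Reduce 'Example.COM', 'https://example.com/x' or 'example.com.' to 'example.com'.
function normalizeDomain(entry) {
  const raw = entry.trim().toLowerCase();
  try {
    const host = new URL(raw.includes('://') ? raw : 'http://' + raw).hostname;
    return host.replace(/\.$/, '') || null;
  } catch (e) {
    return null;
  }
}

function normalizeUser(entry) {
  return entry.trim().toLowerCase().replace(/^@/, '');
}

// Union of every source, so a frontend can consume all of them at once.
function buildBlocklist(sources) {
  const domains = new Set();
  const users = new Set();
  for (const src of sources) {
    for (const item of src.items) {
      if (src.kind === 'domains') {
        const d = normalizeDomain(item);
        if (d) domains.add(d);
      } else {
        users.add(normalizeUser(item));
      }
    }
  }
  return { domains, users };
}

// Full URLs first, then bare host names such as 'hive-survey.example'.
const LINK_RE = /https?:\/\/[^\s<>"')]+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi;

function extractHosts(text) {
  const hosts = [];
  for (const m of text.matchAll(LINK_RE)) {
    const h = normalizeDomain(m[0]);
    if (h && !hosts.includes(h)) hosts.push(h);
  }
  return hosts;
}

// 'login.bad.example' matches a listed 'bad.example'.
function hostIsListed(host, domains) {
  const parts = host.split('.');
  for (let i = 0; i < parts.length - 1; i++) {
    if (domains.has(parts.slice(i).join('.'))) return true;
  }
  return false;
}

// transfer: { from, memo }. Returns the label the wallet feed should show,
// whether the row should be greyed out, and which listed hosts were found.
function screenMemo(transfer, blocklist) {
  const hosts = extractHosts(transfer.memo || '');
  const senderListed = blocklist.users.has(normalizeUser(transfer.from));
  const badHosts = hosts.filter((h) => hostIsListed(h, blocklist.domains));
  if (senderListed || badHosts.length > 0) {
    return { label: `Received from ${transfer.from} Hacking Attempt`, greyOut: true, badHosts };
  }
  if (hosts.length > 0) {
    return { label: `Received from ${transfer.from} (contains a link)`, greyOut: false, badHosts };
  }
  return { label: `Received from ${transfer.from}`, greyOut: false, badHosts };
}
```

Because the lists are normalized to bare host names and matched by suffix, a listed domain also catches its subdomains, and a memo that carries any link at all gets a milder "contains a link" label even when nothing in it is listed yet.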

By adding the list into the above hivescript, we could potentially have the same API from multiple frontends, pointing to the same list. @asgarth what do you think? Is your @keys-defender db or code open source, which we can use to combine somehow and create multiple endpoints of the same list?

Totally agree. A single list (or at least a single API) will be so much easier to handle for multiple frontends.

@good-karma you mean having hivescript dynamically consume data from my "database" and the other APIs maintained by other Hive folks?

Yeh we could fork that repo (not loving the name) and add that code there.

Something like:

import { fetchBadUsers, fetchBadDomain } from '@hiveio/newname/index.js'

For mine it's just a matter of doing this:
https://peakd.com/psa/@keys-defender/re-quochuy-s3wa0h

Repo forked and added this to my backlog but not really sure when I'll have some free time for this.

I've received countless messages like this from inactive Hive account users when I first joined Hive; thankfully I really do not like clicking on links unless I am sure where they are leading me to.

Thanks for the reminder once again.

If you come across phishing links, please report them using my !phishing command.

More info at the bottom of my recent post.

We had an account executive-board sending links to all new users and my bot was automatically warning all potential victims with a memo right above it.
Now they stopped but others may come so it's up to the community to report them.
Thx

Okay no problem.

Thank you for this Information.
New users like me would have been victims if we didn't get information like this

Thanks for the heads up. I got something similar the other day. I just ignored it, but I was a little surprised because it was the first memo message I have gotten like that in quite some time. Perhaps the impending bull market is bringing the bad actors out of the shadows!

We're bound to see much more of this as Hive grows. The apps could show a warning if a memo has a link in it. They could blacklist scammy accounts too as soon as someone alerts them.

I don't actually check for memos too often, so I may miss some.

I'm 'Administer' lol! Was surprised it was even available, about 2 yrs ago. I know it's not 'Administrator', but most people wouldn't notice the difference.

I know it would be exceptional for scamming but I didn't get it for that. I just thought it was funny AF. I wouldn't scam. I like it for a couple of reasons.

congrats, lol

Cheers for the heads up @acidyo

Thanks for your advice

Thanks for heads up, I'll look out for them

I saw that shit too in my transfers, but first and foremost I treat everything which I do not know with big distance. Hope that many people do not click anything from suspect persons and they will be safe. Mostly folks are aware of fake big prize wins in other crypto, when without any lottery they won something. Transaction senders with memo know that transfers are permanent in history, so they can reach a big audience. This is not a good side of a blockchain, when we can't delete these transfers from wallet logs to prevent others seeing that message, but try to keep safe and be careful.

We could still hide them or grey them out once they are flagged as malicious. It's up to the various Hive frontends to do that.

(I am maintaining a public record of blacklisted users/links - see here at the bottom)

Thanks for the warning. I think frequent reminders like these help keep people on their toes. While not clicking links is a basic thing everyone should be aware of, some people do forget or make the mistake of doing so.

This is sad, especially considering that they are impersonating a legitimate place...

My first reblog in ages!

This post has been manually curated by the VYB curation project

We have to be very careful with any and all types of links or strange elements that arrive in our DMs or emails, whether on traditional social networks or here on Hive, you can't be too careful.

My discord has already been full of scam messages trying to scam me, I simply block everything strange that arrives. We need to stay alert at all times so that we don't fall for these scams.

I'm not going to advise others to take the survey because it's entirely possible that it will send a different keychain command to others, but I filled in the survey and the only keychain command that was sent to me was to sign a basic message, which is perfectly safe to do.

I used an alt account just in case, but there was no maliciousness involved that is apparent to me as of now.


Their code does not seem to do something tricky like that, for now. So they would have to put out a new version that does that. And it's defo possible.
It looks like they stopped issuing rewards so noise around this should stop soon.

I am highly grateful for this timely piece of advice. I will be watchful and spread this information.

@acidyo

Just to let you know; while trying to claim delegation rewards for holozing my AV is blocking the page and it's telling me it's a botnet.