Investigation: Active "steemit.network" Phishing Campaign Targetting Steem Users.

in #steemit7 years ago

So, earlier today, I was alerted to an active phishing campaign targeting Steemit users by the wonderful @mars9 in this post. I might be currently on my holidays, but people like me who work in computer security never really take a fucking break.

Now, in their post, they redacted some details. I don't do redaction. So I decided, despite it being my holiday, to do some quick and dirty investigation of this phishing campaign. Outlined below is what happened. This post will be screenshot heavy, as it is kind of a visual walkthrough of how I did a quick investigation of this whole thing.

phish.jpg

The "Deceptive Comment"

So, from mars9's posting, I quickly located the deceptive comment in question, which I have added a screenshot of below. As you can see, it contains a bit.ly link, which is our first point of investigation.

Screenshot_2017-06-04_23-58-17.png

Analytics Pages are Useful.

So, a bit.ly link. There is a neat trick where we can check its analytics by appending a "+" to the end of the URL, so we do that... At this time, the link has had 40 "clicks".

Screenshot_2017-06-05_00-25-34.png

Following the Phish...

Our next trick, is using the command line utility "curl" to request the bit.ly link and see where it is taking us. For now, I don't want to hit the phishing URL in a browser at all.

Screenshot_2017-06-04_23-59-25.png

Further Down the Rabbit Hole...

So, we are being redirected to something called "steemit.network". This seems like a good lead, lets follow this trail onward... By opening it in the Tor Browser for safety. I did not want to open this in a browser with any active login sessions as a precaution!

So, we see it is a... Open directory with one link, to an "indexxxxx.php" script. Lets click it!

Screenshot_2017-06-05_00-01-08.png

The Phishing Page

I really, really regret not grabbing the HTML source of the page while I had the chance. You will see why this is not possible in a few minutes ;)

The page is pretty clever - it mimics the Steemit interface pretty well, and people are used to having to login again when their session times out. Quite evil, really!

Screenshot_2017-06-05_00-01-30.png

The DNS Story

So I decided the logical next step would be to use the PassiveTotal service to dig up Whois data and other DNS data on this threat actor. The following screenshots tell that story.

Screenshot_2017-06-05_00-03-03.png

And here we have OSINT data of "places this link/site was posted to"... It seems our phishing person was quite active.

Screenshot_2017-06-05_00-04-26.png

We also were able to determine that the phishing page was hosted on THC-Servers. So...

The Happy Ending

I quickly got in touch with the THC-Servers abuse team. They responded incredibly quickly and terminated the site and its user, eradicating the threat. A happy ending for all involved!

Screenshot_2017-06-05_00-33-08.png

Lessons Learned

Fucking asshole criminals are targeting Steem users. Be vigilant, be wary, and if you see anything, feel free to drop me a line or tip me off and I will look into it. Also, THC-Servers are very good at responding to abuse complaints!

Sort:  

Thanks man. Can never be too careful on ANY platform nowadays. Fist rule of thumb: Do not EVER click on links that look fishy. a bit.ly link? Um, nooo.

Using TOR was a good idea! You're bringing me back to a few years ago where I was working on computers everyday. Actually a lot of fun. I'm glad you are helping bring this information to the community.

You can always use tools like GetLinkInfo to know where the link is redirecting you, there are some userscripts too but if you are in paranoid mode (which is the correct mode to be) I don't recommend it to you if you don't know javascript.

@synapse ... having been hacked before and coins stolen https://steemit.com/steemit/@bitrocker2020/i-got-hacked
I am glad to know that you've taken your time and efforts to hunt down these bastards who thru their cunning and technical knowledge tries steal precious coins from innocent people. Great work and fantastic sharing buddy. up, re & fo ... hope to hear more from you . @bitrocker2020

It's despicable. There is nothing that gets under my skin more than hackers who are trying to steal from innocent people.

Hi brother thanks a lot to you
On protection and distinctive explanation
Really thank you brother...

Wow, you certainly know all the tools, thanks for the heads up about Steemit phishing. STEEM has a quite high value now so naturally it would become a target.It's great that it was caught early. Law enforcement should be set upon the perp.

Resteemed, very useful.

the site is down, you did a great job

so I gotta ask, did you call him from a pay phone?

I was tempted to phone the number, but no pay phones out in the place I currently am. Might give the number a call from the airport tomorrow though...

you think that's his real name?

I really doubt the name is real. I might email the email address though. The phone is likely bogus, but could be hilarious to try calling anyway :)

please do post what happens when you call!

Great post, we are always learning, thanks for sharing with the comunity! <3
resteemed

It is good to know there are people in the know on here. People who don't can get tricked and lose. Thanks, upvoted ,followed,and resteemed