Steem Funded Browser Extension To Prevent All Phishing Attacks
Are you sure that was steemit.com not steelitdotcom?
Steelit.com? What are you talking about? There have been more than 15 steemit clones in the past two months and their only purpose is to steal as much accounts as possible. The clones are indentical to steemit.com but have different names like sleemit, steewit, steelit, etc... Once you get redirected to the clone by clicking on a link on steemit (commented by the hacker spamming from stolen accounts) everything will look exactly the same as here but when you try to upvote or comment, you'll realize that you aren't logged in and that's when you unknowingly give your account info and lose everything you had in the wallet.
Is your account safe?
Judging by the scale of the attack, chances are that you have seen the spammy comments leading to the phsihing sites at least a couple of times. But did you follow them them? YES, NO? How can you be sure? Some of the messages wren't that obvious and seemed somewhat genuine. Think again. Did you get "logged out" of "steemit" recently? That's something that can happen on steemit sometimes but usually you just need to refresh and you are back in. When on a steemit clone, you will always be logged out as the goal is to get you to enter your account information. How can you be so sure that the last time you got logged out of steemit you werent on a clone? You can't, because you didn't check the URL to see if you are actually on Steemit.com or on Steewit.com.
How to protect your account?
The first thing I would suggest everyone that is in doubt to do is to change your password immediately. That way you can be sure that no one can change it, even if they had the old one. Next download Steemed Phish. It's a browser extension made by @quochuy as an answer to my request 50 SBD Bounty To Make an Anti-Phishing App For Steemit
That's pretty much it. You can now carelessly browse through Steemit without paranoya of constantly fearing and checking URLs to ensure you are not on a scam website because as soon as you land on it or encounter a link promoting it, Steemed Phish will give you a message and a full page warning.
About Steemed Phish
The extension works with:
- a whitelist of friendly Steemit websites
- a blacklist of known scam websites
- checks of external links on friendly websites and make them obvious
This extension will validate Steemit related websites by changing its icon color:
- red is for blacklisted sites
- green is for recognised friendly sites
- grey is for unrecognised sites
When a site is neither whitelisted or blacklisted, Steemed Phish will try to check the URL structure to find known patterns and flag a link as supsicious by coloring it in pink.
There are currently 19 blacklisted websites and 31 whitelisted websites.
Phishing Alerts
If a user lands on a phishing website, Steemed Phish will display two types of alerts:
- a dialog that shows up even if the page was loaded in a tab in the background
- a full page alert, that covers the whole phishing page and offers a link to go back to Steemit.com. The full page alert also reminds the user of not using their Steemit Keys on unknown websites and keep their password (Owner Key) safe.
When landing on a phishing site the app will warn you and prevent any action untill you confirm the warning message
Once the page is loaded the app will display a full page warning when possible
Expand shorten URL
Some links are shortened using services such as bit.ly, this prevents people from easily analysing the URL of the link. Steemed Phish uses a link expanding API to determine the destination URL of a link and then compare it again against the white/blacklist logic above.
Making external links more visible
Ideally, a user should be more careful on links they are clicking on by always paying attention to the URL of an anchor. But this is easier said than done and even the most experienced user can let down their guard sometimes and get tricked by the scammers.
Recently, Steemit.com, has added a feature that marks external links with a grey icon on the right of each links. Steemed Phish will make that icon more obvious by coloring it in purple. On top of that, it will make a bubble appear next to the mouse cursor with a text explaining the fact that clicking on the link with leads you away so don't use your password. This bubble won't show up on friendly (whitelisted) websites.
Roadmap and potential ideas
- make a bot that browses steemit for reports and extract URLs to be added to the blacklist
- make a bot that follows another bot (@guard) and listens for its downvotes and update the blacklist accordingly
- monitor the https://steem.chat/channel/steemitabuse channel for more URls to be added to the blacklist
- If Steem Guard project goes live, use its API to update the blacklist: https://steemit.com/steem/@hernandev/proposal-steemguard-phishing-and-scam-protection-tools
Big thanks to @quochuy for making the app and @ebargains for donating 25 SBD to increase the reward pool!
Show your appreciation by voting him as a witness or by directly donating Steem/SBD to his steemit account. To vote, go on the Witness Voting page, tipe in @quochuy and cast your vote.
I'll make a PR campaign that anybody can join with the goal of warning people about the ongoing attacks and introducing them to Steemed Phish Everyone that participates will be rewarded.
You'll be able to write a post or make a dtube or dlive video and even a meme as I did here and let everyone know about the problem and solution. Every contribution will be rewarded with an upvote while top 3 will split a 10 SBD bounty. Quality posts and those that reach more people will get bigger upvotes and have a higher chance to land in the top 3. If that's something you would like to participate in, stop by my blog tommorow evening or the day after in the morning hours.
Interesting phishing attempts are growing massively over the last year and some are rather sophisticated.
How difficult can it be to check URL before clicking? I don't get it. Those who fall for phishing attacks deserve it, because they are so obvious.
You wouldn't believe how many people don't even know about phishing attacks. Imo, Steemit should be safe to use for everyone, even the most careless of users.
those have to be kids who usually just check youtube and facebook. or maybe older people who just got taught how to handle pc... just my thought
I have never clicked any of those. Having to input one's details should set the alarm off anybody's head.
But like @runicar said some don't even know about it. This post and especially the extension is a welcome development.
WARNING! A link in this post by @runicar leads to a known phishing site that could steal your account.
Do not open links from users you do not trust. Do not provide your private keys to any third party websites.
ALL STEEMIT HAS TO DO IS ADD AN ALERT
"you are now leaving steemit"
HOW FUCKEN HARD IS THAT?
Thanks so much for this post @runicar.. You have done a very nice job by trying to help other steemians especially newbies like me..
At least, now i will have to be more careful now on steemit. Thanks once again
Hello friend if it has happened. To several friends it is very terrible this thanks your valuable information that a great day greetings
You got a 12.74% upvote from @postpromoter courtesy of @runicar!
Want to promote your posts too? Check out the Steem Bot Tracker website for more info. If you would like to support the development of @postpromoter and the bot tracker please vote for @yabapmatt for witness!
That's why I convert all my sbd to steem and all my steem to steempower.
It'll take them too long to get anything. Steemit shouldn't be viewed as a job but as a long term investment, imo. With crypto currencies going up and down all the time, it's not a good idea to base your life and bills on this as a means to live.
Thank you for the post, Now I Know!
cryptonite by metacert is also a great way to protect your account:
https://steemit.com/phishing/@holger80/steemit-com-is-finally-verified-by-cryptonite-by-metacert