Security Alert - Malicious links to a fake Atomic Wallet are being posted on many crypto subreddits

April 18th 2019 Update: This phishing campaign seems to have restarted, so I am putting this sticky back up. Thank you to /u/atomicwallet for notifying us.

So far this new campaign points to one phishing site: atomwallet [dot] io (Phishing links visible here)

What you can do: If you see these phishing posts, you can help by doing one or more of the following:

- Downvote it
- Report it as spam
- Leave a comment warning other users if there is not sufficient warning in the comments already
- Contact the mods of the subreddit and ask them to implement AutoMod rules to block these phishing posts. There is code to do so near the bottom of this post. The same code to block the last attack would have blocked this one if they implemented it a month ago

Original post below:

Please be advised, we have noticed a network of zombie accounts posting incorrect URLs to Atomic Wallet across much of crypto reddit. The correct URL is AtomicWallet [dot] io, but they will post URLs like cryptoatomicwallet[dot]com or atomcwallet[dot]net or various other domain names similar enough to the real one to fool people. They have usually cloned the real site and the post title is typically about the subreddit's coin being added to the wallet, which is meant to get people excited instead of suspicious.

*This is not an endorsement or guarantee of the correct Atomic Wallet

Here is a page where you can view examples for yourself. It goes without saying, do not click any of these links:
https://old.reddit.com/r/cryptocurrency/search?q=atomic+wallet+self%3Ano&sort=relevance&t=week

Some of these accounts:
http://bit.ly/2ItOpIi

The domains sometimes even have good SEO. A slightly incorrect search term finds the malicious site as the top result on some search engines:
http://bit.ly/2XkQr0D

For users

- Please downvote and report these posts as spam when you see them.
- Leave a comment on the post warning people if someone hasn't already

For moderators

Please contact me if you would be interested in a bot that allows mods across subreddits to collaborate on bans and post removals in cases like these. We've all been plagued with luckygames and other spam before, but this is certainly the worst campaign I've seen. I've been building a bot that should help us in cases like this.

Here is some automod code to catch these posts in their current form. Please note the attack may evolve to evade this rule, so stay on your toes. Several case-insensitive keywords are included, so add or remove entries based on what is right for your subreddit. This will filter posts so they await your approval in modqueue rather than being outright deleted.

    ---
    ###### Section 1A-1 - AtomicWallet scam
    type: submission
    url+title (includes, regex): ['.*atom.*wallet.*']
    ~domain: ["atomicwallet.io"]
    action: filter
    action_reason: "Section 1A-1 - WARNING! Suspected Malware: ."

Analysis

https://www.virustotal.com/#/file/9a704693f6fb909ccbd146cfc4aed9f523f4354ec33a9483b93217cdd13c11d4/detection
https://www.virustotal.com/#/file/edf746b4f2d727ce2659f0ab8d79cdc29807345289bbb03a1eb1aaef2ee0372c/detection
https://www.virustotal.com/#/file/be87b92e02576e4217cb7b11f37dd10891a3563433020caf42dd353d19d726d5/detection
https://www.virustotal.com/#/file/75ce0fc587f5d8815eb261ed8e5b670a9d653f221b6448c0ec3fd33ca7b91e2f/detection
https://www.virustotal.com/#/file/583affa7d444ac2a91931ba470e23917965a34c941e2e53977903c07aa067b7c/detection

The lack of detections on the last 4 binaries should not be taken to mean they are safe. Their hashes are different from the binaries hosted on the proper website.

Submitted February 20, 2019 at 10:17PM
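
To check what the AutoMod rule in the post does and does not catch before deploying it, the following added example (not part of the original post, and not AutoModerator's own code) approximates the rule in Python and runs it over constructed submissions that use the domains named in the post. It assumes the `~domain` exemption covers the listed domain and its subdomains; the titles, the `example` hosts and all function names are made up for the test.

```python
import re
from urllib.parse import urlsplit

# Values taken from the AutoMod rule in the post.
PATTERN = re.compile(r".*atom.*wallet.*", re.IGNORECASE)
ALLOWED_DOMAIN = "atomicwallet.io"

def refang(text):
    """Turn the post's defanged 'name [dot] tld' notation back into a hostname."""
    return re.sub(r"\s*\[dot\]\s*", ".", text)

def is_allowed_domain(url):
    """True only for the allowed domain itself or a subdomain of it (assumption)."""
    host = (urlsplit(url).hostname or "").lower()
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)

def automod_action(title, url):
    """Return 'filter' when the rule would hold the post for modqueue, else None."""
    if is_allowed_domain(url):
        return None                      # ~domain: the real site is exempt
    if PATTERN.search(url) or PATTERN.search(title):
        return "filter"                  # url+title (includes, regex)
    return None

# Constructed submissions: titles are invented, lookalike domains are from the post.
SAMPLES = [
    ("XYZ coin added to Atomic Wallet!", "https://cryptoatomicwallet[dot]com/"),
    ("New listing announced",            "https://atomcwallet[dot]net/download"),
    ("Big news for holders",             "https://atomwallet [dot] io/"),
    ("Atomic Wallet adds XYZ",           "https://AtomicWallet [dot] io/"),
    # Real name used as a prefix of another host: must not be exempted.
    ("Atomic Wallet adds XYZ",           "https://atomicwallet.io.example.net/"),
    # Coverage gap: neither URL nor title contains "atom...wallet".
    ("Big news for holders",             "https://at0m-w4llet.example/"),
]

def run_samples():
    return [automod_action(title, refang(url)) for title, url in SAMPLES]

if __name__ == "__main__":
    for (title, url), action in zip(SAMPLES, run_samples()):
        print(f"{action or 'pass':6}  {url}  | {title}")
```

The last sample passes unfiltered, which is the kind of drift the post warns about; reports and the modqueue remain the backstop for anything the keyword pattern misses.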
