Steem Blockchain: Phishing/Hacking Response

in utopian-io •  5 years ago  (edited)


Image source and phishing information

Phishing and hacking are both taken extremely seriously on the Steem blockchain. Although these incidents are becoming less frequent due to the hackers/phishers moving away from Steem for easier targets (we try to make it as difficult as we can for them), they still occur from time to time.

The purpose of this post is to advise you as to what to expect when a phishing/hacking incident gets reported to myself, one way or another.

Typical phishing/hacking response

All or part of the following steps get covered for each reported incident.

Manual check of all transactions

Every transaction that has to do or potentially has to do with the incident is manually checked. The hacking is then confirmed or an alternate reason for the alarm is found.

Mute by @plentyofphish

The @plentyofphish account holds the master list of hacked accounts on Steem. The list is accessible through querying who the account has muted. Once the owner recovers the account, it is unmuted to remove it from the list. (More information on the Plenty of Phish project can be found here http://pofpofpof.com -- the account is largely maintained by @bullionstackers)

Marking downvote by @plentyofphish

There are times the account will downvote a post to mark it for future investigation or to remove rewards that the hacker is awaiting. (When @plentyofphish isn't fighting hackers, it's being used to fight spam)

Add to Github list

The name of the hacked account is added to the Github list (found in the Plentyofphish repository at https://github.com/gryter/plentyofphish) of all hacked accounts.

Add to Phishing list on Spaminator/Mack-Bot interface

The account is added to the main list for downvotes by the Spaminator/Mack-Bot bots. The bots are manually restarted to make sure that the list is adapted that very second.

Comment on account

A comment is left on the hacked account to make sure that the owner knows that they've been compromised. Often, account owners are unaware until funds start getting removed from their wallets. The comment may be left by an official account or a personal account belonging to one of the Steemcleaners (@pjau or @logic aside from myself).

Comment and flag by @quarantine

The @quarantine account will come in and provide a warning and explanation comment, as necessary. It will also downvote to ensure hackers do not receive rewards.

Manual downvote or nuke, as deemed required, by either Spaminator or Steemcleaners

The nuke demolishes the reputation of an account, making it unattractive to hackers. The goal is to make the hacker abandon the account so it may be recovered by its original owner.

Contact with account owner, often through various intermediaries

Additional effort to reach the account owner, which sometimes includes phoning them or messaging them, is undertaken to ensure they are immediately aware of the situation and can react before their funds are stolen and account damaged.

Message to trustee account operator if not @steem

Where the trustee of the account (the account that created it and acts as a recovery) is not @steem, a message is sent to them to give them the heads up that they will need to run their recovery script soon. That lets them prepare for when the user initiates recovery and we all collectively make sure that the user has the correct information on how to recover.

Warning messages by @guard

Where a hacked account is used to spread phishing links, @guard (run by @anyx) and @arcange will provide warning comments as applicable to ensure no one clicks on them.

Recovery followup

When the account receives its recovery email from @steem, due to certain discrepancies in Steemit Inc's mailing system, follow up is needed to make sure the account is indeed recovered. (More details below.)

We've gotten the above down to a science through years of practice.


This is what the @plentyofphish repo looks like. Easy for everyone to understand and browse.

@Steem Recovery Issues

Since the split between the main steemit.com website from its wallet, or steemitwallet.com, recovery emails have not worked without tweaking. This is a known issue that the Steemit Inc team is working to correct. To get a recovery email to work you must replace steemit.com in the emailed recovery URL with steemitwallet.com. The URL will then work.

False Positives

You can also see by the above list how many people are potentially involved in rectifying a single incident of phishing. This includes false positives or suspicious incidents that are treated as a potential hacking.

For example, when one user mistakenly made an out-of-character post revealing a DTube key, the following people were involved aside from myself: @ookamisuuhaisha reported the suspicious post in the Steemcleaners Discord, @justyy contacted the user through an off-chain method, @bullionstackers helped investigate, @heimindanger clarified the process and the mistake that led up to the post. That's four additional people for a single case.

This type of a response is the norm. In a real incident, the speed of the response is the main factor.

Challenging Cases


Pixabay: Image by qimono

Hacking that involves users that are specifically targeted is usually very challenging to deal with. There are typically additional elements involved such as the hacker being someone the victim knew and trusted. These are rare.

You can see by the false positive example above how many unrelated community members it takes to rectify just one small incident. Those numbers are greatly amplified where an actual case is identified, particularly where it is either a large account whose hacking can cause additional repercussions or it's a targeted case.

The largest most-complex case we dealt with involved a number of Steem developers and witnesses, Steemit Inc team members, and several external cybersecurity/police specialists. All of these people volunteered their time and expertise.

Part of what I do is keep track of cases where a hacking or other malicious act occurred. Even where I don't publicly disclose the knowledge, I am fully aware of who is responsible for which scam. Particularly when it has to do with a compromise of someone else's account or system. Keeping up the level of awareness helps in learning from the previous incidents to effectively respond to anything that will happen in the future and keep the Steem ecosystem better off.


Like what we're doing? Support us as a Witness.
Go to https://steemit.com/~witnesses
At the bottom, type in guiltyparties
Click VOTE


Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

There was so much valuable information in this post concerning process and really provides a lot of insight.

This part I found particularly helpful and could save vital time to recover a compromised account which is of the essence.

To get a recovery email to work you must replace steemit.com in the emailed recovery URL with steemitwallet.com. The URL will then work.

I'm going to put that in my hip pocket and hope I never need to use it. All in all, I consider this post a home run. Great work, @guiltyparties!

Your contribution has been evaluated according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.

To view those questions and the relevant answers related to your post, click here.


Need help? Chat with us on Discord.

[utopian-moderator]

Posted using Partiko Android

Thank you for your review, @anthonyadavisii! Keep up the good work!

Okay

First thank you ( and all the other mentioned accounts ) for all the work. And its sad that its needed. We come across Some cases in the steemterminal where new account sometimes make a big mistake by not knowing the keys. I Will make sure to have this blog pinned there for information use.
Do you think the HF21 Will be a moment to be more aware than we normal already are ?

Agreed my friend, but thoughtful (see what I did there) for all of the above mentioned accounts... yes... upvoted, resteemed... Appreciate all your support, work, and time my friends...

Thank you...

this will help us understand about those account has been hacked. It should be resteemed and anyway thanks for this.

Posted using Partiko Android

This is some great information @guiltyparties! Resteeming so I remember. 😁

So grateful you work so diligently to keep us safe! It takes quite a group as these hackers are indeed persistent. Thank you @guiltyparties :)

Hello!

This post has been manually curated, resteemed
and gifted with some virtually delicious cake
from the @helpiecake curation team!

Much love to you from all of us at @helpie!
Keep up the great work!


helpiecake

Manually curated by @vibesforlife.

Thank you for this @guiltyparties and all you and your team do to keep us less savvy folk safe on the blockchain. It really is appreciated.

Gladly noted!

Noted, and all blessings to the work that you do.
Consider yourself voted as a witness by us!
Blessings!

Great info! Thanks!

Do it once and do it right!

That's what I say.

That's what we do to those hackers here.

Thanks for the good service to the community, i will vote you as my witness.

Posted using Partiko iOS

Thank you, appreciated.

Hey, @guiltyparties!

Thanks for contributing on Utopian.
We’re already looking forward to your next contribution!

Get higher incentives and support Utopian.io!
Simply set @utopian.pay as a 5% (or higher) payout beneficiary on your contribution post (via SteemPlus or Steeditor).

Want to chat? Join us on Discord https://discord.gg/h52nFrV.

Vote for Utopian Witness!