There's a virus going around Steemit and it's not just stealing your password...
.jpg)
I don't like when people tell me what to do. I don't even like when my best friends do it. Dare I say, I don't even like when I'm asked not to do something when I know I have every right to as a grown ass adult.
Call me stubborn or whatever— I'm a Gemini on the Taurus cusp. That means I don't usually give a shit and I'm obstinate about it to boot. Further, I take a certain degree of pride in the fact that I'm a firecracker. I only make noise unless you're handling me wrong while I'm lit, then I'll probably take your fingers with me when I go off. Hey, I don't hide it. You've been warned.
So I was a bit shitty when I got a comment today by the wonderful @simplymike asking me not to hide my links with Google analytics because it's a link shortener.
Hide? B^tch holdup?! (lol)
tee-hee
Of course, my snazzy ass is thinking, "Can't you pick on someone your own size?" Then I realized, "Oh shit, we ARE the same size... doh!" Well, close. Her rep is 56.11 and mine is 52.11— how is this so? I was off Steemit for a whole year so how am I shyly behind her in rep after a month of activity?
It turns out, she was hacked. Hacked bad. I mean, bad bad. The reason she wanted me to ditch the shortener is there's a lot of funky spam accounts going around using short-links and raising hell around here. I knew about that, but I wasn't aware of what happened to her or how bad the Steemit phishing situation has gotten in the past few weeks.
Sigh
Begin tantrum sequence... "I need my analytics!" "I like my analytics!" (...my brain yelling to itself)
And I have a right to use them on the blockchain. Boss up.
Alas, all that being true— I can't be a total douchebag. I should at least consider the appeal because I would want the same if it were my appeal. "Fine," I think... stomping away like an angry toddler.
"Right now I should be posting, commenting, and engaging my readers. I just won a Curie and I left an armful of comments ignored on my post." Blah blah blah.
Why does this disturb me?
I almost got phished a few weeks ago too. I'm just a clever little nerd sometimes so I dodged the bullet. I could have the sentiment that I'm not responsible for people dealing with technologies they're not educated about. Simultaneously, the entire Steemit marketing pitch is kind of shady. It sucked me in too. Look how addicted I am. (smiles)
If I wasn't the benevolent filthy capitalist I am, and if I were not as clever as I am, I would be food here.
That translates to, pretty much all the other planktons and minnows are food here.
Okay sitting ducks, listen up!
I disclaim, I'm not telling you how to live your life or implying that you're an idiot with the following information.
What is Phishing?... In Plain English
Phishing is when a LINK is a BIG LIAR— basically. A link looks safe, but it's not. It could be a link similar to one like Steemit's, or it could be another link that takes you to a site that looks like Steemit or another app— like Steemconnect. Phishing happens on lots of sites as well, so you're never safe unless you're educated: even on Facebook, Twitter, etc.
These sites will usually hook you with a concerning message or huge opportunity.
Then they take all your money, infect you with viruses, and make you look like a fool.
It's sort of like a toxic relationship— except from a web page.
Oh shit! How can I avoid getting phished?
You will be safer if you NEVER login to Steemit with your Owner Key, Master Password, or Active Key unless you are making transactions in your wallet on Steemit or a safe network. Once you've done making said transactions, you would be safer to log out and login again using only your Posting Key.
You will be safer if you NEVER click on a link anywhere on the web — and especially on Steemit — without verifying its safe. If you don't know how to do that, you're safer if you don't click.
Always check the address bar. Then check it again. And again. Make sure the link is spelled right. Make sure the site is using https. Look for the green lock symbol.
But, but, how do I check if a link is safe???
Ah, young grasshopper.
On most computers, you can hover a link to see its destination. It will show up on the bottom left side of your browser. Or you can right-click and copy the link destination, and paste it into a note to read it.
On a smartphone, you can usually copy a link destination and paste it into a note to read it.
On regular mobile, why the hell are you surfing the web on regular mobile? It's 2018. Smdh. I can't help you.
ADVANCED NINJA SKILLS
There's a website you can bookmark for quick link expansion: http://checkshorturl.com
Or doing it manually:
- If a link is shortened with google shortener, bitly, or steem.link— you can add a + to the end of the URL to open a preview page. For example:
Just add a + like so...
Voila! Now you can see the original url that the shortener is pointing to without visiting it directly. This will give you the needed space to research the link before clicking on it.
- For tinyurl you would add the preview. before the url
You would change it to
https://preview.tinyurl.com/omitaylor
You can also do this on MOBILE browsers.
Observe.
Hold down the link for a long time until the options panel pops up. Select copy link.
Paste the link into a note!
If the link is shortened by google, bitly, or steem.link you can check it on mobile also.
Paste the link from your clipboard into your mobile browser address bar, and add a + to the end.
And boom!
That's your preview. Now if the link is to Steemit or another safe website, go for it.
You can also do the same on mobile for Tinyurl as I mentioned previously...
There are many websites that shorten links be these are the most common ones people use. When in doubt, you're safer not to click.
Once you have an original link, if you don't recognize it and don't want to click away you can also scan it.
Google has a tool that will let you check if a link has malware.
http://google.com/safebrowsing/diagnostic?site=YOURLINKHERE
You can also wait, and check the link later from a safer browser— like at home where you (hopefully) have an anti-virus on your computer.
And remember, technology isn't wrong. Link shorteners aren't BAD nor nefarious in nature. They were originally created for link tracking and to make long ugly urls easy to remember. But with every good invention, some dickhead has to come along and abuse it for their own corrupt reasons— and ruin it for everyone. Don't demonize link shorteners. Be educated about technology instead and use these wonderful features for good as there were intended for— and blame misusers for misuse.
OMG! I saw a phishing link! What do I do?
DO NOT DOWNFLAG IT unless you have significant enough voting power to do so.
REPLY to the comment: DO NOT CLICK ^^^ @guard @steemcleaners
Immediately go to https://steemcleaners.org/abuse-report/ and report the link
Head over to Steem Cleaners on Discord (if you have it) and report the link: https://discord.gg/WfBZAaH
Create a NEW comment on the post saying: There is a bad link by NAME below! It has been reported. Do not click! And upvote your comment with the highest vote for visibility. Add a really alarming image to your comment for attention.
Like this...
Or like this...
Make sure the FIRST thing you do is report it BEFORE you go on a warning spree.
As an added bonus, Steem Cleaners will reward you for finding NEW threats.
You can get .001 or more just for reporting. Some people have gotten over 1 SBD for finding new threats.
It's nice to know that you can be rewarded for your good deeds. Report away!
Bonus: Steemd Phish Plugin
If you use Google Chrome Browser (like I do) on your laptop or regular computer, @quochuy has created a really handy and advanced plugin called Steemd Phish that will help you detect funky urls before you click.
I use this plugin and I vote for @quochuy as a witness. Both I believe to be trustworthy.
Here are some more links about this issue and resolutions to common problems. Spending an hour out of your life to become educated will favor your safety online and on Steemit.
@simplymike — Contest to Warn About Phishing Threat
@simplymike — How to recover after being phished
@anyx — Introducing GUARD Phishing protector bot
@wizardave — Hover before you click!
@imbigdee — Recognizing Phishing comments
@simplymike — Mass spam-comment eraser script
@arcange — Steemit.com Virus Threat + List of Phishing Alerts
I am glad to see another post helping people avoid, and showing them where to turn when they have a suspicious link. I myself still do not like tiny URL's and even with the tools you showed will never click on one. Yes that means I amy miss out on some cool locations on the web, but I prefer the ugly URL. It shows in the browser, so if people use the full link in proper form to link words I see no need for the tiny URL example your page, people can hover the link and see where it goes. No ugly https style link or unknown destination tiny URL.
Once again thanks for the post warning and helping others.
Addendum:
Fixed a few typos. Sorry, I was sleepy when I wrote this. Let me know if you notice any others I may have missed.
I'm of the opinion that people have a right to use these link technologies on the blockchain and I'm not for bullying people around. However, I'm also of the opinion that a computer virus is not a person. So, I don't believe it to be over-reaching to report the activities of malicious scripts. They're not people, they're code zombies. Lol.
Hi There! You have just been upvoted by @justinadams Witness. You will always recieve a free upvote on every post you make on steemit as long as you keep your witness vote. Thanks For Your Support.
Good going madame, phishing on steemit feels like its on its all time hight at the moment how often it is going on.
good suggestions on checking how first!
Thanks for reading. Apparently, it's growing at an unfathomable rate according to Steemcleaners so it's worth getting the word out.
Congratulations @omitaylor, your post has been selected by the @asapers for a resteem and a feature in our brand new curation post. Issue 37
What does this mean for you? Well first an upvote from some members of the team, we are no @curie or @ocd but who is going to be unhappy with some extra upvotes. Also each post featured in the article will receive a 10% share of the SBD generated from the curation post.
Keep up the great work and please consider supporting the @asapers with an upvote and/or a resteem on the post you feature in. Please wait seven days for payout.
Your friendly @asapers
Giving back A.S.A.P
Holy cow!!! Thank you!!! I will resteem right away! Thank you SO much!
Congratulations! Your post has been selected as a daily Steemit truffle! It is listed on rank 14 of all contributions awarded today. You can find the TOP DAILY TRUFFLE PICKS HERE.
I upvoted your contribution because to my mind your post is at least 21 SBD worth and should receive 99 votes. It's now up to the lovely Steemit community to make this come true.
I am
TrufflePig, an Artificial Intelligence Bot that helps minnows and content curators using Machine Learning. If you are curious how I select content, you can find an explanation here!Have a nice day and sincerely yours,
TrufflePigThank you @trufflepig 🐷
Hi There! You have just been upvoted by @justinadams Witness. You will always recieve a free upvote on every post you make on steemit as long as you keep your witness vote. Thanks For Your Support.
Good job. Very informative and very entertaining! @omitaylor
My pleasure Wizard dave!
Hi There! You have just been upvoted by @justinadams Witness. You will always recieve a free upvote on every post you make on steemit as long as you keep your witness vote. Thanks For Your Support.
Do what you love @omitaylor the Tigress
Don't worry about wolves!!
People usually has tendency to pull successful person down!
Also, thanks for raising awareness and suggesting tool for phishing links!!
Thank you my friend. Most are well intended. Some are right, I admit. Some are just trolling. Idk. I'm doing my best. Can't make everyone happy but keeping me happy seems to be working for everyone else too, so it's all good. Thanks for reading and for supporting me.
Well written article. Thanks for contributing to raising awareness of this plague!
My pleasure. @simplymike had a reasonable appeal. And I support your plugin. It rocks. Thanks for your work as a witness. I'll be mentioning you and your contributions in a future article. :)
Hi There! You have just been upvoted by @justinadams Witness. You will always recieve a free upvote on every post you make on steemit as long as you keep your witness vote. Thanks For Your Support.
I’m very happy I was able to trigger you firecracker ass into writing such a valuable educational/informational post.
I don’t like people to tell me what to do either. But I had to learn that sometimes they had a point, and that I had to take that point into consideration when I made my decisions (not fun)
Anyway, I’m planning on making a DBook with information on how to protect yourself, so the information won’t be buried in the dungeons of SteemIt and we have to write awareness posts over and over again.
I still need to figure out how the DBooks site exactly works, but I think this information about link shortneners is important to add.
I’ll get back to you soon
You made a valid point with a reasonable argument. I'm no crusader but I thought it through completely and you're right; malicious scripts aren't people. Script activities have no inherent rights of their own. I don't believe it is over-reaching to downvote viral comments.
And anyone has a right to use their stake to downvote the human accounts planting the initial viral seeds on the blockchain. It's not really my war, but I understand why no-one would value content containing destructive code.
I've decided to refrain from using analytics for now. I'd like to try to track down the owner of http://steem.link and see if they are still actively maintaining the project. If not, perhaps someone can take it over. Either way, I'd like to see Steem.link work with Steemcleaners, Guard, Quochuy, and others on sharing a universal blacklist. That way Steem.link could be used to shorten benign links. I don't see why they can't scan links before they shorten them.
I also think it would be a good idea to compile a list of reasonably safe Steem sites. I believe Busy, Steemconnect, Steembottracker, Dlive and many others are all as safe as Steemit to login to with an Active key for the sake of transactions. It may be worthwhile for a small group to be formed to verify a list of safe Steem websites. Steem projects, Steem tools, and Utopia are all directories that could easily feature a verified badge. And not saying other tools should not exist, or unverified accounts either— I'm for choice anonymity. However, I think for those willing to volunteer to be verified and provide extra information for the trust and safety of others would only benefit (in traffic) from participating in such a verification program.
I don't know what Dbook is. Let me know.
The Wiki is also a good place where such information could be compiled. While the Wiki is editable by anyone, it's peer reviewed I believe. And they pay rewards for updates. There is no Wiki page under Phishing.
https://steemit.com/steem-project/@seablue/steemcenter-wiki-the-wiki-for-steemians-posted-from-chainbb
What do you think?
Hi There! You have just been upvoted by @justinadams Witness. You will always recieve a free upvote on every post you make on steemit as long as you keep your witness vote. Thanks For Your Support.
Thanks friend ♥️
Hi There! You have just been upvoted by @justinadams Witness. You will always recieve a free upvote on every post you make on steemit as long as you keep your witness vote. Thanks For Your Support.
I think you have a point there, about implementing some kind of safety label. Because I’m aware of the fact that the message I’m spreading could lead to paranoia against a lot of sites that are actually safe to use...
I did hear about the wiki before, but haven’t taken the time to check it out. I will. If there’s indeed nothing about phishing on there, it definitely needs some updating...
I wouldn't mind (as time permits) adding what techy stuff I know about phishing to the wiki. I don't know yet how to make pages on the wiki yet. It would literally take a day for me to learn how to wiki. Lol! The dbook idea is good too. Or both. Can't hurt to get the info out there.
I guess the bot stopped.
In all my years on the World Wide Web this is the first time hearing about the + sign at the end of a url. It deserves its place in some Life Hack top 10. 😎
Wow! I thought I have been doing a decent job protecting my account. Then I read this:
I've been vigilant in using only my Posting Key to login, but I never thought to logout after using my Active Key to complete a transaction.
Thanks for pointing this out.
I feel it depends. If you're an educated and vigilant person, you can probably stay logged in with your active key per session. But always log out of your active session when you're finished is the point really. It's even safer if you do things like keep most of your Steem as Steem Power, keep your cache clear, delete your cookies regularly, etc. But if you're just going to leave your computer logged in or surf around as a information consumer- Posting Key ONLY is like wearing a condom hahahaha. Because the worst thing that can happen is you get hijacked and post comments or blogs. Those can usually be cleaned up with a script. But if you get hijacked with your Active key logged in, someone could steal your liquid Steem— and even power down if you're not paying attention.
Now that I think about it, there probably should be a Wiki about how to safely log out of Steemit and how to clear caches, and do all that fiddle-diddle. It's habitual for some of us nerdy types, but most average people probably don't have a shut down routine. I imagine the reason these phishing scripts are multiplying so rapidly is because the average user is using an app with their master pass and just surfing like this is Facebook.
Thanks for commenting. It gave me other things to think about as well.
A shutdown routine. I like the sound of that. I wonder what that should look like for me. A lot of people, myself included, have a startup routine, but I never really thought about what to do once I'm done for the day. Thanks again. You gave me a few things to think about.
Hi There! You have just been upvoted by @justinadams Witness. You will always recieve a free upvote on every post you make on steemit as long as you keep your witness vote. Thanks For Your Support.
Your post is very helpful to us ,thanks for sharing .😊 i will resteem this article for other minnows awareness!!
Thanks for resteeming @reginecruz. @simplymike is really the lead operative working with antiphishing efforts across steemit to help others. I'm just spreading the word because phishing is growing exponentially.
Hi There! You have just been upvoted by @justinadams Witness. You will always recieve a free upvote on every post you make on steemit as long as you keep your witness vote. Thanks For Your Support.
Haha, you have a stalker, bribing you for keeping your witness vote in place ;0)
I can hardly be called the lead operative - I’m more like a concerned victim trying to protect others from the terrible experience I went through.
I’m definitely not an expert.
The real hunters and experts are people like @arcange and @guiltyparties, and the people from @steemcleaners
Nevertheless, thanks for resteeming, @reginecruz. I really appreciate that you are helping to spread the word.
Yeah lol :o) I don't mind beneficial stalker bots or reasonable bribes haha. He's doing some hardcore work right now building community witness and seed nodes and appealing to other witnesses to install seed nodes. He keeps an updated database of active nodes and is pruning lists, so folks aren't maintaining votes for witness any longer with us. Well, look at me shilling ;)
Some of the newer witnesses are running full installs and really busting their ass against the complacency of the regulars. I like the vigor!
I think eventually the bot will vote silently. Someone will probably flag it eventually. Lol.
Minnows definitely love you, Thanks for the awareness @omonitaylor this is something every steemians should have in mind all the time. I may not have huge followers but I will definitely resteem this to spread the news and stop those dickheads as you say haha. Keep it up! happy weekend to you my friend :)
Thank you very much @gavinci13 I appreciate that a great deal ♥️
Nice article Omi, you've always got some helpful pointers for the community!
One thing, ditch that Chrome browser for the open-source, blockchain-enabled Brave browser!
https://brave.com/
Oh, and, I'm in Boston next weekend...do you have an opinion on which of the vegan restaurants are best??
What do you think of Brave browser (personally)?
I've been meaning to ask if the browser mines or if you get coins for using it- or if it's just a regular browser.
Hm. Vegan, Massachusetts has a lot of options.
Veggie Galaxy, VO2 Vegan Café, Oleana, Life Alive, and Clover Food Lab are all near Central Square Cambridge.
My Thai Vegan Cafe, By Chloe, Cocobeet, Cuong's Vegan, Estragon Tapas Bar near or in Boston.
Veggie Crust and Dosa next door have mostly vegan options but do lacto/ovo (ask what's not)
For breakfast, CrepeBerry is like iHop but vegetarian.
Real "dinner" (not fancy, but like 4 course meal) Forage is the place.
Upscale L'Espalier isn't a vegan place but has a vegan menu.
Fomu for Vegan Icecreams and desserts
As a browser, i've been using it full-time for about 2 months. Like all browsers it has it quirks to get used to, however, I really do like it (as much as Chrome which I was using for the past 5? years). The browser doesn't mine, you get rewarded in BAT if you enable ads (I haven't bothered with this, yet) or you create content.
Thanks for the list of restaurants. I gave a quick looks online and saw something like 40 in Mass...pretty cool, your list helps narrow :)
There are FAR more. However, these are vetted. I've eaten at all of these establishments myself at one point. If you go to Veggie Galaxy, their Vegan Cheese Fries are heavenly. They use hot potato cashew cheese. I don't know what they do to it but it tastes and feels like cheese even after it's cooled down (eg leftovers/doggiebag.) Middle East is next door and is owned by family friends of ours. They have a great Falafel pita roll up. They make their Falafel deep fried in olive oil (and use a separate fryer for vegan foods.) I'm more of the fast-food vegan fare. I don't know the name for sure, but Buddha's Delight downtown Boston (might have moved) was also good if it's still open. Their rice-noodle bowl is better than other non-vegan options for rice-noodle dishes in town.
Glad to help you enjoy the area and what it has to offer. My kids are on school April vacation this whole week. Are you coming out here this coming week or the following week?
Awesome, will definitely check out some of your recommends. I'm up there 4/21-4/23
And thanks for the heads up about Brave. See, I didn't know you'd have to enable ads to earn BAT. Very interesting idea. I wonder how much one earns when enabling ads. I will go have a look.
yeah, great concept though I have no idea about earnings/etc...will try eventually. I just like the quality of the browser. It's like firefox only better
You just planted 0.01 tree(s)!
Thanks to @omitaylor
We have planted already 4808.99 trees
out of 1,000,000
Let's save and restore Abongphen Highland Forest
in Cameroonian village Kedjom-Keku!
Plant trees with @treeplanter and get paid for it!
My Steem Power = 18677.79
Thanks a lot!
@martin.mikes coordinator of @kedjom-keku
This post has received a 0.88% upvote from
thanks to: @omitaylor.
For more information, click here!!!!
Try the new Minnowhelper Bots for more information here
Help support @minnowhelper and the bot tracker by voting for @yabapmatt for Steem witness! To vote, click the button below or go to https://steemit.com/~witnesses and find @yabapmatt in the list and click the upvote icon. Thank you.
Voting for @yabapmatt
Awesome post! I consider myself a rather astute web user, yet there were tricks here that I hadn't seen before such as adding the + to a tinyurl. Thanks for that! I'm bookmarking this post so that I can come back to it if I see something phishy.
Also, thanks for the downvote/flagging comment, it was something I'd wondered about recently.
I would just ask if (on a PC) using the password keeper on Chrome (or whatever) is good enough to keep you safe from most phishing attacks? i.e if your browser doesn't fill in the password, it is not the right site?
Thanks again.
Hello there @viking-ventures.
Thanks for your thoughtful comment. To check tiny urls you would prepend the following code to your url
preview.not add a + at the end. But indeed, the concept is the same. Link shorteners have ways to see inside them without clicking blindly. I believe they have to have this feature if hosted on a server in the USA. And most webmasters follow suit. I have the expander bookmarked on my phone, which is much easier.As for logging into crypto sites with a password or key, I'm very skeptical about using password plugins because if I lose my laptop, or if someone visits my home, they can just login to my accounts. That said, I think we each make our best judgment for our own circumstances. I know that software exists that can read your browser keystroke activity, and even your computer keystroke and clipboard activity. It's called a keylogger.
That said, paper wallets (laminated) and usb wallets seem the safest places for keys. Sites like steemit aren't really built for people to withdraw and hold their money outside the platform. So it's extra important to stay safe (especially if you're a dolphin or more.)
I've heard various pros and cons of using password keeper program. I'll look into that more.
Thanks again for commenting.
Thank you @omitaylor for this comprehensive post. Having been phished, I am particularly appreciative and your rant is not inappropriate. That said, I have also had fabulous support from folk like @zord189, @raymondspeaks, @fates and @simplymike. It's also a bit weird that after I went through the "rehab" process to clean up the mess and restore my rep, I got locked out of the account. The hack was on Wednesday. Locked out on Friday. Don't know why. Requested account recovery. Still not had the email to recover it. Am nagging @steemcleaners daily. That said, I am told that account recovery is manual and we have had a weekend, so I must cut @steemit some slack. That said, also, I think that having humans doing the account recovery, while it may be time-consuming and there may be the odd human error, maybe a bit more secure. Or am I just being naieve?
This is avery long read, to be honest. But it is worth it.
Personally i make sure to summon @steemcleaners/turning over to their report portal, and reporting anything i find suspecious.
Your advice here is as useful as it gets.And timely, i might add. Because yes, there is so many of those phising attempts taking place currently, you just cannot tell when next they might lure you to unknowingly give out your account credentials.
And then, just to be on the safe side, it is smarter to make sure you use your posting rather than master key even here on steemit. Just in case.
Meanwhile, just so you know, @asapers led me here! Cheers!
This post has been upvoted by @minibot with 25.0%!
Thank you for giving your trust and witness vote to my creator @isnochys!
More profits? 100% Payout! Delegate some SteemPower to @minibot: 1 SP, 5 SP, 10 SP, custom amount
You like to bet and win 20x your bid? Have a look at @gtw and this description!
Helpful post! I even learned something, and I've been online since the damn 90s lol 😏
First thing I did was add that Chrome plugin. Second thing, resteem. Third, I think you just solved a conundrum for me. I have my own link shortener that I run through Replug for stats (among other things). I was on the fence as to whether to start using it on here, however with all of the phishing issues, it is probably best to wait.
Keep being awesome - you rock! 😎
hahaha wow congratulation i like that great post @omitaylor
Hola amigo excelente publicación, y gracias por estar pendiente de los que somos saltamontes en tecnología. Tristemente en todos lados hay los que no quieren esforzarse por ser productivos y demuestran su ineptitud, aunque se creen muy brillantes, robando le a los demás su esfuerzo. Voy ha marcar tu publicación para posteriores consultas.
No soy bueno para hablar español. Lol! :)
Gracias por tus cumplidos. Agradezco tu comentario 😀
This is good, thanks for the insight
Testing
@tipu upvote this post for 0.05 SBD
this info was very helpful thanks for getting me to think more about cyber security. Does steem pay you anything for cleaning it up?
Great educational post you wrote "in your sleep", to quote one of your own comments. ;0)
I'm sorry but you lost me when you said your star sign. It's a pet peeve.
@gaman is on the @abusereports blacklist for being a bad Steemian! Bad spammer, bad!
Lolllll
I'll +1 that LOL! haha
Gaman is a freesteemer bot. I don't know why it's abusive honestly. But hey... AR's auto-response was hilarious too. It too is a autoresponder though. Ha. #botwars
Hi There! You have just been upvoted by @justinadams Witness. You will always recieve a free upvote on every post you make on steemit as long as you keep your witness vote. Thanks For Your Support.