New feature: immediate auto-reply for PHISHING links and compromised domains

in #hive4 years ago (edited)


Last night I found an XSS stored vulnerability on hiveblockexplorer.com and some Hive users were giving me "crap" because I disclosed it before the maintainer fixed it.

I know that maybe I should have waited longer, but at the same time:

  • I did not share the code of the exploit;
  • I had been trying to reach @penguinpablo via multiple means already;
  • There's no session to be compromised on that site (as I mentioned in the post, only the redirection bit is dangerous).
  • Hive frontends don't allow unsafe tags in posts either, so average users couldn't use the exploit even if they knew it.

To compensate, I then decided to add a feature that @guiltyparties asked me if I could add a while back..


ANNOUNCEMENT:

Starting from today @keys-defender will keep a list of known phishing links and compromised domains. As part of the scanning of new blocks added to the Hive blockchain, besides as usual protecting leaked keys, it will now automatically reply to any post or comment containing a known phishing link or compromised domain.

Until @penguinpablo fixes the XSS that I reported last night, a subpath of his site will be in the blacklist, in order to warn users of the potential threat.


Logs:

image.png


Example of automated reply:

https://hive.blog/hive-193552/@keys-defender/antiphish-keys-defender-bot-1598120388219


image.png


FUTURE IMPROVEMENTS:


FI-1. Check all memos transfers too for potential phishing attempts;
FI-2. Allow top 30 witnesses and whitelisted users to add a phishing link to my list simply sending @keys-defender a memo structured in this way "phishing::https://evil-link.com";
FI-3. Allow whitelisted users on my Discord server to add a phishing link using a command like: "!phishing https://evil.com".
FI-4. {PS. periodically query a few services that publish known phishing domains as soon as they are discovered - may charge users a little bit for this additional service though as those APIs are not free}


If you want to timely notify me of phishing campaigns happening on Hive, tag me or the other users in my discord: https://discord.gg/SXuwsH7. In alternative, join the HiveWatchers (@hivewatchers) discord and they'll add it themselves when the improvements above are ready.




UPDATES:

FI-1 --- Protection of wallet transfers: https://hive.blog/hive-139531/@keys-defender/new-feature-phishing-protection-for-hive-wallet-transfers

EXTRA-1 --- Universal script to prevent phishing in all Hive frontends: https://peakd.com/hive-139531/@keys-defender/phishing-on-hive-no-more-solution-for-all-frontends

FI-2 --- Community reported phishing - automation added to @keys-defender: https://peakd.com/hive-139531/@keys-defender/community-reported-phishing-automation-added-to-keys-defender

Sort:  

Your bot spammed a bunch of my posts today, and linked me to this post for an explanation. It doesn't appear to contain an explanation.
Can someone please explain the actions of this bot? Many of my posts are affected, and none of them contain any dangerous links. They are plain and regular links to my 3Speak uploads. Please remove all your recent comments on my posts.

How dare you.

@dailyeagle Please see my last post, 3speak.co was compromised.

I am furious! I do not like being slandered. I will thank You to keep Your lies to Yourself and leave Me alone.

image.png

   
amaterasusolar is a hacker/hacked account.
@keys-defender please do not click on any links it may post. More info: 1 | 2.  Sincerely, @keys-defender
Comment 10% downvoted to make it less visible. This message is self-voted to be more visible among others.

No. I am NOT! This is highly unEthical of You to push these lies. I will take You to the cleaners if You don't leave Me alone.

Lol, the cleaners themselves temporarily blacklisted 3speak.

Please see the updates on my last post:
https://hive.blog/hivedev/@keys-defender/3speak-is-compromised-at-the-moment-please-do-not-use-it-until-resolved

Hello, I just had two comments about problems with the links, I explained that I solved the error and that it was an autodetection system error, and then another comment came to me saying the same thing, the first comment was edited as if they had accepted that it was a error, but the second is still present even when you added a screenshot where it is clearly seen that the only two links of that type were in the same comments made by Key-defender.

Hola, acabo de tener dos comentarios sobre problemas con los link, expliqué que solucioné el error y que fué un error de sistema de autodeteccion, y luego me llegó otro comentario diciendome lo mismo, el primer comentario fue editado como si hubieran aceptado que fué un error, pero el segundo sigue estando presente aun cuando agregó una captura de pantalla donde se ve claramente que los únicos dos enlaces de ese tipo estaban en los mismos comentarios hechos por Key-defender.

image.png

image.png

Apologies, false positive - I had to blacklist a url shortener service because I’m not home and needed to counteract a phishing campaign