Today, two users reported on the chat that their accounts were hacked. After a quick check, the hijacker(s) were posting comments with suspicious links under the guise of our dear friend @grumpycat.
https://steemit.com/@mrs-yammy/comments
https://steemit.com/@simplymike/comments
These accounts are currently blacklisted, until they are recovered by their original owners.
The links in those comments are all fake and point to STEEMIL.COM instead of STEEMIT.COM.
Here's an example:
https://steemd.com/tx/04bfbf2da9fda6a18832cd90758fdf465b6201a1
Notice the use of steemil.com in all the code, instead of steemit.com. The website seems to be running Condenser, the Steemit website app. DO NOT LOGIN TO IT.
Obviously it's a phishing attempt to lure more users into signing in to a malicious website located in Malaysia.
IP: 111.90.149.128
Decimal: 1868207488
Hostname: felidae28.ipchina163.com
ASN: 45839
ISP: Shinjiru Technology Sdn Bhd
Organization: Shinjiru Technology Sdn Bhd
Services: None detected
Type: Broadband
Assignment: Static IP
Continent: Asia
Country: Malaysia
State/Region: Selangor
City: Shah Alam
Latitude: 3.0544 (3° 3′ 15.84″ N)
Longitude: 101.5169 (101° 31′ 0.84″ E)
Postal Code: 40200
I ran a whois on the domain, and it's indeed with a Malaysian registrar, http://shinjiru.com.my, registered on 2018-03-04T10:20:04Z:
Domain Name: STEEMIL.COM
Registry Domain ID: 2235087516_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ilovewww.com
Registrar URL: http://shinjiru.com.my
Updated Date: 2018-03-04T10:20:05Z
Creation Date: 2018-03-04T10:20:04Z
Registry Expiry Date: 2019-03-04T10:20:04Z
Registrar: Shinjiru Technology Sdn Bhd
Registrar IANA ID: 1741
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.IPCHINA163.COM
Name Server: NS2.IPCHINA163.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
I also ran a database query for the string https://steemil.com since the domain's creation date:
SELECT author FROM Comments WHERE body LIKE '%https://steemil.com%' AND created BETWEEN '2018/03/04' AND '2018/03/07'
It turns out, the impostors aren't only faking @grumpycat's comments, but others as well, such as:
https://steemd.com/tx/02e66607125ed8cfeccdf28dbcdf9ddb7294bf9a
https://steemd.com/tx/f1eca9a530b4e5aeeacb15cd137b98cb8460cdfe
There are over 1100 phishing comments so far, with multiple SQL hits, by the following 15 hacked accounts:
@aideedavies @beautyloving @boontjie @enjoyinglife @kilbride @lalo78 @leader-sapa @mcgrafite @mrs-yammy @omikunlejackson @qustodian @simplymike @thedavidadesina @timmy2426 @william21
Some of them have already recovered, some haven't yet.
ALWAYS be careful when you click ANY links and ALWAYS look at the URL you're visiting in the browser address bar.
Available & Reliable. I am your Witness. I want to represent You.
🗳 If you like what I do, consider voting for me 🗳
If you never voted before, I wrote a detailed guide about Voting for Witnesses.
Go to https://steemit.com/~witnesses. My name is listed in the Top 50. Click once.
Alternatively you can vote via SteemConnect
https://v2.steemconnect.com/sign/account-witness-vote?witness=drakos&approve=1
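An added example, not part of the original post: a Python version of the database check described above, matching on link hosts instead of a raw substring, flagging any host one character away from a trusted domain (as steemil.com is from steemit.com) and counting hits per author so that a single hit is left for manual review. The allow-list, the two-label domain shortcut, the one-edit threshold and the sample rows are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

TRUSTED = {"steemit.com", "steemd.com"}  # assumed allow-list of genuine domains
URL_RE = re.compile(r"https?://[^\s\"'<>()\[\],]+", re.IGNORECASE)

# Constructed sample rows (author, body); the account names are hypothetical.
SAMPLE = [
    ("alice", "Great post! Claim your reward: https://steemil.com/@alice/bonus"),
    ("alice", "See [steemit.com](https://steemil.com/login) for details"),
    ("bob", "Warning: do not log in at https://steemil.com, it is a fake."),
    ("carol", "My new article: https://steemit.com/@carol/hello-world"),
]

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]

def registered_domain(url):
    """Last two host labels; a simplification that ignores suffixes like .com.my."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def lookalike_of(domain, max_dist=1):
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in TRUSTED:
        return None
    for good in sorted(TRUSTED):
        if edit_distance(domain, good) <= max_dist:
            return good
    return None

def scan(comments, min_hits=2):
    """Count comments per author that link to a lookalike; flag repeat posters."""
    hits = Counter()
    for author, body in comments:
        if any(lookalike_of(registered_domain(u)) for u in URL_RE.findall(body)):
            hits[author] += 1
    return dict(hits), sorted(a for a, n in hits.items() if n >= min_hits)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

In the sample, the account with one hit is a warning comment that quotes the fake link, which is why accounts below the threshold are counted but not flagged automatically.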
Steemit is becoming popular, and so are the spam attacks now
Scammers and phishing have been around for a while on Steemit, but they get more sophisticated.
Account recovered and back up 😁
Thanks again @drakos! If it weren’t for you I would still be emailing back and forth to the guys over at Blocktrades trying to tell them they should provide me with a recovery. Glad you stepped in and made them realize!
I owe you!
@simplymike
Glad you got your account back.
Thanks for helping many in this community from falling victim to this kind of scam. I am now guided.
Wow! Thank you so much for these tips. Now I know what happened to my friend's account: thedavidadesina. He couldn't log in and he still retains the hope of having it back.
Your friend can report this online straight to the authorities in Malaysia:
https://ereporting.rmp.gov.my/index.aspx
Thank you so much. He recovered it already, but with -3 rep and wiped out SBD. Will tell him.
Tell him to go to the Steemcleaners Discord channel. If he edits all the phishing comments sent from his account to make them harmless (just replace the existing phishing message with ‘spam comment deleted’), they can remove the flags, reinstating his rep score.
Make sure you tell him not to delete those comments, since they can’t remove the flags when the comments have been deleted.
(I fell victim too, that’s why I know 😉)
You are so adorable. Thank you so much for this. Will definitely pass it across to him, right away. Gracias.
Just a note: tell him to replace the comments with ‘comment deleted’.
I just realized that ‘spam comment deleted’ is not very good for your reputation, lol
Thanks a lot. You have such an adorable heart. Sincerely appreciate this. He said he has been trying to edit his comments but he couldn't. Kinda surprising.
Yes indeed, @thedavidadesina came to the chat asking for help.
I hope he gets the help and the recovery. Thank you so much for all you do.
You really will fall into this trap. Thank you for the valuable information. You are like me here. I wish you a happy weekend.
Wow this is becoming more and more popular on steemit...we need to be more careful people... Thank you @drakos, resteeming this for more visibility.... @dee-y over and out.
Hackers everywhere here on steemit. Please, steemians, be careful, so that you don't lose your hard-earned reward to some lazy thwarts who are not ready to work but steal and destroy the valuable effort of others. Thanks @drakos for the domain look-up.
Thanks @drakos for exposing these criminals. I hope people learn to avoid these criminals. Thanks. Resteemed.
Ah! good to know!!
I wish those people doing this will suffer. My friends were scammed recently
Hi @drakos, thanks for the post. Just to be clear, my account wasn't hacked.
You might have got me in the list because I wrote a post about the same hacking and included the name steemil shortly after simplymike's account was hacked.
Ah my bad. Your name showed one hit in the SQL query and your comment is legit, I'll remove you from the list. Sorry about that.
No problem at all. Just didn't want to run the risk of being added on to some blacklist.
Thanks for letting us know. I will pass it along. Everyone should resteem.
Nice info, thanks for sharing !!
Hey @drakos thanks for commenting and upvoting my post about the same thing, as you see I propose that the victims report it straight to the authorities in Malaysia: https://ereporting.rmp.gov.my/index.aspx
Because that hosting company could just be a front, and sending them angry emails probably won't work if that is the case...
Beautiful post
Yes it's so beautiful, isn't it!
You warn us about the worst scammers.
Thanks for sharing
@kil what exactly do you mean by this?
Thanks for the heads up! I'm not tech savvy but I haven't been a victim of phishing. It was only a matter of time till it came to Steem...sadly
@drakos Nice post. Thanks for the heads up. Can't we ban these guys?
Thanks a lot again for help @drakos. I vote for you
I don't know what some people gain from hacking others' accounts. I just don't know.
Thanks boss @drakos for sharing
@dhavey
Money, of course...They took only 14SBD from me, but if I wouldn't have been able to recover my account and they would have had the chance to power down my +600 SP, and do this with all hacked accounts, they would have gotten themselves a huge pile of money...
@drakos omg, other one?!? i posted earlier today too, about ilovewww attackers...it's horrible what is happening:(!!
Thanks for the great info, I was wondering how long until something like this would happen. good thing I check links :)
what a shit people exist, why we all have the same possibilities here. Rats!
I've been hearing about a lot of this lately in various social media. I had a near miss with one the other day myself. Thanks for helping spread awareness.
wow as always the bad people fucking others, thanks for the notification ... I'll be more aware of where I click.
Thanks for the info. It means so much to a person who is not an expert in IT like me.
This is a serious problem. We should be more careful when clicking on any links, not just here on steemit but anywhere on the internet.
Two things come to mind when verifying the authenticity
In any case
if you don't trust it then don't click on it.
Thank you for sharing the information @drakos
Hi @drakos , thanks for the warning.
You may file your complaint with the Malaysian Communications and Multimedia Commission (MCMC): https://www.mcmc.gov.my/resources/guidelines/complaints-handling-resolution
Hope this helps.
Oh my God! only changing i to l in steemit how one can create so much nuisance! thanks drakos for informing and helping people to recover their account. Once you also helped me when I was not able to recover my username. Thanks again.
I made a Chrome extension to try to help with identifying those links more easily:
https://steemit.com/utopian-io/@quochuy/steemed-phish-v0-0-14-is-out-a-chrome-extension-to-protect-yourself-from-steemit-like-phishing-scam-websites
Wow, thanks for the heads up! Resteemed and upvoted.
Just to clarify (I don't want to click through one of the links), if I were to click through, it would ask me to login with my steemit credentials, right? So, people are safe if they clicked through but didn't enter their passwords? (That's assuming there isn't other malware at that site, which is a big assumption.)
They're baiting people to log in on it to steal their credentials and their money.
Good to know, thanks again.
Don’t use your master password for daily logins. Use your private posting key instead. If you do that, and you would still be tricked and logged in, the hackers wouldn’t have access to your funds.