- I already posted such a script a few months back: https://hive.blog/@keys-defender/script-to-fill-a-phisher-s-database-with-thousands-of-false-positives ;)
- The attacker is so lazy that they always use the same fake hivesigner page, so that code should still work. It just needs to point to the new endpoint + “/submit.php”
- I have already been running a version of it, improved over time, as mentioned in other comments down here =]
I do run it every time and noticed that when I do, their next attack starts later because they spent more time trying the thousands of credentials (script, multiple people manually? Not sure).
In other attacks they were trying to collect people’s usernames and passwords to do credential stuffing into their email provider. I suspect that’s how they found a private key of a user that unfortunately lost 200 k 😌
How many people signed up with an email anyways?
Right, I forgot about the sign up emails. I created my accounts through code and paying 3 HIVE :)
- The attacker is indeed not skilled. He quickly puts up phishing pages that always point to their fake hivesigner. They have been doing this for months and pretended that various airdrops were happening: Appics, Leofinance, you name it. Examples:
1 - https://hive.blog/@keys-defender/watch-out-new-phishing-wave-do-not-vote-for-leofinance-using-that-link-its-phishing
2 - https://hive.blog/@keys-defender/new-phishing-wave-do-not-fall-for-it-there-is-no-mainnet-launch
3 - https://hive.blog/@keys-defender/there-is-no-airdrop-it-s-just-phishing
4 - https://hive.blog/@keys-defender/phishing-campaign-on-hive-be-aware
I’ll tell you more (since this is not sensitive anymore). A few months back their profile ID leaked into their phishing page code, so I was able to programmatically poll that profile every 30s to find out immediately when they published a new phishing site. That way, multiple times their attack stopped immediately because they were already discovered. I must have driven them crazy because eventually they stopped (or at least for a couple of months - until now that they started using a different hosting provider).
There is also great work by other people like @guiltyparties and @louis88 that immediately contact the hosting services to take the phishing site down!
We are collecting more intel on them as they keep making mistakes. Stay tuned 😉
Ah, I see you're way ahead of me on that one 😅
Yeah, I noticed this recent domain is being hosted on web.app, which I believe is a Google hosting service, so hopefully it'll be easy to send in phishing reports.
Again, great work fighting against these attacks. Cheers! 🍻
Thanks, and thank you for the delegation as well! =]