Don't get hacked - How to be Smart!
The number of accounts being hacked in the last month or so has climbed significantly. In the last few months, the amount of phishing happening on the blockchain has skyrocketed. The number of hacked accounts has gone up as a result.
What is phishing?
Phishing is the practice of confusing a victim into clicking on a link thinking it is someone else. In the case of Steemit, users are posting links that leave Steemit and go to a site that looks and feel like Steemit and then asks for a username and active key. If you enter your key, they gain control of your account, drain your funds, then use your account to attempt to phish other users.
Example
A good example is this victim who was hacked and used to attempt to phish more users.
This is a small account but you can see the user's funds were drained immediately and then set to post comments on other threads luring in more victims.
If you look at the attacker, you can see many have fallen for this trick and funds have been sold on the exchange immediately.
How not to be a victim
This is surprisingly easy, but I will give you a few tips.
Look for the icon that represents an external link.
In the above example comment, you can see an external link icon that tells you the link will take you away from Steemit. This is your first warning you need to be careful and pay close attention to what you do next. If you are then asked for a Steem username/password, you are likely being phished.
There are some situations this is not the case, for example when following a link that uses SteemConnect. SteemConnect is considered safe by many and is more secure than trusting a third party with your private keys.
The important thing here is did you expect to be prompted for a username or password? If you click a link that asks you to vote for a witness, you can expect a username/password prompt to follow. If it is SteemConnect, it will tell you the action being performed prior to asking you to log in with your username and private key.
For example, if you in my footer you will see an animation asking for a witness vote. If you click on the image it will bring you directly to SteemConnect with the action to vote for @themarkymark as witness (you should, if you are not sure why, check this out)
This is an expected action when clicking on a link to vote for a witness to be prompted to vote for a witness. Now if it said transfer funds or something different, I'd have serious problems continuing and would contact a witness or someone you trust.
This doesn't mean all SteemConnect links are safe, you need to trust who you are giving access to. If someone posts a link about looking at a picture of their dog, and all of sudden asks for posting authority, you likely have a problem.
Look at the address bar
Look at where you are and confirm you see you are in fact on the site you think you are. If you are on Steemit, you can confirm in the address bar it is, in fact, Steemit and is a secure encrypted connection.
If you are prompted for a SteemConnect link like the witness vote above, you should confirm you are actually on SteemConnect.
Secure SSL Icon
This is handled differently in different browsers. This does not confirm you are actually on a safe site, but a lot of phishing attempts use improper SSL certificates and when combined with confirming the URL step above, should help prevent a lot of phishing attempts.
Secure Site - Chrome
Secure Site - Firefox
You can click on the lock icon to get more information about the certificate if you are unsure of where you are and if the site is legitimate.
It is not impossible to get a valid SSL certificate for a domain you do not own, so you always need to confirm the URL if you are unsure of where you are.
Common Sense
This is your best defense if you click on a link and immediately prompted for a password you need to take a moment and think if this is what should have happened. Do some due diligence, look at the URL, check the SSL, check the full URL and see if you see any clues to what is being done.
If it is too good to be true, it likely is. If someone promises you upvotes for life if you sign into their site or endless followers, you are likely about to be duped.
At this time, a large amount of non-Steemit links in the comment section are spam and phishing attempts. Look at the users reputation, if it is below 60 I would be very concerned about clicking a link from them. Reputation isn't hard to abuse, but low reputation is usually more accurate than high reputation. You need to use all available information to make a decision if you are going to trust someone with your private keys.
In most cases, I would suggest never handing over your keys to any third party. It is one thing to have your posting key compromised as this is easily recovered and only results in someone having access to post, comment, and vote with your account, but if you give up your active key they can change your keys, lock you out, and steal all your funds. Even if you know who hacked you, your funds are likely gone for good.
These techniques are nothing new, it is the same common sense rules you should use when opening any email or website. If you don't feel you are comfortable with any of this, look for a cybersecurity awareness training course, there are many well-known companies who offer this for free.
Anyone on the Internet in this day in age should be able to protect themselves against most phishing and hacking attempts using common sense and due diligence.
If you are still unsure about someone, ask someone you trust or jump on Steem.chat and go into the #help channel. In most cases you don't need to do what you are doing immediately, take time and make the right decisions.
Don't be a victim
Why you should vote me as witness
Witness & Administrator of four full nodes
My recent popular posts
STEEM, STEEM Power, Vests, and Steem Dollars. wtf is this shit?
The truth and lies about 25% curation, why what you know is FAKE NEWS
WTF is a hardware wallet, and why should you have one?
GINABOT - The Secret to your Sanity on Steemit
How to calculate post rewards
Use SSH all the time? Time for a big boy SSH Client
How to change your recovery account
How curation rewards work and how to be a kick ass curator
Markdown 101 - How to make kick ass posts on Steemit
Work ON your business, not in your business! - How to succeed as a small business
You are not entitled to an audience, you need to earn it!
How to properly setup SSH Key Authentication - If you are logging into your server with root, you are doing it wrong!
Building a Portable Game Console
People nowadays need to attend a basic Internet security class before granting access to it.
My thoughts exactly!
I didn't know you could look up the certificate by clicking on the lock. TIL.
Money attached to a bloggers account. Like a dream for any hacker.
So I guess we can only expect this trend with more attacks to continue...
Important Contribution !
Phising is the most used way to get your keys stolen.
Thank you for keeping the Comminity safe @themarkymark :)
thanks! good info!
The rate at which accounts are getting hacked this day is just so alarming maybe the hackers are starting to realize steem is going to be the next hot topic!!! So they subject them self to this act , which is very bad ... thank you @themarkymark for creating this awareness !!!
I heard a group of hackers left YouTube to come and phish on Steemit. I am not sure how true it is but I’ve heard it from two different people.
Wow ....let me resteem so I can spread the awareness
I guess they got demonetized on YouTube so they came here...
Yeah I guess so too .... we all have to be extra careful now !!!
I dont understand what happened to my Reputation Level. I was at 65 or so and its at 2 now did I do something wrong can you help me understand?
People always get advice how to avoid being hacked but it seems they're having hard time following it.
Hackers just have to get it right once u know, so it's not really their fault .... ignorance is truly a disease
Hackers are afraid that you will learn these 4 secrets.
WEP encryption cannot protect your wireless network. It's easy to hack in a few minutes, so you only get a false sense of security. Even an inexperienced hacker can break WEP encryption in a matter of minutes, making it useless as a protection mechanism. Many people have been using the router for many years, but don't even think about changing the password after a while and upgrading WEP to a more powerful and secure version of WPA2. Updating the router to WPA2 is a fairly simple process. To do this, you only need to follow the instructions that can be found on the official website.
Using the router's MAC filter to prevent unauthorized devices from joining is ineffective. Any IP hardware, whether it's a computer, a game, a printer, or anything else, has a unique MAC address in its network interface. Many routers allow you to allow or deny access to the network based on the MAC address of the device. The wireless router checks the MAC address of the network device requesting access and compares it to the list of banned and allowed addresses. This does sound like a good security mechanism, but the problem is that hackers can create a fake MAC address that matches the allowed LIST. All they have to do is use a wireless intercept program and see which MAC addresses bypass the network. They then set up a MAC address that matches the ONE that's allowed to enter the network.
Disabling the wireless router's remote administration feature can be a very effective measure to prevent hacking. Many routers have a setting that allows you to control them using a wireless connection. You get access to all router security settings and other features without having to access the computer that is connected to the router by cable. Although it is very convenient to be able to administer the router, this function opens an entry point for a hacker who can easily get to the security settings. In addition, many people never change the factory password on your router, thereby "help" the work of the hacker. Therefore, it is recommended to disable the remote control function so that only those with physical access to the network have access to the router settings.
If you use Hotspot for public use, you can easily become a target for a hacker attack. Hackers often use tools such as Firesheep or AirJack to get in the line of communication between the sender and the recipient during a conversation for which you are using a wireless connection. Once they get into your line of communication, they have the ability to retrieve your account passwords, read emails, and view messages. Also hackers use a tool such as SSLStrip, which allows you to access protected sites that you visit using your passwords. Therefore, it is advisable to use a VPN to protect your data if you are connected via Wi-Fi. Since VPN provides additional security, and it is very difficult to crack. If the hacker is not very persistent, he will most likely try only once and will move on to easier targets.
Thanks....
muy buena tu publicacion te felicito realmente la disfruto exito
Good post! Yeah, I think books are not enough to be smart today unlike those kids from yesterday. Internet can be a dangerous place for newbies isn't it?
thanks Mark, good info , I get a lot of suspect links and am fairly sensible, but I can imagine a lot of people are falling for this type of scam. Rock on my friend - David
thanks @themarkymark going forward i would be smart for this post got it all. i really appreciate this piece @themarkymark
I’ve unfortunately seen a lot of post from people who’ve been hacked. Resteemed! Hopefully this will at the very least help prevent others from getting hacked who take the time to read your post.
Always good to alert the unwary .(I'm way too cynical lol).
Reading your post made me think of a way they might try to gain access to account...
(I'm not techy so forgive any idiotic, impossible statements)
Hi, I'm themarkymark (y) <
...and then links to a skin of the same page as the witness vote.
.... enter passcode...blah blah.
I haven't seen this one yet - but surely it's only a matter of time...
My girlfriend will upvote you as a witness, later.
I can't for ethical bot voting reasons, sorry. (although I did use buildawhale back in the day...)
These tips are so simple and so important! sometimes we do not pay attention to small details that give us security, thanks for the alert and tips, in these times we must be with the tools at hand, to avoid this type of attacks, happy night
Excuse my English, I use a translator.
Common sense is key, but there's plenty of people who lack it when it comes to online security and it only takes 1 bad lapse in judgement. I would know, I had an account hacked through a bad link about 10 years ago. Never again.
There is a browser extension cryptonite from metacert which protect steemit.com and busy. org now. https://steemit.com/phishing/@holger80/steemit-com-is-finally-verified-by-cryptonite-by-metacert
I check twice before provide my key on SteemConnect
I don't realize that something like that is working. I always think about similar accounts where the author post only comments and encourage people to visit his site. Now I know that this is fake so we shouldn't go to this sites.
Thanks a lot for this article. It opened my mind and now I know the danger. Please share with us more similar posts. Keep doing :)
The one question I have about steemconnect is that someone told me that before going to the steembottracker open the steemconnect window and somehow that protects you from giving your key out to the wrong person. How does having a open window behind the window you are on protect you? I couldn't quite figure that out.
Not really sure what they mean on this one.
Me either and I consider him a very trusted source. He said sign up for steemconnect first and I did. Then open the window to steemconnect before steembot tracker site. I did notice that if I didn't the screen got shaky, which didn't allow you to do the transfer, if I did the screen doesn't shake. Weird huh? I only did it once and with a trusted name so I wasn't that worried about whether that really worked or not. Maybe you should do a lay out on transferring funds for use of a bot like you did with the witness thing. I really haven't gotten around to do anything about voting for a witness because I feel there's to many problems with the site that just aren't being addressed.
Ok, the markymark, I’ll give it a go. I don’t think I’ve been able to do the witness thing because of passwords
This is great awareness writing. All should know how accounts are hacked. Many things take home from this post.
Thank you for this valuable post. You explained really up to a level of basic and backing it up with pictures. For someone like myself - not a computer expert, far from it in was really helpful. Very much so!
By the way reputation means nothing look at @rewardpoolrape and @laurabanfield. Look at how they have behaved and look at the numbers they have for their reputations. Steemit reputation really means nothing.
Great write up! This type of education has to be repeated over and over again. Sorry for the large image banner, but think it's useful enough to stand out for anyone viewing this post. Check out Metacert's Cryptonite plugin. It takes a whitelist approach for cryptocurrency related sites and can adjust in real-time as things change (such as when MEW gets hacked).
The green shield lets you know more than if the site is legit (as in, it has a valid SSL certificate), but also if it is who it claims to be in the cryptocurrency space.
I would also highly recommend everyone use a password manager like 1Password or LastPass. Super important today. No one should "know" their passwords. They should all be generated and encrypted at rest until you need to use them.
Very good post! People need the this education.
Dont trust and your pasword will be sure