RE: Warning about phishing links
Very interesting find. Very sneaky form of attack. Scary thing is it is so easy to register a domain name and even SSL certificate these days. Also scary because anyone can pretty much run a frontend for condenser, but it is hard to know if the site is trustworthy or not. Thanks for the article, I find this kind of thing super interesting. Will be following you.
Some of the guys that do phising like do make use of url shorteners to hide the actual link. Or from what I could tell in your post they used steem markup to disguise the actual link. In the case where the use a url shortnerer for example tinyurl then you can actually check what the link redirects to by making use of curl. You can do it like this:
$ curl -I https://tinyurl.com/2fcpre6
See the output. The actual url it redirects to is in the "Location" section in the response.
This link for example was a tinyurl link for the video:"Rick Astley - Never Gonna Give You Up". Haha I got you!
Anyways tinyurl has a feature where you can take any link shortened by tinyurl and preview it by prefixing tinyurl with "preview" like this: https://preview.tinyurl.com/2fcpre6.
Just take in mind that tinyurl is one of many sites that people could use to shorten a url. Twitter even have their own site that they use to shorten any links posted on twitter. My curl trick should work on almost any url shortener, but if you aren't that technical I would suggest that you try:
http://www.checkshorturl.com/ which you can use to check shortened urls. For example I did a check for this url that was shortened by twitter's url shortening service: https://t.co/LGaAniJH32
Something you can also do if you aren't sure if a frontend/site other than steemit.com is legit or not is to use security related reputation checking site to check what other people have to say about the site. Here is a list of sites you can use to check if the site is flagged as malicious by other users or not:
https://www.threatcrowd.org
https://www.virustotal.com/ (It has a feature to check a url and there is a very handy comments section)
https://www.phishtank.com/
(Btw I check sleemit.com and its not mentioned on any of these sites yet , unfortunately).
These are some really nice resources to know about. I myself have clicked on a redirecting phishing link on here but it is worrisome especially for those who don't have a good idea about how front-ends interact with the blockchain.
Anyone can build their own Steemit-like front-end, that's not a problem at all as it can be totally legitimate without needing Steemit to sanction it, but knowing who to trust when it's not Steemit or doesn't use Steemconnect is tricky. It's nice that there are easy technical and user friendly options out there to check but yeah, keeping an eye out and protecting yourself starts to get a bit more serious in decentralized systems.
You can maybe ask these guys:(Who wrote this blog post)
http://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html
To add a honey/canary token for steemit active or posting keys to their site. Which would enable you to see if somebody tries to use a fake made up posting or active steem key that you posted to a frontend, the site emails you if someone tries to use the details that you generated on: http://canarytokens.org/generate
Hope that makes sense? Maybe somebody needs to make a site to track the reputation of steemit frontends.
Be careful what you are clicking on. If it runs javascript then it can do a great deal on your computer, for example people can even go so far to open a shell on your computer using javascript. This is something that people do often when they exploit xss attacks, but if you are willingly visiting a site then they don't even need to trick you into running the javascript.
You can see more about this type of attack here:
https://www.slideshare.net/BartLeppens/owasp-appseceu-2015-beef-session (See from slide 49)
Thanks for your feedback on my comment!
Awesome stuff again, especially those canary tokens. I'm not sure how exactly it could be implemented, but I can see maybe some sort of interesting key-specific decryption of a picture like they were talking on a website that logs use automatically. Not sure how that would work on attacker's own websites or even Steemit though. Interesting to think about.
And yeah, I even read somewhere that web javascript could exploit those Spectre and Meltdown vulnerabilities. I just love it because it runs so easy... everywhere.