[ Powered by Steem ] Browser extension to prevent phishing scam attempts
Three weeks ago I wanted to raise awareness of the ongoing phishing scams operating to steal your keys and used the power of the Steem blockchain to find skillful developers that will help solve this issue. CAUTION: Steemit Clone Stealing Passwords + 50 SBD Reward for an Anti-Phishing Browser Extension So many people showed interest that I needed to make it into a contest but in the end only two of them actually made the extension. I'm really pleased with the results and am hoping that we will once and for all prevent all phishing attempts on Steemit.
@quochuy made Steemed Phish
Download it here
The extension works with:
- a whitelist of friendly Steemit websites
- a blacklist of known scam websites
- checks of external links on friendly websites and make them obvious
This extension will validate Steemit related websites by changing its icon color:
- red is for blacklisted sites
- green is for recognised friendly sites
- grey is for unrecognised sites
When a site is neither whitelisted or blacklisted, Steemed Phish will try to check the URL structure to find known patterns and flag a link as supsicious by coloring it in pink.
There are currently 19 blacklisted websites and 31 whitelisted websites.
Phishing Alerts
If a user lands on a phishing website, Steemed Phish will display two types of alerts:
- a dialog that shows up even if the page was loaded in a tab in the background
- a full page alert, that covers the whole phishing page and offers a link to go back to Steemit.com. The full page alert also reminds the user of not using their Steemit Keys on unknown websites and keep their password (Owner Key) safe.
When landing on a phishing site the app will warn you and prevent any action untill you confirm the warning message
Once the page is loaded the app will display a full page warning when possible
Expand shorten URL
Some links are shortened using services such as bit.ly, this prevents people from easily analysing the URL of the link. Steemed Phish uses a link expanding API to determine the destination URL of a link and then compare it again against the white/blacklist logic above.
Making external links more visible
Ideally, a user should be more careful on links they are clicking on by always paying attention to the URL of an anchor. But this is easier said than done and even the most experienced user can let down their guard sometimes and get tricked by the scammers.
Recently, Steemit.com, has added a feature that marks external links with a grey icon on the right of each links. Steemed Phish will make that icon more obvious by coloring it in purple. On top of that, it will make a bubble appear next to the mouse cursor with a text explaining the fact that clicking on the link with leads you away so don't use your password. This bubble won't show up on friendly (whitelisted) websites.
Roadmap and potential ideas
- make a bot that browses steemit for reports and extract URLs to be added to the blacklist
- make a bot that follows another bot (@guard) and listens for its downvotes and update the blacklist accordingly
- monitor the https://steem.chat/channel/steemitabuse channel for more URls to be added to the blacklist
- If Steem Guard project goes live, use its API to update the blacklist: https://steemit.com/steem/@hernandev/proposal-steemguard-phishing-and-scam-protection-tools
@codingdefined made CheckSteemitLink
Download it here
CheckSteemitLink warns when going on a non Steemit link and it does the same for wallet messages containing links. Although this might be confusing for many users imo it's still a great tool for all the unsuspecting people rushing to throw their keys away.
For more info check his video and utopian posts:
Phishing Link Checker Chrome Extension
Phishing Link Checker Chrome Extension - Update V1.1 and V1.2
Now its your turn to test and vote for the best extension
As noted in the previous post I highly value communities opinion, so now is your time to test the extensions and let me know what you think about them. Especially if you have ideas or skills to make them better.
Currently operating phishing scams to test on:
https://sleemitdotcom
http://steemildotcom/
NOTE: Dot is in the links to avoid flags from project @guard aimed to protect and warn the community of phishing scams. To see the websites obviously replace dot with . and don't enter your credentials there there as this are known phishing scams. Just test the apps and tell me how you like them.
If you know of any other phishing scams please leave a comment so we can update the blacklist.
Winner will be announced in a week and rewarded with 50 SBD, the other dev will get 25 SBD donated from @ebargains
Then it's just a matter of promoting it and getting the word out
In a way that we get maximum coverage and visibility. Because if only 100 people will use it, we didn't do much.
You can help by:
- Writing a post or making a dtube/dlive video explaining the problem and solution ( use #nomorephishes tag so I can find the post and reward you for your efforts)
- Resteeming this and future posts about the extension
- Warning your friends about the ongoing phishing scamms
- Participating in the PR campaign that will be announced in a week
In form of upvotes I'll reward everyone who helps, so be on the lookout for my future post announcing the campaign that will last untill I feel like enough people have heard about and downloaded the winning extension.
thanks for the mention @runicar!
SteemGuard will be renamed because of an already existing bot called @guard.
The project development will start this week, I'll give you an update by the weekend.
Thanks!
Np, thanks for working on keeping the community safe!
WARNING! A link in this post by @runicar leads to a known phishing site that could steal your account.
Do not open links from users you do not trust. Do not provide your private keys to any third party websites.
Nice to see guard working his magic but sad in the same time because of the downvotes, hope I wont get attacked by a bot army for this.
Hi @runicar
I have tried extension steemed phish and check steemit link. And I've created a tutorial of use for both with indoensia language. I choose and recommend steemed phish to users. Because steemed phish has the ability to unshorten phishing links and has a blacklist that is always ready to update. Thanks to @quochuy for his great job
Here is my post related steemed phish
Steemed Phish :
and this link about check steemit link :
Great work, thanks for spreading the word and giving input about the extensions. Will upvote your posts tommorow when I recharge a bit.
Thanks @runicar for your support
Resteemed and will encourage others!
Thanks, much appreciated!
This is great news! I might reference this post in my next issue of Unlocking the Power of Chrome, if that is okay with you. Probably just a couple of sentences since you have already covered everything really well here!
Of course you can! Throw a link back to this post for people who want more info :)
Awesome, Thanks! I will probably write about it in my next post on Wednesday.
Nice! Hit me up when you post it.
Here you go! https://steemit.com/chrome/@bozz/unlocking-the-power-of-chrome-issue-28
@quochuy did a pretty great job out there :)
It sure is a great help and will be of help to many :)
Hey @runicar. I originally heard about this from @codingdefined when he began work on his extension.
As the leader of a community (@thesteemengine), extensions and resources like these can be incredibly valuable to protect the accounts of our members. This is also useful information since I am working on a project called The Beginner's Guide to Steemit, and I addressed phishing briefly in the Security lesson.
I'm going to share this post with my community, which will hopefully get some more people to try out both extensions and give feedback. I'm going to use the extensions also and hopefully be able to also provide input.
Once again, from myself and the members of @thesteemengine, thank you for hosting this contest and seeking to help keep Steemians safe from scams.
Thanks for the support! It's highly appreciated.
We really need it. Looks like many scammers are here lately. My account was stolen yesterday and abused :( They upvoted their own comments and downvoted other users. They stole many accounts and transferred money to their other account.
Sad to hear that, do you know how you landed on the phishing site? And which one was it so we can add it to the blacklist.
Yes one user commented on my post and I followed the link :(
I wrote this post yesterday regarding the what happened and shared more photos.
https://steemit.com/steemit/@hanen/my-steemit-account-was-stolen-and-recovered
They steal accounts with high reputation to make people trust them :(
I hope this can be helpful.
Can you send me the exact comment youclicked on so I check which clone is it. The one we already got blacklisted or a new one.
yes it is this one:
Also check the comments from their other account:
https://steemit.com/@angela-noel/comments
Thanks, the extensions work great and warned correctly. Be sure to get them installed so that you never have to worry about this issue any more.
OK great. i will install it. Thank you very much :)
Okay I gotta catch some sleep but I promise to do this first thing in the morning. WIll edit my comment :)
Thank you!
Hope you didn't forget about it :)
I resteemed so I would not forget for sure, but here we are. Having this convo lolz Gonna put my mind to it in a min!
Great, btw you missed my last comment from yesterday. Dankweedguyz, can't wait to get back to Slovenia for some fire skunk :)
oh, I guess I did. Mahh man, make sure to hit me up when you visit! Did you join the weed challenge=? Its super easy and fun!
Will do :) Where are you at if it's not a secret? I try to help @ggirl with the challenges but we are somehow always off. Dunno why but your nugs always look lighter than they actually are :) But I'll start participating on my own from now on.
Congratulations @runicar, this post is the forth most rewarded post (based on pending payouts) in the last 12 hours written by a Superuser account holder (accounts that hold between 1 and 10 Mega Vests). The total number of posts by Superuser account holders during this period was 1357 and the total pending payments to posts in this category was $7153.72. To see the full list of highest paid posts across all accounts categories, click here.
If you do not wish to receive these messages in future, please reply stop to this comment.
sorry for the downvote but because of the vote you got here it just ruins the flow of my comment section