Community reported !phishing - automation added to @keys-defender
Following up on my previous work to counteract phishing (1. auto-replies and 2. a universal script to block phishing links in all Hive frontends), I now present a way for the Hive community to actively participate and stop phishing campaigns in a timely manner.
How does it work?
As soon as you spot a phishing link targeting the Hive ecosystem and being spammed on any platform (one of the Hive frontends, Discord, etc), post on any Hive frontend a comment structured in this way:
- Mention @keys-defender
- Include the command "!phishing"
- Add the phishing link - eg. https://givemeallyourhoney.com/airdrop
Outcome: @keys-defender will add the reported phishing domain to its banlist and will immediately start replying to the phishing comments and counteracting the transfer memos, so that users are warned about the phishing campaign in time.
Usage example:
https://hive.blog/hive-148441/@keys-defender/qq9fz0
Who controls the banlist?
Can anyone add a domain to the banlist? Kind of. In order to prevent abuse, some limitations are in place.
The types of users that can immediately blacklist a domain are:
(apologies for the mass tag)
- myself 👈
- Any top-40 witness 👉
- Any trusted user - current list 👇
@gaottantacinque, @hivewatchers, @hivewatcher, @spaminator, @enforcer48, @logic, @joshman, @shmooglesukami, @penguinpablo, @jlsplatts, @splatts, @anthonyadavisii, @steevc, @hiveseph,
@louis88, @saboin, @memehub, @antisocialist, @reazuliqbal, @r0nd0n, @edicted, @slobberchops, @taskmaster4450, @aggroed, @tarazkp, @drutter, @solominer, @steemseph
Any other regular user can add domains to the banlist too, BUT at least 3 reports from different users with a reputation above 50 are required for the entry to be automatically added to the banlist.
https://hive.blog/hive-148441/@marcocasario/qq9gcd
Perks:
Every report gets a ~$0.25 upvote.
(Users that abuse this feature will get heavy downvotes from me and my flag trail)
Further countermeasures and tracking:
Every single report triggers a notification to my Discord server.
This allows me and the other volunteers (with a role assigned) in my Discord to take action, e.g. contact the hosting service to take the phishing website down.
This also allows us to have a record of who reported what (and every report is immutably stored in the Hive blockchain for everyone to see).
Where is the banlist stored?
It's stored in the Hive blockchain itself -> https://hive.blog/hive-193084/@keys-defender/phishing-db
To see all the changes performed to it over time check out: Hive Scribe or Hive-DB
Whitelist:
What if a rogue user tries to ban a legit domain just to cause trouble?
To prevent such a scenario there is a domain whitelist in place. For example, if an attacker controlling 3 accounts with reputation above 50 tries to add peakd.com to the banlist in order to cause mass spam from @keys-defender, they won't be able to.
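The decision logic described in the sections above (command format, who may ban, the 3-report threshold and the whitelist), written out as an added example; it is not @keys-defender's own code. The function names, status strings, the sample `ALLOWLIST` entries and the witness set passed in are assumptions.

```javascript
// Added illustration of the reporting policy; every name below is an assumption.
const OWNER = 'keys-defender';
const TRUSTED = new Set(['hivewatchers', 'spaminator']); // subset of the page's trusted list
const ALLOWLIST = ['peakd.com', 'hive.blog'];            // constructed sample of protected domains
const MIN_REP = 50;    // regular reporters need a reputation strictly above this
const MIN_REPORTS = 3; // distinct regular reporters needed for an automatic ban

// Protect a legit domain and all of its subdomains.
const isAllowlisted = (host) =>
  ALLOWLIST.some((d) => host === d || host.endsWith('.' + d));

// Hostname of the first link, without "www." or a trailing root dot; null if no link.
function extractDomain(body) {
  const m = body.match(/https?:\/\/[^\s"'<>)]+/i);
  if (!m) return null;
  try {
    return new URL(m[0]).hostname.toLowerCase().replace(/^www\.|\.$/g, '');
  } catch {
    return null; // a malformed URL is treated like a missing link
  }
}

function createReportProcessor(topWitnesses = new Set()) {
  const banlist = new Set();
  const pending = new Map(); // domain -> Set of distinct regular reporters

  function report({ author, reputation, body }) {
    // The @keys-defender mention is optional (test G); the command is not.
    if (!/(^|\s)!phishing(\s|$)/i.test(body)) return { status: 'ignored' };
    const domain = extractDomain(body);
    if (!domain) return { status: 'link_missing' };
    if (isAllowlisted(domain)) return { status: 'allowlisted', domain };
    if (banlist.has(domain)) return { status: 'already_banned', domain };
    const privileged =
      author === OWNER || TRUSTED.has(author) || topWitnesses.has(author);
    if (!privileged) {
      if (reputation <= MIN_REP) return { status: 'reputation_too_low', domain };
      const reporters = pending.get(domain) || new Set();
      reporters.add(author); // a Set ignores repeat reports from one account
      pending.set(domain, reporters);
      if (reporters.size < MIN_REPORTS) return { status: 'recorded', domain, reports: reporters.size };
    }
    banlist.add(domain);
    pending.delete(domain);
    return { status: 'banned', domain };
  }
  return { report, banlist };
}
```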
Future development:
The list of community reported phishing domains is now in use by @keys-defender, meaning that after a domain gets added to the banlist, @keys-defender will immediately start replying to any new comment containing that link.
The next step is to update and release a new version of my universal script for Hive frontends so that all Hive frontends using it will not only consume @spaminator's API (that still needs a quick fix), but also @guiltyparties's banlist and mine.
My phishing domains banlist will be an initial copy of @spaminator's plus all the community reported links.
Testers required
Test plan:
A. Myself blacklisting a domain - PASSED
B1. My non-whitelisted alt account with reputation above 50 reporting the testing domain https://steemispoop.com - PASSED
B2. 2 more accounts with reputation above 50 reporting https://steemispoop.com - PASSED
C. 1 account with reputation below 50 reporting a link - PASSED
D. 1 top-40 witness reporting the testing domain https://phish-test-domain1.com - PASSED
E. 1 whitelisted user reporting the testing domain https://phish-test-domain2.com - PASSED
F. Any account reporting a phishing link and forgetting to add the link (ie. "@keys-defender !phishing") - PASSED
G. Any account not including the mention to @keys-defender (PS. now supported) and reporting a phishing link already known - PASSED
H. Any account posting a comment with a link that has just been put in the banlist by other users - PASSED
PS. All tests are now successful, thanks everyone!
- XSS vulnerabilities in #########.com
- XSS vulnerabilities in hive-db.com
- XSS vulnerabilities in scribe.hivekings.com
- XSS vulnerabilities in hiveblockexplorer.com
- Malicious ads redirecting all Steemit iOS users to a phishing site
- Reverse tabnabbing and clickjacking in steem.chat and steemit registration page
Other contributions:
- Universal script to prevent phishing in all Hive frontends
- Commands for community reports and ban lists
Keys-Defender features:
- Phishing protection [live scan of comments and posts to warn users against known phishing campaigns and compromised domains, scan of memos]
- Re-posting detection [mitigates the issue of re-posters]
- Code injections detection [live scan of blocks for malicious code targeting dapps of the Hive ecosystem]
- Anti spam efforts [counteracts spam from hive haters]
Take care, @keys-defender (@gaottantacinque)
So.
When I get a DM from a stranger in Discord and it's "I won 3 bitcoin, click here to claim", I put in a comment.
@keys-defender https://the link from the DM
@thehive Yes, that will prevent it from spreading into Hive!
You forgot the !phishing command though.
Usage:
@keys-defender !phishing {somelink}
Thank you for your report but I was not able to process it: LINK MISSING.
Expected format: "@keys-defender !phishing https://somescam.com"
Fair enough 😅
@thehive please see my last comment above. For scams I’ll introduce a !scam command with a smaller reward.
Please post your tests as reply to this comment - 🙇
@keys-defender
!phishing
https://steemispoop.com
Thank you for your report, entry added to @keys-defender's database of phishing domains.
PS. notification removed
@keys-defender
!phishing
https://steemispoop.com
Thank you for your report, the PHISHING domain "steemispoop.com" was correctly processed.
Phishing domains can be blacklisted by a top 40 witness, a trusted user, or when at least 3 users with reputation above 50 report it - @keys-defender
@keys-defender
!phishing
https://phish-test-domain2.com
Thank you for your report, entry added to @keys-defender's database of phishing domains.
@keys-defender
!phishing
https://iamnotacryptorelatedwebsitebutwantyourkeys.net/pickyourairdrop
Thank you for your report, entry added to @keys-defender's database of phishing domains.
test https://iamnotacryptorelatedwebsitebutwantyourkeys.net/airdrop
PS. failed because it did not fetch the updated list of phishing domains in time. Now fixed to fetch the updated list right after each update.
PPS. it was actually because this account is whitelisted for the phishing auto-replies. It let me improve the update mechanism though.
Works also when I edit my comment and add another URL?
Yes, it should.
@keys-defender
!phishing
https://id09.ru/
Thank you for your report but I cannot process it because your reputation is not high enough.
Phishing domains can be blacklisted by a top 40 witness, a whitelisted user, or when at least 3 users with reputation above 50 report it - @keys-defender
@keys-defender !phishing https://steemispoop.com/airdrop
Thank you for your report, the PHISHING domain "steemispoop.com" was correctly processed.
Phishing domains can be blacklisted by a top 40 witness, a trusted user, or when at least 3 users with reputation above 50 report it - @keys-defender
@keys-defender !phishing https://steemispoop.com/login.php
Thank you for your report but I cannot process it because your reputation is not high enough.
Phishing domains can be blacklisted by a top 40 witness, a whitelisted user, or when at least 3 users with reputation above 50 report it - @keys-defender
@keys-defender !phishing https://steemispoop.com/login.php
Thank you for your report, the PHISHING domain "steemispoop.com" was correctly processed.
Phishing domains can be blacklisted by a top 40 witness, a trusted user, or when at least 3 users with reputation above 50 report it - @keys-defender
@b0t5-t3sting Your comment contains a link that is on my blacklist ❗ ❗ ❗
@keys-defender, do NOT click on the link above in their comment.
Link: "iamnotacryptorelatedwebsitebutwantyourkeys.net*" => DO NOT CLICK ❗
More info:
https://hive.blog/hive/@keys-defender/new-feature-phishing-detection-and-auto-reply
Comment 10% downvoted to make it less visible.
This message is self-voted to be more visible among others.
@keys-defender
@keys-defender
!phishing
https://phish-test-domain1.com
Thank you for your report, entry added to @keys-defender's database of phishing domains.
!discovery 50
This post was shared and voted inside the discord by the curators team of discovery-it
Hey! I think I goofed up. I wanted to help with the TODO B1, but I wasn't thinking about the fact that my main account was whitelisted, so I think it fudged your test.
Let me know and I'll give it another try.
I did the TODO D.
I can do the C as well since I have a bunch of alts that are below 50 rep. Is there any particular link that I should use for that?
No problem, I reverted B1. Thanks!
C seems to be passed too now..
Since C has now passed, I'll re-report the link with my main account since it's an actual phishing link that was sent to Discord.
@keys-defender
!phishing
https://id09.ru/
Thank you for your report, entry added to @keys-defender's database of phishing domains.
Cool stuff. I hope it reduces the risks of people getting fooled. Maybe some people will automatically flag the phishing comments.
!BEER
View or trade BEER.
Hey @keys-defender, here is a little bit of BEER from @steevc for you. Enjoy it!
Learn how to earn FREE BEER each day by staking your BEER.
https://twitter.com/tetrahedroseph/status/1374065281123815428
Very nice, okay let me try @keys-defender !phishing https://lemmebybit.com/
Thank you for your report, the PHISHING domain "lemmebybit.com" was correctly processed.
Phishing domains can be blacklisted by any top-40 witness, any whitelisted user or by at least 3 users with reputation above 50 - @keys-defender
Thanks, it's working really well. lol
Reminder: if the feature is abused it will result in $5 downvotes
All reports mention all my discord server users..
But I don't think that's an abuse since someone really sent me on DM. I thought you said it's fine to include the discord link?
If it’s phishing then yes it’s ok. Will verify later.
PS. It looks like it’s a scam but it’s not phishing and it’s not targeting hive:
https://www.google.com/amp/s/amp.reddit.com/r/Bitcoin/comments/k3psmc/report_this_scam_lemmebitcom/
Rules:
I can’t upvote all reports of the dozens of scams that run on discord, let’s start with only the ones targeting Hive.
I will introduce a new !scam command for that 👍
Ah okay, but it seems that's kind of a threat that downvote. Then we should or I should not report it next time especially if I'm not sure that it's really phishing. I have no evidence or proof that it's a phishing site. I just thought to try since it dm me on discord. If this is the case I regret now sharing that fishy link. If it's not, don't downvote it for a bigger amount. Just see it tomorrow but I'm telling you I have no proof.
Please see my updated reply above.
If you’re quite sure it’s phishing report it as phishing, if you suspect it’s a scam Google like I did “is {website} a scam” and if it is you’ll be able to report it with the !scam command. For the latter I plan on giving 0.02 upvotes.
I think this work is great, thank you for giving us something useful to defend ourselves and help...
I just tried that on a real case, and what I don't like is that I have to actually post that link myself
Worked around by:
https://steemit.com
Yeh I thought about that but your comment has the !phishing command so it should be pretty clear to readers.
The problem with having kd automatically detect the link from the parent comment is that it could have multiple ones and cause issues.
@keys-defender !phishing https://love69date.top/
Thank you for your report, entry added to @keys-defender's database "PHISHING".