Login
Signup
Write a post
Switch light

Don’t get hacked - How to be Smart!

81
7 years ago
in#steemit

Don't get hacked - How to be Smart!

The number of accounts being hacked in the last month or so has climbed significantly. In the last few months, the amount of phishing happening on the blockchain has skyrocketed. The number of hacked accounts has gone up as a result.

What is phishing?

Phishing is the practice of confusing a victim into clicking on a link thinking it is someone else. In the case of Steemit, users are posting links that leave Steemit and go to a site that looks and feel like Steemit and then asks for a username and active key. If you enter your key, they gain control of your account, drain your funds, then use your account to attempt to phish other users.

Example

A good example is this victim who was hacked and used to attempt to phish more users.

This is a small account but you can see the user's funds were drained immediately and then set to post comments on other threads luring in more victims.

If you look at the attacker, you can see many have fallen for this trick and funds have been sold on the exchange immediately.

How not to be a victim

This is surprisingly easy, but I will give you a few tips.

Look for the icon that represents an external link.

In the above example comment, you can see an external link icon that tells you the link will take you away from Steemit. This is your first warning you need to be careful and pay close attention to what you do next. If you are then asked for a Steem username/password, you are likely being phished.

There are some situations this is not the case, for example when following a link that uses SteemConnect. SteemConnect is considered safe by many and is more secure than trusting a third party with your private keys.

The important thing here is did you expect to be prompted for a username or password? If you click a link that asks you to vote for a witness, you can expect a username/password prompt to follow. If it is SteemConnect, it will tell you the action being performed prior to asking you to log in with your username and private key.

For example, if you in my footer you will see an animation asking for a witness vote. If you click on the image it will bring you directly to SteemConnect with the action to vote for @themarkymark as witness (you should, if you are not sure why, check this out)

This is an expected action when clicking on a link to vote for a witness to be prompted to vote for a witness. Now if it said transfer funds or something different, I'd have serious problems continuing and would contact a witness or someone you trust.

This doesn't mean all SteemConnect links are safe, you need to trust who you are giving access to. If someone posts a link about looking at a picture of their dog, and all of sudden asks for posting authority, you likely have a problem.

Look at the address bar

Look at where you are and confirm you see you are in fact on the site you think you are. If you are on Steemit, you can confirm in the address bar it is, in fact, Steemit and is a secure encrypted connection.

If you are prompted for a SteemConnect link like the witness vote above, you should confirm you are actually on SteemConnect.

Secure SSL Icon

This is handled differently in different browsers. This does not confirm you are actually on a safe site, but a lot of phishing attempts use improper SSL certificates and when combined with confirming the URL step above, should help prevent a lot of phishing attempts.

Secure Site - Chrome

Secure Site - Firefox

You can click on the lock icon to get more information about the certificate if you are unsure of where you are and if the site is legitimate.

It is not impossible to get a valid SSL certificate for a domain you do not own, so you always need to confirm the URL if you are unsure of where you are.

Common Sense

This is your best defense if you click on a link and immediately prompted for a password you need to take a moment and think if this is what should have happened. Do some due diligence, look at the URL, check the SSL, check the full URL and see if you see any clues to what is being done.

If it is too good to be true, it likely is. If someone promises you upvotes for life if you sign into their site or endless followers, you are likely about to be duped.

At this time, a large amount of non-Steemit links in the comment section are spam and phishing attempts. Look at the users reputation, if it is below 60 I would be very concerned about clicking a link from them. Reputation isn't hard to abuse, but low reputation is usually more accurate than high reputation. You need to use all available information to make a decision if you are going to trust someone with your private keys.

In most cases, I would suggest never handing over your keys to any third party. It is one thing to have your posting key compromised as this is easily recovered and only results in someone having access to post, comment, and vote with your account, but if you give up your active key they can change your keys, lock you out, and steal all your funds. Even if you know who hacked you, your funds are likely gone for good.

These techniques are nothing new, it is the same common sense rules you should use when opening any email or website. If you don't feel you are comfortable with any of this, look for a cybersecurity awareness training course, there are many well-known companies who offer this for free.

Anyone on the Internet in this day in age should be able to protect themselves against most phishing and hacking attempts using common sense and due diligence.

If you are still unsure about someone, ask someone you trust or jump on Steem.chat and go into the #help channel. In most cases you don't need to do what you are doing immediately, take time and make the right decisions.

Don't be a victim

X48EJ

Why you should vote me as witness

Witness & Administrator of four full nodes

themarkymark.png

My recent popular posts

STEEM, STEEM Power, Vests, and Steem Dollars. wtf is this shit?
The truth and lies about 25% curation, why what you know is FAKE NEWS
WTF is a hardware wallet, and why should you have one?
GINABOT - The Secret to your Sanity on Steemit
How to calculate post rewards
Use SSH all the time? Time for a big boy SSH Client
How to change your recovery account
How curation rewards work and how to be a kick ass curator
Markdown 101 - How to make kick ass posts on Steemit
Work ON your business, not in your business! - How to succeed as a small business
You are not entitled to an audience, you need to earn it!
How to properly setup SSH Key Authentication - If you are logging into your server with root, you are doing it wrong!
Building a Portable Game Console

steemitsecurityphishingbusyscam
7 years ago
themarkymark81
Posted from One Bitcoin Club
$ 132.62
157
H2
H3
H4
Upload from PC
Video gallery
3 columns
2 columns
1 column
38 Comments