50 SBD Bounty To Make an Anti-Phishing App For Steemit

in #bounty, 4 years ago (edited)

I'm still shocked by the recent, outrageous attack by a malicious user operating several Steemit clones, the magnitude of the scam and how it all played out. He/she got control of a couple of established Steemians with 60+ reputation and spammed out comments containing links to the cloned Steemit pages. Dozens more low-rep accounts were stolen and spammed out the same or similar messages, affecting thousands of users with one goal: get their keys and rip them of their time/effort/intellect spent on here.

People are people and many who got redirected to the clones didn't notice the obvious mistake in the url but that's understandable. I'm one of those people who actually managed to send coins to a wrong wallet on bittrex (took me 2 months to get them back) so I can understand when you are just on autopilot and don't notice.

This is just the beginning of a problem which will be ever increasing in the future as Steem price goes up and our wallet's values follow.

The goal


I was determined to find a solution that will make it impossible to get phished, ever again. I figured that we need an app to alert us of any malicious websites where an unsuspecting Steemian might enter their password. I realized it would be best to utilize the power of Steemit to find skilled developers to make it. So in my first ever dtube video I offered 50 SBD and @ebargains donated another 25 SBD to the person who makes the app. After a harsh day of promoting the idea and searching for devs in every possible Steemit-related discord server, the next day I got so many people that took the offer and wanted to participate that I couldn't do anything else other than make it into a contest and include the community in the testing and voting process.

App Guidelines

  • Must be a Chrome extension

  • The code must be open source and will be checked to ensure it has no malicious code or security flaws that could make it vulnerable in the future

  • Whitelisting/blacklisting/algorithm that can recognize websites trying to emulate the originals or any other method to recognize the scam websites can be used. I don't care which way you go. I just want it to work, 10/10

  • When entering a scam site the app needs to display a warning (the bigger, more obvious and harder to get by, the better :) full page warnings are the best solution

  • Has to have a submit option for users to alert of new phishes which would then be evaluated and added if necessary

  • The UI can look however you like, it doesn't really matter that much as we are going with functionality, not good looks

  • When finished add it to Chrome store and contact me on discord with a small write-up about how it works

  • The winning app (depending on how it works) needs to always be up to date and work correctly because if a phish gets through and someone loses their keys with the app on we are losing the whole point of making it in the first place

  • If the winning app needs a server to operate the developer will if possible pay with fiat for the service and I'll give them that much in SBD/Steem (I would give you the fiat if I could but I can't and I hope that it's not a problem, if it is we will find a way around it)

  • You have exactly 2 weeks starting from today to finish your app after which I will present all finished apps to the community who will then have a week to test them and decide which one they like the best. They will then vote for their favorite app and with that taken into consideration, I'll choose a winner.

  • Testing will be done by trying to enter the currently operating Steemit clones

  • First place will get 50 SBD while 25 SBD donated from @ebargains will be evenly split amongst those who made a functioning app. Any possible new donations will be evenly split amongst the winner and the rest.

If I missed something feel free to contact me on discord with your questions. My nick is same as here.

I hope

That when the app/testing/voting is done that the winning app itself will become a tool used by countless Steemians who want to stay protected but don't want to be constantly checking the URLs to ensure safety.

That the app will save thousands of passwords that would otherwise be snatched away by malicious users.

That the app will get so popular amongst Steemians that it will discourage any new attempts of making a phishing website.

That this will make Steemit safe for everyone again. Even the most careless of us.


If I can find some time to spare I will help whomever is already working on this application (or if no one is, will build it myself).

You can ask @roj or @quochuy if they need any help, if not you can do it alone.

Wow did not know this was a thing. Thanks for the warning. Hope your campaign is successful.

Thanks for the warning and launching this contest. Hopefully all the developers involved will find a great idea. Maybe at the end all should help the winning extension and contribute to making a single strong app rather than making many different ones all doing different things.

Today I also noticed that Steemit.com has updated its UI to help with phishing links. Whenever there is a link that takes you away from Steemit, they add a little icon next to the link, like this:
[image]

So look out for it while waiting for the Chrome extensions to be available.

That's a great idea. I never thought we would have more than one functioning app so if all of you who made a functioning app could work together to make the winning app even better, that would be awesome!

What an awesome contribution, thanks!

Edit : https://steemit.com/utopian-io/@codingdefined/phishing-link-checker-chrome-extension

I will create the extension. A few things I know: whenever there is any link which is not a Steemit link in the Transfer Memo, we will mark it as RED to specify that it can be a phishing link. And add all the links which can be phishing to not show to the user.

Nice, contact me on discord, nick same as here.

I am sure there is no way by which a script can guess if a webpage is not the original one.

It can work if the webpage is marked by someone using the extension as fake.

It'll work like a webpage abc.com looking like Facebook. A user ends up on abc.com and realises that the page is fake, he'll click the button and the URL will be blacklisted straight away (or after someone's manual approval).

So, when another extension user will end up at abc.com, as abc.com is already in our blacklisted database, I can show the message however we want to do.

Let me know if I'm getting it right or wrong..


You are mostly right.

Google has an anti-phishing extension that does not try to detect fake Google sites. Instead it detects when a user uses their Google credentials on a non-recognised Google website.

Sometimes, you could analyse the source of the page and see if the current page contains a recognised pattern and if the domain name is not whitelisted then show a warning.

All those methods are not 100% accurate or effective, which is why I use a combo of methods to try to catch as many cases as possible.
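A sketch of the "combo of methods" idea discussed above, added here as an illustration and not taken from any extension in this thread: a whitelist, a user-reported blacklist, a lookalike check by edit distance, and a page-content pattern check. The list contents, the distance threshold of 2 and the page patterns are assumptions; taking the last two host labels as the registrable domain is a simplification.

```javascript
// Added example. Lists, threshold and patterns are constructed for illustration.
const WHITELIST = ["steemit.com"];
const BLACKLIST = new Set(["steemil.com"]); // clone domain named in this thread
const PAGE_MARKERS = [/steem/i, /posting key|master password/i]; // hypothetical

// Levenshtein edit distance, computed row by row.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// True when host is a listed domain or one of its subdomains.
function onList(host, list) {
  return [...list].some((d) => host === d || host.endsWith("." + d));
}

function classify(url, pageText = "") {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return { verdict: "warn", reason: "unparseable URL" };
  }
  if (onList(host, WHITELIST)) return { verdict: "allow", reason: "whitelisted" };
  if (onList(host, BLACKLIST)) return { verdict: "block", reason: "blacklisted" };
  // Lookalike: registrable part (last two labels) within 2 edits of a trusted domain.
  const base = host.split(".").slice(-2).join(".");
  const near = WHITELIST.find((d) => editDistance(base, d) <= 2);
  if (near) return { verdict: "block", reason: `lookalike of ${near}` };
  // Trusted name used as a prefix or subdomain of an unrelated host.
  const embedded = WHITELIST.find((d) => host.includes(d.split(".")[0]));
  if (embedded) return { verdict: "warn", reason: `${embedded} name in foreign host` };
  // Page asks for Steem credentials although the domain is not whitelisted.
  if (PAGE_MARKERS.every((re) => re.test(pageText)))
    return { verdict: "warn", reason: "Steem login pattern on unknown domain" };
  return { verdict: "allow", reason: "no signal" };
}
```

Each check covers a gap in the others: the blacklist only catches clones somebody has already reported, while the distance and pattern checks catch new ones at the cost of occasional false positives.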

Nice idea @runicar because there are lots of it and I know somebody who was telling about how his rep dropped when he does not know how it happened also they keep spamming with different websites like steemil.com...

There is another one I saw but it's obvious that it's a scam, but a newbie might not know

My little advice for people is to stay away from platforms that are not having good reputation on steemit like @dlive, @dmania, @busy, @esteem those have good reputations unlike sites promising you 1000 followers in the name of allowing you to login and steal your hard work on steemit

The picture below is an example of one a friend of mine was a victim of
[image]

If you have not known much about steemit stick to steemit.com because there is no shortcut just flow with the journey

Good work @runicar I wish I can be part of the app project

yeah right the problems will increase more day by day if price of steem will increase

Thank you for this great posts.
Keep on the good work
I will follow you, please you can follow me too @bafspotlight.

Yeah. One of my friends became a victim of phishing. We should be a bit careful and really it is a waste of time and hard work. I feel pity for those who lost their passwords to hackers :(

wow !! nice writing ...
I also face this problem.....
What should i do ?? @runicar

a good post ,You only need a few hours to get it, It's different with me so it takes a very long time once a year to get it and even not necessarily I get.

Greetings from Venezuela I follow you and vote

Very good post friend greetings I follow and vote from Venezuela

The way not to get phished: always check for the correct URL. Double check.. triple check and so on.

The version 0.0.14 of my extension is now out, it currently:

  • shows a full page warning with a link back to Steemit
  • shows an alert dialog every 15 seconds if you decide to stay on the blacklisted website or dismissed the full page alert
  • changes the Steemit.com external link marker from grey to red for better visibility
  • highlights blacklisted (scam) links in red and stricken through

Available here:
https://steemit.com/utopian-io/@quochuy/steemed-phish-v0-0-14-is-out-a-chrome-extension-to-protect-yourself-from-steemit-like-phishing-scam-websites

nice post @runicar


U see another thing like this

I don't know what this is but I will not touch it

You can touch the flag top right corner

@runicar thanks for the alert

hi, @runicar
Thank you for writing good.
I will follow you and I hope to write better in the future.

Follow me ( @wonsama ), I'll be providing Korean realtime news every 1 hour.

Your post runicar is very good and I like it.

I will follow you, you can check my article about MINEN ICE ROCKS and give me your feedback!

My article MINEN ICE ROCKS

Keep it up.