Three weeks ago I wanted to raise awareness of the ongoing phishing scams operating to steal your keys and used the power of the Steem blockchain to find skillful developers that will help solve this issue. CAUTION: Steemit Clone Stealing Passwords + 50 SBD Reward for an Anti-Phishing Browser Extension So many people showed interest that I needed to make it into a contest but in the end only two of them actually made the extension. I'm really pleased with the results and am hoping that we will once and for all prevent all phishing attempts on Steemit.
@quochuy made Steemed Phish
Download it here
The extension works with:
- a whitelist of friendly Steemit websites
- a blacklist of known scam websites
- checks of external links on friendly websites and make them obvious
This extension will validate Steemit related websites by changing its icon color:
- red is for blacklisted sites
- green is for recognised friendly sites
- grey is for unrecognised sites
When a site is neither whitelisted or blacklisted, Steemed Phish will try to check the URL structure to find known patterns and flag a link as supsicious by coloring it in pink.
There are currently 19 blacklisted websites and 31 whitelisted websites.
Phishing Alerts
If a user lands on a phishing website, Steemed Phish will display two types of alerts:
- a dialog that shows up even if the page was loaded in a tab in the background
- a full page alert, that covers the whole phishing page and offers a link to go back to Steemit.com. The full page alert also reminds the user of not using their Steemit Keys on unknown websites and keep their password (Owner Key) safe.
When landing on a phishing site the app will warn you and prevent any action untill you confirm the warning message
Once the page is loaded the app will display a full page warning when possible
Expand shorten URL
Some links are shortened using services such as bit.ly, this prevents people from easily analysing the URL of the link. Steemed Phish uses a link expanding API to determine the destination URL of a link and then compare it again against the white/blacklist logic above.
Making external links more visible
Ideally, a user should be more careful on links they are clicking on by always paying attention to the URL of an anchor. But this is easier said than done and even the most experienced user can let down their guard sometimes and get tricked by the scammers.
Recently, Steemit.com, has added a feature that marks external links with a grey icon on the right of each links. Steemed Phish will make that icon more obvious by coloring it in purple. On top of that, it will make a bubble appear next to the mouse cursor with a text explaining the fact that clicking on the link with leads you away so don't use your password. This bubble won't show up on friendly (whitelisted) websites.
Roadmap and potential ideas
- make a bot that browses steemit for reports and extract URLs to be added to the blacklist
- make a bot that follows another bot (@guard) and listens for its downvotes and update the blacklist accordingly
- monitor the https://steem.chat/channel/steemitabuse channel for more URls to be added to the blacklist
- If Steem Guard project goes live, use its API to update the blacklist: @hernandev/proposal-steemguard-phishing-and-scam-protection-tools
@codingdefined made CheckSteemitLink
Download it here
CheckSteemitLink warns when going on a non Steemit link and it does the same for wallet messages containing links. Although this might be confusing for many users imo it's still a great tool for all the unsuspecting people rushing to throw their keys away.
For more info check his video and utopian posts:
Phishing Link Checker Chrome Extension
Phishing Link Checker Chrome Extension - Update V1.1 and V1.2
Now its your turn to test and vote for the best extension
As noted in the previous post I highly value communities opinion, so now is your time to test the extensions and let me know what you think about them. Especially if you have ideas or skills to make them better.
Currently operating phishing scams to test on:
https://sleemitdotcom
http://steemildotcom/
NOTE: Dot is in the links to avoid flags from project @guard aimed to protect and warn the community of phishing scams. To see the websites obviously replace dot with . and don't enter your credentials there there as this are known phishing scams. Just test the apps and tell me how you like them.
If you know of any other phishing scams please leave a comment so we can update the blacklist.
Winner will be announced in a week and rewarded with 50 SBD, the other dev will get 25 SBD donated from @ebargains
Then it's just a matter of promoting it and getting the word out
In a way that we get maximum coverage and visibility. Because if only 100 people will use it, we didn't do much.
You can help by:
- Writing a post or making a dtube/dlive video explaining the problem and solution ( use #nomorephishes tag so I can find the post and reward you for your efforts)
- Resteeming this and future posts about the extension
- Warning your friends about the ongoing phishing scamms
- Participating in the PR campaign that will be announced in a week
In form of upvotes I'll reward everyone who helps, so be on the lookout for my future post announcing the campaign that will last untill I feel like enough people have heard about and downloaded the winning extension.