Introducing @guard -- a Proactive Measure to Limit Phishing on Steemit


As many of you might know, there have been several phishing attempts on users here on Steemit, aimed at stealing your private keys. As a reminder to all users, please be careful when clicking links and entering your private keys! Do not open links from users you do not trust. Do not provide your private keys to any third party websites.

Phishing is an extremely invasive attack that can become exponential if not contained early, similar to how a virus works. Once the phisher gets a hold of a posting key of another account, the newly infected account can then also be used as a carrier to try and spread the infection. The only way to immunize against such a threat is to start early, and pro-actively attack the commonality (the virus) rather than post-actively quarantine users as they become infected. Worse, users infected may have their funds stolen -- the damage has already been done. We want to prevent more users from being infected immediately.

To address this, I have created @guard. Rather than work of a list of known infected accounts, @guard instead searches for the phishing links themselves, and presents a warning any time one is detected. Despite attackers attempts to hide phishing links (such as with link shorteners), @guard will still catch them.

With this introduction to @guard, please understand the following two pieces of information on how to help us fight phishing.

1. How to Properly Warn Others of Phishing Links

While it is great that users are warning others of phishing links, including the phishing link itself in the warning can actually lead to accidentally spreading the infection! It is important to be careful. Try to make sure when commenting/warning about a phishing link, to avoid using the url itself. This includes links you think may not be clickable (such as removing the www, or http://), as some browsers / extensions can make them clickable anyway.

Furthermore, it is not possible to programically determine if a user is warning of a phishing link, or actively trying to phish, if both cases use the phishing link itself. To this end, please, when warning others, try to use something un-clickable like badwebsite(dot)com.

2. Reporting Discovery of new Phishing Links

As this method of prevention does need to be updated when new phishing links (e.g. new domains) are discovered, timeliness is important. If you find a link you believe to be phishing (and wasn't already automatically caught by @guard, or manually found by @steemcleaners), please report it immediately to @steemcleaners via our discord chat. If unavailable, you can try directly contacting a @steemcleaners member.


That's it. If you have any thoughts/questions/recommendations about the bot, feel free to comment below!



Like what I'm doing for Steem? If you want to see development of Steemcleaners and associated efforts continue, please vote for me as a witness here!

H2
H3
H4
3 columns
2 columns
1 column
93 Comments