Server sync... Block time in database: 1613352738, server time: 1653787433, offset: 40434695

Steem Blockchain: Phishing/Hacking Response



Image source and phishing information


Phishing and hacking are both taken extremely seriously on the Steem blockchain. Although these incidents are becoming less frequent due to the hackers/phishers moving away from Steem for easier targets (we try to make it as difficult as we can for them), they still occur from time to time.


The purpose of this post is to advise you as to what to expect when a phishing/hacking incident gets reported to myself, one way or another.


Typical phishing/hacking response


All or part of the following steps get covered for each reported incident.


Manual check of all transactions


Every transaction that has to do or potentially has to do with the incident is manually checked. The hacking is then confirmed or an alternate reason for the alarm is found.


Mute by @plentyofphish


The @plentyofphish account holds the master list of hacked accounts on Steem. The list is accessible through querying who the account has muted. Once the owner recovers the account, it is unmuted to remove it from the list. (More information on the Plenty of Phish project can be found here http://pofpofpof.com -- the account is largely maintained by @bullionstackers) ## Marking downvote by @plentyofphish
There are times the account will downvote a post to mark it for future investigation or to remove rewards that the hacker is awaiting. (When @plentyofphish isn't fighting hackers, it's being used to fight spam)


Add to Github list


The name of the hacked account is added to the Github list (found in the Plentyofphish repository at https://github.com/gryter/plentyofphish) of all hacked accounts.


Add to Phishing list on Spaminator/Mack-Bot interface


The account is added to the main list for downvotes by the Spaminator/Mack-Bot bots. The bots are manually restarted to make sure that the list is adapted that very second.


Comment on account


A comment is left on the hacked account to make sure that the owner knows that they've been compromised. Often, account owners are unaware until funds start getting removed from their wallets. The comment may be left by an official account or a personal account belonging to one of the Steemclcleaners (@pjau or @logic aside from myself).### Coent and flag by @quarantine
The @quarantine account will come in and provide a warning and explanation comment, as necessary. It will also downvote to ensure hackers do not receive rewards.


Manual downvote or nuke, as deemed required, by either Spaminator or Steemcleaners


The nuke demolishes the reputation of an account, making it unattractive to hackers. The goal is to make the hacker abandon the account so it may be recovered by its original owner.


Contact with account owner, often through various intermediaries


Additional effort to reach the account owner, which sometimes includes phoning them or messaging them, is undertaken to ensure they are immediately aware of the situation and can react before their funds are stolen and account damaged.


Message to trustee account operator if not @steem


Where the trustee of the account (the account that created it and acts as a recovery) is not @steem, a message is sent to them to give them the heads up that they will need to run their recovery script soon. That lets them prepare for when the user initiates recovery and we all collectively make sure that the user has the correct information on how to recover.


Warning messages by @guard


Where a hacked account is used to spread phishing links, @guard (run by @anyx) and @arcange will provide warning comments as applicable to ensure no one clicks on them.


Recovery followup


When the account receives its recovery email from @steem, due to certain discrepancies in Steemit Inc's mailing system, follow up is needed to make sure the account is indeed recovered. (More details below.)


We've gotten the above down to a science through years of practice.



This is what the @plentyofphish repo looks like. Easy for everyone to understand and browse.


@Steem Recovery Issues


Since the split between the main steemit.com website from its wallet, or steemitwallet.com, recovery emails have not worked without tweaking. This is a known issue that the Steemit Inc team is working to correct. To get a recovery email to work you must replace steemit.com in the emailed recovery URL with steemitwallet.com. The URL will then work.


False Positives


You can also see by the above list how many people are potentially involved in rectifying a single incident of phishing. This includes false positives or suspicious incidents that are treated as a potential hacking.


For example, when one user mistakenly made an out-of-character post revealing a DTube key, the following people were involved aside from myself: @ookamisuuhaisha reported the suspicious post in the Steemcleaners Discord, @justyy contacted the user through an off-chain method, @bullionstackers helped investigate, @heimindanger clarified the process and the mistake that led up to the post. That's 's four additional people fa single case.


This type of a response is the norm. In a real incident, the speed of the response is the main factor.


Challenging Cases



Pixabay: Image by qimono


Hacking that involves users that are specifically targeted is usually very challenging to deal with. There are typically additional elements involved such as the hacker being someone the victim knew and trusted. These are rare.


You can see by the false positive example above how many unrelated community members it takes to rectify just one small incident. Those numbers are greatly amplified where an actual case is identified, particularly where it is either a large account whose hacking can cause additional repercussions or it's a targeted case.


The largest most-complex case we dealt with involved a number of Steem developers and witnesses, Steemit Inc team members, and several external cybersecurity/police specialists. All of these people volunteered their time and expertise.


Part of what I do is keep track of cases where a hacking or other malicious act occurred. Even where I don't publicly disclose the knowledge, I am fully aware of who is responsible for which scam. Particularly when it has to do with a compromise of someone else's account or system. Keeping up the level of awareness helps in learning from the previous incidents to effectively respond to anything that will happen in the future and keep the Steem ecosystem better off.






Comments 18