Phishing via a forum’s Private Messages

We are all used to the phishing emails we get sent from “banks” and “auction sites”, trying to steal our logins for financial gain. A new phase has started where phishing messages are sent via the private message (PM) facility of a forum.

The motive in this case is pure revenge, but with forums being used for trading, deals and product promotion the trend is very dangerous, primarily because you believe you “know” the users, or at least have some sort of respect and trust between you.

Let's walk through the steps.

  1. Dodgy guy gets mad about something.
  2. Dodgy guy buys a domain that is very close to the forum's domain and puts a copy of the forum's “please login” page on it.
  3. Dodgy guy sends private messages to people saying “Please review the rules” etc. and includes the URL of the real message, but makes the link behind that URL point to his phishing domain.
  4. Nice guy gets the PM and is told he needs to log in. Odd, he thinks, but he logs in. This is especially easy if it's a kid on a shared computer who gets the PM via email, as the kid expects to have to log in.
  5. As Nice guy logs in his details are stored, and a script logs him into the real forum and transfers him to the real thread. Nice guy is none the wiser.
  6. Dodgy guy then uses Nice guy's account to send a stack of private messages to other people, people who no doubt know that Nice guy is nice, trust his message and … go to step 4.
  7. Wise guy gets a PM, smells a rat and lets the forum admins know what is going on.
  8. Admins ban Nice guy until they can verify he is who he says he is, and to stop Dodgy guy from using the account. This wastes admin time and is probably the ultimate goal.
  9. Nice guy can no longer participate in the forum. It's not personal; he was just too nice to suspect foul play in his own forum community. After all, that's what forum owners strive to do: make their forums a place where people feel at home. It's a shame that even then we still need to be on our guard.

So, what have we learnt?

  1. Check the URL of the link you are about to click.
  2. If you are unexpectedly asked to log in, check that you are at the site you think you are at.
  3. Contact the hosting company of the phishing site and ask them to remove it.
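As an added illustration of steps 2 and 3 and of lesson 1 (this is example code, not part of the original post), the following Python script checks every link in a PM body the way a wary reader or a forum's outbound-link filter would: does the visible URL agree with the real href, and is the target a dot-for-hyphen lookalike of the forum's own domain? The trusted host, the message body and the link targets are constructed sample values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the forum we trust and a PM in the style the post describes
# (the visible text shows the real thread URL, the href goes to a lookalike domain).
TRUSTED_HOST = "forum.example.com"
SAMPLE_PM = (
    '<p>Please review the rules: <a href="http://forum-example.com/login.php">'
    "http://forum.example.com/showthread.php?t=42</a></p>"
    '<p>Also see <a href="http://forum.example.com/faq.php">the FAQ</a></p>'
)

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url).hostname or "").lower()  # '' when the text is not a URL

def is_lookalike(host, trusted=TRUSTED_HOST):
    """Hosts that match once dots and hyphens are ignored, e.g. forum-example.com."""
    squash = lambda h: re.sub(r"[^a-z0-9]", "", h)
    return host != trusted and squash(host) == squash(trusted)

def suspicious_links(html, trusted=TRUSTED_HOST):
    """Return (href, reasons) for each link a reader should not follow blindly."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, shown = host_of(href), host_of(text)
        if target == trusted or target.endswith("." + trusted):
            continue  # genuine forum link (or a subdomain of it), nothing to flag
        reasons = []
        if shown and shown != target:
            reasons.append("visible URL differs from real target")
        if is_lookalike(target, trusted):
            reasons.append("lookalike of the forum's domain")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `suspicious_links(SAMPLE_PM)` flags only the first link, for both reasons; the genuine FAQ link passes.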

Let's hope we don't see too much of this!


7 Comments

  1. January 23, 2008

    Well written post.

    This is very similar to techniques used on a lot of social media sites (facebook, bebo, myspace etc.) Happens all the time. Someone getting hold of your login details can have a cascading effect …

    Two other suggestions to “what have we learnt?”:

    4. Always change your passwords on a regular basis.

    5. Don't use the same password for multiple logins.

    Oh – And don’t keep your bankcard pin number in your wallet either 😀

    My 10c

  2. January 23, 2008

    *Someone getting hold of your login details can have a cascading effect …

  3. February 2, 2008

    PLEASE HELP!

    I am very upset that someone is sending emails or pm’s to members of the Digital Point forum, claiming to be me. I don’t know what to do, but after reading the responses lately, it’s obvious my reputation has been damaged. The person claimed to be the “dadsworld owner”, and sent stuff to other DP members.

    I DID NOT SEND THIS! How does this happen? Someone is impersonating me and setting me up.

    Can’t you track this to find out who posted it? I never sign my emails “Owner of dadsworld”. THIS INFURIATES ME! Now I look bad and my company looks bad to the Digital Point forum users. We MUST get this straightened out. Please contact me and help me get my username reinstated and let the community know IT WASN’T ME THAT SENT THIS!!!

    Thanks again for your time. This is just unbelievable to me.

    Rick Gray

    President

    http://www.dadsworld.com

    rick@dadsworld.com

    503-475-497

  4. February 2, 2008

    Rick, you’ve been phished – you would have thought you were at forums.digitalpoint dot com but you would have been at forums-digitalpoint dot com and you would have tried to log in. It’s a bugger and you will have a temporary ban now at the real digitalpoint until it all gets sorted.

    I think most people know it wasn't you who sent the messages.

  5. March 22, 2008

    Rick, the admins over at digitalpoint will be able to tell who posted the messages by the IP address. Send a message to the admin email address and explain the situation.

  6. March 22, 2008

    I think that’s why Rick was here 😉

    If it was as simple as chasing an IP address it would have been resolved much sooner. It's been a month now; Rick should be sorted.

  7. John
    July 22, 2008

    That's original. With email I'm already wary of phishing, but forum PMs are new territory.

    Maybe the moral here is be wary of any hyperlink embedded in any kind of message?

    Phish this! john.smith@hotmail.com
