Community reported !phishing - automation added to @keys-defender

in HiveDevs, 9 months ago (edited)





Following up on my previous work to counteract phishing (1. auto-replies and 2. a universal script to block phishing links in all Hive frontends), I now present a way for the Hive community to actively participate and stop phishing campaigns in a timely manner.



How does it work?

As soon as you spot a phishing link that targets the Hive ecosystem and is being spammed on any platform (one of the Hive frontends, Discord, etc.), post a comment on any Hive frontend structured in this way:

@keys-defender !phishing {somelink}

Outcome: @keys-defender will add the reported phishing domain to its banlist and will immediately start replying to the phishing comments and counteracting the transfer memos, so that users are warned against the phishing campaign in time.

Usage example:

https://hive.blog/hive-148441/@keys-defender/qq9fz0





Who controls the banlist?

Can anyone add a domain to the banlist? Kind of. In order to prevent abuse, some limitations are in place.
The types of users that are able to immediately blacklist a domain are:


Any other regular user can add domains to the banlist too, BUT at least 3 reports from different users with a reputation above 50 are required for the entry to be automatically added to the banlist.

Example of regular user adding a phishing domain to the banlist:
https://hive.blog/hive-148441/@marcocasario/qq9gcd


👇   Logs



Perks:

Every report gets a ~$0.25 upvote.
(Users that abuse this feature will get heavy downvotes from me and my flag trail)




Further countermeasures and tracking:

Every single report triggers a notification to my Discord server.
This allows me and the other volunteers in my Discord (those with a role assigned) to take action, e.g. contact the hosting service to have the phishing website taken down.

This also allows us to have a record of who reported what (and every report is immutably stored in the Hive blockchain for everyone to see).

Discord notifications


Logs of the phishing-reports feature and Discord notification














Where is the banlist stored?

It's stored in the Hive blockchain itself -> https://hive.blog/hive-193084/@keys-defender/phishing-db



To see all the changes performed to it over time check out:   Hive Scribe or Hive-DB




Whitelist:

What if a rogue user tries to ban a legit domain just to cause trouble?

To prevent such a scenario there is a domain whitelist in place. This means that if, for example, an attacker controlling 3 accounts with reputation above 50 tries to add peakd.com to the banlist in order to cause mass spam from @keys-defender, they won't be able to.
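The rules from "Who controls the banlist?" and "Whitelist" can be combined into one decision function. The sketch below is an added example, not @keys-defender's own code: every function name, status string, the check order and the sample whitelist are assumptions, and `reputation` is assumed to be the score shown by Hive frontends.

```javascript
// Added illustration; every name here is hypothetical, not @keys-defender's code.
const REQUIRED_REPORTS = 3;  // post: at least 3 reports from different users
const MIN_REPUTATION = 50;   // post: reputation must be above 50
const DOMAIN_WHITELIST = ['peakd.com', 'hive.blog']; // constructed sample list

// Pull the reported hostname out of a "!phishing <link>" comment body.
function parseDomain(body) {
  const m = /!phishing\s+(\S+)/i.exec(body);
  if (!m) return null;
  const link = /^https?:\/\//i.test(m[1]) ? m[1] : `https://${m[1]}`;
  try {
    // Normalise case and a trailing dot so "PeakD.com." cannot dodge the whitelist.
    const host = new URL(link).hostname.toLowerCase().replace(/\.$/, '');
    return host.includes('.') ? host : null;
  } catch {
    return null;
  }
}

// Assumption: subdomains of a whitelisted domain are protected too. The match is
// on a label boundary, so "evilpeakd.com" is NOT treated as peakd.com.
function isWhitelisted(host) {
  return DOMAIN_WHITELIST.some((d) => host === d || host.endsWith(`.${d}`));
}

// state = { banlist: Set<string>, pending: Map<domain, Set<reporterName>> }
function processReport(state, reporter, body) {
  if (!/!phishing\b/i.test(body)) return 'NOT_A_REPORT';
  const domain = parseDomain(body);
  if (!domain) return 'LINK_MISSING';
  if (isWhitelisted(domain)) return 'DOMAIN_WHITELISTED';
  if (state.banlist.has(domain)) return 'ALREADY_BANNED';
  if (reporter.top40Witness || reporter.whitelisted) {
    state.banlist.add(domain);
    return 'BANNED';
  }
  if (reporter.reputation <= MIN_REPUTATION) return 'REPUTATION_TOO_LOW';
  // A Set keyed by account name: repeat reports from one account count once.
  const reporters = state.pending.get(domain) || new Set();
  reporters.add(reporter.name);
  state.pending.set(domain, reporters);
  if (reporters.size < REQUIRED_REPORTS) return 'PENDING';
  state.banlist.add(domain);
  state.pending.delete(domain);
  return 'BANNED';
}
```

Counting distinct account names rather than raw reports, and checking the whitelist before any trust shortcut, are what keep three colluding accounts from banning a legitimate domain.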



Future development:

The list of community reported phishing domains is now in use by @keys-defender, meaning that after a domain gets added to the banlist, @keys-defender will immediately start replying to any new comment containing that link.

The next step is to update and release a new version of my universal script for Hive frontends so that all Hive frontends using it will not only consume @spaminator's API (that still needs a quick fix), but also @guiltyparties's banlist and mine.

My phishing domains banlist will be an initial copy of @spaminator's plus all the community reported links.

PS. see also these other plans posted shortly after.



Testers required

Test plan:

A.   Myself blacklisting a domain - PASSED

B1. My non-whitelisted alt account with reputation above 50 reporting the testing domain https://steemispoop.com - PASSED
B2.   2 more accounts with reputation above 50 reporting https://steemispoop.com - PASSED

C.   1 account with reputation below 50 reporting a link - PASSED

D.   1 top-40 witness reporting the testing domain https://phish-test-domain1.com - PASSED

E.   1 whitelisted user reporting the testing domain https://phish-test-domain2.com - PASSED

F.   Any account reporting a phishing link and forgetting to add the link (ie. "@keys-defender !phishing") - PASSED

G.   Any account not including the mention to @keys-defender (PS. now supported) and reporting a phishing link already known - PASSED

H.   Any account posting a comment with a link that has just been put in the banlist by other users - PASSED

Please post your test comments as a reply to this comment of mine.
PS. All tests are now successful, thanks everyone!



Keys-Defender features:

- Keys protection [live scan of transfers / posts / comments / other_ops. Auto-transfers to savings, auto-reset of keys, ..] {see automatic posts on leak and monthly reports}
- Phishing protection [live scan of comments and posts to warn users against known phishing campaigns and compromised domains, scan of memos]
- Re-posting detection [mitigates the issue of re-posters]
- Code injections detection [live scan of blocks for malicious code targeting dapps of the Hive ecosystem]
- Anti spam efforts [counteracts spam from hive haters]



Please don't forget to upvote and reblog!
Delegations and follows to my fanbase
are welcome too!   =]

Take care, @keys-defender (@gaottantacinque)


Very nice, okay let me try @keys-defender !phishing https://lemmebybit.com/

Thank you for your report, the PHISHING domain "lemmebybit.com" was correctly processed.
Phishing domains can be blacklisted by any top-40 witness, any whitelisted user or by at least 3 users with reputation above 50 - @keys-defender

Thanks, it's working really well. lol

Reminder: if the feature is abused it will result in $5 downvotes

All reports mention all my discord server users..


But I don't think that's an abuse since someone really sent me on DM. I thought you said it's fine to include the discord link?

If it’s phishing then yes it’s ok. Will verify later.

PS. It looks like it’s a scam but it’s not phishing and it’s not targeting hive:
https://www.google.com/amp/s/amp.reddit.com/r/Bitcoin/comments/k3psmc/report_this_scam_lemmebitcom/

Rules:
7F6C3A9F-80F9-4797-B50E-D7C7C1057F81.jpeg

I can’t upvote all reports of the dozens of scams that run on discord, let’s start with only the ones targeting Hive.

I will introduce a new !scam command for that 👍

Ah okay, but it seems that's kind of a threat that downvote. Then we should or I should not report it next time especially if I'm not sure that it's really phishing. I have no evidence or proof that it's a phishing site. I just thought to try since it dm me on discord. If this is the case I regret now sharing that fishy link. If it's not, don't downvote it for a bigger amount. Just see it tomorrow but I'm telling you I have no proof.

Please see my updated reply above.
If you’re quite sure it’s phishing report it as phishing, if you suspect it’s a scam Google like I did “is {website} a scam” and if it is you’ll be able to report it with the !scam command. For the latter I plan on giving 0.02 upvotes.

Hey! I think I goofed up. I wanted to help with the TODO B1, but I wasn't thinking about the fact that my main account was whitelisted, so I think it fudged your test.

Let me know and I'll give it another try.

I did the TODO D.

I can do the C as well since I have a bunch of alts that are below 50 rep. Is there any particular link that I should use for that?

No problem, I reverted B1. Thanks!
C seems to be passed too now..

Since C has now passed, I'll re-report the link with my main account since it's an actual phishing link that was sent to Discord.

@keys-defender
!phishing
https://id09.ru/

Thank you for your report, entry added to @keys-defender's database of phishing domains.

So.
When I get a DM from a stranger in Discord and it's "I won 3 bitcoin, click here to claim", I put in a comment.

@keys-defender https://the link from the DM

@thehive Yes, that will prevent it from spreading into Hive!

You forgot the !phishing command though.

Usage:

@keys-defender !phishing {somelink}

@thehive please see my last comment above. For scams I’ll introduce a !scam command with a smaller reward.

Thank you for your report but I was not able to process it: LINK MISSING.
Expected format: "@keys-defender !phishing https://somescam.com"

Fair enough 😅

Cool stuff. I hope it reduces the risks of people getting fooled. Maybe some people will automatically flag the phishing comments.

!BEER

!discovery 50


This post was shared and voted inside the discord by the curators team of discovery-it
Join our community! hive-193212
Discovery-it is also a Witness, vote for us here
Delegate to us for passive income. Check our 80% fee-back Program

I think this work is great, thank you for giving us something useful to defend ourselves and help...

I just tried that on a real case, and what I don't like is that I have to actually post that link myself
Worked around by: https://steemit.com

Yeh I thought about that but your comment has the !phishing command so it should be pretty clear to readers.

The problem with having kd automatically detect the link from the parent comment is that it could have multiple ones and cause issues.

Please post your tests as reply to this comment - 🙇

Thank you for your report, entry added to @keys-defender's database of phishing domains.

Thank you for your report, entry added to @keys-defender's database of phishing domains.

PS. notification removed

Thank you for your report, entry added to @keys-defender's database of phishing domains.

Thank you for your report, entry added to @keys-defender's database of phishing domains.

test https://iamnotacryptorelatedwebsitebutwantyourkeys.net/airdrop

PS. failed because it did not fetch the updated list of phishing domains in time. Now fixed to fetch the updated list right after each update.

PPS. it was actually because this account is whitelisted for the phishing auto-replies. It let me improve the update mechanism though.

Does it also work when I edit my comment and add another URL?

yes it should

Thank you for your report, the PHISHING domain "steemispoop.com" was correctly processed.
Phishing domains can be blacklisted by a top 40 witness, a trusted user, or when at least 3 users with reputation above 50 report it - @keys-defender

Thank you for your report, the PHISHING domain "steemispoop.com" was correctly processed.
Phishing domains can be blacklisted by a top 40 witness, a trusted user, or when at least 3 users with reputation above 50 report it - @keys-defender

Thank you for your report but I cannot process it because your reputation is not high enough.
Phishing domains can be blacklisted by a top 40 witness, a whitelisted user, or when at least 3 users with reputation above 50 report it - @keys-defender

Thank you for your report, the PHISHING domain "steemispoop.com" was correctly processed.
Phishing domains can be blacklisted by a top 40 witness, a trusted user, or when at least 3 users with reputation above 50 report it - @keys-defender

Thank you for your report but I cannot process it because your reputation is not high enough.
Phishing domains can be blacklisted by a top 40 witness, a whitelisted user, or when at least 3 users with reputation above 50 report it - @keys-defender

@b0t5-t3sting Your comment cointains a link that is on my blacklist   ❗ ❗ ❗

@keys-defender, do NOT click on the link above in their comment.

Reason: PHISHING
Link: "iamnotacryptorelatedwebsitebutwantyourkeys.net*"     => DO NOT CLICK   ❗


More info:
https://hive.blog/hive/@keys-defender/new-feature-phishing-detection-and-auto-reply


Comment 10% downvoted to make it less visible.
This message is self-voted to be more visible among others.


