As many of you know, there's been a few focused attempts at spamming the fediverse with crypto offers. The way this is currently happening is that someone is registering hundreds or thousands of accounts on an instance (first it was mastodon.social, and most recently mastodon.world) and then proceeding to post messages with links to get your free crypto. These messages are sent using the "mentioned people only" visibility setting, meaning that if you're not tagged in them, you don't know that this issue is happening. It's unclear how spam victims are selected; however, it's very likely collecting user names recently appearing in timelines.

Obviously, just like with spam and malicious emails, if you receive one of these messages, you should not click on links - at best it's a scam, and at worst, it's something that will attempt to steal passwords or install malware - usually for the purpose of stealing your identity, your money, and so on. If you receive such a message, simply use the reporting function on your instance to report the spam to your moderators and the moderators of the originating instance.

For this particular tactic, it is prudent to consider disabling direct messages from people you don't follow. To do that, go to settings, preferences, notifications, and check the box next to "Block direct messages from people you don't follow" at the bottom of the screen. It's also possible to block the domain of the spammers, however it's important to note that doing so will remove all your followers and follows on that domain.
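A moderation-side triage heuristic for the wave pattern described above, added here as an example (not part of jerry's post and not Mastodon's own code). It assumes records shaped like the Mastodon Status API entity (visibility, account.created_at, content) and uses constructed sample data with placeholder domains; the 24-hour "new account" threshold is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

LINK_RE = re.compile(r'href="(https?://[^"]+)"')
MAX_ACCOUNT_AGE = timedelta(hours=24)  # assumption: "new" means under a day old

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def is_suspect_dm(status, now):
    # Signature from the thread: "mentioned people only" (visibility=direct),
    # sender account created very recently, and a link in the body.
    # Each signal alone is ordinary; all three together merits review.
    if status["visibility"] != "direct":
        return False
    if now - parse_ts(status["account"]["created_at"]) > MAX_ACCOUNT_AGE:
        return False
    return bool(LINK_RE.search(status["content"]))

def summarize_wave(statuses, now):
    # Count distinct young sender accounts per origin domain: many from one
    # domain is the "hundreds of accounts on one instance" wave signal.
    senders = {}
    for s in statuses:
        if is_suspect_dm(s, now):
            acct = s["account"]["acct"]
            domain = acct.split("@", 1)[1] if "@" in acct else "local"
            senders.setdefault(domain, set()).add(acct)
    return {d: len(a) for d, a in senders.items()}

def _status(sid, acct, created, vis, html, mentions):
    return {"id": sid, "visibility": vis, "content": html,
            "account": {"acct": acct, "created_at": created},
            "mentions": [{"acct": m} for m in mentions]}

# Constructed sample records shaped like the Mastodon Status entity; not real data.
NOW = datetime(2023, 5, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    _status("1", "spam001@spamhost.example", "2023-05-15T11:30:00Z", "direct",
            '<p>Get your free crypto <a href="https://lure.example/x">now</a></p>', ["alice", "bob"]),
    _status("2", "spam002@spamhost.example", "2023-05-15T11:31:00Z", "direct",
            '<p>Free airdrop <a href="https://lure.example/y">claim</a></p>', ["carol"]),
    _status("3", "spam003@spamhost.example", "2023-05-15T11:32:00Z", "direct",
            '<p>Bonus <a href="https://lure.example/z">here</a></p>', ["dave"]),
    _status("4", "dana@friendly.example", "2019-02-01T00:00:00Z", "direct",
            '<p>That doc: <a href="https://docs.example/a">link</a></p>', ["alice"]),
    _status("5", "newbie@spamhost.example", "2023-05-15T11:50:00Z", "public",
            '<p>Hello! <a href="https://blog.example/">my blog</a></p>', []),
]
```

Running `summarize_wave(SAMPLE, NOW)` flags only the three young direct-message senders on one domain; the old account's DM with a link and the new account's public post are left alone.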

@jerry the first couple were advance fee fraud attempts (you had to have a "paid account" to "withdraw")

the last one had about 6MB of obfuscated javascript. never did deobfuscate it but it wants metamask permissions so probably just signs a transaction sending everything you have to the attacker

@jerry

very true statements

but isn't it incumbent on folks just to avoid clicking on these links - are we dealing with grownups or children?

@MikeyMcFilms @jerry neither, social media has the ability to make humans forget about risks.

You are right, it's on the user to be vigilant but life happens.

The human factor and threats of social media are amplified because you're not at work having IT and security people reminding you every 10 mins. People are haphazard in social situations, online is no different.

@leerayl @jerry

Lee, even at work people are not vigilant - before i retired, IT would send out those emails with links that came from a higher up and a whopping 80% of them (including me, the first time, i admit) clicked on them to receive a link to the company guide to avoid phishing. the ratio never got better except for me being the minus one

it's like a link is a shiny balloon and the people are children who want it

@MikeyMcFilms

I feel like the Venn diagram of people who are able to use the fediverse, and the people who would fall for the obvious scam I was just sent has got to be vanishingly small.

@MikeyMcFilms @jerry I often read Mastodon on a phone. On a phone the way you select a link is "touch the screen" and the way you scroll the page is "touch the screen". So of course it's very easy to trigger a touch event without intending to tap or even seeing what you tapped on…

Of course I don't have any cryptocurrency to steal, but just being reminded cryptocurrency exists is a bad enough outcome imo

@mcc @jerry

i see crypto in a profile, it's an immediate block for me

@mcc @MikeyMcFilms @jerry So true, some app designs are trickier than others. Something should be developed to prevent launching links. I know a few older folks who do not want to click on a link but accidentally do. If a pop-up with 'Do you want to load this link' were possible that would be great. Developers could implement this, maybe, to first show a pop-up if the user wants to see that pop-up, and not show it if this option was not activated.

@MikeyMcFilms @jerry Even the best trained and most experienced people in a specialized field sometimes forget to do stuff. Look up the history of how we got cockpit checklists for examples.

Reminding the average lay user one more time is good practice when an attack is ongoing. People forget and need reminders.

@jerry This is a popular thing on Instagram at the moment too. It seems like I'm tagged 3 times a day by someone I don't know with free offers of some sort, usually crypto-related.

Predictably, Instagram doesn't care.

@jerry

I should interject, to provide a user's point of view, and one who was a "victim" of both waves: it was insignificant!! To the average user it was less than a second of lost time. The tech people did their jobs. The fediverse was not disturbed. Doomsayers will continue to say loudly what they always say ... "Just you wait"
@jerry I wonder if having a dozen or so "honeypots" would help with this. Depends on how targets are selected I guess
@nekodojo @jerry If it's of any help, I've received five of them so far in just a few days. They obviously have some kind of harvesting tool. For a non-celebrity I have a large number of followers and I post frequently.
@jerry Thank you. I never knew you could block those direct messages. 💙💙
@jerry
When I go to report the messages, they have vanished, I can only see the preview, not an actual thread.
@jerry I got one of those earlier and tried to report it. I clicked on the report but it just sat there so I just blocked it. It was a crypto suspicious.
@jerry Thank you, I've enabled this setting.

@jerry

I'd previously posted that I had zero idea this was happening. Now I know why.

I am a Boomer. I learned to code BASIC on a Honeywell mini in the mid-1970s.

I have not had malware on any of my systems that I don't share with someone who brought it in.

I'm not special. The only actual precautions that I actively take are, what I consider to be reasonable.

I don't share passwords. I don't reuse passwords. I don't connect with unknown devices (including chargers, cuz that charging port is also a data port). I don't click on links without ensuring I know where I'll end up.

Back in the day, your home page was a page of links to places you wanted to go back to. That's when I learned how links worked. You can have it display anything you want, and the link can go some totally other place.

Really, I'm not some super expert - I'm just a bit careful. It still takes me three tries to plug in a thumb drive.

@vor I am not far behind you on the calendar. I learned to program using BASIC on a Commodore VIC-20 in ~1982
@vor @jerry
Your last line reminded me
@RnDanger @vor @jerry Ergo, USB keys (thumb drives, flash drives) exist in four-dimensional space!
@jerry I did get an incomprehensible PM on this topic this morning!
@jerry "to report the spam to the moderators of the originating instance"? Does it really?
@jerry
Yes I have received the "targeted" notification, but am far too wary to go clicking on unsolicited offers, especially if they are trumpeting that they are free
@jerry Can you edit this post to include alt-text on the image, please?

Very important security information from @jerry of the infosec.exchange:

https://infosec.exchange/@jerry/110384254052694131

@jerry I could be mistaken, but I've read that enabling this won't prevent DMs, it silently breaks them.
@jerry Are you saying we're being hacked by Elon Musk?

@jerry

As a mod on a relatively small instance, we were hammered with reports in one of the early attacks 😖

This is such a useful tip in a great toot...thank you 🙏

@jerry

I just reply with a "please fuck off"

@jerry I'm getting these every few weeks. I have no idea how they target the users but I was careful to not click on anything and report it straight away.
@mrissi_neko reporting them is the best way to handle. I believe they identify targets by looking at who recently appeared in timelines.