Shane019, Phishing & Odd login panel

[scrawnybob]

hi all

for a few hours a couple of days ago a new member Shane019 made 14 posts in quick succession all with broken images which included odd links to a site "4kingpoker.co.cc" this is NOT a legitmate site, these posts brought up a bogus "login" which was actually to this other site and NOT a login to our site ... the member has now been banned and all posts deleted

however further to this issue I can clarify that the banned member Shane019 had inserted links to broken images in his posts which then triggered a "login" box to come up ...

this was for a subdomain of a site .co.cc the way it was setup it was 4kingpoker.co.cc and could have looked like a legitimate part of 4kingpoker.com if not examined

basically our site was NOT hacked however this is likely a phishing attempt for members to input their logins & passwords going to 4kingpoker.co.cc ... which is NOT a site we have any control over

therefore I would urge any of the members who have view his now deleted posts and put in your normal forum login info into his login panel that came up ...

to change any matching passwords to ANY IMPORTANT sites you login into

I apologise for this inconvience - but please understand this was NOT a hack into 4kingpoker.com it was another site (4kingpoker.co.cc) that could be mistaken for us that they used ... I hope this has affected a limited number of members

and anyone who feels they need to please contact me via PM for clarification

cheers scrawnybob

[xxmommaxx]

I appreciate you looking into this for us. Thx a bunch!

[kingjames07]

ahhhhhhhhhh never even was a thought to put in my login on that pop up.......lol

[xxmommaxx]

No, I didn't put my name in either, but was wondering what that was all about. lol..

[snowfish]

Thx bob for the info and the good clean up.

cheers snowfish

[Logan]

This thing also happen yesterday in other forum, i guess this idiots will try this in all poker forums, be careful guys.

[rgchan]

Nice work to catch this early Bob. ! I don,t think any of the veterans here would fall for that scheme. But if you use the same PW for forum access that you do with Poker site logins you could be compromised. Maybe his IP Addy should be recorded too so it can be reported if he breaches anyones poker site accounts.
Rg

[Dan Abnormal]

Its just a pain in the ass, I dont quite understand forum security that some dude can come and put (I dont even know what he put up) cause I got the log in box is seemed the minute I hit a thread. ANd it doesnt send off any red flags to the the server that a hacker has put phishing software on a site. If thats the case these forums need to automatically delete any kind of linking to anywhere off the site. You run your cursor over something and then you get a login box to redirect to a new site and that doesnt send off warning bells to the main server hosting the site. And then to be told about the problem 3 days after the fact, I mmean kudos for the quick banning, but why would a site even allow this kind of software to work, if there are incoming firewall protections then there must be out going that would intercept any data being redirected to another site other than the poker sites they want you to join up to. Why members didnt get this message until Sunday. Its easy to say hey it wasnt us, but yeah it was, your forum allowed this kind of software to run to unsuspecting members. Yea I know , didnt you read the top link, well no, why would I feel the need on a secure forum. It seems like a new feature or it seemed like a script gone haywire but it didnt seem like a hacker thing. I dont even know if I used it or not, but probably since it got in the way. MEMBERS SHOULD OF BEEN ALERTED TO THIS FRIDAY NIGHT NOT SUNDAY. I wouldnt even thought twice about it until I saw a few posting about the crazy stuff coming up that night, There are no kudos for this, the site knew of the problem friday and waited until SUNDAY NIGHT to tell us. KUDOS

YEs Im glad you veterens are forum savvy to know this. But its just a pain the ass, even though my password wasnt the same as anything important. but it was for every forum I use, so I spent 1 hour yesterday changing passwords at every forum I belong to. So did this software also send this dude IP addresses too, thats where problems can really erupt

[thejudge]

I'm sorry ...but anyone who clicks on some link that turns up on a site (and I include u in this Dan) is a dickhead with no experience of Phishing or viruses....so go and learn what not to do ...b4 u get inundated with viruses.

[scrawnybob]

hi

ok it took us a while to figure out what had happened as it was NOT a hack into 4kingpoker.com at all

it was basically a link in a post to another site - which looked like a broken image
the site was 4kingpoker.co.cc but it could have just as easily been any other site link to an external site

so it wasnt something that would have been flagged up in the normal ongoing checks for hacks etc on the site that are constantly running

once the posts were not there the links were not there - therefore the problem wasnt there

the moment those posts were deleted that problem had gone - I couldnt have spotted or dealt with the posts any earlier than that ... so the actual problem was removed very quickly

I didnt announce anything in the forum because we were trying to work out why / what the point was in putting in these links and also to find out the owner etc of the site

and double check the extent of the problem was external and our system had NOT been hacked

of course links to another site wont set off warning bells to our server - the internet is ALL links to other sites

obviously I wish someone hadnt purposely added links to there site that automatically for malicious purpose or load up a login - but this is something many many forums are having problems with and unless we just disable ALL members any ability to upload images or stop everyone from add links then there is no other way to guard against this

im sure everyone would have avoided it if the url hadnt been 4kingpoker.co.cc (which looks similar to .com) ... this is exactly why they setup one of these free subdomain accounts ... they are NOT subdomains of our site & its NOT a hack of our site - its a totally separate site that gives out free subdomains - most of which afaiks get used for this kind of purpose ;-(

I would always keep an eye out for new members posting odd things - which in this case the member was clearly odd poster and a short poster and new poster

generally I probably delete maybe 5+ new members per day on basis of spam accounts etc and delete a bunch of posts before anyone is even aware of it ... alot of the time Im banning spammers as they are spamming ... however I cant and am not online 24/7

I also go back through member signups on a daily basis through possible spam accounts to re-check they havent started spamming ... also the members can send in report posts

dan and anyone else I'm really sorry if you've got caught out on this but best thing is to sus out the member posting the links before clicking on them or logging into non usual things

thankfully it looks like most avoided the login for the short period it was up - this wasnt a technique that we've come across before - hence the "slow" response to post on the forum - but the removal of the problem itself wasnt slow IMHO

please bear in mind that this IS and WILL be something that will be appearing on other forums and sites ... alot of sites admins WONT spot these broken image links and so ALL members must be vigalant to this problem on ALL the other forum sites you visit or anywhere that allows user added content ... there are alot of neglected or part managed forums so these sorts of posts will appear elsewhere - be careful

cheers SB