Warning, copy/paste hijack around!

7 52
Avatar for AnonSunamun
3 years ago
Topics: Scam, Help, Tips, Copy/paste, Lessons, ...

Please visit my sponsors, i need them more than ever now. Thank you.

Sponsors of AnonSunamun
empty
empty
empty

I fell for this one for the second damn time!

What happens is that if you copy an address into your cache memory, and then paste it, the address that gets pasted is not the one you copied. It's one under control of a malicious actor. As you can imagine, if the paste you do is in the field for the destination address when you're trying to send coin from one wallet to another. Or when you're trying, like i was, to send bch to Coinflex following the instructions in Jane's article.

I thought i was making a mistake, which turned out to be true but not as i thought it was.

I was really dead tired at that time and thought I'd done it the wrong way around, that i should've sent it to the metamask in bch normal network and then to coinflex through the 20network. So the bch disappearing and not ending up where i expected them wasn't unexpected. But, working with coinflex support through chat it became clear that when i posted a wallet address it wasn't my wallet address. (as in, i sent it from THIS wallet to THAT address, can you check if i done something stupid setting up the account or something?)

She kept looking and oddly enough a transaction with the same amount i had sent out had come into that wallet at around the same time.

Well turned out that i was pasting the address of the scammer's wallet into the chat when i had copied and thought was pasting my own wallet's address here on the site.

How i got the malware, where it resided, if i still have it and how to recognize?

That is a good question. I immediately shut down my system and then fired it back up from my h4ckst1ck (boots in either Parrot or Lubuntu) to make sure i could write up this warning to all y'all asap and hoping to prevent other people losing bch this way.

It cannot have come from any other sources than:

  • Here. (read.cash)

  • Coinflex

  • SmartBCH.org

  • Metamask

  • Or perhaps Cointree

Only thing that was picked up in the antivirus/malware scan i ran on the pc is a wincp.lnk file so I'm betting the malware is still on the machine but not detected by antiviruses and malware finders.

I'll be taking the following precautions from now on:

When transferring or in any way handling crypto's I'll be booting into Linux from a USB stick that saves nothing each time you shutdown. That way no malware can infect it for more than one session, if at all with Linux being more secure imho.

I'll also be copying an address, then pasting it in a notepad, checking if it is the same address, then pasting it in the field for the destination address and checking if it is the right address once again before clicking the submit button.

I must have been Adolf, Losif (Dzhugashvili) AND Mao in a previous life to deserve karma like this.

Which would be very strange indeed because they all lived at the same time for a while! But it seems every time i make progress and have a positive outlook to look forward to, getting things moving forward, something shit like this happens to me.

I had to tell my son this morning about this coming weekend that the game (treasure hunt) we were supposed to be going to play couldn't happen. The fee for the entrance tickets and the documents with hints and so on for the game cost €30.= which i now don't have to spare.

Never mind the repairs to my scooter that i now have to postpone. Even though without scooter I'll be back in my social isolation but i can live with that, I've done so before, but disappointing my son... that really gets me in the gut!

So watch out when pasting addresses to send coin to.

The address you paste might not be the one you copied. Even the CTRL-C CTRL-V isn't safe any more. What's the world coming to!!

Stay safe, and stay happy.

@AnonSunamun

5
$ 7.06
$ 6.83 from @TheRandomRewarder
$ 0.10 from @Pantera
$ 0.10 from @LucyStephanie
+ 3
Sponsors of AnonSunamun
empty
empty
empty
Avatar for AnonSunamun
3 years ago
Topics: Scam, Help, Tips, Copy/paste, Lessons, ...

Comments

Huh? Didn't know that could happen. 😦 Sorry to hear that. At least now more people are also aware after reading this.

$ 0.00
3 years ago

This seems like a real crappy situation. Not sure what else to say other than thank you for making others aware.

$ 0.00
3 years ago

Usually a downloaded app may contain this kind of malware. Sucks and this is why I am rarely giving links to apps/wallets, etc, but always explaining to download from the official source. I've read of that malware since years ago, and the only way to be sure is to always check the sending address again and again before we proceed with the transcation. I hope you didn't lose too much, mate. It really sucks.

You are doing a service to write about this and warn others. This was very common malware about two or three years ago. It instantly scans the address for networks like BTC, BCH,ETh, even Doge and changes it to scammers address.

$ 0.00
3 years ago

Yeah, i unfortunately know about the iteration from two years ago the hard way. I was victim back then as well. That is why i am sooooo incredibly pissed at myself for falling for it a second time. A lot less though than i was yesterday though. Because i foud out today, after having stepped away from the computer for a while fearing i would teach it how to fly out of frustration yesterday, that Avast, AVG, Defender, Malwarebytes and Kaspersky aren't finding it, and it's still there in the windows environment. I'm now working from my Parrot environment because i decided i wasn't gonna fix it in a couple of minutes or hours most likely so i'd better get on with something usefull first and then get back to hunting the scamware down and removing it. Ofcourse first thing i did, starting the "useful" stuff was come here on read.cash.... i don't know if that is good or bad actually LOL. But anyways, the scamware is misleading the major antivirus/antimallware software that's out there (for free) so its not as embarrasing as i thought it was. If something can stay under the radar of the antivirus software world, it's not just a scriptkiddies little troll or something....

$ 0.00
3 years ago

Gee! If that happens to me I'd have no way of fixing it. is there an easier way of checking other than booting from a USB?

$ 0.00
3 years ago

Yes, checking character by character if the address you copied is the address you paste BEFORE you click submit. That's the best way to see if you're infected and should be a step ALWAYS to be taken when transferring.

$ 0.00
3 years ago

I usually remember the first 3 and last 3 characters - I'll just match them completely just in case though. Useful tip - thanks so much!

$ 0.00
3 years ago