/d/WhiteHouseMarket


Seeming Phishing Links on the v3 Addresses on dark.fail

by /u/supcap · 0 votes · 18th January, 2021 10:19

So I was logging on to set up an order for about $1000 USD and I noticed that there was a problem when it came time for me to get the address--

This has always been a process where I'm given a PGP message to decrypt and that PGP message has the XMR wallet key/id for me to send the coins to.

Instead, upon getting to this point I'm in a position where there's a "signed" PGP message (which I can't get verified) with the XMR wallet id/key readily displayed, instead of a fully encrypted message.

I tried checking the links and lo and behold they're just a few symbols off--but the weird thing is it's only the v3 addresses that I tried. I tried multiple v3 addresses and each did the same thing.

Not only that, but the XMR addresses given by each v3 address are definitely not what I ended up with when I went through the v2 address provided on here.

It's been a while since I felt the need to confirm a shop every time I use it; if someone could give me a message with a quick and dirty rundown on how to do so exactly, I'd really appreciate it. I could see this fooling a LOT of users, and if this is indeed a phishing scam then it could potentially steal thousands of coins, maybe millions of dollars.

IDK what's going on but it's beyond fishy. I'm compiling some SS and a video for any admin to check out.

Comments (4)
/u/[deleted] · N/A votes · 18th January, 2021 - 20:03

You did not get phishing links from the real dark.fail you got them from a fake one.

/u/DonQuixote007 · N/A votes · 18th January, 2021 - 12:52

Thanks for making your post and keeping the community informed. I think dark dot fail has been using phishing links every once in a while for some time now. Good catch, and it goes to show you really must make sure you get that good signature before sending over any coin! Hopefully this is seen and addressed by dread staff, if they have any knowledge on the matter. /u/Paris /u/HugBunter /u/Shakybeats

/u/HugBunter · N/A votes · 18th January, 2021 - 23:54

Highly doubt it. I actually tested this and left a scraper picking up every URL a while back for Empire when there were lots of regular claims of this. This was during their mirror rotations too, so it collected 1000s of addresses, and every single one checked out. Whilst this proves nothing and it could have been done now, I highly doubt it. The only logical explanations would be either that he mistakenly copied in a phishing address, but that would mean it would still be there now; another option is that the user visited a DDF phishing clone, which is as easy as mistyping the address; or the final option, which I find unlikely in this case, that the user could be lying.

/u/BarryOM · N/A votes · 19th January, 2021 - 04:57

Hi, I personally have encountered this myself only once and ensured I was browsing dark.fail, but this is what everybody has been failing to realize: when this happens it is the exit node replacing shit. If you grab a new identity when it happens, the mirrors go back to normal, and when it happens, if you visit a genuine market mirror it redirects to a phishing mirror and also rewrites crypto addresses. I have personally encountered this issue, and The Tor Project has tried to tackle this issue in the past but struggled due to lack of staff, and evil exit nodes still slip through the cracks, and this is why this is occurring very occasionally. At the time of Empire there was a very large group pushing "evil exit nodes" taking up around 2% of the Tor network, if I am remembering correctly. I know if I am wrong here Hug will correct me, but I can honestly say this has happened with me and I could tell that they were not legit mirrors, but I was browsing dark.fail with no typos whatsoever...

/u/HugBunter · N/A votes · 19th January, 2021 - 04:59

Exit nodes cannot replace anything. Dark.fail is served over SSL; MITM is not possible unless they are managing to strip it. There have been possible cases of such vulnerabilities in the past, but not right now.

/u/BarryOM · N/A votes · 19th January, 2021 - 05:02

I just remember encountering this not so long ago with Dark Market, and I knew immediately none of the mirrors displayed on the page were legit until I grabbed a new identity. Browsing dark.fail 100s of times daily, I knew it wasn't right, but it was not served by dark.fail; I remember the https was not there, which was what grabbed my attention. I also triple checked the URL. This was not recent however.

/u/BarryOM · N/A votes · 19th January, 2021 - 05:24

[removed]

/u/HugBunter · N/A votes · 19th January, 2021 - 06:41

Yeah, on your own onion. I mean on an exit node to his legit clearnet address. Deleted your comment just to be on the safe side lol

/u/rudekid · N/A votes · 18th January, 2021 - 13:31

Ok great post, I'm not saying anything but BUT didn't the phishers move fast on this one, cough cough, wink wink. WHM saved, I'm all eyes and ears from now ON

/u/badman13356 · N/A votes · 18th January, 2021 - 17:09

Enforced PGP avoids funds being stolen by phishers. True or not, PGP haters should learn from this.

/u/HugBunter · N/A votes · 18th January, 2021 - 23:54

It doesn't.

/u/BarryOM · N/A votes · 19th January, 2021 - 04:59

No, not at all, because if a user accesses their account on a phisher's MITM proxy and decrypts the 2FA message, then that cookie is stored on the phisher's system, allowing them to session hijack the user without needing 2FA...

/u/badman13356 · N/A votes · 19th January, 2021 - 07:27

But a phisher can't change your payment address, since it's encrypted with your PGP key by the market. And after decryption, you can verify the message, since it's also signed by the market's key. And if it's not signed by the market or you can't verify it, you know something is wrong. It makes sure you won't get an address generated by the phisher. As for withdrawing from a market wallet, the market requires you to sign your send-to address with your private key, thus the market won't be fooled by any phisher. Here every sensitive step requires knowledge of a private key of either the market or the user. So a phisher can't do anything while lacking that knowledge. Is there anything wrong with my statement?
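The signature argument in the comment above (and the "signed message I can't get verified" symptom in the original post) can be shown in code. This is an added example, not code from the thread or from any market; it uses Ed25519 from Go's standard library as a stand-in for the PGP signature, with constructed address strings and a hypothetical pinned market key. A rewritten address invalidates the genuine signature, and a notice signed with any other key fails under the pinned key, so an unverifiable signature gives no assurance about the address it carries.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedNotice models the signed message that carries the payment address.
// The signature here stands in for the PGP signature discussed in the thread.
type SignedNotice struct {
	Body string
	Sig  []byte
}

// MarketSign is what the genuine market does: sign the exact body text.
func MarketSign(priv ed25519.PrivateKey, body string) SignedNotice {
	return SignedNotice{Body: body, Sig: ed25519.Sign(priv, []byte(body))}
}

// VerifyNotice is the user-side check: accept a notice only if its signature
// verifies under the pinned market key. A rewritten body, or a signature made
// with some other key, both fail, which is the "can't get verified" symptom.
func VerifyNotice(pinned ed25519.PublicKey, n SignedNotice) bool {
	return ed25519.Verify(pinned, []byte(n.Body), n.Sig)
}

// RewriteBody models an intermediary swapping the address inside the notice
// while leaving the original signature attached.
func RewriteBody(n SignedNotice, newBody string) SignedNotice {
	return SignedNotice{Body: newBody, Sig: n.Sig}
}

func main() {
	// Constructed keys: the market's (pinned by the user) and an unrelated one.
	marketPub, marketPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := MarketSign(marketPriv, "pay to: ADDRESS_FROM_MARKET (constructed)")
	fmt.Println("genuine notice verifies:       ", VerifyNotice(marketPub, genuine))

	swapped := RewriteBody(genuine, "pay to: ADDRESS_SUBSTITUTED (constructed)")
	fmt.Println("rewritten address verifies:    ", VerifyNotice(marketPub, swapped))

	resigned := MarketSign(otherPriv, "pay to: ADDRESS_SUBSTITUTED (constructed)")
	fmt.Println("signed by other key verifies:  ", VerifyNotice(marketPub, resigned))
}
```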