In a combined cybersquatting and phishing scheme, threat actors have created a site that "imitates" the legitimate secure note-sharing service Privnote.com, aiming to steal bitcoin. The operators of the legitimate Privnote.com raised the alarm after suspecting that someone had created a fake version of their site to deceive users and lure them into using it. Some time ago, KrebsOnSecurity learned that the owners of Privnote.com were worried because someone had created a "clone" of their site that had deceived several regular users of the service, as reported by security journalist Brian Krebs. The legitimate site Privnote.com lets users send encrypted, self-destructing notes that can be shared with other users. Now a site called Privnotes.com has been created that mimics the original Privnote.com. The Privnotes clone bought Google Search ads so that its result appears above the "organic" results.
This means that every time a user searches for "privnote" (or "privnotes"), Google first displays the ad for the "fake" Privnotes.com. The developers of Privnote.com discovered that the clone site not only applies no encryption but also steals bitcoin by altering pasted addresses.
With the help of security expert Allison Nixon, Krebs found that Privnotes.com was built to steal cryptocurrency payment requests sent through its platform. When the contents of a pasted note include a Bitcoin address, the creator of the fake site replaces the Bitcoin address with one under his control in order to steal the bitcoin. To avoid being noticed, the first four characters of the substituted Bitcoin address are the same as those of the originally pasted address. Also, to make the behavior hard for an end user to detect, the address is changed only if the note is opened from an IP address different from the creator's.
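As an added illustration (not code from the article, Privnote or KrebsOnSecurity), here is a small Python check that a sender and recipient could use to compare what was sent with what was received, flagging a swapped Bitcoin address even when it shares its first characters with the original. The sample notes, the second address and the idea of sharing a note hash over a separate channel are constructed assumptions for this example.

```python
import hashlib
import re

# Loose pattern for legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses.
BTC_ADDRESS_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")

# Constructed sample: the note as written by the sender (address taken from the article's test)
ORIGINAL_NOTE = "Invoice #42: please send 0.01 BTC to 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy by Friday."
# Constructed sample: the same note as a recipient might see it after a prefix-preserving swap
TAMPERED_NOTE = "Invoice #42: please send 0.01 BTC to 3J98xQ7aBcDeFgHjKmNpQrStUvWxYz2345 by Friday."


def note_digest(note: str) -> str:
    """SHA-256 of the note text; the sender shares this over a second channel (assumption)."""
    return hashlib.sha256(note.encode("utf-8")).hexdigest()


def find_addresses(text: str) -> list[str]:
    """Return every Bitcoin-address-looking token in the text, in order of appearance."""
    return BTC_ADDRESS_RE.findall(text)


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading characters two strings have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def check_received_note(received: str, expected_digest: str, expected_addresses: list[str]) -> dict:
    """Compare the received note with what the sender says was sent.

    Reports whether the digest matches and lists every address that differs from the
    sender's, together with how many leading characters the substitute shares with it.
    """
    report = {"digest_ok": note_digest(received) == expected_digest, "swapped": []}
    seen = find_addresses(received)
    for orig, got in zip(expected_addresses, seen):
        if orig != got:
            report["swapped"].append({"expected": orig, "received": got,
                                      "shared_prefix": shared_prefix_len(orig, got)})
    if len(seen) != len(expected_addresses):
        report["count_mismatch"] = (len(expected_addresses), len(seen))
    return report
```

A recipient who gets the digest and the address through a different channel than the note itself can run the check before paying.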
However, when BleepingComputer tested the site using a VPN and separate private browsing sessions (to avoid tracking via cookies), it appeared that the site had by then stopped the malicious behavior. The Bitcoin addresses remained unchanged in BleepingComputer's tests. For example, the BleepingComputer team sent a note containing the Bitcoin address "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy". When the note was opened on a different computer, from a different IP address, the recipient received the same Bitcoin address. While both sites offer a "secure connection" using SSL/TLS, BleepingComputer noted an obvious difference between the certificates: the fake Privnotes.com uses a free Let's Encrypt certificate. Using a Let's Encrypt certificate does not by itself mean that a site is malicious. However, Let's Encrypt is an attractive choice for phishing scammers. This elaborate scam is a warning to both end users and site operators whenever sensitive information is shared online. In this case, users may not have realized that the Privnotes site is fake.