Page 1 of 1

phishing trip ? Hack ?

Posted: 2018-05-04T02:03:43-07:00
by imaggie
This morning I got an email notification of a post to a thread I follow. However all the links are to what looks like a clone of IM site.

Looks a lot like a password phishing trip. If so you need to notify all users a.s.a.p.

http://www.wizards-toolkit.org/discourse-server/

The post by "king" on this thread was total spam junk so it does look like malevolent behaviour.
http://www.wizards-toolkit.org/discours ... ead#unread

If this is not a clone set up by IM team you need to take a look .

regards.

Re: phishing trip ? Hack ?

Posted: 2018-05-04T05:43:28-07:00
by snibgo
A new user "king" massively spammed the ImageMagick forums a few hours ago. Users who receive notifications will get emails.

I have deleted the spams and banned the spammer.

Re: phishing trip ? Hack ?

Posted: 2018-05-04T06:06:03-07:00
by imaggie
what about the clone domain !?

Why did I get a notification with all links leading somewhere else other than IM.org.

There is more to this than just one spammer.

Re: phishing trip ? Hack ?

Posted: 2018-05-04T06:19:31-07:00
by magick
ImageMagick Studio owns the wizards-toolkit.org domain. The links you received are fine-- however to avoid confusion in the future, we removed the discourse server link from that domain.

Re: phishing trip ? Hack ?

Posted: 2018-05-04T06:34:53-07:00
by imaggie
Thanks. So which domain got spammed and why did I get notifications since I'm not involved with that domain?

It seems that all previous notifications I have came from this domain, not wizards . Since this kind of clone is a common phishing trick, I think you are likely to cause much confusion by doing this.

The notification today said it came from IM.org but that can easily be spoofed and again is favourite trick on fake phishing emails.

Re: phishing trip ? Hack ?

Posted: 2018-05-04T06:59:07-07:00
by snibgo
imaggie wrote:So which domain got spammed and why did I get notifications since I'm not involved with that domain?
This forum, at imagemagick.org, got spammed by over 100 replies posted on threads. Each reply was a long list of links that were clearly irrelevant to image processing. The effect was similar to an ordinary user replying to threads. Originators of threads sometimes tick a box saying they want to be notified when anyone replies to the thread.

I suspect the notification was genuine, and came from the software behind this forum.

Re: phishing trip ? Hack ?

Posted: 2018-05-04T07:25:43-07:00
by imaggie
We don't seem to be hearing each other.

I got an email "from" loki@IM.org as would be normal since I was watching that thread.

What was not normal is that all the links were to ( apparently cloned content ) on wizards domain which I had never heard of. So why would the forum software at IM.org be send out notifications with links to a different domain and not here as usual?!

that would seem to suggest that is was wizards which got spammed not IM.org.

Indeed your replies are showing links to IM.org and this is consistent with previous threads on which I'm active.

What is the function of the cloned wizards forum?

Re: phishing trip ? Hack ?

Posted: 2018-05-04T07:48:39-07:00
by snibgo
Sorry, I know nothing about IM.org, which seems to be "Alliance for Academic Internal Medicine".

Re: phishing trip ? Hack ?

Posted: 2018-05-04T08:04:42-07:00
by imaggie
jeez, "IM.org" was an abbreviation to avoid have to type imagemagick.org every time. You really did not work that out?! Similarly any reference to "wizards" above refers to the cloned www.wizards-toolkit.org/discourse-server

At this stage there seems that you are being deliberately obtuse and that there is something about this business that you are no willing to explain.

Re: phishing trip ? Hack ?

Posted: 2018-05-04T08:40:05-07:00
by snibgo
You mentioned "IM.org" so I assumed you meant "IM.org". I'm not deliberately obtuse but I do take people literally. I have explained what I did. The spam seemed to be ordinary spam that we frequently suffer, apparently with links that offer products that had no relevance to image processing. But it was a larger post than we usually get, and repeated on more threads than usual.

I know nothing about phishing trips. I suspect that some or all of the links in the spam are not genuine vendors, and anyone following those links might get viruses or be invited to buy products that never arrive or be invited to reveal their bank details or whatever. That wasn't important to me. It was clearly spam, so I removed it.

Re: phishing trip ? Hack ?

Posted: 2018-05-04T08:58:23-07:00
by imaggie
Phishing is trying to trick people out of their confidentiality details. One common trick is to clone a web site and trick users into logging in via an email : thus harvesting their account name and password. This often involves links which look like they go to a familiar site but actually end up elsewhere. Often the "from" field of an email is falsified to make it look like it came from a trusted source. That appeared to be the case this morning.

Since all msgs I get from this forum link back here, clearly something else was going on this a.m. The links were to www.wizards-toolkit.org/discourse-server . That is not consistent with your suggestion that it was this forum's software here which produced those msgs.

So the question remains why did I get email linking back there?

what is the function of this clone web-site which seems to dupe the content of this forum?

Re: phishing trip ? Hack ?

Posted: 2018-05-04T09:17:56-07:00
by snibgo
The page at www.wizards-toolkit.org claims to be copyright by ImageMagick Studio LLC. This is confirmed by user "magick" (the prime developer of ImageMagick) above.

From what magick says, I assume the discourse server link from that domain was a link to this forum. Not a clone, simply an alternative address. Perhaps that was confusing.

Re: phishing trip ? Hack ?

Posted: 2018-05-04T11:07:51-07:00
by magick
Its likely the spammer logged into the ImageMagick discourse server from http://www.wizards-toolkit.org/ and that is why your links reflected that site. A few years ago, there was a forum in the ImageMagick discourse server for the Wizards Toolkit. We removed the forum but did not remove the link to the forum. That problem was corrected as of today. FYI, both ImageMagick and the Wizards Toolkit have the same principal architect. Both are copyright ImageMagick Studio LLC.

Thank you for bringing this problem to our attention. The removal of the ImageMagick discourse server link from http://www.wizards-toolkit.org/ should ensure this problem does not occur again.

Re: phishing trip ? Hack ?

Posted: 2018-05-04T11:39:01-07:00
by imaggie
"Thank you for bringing this problem to our attention. "

thanks Magick. That is the kind of response I was expecting. Glad my info was useful.