phishing trip ? Hack ?

imaggie
Posts: 88
Joined: 2011-12-19T04:15:36-07:00
Authentication code: 8675308

phishing trip ? Hack ?

Post by imaggie »

This morning I got an email notification of a post to a thread I follow. However, all the links are to what looks like a clone of the IM site.

Looks a lot like a password phishing trip. If so you need to notify all users a.s.a.p.

http://www.wizards-toolkit.org/discourse-server/

The post by "king" on this thread was total spam junk so it does look like malevolent behaviour.
http://www.wizards-toolkit.org/discours ... ead#unread

If this is not a clone set up by the IM team, you need to take a look.

regards.
snibgo
Posts: 12159
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK

Re: phishing trip ? Hack ?

Post by snibgo »

A new user "king" massively spammed the ImageMagick forums a few hours ago. Users who receive notifications will get emails.

I have deleted the spams and banned the spammer.
snibgo's IM pages: im.snibgo.com
imaggie
Posts: 88
Joined: 2011-12-19T04:15:36-07:00
Authentication code: 8675308

Re: phishing trip ? Hack ?

Post by imaggie »

What about the clone domain!?

Why did I get a notification with all links leading somewhere else other than IM.org?

There is more to this than just one spammer.
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: phishing trip ? Hack ?

Post by magick »

ImageMagick Studio owns the wizards-toolkit.org domain. The links you received are fine; however, to avoid confusion in the future, we removed the discourse server link from that domain.
imaggie
Posts: 88
Joined: 2011-12-19T04:15:36-07:00
Authentication code: 8675308

Re: phishing trip ? Hack ?

Post by imaggie »

Thanks. So which domain got spammed and why did I get notifications since I'm not involved with that domain?

It seems that all previous notifications I have came from this domain, not wizards. Since this kind of clone is a common phishing trick, I think you are likely to cause much confusion by doing this.

The notification today said it came from IM.org but that can easily be spoofed and again is a favourite trick on fake phishing emails.
snibgo
Posts: 12159
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK

Re: phishing trip ? Hack ?

Post by snibgo »

imaggie wrote: So which domain got spammed and why did I get notifications since I'm not involved with that domain?
This forum, at imagemagick.org, got spammed by over 100 replies posted on threads. Each reply was a long list of links that were clearly irrelevant to image processing. The effect was similar to an ordinary user replying to threads. Originators of threads sometimes tick a box saying they want to be notified when anyone replies to the thread.

I suspect the notification was genuine, and came from the software behind this forum.
snibgo's IM pages: im.snibgo.com
imaggie
Posts: 88
Joined: 2011-12-19T04:15:36-07:00
Authentication code: 8675308

Re: phishing trip ? Hack ?

Post by imaggie »

We don't seem to be hearing each other.

I got an email "from" loki@IM.org as would be normal since I was watching that thread.

What was not normal is that all the links were to (apparently cloned content) on wizards domain which I had never heard of. So why would the forum software at IM.org be sending out notifications with links to a different domain and not here as usual?!

That would seem to suggest that it was wizards which got spammed, not IM.org.

Indeed your replies are showing links to IM.org and this is consistent with previous threads on which I'm active.

What is the function of the cloned wizards forum?
snibgo
Posts: 12159
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK

Re: phishing trip ? Hack ?

Post by snibgo »

Sorry, I know nothing about IM.org, which seems to be "Alliance for Academic Internal Medicine".
snibgo's IM pages: im.snibgo.com
imaggie
Posts: 88
Joined: 2011-12-19T04:15:36-07:00
Authentication code: 8675308

Re: phishing trip ? Hack ?

Post by imaggie »

Jeez, "IM.org" was an abbreviation to avoid having to type imagemagick.org every time. You really did not work that out?! Similarly any reference to "wizards" above refers to the cloned www.wizards-toolkit.org/discourse-server

At this stage it seems that you are being deliberately obtuse and that there is something about this business that you are not willing to explain.
snibgo
Posts: 12159
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK

Re: phishing trip ? Hack ?

Post by snibgo »

You mentioned "IM.org" so I assumed you meant "IM.org". I'm not deliberately obtuse but I do take people literally. I have explained what I did. The spam seemed to be ordinary spam that we frequently suffer, apparently with links that offer products that had no relevance to image processing. But it was a larger post than we usually get, and repeated on more threads than usual.

I know nothing about phishing trips. I suspect that some or all of the links in the spam are not genuine vendors, and anyone following those links might get viruses or be invited to buy products that never arrive or be invited to reveal their bank details or whatever. That wasn't important to me. It was clearly spam, so I removed it.
snibgo's IM pages: im.snibgo.com
imaggie
Posts: 88
Joined: 2011-12-19T04:15:36-07:00
Authentication code: 8675308

Re: phishing trip ? Hack ?

Post by imaggie »

Phishing is trying to trick people out of their confidential details. One common trick is to clone a web site and trick users into logging in via an email, thus harvesting their account name and password. This often involves links which look like they go to a familiar site but actually end up elsewhere. Often the "from" field of an email is falsified to make it look like it came from a trusted source. That appeared to be the case this morning.

Since all msgs I get from this forum link back here, clearly something else was going on this a.m. The links were to www.wizards-toolkit.org/discourse-server. That is not consistent with your suggestion that it was this forum's software here which produced those msgs.

So the question remains: why did I get email linking back there?

What is the function of this clone web-site which seems to dupe the content of this forum?
snibgo
Posts: 12159
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK

Re: phishing trip ? Hack ?

Post by snibgo »

The page at www.wizards-toolkit.org claims to be copyright by ImageMagick Studio LLC. This is confirmed by user "magick" (the prime developer of ImageMagick) above.

From what magick says, I assume the discourse server link from that domain was a link to this forum. Not a clone, simply an alternative address. Perhaps that was confusing.
snibgo's IM pages: im.snibgo.com
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: phishing trip ? Hack ?

Post by magick »

It's likely the spammer logged into the ImageMagick discourse server from http://www.wizards-toolkit.org/ and that is why your links reflected that site. A few years ago, there was a forum in the ImageMagick discourse server for the Wizards Toolkit. We removed the forum but did not remove the link to the forum. That problem was corrected as of today. FYI, both ImageMagick and the Wizards Toolkit have the same principal architect. Both are copyright ImageMagick Studio LLC.

Thank you for bringing this problem to our attention. The removal of the ImageMagick discourse server link from http://www.wizards-toolkit.org/ should ensure this problem does not occur again.
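The behaviour described in the post above, where notification links take on the hostname the poster used, is shown here beside a hardened form. This is an added example with a hypothetical notifier, not the forum's own code, and it illustrates a different fix from the link removal magick describes; the base URL, the `/topic/` path and all function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed configuration: one public base URL, and the hostnames that
# serve the same forum application.
CANONICAL = "http://www.imagemagick.org/discourse-server"
SERVED_HOSTS = {"www.imagemagick.org", "www.wizards-toolkit.org"}

def normalise_host(host_header):
    """Lower-case a Host header value and drop any port."""
    return host_header.strip().lower().split(":")[0]

def notification_link(topic, request_host=None):
    """Build the link placed in a reply notification.

    With request_host set, this is the weak behaviour: the base URL is
    derived from the poster's request, so every subscriber receives links
    to whichever hostname the poster happened to use.
    Without it, this is the hardened behaviour: only the configured base
    URL is used.
    """
    if request_host:
        base = f"http://{normalise_host(request_host)}/discourse-server"
    else:
        base = CANONICAL
    return f"{base}/topic/{topic}"

def canonical_redirect(request_host, path):
    """Send alias hosts to the canonical one so nobody logs in under a second name.

    Returns the redirect target, or None when the request is already on
    the canonical host. Unknown hosts are rejected outright.
    """
    canonical = urlsplit(CANONICAL)
    host = normalise_host(request_host)
    if host not in SERVED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    if host == canonical.hostname:
        return None
    return f"{canonical.scheme}://{canonical.hostname}{path}"
```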
imaggie
Posts: 88
Joined: 2011-12-19T04:15:36-07:00
Authentication code: 8675308

Re: phishing trip ? Hack ?

Post by imaggie »

"Thank you for bringing this problem to our attention. "

Thanks Magick. That is the kind of response I was expecting. Glad my info was useful.