
Someone used my IPFS gateway for phishing - jstanley
https://incoherency.co.uk/blog/stories/hardbin-phishing.html
======
imhoguy
Sorry to hear, but you are not alone [0]. It was a matter of time for a new tech
to be exploited like that. Providing an IPFS gateway is like opening up a public
HTTP proxy (popular back in the 90s). You had good intentions, but there will be
a lot of nasty things going through your machine. Of course guys like Cloudflare
can absorb the arising liability but I think they will shut down their gateway at
some point.

I think the best way to popularize IPFS will be out-of-the box support in
major browsers. I think Mozilla may be the first one here.

[0] https://www.bleepingcomputer.com/news/security/phishing-attacks-distributed-through-cloudflares-ipfs-gateway/

~~~
akerro
Mozilla talks a lot and doesn't do much in this direction, they promised Tor
integration like 4-5 years ago and all they did is set up 3 middle nodes.

Brave Browser already has Tor integration in private tabs and working IPFS
integration on the -dev channel since the beginning of this year
https://github.com/brave/brave-browser/issues/819

~~~
jerheinze
> they promised Tor integration like 4-5 years ago and all they did is set up 3
> middle nodes.

They never promised any Tor integration for the near future, see:
https://news.ycombinator.com/item?id=17205441
and the first comment. Brave can do Tor integration because its user base is
much smaller than Mozilla's (scaling the Tor network to support the load from
all FF users still requires much work).

------
iknowstuff
>Around the same time that this email was forwarded to me, DigitalOcean
disabled the network interface on my VPS in order to stop the phishing attack
from working. Fair enough, can't really expect them to do any more than that.

I disagree. I don't think this is okay. Aside from this IPFS story,
DigitalOcean in general does not care about abuse. Unlike providers such as
OVH, DigitalOcean will simply nullroute you when you fall victim to a DDoS
attack. I wish they stepped up their game - until then, after hearing those
stories, I will not be using their service for anything I care about.

~~~
rmdoss
Yep, both DO and Linode do the same thing. Just null-route your IP and take
forever to remove it once you've fixed whatever the problem was (even if it was a
false alarm).

------
paranoidrobot
"And if you know a hosting provider that is less likely to switch your
networking off, I'm all ears."

No reputable hosting provider is going to ignore abuse complaints. The best
you can hope for is a 24-72 hour window to respond to any complaint.

------
Scaevolus
Proxies are XSS-as-a-service, so you should expect abuse complaints. At least
the US provides some protections as a carrier.

------
cwkoss
How does GMA.html send the creds back to their server?

Interesting question of who has culpability:

\- Server receiving creds seems clearly in wrong

\- OneDrive hosting the html file which can be used to exfiltrate creds is a
bit murkier

\- Hosting a link to the onedrive url on IPFS is murkier still.

~~~
jstanley
Note that the link to the OneDrive URL does _not_ come from IPFS. It comes
from the URL fragment, which makes it even _more_ murky as to whether the IPFS
hash should even be blocked! Perfectly legitimate sites could be using exactly
the same content with no knowledge of the phishing attack. It is just copy and
pasted from [https://itty.bitty.site/](https://itty.bitty.site/)

I didn't look into how GMA.html works, but a quick look just now shows that it
posts to
[https://searchurl.bid/joyceesther0101/finish1.php](https://searchurl.bid/joyceesther0101/finish1.php)

~~~
cwkoss
Ah, I didn't catch that the Base64 string was part of the query param, not
stored in IPFS. Yeah, seems like the IPFS data isn't offending whatsoever in this
case.

Interesting that it is 'facilitating' phishing (as in dependency in attack
chain), but only to the extent that would apply to a number of general-purpose
open source libraries, or the browser, or any OS or ISP.

Seems like DigitalOcean made the wrong choice, but the technical complexity of
the situation is enough to not put too much blame on them. Unresponsive
support is disappointing.

~~~
jstanley
I agree that it's too complex to expect front-line abuse support to work out
what's going on, but yes I did expect them to turn my networking back on after
I blacklisted the hash.

~~~
miyuru
DigitalOcean disabled network access to one of my droplets too. They won't
respond to your emails, but poke them on Twitter and hopefully you will get a
response back. Mine took 10 days to get a reply.

I switched to scaleway afterwards.

------
ChuckMcM
Hmm, doesn't bode well for IPFS. To the extent that bad actors can "easily"
disable swaths of infrastructure in a difficult-to-parse/manage way.

~~~
LeoPanthera
Web-IPFS gateways are not part of the IPFS infrastructure, nor are they
essential.

~~~
setr
They are, however, essential for the transition to it; at least as long as
they continue the goal of becoming the new web.

~~~
jstanley
If you want to use IPFS without using a public gateway, it is very easy to
install and use a local gateway.

If you also use a browser extension like "IPFS Companion", it can
automatically redirect all IPFS-looking URLs to your local gateway.

I agree this doesn't help for casual users who have never heard of it, but
it's at least better than "everyone has to use a public gateway all the time".

~~~
sneak
Neither of these things you mention is very easy on my primary computer, an
iPad Pro.

~~~
phyzome
You don't have a general-purpose computer, you have a locked down browser.

(But point taken, a lot of people aren't using general-purpose computers.)

------
mynameisvlad
> (although their hosting provider doesn't appear to have switched their
> networking off).

I doubt that _Microsoft_ Azure is going to switch off the networking for all
of _Microsoft_ OneDrive over this.

~~~
rhplus
That's not a OneDrive URL (https://onedrivepreinhabitat.blob.core.windows.net)
- it's Azure Blob Storage (equivalent to Amazon S3). Microsoft could absolutely
disable that account.

------
sigi45
We all should take actions against evil participants. Blocking that URL is
part of it.

------
sitepodmatt
It's very shitty of DigitalOcean to not at least give you a small window of
opportunity to investigate and remove offending content, especially if it's the
first complaint. Given that their investigation would have been limited too
(unlike yours) it makes it somewhat easy to knock off someone on DigitalOcean
with a flimsy complaint.

~~~
askmike
> especially if first complaint

Well:

> It was sent by PhishLabs to DigitalOcean, and DigitalOcean forwarded it to
> me.

I don't think this is the first complaint from PhishLabs to DigitalOcean. I do
think DO would have "investigated" up to the level where they'd click the link
and see "yep, that's a google sign in form". It's not up to DO to dispute
claims made by people who send them abuse e-mails. As for the dispute itself,
we all seem to think the IPFS was not hosting the content. But I'm not sure if
that holds up in a legal case (the PirateBay is also not hosting any illegal
content).

~~~
jstanley
IPFS isn't even linking to illegal content.

IPFS has no knowledge of the illegal content whatsoever, it all comes from the
URL fragment and Microsoft Azure.

~~~
sitepodmatt
By the same merit, any site (big, small, government or otherwise) with an XSS
like el.outerHTML = window.location.search or el.outerHTML =
window.location.query is vulnerable to being shut down if hosted on DO. Makes
one think...

------
gassed
Leaving an IPFS gateway open seems as intelligent as running a Tor exit node.

~~~
mindslight
Indeed it is - stage 6. Individually acting for the good of others and the
future, rather than short term self interest.

https://en.wikipedia.org/wiki/Lawrence_Kohlberg%27s_stages_of_moral_development

