Encrypted Messaging Site Privnote Cloned to Steal Bitcoin

clones-twins
15 June 2020

Privnote, a free web service that lets users send encrypted messages that self-destruct once read, has been copied with the reported aim of redirecting users’ bitcoin to criminals.

In a Sunday post on cybersecurity blog KrebsonSecurity, journalist Brian Krebs warned users of a phishing scam that lures unsuspecting victims to a near-identical version of the privnote.com website known as privnotes.com.

However, the fake site doesn’t fully encrypt messages, as Krebs discovered in tests, and can “read and/or modify all messages sent by users.”

Just as worrying, it contains a script that hunts out messages containing bitcoin addresses and changes the original address into the bad actor’s own address in the sent message. This would mean any funds sent would arrive at the bitcoin address owned by the criminal, not the one intended by the message sender.

“Any messages containing bitcoin addresses will be automatically altered to include a different bitcoin address, as long as the Internet addresses of the sender and receiver of the message are not the same,” Krebs said in the post.

“Until recently, I couldn’t quite work out what Privnotes was up to, but today it became crystal clear,” he said.

Krebs explained he’d been notified by the owners of privnote.com that someone had built a clone version of their site and that it was tricking users of the legitimate site.

See also: Crypto Scams Targeting Pacific Communities on the Rise, Say New Zealand Regulators

“It’s not hard to see why: Privnotes.com is confusingly similar in name and appearance to the real thing, and comes up second in Google search results for the term “privnote.” Also, anyone who mistakenly types “privnotes” into Google search may see at the top of the results a misleading paid ad for “Privnote” that actually leads to privnotes.com,” Krebs wrote.

privnotes
A Google search for “privnotes” pulls up a paid advert for the phishing site privnotes.com
Source: KrebsonSecurity

A quick Google search by CoinDesk verified this finding.

Making the scam harder to spot, the self-destructing nature of these messages means victims are unable to go back and check on the bitcoin addresses the script alters: they are sent, read and deleted. According to Allison Nixon, chief research officer at Unit 221B, who helped identify and test the phishing scam, said the script appears to only alter the first instance of a bitcoin address if it’s repeated within a message.

“The type of people using privnote aren’t the type of people who are going to send that bitcoin wallet any other way for verification purposes,” Nixon said in the post. “It’s a pretty smart scam.”

See also: FBI Warns COVID-19 Scammers Are Targeting Crypto Holders

Bitcoin-related scams have been on the rise in recent months, particularly with concerns relating the coronavirus pandemic. U.K residents were warned in late March that scams were being used to exploit fear and uncertainty through text messages and emails posing as an official health organization.

“Even if you never use or plan to use the legitimate encrypted message service Privnote.com, this scam is a great reminder of why it pays to be extra careful about using search engines to find sites that you plan to entrust with sensitive data,” Krebs said.