
There is spam happening involving usage of this project/script #98

Closed
Flyingmana opened this issue Mar 24, 2024 · 32 comments · Fixed by #99

Comments

@Flyingmana

I got this mail.

Vincent highground.ou@gmail.com via sendgrid.net, 19:11 (2 hours ago), to me

Hello,

I hope this message finds you well. I am reaching out to inquire about the possibility of purchasing a proof from you using your GitHub account: https://github.com/Flyingmana

I am willing to offer $500 in exchange for your assistance in generating the requested proof. It involves downloading a repo and running a simple python script that proves the ownership of your github account. The script is fully open sourced and the link is https://github.com/fluencelabs/dev-rewards

If you are not sure about receiving the money, I can pay you first for the half amount, which is $250. After you've sent me the proof I can send you the remaining half. The price is negotiable. I can do paypal, venmo, crypto or any other payment method you would like.

If you are interested in this proposal, please let me know, and we can discuss the details further. I believe this collaboration could be mutually beneficial.

Thank you for considering my offer. I look forward to your response.

Best regards,
Vincent
1301 Terminal Pl, San Mateo, CA 94401

@Elara6331

I also received an email like this and I've reported it to SendGrid, so they'll hopefully suspend the account that was used to send this, but the spammers will likely figure out a different way to send their emails in the future, so this project should definitely mention the spam somewhere in its README so that people don't fall for it.

@Guri-X

Guri-X commented Mar 25, 2024

I have also received this same spam email.

@ElvisKrop

> I also received an email like this and I've reported it to SendGrid, so they'll hopefully suspend the account that was used to send this, but the spammers will likely figure out a different way to send their emails in the future, so this project should definitely mention the spam somewhere in its README so that people don't fall for it.

Definitely a good idea!

@Fil

Fil commented Mar 25, 2024

I've been getting several of these emails, which are obviously scammers. However for "transparency" they redirect to this repo, which leaves me confused. If this project is legit, what does it do, and what is the scammers' plan.

@FDiskas

FDiskas commented Mar 25, 2024

No free energy and no free money 🤑
Report those repositories to GitHub

@FWDekker
Contributor

FWDekker commented Mar 25, 2024

@Fil From my limited understanding, Fluence is launching a cryptocurrency token, so Fluence (randomly?) selected a bunch of GitHub accounts to give 5000 of those tokens to. Of course, using OAuth would be too easy and secure, so instead they created their own system, but they didn't add mutual authentication, so if a scammer intercepts the communication (or deceives you into communicating with them) they can pretend to be you and get your tokens.

Warning

Even if you don't care about these tokens and would be happy to sell them, don't give your bank account number or other payment details to random people on the Internet.

I think Fluence's authentication method works as follows. Fluence took the public SSH keys of the selected users and used those to encrypt some secret data, and uploaded those encrypted pieces of data to a public location. If (and only if) you have the corresponding SSH private key, you can decrypt the data, and with that you can create a proof validating your ownership. This repository is a tool that automates the user-side part of it and spits out a proof if you give it your SSH private key. You can then upload this proof at https://claim.fluence.network/ (don't sue me if that's the wrong link, verify it yourself) to claim the tokens into an Ethereum wallet of your choice. Of course, if you give your proof to a scammer, they'll take your tokens instead.

Apart from lacking mutual authentication, there's a few other security flaws in their design as well. Most notably, it requires access to your private SSH key. Of course, they promise they won't abuse that privilege (you do thoroughly read all scripts before running them, right?), but they do not consider supply chain attacks (e.g. by pinning package versions with hashes). They don't even have a security policy.

@Fil

Fil commented Mar 25, 2024

Thanks for the explanation. I have no plans to sue you nor to run any of these scripts :)

@Guri-X

Guri-X commented Mar 26, 2024

I replied back on this email saying that I need to know more about what this code does and here is the reply I received. Make sure you look out for this phone number:

Sure, so basically I need your GitHub account to generate the proof so that I can claim the Fluence dev rewards. The code is not written by me, but by Fluence Labs. I selected your account based on their list of GitHub users.

Can we chat on telegram or WhatsApp or WeChat or any other chat media? That way we can communicate better and I will send you the first half once I start chatting with you. Zoom or Google Meet also works. 

My telegram handle is xiaomaogy and my WhatsApp username is +12026643450, my WeChat is xiaomaogy88. 

@FWDekker
Contributor

FWDekker commented Mar 26, 2024

> I replied back on this email saying that I need to know more about what this code does and here is the reply I received. Make sure you look out for this phone number:
>
> Sure, so basically I need your GitHub account to generate the proof so that I can claim the Fluence dev rewards. The code is not written by me, but by Fluence Labs. I selected your account based on their list of GitHub users.
>
> Can we chat on telegram or WhatsApp or WeChat or any other chat media? That way we can communicate better and I will send you the first half once I start chatting with you. Zoom or Google Meet also works.
>
> My telegram handle is --- and my WhatsApp username is ---, my WeChat is ---.

Their explanation is sound, but that's usually how they get ya. But $500 for just a bunch of tokens? Well, if it sounds too good to be true, it probably is.

@xiaomaogy

So I was the one who batch sent this email. And I'm not a scam. I did purchase proof from some people. And I will deliver the money if they send me the proof. There is a lot of speculation around the FLT so some people are willing to sell the proof for a certain amount of money, also 500 dollars is negotiable and it is a fair market.

I don't intend to run away with other people's proof without paying, so I don't think it is a scam.

@FWDekker
Contributor

> So I was the one who batch sent this email. And I'm not a scam. I did purchase proof from some people. And I will deliver the money if they send me the proof. There is a lot of speculation around the FLT so some people are willing to sell the proof for a certain amount of money, also 500 dollars is negotiable and it is a fair market.
>
> I don't intend to run away with other people's proof without paying, so I don't think it is a scam.

Yes, in hindsight, I realised it might not be a scam, since it appears that the tokens are currently valued at $1 each (and eligible people receive 5000 tokens), which explains your interest much more. (Though I still disapprove of your email not sufficiently informing people of the impact of sharing such a proof.)

That said, though, unless I misunderstand something, how is the proof useful to you if you don't also have a corresponding signature containing the address of your own Ethereum wallet?

@xiaomaogy

By the way, if anyone here is willing to sell their proof, you can reach out to me at highground.ou@gmail.com, also you can add my telegram:xiaomaogy. I'm willing to buy the github proof if you are qualified, and the price is negotiable.

@xiaomaogy

xiaomaogy commented Mar 26, 2024

> > So I was the one who batch sent this email. And I'm not a scam. I did purchase proof from some people. And I will deliver the money if they send me the proof. There is a lot of speculation around the FLT so some people are willing to sell the proof for a certain amount of money, also 500 dollars is negotiable and it is a fair market.
> >
> > I don't intend to run away with other people's proof without paying, so I don't think it is a scam.
>
> Yes, in hindsight, I realised it might not be a scam, since it appears that the tokens are currently valued at $1 each (and eligible people receive 5000 tokens), which explains your interest much more. (Though I still disapprove of your email not sufficiently informing people of the impact of sharing such a proof.)
>
> That said, though, unless I misunderstand something, how is the proof useful to you if you don't also have a corresponding signature containing the address of your own Ethereum wallet?

So basically I can give them an address when they generate their proof.

So the token price fluctuates, and it's hard to tell how much it would be worth when it gets unlocked. There is a two-month unlocking period. Also a lot of people don't have the channel to sell the token. I'm just providing another channel for them to benefit from it.

Also I think I'm doing a good thing, because of my email more developers are aware of the dev reward, and if they don't want to sell at least they can claim it by themselves, and avoid the halving later on.

If you are bothered by my email, I'm really sorry. I don't want to scam you, but this is the only way I can reach out to people, and see if they are interested.

Again add me on telegram if you are interested in selling, my telegram handle is: xiaomaogy

@cromatikap

> So I was the one who batch sent this email. And I'm not a scam. I did purchase proof from some people. And I will deliver the money if they send me the proof. There is a lot of speculation around the FLT so some people are willing to sell the proof for a certain amount of money, also 500 dollars is negotiable and it is a fair market.
>
> I don't intend to run away with other people's proof without paying, so I don't think it is a scam.

You got some competition, I received an email offering $700 😄

@Justman100

@Flyingmana

Ah, so I'm not the first 😝

@Justman100

I've seen a lot of bad scams, but this one really shoots the bird

@xiaomaogy

> > So I was the one who batch sent this email. And I'm not a scam. I did purchase proof from some people. And I will deliver the money if they send me the proof. There is a lot of speculation around the FLT so some people are willing to sell the proof for a certain amount of money, also 500 dollars is negotiable and it is a fair market.
> >
> > I don't intend to run away with other people's proof without paying, so I don't think it is a scam.
>
> You got some competition, I received an email offering $700 😄

Yes, I can compete with that price. I will offer the best price on the market. Just contact me on telegram if you are interested in selling. My telegram is: xiaomaogy

@GianlucaCesari

> @Fil From my limited understanding, Fluence is launching a cryptocurrency token, so Fluence (randomly?) selected a bunch of GitHub accounts to give 5000 of those tokens to. Of course, using OAuth would be too easy and secure, so instead they created their own system, but they didn't add mutual authentication, so if a scammer intercepts the communication (or deceives you into communicating with them) they can pretend to be you and get your tokens.
>
> Warning
>
> Even if you don't care about these tokens and would be happy to sell them, don't give your bank account number or other payment details to random people on the Internet.
>
> I think Fluence's authentication method works as follows. Fluence took the public SSH keys of the selected users and used those to encrypt some secret data, and uploaded those encrypted pieces of data to a public location. If (and only if) you have the corresponding SSH private key, you can decrypt the data, and with that you can create a proof validating your ownership. This repository is a tool that automates the user-side part of it and spits out a proof if you give it your SSH private key. You can then upload this proof at https://claim.fluence.network/ (don't sue me if that's the wrong link, verify it yourself) to claim the tokens into an Ethereum wallet of your choice. Of course, if you give your proof to a scammer, they'll take your tokens instead.
>
> Apart from lacking mutual authentication, there's a few other security flaws in their design as well. Most notably, it requires access to your private SSH key. Of course, they promise they won't abuse that privilege (you do thoroughly read all scripts before running them, right?), but they do not consider supply chain attacks (e.g. by pinning package versions with hashes). They don't even have a security policy.

I mean, I think it's fairly safe to generate the proof and sell it to someone if it's done properly (payment to ETH wallet, never sending private key etc.); they will not have access to any critical information? But maybe I'm missing something?

@Flyingmana
Author

> > @Fil From my limited understanding, Fluence is launching a cryptocurrency token, so Fluence (randomly?) selected a bunch of GitHub accounts to give 5000 of those tokens to. Of course, using OAuth would be too easy and secure, so instead they created their own system, but they didn't add mutual authentication, so if a scammer intercepts the communication (or deceives you into communicating with them) they can pretend to be you and get your tokens.
> >
> > Warning
> >
> > Even if you don't care about these tokens and would be happy to sell them, don't give your bank account number or other payment details to random people on the Internet.
> >
> > I think Fluence's authentication method works as follows. Fluence took the public SSH keys of the selected users and used those to encrypt some secret data, and uploaded those encrypted pieces of data to a public location. If (and only if) you have the corresponding SSH private key, you can decrypt the data, and with that you can create a proof validating your ownership. This repository is a tool that automates the user-side part of it and spits out a proof if you give it your SSH private key. You can then upload this proof at https://claim.fluence.network/ (don't sue me if that's the wrong link, verify it yourself) to claim the tokens into an Ethereum wallet of your choice. Of course, if you give your proof to a scammer, they'll take your tokens instead.
> >
> > Apart from lacking mutual authentication, there's a few other security flaws in their design as well. Most notably, it requires access to your private SSH key. Of course, they promise they won't abuse that privilege (you do thoroughly read all scripts before running them, right?), but they do not consider supply chain attacks (e.g. by pinning package versions with hashes). They don't even have a security policy.
>
> I mean, I think it's fairly safe to generate the proof and sell it to someone if it's done properly (payment to ETH wallet, never sending private key etc.); they will not have access to any critical information? But maybe I'm missing something?

👀 There is also a substantial risk of losing your private SSH key this way, which, if you use this one for paid work, can also cause quite some very expensive liability issues.
Natural paranoia in combination with people offering hundreds of dollars for it makes me wonder if the proof could already contain a masked version of the private SSH key (because naturally there is a low chance these coins reach such a high market value, especially if only a few shady people buy the majority of it, so there needs to be something else behind it).
But cryptography is hard, and I would definitely be able neither to confirm nor to deny my assumption, even if I put a lot of hours into reading the source.

@cromatikap

@FWDekker No way that I run those scripts, but did you have a look at the paranoid instruction?

What do you think?

I found an old vulnerability in grep, but the Ubuntu 22.04 they tell you to spin up is supposed to have the patched version 🤔

Looks legit to me, but I'd be up for second opinions before trying it; I don't want my sk to get hacked.

@GianlucaCesari

> > > @Fil From my limited understanding, Fluence is launching a cryptocurrency token, so Fluence (randomly?) selected a bunch of GitHub accounts to give 5000 of those tokens to. Of course, using OAuth would be too easy and secure, so instead they created their own system, but they didn't add mutual authentication, so if a scammer intercepts the communication (or deceives you into communicating with them) they can pretend to be you and get your tokens.
> > >
> > > Warning
> > >
> > > Even if you don't care about these tokens and would be happy to sell them, don't give your bank account number or other payment details to random people on the Internet.
> > >
> > > I think Fluence's authentication method works as follows. Fluence took the public SSH keys of the selected users and used those to encrypt some secret data, and uploaded those encrypted pieces of data to a public location. If (and only if) you have the corresponding SSH private key, you can decrypt the data, and with that you can create a proof validating your ownership. This repository is a tool that automates the user-side part of it and spits out a proof if you give it your SSH private key. You can then upload this proof at https://claim.fluence.network/ (don't sue me if that's the wrong link, verify it yourself) to claim the tokens into an Ethereum wallet of your choice. Of course, if you give your proof to a scammer, they'll take your tokens instead.
> > >
> > > Apart from lacking mutual authentication, there's a few other security flaws in their design as well. Most notably, it requires access to your private SSH key. Of course, they promise they won't abuse that privilege (you do thoroughly read all scripts before running them, right?), but they do not consider supply chain attacks (e.g. by pinning package versions with hashes). They don't even have a security policy.
> >
> > I mean, I think it's fairly safe to generate the proof and sell it to someone if it's done properly (payment to ETH wallet, never sending private key etc.); they will not have access to any critical information? But maybe I'm missing something?
>
> 👀 There is also a substantial risk of losing your private SSH key this way, which, if you use this one for paid work, can also cause quite some very expensive liability issues.
> Natural paranoia in combination with people offering hundreds of dollars for it makes me wonder if the proof could already contain a masked version of the private SSH key (because naturally there is a low chance these coins reach such a high market value, especially if only a few shady people buy the majority of it, so there needs to be something else behind it).
> But cryptography is hard, and I would definitely be able neither to confirm nor to deny my assumption, even if I put a lot of hours into reading the source.

I understand. Thankfully I can dispose of my SSH key and have already generated a new one, so I don't know if there are more "shady" parts about that. The only thing I can say about @xiaomaogy is that he paid what we settled on for the proof, half before and half after, so that part I can vouch for.

@FWDekker
Contributor

> @FWDekker No way that I run those scripts, but did you have a look at the paranoid instruction?
>
> What do you think?
>
> I found an old vulnerability in grep, but the Ubuntu 22.04 they tell you to spin up is supposed to have the patched version 🤔
>
> Looks legit to me, but I'd be up for second opinions before trying it; I don't want my sk to get hacked.

The paranoid instructions involve disabling the network of the Docker container before importing your SSH key, so it can't covertly exfiltrate your key. (Instead of Docker, you can also use Podman, which is rootless, but then you can only disable the network by running pkill slirp4netns on the host (not in the container).)

The proof itself also doesn't contain anything that is related to your private SSH key. The private SSH key is only used to decrypt the ciphertext from metadata.bin, and then the proof is based on that output (and the Ethereum address to which the tokens should be transferred).

I haven't checked the other scripts in this repo, but if you follow the paranoid instructions I don't see the private key leaking (assuming they have not been maliciously edited as of me writing this). No, I think the main risk here is you giving away tokens without the other paying you.

If you are still paranoid about losing your SSH key, then generate the proof, remove your public SSH key from all accounts where you use it, and then give the proof to someone else. (If you follow the best practice of using a unique SSH key per machine per service, this is easy. Otherwise, this might be a good time to start doing that.)
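The flow described in this comment and in the earlier explanation (a per-user secret encrypted to the user's SSH public key, decrypted offline, and a proof derived from that plaintext plus the payout address) worked through as an added toy model in Python. This is not the project's code: the textbook RSA with small fixed primes, the HMAC proof format and every name in it are stand-ins chosen for illustration, not the real dev-rewards format.

```python
"""Toy model of a 'decrypt-to-prove' reward claim (constructed for illustration).

Assumptions, not the real project: textbook RSA with small fixed primes stands
in for the user's SSH key pair, and the proof is an HMAC over the decrypted
secret and the payout address. The real dev-rewards format is not modelled.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Toy RSA parameters (constructed; far too small to be secure).
P, Q, E = 104729, 1299709, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)   # what an issuer could scrape from a user's public keys
PRIVATE_KEY = (N, D)  # what stays on the user's offline machine


def rsa_encrypt_chunked(pub: Tuple[int, int], data: bytes) -> List[int]:
    """Encrypt data in 4-byte chunks (each value < N) to the public key."""
    n, e = pub
    assert len(data) % 4 == 0, "toy scheme needs a multiple of 4 bytes"
    return [pow(int.from_bytes(data[i:i + 4], "big"), e, n)
            for i in range(0, len(data), 4)]


def rsa_decrypt_chunked(priv: Tuple[int, int], chunks: List[int]) -> bytes:
    """Reverse rsa_encrypt_chunked with the private exponent."""
    n, d = priv
    return b"".join(pow(c, d, n).to_bytes(4, "big") for c in chunks)


def issuer_publish(pub: Tuple[int, int], user: str) -> Tuple[dict, bytes]:
    """Issuer side: mint a per-user secret, publish it encrypted to the user's
    public key (the public 'metadata'), keep the plaintext for verification."""
    secret = secrets.token_bytes(32)
    entry = {"user": user, "ciphertext": rsa_encrypt_chunked(pub, secret)}
    return entry, secret


def user_make_proof(priv: Tuple[int, int], entry: dict, payout_address: str) -> dict:
    """User side (run offline): decrypt the secret with the private key and
    bind it to the address that should receive the tokens. Neither the private
    key nor the decrypted secret is part of the returned proof, only an HMAC."""
    plaintext = rsa_decrypt_chunked(priv, entry["ciphertext"])
    tag = hmac.new(plaintext, payout_address.encode(), hashlib.sha256).hexdigest()
    return {"user": entry["user"], "address": payout_address, "tag": tag}


def verifier_claim(registry: Dict[str, bytes], proof: dict) -> Optional[str]:
    """Claim site: recompute the tag from the stored secret. Whoever presents a
    valid proof is paid at the address inside it: the proof is a bearer token,
    which is why selling it (with the buyer's address baked in) works, and why
    a proof generated for one address is useless to anyone who swaps it."""
    secret = registry.get(proof["user"])
    if secret is None:
        return None
    expected = hmac.new(secret, proof["address"].encode(), hashlib.sha256).hexdigest()
    return proof["address"] if hmac.compare_digest(expected, proof["tag"]) else None


def demo() -> dict:
    """Run the three cases discussed in the thread against one registry."""
    registry: Dict[str, bytes] = {}
    entry, secret = issuer_publish(PUBLIC_KEY, "alice")  # constructed user
    registry["alice"] = secret
    honest = user_make_proof(PRIVATE_KEY, entry, "0xALICE")   # claim for self
    sold = user_make_proof(PRIVATE_KEY, entry, "0xBUYER")     # buyer's address baked in
    tampered = dict(honest, address="0xTHIEF")                # address swapped afterwards
    return {
        "honest": verifier_claim(registry, honest),
        "sold": verifier_claim(registry, sold),
        "tampered": verifier_claim(registry, tampered),
        "roundtrip": rsa_decrypt_chunked(PRIVATE_KEY, entry["ciphertext"]) == secret,
    }


if __name__ == "__main__":
    print(demo())
```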

@VannTen

VannTen commented Mar 28, 2024

I also received one of those mails.

Well, Fluence is not up to date on SSH, obviously. The private part of FIDO2 SSH keys never leaves the security token (and so you can't use them with age), so good luck generating your proof in that case! 😆

@manaus0xff

> Even if you don't care about these tokens and would be happy to sell them, don't give your bank account number or other payment details to random people on the Internet.

Yeah. Otherwise a scammer will send money to your bank account and you'll be left with the money like an idiot.

@FWDekker
Contributor

> > Even if you don't care about these tokens and would be happy to sell them, don't give your bank account number or other payment details to random people on the Internet.
>
> Yeah. Otherwise a scammer will send money to your bank account and you'll be left with the money like an idiot.

Go ahead, share whatever details you want with strangers on the Internet. Surely, they won't use it to build a profile by connecting various data leaks to perform a (spear)phishing attack against you, your family, or your colleagues, right? ;-)

@xiaomaogy

Yes, scamming is really a thing these days. After purchasing around 5 proofs I got someone contacting me, acting as if they were certain GitHub account users. I didn't verify that (which is my fault), and sent them the first half of the money via a different crypto payment method (like ZEC or Dash). And after they received the crypto they deleted the Telegram chat and disappeared. I'm really disappointed and now I really need to verify the ownership of the account before I actually pay people.

I'm still purchasing git proof for the fluence rewards if anyone is interested. My telegram is: xiaomaogy. But I will be more careful.

@danicuki

danicuki commented Apr 2, 2024

Why not use OAuth for this proof???

@o-kotb

o-kotb commented Apr 6, 2024

I don't know why I was listed in it either. And I really don't care about any of that crypto stuff. However, I can vouch for @xiaomaogy as well. I sold my tokens to them because I have no use for it. The process was pretty straightforward there. So that at least isn't a scam.

@LeslieOA

LeslieOA commented Apr 8, 2024

> > > @Fil From my limited understanding, Fluence is launching a cryptocurrency token, so Fluence (randomly?) selected a bunch of GitHub accounts to give 5000 of those tokens to. Of course, using OAuth would be too easy and secure, so instead they created their own system, but they didn't add mutual authentication, so if a scammer intercepts the communication (or deceives you into communicating with them) they can pretend to be you and get your tokens.
> > >
> > > Warning
> > >
> > > Even if you don't care about these tokens and would be happy to sell them, don't give your bank account number or other payment details to random people on the Internet.
> > >
> > > I think Fluence's authentication method works as follows. Fluence took the public SSH keys of the selected users and used those to encrypt some secret data, and uploaded those encrypted pieces of data to a public location. If (and only if) you have the corresponding SSH private key, you can decrypt the data, and with that you can create a proof validating your ownership. This repository is a tool that automates the user-side part of it and spits out a proof if you give it your SSH private key. You can then upload this proof at https://claim.fluence.network/ (don't sue me if that's the wrong link, verify it yourself) to claim the tokens into an Ethereum wallet of your choice. Of course, if you give your proof to a scammer, they'll take your tokens instead.
> > >
> > > Apart from lacking mutual authentication, there's a few other security flaws in their design as well. Most notably, it requires access to your private SSH key. Of course, they promise they won't abuse that privilege (you do thoroughly read all scripts before running them, right?), but they do not consider supply chain attacks (e.g. by pinning package versions with hashes). They don't even have a security policy.
> >
> > I mean, I think it's fairly safe to generate the proof and sell it to someone if it's done properly (payment to ETH wallet, never sending private key etc.); they will not have access to any critical information? But maybe I'm missing something?
>
> 👀 There is also a substantial risk of losing your private SSH key this way, which, if you use this one for paid work, can also cause quite some very expensive liability issues. Natural paranoia in combination with people offering hundreds of dollars for it makes me wonder if the proof could already contain a masked version of the private SSH key (because naturally there is a low chance these coins reach such a high market value, especially if only a few shady people buy the majority of it, so there needs to be something else behind it). But cryptography is hard, and I would definitely be able neither to confirm nor to deny my assumption, even if I put a lot of hours into reading the source.

I was paranoid but highly curious.
Learnt about the airdrop from not one, but two emails (a friendly one from a Daniel and another one from airdropsss that seems designed to dissuade the email recipient from claiming).

I went with a hybrid of the paranoid method but used the web interface to generate proofs:

  1. Create a Linux VM (I use UTM on macOS, but you can use QEMU, etc)
  2. Clone this repo to said VM
  3. wget the metadata.json file
  4. Disable networking in your VM (before disabling/disconnecting, make certain you have age, etc installed)
  5. Run a simple HTTP server within the web/ folder (e.g. python -m http.server)
  6. Start process
  7. Purge VM

Complete overkill, but worked.

NOTE: I generated proofs for my own GitHub account and claimed the tokens to my own Ethereum wallet.
Not saying this has happened, but if anyone asks for your private keys, SSH or otherwise: you're being scammed.

@xiaomaogy

> I don't know why I was listed in it either. And I really don't care about any of that crypto stuff. However, I can vouch for @xiaomaogy as well. I sold my tokens to them because I have no use for it. The process was pretty straightforward there. So that at least isn't a scam.

Thanks for the vouch, really appreciate it. So far I've traded with more than 25 people. Some of them are scams and never return after I sent them the initial batch of the money, but many of them are honest and we made the trade work.

You can still reach out to me on telegram: xiaomaogy. I'm still purchasing the git proof. I can also use the approach mentioned by @LeslieOA if you are worried. That way I don't have access to anything from you, just the proof. You can be sure that I'm honest and all I want to do is get the proof so that I can claim the FLT reward.

@Fi1osof

Fi1osof commented Apr 24, 2024

@xiaomaogy is not a scammer. He sent me $250 in ETH. But then I read this project more carefully and claimed the tokens for myself. Sent the ETH back to @xiaomaogy. No scam, no hate.

@AhmedBaset

TL;DR: is running that script and giving the requested proof safe? Can anyone confirm?
