Rapidshare users : READ THIS THREAD, IMPORTANT PHISHING NOTICE

[woody2]

UPDATE : IF YOU OWN A PREMIUM ACCOUNT AND YOUR COOKIE IS NOT RECOGNIZED AFTER CLICKING A LINK, NEVER ENTER YOU PREMIUM PASSWORD WITHOUT CHECKING THE ADDRESS BAR AND MAKING SURE THERE IS A VALID SSL SECURITY CERTIFICATE! THERE ARE A LOT OF PHISHING LINKS HERE ON RB!!!

Remember if you entered your premium information on mistake to contact rapidshare.com right away. They will change and restore your password.

Original Post.

I'm sure many of you already are aware of these scams, however, I figured I'd post this thread in-case some of you were not.

Here is an example link
http://www.lil-link.com/4046
(PLEASE DO NOT ENTER YOUR PREMIUM ACCOUNT INFO INTO THE ABOVE LINK!)
The user cloaks the link to make it appear as if it's going directly to rapidshare. So it looks like this

http://rapidshare.com/files/10267702/SNR.rar

However, it goes to the link above, please be aware that there at least 10 duplicate sites with different URLs. They're all designed to do the same thing, steal your rapidshare premium account.

Never enter in your premium account information into any site, if it's truly rapidshare.com it will recognize your cookie, (if you delete your cookies often then make sure it's actually rapidshare.com's site, it will have a security certficate.)

If you accidently entered your premium account information into one of these phishing sites, contact rapidshare right away.

http://rapidshare.com/security.html

http://rapidshare.com/support.html

Here is an example thread of one of the users trying to pull this scam..(mods, his IP should be banned BTW)

http://rapeboard.com/showthread.php?t=15215

http://rapeboard.com/showthread.php?t=13769

edit: Here is some technical information on the scam posted by Aboracus.

Quote:

Originally Posted by Aboracus

First I would like to thank woody2 for finding this security threat. Great work!

Some technical details:
When you look at the source code, you will find an iframe with source given as:
"rapidsharei.t35.com/files.php?rs=http://rs381.rapidshare.com/files/94761332/sleepymom.rar&s=87355"
The part after the "=" is the harmless rapidshare link, but the part before the "=" is the phishing script, hosted on the free hosting service "t35.com".

"lil-link.com" is innocent, it's just redirecting to the evil site "rapidsharei.t35.com". Banning the redirector "lil-link.com" is useless, as the phisher can easily change it.

But banning the user and the IP is a very good idea from rightidiot.
All links posted by the user should also be deleted.

Be weary of ALL links when entering in your RS password!!!!!

Some more scams to beware of, (thanks touriquet)

Quote:

Originally Posted by touriquet2001

some other scams to beware of ...

http://www.rapeboard.com/showthread.php?t=15464

http://www.rapeboard.com/showthread.php?t=12461

best way to defeat these idiots is to pay attention and be careful

A nice illustration from Drivetrain.
http://rapeboard.com/showpost.php?p=233738&postcount=35

[mailmandude]

I certainly appreciate the heads-up, but EVERYTHING about the site smells of Rapidshare, including the logo. Maybe I'm just naive but it sure looks genuine to me. A little clarification, perhaps?

[Tin Manifest]

Yeah, they basically copied a rapidshare download page. I even clicked on the free download button and got the rapidshare message about the file being suspected of TOS violations. Definitely a phishing site.

[woody2]

Quote:

Originally Posted by Noir

Are you absolutely sure this isn't just a link shortening service with one major flaw?

Yes, I am 100% sure. Click on 'premium user', it will ask you to enter your premium account information. You will notice your cookie works on rapidshare's site and not on the phishing site. Trust me, the user is trying to deceive users into thinking it's rapidshare's actual site by even going as far as to cloak the link with a fake rapidshare URL. If it was just a link shortening service he would just post the direct link. Also, link shortening services are meant to hide the actual link, his phishing gateway makes the actual link visible.

Quote:

Originally Posted by mailmandude

I certainly appreciate the heads-up, but EVERYTHING about the site smells of Rapidshare, including the logo. Maybe I'm just naive but it sure looks genuine to me. A little clarification, perhaps?

Yes man, that is the idea! He wants you to think it's rapidshare's site so you enter in your premium account information without thinking twice.. Please read the security link I posted above.

http://rapidshare.com/security.html

Quote:

Originally Posted by rapidshare.com

If you receive a RapidShare download link from an unknown person, please carefully check if the link really leads to RapidShare.com. Unfortunately, there are websites that imitate RapidShare download pages with the purpose of stealing your password.

Rapidshare's genuine site is SSL protected with a security cerficate.

https://ssl.rapidshare.com/premiumzone.html

If you look at your information bar on the bottom you will notice all the links on the fake phishing site point to rapidshare's actual site, HOWEVER, the "premium login" link goes back to the phishing site.

This is a well known scam on many other vanilla porn forums, looks like the scammer has made his way over here, so beware!

[rightidiot]

I CONCUR - DO NOT USE THIS LINK
Damn good call woody2.

Researched lil-link.com. It is a legitimate url hiding service as recognised by aio (all in one - guide to worez).

Checked up on Whois and everythinks seemed fine.

Checked some of the other forums for negative responses. Lots were ok, but some instances of lil-link.com being used to piggybank to phishing sites.

Tested some legitimate links and they seemed fine, but something not quite right with this one, seems to be hopping to another site before redirecting to rapidshare (had to throttle my download speeds to see it). Not only that, the behaviour in respect of login request, does not seem to be consistent with other sites (from my research).

Mods, urge you to suspend the link on the post. Banning user and IP also seems acceptable.

Quote:

Originally Posted by woody2

I'm sure many of you already are aware of these scams, however, I figured I'd post this thread in-case some of you were not.

Here is an example link
http://www.lil-link.com/4046
(PLEASE DO NOT ENTER YOUR PREMIUM ACCOUNT INFO INTO THE ABOVE LINK!)
The user cloaks the link to make it appear as if it's going directly to rapidshare. So it looks like this

http://rapidshare.com/files/10267702/SNR.rar

However, it goes to the link above, please be aware that there at least 10 duplicate sites with different URLs. They're all designed to do the same thing, steal your rapidshare premium account.

Never enter in your premium account information into any site, if it's truly rapidshare.com it will recognize your cookie, (if you delete your cookies often then make sure it's actually rapidshare.com's site, it will have a security certficate.)

If you accidently entered your premium account information into one of these phishing sites, contact rapidshare right away.

http://rapidshare.com/security.html

http://rapidshare.com/support.html

Here is an example thread of one of the users trying to pull this scam..(mods, his IP should be banned BTW)

http://rapeboard.com/showthread.php?t=15215

http://rapeboard.com/showthread.php?t=13769

[randyandy]

Thanks for the heads-up woody2! i wasn't aware of this at all. i followed all the links you provided in OP and am amazed... they've also spoofed the MU page. just now I compared landing at MU and RS via my Bookmarks, then again via your links; via Bookmarks I'm auto-IDed as Premium. absolutely no other link-protector i've seen has ever blocked RS or MU from auto-IDing me once I click through on Premium. but without your alert i just might have entered my creds this time -phew

[Aboracus]

First I would like to thank woody2 for finding this security threat. Great work!

Some technical details:
When you look at the source code, you will find an iframe with source given as:
"rapidsharei.t35.com/files.php?rs=http://rs381.rapidshare.com/files/94761332/sleepymom.rar&s=87355"
The part after the "=" is the harmless rapidshare link, but the part before the "=" is the phishing script, hosted on the free hosting service "t35.com".

"lil-link.com" is innocent, it's just redirecting to the evil site "rapidsharei.t35.com". Banning the redirector "lil-link.com" is useless, as the phisher can easily change it.

But banning the user and the IP is a very good idea from rightidiot.
All links posted by the user should also be deleted.

[woody2]

Quote:

Originally Posted by Aboracus

First I would like to thank woody2 for finding this security threat. Great work!

Some technical details:
When you look at the source code, you will find an iframe with source given as:
"rapidsharei.t35.com/files.php?rs=http://rs381.rapidshare.com/files/94761332/sleepymom.rar&s=87355"
The part after the "=" is the harmless rapidshare link, but the part before the "=" is the phishing script, hosted on the free hosting service "t35.com".

"lil-link.com" is innocent, it's just redirecting to the evil site "rapidsharei.t35.com". Banning the redirector "lil-link.com" is useless, as the phisher can easily change it.

But banning the user and the IP is a very good idea from rightidiot.
All links posted by the user should also be deleted.

Good observation, thanks for pointing that out. There are more than just one of these URLs going around, and as shown above by Aboracus they can be disguised many different ways. As a general rule of thumb never enter in your premium account information unless you're 100% sure it's rapidshare's site and the SSL security certificate is visible and valid. You should also be suspicious if your cookie isn't recognized as randyandy pointed out. Unless you manually delete your cookies you shouldn't be running into that problem.

[woody2]

Quote:

Originally Posted by randyandy

Thanks for the heads-up woody2! i wasn't aware of this at all. i followed all the links you provided in OP and am amazed... they've also spoofed the MU page. just now I compared landing at MU and RS via my Bookmarks, then again via your links; via Bookmarks I'm auto-IDed as Premium. absolutely no other link-protector i've seen has ever blocked RS or MU from auto-IDing me once I click through on Premium. but without your alert i just might have entered my creds this time -phew

[danielseah76]

Thanks for the warning o_O

[mailmandude]

I'm convinced what woody2 has shared with us is a legitimate threat. Granted, like many others I was slow to accept it, what with the actual Rapidshare logo appearing and all, but after reading the exchange between our members, I won't be following any such links in the future.

Fellow members, I think throwing woody2 a Rep point is appropriate in this situation.

[Sanitarium]

Member banned
IP reported
Posts deleted

[rightidiot]

Quote:

Originally Posted by Aboracus

First I would like to thank woody2 for finding this security threat. Great work!

Some technical details:
When you look at the source code, you will find an iframe with source given as:
"rapidsharei.t35.com/files.php?rs=http://rs381.rapidshare.com/files/94761332/sleepymom.rar&s=87355"
The part after the "=" is the harmless rapidshare link, but the part before the "=" is the phishing script, hosted on the free hosting service "t35.com".

"lil-link.com" is innocent, it's just redirecting to the evil site "rapidsharei.t35.com". Banning the redirector "lil-link.com" is useless, as the phisher can easily change it.

But banning the user and the IP is a very good idea from rightidiot.
All links posted by the user should also be deleted.

Aboracus - bloody hell - your good. You definitely, know your shit man, and comming from an ex-techie, please take this as a compliment (bad eyes and RSI - forced me out).

I wish I could give multiple reputations points to both yourself and "woody2" for this valuable contribution.

Board members, please oblige me - give them the rep they deserve.

[batffink]

Warning came too late for me I'm afraid. I don't remember which link I used but sometime later my password was rejected by R/share When I contacted them they said that another user had been using my password at the same time as me. I NEVER give my password to anyone else. R/share quickly gave me a new password and everything has been OK since. Thanks to woody2 and also to Aboracus, rep to each of you.

[woody2]

Quote:

Originally Posted by batffink

Warning came too late for me I'm afraid. I don't remember which link I used but sometime later my password was rejected by R/share When I contacted them they said that another user had been using my password at the same time as me. I NEVER give my password to anyone else. R/share quickly gave me a new password and everything has been OK since. Thanks to woody2 and also to Aboracus, rep to each of you.

Sorry to hear you fell victim to this scam. Glad everything worked out in the end though.

[colector]

thank you for warning, it is allways good to stay in allert when surfing the web.

regards c.

[craxon]

MANY thanks
can we ban lil-link as well?
after all... they allow this to happen!

[Raven Darkheart]

gj woody

[swissman]

thank you for it, but, here where I live, we receive a lot of mails from money bancs, saying that they have imprived their security sysntem and before x hoyrs we need to insert user and password. Of course it's also phising, but sometimes, i receive from bancs which are not "mine", and as I have nothing there, I clic to see, and the url and the page is perfect. So, coming back to this now, in this case the url is not rapidshare, is lillxxx, but somebody can do it better......and steal again user names and passwords

[woody2]

Ttt