Description

Bundle Leftovers

thanks :>

6 years ago

Hello. If I'm not mistaken, you created the sgtools.info site. Great work on it. I work in the security industry, and I wanted to request you purchase the domain: sgtoois.info (it should only cost you a few dollars at most).

The reason I suggest you do this is because sgtools is very popular and recognizable here. But if a malicious person wanted to, they could purchase the domain and then post links to sgtoois.info instead. Because a capital i looks like a lowercase L, it would be easy to guide a number of people to a malicious site. And if they redirected from that site to the real one, it's unlikely it would be noticed. It could be particularly bad if it redirected all existing sgtools users to the real site and performed a phishing attack on anyone that was going through the Steam account linking process.

Thanks again for your work on the site. I hope you'll consider purchasing the domain.

4 years ago

You are not mistaken and thanks :)

I am aware that having only one domain, and not buying the similar ones, opens a vector of attack for malicious parties to try to exploit. But in all honesty, businesses usually end up buying dozens of domains in order to try to minimize these kinds of attack vectors, and that is not something I can maintain for a hobby project that is already eating money out of my wallet every month.

There are far more interesting phishing targets than SGTools, like all the raffles and "get a free game" types of websites. Those attract a way broader audience that doesn't even know about Steamgifts, let alone SGTools.

Thanks for sharing your concerns and advice with me :)

4 years ago

Yeah, I can understand that. I have a free security offering that costs me money to provide which can be rather annoying.

The other spoof-like URLs (e.g. sgtools.com) are easy for the forum to self-police by pointing out they are the wrong address. SGToois.info is different because it's indistinguishable from the real site when you view the link in most browsers. It's hard to self-police by users because both links look identical: https://SGTools.info and https://SGTooIs.info . Or if they want to be even trickier (since the hover over in some browsers would show a lower case i), they can do this: https://NoBots/SGTooIs.info to make it look identical even in a hover-over.

There is potentially a free solution. We could have a script check daily if domains you are concerned with are still available for purchase. If they are, nothing to do. If they aren't, then a PSA could at least make the user-base aware of the risk.

There's one other free alternative that could help. SteamGifts.com may already have a list of banned link domains. If it does, adding SGToois.info (and for that matter SGTools.com, etc) to that list would prevent potential abuse on this site. Since that is pretty much the only place someone could carry out a successful attack against a large number of users, that would cover most of the risk. If you'd like, I can send a support ticket to ask if that is possible (or you can if you want).

4 years ago*

I will create a simple script that checks if the problematic URL responds with some valid HTML, and if it does, it'll email me so I can warn people at the forum in a PSA. This sounds like the best option that is feasible.

We should not expect CG to implement a blacklist of outgoing links, because there are a ton of other things that should be done before and the pace of changes in the site is rather... slow. It would be an awesome barrier and not only for this case but the recent wave of phishing sites, but I think we won't be able to convince him to implement that in this century.

Thanks for all the ideas :)

4 years ago

If you'd like, I can create the script for you. Should be a pretty short Python script. I'd likely opt for making a REST API call for a WHOIS lookup to see if the domain has been registered. Just let me know.

It's possible there already is blacklist capability for links (if not explicitly implemented by the SG staff, as part of whatever the forum runs on). I'll ask.

4 years ago

I created a simple script that is executed every 4 hours to check the domain availability. If it detects that any of the domains listed is registered, it sends me an email, so it should be enough.

I'm pretty sure there is no such thing implemented on the forums, since there are some forbidden websites that still get linked from time to time.

4 years ago
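
An added example, not the script either poster wrote: a registration monitor for the lookalike domains named in the thread, which reports a name only when it changes from unregistered to registered and marks the differing character in lowercase so the alert itself is not ambiguous. It assumes DNS resolution as the registration signal; the function names, state file and e-mail addresses are hypothetical.

```python
import json
import socket
from email.message import EmailMessage
from pathlib import Path

PROTECTED = "sgtools.info"
WATCHLIST = ["sgtoois.info", "sgtools.com"]  # lookalikes named in the thread

def resolves(domain):
    """Assumption: treat 'has a DNS address record' as 'registered'.
    A registered but parked name may not resolve; WHOIS/RDAP is stricter."""
    try:
        socket.getaddrinfo(domain, 443)
        return True
    except socket.gaierror:
        return False

def newly_registered(watchlist, state_file, lookup=resolves):
    """Return watched domains that flipped to registered since the last run."""
    path = Path(state_file)
    previous = json.loads(path.read_text()) if path.exists() else {}
    current = {d.lower(): bool(lookup(d.lower())) for d in watchlist}
    path.write_text(json.dumps(current))
    return sorted(d for d, up in current.items() if up and not previous.get(d))

def mark_difference(lookalike, protected=PROTECTED):
    """Lowercase the name and put a caret under each character that differs."""
    lookalike = lookalike.lower()
    if len(lookalike) != len(protected):
        return lookalike
    carets = "".join("^" if a != b else " " for a, b in zip(lookalike, protected))
    return f"{lookalike}\n{carets.rstrip()}"

def build_alert(domains, sender, recipient):
    """Build the notification mail; sending is left to the caller's SMTP setup."""
    msg = EmailMessage()
    msg["Subject"] = f"Lookalike domain registered: {', '.join(domains)}"
    msg["From"], msg["To"] = sender, recipient
    msg.set_content("\n\n".join(mark_difference(d) for d in domains))
    return msg

if __name__ == "__main__":
    hits = newly_registered(WATCHLIST, "lookalike_state.json")
    if hits:
        # Addresses are placeholders; hand the message to smtplib to send it.
        print(build_alert(hits, "monitor@example.org", "owner@example.org"))
```

Run it from a scheduler at whatever interval suits; the state file is what keeps a registered name from triggering a new mail on every run.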