sus's blog

By sus, history, 6 months ago, In English

I hate the fact that I have to write this blog right now but there are many people on this site who have probably fallen to some scams. This is the story about how I might have almost lost my Codeforces account. I am not sure what happened between 2021 and 2022 for the amount of scams to rise this rapidly.

I have seen blogs talking about scams being sent in direct messages and thought to myself "wow, these are obviously scams there is no way anyone would fall for them". These messages are very low effort and can easily be identified as a scam (look at this blog). It seems the main purpose of these types of phishing scams is to steal your account password so if you get a message like this, PLEASE don't click the link.

If you are wondering why people are trying to take your account (given it is high rated), a few reasons I can come up with are

  • to hold ransom and ask you for money in order to give your account back to you
  • sell the account to another person
  • change the account name during New Years Magic and pretend it's their own (to fake job interviews and such)
  • have another account for the near coin thing

Another type of scam revolves around Cryptocurrency and such. If you get a message saying that you won 1000 dollars worth of Monogon-PurpleCrayon Token (yes, they have very silly names), please don't click on them because you did not, in fact, win anything. If the message asks you to send a message to another account, don't do that either and just ignore the messages.

Anyways those are the extremely obvious scams that not that many people fall for. Today, I received a scam that was not so obvious and I almost lost my account.

If you take a look at this email from the official Codeforces gmail account and compare it with an email I received this morning, you can see that someone in a panic might confuse the two and think the second one is real as well.

If you had just received an email from Codeforces saying that your account was hacked, would you not be alarmed as well? The email looks almost the same except for a few small details that someone who is panicked might overlook. Firstly, the email addresses are extremely similar except for a few minor details. If you get an email from Codeforces asking you to do something with your account, make sure the email is one of these two (Codeforces@codeforces.com or noreply@codeforces.com).

The second difference is the poor English. I did not think much of the poor English and thought it was a translation error from Russian to English.

When I hovered over the link and was about to click on it, it showed as a redirect to some cobeforces.com page that seems to be unavailable now (codeforces but with a 'b' where the 'd' goes — very clever scammers. The page looks like the real codeforces.com sign in page). This is when I realized that I was about to give my account details to some scammers and immediately checked the email address, and to my relief, it was a fake one. The amount of scams on this site nowadays is scary and extremely alarming. It seems the scams evolve with the website and just get more realistic as time passes.

General rules to stay safe

  1. Don't click on any links
  2. Set users who can send me talks to Expert Newbie and above so unrated alts can't dm you
  3. Set your email to private on your profile (unless you have some other reason to have it public)
  4. Don't click on any links
  5. If something is too good to be true, then it is not true
  6. tourist does not want to give you 500 free Errichto Coin. He does not want you to message his alt account on codeforces your account password in order for him to give you the Coin
  7. Don't click on any links

I have created a fun and interactive test to see if you understood the rules or not here.

Let's see what plans MikeMirzayanov has to discipline and prevent these scammers from preying on innocent people.

waifu

  • Vote: I like it
  • +354
  • Vote: I do not like it

»
6 months ago, # |
Rev. 3   Vote: I like it +5 Vote: I do not like it

From the post:

I have created a fun and interactive test to see if you understood the rules or not here.

Spoilers for the test
  • »
    »
    6 months ago, # ^ |
      Vote: I like it 0 Vote: I do not like it

    Optimally, if you really want to open a link, open it in a private/incognito window or something. And don't log in. If you're really paranoid, get NoScript to block JavaScript, that'll stop most exploits.

    If you have to log in, try to log in on the actual site that you know has the right link before clicking, and make sure that the URL is of the right website, and doesn't have any typos or even Unicode characters. It's possible that the link contains a Cyrillic character that looks the same as a Latin character.

    A password manager (with a browser extension) can also help prevent phishing, as the autofill will not be detected. I recommend Bitwarden, as it's free and open source.

»
6 months ago, # |
  Vote: I like it +48 Vote: I do not like it

Plot twist: He made that gmail and sent those messages to create this blog XD

»
6 months ago, # |
  Vote: I like it 0 Vote: I do not like it

General rules to stay safe :)

  • »
    »
    6 months ago, # ^ |
      Vote: I like it +4 Vote: I do not like it

    yeah!

    Google Safe Browsing is a good place to start. Type in this URL http://google.com/safebrowsing/diagnostic?site= followed by the site you want to check, such as google.com or an IP address. It will let you know if it has hosted malware in the past 90 days.

    • »
      »
      »
      6 months ago, # ^ |
        Vote: I like it +28 Vote: I do not like it

      Is this link safe to click?

    • »
      »
      »
      6 months ago, # ^ |
        Vote: I like it +3 Vote: I do not like it

      It shows cobeforces.com as safe

      • »
        »
        »
        »
        6 months ago, # ^ |
          Vote: I like it +3 Vote: I do not like it

        Malware isn't the same as phishing and the site won't immediately detect a malicious site, it has to be reported first. So this isn't a be-all end-all tool, you still should be careful.

        Optimally, if you really want to open a link, open it in a private/incognito window or something. And don't log in. If you're really paranoid, get NoScript to block JavaScript, that'll stop most exploits.

        If you have to log in, try to log in on the actual site that you know has the right link before clicking, and make sure that the URL is of the right website, and doesn't have any typos or even Unicode characters. It's possible that the link contains a Cyrillic character that looks the same as a Latin character.

        A password manager (with a browser extension) can also help prevent phishing, as the autofill will not be detected. I recommend Bitwarden, it's FOSS and doesn't have weird restrictions like LastPass's restriction on mobile/desktop.
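
The two checks this thread keeps coming back to, the one-letter lookalike domain from the post (cobeforces.com) and the Cyrillic-for-Latin swap mentioned in the comment above, written out as an added example; it is not code from the post, the commenters or Codeforces. Assumptions: the allowlist holds only codeforces.com, the registrable domain is approximated by the last two labels, and all function names are hypothetical.

```python
import unicodedata
from urllib.parse import urlsplit

TRUSTED = {"codeforces.com"}  # assumption: the only domain treated as genuine


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def decode_label(label: str) -> str:
    """Turn an IDN 'xn--' label back into the characters a browser may display."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            pass  # malformed punycode: keep the raw label
    return label


def scripts(text: str) -> set:
    """Scripts of the letters in text, read from the Unicode character names."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}


def check_link(url: str, trusted=TRUSTED) -> str:
    """Classify the host a link really points at, not the text it is shown as."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted"  # matched on the raw DNS name, before any IDN decoding
    shown = ".".join(decode_label(part) for part in host.split("."))
    if not shown.isascii():
        return "non-ascii host, scripts: " + "+".join(sorted(scripts(shown)))
    registrable = ".".join(host.split(".")[-2:])  # naive: ignores multi-part suffixes
    for t in sorted(trusted):
        if edit_distance(registrable, t) <= 2:
            return "lookalike of " + t
        if t in host:
            return "embeds " + t  # trusted name used as a subdomain prefix
    return "unknown"
```

`check_link("https://cobeforces.com/enter")` returns `"lookalike of codeforces.com"`, and a host containing `\u043e` (Cyrillic o) in place of the Latin letter is reported with both scripts named.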

    • »
      »
      »
      6 months ago, # ^ |
        Vote: I like it 0 Vote: I do not like it

      Another good one I think https://safeweb.norton.com/ is a good way to check websites.

»
6 months ago, # |
  Vote: I like it +15 Vote: I do not like it
Summary
»
6 months ago, # |
  Vote: I like it +10 Vote: I do not like it

I failed the fun and interactive test. It's hella hard.

»
6 months ago, # |
  Vote: I like it +8 Vote: I do not like it

love Bunny Girl Senpai

»
6 months ago, # |
Rev. 2   Vote: I like it 0 Vote: I do not like it

Now I'm scared to click on every link I see :(

»
6 months ago, # |
  Vote: I like it +41 Vote: I do not like it
»
6 months ago, # |
  Vote: I like it +19 Vote: I do not like it

sus is not gray!

»
6 months ago, # |
  Vote: I like it +17 Vote: I do not like it

Yay, sus is not grey

»
6 months ago, # |
  Vote: I like it +3 Vote: I do not like it

what there are no free Errichto coins :|

»
6 months ago, # |
  Vote: I like it +3 Vote: I do not like it

So I guess I am pretty safe as of now ...... I never check my emails xD....

»
6 months ago, # |
  Vote: I like it 0 Vote: I do not like it

What is the 'near coin' thing?

»
6 months ago, # |
  Vote: I like it +8 Vote: I do not like it

On this topic, I want to ask something about email changes but I don't want to create a blog. If I try to change my account email, is validation of the previous email required or not? If the answer is false, it looks like a security problem to me. And at this point, is it really beneficial to allow users to change the email? Because the Codeforces staff is not near enough to look at it case by case, and if it was, how to validate an account for a random user?

»
6 months ago, # |
  Vote: I like it 0 Vote: I do not like it

What a great blog!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!11

»
5 weeks ago, # |
  Vote: I like it -10 Vote: I do not like it

Thank you for letting us know about these scams.