June 14, 2020

For the past year, a site called Privnotes.com has been impersonating Privnote.com, a legitimate, free service that offers private, encrypted messages which self-destruct automatically after they are read. Until recently, I couldn’t quite work out what Privnotes was up to, but today it became crystal clear: Any messages containing bitcoin addresses will be automatically altered to include a different bitcoin address, as long as the Internet addresses of the sender and receiver of the message are not the same.

Earlier this year, KrebsOnSecurity heard from the owners of Privnote.com, who complained that someone had set up a fake clone of their site that was fooling quite a few regular users of the service.

And it’s not hard to see why: Privnotes.com is confusingly similar in name and appearance to the real thing, and comes up second in Google search results for the term “privnote.” Also, anyone who mistakenly types “privnotes” into Google search may see at the top of the results a misleading paid ad for “Privnote” that actually leads to privnotes.com.

A Google search for the term “privnotes” brings up a misleading paid ad for the phishing site privnotes.com, which is listed above the legitimate site — privnote.com.

Privnote.com (the legit service) employs technology that encrypts all messages so that even Privnote itself cannot read the contents of the message. And it doesn’t send and receive messages. Creating a message merely generates a link. When that link is clicked or visited, the service warns that the message will be gone forever after it is read.

But according to the owners of Privnote.com, the phishing site Privnotes.com does not fully implement encryption, and can read and/or modify all messages sent by users.

“It is very simple to check that the note in privnoteS is sent unencrypted in plain text,” Privnote.com explained in a February 2020 message, responding to inquiries from KrebsOnSecurity. “Moreover, it doesn’t enforce any kind of decryption key when opening a note and the key after # in the URL can be replaced by arbitrary characters and the note will still open.”

But that’s not the half of it. KrebsOnSecurity has learned that the phishing site Privnotes.com uses some kind of automated script that scours messages for bitcoin addresses, and replaces any bitcoin addresses found with its own bitcoin address. The script apparently only modifies messages if the note is opened from a different Internet address than the one that composed the address.

Here’s an example, using the bitcoin wallet address from bitcoin’s Wikipedia page as an example. The following message was composed at Privnotes.com from a computer with an Internet address in New York, with the message, “please send money to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq thanks”:

A test message composed on privnotes.com, which is phishing users of the legitimate encrypted message service privnote.com. Pay special attention to the bitcoin address in this message.

When I visited the Privnotes.com link generated by clicking the “create note” button on the above page from a different computer with an Internet address in California, this was the result. As you can see, it lists a different bitcoin address, albeit one with the same first four characters.

The altered message. Notice the bitcoin address has been modified and is not the same address that was sent in the original note.

Several other tests confirmed that the bitcoin modifying script does not seem to change message contents if the sender and receiver’s IP addresses are the same, or if one composes multiple notes with the same bitcoin address in it.

Allison Nixon, the security expert who helped me with this testing, said the script also only seems to replace the first instance of a bitcoin address if it’s repeated within a message, and the site stops replacing a wallet address if it is sent repeatedly over multiple messages.

“And because of the design of the site, the sender won’t be able to view the message because it self destructs after one open, and the type of people using privnote aren’t the type of people who are going to send that bitcoin wallet any other way for verification purposes,” said Nixon, who is chief research officer at Unit 221B. “It’s a pretty smart scam.”

Given that Privnotes.com is phishing bitcoin users, it’s a fair bet the phony service also is siphoning other sensitive data from people who use their site.

“So if there are password dumps in the message, they would be able to read that, too,” Nixon said. “At first, I thought that was their whole angle, just to siphon data. But the bitcoin wallet replacement is probably much closer to the main motivation for running the fake site.”

Even if you never use or plan to use the legitimate encrypted message service Privnote.com, this scam is a great reminder why it pays to be extra careful about using search engines to find sites that you plan to entrust with sensitive data. A far better approach is to bookmark such sites, and rely exclusively on those instead.


34 thoughts on “Privnotes.com Is Phishing Bitcoin from Users of Private Messaging Service Privnote.com

  1. Dennis

    The obvious question that immediately comes to mind – why didn’t the owners of the legitimate Privnotes site register all easy-to-mistake combinations of their domain name? That’s the #1 thing anyone who plans to start an online business would do. And it doesn’t cost too much to do either.

    So this should be a good lesson for anyone who plans to open an online business.

    1. Chris Holland

      That was indeed the validly accepted wisdom until several important factors all but deprecated that route.

      1. The Rise Of The Smartphone

      The inexorable rise of the now ubiquitous smartphone. As the other commenter rightly pointed out, the tiny font sizes make it virtually impossible to verify the correct URL. Especially when combined with and exacerbated by the following additional recent developments.

      2. ICANN’s launch of numerous additional gTLDs

      Whereas sensible brand protection hitherto involved securing defensive registrations of close variations of the primary URL, such as with and without hyphen(s), the plural version of a singular name (as in the subject of Brian’s article) or vice versa, the .net, org and any appropriate ccTLD(s) whose annual renewal fees combined wouldn’t be able to buy even five billable minutes of a top notch intellectual property attorney’s time, that well travelled route was a virtual no brainer.

      With the supposedly not-for-profit ICANN, the de facto authority that manages the global DNS root and IP numbering systems, recently revealing the ruthless predatory instincts far more associated with its near namesake, legendary corporate raider Carl ICAHN, the extremely well remunerated and hugely expensed executives of this eyewateringly profitable not-for-profit gravy train have expanded the handful of original and subsequently launched gTLDs such as .com, .net, .org, .info & .biz, to a staggering 1,238 as of the date of writing. This number however is subject to almost daily increase, rather like the number of billions amassed by a certain folically challenged billionaire. If you were to be tasked to slavishly adhere to the definition of ‘all’, then using just 10 variations (very much on the low side) x 1,238 gTLDS plus a few hundred ccTLDs, then you’ve just raised the stakes to commit to a multi million dollar annual domain renewal spend, to register such forgettable nonsense as yourbrand.WTF, .XYZ, .NINJA and even .BlackFriday. The latter gTLD being deployed, and in one case weaponised by one of its registrations, Rebecca.BlackFriday by the supremely untalented Rebecca where unwitting, or perhaps half wit, visitors are regaled with her horrendous tune ‘Friday’.

      3. The rise of PPC/AdSense income by TypoSquatters

      If you own a prominent global brand its easy to register every possible variation to protect your brand, isn’t it? Well, not any more. Virtually every site in the Alex Top 10,000 has long since had every single FTR permutation of their URL carpetbagged, sorry registered, by a new creature on the block called the ‘typosquatter’. Although this accurate term is defined as a pejorative, they prefer to be called ‘Internet Investors’ or, if they’re squatting on more than a single domain, humorously, ‘Serial Internet Entrepreneurs’, the legion of annoying garish pages spawned by the variations provide these true assets to society incomes that in some cases amount to millions of dollars a year.

      I was previously commissioned to produce a study on the then Top 25 global digital brands. There wasn’t a single one, even two of those owned by two of the far most proactive by enforcement – Amazon and Google, that owned even a fraction of the total number of domain permutations. Mostly because all the even half decent ones had either already been secured or were being monetised (SIC, English/UK spelling of what is, after all, the ‘English’ Language, this commenter is British) by the aforementioned faceless, privacy protected operators. Not even Jeff, Sergey, or Larry would be able to retain the services of a top drawer domain lawyer like John Berryhill to fight every single possible UDRP.

      To be clear, as distasteful to some as typosquatting might appear, it is not in itself a criminal offence. If an operator’s sole motivation is obtaining their miserable cut (disingenuously called ‘revshare’) of around 1% of the AdWords revenue that Google (‘because we can’) rakes in, that’s surely a preferable outcome to having the bitcoin wallets of a brand’s customers or users looted en masse.

      1. c1ph3rqueen

        Great comments Chris – It’s time for ICANN to make the takedown process more streamlined and accessible to ordinary domain owners.

  2. Ima Curios

    Have you never visited your own website via a mobile phone.
    REALLY small text.
    Shame for that. Good site otherwise.
    CSS alternate style for portal window.

    1. Brian Fiori (AKA The Dean)

      I’ve never had a problem with Krebsonsecurity. Loads small, but is easily adjustable to larger size. I find choosing “Desktop Site” helps many sites behave better on a mobile device. Counterintuitive to be sure.

      BTW using Android with Chrome browser.

  3. Richard

    Thanks for this. I was not aware of Privnote until now but it does look pretty useful. My only question is: How do they hope to make money off this service?

    1. PJ

      Ads, but I’m guessing they’ll offer subscriptions eventually.

  4. Nikon 1

    A BIG thumbs up to Chris Holland for is “term paper” of an explanation as to just how “greedy” the ICANN is and how difficult it can be to protect a website from unscrupulous / criminally minded low lifes and “domain squatters.”

    Outstanding information presented clearly an succinctly.

    And another thumbs up to Brian for exposing this whole scam.

  5. G.Scott H.

    Typing a URL into the browser address bar or using a bookmark previously saved has become passe, unfortunately.

    Instead people start at Google and type part of the URL and click the first reasonable link. Even those trying to do better are using a hybrid search/address bar by default in most browsers these days.

    Every time I see it done I try to educate, but “it’s too hard” is the usual response. I’m thinking I should memorize a few typosquated names which can be used as examples for a better learning experience.

    Again, thanks for all the phish Mr. Krebs.

    1. Joe

      This is exactly right. It should be added to Mr. Holland’s Opus comment above.

      Browsers integrate the URL bar with a default search engine, and have for years now.

      They have also made it harder to access bookmarks on their mobile versions. Chrome especially, since its a Google product. The intent is to direct users to the search engine for better tracking and advertising.

      The choice users have is to make 3 or 4 clicks using a bookmark, or make 2 clicks using the URL bar as a search.

      It makes the “bookmark” obsolete in the face of a dynamic link that may change depending on who is paying Google the most to be a “top result” or “sponsored result”.

    2. melk

      I’m not sure typing the address manually does more good than harm compared to googling, especially when applied to “big” websites. There is a good chance that by manually entering it you make a typo (after all, its ‘typosquatting’, not ‘googlesquatting’), and those fake sites usually have a much lower google-ranking than the real ones, because pushing your fake site up the google results is time-consuming and expensive (again, if we’re talking about “big” websites). There are exceptions, sure, but in most cases, i’d say google is more reliable than typing.

  6. x

    privnoteS.com reported to Google Phishing:
    12:00PM EST June 14 (Tik-Tok)

  7. Network guy

    The registrar of the privnoteS domain is namesilo. If you have
    independently confirmed they are modifying messages – I think that is enough to report the domain.
    I’ve used the real privnote.com site for years and looking at the other version it sure is visually a knock-off!

  8. Jimmy

    What did people copy paste an address into privnote fake and had it changed and sent money to mitm fraudster? Super lame.

  9. chris

    Correctly typing URLs is definitely a challenge. I never directly type a bank or other important url. First, I go to google and then do a search and then carefully review the provided list. Even so, finding the correct site is not guaranteed.

  10. inf

    What private note sites are recommend? I usually use temp.pm, it seems prehaps this is an open source implementation? Could you just run it yourself on a server (would be good to make sure it genuinely leaves nothing)

  11. Jim

    Another, what’s wrong with this site? Problem in the states. Is exampled by politicians also use this method of messaging those in their parties, escaping the local freedom of information acts, you may remember greitens of Missouri. The courts could not prove wrong doing, the traces had been eliminated. The law violated means bad guys get to become governor again. Lucky us, he will Rob us even further.

  12. Michael N

    Brian,

    Time to do the voodoo that you do and take these miscreants to task. So, when does betting open: is this a State, organized crime, or individual entrepreneur as the responsible party?

  13. BobF

    I use my password manager to launch any important/sensitive websites. Searching in the manager for a site is as fast as googling it and it will alway take me to the correct domain.

  14. Osiris

    If this isn’t a clear-cut case for a take-down and prosecution, there aren’t any. ICANN needs to step up their game and ban facsimiles to existing domain names. Then the burden won’t be on the innocent, and criminal activities should be curbed. It’s not rocket science, it’s practical action. Come on ICANN, step it up and fix your… stuff.

    1. Michael N

      Well, ICANN is not a legal enforcement body. This takes the collective action of Congress and the Judiciary to make this activity stop, or at least become more manageable. And it would help to bring ICANN back under the fold of the US.

  15. Anon

    Domain is now down, either got shutdown or they quit from all the attention. Wd Krebs.

    1. BrianKrebs Post author

      I and several others reported it to Namesilo, who took it down today. Hopefully, they also locked the domain so it can’t be transferred somewhere else.

  16. Steve

    I’m interested in how the perpetrators always have a Bitcoin address with the same first four digits as whatever address was in the original message. Does it required something like a vanity address generator, or is there a different method?

  17. Bobby B

    In order to pay for Google Ads, the miscreants will need a credit card. This, surely, makes them traceable.

    Wouldn’t their purchase of ads lead to the perpetrators being identified?

    1. Joe

      The one thing miscreants have… are stolen cards.

      1. Bobby B

        The domain was registered in July 2019 and was thus up for almost one year.

        If stolen cards were used for Google Ads, don’t you think that Google would have been notified at some point and stopped providing Ads?

        Also, using an anonymous IP e.g. VPN and Tor while using a stolen credit card would not be the easiest model.

        I realise no-one is reading this now but I would like to know from Brian (should he know) whether miscreants who use Google Ads can be identified and, if so, how?

        1. Joe

          Good points. I don’t know what happens once the card is reported stolen.
          Do banks even notify all past vendors?

  18. Austin44

    New Leaf Survey about the quality and administrations notwithstanding achieving astounding offer that is Validation Code To Redeem.

Comments are closed.